JD_02_146678
Feb 05, 2015

Signed request

Hi,

 

I'm wondering if anyone knows how to evaluate an HTTP POST that contains an RSA SHA-1 signature using either ASM or an iRule? I noticed the algorithms supported for crypto::verify include HMAC but not RSA SHA-1, but I'm not certain if this means it cannot be done.

 

I saw some info on the iRule wiki that looks like I would need to do something like the following:

* when http::request
* call http::collect which triggers http::request::data
* access the data by calling http::payload
* call crypto::verify to test rsa sha-1 signature
* call http::release

 

Any assistance is much appreciated!

 

1 Reply

  • Updated info, hopefully clarifying the question a bit.

     

    I am using something called Webhooks. The webhooks FAQ (https://t3n.zendesk.com/entries/22916235-Webhooks-FAQ) contains this:

     

    > Q: How can listener services be sure that it was CenturyLink Cloud that sent the message and not someone spoofing you?
    >
    > A: While SSL ensures that the message cannot be read in transit, it doesn't protect you from rogue callers who target your public endpoint. Each Webhook notification includes a signature hash of the message payload. The "Tier3-RsaSha1" header is encrypted with our private key and can be decrypted with our public key. After decrypting the signature, customers can compare the payloads to make sure that the message wasn't tampered with.

     

    I want to handle this check with an iRule prior to sending the webhook notification on to the pool member. The closest thing I have found to do this is the CRYPTO:: command. As I read it, it looks like we could put the webhook public key into the command in hex. On the other hand, the name of the header (Tier3-RsaSha1) implies RSA-SHA1 and I do not see that in the algorithm list in this command ( https://devcentral.f5.com/wiki/iRules.CRYPTO__decrypt.ashx ). Unfortunately, it seems that the CRYPTO command only handles symmetric encryption.

     

    Does anyone have any suggestions on how I might be able to decrypt the "Tier3-RsaSha1" header in an iRule (instead of having to let it get all the way to my server)?
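
For reference, this is what checking a header like "Tier3-RsaSha1" against the POST body involves, written as stand-alone Python rather than as an iRule (an added example, not from the original post, F5, or the webhook provider). It assumes PKCS#1 v1.5 padding and a base64-encoded header value, neither of which the FAQ states; `verify_webhook` and `demo_sign` are hypothetical names, and the key is a constructed, insecure demo key.

```python
import base64
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15_sha1(message: bytes, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || DigestInfo(SHA-1(message))."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-1 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_webhook(payload: bytes, header_value: str, n: int, e: int) -> bool:
    """Return True only if header_value is a valid RSA-SHA1 signature of payload."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = base64.b64decode(header_value, validate=True)  # assumed encoding
    except ValueError:
        return False
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    # "Decrypting with the public key" is this modular exponentiation.
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Compare against the full re-encoded block instead of parsing the
    # padding, so a malformed block can never be accepted as valid.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15_sha1(payload, k))

# Constructed demo key from two Mersenne primes: NOT secure, for the demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(payload: bytes) -> str:
    """Stand-in for the sender: produce a header value for the demo key."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha1(payload, k), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(k, "big")).decode()

if __name__ == "__main__":
    body = b'{"event": "constructed-sample"}'  # constructed sample payload
    header = demo_sign(body)
    print("valid:", verify_webhook(body, header, N, E))
    print("tampered:", verify_webhook(body + b" ", header, N, E))
```

The signature covers the exact bytes of the body, so the whole payload has to be collected before the check and passed through unmodified.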