Forum Discussion
If by "RSA private public key pair", you're referring to PKI-based digital signing as the process by which a sender will create a hash of some piece of data, encrypt that hash with his PRIVATE key, and then send the data and the signed hash to the receiver, where the receiver creates another hash of that same data, decrypts the signed hash with the sender's PUBLIC key, and then compares the two hashes for the purposes of validating integrity (no data loss or tampering in transit) and non-repudiation (authentication by means of an assertion that the sender is who they claim to be by virtue of a private key possession), then I'd say the concepts you're referring to aren't all that complex.
Using PKI encryption (RSA private public key pair) for digital signatures, the signature is created by the sender with the private key, which the F5 or any other server has in its possession
This is completely and vehemently wrong. In no way would any entity other than the private key's owner, ever possess a copy of that private key. That would constitute compromised security, and would invalidate the private key (and its public peer).
You asked in your original request if an iRule could be used to digitally sign using either the PKI (person) cert associated with the session, or the SSL cert associated with the F5 VS, and the answer again is no, for the following reasons:
- Certificates aren't used to digitally sign. A certificate is a component of the public key, and private keys are used to digitally sign data. The public key is then used to decrypt the data (hash) encrypted by the private key.
- No entity other than the intended holder should ever have a copy of another entity's private key. There is no mechanism in the PKI protocol that exposes a sender's PKI private key to a receiver. That would be a bad thing.
- As of the current 11.4.1 HF2 version of BIG-IP, there is no mechanism within iRules to access the certificates and private keys stored in the file system.
And as Lee states, the CRYPTO::sign command will in fact perform a type of digital signature, but it does so with symmetric shared keys, not PKI.
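The sign/verify flow the post describes, as an added example in Go using only the standard library (this is not code from the post, from F5, or from any BIG-IP iRule). It hashes the data with SHA-256, signs the digest with the private key, and verifies with the public key alone, so the verifier never needs the signer's private key; a tampered message or a different key pair fails verification. The HMAC functions are a stand-in for a symmetric, shared-key tag, included only to contrast the two models the post distinguishes; they are not an implementation of CRYPTO::sign. The message and the shared secret are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a fresh RSA key pair. Only the signer ever holds the
// returned private key; a verifier is given priv.PublicKey and nothing else.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Sign hashes data with SHA-256 and signs the digest with the PRIVATE key
// (RSASSA-PKCS1-v1_5). This is the "hash, then sign the hash with the private
// key" step performed by the sender.
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the SHA-256 digest over the received data and checks the
// signature against it with the sender's PUBLIC key. It returns false if the
// data was altered in transit or the signature came from a different key.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// HMACTag is the symmetric counterpart: sender and receiver share one secret,
// so whoever can verify the tag can also forge it. This gives integrity but
// not the non-repudiation property of an asymmetric signature.
func HMACTag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// VerifyHMAC recomputes the tag with the shared key and compares in constant time.
func VerifyHMAC(key, data, tag []byte) bool {
	return hmac.Equal(HMACTag(key, data), tag)
}

func main() {
	priv, err := GenerateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample message") // constructed input

	sig, err := Sign(priv, data)
	if err != nil {
		panic(err)
	}
	// The receiver only has the public key.
	fmt.Println("genuine message verifies:", Verify(&priv.PublicKey, data, sig))
	fmt.Println("tampered message verifies:", Verify(&priv.PublicKey, []byte("altered message"), sig))

	other, _ := GenerateKeyPair(2048)
	fmt.Println("signature checked with someone else's key verifies:", Verify(&other.PublicKey, data, sig))

	// Symmetric contrast: both parties hold the same secret (constructed value).
	secret := []byte("constructed shared secret")
	tag := HMACTag(secret, data)
	fmt.Println("HMAC with shared secret verifies:", VerifyHMAC(secret, data, tag))
	fmt.Println("HMAC with a different secret verifies:", VerifyHMAC([]byte("wrong secret"), data, tag))
}
```

Run it with `go run`, and note which key each side holds: the private key never leaves the signer, while the HMAC case requires the same secret on both ends, which is exactly why the post says a symmetric CRYPTO::sign is not a PKI signature.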