digest.rsa_verify

BOOLdigest.rsa_verifyIDhash_methodSTRINGpublic_keySTRINGpayloadSTRINGdigestIDbase64_method

Available inall subroutines.

Returns true if the RSA signature of payload using public_key matches digest. The hash_method parameter selects the digest function to use. It can be sha256, sha384, sha512, or default (default is equivalent to sha256). The STRING parameter in the payload or digest could reference headers such as req.http.payload and req.http.digest. The base64_method parameter is optional. It can be standard, url, url_nopad, or default (default is equivalent to url_nopad).

Base64 decoding behaves as if by a call to digest.base64_decode. See that function for handling invalid characters and the behavior of padding. Unlike digest.base64_decode, the decoded output is used directly (rather than constructing a VCL STRING type), and so binary content is permitted, including possible NUL bytes.

Example

if (digest.rsa_verify(sha256, {"-----BEGIN PUBLIC KEY-----
aabbccddIieEffggHHhEXAMPLEPUBLICKEY
-----END PUBLIC KEY-----"}, req.http.payload, req.http.digest, url_nopad)) {
set req.http.verified = "Verified";
} else {
set req.http.verified = "Not Verified";
}
error 900;

Try it out

digest.rsa_verify is used in the following code examples. Examples apply VCL to real-world use cases and can be deployed as they are, or adapted for your own service. See the full list of code examples for more inspiration.

Click RUN on a sample below to provision a Fastly service, execute the code on Fastly, and see how the function behaves.

Authenticate JSON Web Tokens at the edge

Decode the popular JWT format to verify user session tokens before forwarding trusted authentication data to your origin.