Sample code for 30+ languages & platforms
Lianja

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat Lianja Downloads

Lianja
llSuccess = .F.

// This example assumes you have a web service that will receive requests from Alexa.
// A sample request sent by Alexa will look like the following:

// Connection: Keep-Alive
// Content-Length: 2583
// Content-Type: application/json; charset=utf-8
// Accept: application/json
// Accept-Charset: utf-8
// Host: your.web.server.com
// User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
// Signature: dSUmPwxc9...aKAf8mpEXg==
// SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
// 
// {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

// First, assume we've written code to get the 3 pieces of data we need:
lcSignature = "dSUmPwxc9...aKAf8mpEXg=="
lcCertChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
lcJsonBody = '{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}'

// To validate the signature, we do the following:

// First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
loHttp = createobject("CkHttp")
loSbPem = createobject("CkStringBuilder")
llSuccess = loHttp.QuickGetSb(lcCertChainUrl,loSbPem)
if (llSuccess = .F.) then
    ? loHttp.LastErrorText
    release loHttp
    release loSbPem
    return
endif

loPem = createobject("CkPem")
llSuccess = loPem.LoadPem(loSbPem.GetAsString(),"passwordNotUsed")
if (llSuccess = .F.) then
    ? loPem.LastErrorText
    release loHttp
    release loSbPem
    release loPem
    return
endif

// The 1st certificate should be the signing certificate.
loCert = loPem.GetCert(0)
if (loPem.LastMethodSuccess = .F.) then
    ? loPem.LastErrorText
    release loHttp
    release loSbPem
    release loPem
    return
endif

// Get the public key from the cert.
loPubKey = createobject("CkPublicKey")
loCert.GetPublicKey(loPubKey)

release loCert

// Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
loRsa = createobject("CkRsa")
llSuccess = loRsa.UsePublicKey(loPubKey)
if (llSuccess = .F.) then
    ? loCert.LastErrorText
    release loHttp
    release loSbPem
    release loPem
    release loPubKey
    release loRsa
    return
endif

// RSA "decrypt" the signature.
// (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
// of the request body.  This happens in a single call to VerifyStringENC...)
loRsa.EncodingMode = "base64"
llBVerified = loRsa.VerifyStringENC(lcJsonBody,"sha1",lcSignature)
if (llBVerified = .T.) then
    ? "The signature is verified against the JSON body of the request. Yay!"
else
    ? "Sorry, not verified.  Crud!"
endif



release loHttp
release loSbPem
release loPem
release loPubKey
release loRsa