|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(SQL Server) Verify Signature of Alexa Custom Skill RequestThis example verifies the signature of an Alexa Custom Skill Request.
-- Important: See this note about string length limitations for strings returned by sp_OAMethod calls. -- CREATE PROCEDURE ChilkatSample AS BEGIN DECLARE @hr int DECLARE @iTmp0 int -- Important: Do not use nvarchar(max). See the warning about using nvarchar(max). DECLARE @sTmp0 nvarchar(4000) -- This example assumes you have a web service that will receive requests from Alexa. -- A sample request sent by Alexa will look like the following: -- Connection: Keep-Alive -- Content-Length: 2583 -- Content-Type: application/json; charset=utf-8 -- Accept: application/json -- Accept-Charset: utf-8 -- Host: your.web.server.com -- User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172) -- Signature: dSUmPwxc9...aKAf8mpEXg== -- SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem -- -- {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }} -- First, assume we've written code to get the 3 pieces of data we need: DECLARE @signature nvarchar(4000) SELECT @signature = 'dSUmPwxc9...aKAf8mpEXg==' DECLARE @certChainUrl nvarchar(4000) SELECT @certChainUrl = 'https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem' DECLARE @jsonBody nvarchar(4000) SELECT @jsonBody = '{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}' -- To validate the signature, we do the following: -- First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message DECLARE @http int -- Use "Chilkat_9_5_0.Http" for versions of Chilkat < 10.0.0 EXEC @hr = sp_OACreate 'Chilkat.Http', @http OUT IF @hr <> 0 BEGIN PRINT 'Failed to create ActiveX component' RETURN END DECLARE @sbPem int -- Use "Chilkat_9_5_0.StringBuilder" for versions of Chilkat < 10.0.0 EXEC @hr = sp_OACreate 'Chilkat.StringBuilder', @sbPem OUT DECLARE @success int EXEC sp_OAMethod @http, 'QuickGetSb', @success OUT, @certChainUrl, @sbPem IF @success = 0 BEGIN EXEC sp_OAGetProperty @http, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem RETURN END DECLARE @pem int -- Use "Chilkat_9_5_0.Pem" for versions of Chilkat < 10.0.0 EXEC @hr = sp_OACreate 'Chilkat.Pem', @pem OUT EXEC sp_OAMethod @sbPem, 'GetAsString', @sTmp0 OUT EXEC sp_OAMethod @pem, 'LoadPem', @success OUT, @sTmp0, 'passwordNotUsed' IF @success = 0 BEGIN EXEC sp_OAGetProperty @pem, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem EXEC @hr = sp_OADestroy @pem RETURN END -- The 1st certificate should be the signing certificate. DECLARE @cert int EXEC sp_OAMethod @pem, 'GetCert', @cert OUT, 0 EXEC sp_OAGetProperty @pem, 'LastMethodSuccess', @iTmp0 OUT IF @iTmp0 = 0 BEGIN EXEC sp_OAGetProperty @pem, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem EXEC @hr = sp_OADestroy @pem RETURN END -- Get the public key from the cert. DECLARE @pubKey int EXEC sp_OAMethod @cert, 'ExportPublicKey', @pubKey OUT EXEC sp_OAGetProperty @cert, 'LastMethodSuccess', @iTmp0 OUT IF @iTmp0 = 0 BEGIN EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @cert EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem EXEC @hr = sp_OADestroy @pem RETURN END EXEC @hr = sp_OADestroy @cert -- Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value. DECLARE @rsa int -- Use "Chilkat_9_5_0.Rsa" for versions of Chilkat < 10.0.0 EXEC @hr = sp_OACreate 'Chilkat.Rsa', @rsa OUT EXEC sp_OAMethod @rsa, 'ImportPublicKeyObj', @success OUT, @pubKey IF @success = 0 BEGIN EXEC sp_OAGetProperty @cert, 'LastErrorText', @sTmp0 OUT PRINT @sTmp0 EXEC @hr = sp_OADestroy @pubKey EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem EXEC @hr = sp_OADestroy @pem EXEC @hr = sp_OADestroy @rsa RETURN END EXEC @hr = sp_OADestroy @pubKey -- RSA "decrypt" the signature. -- (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash -- of the request body. This happens in a single call to VerifyStringENC...) EXEC sp_OASetProperty @rsa, 'EncodingMode', 'base64' DECLARE @bVerified int EXEC sp_OAMethod @rsa, 'VerifyStringENC', @bVerified OUT, @jsonBody, 'sha1', @signature IF @bVerified = 1 BEGIN PRINT 'The signature is verified against the JSON body of the request. Yay!' END ELSE BEGIN PRINT 'Sorry, not verified. Crud!' END EXEC @hr = sp_OADestroy @http EXEC @hr = sp_OADestroy @sbPem EXEC @hr = sp_OADestroy @pem EXEC @hr = sp_OADestroy @rsa END GO |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.