Sample code for 30+ languages & platforms
AutoIt

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat AutoIt Downloads

AutoIt
Local $bSuccess = False

; This example assumes you have a web service that will receive requests from Alexa.
; A sample request sent by Alexa will look like the following:

; Connection: Keep-Alive
; Content-Length: 2583
; Content-Type: application/json; charset=utf-8
; Accept: application/json
; Accept-Charset: utf-8
; Host: your.web.server.com
; User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
; Signature: dSUmPwxc9...aKAf8mpEXg==
; SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
; 
; {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

; First, assume we've written code to get the 3 pieces of data we need:
Local $signature = "dSUmPwxc9...aKAf8mpEXg=="
Local $sCertChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
Local $sJsonBody = "{""version"":""1.0"",""session"":{""new"":true,""sessionId"":""amzn1.echo-api.session.433 ... }}"

; To validate the signature, we do the following:

; First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
$oHttp = ObjCreate("Chilkat.Http")
$oSbPem = ObjCreate("Chilkat.StringBuilder")
$bSuccess = $oHttp.QuickGetSb($sCertChainUrl,$oSbPem)
If ($bSuccess = False) Then
    ConsoleWrite($oHttp.LastErrorText & @CRLF)
    Exit
EndIf

$oPem = ObjCreate("Chilkat.Pem")
$bSuccess = $oPem.LoadPem($oSbPem.GetAsString(),"passwordNotUsed")
If ($bSuccess = False) Then
    ConsoleWrite($oPem.LastErrorText & @CRLF)
    Exit
EndIf

; The 1st certificate should be the signing certificate.
Local $oCert = $oPem.GetCert(0)
If ($oPem.LastMethodSuccess = False) Then
    ConsoleWrite($oPem.LastErrorText & @CRLF)
    Exit
EndIf

; Get the public key from the cert.
$oPubKey = ObjCreate("Chilkat.PublicKey")
$oCert.GetPublicKey($oPubKey)

; Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
$oRsa = ObjCreate("Chilkat.Rsa")
$bSuccess = $oRsa.UsePublicKey($oPubKey)
If ($bSuccess = False) Then
    ConsoleWrite($oCert.LastErrorText & @CRLF)
    Exit
EndIf

; RSA "decrypt" the signature.
; (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
; of the request body.  This happens in a single call to VerifyStringENC...)
$oRsa.EncodingMode = "base64"
Local $bVerified = $oRsa.VerifyStringENC($sJsonBody,"sha1",$signature)
If ($bVerified = True) Then
    ConsoleWrite("The signature is verified against the JSON body of the request. Yay!" & @CRLF)
Else
    ConsoleWrite("Sorry, not verified.  Crud!" & @CRLF)
EndIf