Sample code for 30+ languages & platforms
Chilkat2-Python

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat Chilkat2-Python Downloads

Chilkat2-Python
import sys
import chilkat2

success = False

# This example assumes you have a web service that will receive requests from Alexa.
# A sample request sent by Alexa will look like the following:

# Connection: Keep-Alive
# Content-Length: 2583
# Content-Type: application/json; charset=utf-8
# Accept: application/json
# Accept-Charset: utf-8
# Host: your.web.server.com
# User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
# Signature: dSUmPwxc9...aKAf8mpEXg==
# SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
# 
# {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

# First, assume we've written code to get the 3 pieces of data we need:
signature = "dSUmPwxc9...aKAf8mpEXg=="
certChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
jsonBody = "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}"

# To validate the signature, we do the following:

# First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
http = chilkat2.Http()
sbPem = chilkat2.StringBuilder()
success = http.QuickGetSb(certChainUrl,sbPem)
if (success == False):
    print(http.LastErrorText)
    sys.exit()

pem = chilkat2.Pem()
success = pem.LoadPem(sbPem.GetAsString(),"passwordNotUsed")
if (success == False):
    print(pem.LastErrorText)
    sys.exit()

# The 1st certificate should be the signing certificate.
# cert is a CkCert
cert = pem.GetCert(0)
if (pem.LastMethodSuccess == False):
    print(pem.LastErrorText)
    sys.exit()

# Get the public key from the cert.
pubKey = chilkat2.PublicKey()
cert.GetPublicKey(pubKey)

# Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
rsa = chilkat2.Rsa()
success = rsa.UsePublicKey(pubKey)
if (success == False):
    print(cert.LastErrorText)
    sys.exit()

# RSA "decrypt" the signature.
# (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
# of the request body.  This happens in a single call to VerifyStringENC...)
rsa.EncodingMode = "base64"
bVerified = rsa.VerifyStringENC(jsonBody,"sha1",signature)
if (bVerified == True):
    print("The signature is verified against the JSON body of the request. Yay!")
else:
    print("Sorry, not verified.  Crud!")