|
Chilkat • HOME • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi DLL • Go • Java • Node.js • Objective-C • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Delphi ActiveX) Verify Signature of Alexa Custom Skill RequestThis example verifies the signature of an Alexa Custom Skill Request. Note: This example requires Chilkat v11.0.0 or greater.
uses Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Chilkat_TLB; ... procedure TForm1.Button1Click(Sender: TObject); var success: Integer; signature: WideString; certChainUrl: WideString; jsonBody: WideString; http: TChilkatHttp; sbPem: TChilkatStringBuilder; pem: TChilkatPem; cert: IChilkatCert; pubKey: IPublicKey; rsa: TChilkatRsa; bVerified: Integer; begin success := 0; // This example assumes you have a web service that will receive requests from Alexa. // A sample request sent by Alexa will look like the following: // Connection: Keep-Alive // Content-Length: 2583 // Content-Type: application/json; charset=utf-8 // Accept: application/json // Accept-Charset: utf-8 // Host: your.web.server.com // User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172) // Signature: dSUmPwxc9...aKAf8mpEXg== // SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem // // {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }} // First, assume we've written code to get the 3 pieces of data we need: signature := 'dSUmPwxc9...aKAf8mpEXg=='; certChainUrl := 'https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem'; jsonBody := '{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}'; // To validate the signature, we do the following: // First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message http := TChilkatHttp.Create(Self); sbPem := TChilkatStringBuilder.Create(Self); success := http.QuickGetSb(certChainUrl,sbPem.ControlInterface); if (success = 0) then begin Memo1.Lines.Add(http.LastErrorText); Exit; end; pem := TChilkatPem.Create(Self); success := pem.LoadPem(sbPem.GetAsString(),'passwordNotUsed'); if (success = 0) then begin Memo1.Lines.Add(pem.LastErrorText); Exit; end; // The 1st certificate should be the signing certificate. cert := pem.GetCert(0); if (pem.LastMethodSuccess = 0) then begin Memo1.Lines.Add(pem.LastErrorText); Exit; end; // Get the public key from the cert. pubKey := cert.ExportPublicKey(); if (cert.LastMethodSuccess = 0) then begin Memo1.Lines.Add(cert.LastErrorText); Exit; end; // Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value. rsa := TChilkatRsa.Create(Self); success := rsa.UsePublicKey(pubKey); if (success = 0) then begin Memo1.Lines.Add(cert.LastErrorText); Exit; end; // RSA "decrypt" the signature. // (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash // of the request body. This happens in a single call to VerifyStringENC...) rsa.EncodingMode := 'base64'; bVerified := rsa.VerifyStringENC(jsonBody,'sha1',signature); if (bVerified = 1) then begin Memo1.Lines.Add('The signature is verified against the JSON body of the request. Yay!'); end else begin Memo1.Lines.Add('Sorry, not verified. Crud!'); end; end; |
||||
© 2000-2025 Chilkat Software, Inc. All Rights Reserved.