![]() |
Chilkat HOME Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi DLL Go Java Node.js Objective-C PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Visual FoxPro) Verify Signature of Alexa Custom Skill RequestThis example verifies the signature of an Alexa Custom Skill Request. Note: This example requires Chilkat v11.0.0 or greater.
LOCAL lnSuccess LOCAL lcSignature LOCAL lcCertChainUrl LOCAL lcJsonBody LOCAL loHttp LOCAL loSbPem LOCAL loPem LOCAL loCert LOCAL loPubKey LOCAL loRsa LOCAL lnBVerified lnSuccess = 0 * This example assumes you have a web service that will receive requests from Alexa. * A sample request sent by Alexa will look like the following: * Connection: Keep-Alive * Content-Length: 2583 * Content-Type: application/json; charset=utf-8 * Accept: application/json * Accept-Charset: utf-8 * Host: your.web.server.com * User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172) * Signature: dSUmPwxc9...aKAf8mpEXg== * SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem * * {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }} * First, assume we've written code to get the 3 pieces of data we need: lcSignature = "dSUmPwxc9...aKAf8mpEXg==" lcCertChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem" lcJsonBody = '{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}' * To validate the signature, we do the following: * First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message loHttp = CreateObject('Chilkat.Http') loSbPem = CreateObject('Chilkat.StringBuilder') lnSuccess = loHttp.QuickGetSb(lcCertChainUrl,loSbPem) IF (lnSuccess = 0) THEN ? loHttp.LastErrorText RELEASE loHttp RELEASE loSbPem CANCEL ENDIF loPem = CreateObject('Chilkat.Pem') lnSuccess = loPem.LoadPem(loSbPem.GetAsString(),"passwordNotUsed") IF (lnSuccess = 0) THEN ? loPem.LastErrorText RELEASE loHttp RELEASE loSbPem RELEASE loPem CANCEL ENDIF * The 1st certificate should be the signing certificate. loCert = loPem.GetCert(0) IF (loPem.LastMethodSuccess = 0) THEN ? loPem.LastErrorText RELEASE loHttp RELEASE loSbPem RELEASE loPem CANCEL ENDIF * Get the public key from the cert. loPubKey = loCert.ExportPublicKey() IF (loCert.LastMethodSuccess = 0) THEN ? loCert.LastErrorText RELEASE loCert RELEASE loHttp RELEASE loSbPem RELEASE loPem CANCEL ENDIF RELEASE loCert * Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value. loRsa = CreateObject('Chilkat.Rsa') lnSuccess = loRsa.UsePublicKey(loPubKey) IF (lnSuccess = 0) THEN ? loCert.LastErrorText RELEASE loPubKey RELEASE loHttp RELEASE loSbPem RELEASE loPem RELEASE loRsa CANCEL ENDIF RELEASE loPubKey * RSA "decrypt" the signature. * (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash * of the request body. This happens in a single call to VerifyStringENC...) loRsa.EncodingMode = "base64" lnBVerified = loRsa.VerifyStringENC(lcJsonBody,"sha1",lcSignature) IF (lnBVerified = 1) THEN ? "The signature is verified against the JSON body of the request. Yay!" ELSE ? "Sorry, not verified. Crud!" ENDIF RELEASE loHttp RELEASE loSbPem RELEASE loPem RELEASE loRsa |
© 2000-2025 Chilkat Software, Inc. All Rights Reserved.