|
Chilkat • HOME • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi DLL • Go • Java • Node.js • Objective-C • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Visual FoxPro) Verify Signature of Alexa Custom Skill RequestThis example verifies the signature of an Alexa Custom Skill Request. Note: This example requires Chilkat v11.0.0 or greater.
LOCAL lnSuccess LOCAL lcSignature LOCAL lcCertChainUrl LOCAL lcJsonBody LOCAL loHttp LOCAL loSbPem LOCAL loPem LOCAL loCert LOCAL loPubKey LOCAL loRsa LOCAL lnBVerified lnSuccess = 0 * This example assumes you have a web service that will receive requests from Alexa. * A sample request sent by Alexa will look like the following: * Connection: Keep-Alive * Content-Length: 2583 * Content-Type: application/json; charset=utf-8 * Accept: application/json * Accept-Charset: utf-8 * Host: your.web.server.com * User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172) * Signature: dSUmPwxc9...aKAf8mpEXg== * SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem * * {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }} * First, assume we've written code to get the 3 pieces of data we need: lcSignature = "dSUmPwxc9...aKAf8mpEXg==" lcCertChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem" lcJsonBody = '{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}' * To validate the signature, we do the following: * First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message loHttp = CreateObject('Chilkat.Http') loSbPem = CreateObject('Chilkat.StringBuilder') lnSuccess = loHttp.QuickGetSb(lcCertChainUrl,loSbPem) IF (lnSuccess = 0) THEN ? loHttp.LastErrorText RELEASE loHttp RELEASE loSbPem CANCEL ENDIF loPem = CreateObject('Chilkat.Pem') lnSuccess = loPem.LoadPem(loSbPem.GetAsString(),"passwordNotUsed") IF (lnSuccess = 0) THEN ? loPem.LastErrorText RELEASE loHttp RELEASE loSbPem RELEASE loPem CANCEL ENDIF * The 1st certificate should be the signing certificate. loCert = loPem.GetCert(0) IF (loPem.LastMethodSuccess = 0) THEN ? loPem.LastErrorText RELEASE loHttp RELEASE loSbPem RELEASE loPem CANCEL ENDIF * Get the public key from the cert. loPubKey = CreateObject('Chilkat.PublicKey') loCert.GetPublicKey(loPubKey) RELEASE loCert * Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value. loRsa = CreateObject('Chilkat.Rsa') lnSuccess = loRsa.UsePublicKey(loPubKey) IF (lnSuccess = 0) THEN ? loCert.LastErrorText RELEASE loHttp RELEASE loSbPem RELEASE loPem RELEASE loPubKey RELEASE loRsa CANCEL ENDIF * RSA "decrypt" the signature. * (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash * of the request body. This happens in a single call to VerifyStringENC...) loRsa.EncodingMode = "base64" lnBVerified = loRsa.VerifyStringENC(lcJsonBody,"sha1",lcSignature) IF (lnBVerified = 1) THEN ? "The signature is verified against the JSON body of the request. Yay!" ELSE ? "Sorry, not verified. Crud!" ENDIF RELEASE loHttp RELEASE loSbPem RELEASE loPem RELEASE loPubKey RELEASE loRsa |
||||
© 2000-2025 Chilkat Software, Inc. All Rights Reserved.