Sample code for 30+ languages & platforms
Go

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat Go Downloads

Go
    success := false

    // This example assumes you have a web service that will receive requests from Alexa.
    // A sample request sent by Alexa will look like the following:

    // Connection: Keep-Alive
    // Content-Length: 2583
    // Content-Type: application/json; charset=utf-8
    // Accept: application/json
    // Accept-Charset: utf-8
    // Host: your.web.server.com
    // User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
    // Signature: dSUmPwxc9...aKAf8mpEXg==
    // SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
    // 
    // {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

    // First, assume we've written code to get the 3 pieces of data we need:
    signature := "dSUmPwxc9...aKAf8mpEXg=="
    certChainUrl := "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
    jsonBody := "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}"

    // To validate the signature, we do the following:

    // First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
    http := chilkat.NewHttp()
    sbPem := chilkat.NewStringBuilder()
    success = http.QuickGetSb(certChainUrl,sbPem)
    if success == false {
        fmt.Println(http.LastErrorText())
        http.DisposeHttp()
        sbPem.DisposeStringBuilder()
        return
    }

    pem := chilkat.NewPem()
    success = pem.LoadPem(*sbPem.GetAsString(),"passwordNotUsed")
    if success == false {
        fmt.Println(pem.LastErrorText())
        http.DisposeHttp()
        sbPem.DisposeStringBuilder()
        pem.DisposePem()
        return
    }

    // The 1st certificate should be the signing certificate.
    cert := pem.GetCert(0)
    if pem.LastMethodSuccess() == false {
        fmt.Println(pem.LastErrorText())
        http.DisposeHttp()
        sbPem.DisposeStringBuilder()
        pem.DisposePem()
        return
    }

    // Get the public key from the cert.
    pubKey := chilkat.NewPublicKey()
    cert.GetPublicKey(pubKey)

    cert.DisposeCert()

    // Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
    rsa := chilkat.NewRsa()
    success = rsa.UsePublicKey(pubKey)
    if success == false {
        fmt.Println(cert.LastErrorText())
        http.DisposeHttp()
        sbPem.DisposeStringBuilder()
        pem.DisposePem()
        pubKey.DisposePublicKey()
        rsa.DisposeRsa()
        return
    }

    // RSA "decrypt" the signature.
    // (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
    // of the request body.  This happens in a single call to VerifyStringENC...)
    rsa.SetEncodingMode("base64")
    bVerified := rsa.VerifyStringENC(jsonBody,"sha1",signature)
    if bVerified == true {
        fmt.Println("The signature is verified against the JSON body of the request. Yay!")
    } else {
        fmt.Println("Sorry, not verified.  Crud!")
    }


    http.DisposeHttp()
    sbPem.DisposeStringBuilder()
    pem.DisposePem()
    pubKey.DisposePublicKey()
    rsa.DisposeRsa()