Go
Go
Verify Signature of Alexa Custom Skill Request
See more HTTP Misc Examples
This example verifies the signature of an Alexa Custom Skill Request.Chilkat Go Downloads
success := false
// This example assumes you have a web service that will receive requests from Alexa.
// A sample request sent by Alexa will look like the following:
// Connection: Keep-Alive
// Content-Length: 2583
// Content-Type: application/json; charset=utf-8
// Accept: application/json
// Accept-Charset: utf-8
// Host: your.web.server.com
// User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
// Signature: dSUmPwxc9...aKAf8mpEXg==
// SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
//
// {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}
// First, assume we've written code to get the 3 pieces of data we need:
signature := "dSUmPwxc9...aKAf8mpEXg=="
certChainUrl := "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
jsonBody := "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}"
// To validate the signature, we do the following:
// First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message
http := chilkat.NewHttp()
sbPem := chilkat.NewStringBuilder()
success = http.QuickGetSb(certChainUrl,sbPem)
if success == false {
fmt.Println(http.LastErrorText())
http.DisposeHttp()
sbPem.DisposeStringBuilder()
return
}
pem := chilkat.NewPem()
success = pem.LoadPem(*sbPem.GetAsString(),"passwordNotUsed")
if success == false {
fmt.Println(pem.LastErrorText())
http.DisposeHttp()
sbPem.DisposeStringBuilder()
pem.DisposePem()
return
}
// The 1st certificate should be the signing certificate.
cert := pem.GetCert(0)
if pem.LastMethodSuccess() == false {
fmt.Println(pem.LastErrorText())
http.DisposeHttp()
sbPem.DisposeStringBuilder()
pem.DisposePem()
return
}
// Get the public key from the cert.
pubKey := chilkat.NewPublicKey()
cert.GetPublicKey(pubKey)
cert.DisposeCert()
// Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
rsa := chilkat.NewRsa()
success = rsa.UsePublicKey(pubKey)
if success == false {
fmt.Println(cert.LastErrorText())
http.DisposeHttp()
sbPem.DisposeStringBuilder()
pem.DisposePem()
pubKey.DisposePublicKey()
rsa.DisposeRsa()
return
}
// RSA "decrypt" the signature.
// (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
// of the request body. This happens in a single call to VerifyStringENC...)
rsa.SetEncodingMode("base64")
bVerified := rsa.VerifyStringENC(jsonBody,"sha1",signature)
if bVerified == true {
fmt.Println("The signature is verified against the JSON body of the request. Yay!")
} else {
fmt.Println("Sorry, not verified. Crud!")
}
http.DisposeHttp()
sbPem.DisposeStringBuilder()
pem.DisposePem()
pubKey.DisposePublicKey()
rsa.DisposeRsa()