PHP ActiveX
PHP ActiveX
Verify Signature of Alexa Custom Skill Request
See more HTTP Misc Examples
This example verifies the signature of an Alexa Custom Skill Request.Chilkat PHP ActiveX Downloads
<?php
$success = 0;
// This example assumes you have a web service that will receive requests from Alexa.
// A sample request sent by Alexa will look like the following:
// Connection: Keep-Alive
// Content-Length: 2583
// Content-Type: application/json; charset=utf-8
// Accept: application/json
// Accept-Charset: utf-8
// Host: your.web.server.com
// User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
// Signature: dSUmPwxc9...aKAf8mpEXg==
// SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
//
// {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}
// First, assume we've written code to get the 3 pieces of data we need:
$signature = 'dSUmPwxc9...aKAf8mpEXg==';
$certChainUrl = 'https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem';
$jsonBody = '{\'version\':\'1.0\',\'session\':{\'new\':true,\'sessionId\':\'amzn1.echo-api.session.433 ... }}';
// To validate the signature, we do the following:
// First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message
$http = new COM("Chilkat.Http");
$sbPem = new COM("Chilkat.StringBuilder");
$success = $http->QuickGetSb($certChainUrl,$sbPem);
if ($success == 0) {
print $http->LastErrorText . "\n";
exit;
}
$pem = new COM("Chilkat.Pem");
$success = $pem->LoadPem($sbPem->getAsString(),'passwordNotUsed');
if ($success == 0) {
print $pem->LastErrorText . "\n";
exit;
}
// The 1st certificate should be the signing certificate.
// cert is a Chilkat.Cert
$cert = $pem->GetCert(0);
if ($pem->LastMethodSuccess == 0) {
print $pem->LastErrorText . "\n";
exit;
}
// Get the public key from the cert.
$pubKey = new COM("Chilkat.PublicKey");
$cert->GetPublicKey($pubKey);
// Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
$rsa = new COM("Chilkat.Rsa");
$success = $rsa->UsePublicKey($pubKey);
if ($success == 0) {
print $cert->LastErrorText . "\n";
exit;
}
// RSA "decrypt" the signature.
// (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
// of the request body. This happens in a single call to VerifyStringENC...)
$rsa->EncodingMode = 'base64';
$bVerified = $rsa->VerifyStringENC($jsonBody,'sha1',$signature);
if ($bVerified == 1) {
print 'The signature is verified against the JSON body of the request. Yay!' . "\n";
}
else {
print 'Sorry, not verified. Crud!' . "\n";
}
?>