|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(CkPython) Verify Signature of Alexa Custom Skill RequestThis example verifies the signature of an Alexa Custom Skill Request.
import sys import chilkat # This example assumes you have a web service that will receive requests from Alexa. # A sample request sent by Alexa will look like the following: # Connection: Keep-Alive # Content-Length: 2583 # Content-Type: application/json; charset=utf-8 # Accept: application/json # Accept-Charset: utf-8 # Host: your.web.server.com # User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172) # Signature: dSUmPwxc9...aKAf8mpEXg== # SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem # # {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }} # First, assume we've written code to get the 3 pieces of data we need: signature = "dSUmPwxc9...aKAf8mpEXg==" certChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem" jsonBody = "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}" # To validate the signature, we do the following: # First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message http = chilkat.CkHttp() sbPem = chilkat.CkStringBuilder() success = http.QuickGetSb(certChainUrl,sbPem) if (success == False): print(http.lastErrorText()) sys.exit() pem = chilkat.CkPem() success = pem.LoadPem(sbPem.getAsString(),"passwordNotUsed") if (success == False): print(pem.lastErrorText()) sys.exit() # The 1st certificate should be the signing certificate. # cert is a CkCert cert = pem.GetCert(0) if (pem.get_LastMethodSuccess() == False): print(pem.lastErrorText()) sys.exit() # Get the public key from the cert. # pubKey is a CkPublicKey pubKey = cert.ExportPublicKey() if (cert.get_LastMethodSuccess() == False): print(cert.lastErrorText()) sys.exit() # Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value. rsa = chilkat.CkRsa() success = rsa.ImportPublicKeyObj(pubKey) if (success == False): print(cert.lastErrorText()) sys.exit() # RSA "decrypt" the signature. # (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash # of the request body. This happens in a single call to VerifyStringENC...) rsa.put_EncodingMode("base64") bVerified = rsa.VerifyStringENC(jsonBody,"sha1",signature) if (bVerified == True): print("The signature is verified against the JSON body of the request. Yay!") else: print("Sorry, not verified. Crud!") |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.