Sample code for 30+ languages & platforms
Unicode C

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat Unicode C Downloads

Unicode C
#include <C_CkHttpW.h>
#include <C_CkStringBuilderW.h>
#include <C_CkPemW.h>
#include <C_CkCertW.h>
#include <C_CkPublicKeyW.h>
#include <C_CkRsaW.h>

void ChilkatSample(void)
    {
    BOOL success;
    const wchar_t *signature;
    const wchar_t *certChainUrl;
    const wchar_t *jsonBody;
    HCkHttpW http;
    HCkStringBuilderW sbPem;
    HCkPemW pem;
    HCkCertW cert;
    HCkPublicKeyW pubKey;
    HCkRsaW rsa;
    BOOL bVerified;

    success = FALSE;

    // This example assumes you have a web service that will receive requests from Alexa.
    // A sample request sent by Alexa will look like the following:

    // Connection: Keep-Alive
    // Content-Length: 2583
    // Content-Type: application/json; charset=utf-8
    // Accept: application/json
    // Accept-Charset: utf-8
    // Host: your.web.server.com
    // User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
    // Signature: dSUmPwxc9...aKAf8mpEXg==
    // SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
    // 
    // {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

    // First, assume we've written code to get the 3 pieces of data we need:
    signature = L"dSUmPwxc9...aKAf8mpEXg==";
    certChainUrl = L"https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem";
    jsonBody = L"{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}";

    // To validate the signature, we do the following:

    // First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
    http = CkHttpW_Create();
    sbPem = CkStringBuilderW_Create();
    success = CkHttpW_QuickGetSb(http,certChainUrl,sbPem);
    if (success == FALSE) {
        wprintf(L"%s\n",CkHttpW_lastErrorText(http));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPem);
        return;
    }

    pem = CkPemW_Create();
    success = CkPemW_LoadPem(pem,CkStringBuilderW_getAsString(sbPem),L"passwordNotUsed");
    if (success == FALSE) {
        wprintf(L"%s\n",CkPemW_lastErrorText(pem));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPem);
        CkPemW_Dispose(pem);
        return;
    }

    // The 1st certificate should be the signing certificate.
    cert = CkPemW_GetCert(pem,0);
    if (CkPemW_getLastMethodSuccess(pem) == FALSE) {
        wprintf(L"%s\n",CkPemW_lastErrorText(pem));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPem);
        CkPemW_Dispose(pem);
        return;
    }

    // Get the public key from the cert.
    pubKey = CkPublicKeyW_Create();
    CkCertW_GetPublicKey(cert,pubKey);

    CkCertW_Dispose(cert);

    // Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
    rsa = CkRsaW_Create();
    success = CkRsaW_UsePublicKey(rsa,pubKey);
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(cert));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPem);
        CkPemW_Dispose(pem);
        CkPublicKeyW_Dispose(pubKey);
        CkRsaW_Dispose(rsa);
        return;
    }

    // RSA "decrypt" the signature.
    // (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
    // of the request body.  This happens in a single call to VerifyStringENC...)
    CkRsaW_putEncodingMode(rsa,L"base64");
    bVerified = CkRsaW_VerifyStringENC(rsa,jsonBody,L"sha1",signature);
    if (bVerified == TRUE) {
        wprintf(L"The signature is verified against the JSON body of the request. Yay!\n");
    }
    else {
        wprintf(L"Sorry, not verified.  Crud!\n");
    }



    CkHttpW_Dispose(http);
    CkStringBuilderW_Dispose(sbPem);
    CkPemW_Dispose(pem);
    CkPublicKeyW_Dispose(pubKey);
    CkRsaW_Dispose(rsa);

    }