Unicode C
Unicode C
Verify Signature of Alexa Custom Skill Request
See more HTTP Misc Examples
This example verifies the signature of an Alexa Custom Skill Request.Chilkat Unicode C Downloads
#include <C_CkHttpW.h>
#include <C_CkStringBuilderW.h>
#include <C_CkPemW.h>
#include <C_CkCertW.h>
#include <C_CkPublicKeyW.h>
#include <C_CkRsaW.h>
void ChilkatSample(void)
{
BOOL success;
const wchar_t *signature;
const wchar_t *certChainUrl;
const wchar_t *jsonBody;
HCkHttpW http;
HCkStringBuilderW sbPem;
HCkPemW pem;
HCkCertW cert;
HCkPublicKeyW pubKey;
HCkRsaW rsa;
BOOL bVerified;
success = FALSE;
// This example assumes you have a web service that will receive requests from Alexa.
// A sample request sent by Alexa will look like the following:
// Connection: Keep-Alive
// Content-Length: 2583
// Content-Type: application/json; charset=utf-8
// Accept: application/json
// Accept-Charset: utf-8
// Host: your.web.server.com
// User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
// Signature: dSUmPwxc9...aKAf8mpEXg==
// SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
//
// {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}
// First, assume we've written code to get the 3 pieces of data we need:
signature = L"dSUmPwxc9...aKAf8mpEXg==";
certChainUrl = L"https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem";
jsonBody = L"{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}";
// To validate the signature, we do the following:
// First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message
http = CkHttpW_Create();
sbPem = CkStringBuilderW_Create();
success = CkHttpW_QuickGetSb(http,certChainUrl,sbPem);
if (success == FALSE) {
wprintf(L"%s\n",CkHttpW_lastErrorText(http));
CkHttpW_Dispose(http);
CkStringBuilderW_Dispose(sbPem);
return;
}
pem = CkPemW_Create();
success = CkPemW_LoadPem(pem,CkStringBuilderW_getAsString(sbPem),L"passwordNotUsed");
if (success == FALSE) {
wprintf(L"%s\n",CkPemW_lastErrorText(pem));
CkHttpW_Dispose(http);
CkStringBuilderW_Dispose(sbPem);
CkPemW_Dispose(pem);
return;
}
// The 1st certificate should be the signing certificate.
cert = CkPemW_GetCert(pem,0);
if (CkPemW_getLastMethodSuccess(pem) == FALSE) {
wprintf(L"%s\n",CkPemW_lastErrorText(pem));
CkHttpW_Dispose(http);
CkStringBuilderW_Dispose(sbPem);
CkPemW_Dispose(pem);
return;
}
// Get the public key from the cert.
pubKey = CkPublicKeyW_Create();
CkCertW_GetPublicKey(cert,pubKey);
CkCertW_Dispose(cert);
// Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
rsa = CkRsaW_Create();
success = CkRsaW_UsePublicKey(rsa,pubKey);
if (success == FALSE) {
wprintf(L"%s\n",CkCertW_lastErrorText(cert));
CkHttpW_Dispose(http);
CkStringBuilderW_Dispose(sbPem);
CkPemW_Dispose(pem);
CkPublicKeyW_Dispose(pubKey);
CkRsaW_Dispose(rsa);
return;
}
// RSA "decrypt" the signature.
// (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
// of the request body. This happens in a single call to VerifyStringENC...)
CkRsaW_putEncodingMode(rsa,L"base64");
bVerified = CkRsaW_VerifyStringENC(rsa,jsonBody,L"sha1",signature);
if (bVerified == TRUE) {
wprintf(L"The signature is verified against the JSON body of the request. Yay!\n");
}
else {
wprintf(L"Sorry, not verified. Crud!\n");
}
CkHttpW_Dispose(http);
CkStringBuilderW_Dispose(sbPem);
CkPemW_Dispose(pem);
CkPublicKeyW_Dispose(pubKey);
CkRsaW_Dispose(rsa);
}