Classic ASP
Verify Signature of Alexa Custom Skill Request
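This example verifies the signature of an Alexa Custom Skill Request. Signature verification is only one of the checks Amazon requires for skill requests: the certificate chain URL, the signing certificate itself and the request timestamp also need to be validated before a request is trusted.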
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
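<%
' Verifies the RSA signature that Alexa attaches to a Custom Skill request.
'
' Flow: validate the certificate-chain URL, download the PEM chain, take the
' first certificate's public key, and verify the base64 signature against the
' request body.  Any failure writes the component's error text and stops.

' Returns True only when url has the shape Amazon documents for the Alexa
' signing-certificate location: scheme https, host s3.amazonaws.com,
' port 443 if a port is given, and a path that starts with /echo.api/.
' The URL arrives in a request header, so it is attacker-controlled until
' this check passes; without it anyone could point the service at a
' certificate they generated themselves and "sign" their own requests.
Function IsAlexaCertChainUrl(url)
    Dim rest, slashPos, hostPort, path

    IsAlexaCertChainUrl = False

    ' Scheme is compared case-insensitively.
    If LCase(Left(url, 8)) <> "https://" Then Exit Function

    rest = Mid(url, 9)
    slashPos = InStr(rest, "/")
    If slashPos = 0 Then Exit Function

    ' Everything before the first "/" must be exactly the expected host,
    ' which also rejects user-info tricks such as "s3.amazonaws.com@other.host".
    hostPort = LCase(Left(rest, slashPos - 1))
    If hostPort <> "s3.amazonaws.com" And hostPort <> "s3.amazonaws.com:443" Then Exit Function

    ' The path prefix is case-sensitive.
    path = Mid(rest, slashPos)
    If Left(path, 10) <> "/echo.api/" Then Exit Function

    ' Stricter than normalizing: refuse dot segments, percent-encoding and
    ' backslashes outright so the prefix check cannot be sidestepped.
    If InStr(path, "..") > 0 Then Exit Function
    If InStr(path, "%") > 0 Then Exit Function
    If InStr(path, "\") > 0 Then Exit Function

    IsAlexaCertChainUrl = True
End Function

success = 0

' This example assumes you have a web service that will receive requests from Alexa.
' A sample request sent by Alexa will look like the following:
' Connection: Keep-Alive
' Content-Length: 2583
' Content-Type: application/json; charset=utf-8
' Accept: application/json
' Accept-Charset: utf-8
' Host: your.web.server.com
' User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
' Signature: dSUmPwxc9...aKAf8mpEXg==
' SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
'
' {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

' First, assume we've written code to get the 3 pieces of data we need.
' (Truncated sample values.)  jsonBody must be the request body exactly as
' received; a re-serialized copy of the JSON will not match the signature.
signature = "dSUmPwxc9...aKAf8mpEXg=="
certChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem"
jsonBody = "{""version"":""1.0"",""session"":{""new"":true,""sessionId"":""amzn1.echo-api.session.433 ... }}"

' To validate the signature, we do the following:

' Refuse to fetch anything that is not the documented Alexa certificate location.
If Not IsAlexaCertChainUrl(certChainUrl) Then
    Response.Write "<pre>" & Server.HTMLEncode("The SignatureCertChainUrl is not an expected Alexa certificate location.") & "</pre>"
    Response.End
End If

' Download the PEM-encoded X.509 certificate chain that Alexa used to sign the message.
set http = Server.CreateObject("Chilkat.Http")
set sbPem = Server.CreateObject("Chilkat.StringBuilder")
success = http.QuickGetSb(certChainUrl,sbPem)
If (success = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( http.LastErrorText) & "</pre>"
    Response.End
End If

set pem = Server.CreateObject("Chilkat.Pem")
success = pem.LoadPem(sbPem.GetAsString(),"passwordNotUsed")
If (success = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( pem.LastErrorText) & "</pre>"
    Response.End
End If

' The 1st certificate should be the signing certificate.
' cert is a Chilkat.Cert
Set cert = pem.GetCert(0)
If (pem.LastMethodSuccess = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( pem.LastErrorText) & "</pre>"
    Response.End
End If

' NOTE(review): nothing below checks the certificate itself.  Amazon's
' requirements also call for confirming that the signing certificate is within
' its validity period, that its Subject Alternative Names include
' echo-api.amazon.com, and that the downloaded chain leads to a trusted root.
' Add those checks before relying on this in a live skill endpoint.

' Get the public key from the cert.
set pubKey = Server.CreateObject("Chilkat.PublicKey")
success = cert.GetPublicKey(pubKey)
If (success = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( cert.LastErrorText) & "</pre>"
    Response.End
End If

' Load the signing certificate's public key into the RSA object.
set rsa = Server.CreateObject("Chilkat.Rsa")
success = rsa.UsePublicKey(pubKey)
If (success = 0) Then
    ' The failing call was made on rsa, so report rsa's error text.
    Response.Write "<pre>" & Server.HTMLEncode( rsa.LastErrorText) & "</pre>"
    Response.End
End If

' RSA "decrypt" the signature.
' (Amazon's documentation is confusing, because we're simply verifying the signature against the SHA-1 hash
' of the request body. This happens in a single call to VerifyStringENC...)
' NOTE(review): Amazon's current documentation also describes a SHA-256 based
' signature header; prefer that one where the request carries it - confirm
' against the current Alexa docs.
rsa.EncodingMode = "base64"
bVerified = rsa.VerifyStringENC(jsonBody,"sha1",signature)
If (bVerified = 1) Then
    ' A valid signature alone does not stop replay of a captured request; the
    ' timestamp inside the request body still has to be checked for freshness.
    Response.Write "<pre>" & Server.HTMLEncode( "The signature is verified against the JSON body of the request. Yay!") & "</pre>"
Else
    ' A real skill endpoint must reject the request here, not just report it.
    Response.Write "<pre>" & Server.HTMLEncode( "Sorry, not verified. Crud!") & "</pre>"
End If
%>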
</body>
</html>