Sample code for 30+ languages & platforms
Android™

Verify Signature of Alexa Custom Skill Request

See more HTTP Misc Examples

This example verifies the signature of an Alexa Custom Skill Request.

Chilkat Android™ Downloads

Android™
// Important: Don't forget to include the call to System.loadLibrary
// as shown at the bottom of this code sample.
package com.test;

import android.app.Activity;
import com.chilkatsoft.*;

import android.widget.TextView;
import android.os.Bundle;

public class SimpleActivity extends Activity {

  private static final String TAG = "Chilkat";

  // Called when the activity is first created.
  @Override
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    boolean success = false;

    // This example assumes you have a web service that will receive requests from Alexa.
    // A sample request sent by Alexa will look like the following:

    // Connection: Keep-Alive
    // Content-Length: 2583
    // Content-Type: application/json; charset=utf-8
    // Accept: application/json
    // Accept-Charset: utf-8
    // Host: your.web.server.com
    // User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
    // Signature: dSUmPwxc9...aKAf8mpEXg==
    // SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
    // 
    // {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}

    // First, assume we've written code to get the 3 pieces of data we need:
    String signature = "dSUmPwxc9...aKAf8mpEXg==";
    String certChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem";
    String jsonBody = "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}";

    // To validate the signature, we do the following:

    // First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message 
    CkHttp http = new CkHttp();
    CkStringBuilder sbPem = new CkStringBuilder();
    success = http.QuickGetSb(certChainUrl,sbPem);
    if (success == false) {
        Log.i(TAG, http.lastErrorText());
        return;
        }

    CkPem pem = new CkPem();
    success = pem.LoadPem(sbPem.getAsString(),"passwordNotUsed");
    if (success == false) {
        Log.i(TAG, pem.lastErrorText());
        return;
        }

    // The 1st certificate should be the signing certificate.
    CkCert cert = pem.GetCert(0);
    if (pem.get_LastMethodSuccess() == false) {
        Log.i(TAG, pem.lastErrorText());
        return;
        }

    // Get the public key from the cert.
    CkPublicKey pubKey = new CkPublicKey();
    cert.GetPublicKey(pubKey);

    // Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
    CkRsa rsa = new CkRsa();
    success = rsa.UsePublicKey(pubKey);
    if (success == false) {
        Log.i(TAG, cert.lastErrorText());
        return;
        }

    // RSA "decrypt" the signature.
    // (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
    // of the request body.  This happens in a single call to VerifyStringENC...)
    rsa.put_EncodingMode("base64");
    boolean bVerified = rsa.VerifyStringENC(jsonBody,"sha1",signature);
    if (bVerified == true) {
        Log.i(TAG, "The signature is verified against the JSON body of the request. Yay!");
        }
    else {
        Log.i(TAG, "Sorry, not verified.  Crud!");
        }


  }

  static {
      System.loadLibrary("chilkat");

      // Note: If the incorrect library name is passed to System.loadLibrary,
      // then you will see the following error message at application startup:
      //"The application <your-application-name> has stopped unexpectedly. Please try again."
  }
}