Perl
Perl
Verify Signature of Alexa Custom Skill Request
See more HTTP Misc Examples
This example verifies the signature of an Alexa Custom Skill Request.Chilkat Perl Downloads
use chilkat();
$success = 0;
# This example assumes you have a web service that will receive requests from Alexa.
# A sample request sent by Alexa will look like the following:
# Connection: Keep-Alive
# Content-Length: 2583
# Content-Type: application/json; charset=utf-8
# Accept: application/json
# Accept-Charset: utf-8
# Host: your.web.server.com
# User-Agent: Apache-HttpClient/4.5.x (Java/1.8.0_172)
# Signature: dSUmPwxc9...aKAf8mpEXg==
# SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem
#
# {"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.433 ... }}
# First, assume we've written code to get the 3 pieces of data we need:
$signature = "dSUmPwxc9...aKAf8mpEXg==";
$certChainUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-6-ats.pem";
$jsonBody = "{\"version\":\"1.0\",\"session\":{\"new\":true,\"sessionId\":\"amzn1.echo-api.session.433 ... }}";
# To validate the signature, we do the following:
# First, download the PEM-encoded X.509 certificate chain that Alexa used to sign the message
$http = chilkat::CkHttp->new();
$sbPem = chilkat::CkStringBuilder->new();
$success = $http->QuickGetSb($certChainUrl,$sbPem);
if ($success == 0) {
print $http->lastErrorText() . "\r\n";
exit;
}
$pem = chilkat::CkPem->new();
$success = $pem->LoadPem($sbPem->getAsString(),"passwordNotUsed");
if ($success == 0) {
print $pem->lastErrorText() . "\r\n";
exit;
}
# The 1st certificate should be the signing certificate.
# cert is a Cert
$cert = $pem->GetCert(0);
if ($pem->get_LastMethodSuccess() == 0) {
print $pem->lastErrorText() . "\r\n";
exit;
}
# Get the public key from the cert.
$pubKey = chilkat::CkPublicKey->new();
$cert->GetPublicKey($pubKey);
# Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value.
$rsa = chilkat::CkRsa->new();
$success = $rsa->UsePublicKey($pubKey);
if ($success == 0) {
print $cert->lastErrorText() . "\r\n";
exit;
}
# RSA "decrypt" the signature.
# (Amazon's documentation is confusing, because we're simply verifiying the signature against the SHA-1 hash
# of the request body. This happens in a single call to VerifyStringENC...)
$rsa->put_EncodingMode("base64");
$bVerified = $rsa->VerifyStringENC($jsonBody,"sha1",$signature);
if ($bVerified == 1) {
print "The signature is verified against the JSON body of the request. Yay!" . "\r\n";
}
else {
print "Sorry, not verified. Crud!" . "\r\n";
}