Amazon Customer asked

Validating Requests Are From Amazon Cloud Service (certificate pinning)

In https://forums.developer.amazon.com/forums/thread.jspa?messageID=15388 the accepted answer does not adequately answer the question, as the header contents in the HTTP request are not signed under the signature given. Someone (even Amazon) could easily use a different value for the signaturecertchainurl: header than the current value of 'https://s3.amazonaws.com/echo.api/echo-api-cert.pem', either with intent to deceive, or because over time the Amazon AlexaKit team changes where to find the certificate chain. How do you recommend ensuring that a publicly-accessible API endpoint is able to verify not only that the signature is valid, but that the signature itself is from Amazon's private key?
Tags: alexa skills kit, debugging

Amazon Customer answered
This is now addressed in today's beta kit update in the section "verifying the signature certificate URL": https://developer.amazon.com/public/solutions/devices/echo/alexa-app-kit/docs/developing-your-app-with-the-alexa-appkit#verifying-the-signature-certificate-url

    Verifying the Signature Certificate URL

    Before downloading the certificate from the URL specified in the SignatureCertChainUrl header, you should ensure that the URL represents a URL Amazon would use for the certificate. This protects against requests that attempt to make your web service download malicious files and similar attacks.

    First, normalize the URL so that you can validate against a correctly formatted URL. For example, normalize
    https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem
    to:
    https://s3.amazonaws.com/echo.api/echo-api-cert.pem

    Next, determine whether the URL meets each of the following criteria:
    - The protocol is equal to https (case insensitive).
    - The hostname is equal to s3.amazonaws.com (case insensitive).
    - The path starts with /echo.api/ (case sensitive).
    - If a port is defined in the URL, the port is equal to 443.

    Examples of correctly formatted URLs:
    - https://s3.amazonaws.com/echo.api/echo-api-cert.pem
    - https://s3.amazonaws.com:443/echo.api/echo-api-cert.pem
    - https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem

    Examples of invalid URLs:
    - http://s3.amazonaws.com/echo.api/echo-api-cert.pem (invalid protocol)
    - https://notamazon.com/echo.api/echo-api-cert.pem (invalid hostname)
    - https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem (invalid path)
    - https://s3.amazonaws.com/invalid.path/echo-api-cert.pem (invalid path)
    - https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem (invalid port)

    If the URL does not pass these tests, reject the request and do not proceed with verifying the signature.
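The allow-list check quoted in the answer above, written out as an added Python example (not Amazon's code and not from the Alexa kit). It resolves dot-segments in the path first, then applies the four criteria exactly as listed: https scheme, s3.amazonaws.com host, a path beginning with /echo.api/ (case-sensitive), and port 443 if any port is given. The `check_request_headers` helper and the case-insensitive header lookup are assumptions about how a skill endpoint would call it; the constants come from the quoted documentation.

```python
"""Allow-list validation of the SignatureCertChainUrl header.

Added example following the criteria quoted in the answer above; it is not
Amazon's own implementation.  Only the URL is validated here; downloading
the chain and verifying the request signature are separate steps.
"""
import posixpath
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Values fixed by the quoted documentation.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "s3.amazonaws.com"
EXPECTED_PATH_PREFIX = "/echo.api/"
EXPECTED_PORT = 443


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments and duplicate slashes in a URL path.

    posixpath.normpath resolves the dot-segments; the result is then forced
    to start with exactly one '/' so that a path like '//echo.api/x' (which
    POSIX normpath leaves alone) is compared on the same footing.
    """
    if not path:
        return "/"
    normalized = posixpath.normpath(path)
    return "/" + normalized.lstrip("/")


def is_valid_cert_chain_url(url: str) -> bool:
    """Return True only if every criterion from the documentation holds."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    # urlsplit already lower-cases the scheme; compare anyway for clarity.
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False
    # .hostname is lower-cased and excludes any user-info and port, so the
    # comparison is against the host that would actually be connected to.
    if parts.hostname != EXPECTED_HOST:
        return False
    if port is not None and port != EXPECTED_PORT:
        return False
    # Path comparison is case-sensitive, after normalization.
    return normalize_path(parts.path).startswith(EXPECTED_PATH_PREFIX)


def check_request_headers(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Assumed helper: look up the header case-insensitively and say why a
    request is rejected, so the reason can be logged before dropping it."""
    for name, value in headers.items():
        if name.lower() == "signaturecertchainurl":
            if is_valid_cert_chain_url(value.strip()):
                return True, "ok"
            return False, "SignatureCertChainUrl failed allow-list check: " + value
    return False, "SignatureCertChainUrl header missing"


if __name__ == "__main__":
    # The example URLs from the quoted documentation.
    samples = [
        "https://s3.amazonaws.com/echo.api/echo-api-cert.pem",
        "https://s3.amazonaws.com:443/echo.api/echo-api-cert.pem",
        "https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem",
        "http://s3.amazonaws.com/echo.api/echo-api-cert.pem",
        "https://notamazon.com/echo.api/echo-api-cert.pem",
        "https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem",
        "https://s3.amazonaws.com/invalid.path/echo-api-cert.pem",
        "https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem",
    ]
    for sample in samples:
        print("accept" if is_valid_cert_chain_url(sample) else "reject", sample)
```

Rejecting on any parse error (for example a malformed port) rather than falling through is deliberate: the documentation says to reject and stop before fetching anything, and an unparseable header value gives no reason to trust the URL.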

rgr@amazon answered