question

No one? This is my last outstanding issue for my app. I guess it's back to Google to learn some certificate parsing/comparing. If anyone has any info to share, it would be much appreciated. thanks.

Hi, I'm not a .NET expert, but it seems this could do what you are looking for: https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback%28v=vs.110%29.aspx Thanks, Nick

Sorry to sway off topic, but is certificate checking required? Amazon's comment says "We recommend"... I'm using Amazon ELB, which, as far as I know, doesn't support client cert validation. As such, it would be a serious pain to implement. I am however using a secret key in the endpoint that, in theory, only Amazon would know (not as secure, I know, but for most of my apps there should not by any security issue if the endpoint is made public).

Hey Anil, I was in a call with Alexa engineers today, and they definitely need client certificate checking as part of the app approval process. I'm hosting on App Engine, and this function is not supported. It does seem a little over the top imho, but I understand that Amazon just want to ensure that no clients are accessing your App Endpoint with a dodgy certificate. They're going to send out communications (I think, via email) shortly to confirm what they expect us to do in terms of inbound connection cert checking, and how we should lock it down (i.e. to what inbound domain(s) they specify, etc.). If you're hosting on platform that doesn't natively support client cert checking, you can address the issue by proxying connections, say, via nginx or apache on a VPS (back to your app host) and configure the web server to validate the inbound certs. It is definitely a pain though, and means that your app frontend proxy will end up being a SPOF (unless you LB across several servers). A better solution would be to add a unique token to each app configuration when we add a new app, and pass this token along in the requests to our app endpoint - and let us validate the inbound request based on checking this token against the issued string.

Thanks James, You're right it's not a recommendation, it's a requirement. boo. Lacking documentation, I've tried verifying the signature of the POSTed data using the public_key and an SHA1 and SHA256 digest, but without success. Is it just the POSTed data that is signed? If so, what stops a hacker from repeatedly replaying a message. Or even setting up a dummy app as a proxy.

Regarding the dotnet question, If the code in this thread works: https://forums.developer.amazon.com/forums/thread.jspa?messageID=15353㯹 You might be able to do something similar using this: https://msdn.microsoft.com/en-us/library/55yk5665(v=vs.110).aspx Example here: http://stackoverflow.com/questions/11847666/how-to-verify-a-signature-with-a-public-key-provided-in-pem-file

If you develop using .NET this library is useful https://github.com/AreYouFreeBusy/AlexaAppKit.NET for validating the request signature (I'm the dev). The specific code you're asking about is in https://github.com/AreYouFreeBusy/AlexaAppKit.NET/blob/master/AlexaAppKit.Lib/Authentication/SpeechletRequestSignatureVerifier.cs Feel free to pick up just the code but please respect the attribution requirement per license. I will push an update this weekend that adds add'l checks per the May 2015 Alexa SDK update (the one Amazon send mail about yesterday). Let me know if you have any questions. Best, Stefan

FYI, I am using the code mentioned above from Stefan and it works like a charm. I am awaiting amazons response as to whether it passes their validation process on app submissions, but it should from my testing.

Freebusy, Congrats, it looks like your app passed certification, so the process does work. Please let me know if you have any more questions. Thanks, Nick

Hi Stefan. I've been using your AlexaSkillsKit.Lib for my skill. I'm using the Speechlet version and not SpeechletAsync. It has been extremely helpful, and I appreciate you making it available. When I submitted my app to Amazon, they are coming back with the following error: The skill does not validate the certificates for the incoming requests and is accepting requests with incorrect certificate. Does this make any sense to you? I'm using the latest version of your library. Not really sure if there is a good way to test this. Thanks for any help you can provide.