Galactoise asked

How do I use SpeechletRequestSignatureVerifier.checkRequestSignature?

I'm trying to work through the cert verification step of the checklist, but one of the requirements is to verify the cert against the signature provided. Unfortunately, the verifier classes provided in the ASK don't include javadocs, the sources aren't attached, and they haven't bothered to name their parameters something useful. As a result, I'm left guessing what I'm supposed to pass into this static method:

    void com.amazon.speech.speechlet.authentication.SpeechletRequestSignatureVerifier.checkRequestSignature(byte[] arg0, String arg1, String arg2)

I assume that one of those two strings is going to be the value from the Signature header, although even that is ambiguous because it's not clear whether to use the provided form of it, or to base64 decode it first.

Can someone tell me what these three parameters are supposed to be? Also, this method returns void but doesn't seem to throw anything (whereas the certificateChain check throws a CertificateException)... how is this helping me check the request?
Tags: alexa skills kit, submission testing, certification

Stefan Negritoiu answered
AFAIK, that function is not meant to be called by you (the skill developer) directly. AlexaSkillsKit itself uses it to verify the signature for you. By using the library (as opposed to handling the raw request/responses) you get some benefits including the fact that signature verification is done for you. HTH, Stefan

Galactoise answered
The docs about required verification for certification include the following bullet point: "If you use the Java library without using the SpeechletServlet class, you can use the SpeechletRequestSignatureVerifier class to do this." We use the majority of the skills kit (POJOs, builders, etc) but we run on dropwizard instead of using SpeechletServlet.

Stefan Negritoiu answered
Got it. Most likely the function expects (raw request body as bytes, base64 signature value from HTTP header as string, RSA certificate URL from HTTP header as string), but I agree it's unfortunate there are no docs for that function.
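
Added example, not part of the original thread and not code from Amazon's library: a stand-alone Java illustration of what a verifier taking the three inputs listed above has to do with them, including why the body must be the bytes as received rather than a re-serialized object. The key pair and JSON body are constructed; `SHA1withRSA`, the certificate-URL rules and all class and method names are assumptions, and a locally generated public key stands in for the one in the certificate downloaded from SignatureCertChainUrl.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class RequestSignatureDemo {
    // Assumed location rules for the SignatureCertChainUrl header value.
    static boolean isTrustedCertUrl(String url) {
        URI u = URI.create(url).normalize(); // normalize() collapses "/../" segments
        return "https".equalsIgnoreCase(u.getScheme())
                && "s3.amazonaws.com".equalsIgnoreCase(u.getHost())
                && u.getPath() != null && u.getPath().startsWith("/echo.api/")
                && (u.getPort() == -1 || u.getPort() == 443);
    }

    // rawBody: request bytes exactly as received, before any JSON parsing.
    // signatureHeader: the Signature header as sent (base64 text); decoded here.
    static boolean verify(byte[] rawBody, String signatureHeader, PublicKey certKey)
            throws GeneralSecurityException {
        try {
            byte[] sig = Base64.getDecoder().decode(signatureHeader);
            Signature v = Signature.getInstance("SHA1withRSA"); // assumed algorithm
            v.initVerify(certKey);
            v.update(rawBody);
            return v.verify(sig);
        } catch (IllegalArgumentException | SignatureException e) {
            return false; // header is not base64, or signature bytes are malformed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair plays the signer's certificate.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] body = "{\"version\":\"1.0\",\"request\":{\"type\":\"LaunchRequest\"}}"
                .getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(body);
        String header = Base64.getEncoder().encodeToString(s.sign());
        // Same JSON content, different bytes: what a parse-then-serialize step can produce.
        byte[] reserialized = new String(body, StandardCharsets.UTF_8)
                .replace(":", ": ").getBytes(StandardCharsets.UTF_8);
        String certUrl = "https://s3.amazonaws.com/echo.api/echo-api-cert-3.pem";
        System.out.println("cert URL accepted:  " + isTrustedCertUrl(certUrl));
        System.out.println("raw body verifies:  " + verify(body, header, kp.getPublic()));
        System.out.println("re-serialized body: " + verify(reserialized, header, kp.getPublic()));
    }
}
```

In a framework that deserializes the request for you, this means capturing the raw body bytes before the JSON mapper runs and passing those to the verifier.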

Steve A answered
I believe Stefan is right. They want the base64 decoded signature of the HTTP header. (When I was writing the verification for my web based skill, Stefan was the one who helped me figure it out!) Steve

Galactoise answered
Yep, freebusy's answer matches what I eventually figured out through trial and error. I'm gonna mark it as "correct" for anyone who sees this thread in the future.

James D Gardner answered
I'm having trouble with NoSignatureHeader and NoCertHeader coming from HttpResponseMessage. I'm using the latest AlexaSkillsKit.Lib off of GitHub. If I comment out the checks, I can run this in development fine, but I'm not sure what to do to figure out why the headers are not correct. Are there some IIS settings that need to be implemented as well? Thanks.

James D Gardner answered
Here is what is coming in the header from Amazon:

    Connection: Keep-Alive
    Accept: application/json
    Accept-Charset: utf-8
    Host: test.voicepod.com
    User-Agent: Apache-HttpClient/4.3 (java 1.5)
    Signature: AShIn8Z5BB4NDdc5g6SYK1vryqal70RqxLb0tkSKoZWKDXb1O345MJdSsNCbwAkEQ7KXjzPsMs+w9TaraTNjFNC1jGdLBwD0TeL96W9gFwglGEuQ4z7cimjTvCJbPfXvL9g6B/XAC8p6iqhuVRXihGrP/pvCAu1znGDR+3+JBT49aVCOnEzHupXv4RL8spknRCx0I4LAcjWfAeZFUJUnrcq+qBkD53gZl98SCo8QrsIdfkArnYJMoSijyttrgxiQyGHcUy+QtzKit6B7kvH6oXYyM1S5sIuirmd0/GTqRUBwAxQUAEYcs1hq7uXIqRs51vnldAbjpVy4MEOWz8nvNg==
    SignatureCertChainUrl: https://s3.amazonaws.com/echo.api/echo-api-cert-3.pem

Stefan Negritoiu answered
Hi James, if you're asking about using https://github.com/AreYouFreeBusy/AlexaSkillsKit.NET I can help you directly, just open an issue on GitHub and I'll investigate (the discussion above in this thread was referring to using the Java library from Amazon). Best, Stefan