How do I use SpeechletRequestSignatureVerifier.checkRequestSignature?
I'm trying to work through the cert verification step of the checklist, but one of the requirements is to verify the cert against the signature provided. Unfortunately, the verifier classes provided in the ASK don't include javadocs, the sources aren't attached, and they haven't bothered to name their parameters something useful. As a result, I'm left guessing what I'm supposed to pass into this static method: void com.amazon.speech.speechlet.authentication.SpeechletRequestSignatureVerifier.checkRequestSignature(byte arg0, String arg1, String arg2) I assume that one of those two strings is going to be the value from the Signature header, although even that is ambiguous because it's not clear whether to use the provided form of it, or to base64 decode it first. Can someone tell me what these three parameters are supposed to be? Also, this method returns void but doesn't seem to throw anything (whereas the certificateChain check throws a CertificateException)... how is this helping me check the request?
AFAIK, that function is not meant to be called by you (the skill developer) directly. AlexaSkillsKit itself uses it to verify the signature for you. By using the library (as opposed to handling the raw request/responses) you get some benefits including the fact that signature verification is done for you. HTH, Stefan
The docs about required verification for certification include the following bullet point: "If you use the Java library without using the SpeechletServlet class, you can use the SpeechletRequestSignatureVerifier class to do this." We use the majority of the skills kit (POJOs, builders, etc.) but we run on Dropwizard instead of using SpeechletServlet.
Got it. Most likely the function expects (raw request body as bytes, base64 signature value from HTTP header as string, RSA certificate URL from HTTP header as string), but I agree it's unfortunate there are no docs for that function.
I believe Stefan is right. They want the base64 decoded signature of the HTTP header. (When I was writing the verification for my web based skill, Stefan was the one who helped me figure it out!) Steve
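Added example, not part of the thread and not the ASK library's own code: what a check over the three inputs discussed above does, written against the standard `java.security` API, showing that it passes only over the exact request bytes received. It assumes SHA1withRSA (the algorithm Amazon documents for the Signature header); `signatureMatches` is a hypothetical helper, and the key pair and request body are constructed stand-ins for the signing certificate's key and a real request.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class RequestSignatureDemo {
    // Assumption: SHA1withRSA, as documented for the Signature header.
    static final String ALGORITHM = "SHA1withRSA";

    /** Hypothetical helper: true only if the base64 header value is a valid signature over rawBody. */
    static boolean signatureMatches(byte[] rawBody, String signatureHeader, PublicKey certKey) {
        try {
            byte[] sig = Base64.getDecoder().decode(signatureHeader); // header arrives base64-encoded
            Signature verifier = Signature.getInstance(ALGORITHM);
            verifier.initVerify(certKey);
            verifier.update(rawBody); // the bytes as received, before any JSON parsing
            return verifier.verify(sig);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false; // malformed base64, wrong signature length or unusable key: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: a throwaway key pair instead of the signing certificate's key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed request body, signed here only so there is something to verify.
        byte[] rawBody = "{\"version\":\"1.0\",\"request\":{\"type\":\"LaunchRequest\"}}"
                .getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(pair.getPrivate());
        signer.update(rawBody);
        String header = Base64.getEncoder().encodeToString(signer.sign());

        // The same JSON after a parse/re-serialize round trip (only whitespace differs).
        byte[] reserialized = "{ \"version\": \"1.0\", \"request\": { \"type\": \"LaunchRequest\" } }"
                .getBytes(StandardCharsets.UTF_8);

        System.out.println("raw bytes:       " + signatureMatches(rawBody, header, pair.getPublic()));
        System.out.println("re-serialized:   " + signatureMatches(reserialized, header, pair.getPublic()));
        System.out.println("truncated value: " + signatureMatches(rawBody, header.substring(4), pair.getPublic()));
    }
}
```

On a framework such as Dropwizard this means capturing the request body as bytes before the JSON layer deserializes it, since a re-serialized body no longer matches the signature.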
I'm having trouble with NoSignatureHeader and NoCertHeader coming from HttpResponseMessage. I'm using the latest AlexaSkillsKit.Lib off of GitHub. If I comment out the checks, I can run this in development fine, but I'm not sure what to do to figure out why the headers are not correct. Are there some IIS settings that need to be implemented as well? Thanks.
Here is what is coming in the header from Amazon:
Connection: Keep-Alive
Accept: application/json
Accept-Charset: utf-8
Host: test.voicepod.com
User-Agent: Apache-HttpClient/4.3 (java 1.5)
Signature: AShIn8Z5BB4NDdc5g6SYK1vryqal70RqxLb0tkSKoZWKDXb1O345MJdSsNCbwAkEQ7KXjzPsMs+w9TaraTNjFNC1jGdLBwD0TeL96W9gFwglGEuQ4z7cimjTvCJbPfXvL9g6B/XAC8p6iqhuVRXihGrP/pvCAu1znGDR+3+JBT49aVCOnEzHupXv4RL8spknRCx0I4LAcjWfAeZFUJUnrcq+qBkD53gZl98SCo8QrsIdfkArnYJMoSijyttrgxiQyGHcUy+QtzKit6B7kvH6oXYyM1S5sIuirmd0/GTqRUBwAxQUAEYcs1hq7uXIqRs51vnldAbjpVy4MEOWz8nvNg==
SignatureCertChainUrl:
Hi James, if you're asking about using https://github.com/AreYouFreeBusy/AlexaSkillsKit.NET I can help you directly, just open an issue on GitHub and I'll investigate (the discussion above in this thread was referring to using the Java library from Amazon). Best, Stefan