Requests sent by Alexa provide the information you need to verify the
signature in two HTTP headers:

  SignatureCertChainUrl
  Signature

To validate the signature:

1. Verify that the URL specified by the SignatureCertChainUrl header value
   on the request matches the format used by Amazon. See Verifying the
   Signature Certificate URL.

2. Download the PEM-encoded X.509 certificate chain that Alexa used to sign
   the message, as specified by the SignatureCertChainUrl header value on
   the request. This chain is provided at runtime so that the certificate
   can be updated periodically, so your web service should be resilient to
   different URLs with different content.

   The certificate chain is composed of, in order, (1) the Amazon signing
   certificate and (2) one or more additional certificates that create a
   chain of trust to a root certificate authority (CA) certificate.

3. To confirm the validity of the signing certificate, perform the
   following checks:
   - The signing certificate has not expired (examine both the Not Before
     and Not After dates).
   - The domain echo-api.amazon.com is present in the Subject Alternative
     Names (SANs) section of the signing certificate.
   - All certificates in the chain combine to create a chain of trust to
     a trusted root CA certificate.

4. Once you have determined that the signing certificate is valid, extract
   the public key from it.

5. Base64-decode the Signature header value on the request to obtain the
   encrypted signature.

6. Use the public key extracted from the signing certificate to decrypt the
   encrypted signature to produce the asserted hash value.

7. Generate a SHA-1 hash value from the full HTTPS request body to produce
   the derived hash value.

8. Compare the asserted hash value and the derived hash value to ensure
   that they match.
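The procedure above, written out as an added Go example; this is not code from this page or from the alexa.lisp endpoint it documents. VerifyRequest covers steps 2 to 8: it parses the downloaded PEM chain, lets x509.Verify check the validity dates, the echo-api.amazon.com SAN and the chain of trust to a root pool, then checks the base64 Signature against SHA-1 of the request body. Step 1, the format check on SignatureCertChainUrl, follows Amazon's separate "Verifying the Signature Certificate URL" document and is not shown. MakeTestChain and SignBody are constructed fixtures that stand in for Amazon's certificate chain and signing step so the code runs offline; the request body, the "Constructed Test Root CA" name and the roots pool are assumptions (in production the pool is the system's trusted root CAs).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const alexaSAN = "echo-api.amazon.com" // the name the page requires among the signing certificate's SANs

// parseChain splits the PEM bundle into certificates in order: signing certificate first, then its issuers.
func parseChain(pemBytes []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("chain contains no certificates")
	}
	return certs, nil
}

// VerifyRequest performs the page's certificate and signature checks: x509.Verify covers the Not Before / Not After
// dates, the echo-api.amazon.com SAN and the chain of trust to roots; the Signature header is then checked against
// SHA-1 of the request body with the signing certificate's RSA public key.
func VerifyRequest(chainPEM []byte, signatureB64 string, body []byte, roots *x509.CertPool, now time.Time) error {
	certs, err := parseChain(chainPEM)
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool() // everything after the signing certificate helps build the chain
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{DNSName: alexaSAN, Roots: roots, Intermediates: intermediates, CurrentTime: now}
	if _, err := certs[0].Verify(opts); err != nil {
		return fmt.Errorf("signing certificate rejected: %w", err)
	}
	pub, ok := certs[0].PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("signing certificate does not carry an RSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil {
		return fmt.Errorf("Signature header is not valid base64: %w", err)
	}
	// PKCS#1 v1.5 verification is the page's "decrypt with the public key, then compare asserted and derived hash".
	derived := sha1.Sum(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, derived[:], sig); err != nil {
		return fmt.Errorf("signature does not match the request body: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T { // fixture helper: panic on error, never used by the verifier itself
	if err != nil {
		panic(err)
	}
	return v
}

// SignBody does what the sender does: SHA-1 over the body, RSA PKCS#1 v1.5 signature, base64 (fixture).
func SignBody(key *rsa.PrivateKey, body []byte) string {
	h := sha1.Sum(body)
	return base64.StdEncoding.EncodeToString(must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])))
}

// MakeTestChain builds a constructed root CA and signing certificate (fixtures, not Amazon's): the chain is the
// signing certificate followed by its issuer, in the order the page describes, so the verifier can run offline.
func MakeTestChain(now time.Time) ([]byte, *rsa.PrivateKey, *x509.CertPool) {
	rootKey, signKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: alexaSAN}, DNSNames: []string{alexaSAN},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &signKey.PublicKey, rootKey))
	chain := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw})...)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	return chain, signKey, roots
}

func main() {
	now, body := time.Now(), []byte(`{"version":"1.0","request":{"type":"LaunchRequest"}}`) // constructed request body
	chainPEM, key, roots := MakeTestChain(now)
	fmt.Println("genuine request:", VerifyRequest(chainPEM, SignBody(key, body), body, roots, now))
	fmt.Println("tampered body:  ", VerifyRequest(chainPEM, SignBody(key, body), append(body, '!'), roots, now))
}
```

Run stand-alone it prints <nil> for the genuine request and a signature error for the tampered body. Two design points follow the ordering of the steps: the chain is verified before the public key is ever used, so a chain fetched from an unexpected URL that does not anchor in a trusted root is rejected before it can influence anything, and rsa.VerifyPKCS1v15 performs steps 6 to 8 in one call, which is safer than decrypting and comparing hash bytes by hand.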
File
Defined in file src/endpoints/gossip/alexa/alexa.lisp.