Tootsville::Check-Alexa-Signature-Cert-Chain-Url

Function

Check-Alexa-Signature-Cert-Chain-Url names a function, with lambda list (URL):

Perform the mandatory checks on an Alexa request's certificate chain URL.

Excerpt from Amazon requirements at https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html:

Verifying the Signature Certificate URL

Before downloading the certificate from the URL specified in the SignatureCertChainUrl header, you should ensure that the URL represents a URL Amazon would use for the certificate. This protects against requests that attempt to make your web service download malicious files and similar attacks.

First, normalize the URL so that you can validate against a correctly formatted URL. For example, normalize

https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem

to:

https://s3.amazonaws.com/echo.api/echo-api-cert.pem

Next, determine whether the URL meets each of the following criteria:

Examples of correctly formatted URLs:

Examples of invalid URLs:

If the URL does not pass these tests, reject the request and do not proceed with verifying the signature.
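The excerpt above drops the criteria list and the example URLs, so here is the whole procedure worked through in portable Common Lisp. This is an added illustration, not Tootsville's `check-alexa-signature-cert-chain-url` (whose body is not shown on this page) and not Amazon's code. The four criteria it enforces are the ones Amazon publishes at the linked page: scheme `https` (case-insensitive), host `s3.amazonaws.com` (case-insensitive), port 443 if a port is given at all, and a path that starts with `/echo.api/` (case-sensitive) after `.` and `..` segments have been resolved. The URL parser is a deliberately minimal hand-rolled one so the example has no library dependency; a production implementation would use a proper URL library (quri or puri, for instance) and keep the same checks.

```lisp
;;;; Added example (not Tootsville's own code): the mandatory checks on an
;;;; Alexa request's SignatureCertChainUrl header, per Amazon's published
;;;; requirements.  Minimal URL parsing is hand-rolled here as an assumption
;;;; of the example; use a real URL library in production.

(defun split-path-segments (path)
  "Split PATH on #\\/ into a list of segments.  An absolute path yields a
leading empty segment; a trailing slash yields a trailing empty one."
  (loop with start = 0
        for pos = (position #\/ path :start start)
        collect (subseq path start pos)
        while pos
        do (setf start (1+ pos))))

(defun normalize-path (path)
  "Resolve \".\" and \"..\" segments of PATH (RFC 3986 remove_dot_segments),
so that /echo.api/../evil/x becomes /evil/x before the prefix check runs.
\"..\" above the root is silently dropped, as browsers do."
  (let ((segments (split-path-segments path))
        (out '()))
    (dolist (seg segments)
      (cond ((string= seg "") nil)          ; empty segment: "//" or leading "/"
            ((string= seg ".") nil)         ; current directory: no-op
            ((string= seg "..") (pop out))  ; parent directory: drop last segment
            (t (push seg out))))
    ;; A path ending in "/", "/." or "/.." names a directory; keep its slash.
    (let ((final (car (last segments))))
      (format nil "~{/~A~}~:[~;/~]"
              (nreverse out)
              (member final '("" "." "..") :test #'string=)))))

(defun parse-url (url)
  "Return (values SCHEME HOST PORT PATH) from URL; PORT is NIL when absent.
Returns NIL scheme and host if URL has no \"://\".  Query and fragment are
not expected in this header and are simply left attached to PATH."
  (let* ((scheme-end (search "://" url))
         (scheme (and scheme-end (subseq url 0 scheme-end)))
         (authority-start (and scheme-end (+ scheme-end 3)))
         (path-start (and authority-start
                          (position #\/ url :start authority-start)))
         (authority (and authority-start
                         (subseq url authority-start path-start)))
         (path (if path-start (subseq url path-start) ""))
         (colon (and authority (position #\: authority)))
         (host (and authority (subseq authority 0 colon)))
         (port (and colon (subseq authority (1+ colon)))))
    (values scheme host port path)))

(defun valid-cert-chain-url-p (url)
  "True when URL passes every check Amazon requires before the certificate
may be downloaded; NIL means reject the request without verifying the
signature."
  (multiple-value-bind (scheme host port path) (parse-url url)
    (and scheme host
         ;; Scheme and host are compared case-insensitively.
         (string-equal scheme "https")
         (string-equal host "s3.amazonaws.com")
         ;; A port is optional, but if present it must be exactly 443.
         ;; PARSE-INTEGER on junk signals an error, which IGNORE-ERRORS
         ;; turns into NIL and therefore into a rejection.
         (or (null port) (eql (ignore-errors (parse-integer port)) 443))
         ;; The path prefix check is case-sensitive and runs only after
         ;; dot-segment normalization, so "../" tricks cannot escape it.
         (let ((normalized (normalize-path path))
               (prefix "/echo.api/"))
           (and (>= (length normalized) (length prefix))
                (string= prefix normalized :end2 (length prefix)))))))

(defun demo ()
  "Run the check over constructed sample URLs modelled on Amazon's examples."
  (dolist (url '("https://s3.amazonaws.com/echo.api/echo-api-cert.pem"          ; accept
                 "https://s3.amazonaws.com:443/echo.api/echo-api-cert.pem"      ; accept
                 "https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem" ; accept
                 "http://s3.amazonaws.com/echo.api/echo-api-cert.pem"           ; bad scheme
                 "https://notamazon.com/echo.api/echo-api-cert.pem"             ; bad host
                 "https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem"          ; bad path case
                 "https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem"      ; bad port
                 "https://s3.amazonaws.com/echo.api/../other/echo-api-cert.pem")) ; escapes prefix
    (format t "~:[REJECT~;accept~] ~A~%" (valid-cert-chain-url-p url) url)))
```

Calling `(demo)` at a REPL prints one line per sample URL; the first three are accepted and the remaining five rejected. The order of the checks matters less than the fact that all of them run before any network access: the point of the procedure is that a request can never cause the service to fetch from a host or path the skill author did not choose, so a rejected URL is never dereferenced at all.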

File

Defined in file src/endpoints/gossip/alexa/alexa.lisp.