
I am using a ColdFusion web service for my custom skill. Docs here

We're successfully extracting the public key, checking the start/end dates of the certificate, verifying that echo-api.amazon.com is the subject of the certificate, and verifying the chain of trust (by using OpenSSL command line functions).

But we're stuck at the point where the Amazon documentation says to "Use the public key extracted from the signing certificate to decrypt the encrypted signature to produce the asserted hash value."

Here is my code:

    <!--- Extract the public key from the signing certificate with OpenSSL --->
    <cfexecute name="D:\openssl.exe"
        arguments="x509 -noout -pubkey -in D:\web\alexa\cert\echo.pem"
        variable="local.cert.OpenSSL_Pubkey"
        timeout="120">
    </cfexecute>

    <cffile action="write"
        file="D:\web\alexa\cert\keys\pubkey.key"
        output="#local.cert.OpenSSL_Pubkey#" nameconflict="makeunique">

    <!--- The Signature header is base64; keep a hex copy for inspection --->
    <cfset encryptedSign = binaryEncode( ToBinary( signature ) , "hex")>
    <cffile action="write"
        file="D:\web\alexa\cert\keys\pubkey.sig"
        output="#encryptedSign#" nameconflict="makeunique">

    <!--- Attempt to "decrypt" the signature with the public key --->
    <cfset assertedHash = Decrypt(encryptedSign, local.cert.OpenSSL_Pubkey)>
    <cffile action="write"
        file="D:\web\alexa\cert\keys\assertedHash.txt"
        output="#assertedHash#" nameconflict="makeunique">

    <!--- SHA-1 of the request body, to be compared with the asserted hash --->
    <cfset derivedHash = Hash(toString( getHttpRequestData().content ),"SHA-1")>
    <cffile action="write"
        file="D:\web\alexa\cert\keys\derivedHash.txt"
        output="#derivedHash#" nameconflict="makeunique">

I think the issue is in the ColdFusion decrypt logic where I get the assertedHash value. Unfortunately this gives me binary rubbish such as: 0!0 +p��(}%

  • *"... verifying that echo-api.amazon.com is the subject of the certificate..."* - that is probably incorrect. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Jan 26 '18 at 20:03
  • That is the wrong syntax for Decrypt, but ... not even sure why the Amazon docs say encryption. Sounds like they mean verify the signature, [which is different than encrypt/decrypt](https://security.stackexchange.com/questions/159282/can-openssl-decrypt-the-encrypted-signature-in-an-amazon-alexa-request-to-a-web#159289). – SOS Jan 26 '18 at 20:13
  • The Alexa Skills Kit for Java does all these checks internally. You can see the source code on GitHub and know how to handle that. – Shailesh Pratapwar Jan 30 '19 at 05:41
