alexa-skills-kit-sdk-for-java | Alexa Skills Kit SDK for Java helps | AWS library
kandi X-RAY | alexa-skills-kit-sdk-for-java Summary
The Alexa Skills Kit SDK for Java helps you get a skill up and running quickly, letting you focus on skill logic instead of boilerplate code.
Top functions reviewed by kandi - BETA
- Verifies the signed HTTP certificate
- Wait for a certificate to retry
- Verifies a signing certificate chain URL
- Retrieves a certificate from the specified URL
- Handles the user input
- Removes and closes the output speech
- Process template content
- Method used to create a custom exception
- Handle a POST request
- Handle the skill request
- Triggers a new connection on the web socket
- Handles the incoming request
- Processes template and returns response
- Returns a string representation of the TemplateContentData object
- Get the next combination
- Loads the template file content
- Unmarshalls the contents of the given byte array
- Performs the actual unmarshall operation
- Validates the given request against the validity of the request
- Create a debug endpoint URI
- Unmarshalls the JSON data
- Get the template data for a given identifier
- Sets the skill invoker method
- Handles the intent request
- Put template content
- Get the size of the request
alexa-skills-kit-sdk-for-java Key Features
alexa-skills-kit-sdk-for-java Examples and Code Snippets
Community Discussions
Trending Discussions on alexa-skills-kit-sdk-for-java
QUESTION
I'm trying to work through the steps listed here for an Alexa Skill I'm developing in Java.
I'm getting a request from Alexa which is a POST. Two of the headers are the signing certificate chain url and the signature.
Amazon SHA1 hashes then signs the entire body of the Alexa request with an X509 key, and then base64 encodes the signed body. This is the "signature." The signing certificate chain is the url where I can GET the X509 certificate chain that contains their public key.
What I need to do is base64 decode the signature, then use the X509 public key to decrypt the signature. This leaves me with a SHA1 hashed request body. Then I need to SHA1 hash the body of the request myself and compare the two.
I validate the certificate chain. I extract the public key. I hash the body of the POST and produce a derived hash value (it's SHA1withRSA). I base64 decode the "signature" then decrypt it with the public key to get the asserted hash value.
I've not been able to produce a derived hash value that matches the asserted hash value. This is where I'm stuck and I can't understand what I'm doing wrong. I don't really understand this encryption stuff very well so perhaps I'm missing something super simple.
Step 8 from the link above is where I'm stuck.
First, I borrowed the code from the Alexa SDK here. The problem is this code doesn't seem to work:
...
ANSWER
Answered 2021-Jan-14 at 05:28
First, digital signature is NOT encryption with the private key; Amazon is deceiving you there, see https://security.stackexchange.com/questions/159282/can-openssl-decrypt-the-encrypted-signature-in-an-amazon-alexa-request-to-a-web which was basically the same question except without Java. And Java crypto exacerbates this because it was designed in the 1990s when this mistake was still fairly common, and as a result the Cipher object which is intended to be for encryption and decryption accepts the 'backwards' use of RSA keys and internally changes them to the operations used in the Signature scheme 'NoneWithRSA' (which might be considered a pseudo-scheme since it doesn't really match PKCS1).
Expanding on that point, the difference between your 'decrypted' (more properly, recovered) value and a simple hash is that the PKCS1v1 signature scheme used here, now retronymed RSASSA-PKCS1-v1_5 in PKCS1v2, actually has four steps:
#1 hash the data
#2 encode the hash value and algorithm in a DigestInfo ASN.1 structure encoded in DER, which amounts to adding a fixed prefix per algorithm
#3-5 prepend padding of the form 00 01 FF...(at least 8) 00
(8.2.1#2) treating the result as a number m, apply RSASP1 which does m ^ d mod n (or for verify 8.2.2#2 apply RSAVP1 which does s ^ e mod n; this is stated as before the three padding steps above but actually can just as well be after)
The backwards-Cipher operation performs, or reverses, only the third and fourth steps above; you have added the first step, but not the second, so your 'decrypted' value is actually a DigestInfo structure that contains some metadata, the OID for the SHA1 algorithm, and the hash value that should correspond to the data.
This failure to create or remove the DigestInfo structure is also a very common mistake and problem; see my list at https://crypto.stackexchange.com/questions/87006/why-is-data-signed-with-sha256-rsa-pkcs-and-digest-signed-with-rsa-pkcs-differen/#87022 .
But it doesn't match. The hash value embedded in the recovered DigestInfo is not the same as the hash value you computed on your data (and I also get). This strongly suggests some change between your data and the data Amazon signed, but I have no idea what; certainly your data looks superficially like an Alexa request should. Sorry :-)
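The DigestInfo point from the answer above, as an added example that is not part of the original post or of the SDK: it signs a constructed request body with a locally generated RSA key pair (both are stand-ins for Amazon's certificate key and a real Alexa request), shows that the "decrypt the signature" approach recovers a 35-byte DigestInfo rather than the 20-byte SHA-1 hash, and then verifies with `Signature`, which handles all steps of RSASSA-PKCS1-v1_5.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;

public class DigestInfoDemo {
    // Fixed DER prefix of a SHA-1 DigestInfo (RFC 8017, section 9.2, note 1).
    static final byte[] SHA1_PREFIX = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
                                       0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a throwaway key pair and a sample request body.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] body = "{\"version\":\"1.0\",\"request\":{\"type\":\"LaunchRequest\"}}"
                .getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(body);
        byte[] sig = signer.sign();

        // The approach from the question: "decrypt" the signature with the public key.
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.DECRYPT_MODE, kp.getPublic());
        byte[] recovered = cipher.doFinal(sig);   // padding removed, DigestInfo left
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(body);

        System.out.println("recovered bytes: " + recovered.length + ", hash bytes: " + hash.length);
        System.out.println("recovered equals bare hash: " + Arrays.equals(recovered, hash));

        // Strip the DigestInfo prefix; the remainder is the hash that was signed.
        byte[] prefix = Arrays.copyOfRange(recovered, 0, SHA1_PREFIX.length);
        byte[] embedded = Arrays.copyOfRange(recovered, SHA1_PREFIX.length, recovered.length);
        System.out.println("prefix is SHA-1 DigestInfo: " + Arrays.equals(prefix, SHA1_PREFIX));
        System.out.println("embedded hash equals bare hash: " + MessageDigest.isEqual(embedded, hash));

        // The supported way: let Signature do hashing, DigestInfo and padding checks.
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(body);
        System.out.println("Signature.verify on raw body: " + verifier.verify(sig));

        // Any change to the body bytes (re-serialised JSON, charset, whitespace) fails.
        body[0] ^= 1;
        verifier.initVerify(kp.getPublic());
        verifier.update(body);
        System.out.println("Signature.verify on altered body: " + verifier.verify(sig));
    }
}
```

In a real endpoint the bytes passed to `update` must be the raw HTTP body exactly as received, before any JSON parsing or re-encoding.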
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install alexa-skills-kit-sdk-for-java
You can use alexa-skills-kit-sdk-for-java like any standard Java library. Include the jar files in your classpath. You can also use any IDE to run and debug the alexa-skills-kit-sdk-for-java component as you would any other Java program. Best practice is to use a build tool that supports dependency management, such as Maven or Gradle. For Maven installation, refer to maven.apache.org. For Gradle installation, refer to gradle.org.