alexa_request_verifier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f04e24cc0281c027ccf0f9d8220c121000623eec
+  data.tar.gz: 3957243bbc7ecb22f3f0563a82061e903c811c84
+SHA512:
+  metadata.gz: 67b7bc57673d5e3de1364ff0f76b7e644407af7a4b66b35184a48cb9730d4c06799503092988394883aac0d6a76a6e90154d28c02803400551e36a0632b76662
+  data.tar.gz: 01c9b9eb44b4ccd23a15d834203344b7d919a68ea4f027684513141164b211c3b3c5ecf973281a5fa36d1c9d7dfdfeb4ca68e9145d1095ccdc4e8bc964d5d868

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+Gemfile.lock

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,9 @@
+AllCops:
+  Exclude:
+    - spec/**/*.rb
+
+Metrics/LineLength:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

data/.ruby-version

@@ -0,0 +1 @@
+2.4.2

data/.travis.yml

@@ -0,0 +1,14 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.0
+  - 2.1
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.4.2
+  - ruby-head
+
+matrix:
+  allow_failures:
+  - rvm: ruby-head

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at m@rayner.io. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in alexa_request_verifier.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Matt Rayner
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+# Alexa Request Verifier
+
+[AlexaRequestVerifier][alexa_request_verifier] is a gem created to verify that requests received within a Sinatra application originate from Amazon's Alexa API.
+
+[![Build Status][shield-travis]][info-travis] [![License][shield-license]][info-license]
+
+## Requirements
+[AlexaRequestVerifier][alexa_request_verifier] requires the following:
+* [Ruby][ruby] - version 2.0 or greater
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'alexa_request_verifier'
+```
+
+
+## Usage
+This gem's main function is taking an [Sinatra][sinatra] request and verifying that it was sent by Amazon.
+
+```ruby
+# within server.rb (or equivalent)
+
+post '/' do
+  AlexaRequestVerifier.valid!(request)
+end
+```
+
+### Methods
+[AlexaRequestVerifier][alexa_request_verifier] has two main entry points, detailsed below:
+
+Method | Parameter type | Returns
+---|---|---
+`AlexaRequestVerifier.valid!(request)` | `Sinatra::Request` | `true` on successful verification. Raises an error if unsuccessful.
+`AlexaRequestVerifier.valid?(request)` | `Sinatra::Request` | `true` on successful verificatipn. `false` if unsuccessful.
+
+
+### Handling errors
+AlexaRequestVerifier#valid! will raise one of the following *expected* errors if verification cannot be performed.
+
+> Please note that all errors come with (hopefully) helpful accompanying messages.
+
+Error | Description
+---|---
+`AlexaRequestVerifier::InvalidCertificateURIError` | Raised when the certificate URI does not pass validation.
+`AlexaRequestVerifier::InvalidCertificateError` | Raised when the certificate itself does not pass validation e.g. out of date, does not contain the requires SAN extension, etc.
+`AlexaRequestVerifier::InvalidRequestError` | Raised when the request cannot be verified (not timely, not signed with the certificate, etc.)
+
+
+## Getting Started with Development
+To clone the repository and set up the dependencies, run the following:
+```bash
+git clone https://github.com/mattrayner/alexa_request_verifier.git
+cd alexa_request_verifier
+bundle install
+```
+
+### Running the tests
+We use [RSpec][rspec] as our testing framework and tests can be run using:
+```bash
+bundle exec rake
+```
+
+
+## Contributing
+If you wish to submit a bug fix or feature, you can create a pull request and it will be merged pending a code review.
+
+1. Fork the repository
+1. Create your feature branch (`git checkout -b my-new-feature`)
+1. Commit your changes (`git commit -am 'Add some feature'`)
+1. Push to the branch (`git push origin my-new-feature`)
+1. Ensure your changes are tested using [Rspec][rspec]
+1. Create a new Pull Request
+
+
+## License
+[AlexaRequestVerifier][alexa_request_verifier] is licensed under the [MIT][info-license].
+
+## Code of Conduct
+
+Everyone interacting in the AlexaRequestVerifier project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct][code_of_conduct].
+
+[alexa_request_verifier]: https://github.com/mattrayner/alexa_request_verifier
+[ruby]:                   http://ruby-lang.org
+[rspec]:                  http://rspec.info
+[code_of_conduct]:        https://github.com/mattrayner/alexa_request_verifier/blob/master/CODE_OF_CONDUCT.md
+
+[info-travis]:   https://travis-ci.org/mattrayner/alexa_request_verifier
+[shield-travis]: https://img.shields.io/travis/mattrayner/alexa_request_verifier.svg
+
+[info-license]:   https://github.com/mattrayner/alexa_request_verifier/blob/master/LICENSE
+[shield-license]: https://img.shields.io/badge/license-MIT-blue.svg

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/alexa_request_verifier.gemspec

@@ -0,0 +1,30 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'alexa_request_verifier/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'alexa_request_verifier'
+  spec.version       = AlexaRequestVerifier::VERSION
+  spec.authors       = ['Matt Rayner']
+  spec.email         = ['m@rayner.io']
+
+  spec.summary       = 'Verify HTTP requests sent to an Alexa skill are sent from Amazon.'
+  spec.description   = 'This gem is designed to work with Sinatra applications that serve as back-ends for Amazon Alexa skills.'
+  spec.homepage      = 'https://github.com/mattrayner/alexa_request_verifier'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'simplecov', '~> 0.15'
+  spec.add_development_dependency 'timecop', '~> 0.9'
+  spec.add_development_dependency 'vcr', '~> 3.0'
+  spec.add_development_dependency 'webmock', '~> 3.0'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'alexa_request_verifier'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/alexa_request_verifier.rb

@@ -0,0 +1,108 @@
+require 'alexa_request_verifier/certificate_store'
+require 'alexa_request_verifier/verifier'
+require 'alexa_request_verifier/version'
+
+# Errors
+require 'alexa_request_verifier/base_error'
+require 'alexa_request_verifier/invalid_certificate_error'
+require 'alexa_request_verifier/invalid_certificate_u_r_i_error'
+require 'alexa_request_verifier/invalid_request_error'
+
+# Verify that HTTP requests sent to an Alexa skill are sent from Amazon
+# @since 0.1.0
+module AlexaRequestVerifier
+  REQUEST_THRESHOLD = 150 # Requests must be received within X seconds
+
+  class << self
+    # Validate a request object from Sinatra.
+    # Raise an error if it is not valid.
+    #
+    # @param [Sinatra::Request] request a Sinatra HTTP Request
+    #
+    # @raise [AlexaRequestVerifier::InvalidCertificateURIError]
+    #   there was a problem validating the certificate URI from your request
+    #
+    # @return [nil] will always return nil
+    def valid!(request)
+      signature_certificate_url = request.env['HTTP_SIGNATURECERTCHAINURL']
+
+      AlexaRequestVerifier::Verifier::CertificateURIVerifier.valid!(signature_certificate_url)
+
+      raw_body = request.body.read
+      request.body.rewind
+
+      check_that_request_is_timely(raw_body)
+
+      check_that_request_is_valid(signature_certificate_url, request, raw_body)
+
+      true
+    end
+
+    # Validate a request object from Sinatra.
+    # Return a boolean.
+    #
+    # @param [Sinatra::Request] request a Sinatra HTTP Request
+    # @return [Boolean] is the request valid?
+    def valid?(request)
+      begin
+        valid!(request)
+      rescue AlexaRequestVerifier::BaseError => e
+        puts e
+
+        return false
+      end
+
+      true
+    end
+
+    private
+
+    # Prevent replays of requests by checking that they are timely.
+    #
+    # @param [String] raw_body the raw body of our https request
+    # @raise [AlexaRequestVerifier::InvalidRequestError] raised when the timestamp is not timely, or is not set
+    def check_that_request_is_timely(raw_body)
+      request_json = JSON.parse(raw_body)
+
+      raise AlexaRequestVerifier::InvalidRequestError, 'Timestamp field not present in request' if request_json.fetch('request', {}).fetch('timestamp', nil).nil?
+
+      raise AlexaRequestVerifier::InvalidRequestError, 'Request is from more than 150 seconds ago' unless Time.parse(request_json['request']['timestamp'].to_s) >= (Time.now - REQUEST_THRESHOLD)
+    end
+
+    # Check that our request is valid.
+    #
+    # @param [String] signature_certificate_url the url for our signing certificate
+    # @param [Sinatra::Request] request the request object
+    # @param [String] raw_body the raw body of our https request
+    def check_that_request_is_valid(signature_certificate_url, request, raw_body)
+      certificate = AlexaRequestVerifier::CertificateStore.fetch(signature_certificate_url)
+
+      begin
+        AlexaRequestVerifier::Verifier::CertificateVerifier.valid!(certificate)
+
+        check_that_request_was_signed(certificate.public_key, request, raw_body)
+      rescue AlexaRequestVerifier::InvalidCertificateError, AlexaRequestVerifier::InvalidRequestError => error
+        # We don't want to cache a certificate that fails our checks as it could lock us out of valid requests for the cache length
+        AlexaRequestVerifier::CertificateStore.delete(signature_certificate_url)
+
+        raise error
+      end
+    end
+
+    # Check that our request was signed by a given public key.
+    #
+    # @param [OpenSSL::PKey::PKey] certificate_public_key the public key we are checking
+    # @param [Sinatra::Request] request the request object we are checking
+    # @param [String] raw_body the raw body of our https request
+    # @raise [AlexaRequestVerifier::InvalidRequestError] raised if our signature does not match the certificate provided
+    def check_that_request_was_signed(certificate_public_key, request, raw_body)
+      signed_by_certificate = certificate_public_key.verify(
+        OpenSSL::Digest::SHA1.new,
+        Base64.decode64(request.env['HTTP_SIGNATURE']),
+        raw_body
+      )
+
+      raise AlexaRequestVerifier::InvalidRequestError, 'Signature does not match certificate provided' unless signed_by_certificate
+    end
+  end
+end

data/lib/alexa_request_verifier/base_error.rb

@@ -0,0 +1,4 @@
+module AlexaRequestVerifier
+  class BaseError < StandardError
+  end
+end

data/lib/alexa_request_verifier/certificate_store.rb

@@ -0,0 +1,81 @@
+module AlexaRequestVerifier
+  # A module used to download, cache and serve certificates from our requests.
+  # @since 0.1
+  module CertificateStore
+    CERTIFICATE_CACHE_TIME = 1800 # 30 minutes
+
+    class << self
+      # Given a certificate uri, either download the certificate, or
+      # load it from our certificate store.
+      #
+      # @param [String] uri the uri of our certificate
+      # @return [OpenSSL::X509::Certificate] our certificate file
+      def fetch(uri)
+        store
+
+        if cache_valid?(@store[uri])
+          certificate = @store[uri][:certificate]
+        else
+          certificate_data = download_certificate(uri)
+          certificate = OpenSSL::X509::Certificate.new(certificate_data)
+
+          @store[uri] = { timestamp: Time.now, certificate: certificate }
+        end
+
+        certificate
+      end
+
+      # Given a certificate uri, remove the certificate from our store.
+      #
+      # @param [String] uri the uri of our certificate
+      # @return [nil|Hash] returns nil if the certificate was not in the store,
+      #   or a Hash representing the deleted certificate
+      def delete(uri)
+        store
+
+        @store.delete(uri)
+      end
+
+      # Returns a copy of our certificate store
+      #
+      # @return [Hash] returns our certificate store
+      def store
+        @store ||= {}
+      end
+
+      private
+
+      # Given a certificate entry from our store, tell us if the cache is still valid
+      #
+      # @param [Hash] certificate_entry the entry we are checking
+      # @return [Boolean] is the certificate cache valid?
+      def cache_valid?(certificate_entry)
+        return false if certificate_entry.nil?
+
+        (Time.now <= (certificate_entry[:timestamp] + CERTIFICATE_CACHE_TIME))
+      end
+
+      # Given a certificate uri, download it and return the certificate data
+      #
+      # @param [String] uri the uri of our certificate
+      # @return [String] certificate data
+      def download_certificate(uri)
+        certificate_uri = URI.parse(uri)
+
+        certificate_data = nil
+
+        Net::HTTP.start(certificate_uri.host, certificate_uri.port, use_ssl: true) do |http|
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+          response = http.request(Net::HTTP::Get.new(certificate_uri))
+
+          raise AlexaRequestVerifier::InvalidCertificateError, "Unable to download certificate from #{certificate_uri} - Got #{response.code} status code" unless response.is_a? Net::HTTPOK
+
+          certificate_data = response.body
+        end
+
+        certificate_data
+      end
+    end
+  end
+end

data/lib/alexa_request_verifier/invalid_certificate_error.rb

@@ -0,0 +1,8 @@
+module AlexaRequestVerifier
+  # An error that is raised when the certificate referenced from a request is
+  # invalid.
+  #
+  # @since 0.1
+  class InvalidCertificateError < AlexaRequestVerifier::BaseError
+  end
+end

data/lib/alexa_request_verifier/invalid_certificate_u_r_i_error.rb

@@ -0,0 +1,31 @@
+module AlexaRequestVerifier
+  # An error that is raised when the certificate URI from a request is invalid.
+  # @since 0.1
+  class InvalidCertificateURIError < AlexaRequestVerifier::BaseError
+    # Create a new instance of our InvalidCertificateURIError
+    #
+    # @param [String] message the main message we want to include
+    # @param [String] value an optional value used when creating a message.
+    #
+    # @example Error without a value
+    #   AlexaRequestVerifier::InvalidCertificateURIError.new(
+    #     'No URI Passed'
+    #   ) #=> #<AlexaRequestVerifier::InvalidCertificateURIError
+    #             @message="Invalid certificate URI : No URI Passed.">
+    #
+    # @example Error with a valuex
+    #   AlexaRequestVerifier::InvalidCertificateURIError.new(
+    #     "Expected 'a'",
+    #     'b'
+    #   ) #=> #<AlexaRequestVerifier::InvalidCertificateURIError
+    #             @message="Invalid certificate URI : Expected 'a'. Got: 'b'.">
+    #
+    # @return [AlexaRequestVerifier::InvalidCertificateURIError] a new instance
+    def initialize(message, value = nil)
+      error_message = "Invalid certificate URI : #{message}."
+      error_message = "#{error_message} Got: '#{value}'." if value
+
+      super(error_message)
+    end
+  end
+end

data/lib/alexa_request_verifier/invalid_request_error.rb

@@ -0,0 +1,8 @@
+module AlexaRequestVerifier
+  # An error that is raised when the certificate referenced from a request is
+  # invalid.
+  #
+  # @since 0.1
+  class InvalidRequestError < AlexaRequestVerifier::BaseError
+  end
+end

data/lib/alexa_request_verifier/verifier.rb

@@ -0,0 +1,9 @@
+require_relative 'verifier/certificate_verifier'
+require_relative 'verifier/certificate_u_r_i_verifier'
+
+module AlexaRequestVerifier
+  # A namespace for all of our verifiers to live under
+  # @since 0.1
+  module Verifier
+  end
+end

data/lib/alexa_request_verifier/verifier/certificate_u_r_i_verifier.rb

@@ -0,0 +1,93 @@
+module AlexaRequestVerifier
+  module Verifier
+    # Given an Alexa certificate URI, validate it according to:
+    # https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#h2_verify_sig_cert
+    #
+    # @since 0.1
+    module CertificateURIVerifier
+      VALIDATIONS = {
+        scheme: 'https',
+        port:   443,
+        host:   's3.amazonaws.com'
+      }.freeze
+
+      PATH_REGEX = %r{\A\/echo.api\/}
+
+      class << self
+        # Check that a given certificate URI meets Amazon's requirements.
+        # Raise an error if it does not.
+        #
+        # @param [String] uri The URI value from HTTP_SIGNATURECERTCHAINURL
+        #
+        # @raise [AlexaRequestVerifier::InvalidCertificateURIError] An error
+        #   raised when the URI does not meet a requirement
+        #
+        # @return [true] This method will either raise an error or return true
+        def valid!(uri)
+          begin
+            uri = URI.parse(uri)
+          rescue URI::InvalidURIError => e
+            puts e
+
+            raise AlexaRequestVerifier::InvalidCertificateURIError,
+                  "#{uri} : #{e.message}"
+          end
+
+          test_validations(uri)
+
+          test_path(uri)
+
+          true
+        end
+
+        # Check that a given certificate URI meets Amazon's requirements
+        # Return true if it does, or false if it does not.
+        #
+        # @param [String] uri The URI value from HTTP_SIGNATURECERTCHAINURL
+        #
+        # @return [Boolean] Returns true if the uri is valid and false if not
+        def valid?(uri)
+          begin
+            valid!(uri)
+          rescue AlexaRequestVerifier::InvalidCertificateURIError => e
+            puts e
+
+            return false
+          end
+
+          true
+        end
+
+        private
+
+        # Test that a given URI meets all of our 'simple' validation rules.
+        #
+        # @param [URI] uri the URI object to test
+        def test_validations(uri)
+          VALIDATIONS.each do |method, value|
+            next if uri.send(method) == value
+
+            raise AlexaRequestVerifier::InvalidCertificateURIError.new(
+              "URI #{method} must be '#{value}'",
+              uri.send(method)
+            )
+          end
+        end
+
+        # Test that a given URI matches our 'path' regex.
+        #
+        # @param [URI] uri the URI object to test
+        def test_path(uri)
+          path = File.absolute_path(uri.path)
+
+          return if path.match(PATH_REGEX) # rubocop:disable Performance/RegexpMatch # Disabled for backwards compatibility below 2.4
+
+          raise AlexaRequestVerifier::InvalidCertificateURIError.new(
+            "URI path must start with '/echo.api/'",
+            uri.path
+          )
+        end
+      end
+    end
+  end
+end

data/lib/alexa_request_verifier/verifier/certificate_verifier.rb

@@ -0,0 +1,65 @@
+require 'json'
+require 'time'
+require 'net/http'
+require 'openssl'
+require 'base64'
+
+module AlexaRequestVerifier
+  module Verifier
+    # Given an OpenSSL certificate, validate it according to:
+    # https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#h2_verify_sig_cert
+    #
+    # @since 0.1
+    module CertificateVerifier
+      SAN = 'echo-api.amazon.com'.freeze
+
+      class << self
+        # Check that a given certificate meet's Amazon's requirements.
+        # Raise an error if it does not.
+        #
+        # @param [OpenSSL::X509::Certificate] certificate certificate to check.
+        #
+        # @raise [AlexaRequestVerifier::InvalidCertificateError] raised when
+        #   the provided certificate does not meet a requirement
+        #
+        # @return [true] either returns true or raises an error.
+        def valid!(certificate)
+          # Check that it's in date
+          certificate_in_date = Time.now.between?(certificate.not_before, certificate.not_after)
+          raise AlexaRequestVerifier::InvalidCertificateError, 'Certificate is not in date.' unless certificate_in_date
+
+          # Check that the required SAN is present
+          valid_sans = certificate.extensions.select do |extension|
+            valid_oid = (extension.oid == 'subjectAltName')
+            valid_value = (extension.value == "DNS:#{SAN}")
+
+            valid_oid && valid_value
+          end
+          raise AlexaRequestVerifier::InvalidCertificateError, "Certificate does not contain SAN: #{SAN}." if valid_sans.empty?
+
+          # TODO: Check that the certificate is valid up to the root CA
+
+          true
+        end
+
+        # Check that a given certificate meet's Amazon's requirements.
+        # Returns a boolean.
+        #
+        # @param [OpenSSL::X509::Certificate] certificate certificate to check.
+        #
+        # @return [Boolean] returns the result of our checks.
+        def valid?(certificate)
+          begin
+            valid!(certificate)
+          rescue AlexaRequestVerifier::InvalidCertificateError => e
+            puts e
+
+            return false
+          end
+
+          true
+        end
+      end
+    end
+  end
+end

data/lib/alexa_request_verifier/version.rb

@@ -0,0 +1,3 @@
+module AlexaRequestVerifier
+  VERSION = '0.1.0'.freeze
+end

metadata

@@ -0,0 +1,166 @@
+--- !ruby/object:Gem::Specification
+name: alexa_request_verifier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Matt Rayner
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-11-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: This gem is designed to work with Sinatra applications that serve as
+  back-ends for Amazon Alexa skills.
+email:
+- m@rayner.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- alexa_request_verifier.gemspec
+- bin/console
+- bin/setup
+- lib/alexa_request_verifier.rb
+- lib/alexa_request_verifier/base_error.rb
+- lib/alexa_request_verifier/certificate_store.rb
+- lib/alexa_request_verifier/invalid_certificate_error.rb
+- lib/alexa_request_verifier/invalid_certificate_u_r_i_error.rb
+- lib/alexa_request_verifier/invalid_request_error.rb
+- lib/alexa_request_verifier/verifier.rb
+- lib/alexa_request_verifier/verifier/certificate_u_r_i_verifier.rb
+- lib/alexa_request_verifier/verifier/certificate_verifier.rb
+- lib/alexa_request_verifier/version.rb
+homepage: https://github.com/mattrayner/alexa_request_verifier
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: Verify HTTP requests sent to an Alexa skill are sent from Amazon.
+test_files: []