I've been hacking together a server-based skill & doing verification in PHP. The Alexa request comes in with HTTP headers including a signature such as:
dWgWTtAdG3RIB/54Q1XJ86Wy7G2iesJUIuMNbAtptiVPMV0Q415iMLJ2/50Ii1nxx3IftOytWDNu4HX
dZZhUDp11Qk4rXeIFY+Plofdj4sLrTDvySCEzsGee7H2kdQ1ExG2sEmiv4D84EVgfqI9THR9Ig3NTl2YTw
yXbCWWZVMa1VAGCTSsTGHD3HptS7jvv1XvkZMrsU7k8dABOAKA1083REkX3ccuLyAeuDhi5PWWFYR
CGYz4cQbXd8pAEp55NII0KWoK+gvARnn2qMraZAn6WCw2blQ9v87khr86ibtAHAhYlNmuc4xmNZ2OE
I+tkau38PRXiFyttw1Z9xjMDYA==
Converting that to binary with base64_decode() and decrypting with openssl_public_decrypt() gives this, after bin2hex():
3021300906052b0e03021a0500041433518d943e1851830b2e596a1c025b8f9be55d74
The SHA-1 hash of the request body (JSON data) in this case is:
33518d943e1851830b2e596a1c025b8f9be55d74
So it appears that the decrypted signature is the 40-character SHA-1 hash of the JSON data prepended with 30 characters of something else:
3021300906052b0e03021a05000414
33518d943e1851830b2e596a1c025b8f9be55d74 matches the SHA-1 hash of the JSON data
So what is the 30-character first part?
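
As an added example that is not part of the original post: the 15-byte (30 hex character) prefix is the DER-encoded header of a PKCS#1 v1.5 DigestInfo structure, which names the hash algorithm by OID ahead of the digest. The PHP below, with hypothetical function names, parses the decrypted value quoted above into its algorithm OID (1.3.14.3.2.26, SHA-1), the NULL parameters and the 20-byte digest.

```php
<?php
// Added example; function names are hypothetical, not from the post.

// Read one DER TLV with a short-form length (< 128 bytes), which is all a
// SHA-1 DigestInfo needs. Returns [tag, value bytes, remaining bytes].
function readTlv(string $der): array
{
    if (strlen($der) < 2) {
        throw new InvalidArgumentException('truncated TLV header');
    }
    $len = ord($der[1]);
    if ($len >= 0x80 || strlen($der) < 2 + $len) {
        throw new InvalidArgumentException('unsupported or truncated length');
    }
    return [ord($der[0]), (string) substr($der, 2, $len), (string) substr($der, 2 + $len)];
}

// Convert OBJECT IDENTIFIER content bytes to dotted-decimal form.
function oidToString(string $bytes): string
{
    $first = ord($bytes[0]);
    $arcs = $first < 80 ? [intdiv($first, 40), $first % 40] : [2, $first - 80];
    $value = 0;
    for ($i = 1; $i < strlen($bytes); $i++) {
        $octet = ord($bytes[$i]);
        $value = ($value << 7) | ($octet & 0x7f); // base-128, high bit means "more"
        if (($octet & 0x80) === 0) {
            $arcs[] = $value;
            $value = 0;
        }
    }
    return implode('.', $arcs);
}

// DigestInfo ::= SEQUENCE { SEQUENCE { OID, parameters }, OCTET STRING digest }
function parseDigestInfo(string $der): array
{
    [$t1, $body, $trailing] = readTlv($der);
    [$t2, $algId, $afterAlg] = readTlv($body);
    [$t3, $oid, $params] = readTlv($algId);
    [$t4, $digest, $extra] = readTlv($afterAlg);
    if ([$t1, $t2, $t3, $t4] !== [0x30, 0x30, 0x06, 0x04] || $oid === '' || $trailing . $extra !== '') {
        throw new InvalidArgumentException('not a well-formed DigestInfo');
    }
    return ['oid' => oidToString($oid), 'params' => bin2hex($params), 'digest' => bin2hex($digest)];
}

// Decrypted value exactly as quoted in the post.
$info = parseDigestInfo(hex2bin('3021300906052b0e03021a0500041433518d943e1851830b2e596a1c025b8f9be55d74'));
printf("OID %s, params %s, digest %s\n", $info['oid'], $info['params'], $info['digest']);
```

When checking a request, compare the extracted digest with `sha1()` of the raw body using `hash_equals()`, or let `openssl_verify()` with `OPENSSL_ALGO_SHA1` perform the padding and DigestInfo checks in one call.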