Invalid signatures with django-ask-sdk since ask-sdk-webservice-support v1.3.3 #202

@oyooyo

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[X] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

Expected Behavior

Request signatures should validate when using django-ask-sdk

Current Behavior

I'm using django-ask-sdk for a Django-hosted Alexa skill. Since ask-sdk-webservice-support v1.3.3, all incoming requests to the Alexa endpoint cause an InvalidSignature exception.

Django version 4.1, using settings 'django_project.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
2022-08-13 08:27:39,313 - ERROR - Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
Bad Request: /test_app/alexa_endpoint
2022-08-13 08:27:39,320 - WARNING - Bad Request: /test_app/alexa_endpoint
[13/Aug/2022 08:27:39] "POST /test_app/alexa_endpoint HTTP/1.1" 400 36

Possible Solution

The problem appears since ask-sdk-webservice-support v1.3.3 and disappears again by going back to v1.3.2. The problem seems to be related to ask-sdk-webservice-support's RequestVerifier class now using SHA256 instead of SHA1 as hash_algorithm by default:

class RequestVerifier(AbstractVerifier):
[...]
    def __init__(
            self,
            signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
            signature_key=SIGNATURE_HEADER,
            padding=PKCS1v15(), hash_algorithm=SHA256()):

and django-ask-sdk's SkillAdapter class is using the default value for hash_algorithm when instantiating the RequestVerifier:

class SkillAdapter(View):
[...]
    def __init__(
            self, skill, verify_signature=True, verify_timestamp=True,
            verifiers=None):
[...]
        if verify_signature:
            request_verifier = RequestVerifier(
                signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_KEY,
                signature_key=SIGNATURE_KEY)
            self._verifiers.append(request_verifier)

Steps to Reproduce (for bugs)

  1. Create a new, empty venv and activate it
  2. pip install Django django-ask-sdk
  3. Set up a Django-hosted Alexa skill using django-ask-sdk's SkillAdapter view
  4. Trigger a request to the Alexa skill's endpoint in the Alexa developer console.

Context

Your Environment

  • Operating System and version: Debian 11

Python version info

  • Python version used for development:
    3.9.2
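
The failure mode the report suspects, reproduced in isolation as an added example (not part of the original issue, and not code from ask-sdk-webservice-support or django-ask-sdk): an RSA PKCS1v15 signature only verifies under the digest it was created with, so a verifier that switches `hash_algorithm` without a matching signature raises `InvalidSignature`. The names `SAMPLE_BODY`, `verifies` and `digest_matrix`, the request body and the throwaway key are all constructed for illustration.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
from cryptography.hazmat.primitives.hashes import SHA1, SHA256

# Constructed stand-in for the raw POST body of a skill request.
SAMPLE_BODY = b'{"version": "1.0", "request": {"type": "LaunchRequest"}}'


def verifies(public_key, signature, body, hash_algorithm):
    """Return True if `signature` is valid for `body` under `hash_algorithm`."""
    try:
        # Same call shape as the public_key.verify(...) frame in the traceback.
        public_key.verify(signature, body, PKCS1v15(), hash_algorithm)
        return True
    except InvalidSignature:
        return False


def digest_matrix(body=SAMPLE_BODY):
    """Sign `body` with each digest, then verify with each digest.

    Returns {(signed_with, verified_with): bool}.
    """
    # Throwaway key pair standing in for the signing certificate's key (assumption).
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = private_key.public_key()
    digests = {"SHA1": SHA1, "SHA256": SHA256}
    results = {}
    for signed_name, signed_cls in digests.items():
        signature = private_key.sign(body, PKCS1v15(), signed_cls())
        for verify_name, verify_cls in digests.items():
            results[(signed_name, verify_name)] = verifies(
                public_key, signature, body, verify_cls())
    return results


if __name__ == "__main__":
    for (signed, verified), ok in sorted(digest_matrix().items()):
        outcome = "valid" if ok else "InvalidSignature"
        print(f"signed with {signed:6} / verified with {verified:6} -> {outcome}")
```

Only the two matching combinations verify; the body and the key are identical in all four cases, so the digest choice alone decides the outcome.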
