
Invalid signatures with django-ask-sdk since ask-sdk-webservice-support v1.3.3

Open oyooyo opened this issue 1 year ago • 4 comments

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[X] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

Expected Behavior

Request signatures should validate when using django-ask-sdk

Current Behavior

I'm using django-ask-sdk for a Django-hosted Alexa skill. Since ask-sdk-webservice-support v1.3.3, all incoming requests to the Alexa endpoint cause an InvalidSignature exception.

Django version 4.1, using settings 'django_project.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
2022-08-13 08:27:39,313 - ERROR - Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
Bad Request: /test_app/alexa_endpoint
2022-08-13 08:27:39,320 - WARNING - Bad Request: /test_app/alexa_endpoint
[13/Aug/2022 08:27:39] "POST /test_app/alexa_endpoint HTTP/1.1" 400 36

Possible Solution

The problem appears since ask-sdk-webservice-support v1.3.3 and disappears again by going back to v1.3.2. The problem seems to be related to ask-sdk-webservice-support's RequestVerifier class now using SHA256 instead of SHA1 as hash_algorithm by default:

class RequestVerifier(AbstractVerifier):
[...]
    def __init__(
            self,
            signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
            signature_key=SIGNATURE_HEADER,
            padding=PKCS1v15(), hash_algorithm=SHA256()):

and django-ask-sdk's SkillAdapter class is using the default value for hash_algorithm when instantiating the RequestVerifier:

class SkillAdapter(View):
[...]
    def __init__(
            self, skill, verify_signature=True, verify_timestamp=True,
            verifiers=None):
[...]
        if verify_signature:
            request_verifier = RequestVerifier(
                signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_KEY,
                signature_key=SIGNATURE_KEY)
            self._verifiers.append(request_verifier)

Steps to Reproduce (for bugs)

  1. Create a new, empty venv and activate it
  2. pip install Django django-ask-sdk
  3. Set up a Django-hosted Alexa skill using django-ask-sdk's SkillAdapter view
  4. Trigger a request to the Alexa skill's endpoint in the Alexa developer console.

Context

Your Environment

  • Operating System and version: Debian 11

Python version info

  • Python version used for development: 3.9.2

oyooyo avatar Aug 13 '22 08:08 oyooyo
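The analysis above comes down to one rule of RSA PKCS#1 v1.5 verification: the verifier re-encodes the request body with *its own* hash algorithm and compares that against what the public key recovers from the signature, so the hash named by the signature header and the hash configured in the verifier must agree. Alexa sends two signature headers, the legacy SHA-1 `Signature` and the SHA-256 `Signature-256`, and the page shows SkillAdapter handing the verifier its own SIGNATURE_KEY constant while accepting the new SHA256 default; whichever header that constant names, a mismatched pair produces exactly the InvalidSignature seen in the traceback. The stand-alone demo below is an added example and not code from the SDK or this issue: it reimplements the EMSA-PKCS1-v1_5 encode and verify steps over a toy RSA key built from two Mersenne primes (trivially factorable, demo only), signs a constructed request body with both hashes, and shows which header/hash combinations verify. `alexa_style_headers`, `verify_request` and `demo` are illustrative names, not SDK functions.

```python
"""Why checking a SHA-1 signature header with SHA-256 fails (added demo, stdlib only)."""
import base64
import hashlib
import hmac

# Toy RSA key from two known Mersenne primes. It is trivially factorable and
# exists only so the demo runs offline; never use such a key for real traffic.
P = (1 << 521) - 1          # M521
Q = (1 << 607) - 1          # M607
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (141 here)

# DER DigestInfo prefixes for SHA-1 and SHA-256 (RFC 8017, section 9.2, note 1).
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v1_5(message: bytes, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || 0xFF.. || 0x00 || DigestInfo || H(message)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    ps_len = K - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rsa_sign(message: bytes, hash_name: str) -> bytes:
    em = int.from_bytes(emsa_pkcs1_v1_5(message, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")


def rsa_verify(message: bytes, signature: bytes, hash_name: str) -> bool:
    """Recover EM with the public key and compare it to a fresh encoding made with
    the *verifier's* hash. This is the comparison that cryptography's
    public_key.verify(sig, data, PKCS1v15(), SHA256()) performs before raising
    InvalidSignature; here a False return stands in for that exception."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v1_5(message, hash_name))


def alexa_style_headers(body: bytes) -> dict:
    """Constructed stand-in for the two signature headers Alexa sends over the
    request body: legacy SHA-1 'Signature' and SHA-256 'Signature-256', base64."""
    return {
        "Signature": base64.b64encode(rsa_sign(body, "sha1")).decode(),
        "Signature-256": base64.b64encode(rsa_sign(body, "sha256")).decode(),
    }


def verify_request(headers: dict, body: bytes, signature_key: str, hash_name: str) -> bool:
    """Mirror of RequestVerifier's configurable pair: which header to read and
    which hash to verify with (illustrative, not the SDK's implementation)."""
    signature = base64.b64decode(headers[signature_key])
    return rsa_verify(body, signature, hash_name)


# Constructed request body; real envelopes are larger but the mechanics are identical.
BODY = b'{"version":"1.0","request":{"type":"LaunchRequest"}}'
HEADERS = alexa_style_headers(BODY)


def demo() -> dict:
    return {
        # v1.3.2-style pairing: SHA-1 header checked with SHA-1 -> valid
        "sha1_header_sha1_hash": verify_request(HEADERS, BODY, "Signature", "sha1"),
        # the mismatch behind this issue: SHA-1 header checked with SHA-256 -> invalid
        "sha1_header_sha256_hash": verify_request(HEADERS, BODY, "Signature", "sha256"),
        # consistent SHA-256 pairing -> valid
        "sha256_header_sha256_hash": verify_request(HEADERS, BODY, "Signature-256", "sha256"),
        # a tampered body fails even with a consistent pairing
        "tampered_body": verify_request(HEADERS, BODY + b" ", "Signature-256", "sha256"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'InvalidSignature'}")
```

The practical check this suggests for a django-ask-sdk deployment is to confirm, from the installed versions, which header name SkillAdapter passes as `signature_key` and which `hash_algorithm` the RequestVerifier defaults to, and to pin a version where the two agree; disabling the verifier loop to make requests go through removes the only proof that the request came from Alexa at all.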

I encountered the same issue as you, and solved it using your analysis, thanks very much! @oyooyo I think it is a critical issue that makes a basic feature fail; why have we not seen an official response and fix from the Alexa RD team? @doiron @haruny @milancermak @hyandell @JCGrant

bobshao avatar Oct 24 '22 10:10 bobshao

Encountering the same issue here.

thorrak avatar May 23 '23 17:05 thorrak

Bugfix for this is in PR #207

While waiting for that to get merged, I've created a custom package that wraps up the fix. If you want to use it, just copy the following into your requirements.txt instead of django-ask-sdk:

django-ask-sdk @ git+https://github.com/thorrak/django_ask_sdk@master

Note - I will delete this repo once the fix is officially released, so if you use it make a note to change it back later!

thorrak avatar May 23 '23 18:05 thorrak

My observation:

    # for verifier in self._verifiers:
    #     verifier.verify(
    #         headers=http_request_headers,
    #         serialized_request_env=http_request_body,
    #         deserialized_request_env=request_envelope)

If I disable the verifier in the file, it then launches the app.

Update: downgrading to 1.3.2 works.

ajinkya-open avatar Aug 30 '23 03:08 ajinkya-open