
Invalid signatures with django-ask-sdk since ask-sdk-webservice-support v1.3.3 #202

@oyooyo

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[X] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

Expected Behavior

Request signatures should validate when using django-ask-sdk

Current Behavior

I'm using django-ask-sdk for a Django-hosted Alexa skill. Since ask-sdk-webservice-support v1.3.3, all incoming requests to the Alexa endpoint cause an InvalidSignature exception.

Django version 4.1, using settings 'django_project.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
2022-08-13 08:27:39,313 - ERROR - Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
Bad Request: /test_app/alexa_endpoint
2022-08-13 08:27:39,320 - WARNING - Bad Request: /test_app/alexa_endpoint
[13/Aug/2022 08:27:39] "POST /test_app/alexa_endpoint HTTP/1.1" 400 36

Possible Solution

The problem appears since ask-sdk-webservice-support v1.3.3 and disappears again by going back to v1.3.2. The problem seems to be related to ask-sdk-webservice-support's RequestVerifier class now using SHA256 instead of SHA1 as hash_algorithm by default:

class RequestVerifier(AbstractVerifier):
[...]
    def __init__(
            self,
            signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
            signature_key=SIGNATURE_HEADER,
            padding=PKCS1v15(), hash_algorithm=SHA256()):

and django-ask-sdk's SkillAdapter class is using the default value for hash_algorithm when instantiating the RequestVerifier:

class SkillAdapter(View):
[...]
    def __init__(
            self, skill, verify_signature=True, verify_timestamp=True,
            verifiers=None):
[...]
        if verify_signature:
            request_verifier = RequestVerifier(
                signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_KEY,
                signature_key=SIGNATURE_KEY)
            self._verifiers.append(request_verifier)

Steps to Reproduce (for bugs)

  1. Create a new, empty venv and activate it
  2. pip install Django django-ask-sdk
  3. Set up a Django-hosted Alexa skill using django-ask-sdk's SkillAdapter view
  4. Trigger a request to the Alexa skill's endpoint in the Alexa developer console.

Context

Your Environment

  • Operating System and version: Debian 11

Python version info

  • Python version used for development:
    3.9.2
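
The failure mode diagnosed in the report above, as an added example that is not part of the original issue and is not SDK code: a PKCS#1 v1.5 RSA signature embeds a hash-specific DigestInfo block, so a signature made over a SHA-1 digest cannot verify when the verifier hashes with SHA-256. It assumes, as the report suggests, that the incoming signature was produced with SHA-1; the key (two Mersenne primes) and the request body are constructed for the demo, and the textbook RSA here stands in for the `cryptography` call seen in the traceback.

```python
import hashlib
import hmac

# Constructed demo key built from two Mersenne primes. NOT a secure key; it is
# used only so the example runs with the standard library alone (Python 3.8+).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER-encoded DigestInfo prefixes from RFC 8017, section 9.2.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15(message, hash_name):
    """Build the padded block 00 01 FF..FF 00 || DigestInfo || digest."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message, hash_name):
    """Sender side: sign the encoded block with the private exponent."""
    em = int.from_bytes(emsa_pkcs1_v15(message, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(signature, message, hash_name):
    """Verifier side: recover the signed block and compare it with the block
    the verifier expects for its own configured hash algorithm."""
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, hash_name))


def demo():
    # Constructed request body; the sender signs it over a SHA-1 digest.
    body = b'{"version": "1.0", "request": {"type": "LaunchRequest"}}'
    sig = sign(body, "sha1")
    # Same key, same body: only the verifier's hash algorithm differs.
    return {h: verify(sig, body, h) for h in ("sha1", "sha256")}


if __name__ == "__main__":
    print(demo())
```

The body and certificate are untouched in both checks, which is why the error surfaces as "Request body is not valid" even though nothing was tampered with.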
