This would make an awesome elixir library when you are done. *hint*hint* ^.^
Yeah - that is my plan! Once I get the functionality working Iāll then have to figure out how to separate it out into a library (Havenāt never done that yet but I am assuming there is good documentation and it is not that hard).
Part of me is wondering if there is a big need for an elixir library that basically has all of the erlang records preloaded so that Elixir members can use Erlang records without needing to find the files and extract them etcā¦
Yeah it is very simple.
Always useful too!
Woo hoo! I got it to verify! Some notes for those of you who may later read this: I did need to base64 decode the message and we did not need to further decode the RSA since the :otp decode did it recursively.
I am attaching a modified version of the PublicKey test that xlphs posted on github that now works with verify. I have a few more easy validations an to add and some cleanup and will then extract this whole thing into a library so that people can just use mix to import it. Thanks again to everyone who helped! I really appreciate it!
defmodule PublicKey do
def verify_fun(_, {:extension, _}, state) do
IO.puts "verify_fun -- extension"
{:unknown, state}
end
def verify_fun(_, {:revoked, _}, state) do
IO.puts "verify_fun -- revoked"
{:fail, state}
end
def verify_fun(cert, event, state) do
IO.puts "verify_fun --"
IO.inspect event
{:unknown, state}
end
def verify do
Application.ensure_all_started :inets
Application.ensure_all_started :ssl
Application.ensure_all_started :public_key
{:ok, resp} = :httpc.request(:get, {'https://s3.amazonaws.com/echo.api/echo-api-cert-4.pem', []}, [], [body_format: :binary])
{_, _headers, certificate_chain_bin} = resp
# alternatively, read from local file
# {:ok, certificate_chain_bin} = :file.read_file("echo-api-cert.pem")
cert_chain = :public_key.pem_decode(certificate_chain_bin)
cert_chain_decoded = Enum.map(cert_chain,
fn {_, bin, _} -> bin
end) |> Enum.reverse
{:ok, resp} = :httpc.request(:get, {'https://www.symantec.com/content/dam/symantec/docs/other-resources/verisign-class-3-public-primary-certification-authority-g5-en.pem', []}, [], [body_format: :binary])
{_, _headers, root_cert_bin} = resp
# {:ok, root_cert_bin} = :file.read_file("auth_root.pem")
[{_, root_cer, _}] = :public_key.pem_decode(root_cert_bin)
case :public_key.pkix_path_validation(root_cer, cert_chain_decoded,
[{:verify_fun, {&PublicKey.verify_fun/3, {}}}]) do
{:ok, {public_key_info, _policy_tree}} ->
IO.inspect public_key_info
{:error, {:bad_cert, reason}} ->
IO.puts "validation failed with bad cert"
IO.inspect reason
end
[{_,first,_}|_tail] = cert_chain
decoded = :public_key.pkix_decode_cert(first,:otp)
public_key_der = decoded |> elem(1) |> elem(7) |> elem(2)
message = "<raw body of alexa request>"
signature = "cHV0IHNpZ25hdHVyZSB2YWx1ZSBpbiByZXF1ZXN0IGhlYWRlciBoZXJl" #signature request header parameter
{:ok, signature} = Base.decode64(signature)
IO.puts ("verified? #{:public_key.verify(message, :sha, signature, public_key_der)}");
end
end
PublicKey.verify()
Hi all,
Just a quick note that I believe I finished all the validation and published it to hex and github as a library. You can see it on github here https://github.com/grahac/alexa_request_verifier. and on Hex here https://hexdocs.pm/alexa_request_verifier/api-reference.html
Thank you all once again for your help! Also, this is my very first Elixir library submission so if I did something wrong or if you have any suggestions on how to make it better, please let me know!