
Invalid signatures with django-ask-sdk since ask-sdk-webservice-support v1.3.3 #202

Open
oyooyo opened this issue Aug 13, 2022 · 4 comments

Comments


oyooyo commented Aug 13, 2022

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[X] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:

Expected Behavior

Request signatures should validate when using django-ask-sdk

Current Behavior

I'm using django-ask-sdk for a Django-hosted Alexa skill. Since ask-sdk-webservice-support v1.3.3, all incoming requests to the Alexa endpoint cause an InvalidSignature exception.

Django version 4.1, using settings 'django_project.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
2022-08-13 08:27:39,313 - ERROR - Request verification failed
Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 414, in _valid_request_body
    public_key.verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in verify
    _rsa_sig_verify(
  File "/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 325, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.9/site-packages/django_ask_sdk/skill_adapter.py", line 199, in post
    response = self._webservice_handler.verify_request_and_dispatch(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/webservice_handler.py", line 145, in verify_request_and_dispatch
    verifier.verify(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 210, in verify
    self._valid_request_body(
  File "/venv/lib/python3.9/site-packages/ask_sdk_webservice_support/verifier.py", line 418, in _valid_request_body
    raise VerificationException("Request body is not valid", e)
ask_sdk_webservice_support.verifier.VerificationException: ('Request body is not valid', InvalidSignature())
Bad Request: /test_app/alexa_endpoint
2022-08-13 08:27:39,320 - WARNING - Bad Request: /test_app/alexa_endpoint
[13/Aug/2022 08:27:39] "POST /test_app/alexa_endpoint HTTP/1.1" 400 36

Possible Solution

The problem appears with ask-sdk-webservice-support v1.3.3 and disappears again when going back to v1.3.2. The problem seems to be related to ask-sdk-webservice-support's RequestVerifier class now using SHA256 instead of SHA1 as the default hash_algorithm:

class RequestVerifier(AbstractVerifier):
[...]
    def __init__(
            self,
            signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
            signature_key=SIGNATURE_HEADER,
            padding=PKCS1v15(), hash_algorithm=SHA256()):

and django-ask-sdk's SkillAdapter class is using the default value for hash_algorithm when instantiating the RequestVerifier:

class SkillAdapter(View):
[...]
    def __init__(
            self, skill, verify_signature=True, verify_timestamp=True,
            verifiers=None):
[...]
        if verify_signature:
            request_verifier = RequestVerifier(
                signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_KEY,
                signature_key=SIGNATURE_KEY)
            self._verifiers.append(request_verifier)

Steps to Reproduce (for bugs)

  1. Create a new, empty venv and activate it
  2. pip install Django django-ask-sdk
  3. Set up a Django-hosted Alexa skill using django-ask-sdk's SkillAdapter view
  4. Trigger a request to the Alexa skill's endpoint in the Alexa developer console.

Context

Your Environment

  • Operating System and version: Debian 11

Python version info

  • Python version used for development:
    3.9.2
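The mismatch described in this report, as an added example that is not part of the issue or of the SDK's code: a toy pure-Python PKCS#1 v1.5 signer and verifier (the real SDK verifies with the `cryptography` package) showing that a signature computed over a SHA-1 digest cannot verify when the verifier hashes the body with SHA-256, even with the correct public key. This is the InvalidSignature the traceback above reports. The key pair, the sample request body and the helper names are constructed for the demo.

```python
"""Added example: why a PKCS#1 v1.5 signature fails when the verifier's hash
algorithm does not match the signer's. EMSA-PKCS1-v1_5 embeds a DigestInfo
structure that names the hash, so the recovered padding never matches.
Toy pure-Python RSA with a freshly generated key; not the SDK's code."""
import hashlib
import hmac
import secrets

# DER prefixes of DigestInfo for each hash (RFC 8017, section 9.2, note 1).
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test with small-prime trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); constructed demo key, not a production one."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v15(message, hash_name, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 PS 0x00 DigestInfo(hash, H(message))."""
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(private_key, message, hash_name):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, hash_name, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(public_key, message, signature, hash_name):
    """True only if the signature was produced over the same hash algorithm."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(message, hash_name, k)
    return hmac.compare_digest(recovered, expected)


def demo(bits=1024):
    """Sign a constructed request body with SHA-1 and verify under both hashes."""
    public, private = generate_keypair(bits)
    body = b'{"version":"1.0","request":{"type":"LaunchRequest"}}'  # constructed
    sig_sha1 = sign(private, body, "sha1")
    sig_sha256 = sign(private, body, "sha256")
    return {
        "sha1_sig_sha1_verifier": verify(public, body, sig_sha1, "sha1"),
        "sha1_sig_sha256_verifier": verify(public, body, sig_sha1, "sha256"),
        "sha256_sig_sha256_verifier": verify(public, body, sig_sha256, "sha256"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'InvalidSignature'}")
```

The second case is the failing path: the signature header and the hash algorithm passed to RequestVerifier have to be chosen as a pair, which is why changing only the library's default breaks an adapter that still names the old signature header.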
sebadasta added a commit to sebadasta/django-TrainApp that referenced this issue Oct 17, 2022
Added verify_signature=False to SkillAdapter initialization as a workaround for a bug mentioned here: alexa/alexa-skills-kit-sdk-for-python#202

bobshao commented Oct 24, 2022

I encountered the same issue as you, and solved it using your analysis, thanks very much! @oyooyo I think it is a critical issue that makes a basic feature fail; why have we not seen an official response and fix from the Alexa RD team @doiron @haruny @milancermak @hyandell @JCGrant


thorrak commented May 23, 2023

Encountering the same issue here.

thorrak added a commit to thorrak/alexa-skills-kit-sdk-for-python that referenced this issue May 23, 2023
Updates the Django-specific signature header to use SHA-256 rather than SHA-1
Fixes alexa#202

thorrak commented May 23, 2023

Bugfix for this is in PR #207

While waiting for that to get merged, I've created a custom package that wraps up the fix. If you want to use it, just copy the following into your requirements.txt instead of django-ask-sdk:

django-ask-sdk @ git+https://github.com/thorrak/django_ask_sdk@master

Note - I will delete this repo once the fix is officially released, so if you use it make a note to change it back later!


ajinkya-open commented Aug 30, 2023

My observation:

    # for verifier in self._verifiers:
    #     verifier.verify(
    #         headers=http_request_headers,
    #         serialized_request_env=http_request_body,
    #         deserialized_request_env=request_envelope)

If I disable the verifier in the file, it then launches the app.

Update: downgrading to 1.3.2 works.
