module AlexaRequestVerifier::Verifier::CertificateVerifier

Given an OpenSSL certificate, validate it according to: developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#h2_verify_sig_cert

@since 0.1

Constants

SAN

Public Class Methods

valid!(certificate) click to toggle source

Check that a given certificate meet's Amazon's requirements. Raise an error if it does not.

@param [OpenSSL::X509::Certificate] certificate certificate to check.

@raise [AlexaRequestVerifier::InvalidCertificateError] raised when

the provided certificate does not meet a requirement

@return [true] either returns true or raises an error.

# File lib/alexa_request_verifier/verifier/certificate_verifier.rb, line 26
def valid!(certificate)
  # Check that it's in date
  certificate_in_date = Time.now.between?(certificate.not_before, certificate.not_after)
  raise AlexaRequestVerifier::InvalidCertificateError, 'Certificate is not in date.' unless certificate_in_date

  # Check that the required SAN is present
  valid_sans = certificate.extensions.select do |extension|
    valid_oid = (extension.oid == 'subjectAltName')
    valid_value = (extension.value == "DNS:#{SAN}")

    valid_oid && valid_value
  end
  raise AlexaRequestVerifier::InvalidCertificateError, "Certificate does not contain SAN: #{SAN}." if valid_sans.empty?

  # TODO: Check that the certificate is valid up to the root CA

  true
end
valid?(certificate) click to toggle source

Check that a given certificate meet's Amazon's requirements. Returns a boolean.

@param [OpenSSL::X509::Certificate] certificate certificate to check.

@return [Boolean] returns the result of our checks.

# File lib/alexa_request_verifier/verifier/certificate_verifier.rb, line 51
def valid?(certificate)
  begin
    valid!(certificate)
  rescue AlexaRequestVerifier::InvalidCertificateError => e
    puts e

    return false
  end

  true
end