UNPKG

alexa-verifier

Version:

Verify HTTP requests sent to an Alexa skill are sent from Amazon

github.com/mreinstein/alexa-verifier

mreinstein/alexa-verifier

131 lines (118 loc) 3.52 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
import fs from 'fs' import pkg from 'node-forge' import { test } from 'tap' import url from 'url' import validate from '../validate-cert.js' import { dirname } from 'path' import { fileURLToPath } from 'url' const __dirname = dirname(fileURLToPath(import.meta.url)) const { pki } = pkg function createInvalidCert () { const keys = pki.rsa.generateKeyPair(512) const cert = pki.createCertificate() cert.publicKey = keys.publicKey // alternatively set public key from a csr //cert.publicKey = csr.publicKey cert.serialNumber = '01' cert.validity.notBefore = new Date() cert.validity.notAfter = new Date() cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1) const attrs = [ { name: 'commonName', value: 'example.org' }, { name: 'countryName', value: 'US' }, { shortName: 'ST', value: 'Virginia' }, { name: 'localityName', value: 'Blacksburg' }, { name: 'organizationName', value: 'Test' }, { shortName: 'OU', value: 'Test' } ] cert.setSubject(attrs) // alternatively set subject from a csr //cert.setSubject(csr.subject.attributes) cert.setIssuer(attrs) cert.setExtensions([ { name: 'basicConstraints', cA: true }, { name: 'keyUsage', keyCertSign: true, digitalSignature: true, nonRepudiation: true, keyEncipherment: true, dataEncipherment: true }, { name: 'extKeyUsage', serverAuth: true, clientAuth: true, codeSigning: true, emailProtection: true, timeStamping: true }, { name: 'nsCertType', client: true, server: true, email: true, objsign: true, sslCA: true, emailCA: true, objCA: true }, { name: 'subjectAltName', altNames: [{ type: 6, // URI value: 'http://example.org/webid#me' }, { type: 7, // IP ip: '127.0.0.1' }] }, { name: 'subjectKeyIdentifier' } ]) // self-sign certificate cert.sign(keys.privateKey) return pki.certificateToPem(cert) } test('fails on invalid pem cert parameter', function (t) { t.ok(validate(undefined) !== undefined, 'Error should have been thrown') t.end() }) test('fails on non amazon subject alt name', function (t) { const pem = createInvalidCert() t.ok(validate(pem) === 'invalid certificate validity (correct domain not found in subject alternative names)', 'Certificate must be from amazon') t.end() }) test('fails on expired certificate (Not After)', function (t) { const pem = fs.readFileSync(__dirname + '/mocks/cert-expired.pem') t.ok(validate(pem) === 'invalid certificate validity (past expired date)') t.end() }) test('approves valid certifcate', function (t) { const pem = fs.readFileSync(__dirname + '/mocks/echo-api-cert-12.cer') t.ok(validate(pem) === undefined, 'Certificate should be valid') t.end() })