Missing validating certificate against a root CA certificate

mreinstein / alexa-verifier

✓ Verify HTTP requests sent to an Alexa skill are sent from Amazon

MIT License

76 stars 23 forks source link

Missing validating certificate against a root CA certificate #49

Closed paveljamal closed 6 years ago

paveljamal commented 6 years ago

Currently there is no verification that the downloaded certificate can be trusted, and the certificate is being taken at face value. This is critical in verification and is called out in Amazon's documentation:

All certificates in the chain combine to create a chain of trust to a trusted root CA certificate.

Reference: https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request

mreinstein commented 6 years ago

Currently there is no verification that the downloaded certificate can be trusted

That's what this code does: https://github.com/mreinstein/alexa-verifier/blob/master/validate-cert-uri.js

It ensures the address from which the certificate is pulled is served over https and comes from amazon.