mreinstein / alexa-verifier

✓ Verify HTTP requests sent to an Alexa skill are sent from Amazon
MIT License

Certificate integrity not checked nor is the chain of trust verified #6

Closed martijnthe closed 7 years ago

martijnthe commented 8 years ago

It looks like the certificate isn't checked for integrity, nor is the chain verified at all. Inspecting openssl-cert-tools, it doesn't seem to do any of this. As a quick test, I tried handing it a counterfeit certificate (I modified the first byte of the signature of the public key, could have modded more, but you get the idea). The library doesn't detect this, so effectively any self-signed certificate could be handed and will pass, as long as CN starts with echo-api.amazon.com and the certificate hasn't expired yet...

bad-signature.pem.zip

mreinstein commented 8 years ago

@martijnthe this might be something to bring up with Amazon's support team. If you've found a way around some certificate validation I'm sure they'd love to know about it! 👍

If Amazon's verification steps become more stringent, we could add this PR. I'm hesitant to merge this as-is because the main purpose of the module is to pass Amazon-specific Alexa certification, and it is already capable of doing that.

martijnthe commented 8 years ago

@mreinstein did Amazon recommend you to use openssl-cert-tools for the purpose of validating the certificate? If not, I don't think there's a need to get them involved.

I think it's just a matter of using openssl's verify to verify the integrity of the certificate, and optionally specify a root certificate from which the certificate should be stemming – there's probably an existing node module that can help here, but it's not openssl-cert-tools.

The .zip that I attached is just a modified/"counterfeit" version of Amazon's certificate, just to show that it passes the existing "verification" that this project is performing.

If I find some spare time, I'll create a PR to fix this problem.
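
Added example, not part of the thread or of alexa-verifier's code: the `openssl verify` check described in the comment above, run against constructed test certificates. The test root, the file names and the `make_fixtures`/`chain_ok` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed test material;
# make_fixtures and chain_ok are hypothetical helper names.

# make_fixtures DIR: create a test root, a leaf it signs, a self-signed
# look-alike with the same CN, and the leaf with one signature byte changed.
make_fixtures() {
  d=$1
  cn='/CN=echo-api.amazon.com'
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "$cn" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$cn" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  # The last byte of a DER certificate is the last byte of its signature.
  openssl x509 -in "$d/leaf.pem" -outform DER -out "$d/leaf.der"
  size=$(wc -c < "$d/leaf.der")
  last=$(tail -c 1 "$d/leaf.der" | od -An -tu1 | tr -d ' ')
  if [ "$last" = 0 ]; then new='\377'; else new='\000'; fi
  { head -c $((size - 1)) "$d/leaf.der"; printf "$new"; } > "$d/bad.der"
  openssl x509 -inform DER -in "$d/bad.der" -out "$d/bad.pem"
}

# chain_ok ROOT CERT: true only if CERT's signature verifies up to ROOT.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_fixtures "$dir"
for c in leaf self bad; do
  if chain_ok "$dir/root.pem" "$dir/$c.pem"; then r=accepted; else r=rejected; fi
  echo "$c.pem: $r"
done
rm -rf "$dir"
```

All three files carry the same CN and are unexpired, so a check limited to the CN and the expiry date, as described in the issue, cannot tell them apart; the chain check can.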

mreinstein commented 8 years ago

@martijnthe

> did Amazon recommend you to use openssl-cert-tools for the purpose of validating the certificate?

They didn't make any recommendations to me. This is just a module that seemed to accomplish the goal, in a minimal way. Open for replacement suggestions if there are better known alternative(s). 👍

> If not, I don't think there's a need to get them involved.

If you found a way around Amazon's certificate checks, it would be super helpful to let them know. Right now this module is passing their Alexa validation process. Alerting them to the problem would enable them to make more stringent checks, which improves security for everyone.

I strongly encourage you to reach out if you have the time. Amazon community !== github community, but it's still a group of devs working together nonetheless. :)

mreinstein commented 7 years ago

closing due to inactivity and lack of clear actionable work.