使用android指纹API中的私钥签署JWT
我有一些声明,我想创建JWT并使用在指纹API中创建的私钥对其进行签名 这是JWT的声明-使用android指纹API中的私钥签署JWT,android,jwt,digital-signature,android-fingerprint-api,Android,Jwt,Digital Signature,Android Fingerprint Api,我有一些声明,我想创建JWT并使用在指纹API中创建的私钥对其进行签名 这是JWT的声明- Header: { "alg": "RS256”, “kid”: “ABCDEDFkjsdfjaldfkjg”, “auth_type” : “fingerprint” / "pin" } Payload: { “client_id”:”XXXXX-YYYYYY-ZZZZZZ” } 为指纹创建密钥对- import android.os.Build; im
Header:
{
"alg": "RS256”,
“kid”: “ABCDEDFkjsdfjaldfkjg”,
“auth_type” : “fingerprint” / "pin"
}
Payload:
{
“client_id”:”XXXXX-YYYYYY-ZZZZZZ”
}
为指纹创建密钥对-
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.support.annotation.RequiresApi;
import android.util.Log;
import com.yourmobileid.mobileid.library.common.MIDCommons;
import org.jose4j.base64url.Base64;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.RSAKeyGenParameterSpec;
@RequiresApi(api = Build.VERSION_CODES.M)
public class BiometricHelper {
public static final String KEY_NAME = "my_key";
static KeyPairGenerator mKeyPairGenerator;
private static String mKid;
private static KeyStore keyStore;
public static void init() {
try {
mKeyPairGenerator = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
}
mKid = MIDCommons.generateRandomString();
keyStore = null;
try {
keyStore = KeyStore.getInstance("AndroidKeyStore");
} catch (KeyStoreException e) {
throw new RuntimeException("Failed to get an instance of KeyStore", e);
}
createKeyPair();
}
/**
* Generates an asymmetric key pair in the Android Keystore. Every use of the private key must
* be authorized by the user authenticating with fingerprint. Public key use is unrestricted.
*/
public static void createKeyPair() {
try {
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
mKeyPairGenerator.generateKeyPair();
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException(e);
}
}
public static PrivateKey getPrivateKey() {
PrivateKey privateKey = null;
try {
keyStore.load(null);
privateKey = (PrivateKey) keyStore.getKey(KEY_NAME, null);
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return privateKey;
}
public static PublicKey getPublicKey() {
PublicKey publicKey = null;
try {
keyStore.load(null);
publicKey = keyStore.getCertificate(KEY_NAME).getPublicKey();
} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return publicKey;
}
public static KeyStore getKeyStore(){
return keyStore;
}
public static String getPublicKeyStr() {
StringBuilder publicKey = new StringBuilder("-----BEGIN PUBLIC KEY-----\n");
publicKey.append(Base64.encode((getPublicKey().getEncoded())).replace("==",""));
publicKey.append("\n-----END PUBLIC KEY-----");
Log.d("Key==","\n"+publicKey);
return publicKey.toString();
}
public static String getKid() {
Log.d("mKid==","\n"+mKid);
return mKid;
}
}
以这种方式创建JWT-
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
JwtClaims claims = new JwtClaims();
claims.setClaim("client_id","”XXXXX-YYYYYY-ZZZZZZ”");
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(claims.toJson());
jws.setKey(BiometricHelper.getPrivateKey());
jws.setKeyIdHeaderValue(BiometricHelper.getKid());
jws.setHeader("auth_type","fingerprint");
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
String jwt = null;
try {
jwt = jws.getCompactSerialization();
} catch (JoseException e) {
e.printStackTrace();
}
System.out.println("JWT: " + jwt);
return jwt;
}
当我这样做的时候,它变得-
W/System.err: org.jose4j.lang.InvalidKeyException: The given key (algorithm=RSA) is not valid for SHA256withRSA
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.initForSign(BaseSignatureAlgorithm.java:97)
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.sign(BaseSignatureAlgorithm.java:68)
W/System.err: at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:101)
我用PrivateKey尝试了很多其他方法来签署JWT,但到目前为止,我没有找到解决方案
感谢您的帮助您创建的密钥仅用于加密,不用于签名。改变
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
与
使用渐变依赖
compile group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '4.41.1'
库我能够修复这个问题,并使用AndroidKeyStoreRSAPrivateKey签署JWT
这里的rsassigner构造函数从Android密钥库获取PrivateKey,该签名者用于对JWSObject进行签名
在寻找解决方案时,我并没有在网上找到太多信息,所以在这里发布了如何使用android指纹API中的PrivateKey对JWT进行签名的解决方案。谢谢佩德罗夫的帮助:)
在处理这个问题的过程中,我遇到了Nimbus JOSE JWT旧版本中报告的一些错误任何阅读此问题和答案的人,值得一提的是,此密钥没有指纹保护-(
setUserAuthenticationRequired(true)钥匙上未设置
,且未使用提示批准签名操作
为了正确地使用jose4j,您需要使用它的
jws.prepareSigningPrimitive()
method-有一个讨论和一个完整示例的链接。感谢您的帮助@pedrofb。是的,更改KeyProperties是有意义的。PURPOSE\u从KeyProperties.PURPOSE\u签名加密,但我仍然存在ClassCastException问题:android.security.keystore.AndroidKeyStoreRSAPrivateKey无法转换为java.security.interfaces.RSAPrIVATEKEY你能发布新的堆栈跟踪吗?你检查过jose4j是否与Android密钥库兼容吗?私钥受到保护,不会被提取。如果库试图操作它们,它将失败。感谢你的评论,当我搜索与Android密钥库兼容的jose4j时,我发现它们知道错误,并且最新已修复。那么,您的问题解决了吗?需要进一步澄清吗?
compile group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '4.41.1'
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
RSASSASigner signer = new RSASSASigner(BiometricHelper.getPrivateKey());
JSONObject message = new JSONObject();
message.put("client_id",mConfiguration.getClientID());
JWSObject jwsObject = new JWSObject(
new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(BiometricHelper.getKid())
.customParam("auth_type","touchid").build(),new Payload(message ));
try {
jwsObject.sign(signer);
} catch (JOSEException e) {
e.printStackTrace();
}
String jwt = jwsObject.serialize();
Log.d("JWT============","\n"+jwt);
return jwt;
}