使用Android Fingerprint API与PrivateKey签署JWT

时间:2017-08-14 23:47:52

标签: android jwt digital-signature android-fingerprint-api

我有一些声明,我想创建JWT并使用Fingerprint API创建的PrivateKey对其进行签名。

这是JWT声明 - 

Header:

{
     "alg": "RS256”,
     “kid”: “ABCDEDFkjsdfjaldfkjg”,
      “auth_type” : “fingerprint” / "pin"
}

Payload:
{
      “client_id”:”XXXXX-YYYYYY-ZZZZZZ”
}

为指纹创建KeyPair - 

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.support.annotation.RequiresApi;
import android.util.Log;

import com.yourmobileid.mobileid.library.common.MIDCommons;

import org.jose4j.base64url.Base64;

import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.RSAKeyGenParameterSpec;


@RequiresApi(api = Build.VERSION_CODES.M)
public class BiometricHelper {

    public static final String KEY_NAME = "my_key";
    static KeyPairGenerator mKeyPairGenerator;
    private static String mKid;
    private static KeyStore keyStore;

    public static void init() {
        try {
            mKeyPairGenerator = KeyPairGenerator.getInstance(  KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
        }
        mKid = MIDCommons.generateRandomString();

         keyStore = null;

        try {
            keyStore = KeyStore.getInstance("AndroidKeyStore");
        } catch (KeyStoreException e) {
            throw new RuntimeException("Failed to get an instance of KeyStore", e);
        }

        createKeyPair();
    }


    /**
     * Generates an asymmetric key pair in the Android Keystore. Every use of the private key must
     * be authorized by the user authenticating with fingerprint. Public key use is unrestricted.
     */
    public static void createKeyPair() {
        try {

            mKeyPairGenerator.initialize(
                    new KeyGenParameterSpec.Builder(
                            KEY_NAME,
                            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                            .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
                            .build());
            mKeyPairGenerator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException(e);
        }
    }


    public static PrivateKey getPrivateKey() {
        PrivateKey privateKey = null;
        try {
            keyStore.load(null);
            privateKey = (PrivateKey) keyStore.getKey(KEY_NAME, null);
        } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
            e.printStackTrace();
        }
        return privateKey;
    }

    public static PublicKey getPublicKey() {
        PublicKey publicKey = null;
        try {
            keyStore.load(null);
            publicKey = keyStore.getCertificate(KEY_NAME).getPublicKey();
        } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
            e.printStackTrace();
        }
        return publicKey;
    }

    public static KeyStore getKeyStore(){
        return keyStore;
    }
    public static String getPublicKeyStr()  {
        StringBuilder publicKey = new StringBuilder("-----BEGIN PUBLIC KEY-----\n");
        publicKey.append(Base64.encode((getPublicKey().getEncoded())).replace("==",""));
        publicKey.append("\n-----END PUBLIC KEY-----");


        Log.d("Key==","\n"+publicKey);
        return publicKey.toString();
    }

    public static String getKid() {

        Log.d("mKid==","\n"+mKid);
        return mKid;
    }
 }

以这种方式创建JWT - 

@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){

    JwtClaims claims = new JwtClaims();
    claims.setClaim("client_id","”XXXXX-YYYYYY-ZZZZZZ”"); 

    JsonWebSignature jws = new JsonWebSignature();

    jws.setPayload(claims.toJson());
    jws.setKey(BiometricHelper.getPrivateKey());
    jws.setKeyIdHeaderValue(BiometricHelper.getKid());
    jws.setHeader("auth_type","fingerprint");
    jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);

    String jwt = null;
    try {
        jwt = jws.getCompactSerialization();

    } catch (JoseException e) {
        e.printStackTrace();
    }
    System.out.println("JWT: " + jwt);

    return jwt;
}

当我这样做时,它正在 - 

W/System.err: org.jose4j.lang.InvalidKeyException: The given key (algorithm=RSA) is not valid for SHA256withRSA
W/System.err:     at org.jose4j.jws.BaseSignatureAlgorithm.initForSign(BaseSignatureAlgorithm.java:97)
W/System.err:     at org.jose4j.jws.BaseSignatureAlgorithm.sign(BaseSignatureAlgorithm.java:68)
W/System.err:     at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:101)

到目前为止,我尝试了很多其他方式与PrivateKey签署JWT,但我找不到解决方案。

感谢任何帮助

3 个答案:

答案 0 :(得分:1)

您已创建仅用于加密的密钥,而不是用于签名。改变

mKeyPairGenerator.initialize(
        new KeyGenParameterSpec.Builder(
                    KEY_NAME,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                    .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
                    .build());

使用

mKeyPairGenerator.initialize(
      new KeyGenParameterSpec.Builder(
                  KEY_NAME,
                  KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                  .setDigests(KeyProperties.DIGEST_SHA256)
                  .setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
                  .build());

答案 1 :(得分:0)

使用gradle依赖

compile group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '4.41.1'

库我能够解决问题并使用AndroidKeyStoreRSAPrivateKey签署JWT

这里的RSASSASigner构造函数从Android KeyStore获取PrivateKey,这个签名者用于签署JWSObject。

在寻找解决方案时,我没有在网上找到关于此的更多信息,因此在此发布解决方案,了解如何使用Android指纹API使用PrivateKey对JWT进行签名。感谢pedrofb为您提供帮助:)

@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
    RSASSASigner signer = new RSASSASigner(BiometricHelper.getPrivateKey());
    JSONObject message = new JSONObject();
    message.put("client_id",mConfiguration.getClientID());

    JWSObject jwsObject = new JWSObject(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(BiometricHelper.getKid())
           .customParam("auth_type","touchid").build(),new Payload(message ));
    try {
        jwsObject.sign(signer);
    } catch (JOSEException e) {
        e.printStackTrace();
    }

    String jwt = jwsObject.serialize();

    Log.d("JWT============","\n"+jwt);

    return jwt;
}

在处理这件事的同时,我遇到了Nimbus-JOSE-JWT旧版https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/169/android-m-support中报告的一些错误

答案 2 :(得分:0)

对于阅读此问题和答案的任何人来说,值得一提的是,此密钥不受指纹保护 - (密钥上未设置 setUserAuthenticationRequired(true),并且 BiometricPrompt 未用于批准签名操作。

要使用 jose4j 正确执行此操作,您需要使用它的 jws.prepareSigningPrimitive() 方法 - https://bitbucket.org/b_c/jose4j/issues/176/signing-not-possible-with-an 有一个讨论和一个完整示例的链接。

相关问题
最新问题