使用来自 android 指纹 API 的私钥签署 JWT
Sign JWT with PrivateKey from android Fingerprint API
我有一些声明,我想创建 JWT 并使用在指纹 API 中创建的私钥对其进行签名。
这是 JWT 声明 -
Header:
{
"alg": "RS256”,
“kid”: “ABCDEDFkjsdfjaldfkjg”,
“auth_type” : “fingerprint” / "pin"
}
Payload:
{
“client_id”:”XXXXX-YYYYYY-ZZZZZZ”
}
正在为指纹创建密钥对 -
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.support.annotation.RequiresApi;
import android.util.Log;
import com.yourmobileid.mobileid.library.common.MIDCommons;
import org.jose4j.base64url.Base64;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.RSAKeyGenParameterSpec;
@RequiresApi(api = Build.VERSION_CODES.M)
public class BiometricHelper {
public static final String KEY_NAME = "my_key";
static KeyPairGenerator mKeyPairGenerator;
private static String mKid;
private static KeyStore keyStore;
public static void init() {
try {
mKeyPairGenerator = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
}
mKid = MIDCommons.generateRandomString();
keyStore = null;
try {
keyStore = KeyStore.getInstance("AndroidKeyStore");
} catch (KeyStoreException e) {
throw new RuntimeException("Failed to get an instance of KeyStore", e);
}
createKeyPair();
}
/**
* Generates an asymmetric key pair in the Android Keystore. Every use of the private key must
* be authorized by the user authenticating with fingerprint. Public key use is unrestricted.
*/
public static void createKeyPair() {
try {
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
mKeyPairGenerator.generateKeyPair();
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException(e);
}
}
public static PrivateKey getPrivateKey() {
PrivateKey privateKey = null;
try {
keyStore.load(null);
privateKey = (PrivateKey) keyStore.getKey(KEY_NAME, null);
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return privateKey;
}
public static PublicKey getPublicKey() {
PublicKey publicKey = null;
try {
keyStore.load(null);
publicKey = keyStore.getCertificate(KEY_NAME).getPublicKey();
} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return publicKey;
}
public static KeyStore getKeyStore(){
return keyStore;
}
public static String getPublicKeyStr() {
StringBuilder publicKey = new StringBuilder("-----BEGIN PUBLIC KEY-----\n");
publicKey.append(Base64.encode((getPublicKey().getEncoded())).replace("==",""));
publicKey.append("\n-----END PUBLIC KEY-----");
Log.d("Key==","\n"+publicKey);
return publicKey.toString();
}
public static String getKid() {
Log.d("mKid==","\n"+mKid);
return mKid;
}
}
并以这种方式创建 JWT -
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
JwtClaims claims = new JwtClaims();
claims.setClaim("client_id","”XXXXX-YYYYYY-ZZZZZZ”");
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(claims.toJson());
jws.setKey(BiometricHelper.getPrivateKey());
jws.setKeyIdHeaderValue(BiometricHelper.getKid());
jws.setHeader("auth_type","fingerprint");
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
String jwt = null;
try {
jwt = jws.getCompactSerialization();
} catch (JoseException e) {
e.printStackTrace();
}
System.out.println("JWT: " + jwt);
return jwt;
}
当我这样做时,它得到 -
W/System.err: org.jose4j.lang.InvalidKeyException: The given key (algorithm=RSA) is not valid for SHA256withRSA
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.initForSign(BaseSignatureAlgorithm.java:97)
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.sign(BaseSignatureAlgorithm.java:68)
W/System.err: at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:101)
到目前为止,我尝试了很多其他方法来使用 PrivateKey 对 JWT 进行签名,但我没有找到解决方案。
感谢任何帮助
您创建的密钥仅用于加密,不用于签名。更改
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
有
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
.setDigests(KeyProperties.DIGEST_SHA256)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
使用 gradle 依赖项
compile group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '4.41.1'
library 我能够解决问题并使用 AndroidKeyStoreRSAPrivateKey
签署 JWT
这里是 RSASSASigner 构造函数,它从 Android KeyStore 中获取 PrivateKey,这个签名者用于签署 JWSObject。
在寻找解决方案时,我没有在 Web 上找到太多关于此的信息,因此在此处发布有关如何使用来自 android 指纹 API 的私钥对 JWT 进行签名的解决方案。感谢 pedrofb 的帮助:)
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
RSASSASigner signer = new RSASSASigner(BiometricHelper.getPrivateKey());
JSONObject message = new JSONObject();
message.put("client_id",mConfiguration.getClientID());
JWSObject jwsObject = new JWSObject(
new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(BiometricHelper.getKid())
.customParam("auth_type","touchid").build(),new Payload(message ));
try {
jwsObject.sign(signer);
} catch (JOSEException e) {
e.printStackTrace();
}
String jwt = jwsObject.serialize();
Log.d("JWT============","\n"+jwt);
return jwt;
}
在处理这件事时,我遇到了 Nimbus-JOSE-JWT 旧版本中报告的一些错误 https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/169/android-m-support
对于阅读此问题和答案的任何人,值得一提的是此密钥不受指纹保护 - (setUserAuthenticationRequired(true) 未设置在密钥上,并且 BiometricPrompt 未被使用批准签名操作。
要使用 jose4j 正确执行此操作,您需要使用它的 jws.prepareSigningPrimitive() 方法 - https://bitbucket.org/b_c/jose4j/issues/176/signing-not-possible-with-an 有讨论和 link 完整示例。
我有一些声明,我想创建 JWT 并使用在指纹 API 中创建的私钥对其进行签名。
这是 JWT 声明 -
Header:
{
"alg": "RS256”,
“kid”: “ABCDEDFkjsdfjaldfkjg”,
“auth_type” : “fingerprint” / "pin"
}
Payload:
{
“client_id”:”XXXXX-YYYYYY-ZZZZZZ”
}
正在为指纹创建密钥对 -
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.support.annotation.RequiresApi;
import android.util.Log;
import com.yourmobileid.mobileid.library.common.MIDCommons;
import org.jose4j.base64url.Base64;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.RSAKeyGenParameterSpec;
@RequiresApi(api = Build.VERSION_CODES.M)
public class BiometricHelper {
public static final String KEY_NAME = "my_key";
static KeyPairGenerator mKeyPairGenerator;
private static String mKid;
private static KeyStore keyStore;
public static void init() {
try {
mKeyPairGenerator = KeyPairGenerator.getInstance( KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
throw new RuntimeException("Failed to get an instance of KeyPairGenerator", e);
}
mKid = MIDCommons.generateRandomString();
keyStore = null;
try {
keyStore = KeyStore.getInstance("AndroidKeyStore");
} catch (KeyStoreException e) {
throw new RuntimeException("Failed to get an instance of KeyStore", e);
}
createKeyPair();
}
/**
* Generates an asymmetric key pair in the Android Keystore. Every use of the private key must
* be authorized by the user authenticating with fingerprint. Public key use is unrestricted.
*/
public static void createKeyPair() {
try {
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
mKeyPairGenerator.generateKeyPair();
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException(e);
}
}
public static PrivateKey getPrivateKey() {
PrivateKey privateKey = null;
try {
keyStore.load(null);
privateKey = (PrivateKey) keyStore.getKey(KEY_NAME, null);
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return privateKey;
}
public static PublicKey getPublicKey() {
PublicKey publicKey = null;
try {
keyStore.load(null);
publicKey = keyStore.getCertificate(KEY_NAME).getPublicKey();
} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
}
return publicKey;
}
public static KeyStore getKeyStore(){
return keyStore;
}
public static String getPublicKeyStr() {
StringBuilder publicKey = new StringBuilder("-----BEGIN PUBLIC KEY-----\n");
publicKey.append(Base64.encode((getPublicKey().getEncoded())).replace("==",""));
publicKey.append("\n-----END PUBLIC KEY-----");
Log.d("Key==","\n"+publicKey);
return publicKey.toString();
}
public static String getKid() {
Log.d("mKid==","\n"+mKid);
return mKid;
}
}
并以这种方式创建 JWT -
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
JwtClaims claims = new JwtClaims();
claims.setClaim("client_id","”XXXXX-YYYYYY-ZZZZZZ”");
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(claims.toJson());
jws.setKey(BiometricHelper.getPrivateKey());
jws.setKeyIdHeaderValue(BiometricHelper.getKid());
jws.setHeader("auth_type","fingerprint");
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
String jwt = null;
try {
jwt = jws.getCompactSerialization();
} catch (JoseException e) {
e.printStackTrace();
}
System.out.println("JWT: " + jwt);
return jwt;
}
当我这样做时,它得到 -
W/System.err: org.jose4j.lang.InvalidKeyException: The given key (algorithm=RSA) is not valid for SHA256withRSA
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.initForSign(BaseSignatureAlgorithm.java:97)
W/System.err: at org.jose4j.jws.BaseSignatureAlgorithm.sign(BaseSignatureAlgorithm.java:68)
W/System.err: at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:101)
到目前为止,我尝试了很多其他方法来使用 PrivateKey 对 JWT 进行签名,但我没有找到解决方案。
感谢任何帮助
您创建的密钥仅用于加密,不用于签名。更改
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
有
mKeyPairGenerator.initialize(
new KeyGenParameterSpec.Builder(
KEY_NAME,
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
.setDigests(KeyProperties.DIGEST_SHA256)
.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4))
.build());
使用 gradle 依赖项
compile group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '4.41.1'
library 我能够解决问题并使用 AndroidKeyStoreRSAPrivateKey
签署 JWT这里是 RSASSASigner 构造函数,它从 Android KeyStore 中获取 PrivateKey,这个签名者用于签署 JWSObject。
在寻找解决方案时,我没有在 Web 上找到太多关于此的信息,因此在此处发布有关如何使用来自 android 指纹 API 的私钥对 JWT 进行签名的解决方案。感谢 pedrofb 的帮助:)
@RequiresApi(api = Build.VERSION_CODES.M)
private String createJWT(){
RSASSASigner signer = new RSASSASigner(BiometricHelper.getPrivateKey());
JSONObject message = new JSONObject();
message.put("client_id",mConfiguration.getClientID());
JWSObject jwsObject = new JWSObject(
new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(BiometricHelper.getKid())
.customParam("auth_type","touchid").build(),new Payload(message ));
try {
jwsObject.sign(signer);
} catch (JOSEException e) {
e.printStackTrace();
}
String jwt = jwsObject.serialize();
Log.d("JWT============","\n"+jwt);
return jwt;
}
在处理这件事时,我遇到了 Nimbus-JOSE-JWT 旧版本中报告的一些错误 https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/169/android-m-support
对于阅读此问题和答案的任何人,值得一提的是此密钥不受指纹保护 - (setUserAuthenticationRequired(true) 未设置在密钥上,并且 BiometricPrompt 未被使用批准签名操作。
要使用 jose4j 正确执行此操作,您需要使用它的 jws.prepareSigningPrimitive() 方法 - https://bitbucket.org/b_c/jose4j/issues/176/signing-not-possible-with-an 有讨论和 link 完整示例。