我在示例应用程序中使用secretkey进行mac签名。该键是使用生成器参数生成的
setUserAuthenticationValidityDurationSeconds(10)允许使用指纹和(取消)锁定设备pin来保护我的钥匙。
ui仅包含用于启动签名的签名按钮。
如果我通过“使用pin”使用生物识别提示,输入pin后我会收到签名(在我的示例“2bjeusxl/BOTTUEXE4VTX2RNRZEC1ZFA21FOOKBFNC=”)[注意:预期行为]。
在给定的10秒钟“validityduration”时间内再次按下sign按钮,我可以成功使用指纹进行授权[注意:预期行为]。
10秒后按下sign(签名)按钮并使用指纹进行授权[或在未事先使用pin的情况下使用指纹]会出现异常[注意:非预期行为]:
android.security.keystore.UserNotAuthenticatedException: User not authenticated因此,我的问题是:如何使用相同的secretkey来使用pin和fingerprint选项授权签名过程(或者更好地使用从androidkeystore释放密钥)?
我正在android sdk 30(目标)和(最低)23上进行测试,生物识别功能可通过“androidx.biometric:biometric:1.1.0”实现。
以下是logcat调试输出,以及我方的一些评论:
>>> first start
2021-07-04 14:23:47.178 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:23:47.181 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:23:47.211 6980-6980/de.biometrics D/*** Biometric ***: generated fresh key, try to load
2021-07-04 14:23:47.223 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate
>>> biometric prompt, used the PIN [authType = 1]:
2021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 1
2021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:04.092 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:04.097 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=
>>> pressed "SIGN" again after 5 seconds
2021-07-04 14:24:09.725 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:24:09.730 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:13.421 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 2
2021-07-04 14:24:13.422 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:13.426 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:13.432 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=
>>> pressed "SIGN" again 21 seconds after the PIN authorization
2021-07-04 14:24:23.348 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:24:23.359 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:23.366 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate
>>> fingerprint is accepted [authType = 2]
2021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 2
2021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:25.361 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
>>> the exception is thrown on line 86:
>>> mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: android.security.keystore.UserNotAuthenticatedException: User not authenticated
2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1346)
2021-07-04 14:24:25.378 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1388)
2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit(KeyStoreCryptoOperationUtils.java:54)
2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.ensureKeystoreOperationInitialized(AndroidKeyStoreHmacSpi.java:184)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.engineInit(AndroidKeyStoreHmacSpi.java:101)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.chooseProvider(Mac.java:443)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.init(Mac.java:513)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at de.biometrics.MainActivity$1.onAuthenticationSucceeded(MainActivity.java:86)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.handleCallback(Handler.java:938)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.dispatchMessage(Handler.java:99)
2021-07-04 14:24:25.382 6980-6980/de.biometrics W/System.err: at android.os.Looper.loop(Looper.java:223)
2021-07-04 14:24:25.384 6980-6980/de.biometrics W/System.err: at android.app.ActivityThread.main(ActivityThread.java:7656)
2021-07-04 14:24:25.385 6980-6980/de.biometrics W/System.err: at java.lang.reflect.Method.invoke(Native Method)
2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)这是完整的源代码(mainactivity.java):
编辑:我稍微修改了createkey函数,使其更符合上的文档https://developer.android.com/training/sign-in/biometric-auth#java
package de.biometrics;
import android.os.Bundle;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import android.util.Base64;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.concurrent.Executor;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
public class MainActivity extends AppCompatActivity {
// use dependency in build.graddle:
// implementation 'androidx.biometric:biometric:1.1.0'
private static final String KEY_NAME_SIGN = "SignKey";
private static final int VALIDITY_DURATION_SECONDS = 10;
private static final String APP_TAG = "***Biometric***";
private BiometricPrompt biometricPrompt;
private BiometricPrompt.PromptInfo promptInfo;
private Executor executor;
Button btnSign;
Mac mac;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
executor = ContextCompat.getMainExecutor(this);
btnSign = (Button) findViewById(R.id.button);
// Allows user to authenticate using either a Class 3 biometric or
// their lock screen credential (PIN, pattern, or password).
promptInfo = new BiometricPrompt.PromptInfo.Builder()
.setTitle("Biometric login for my app")
.setSubtitle("Log in using your biometric credential")
// Can't call setNegativeButtonText() and
// setAllowedAuthenticators(...|DEVICE_CREDENTIAL) at the same time.
// .setNegativeButtonText("Use account password")
.setAllowedAuthenticators(
androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
| androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL)
.build();
biometricPrompt = new BiometricPrompt(MainActivity.this,
executor, new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode,
@NonNull CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
Log.d(APP_TAG, "Authentication succeeded!");
}
@Override
public void onAuthenticationSucceeded(
@NonNull BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
int authorizationType = result.getAuthenticationType();
Log.d(APP_TAG, "Authentication succeeded with authType " + authorizationType);
Log.d(APP_TAG, "(authType: 1=PIN, 2=fingerprint)");
try {
// init mac from scratch
mac = Mac.getInstance("HmacSHA256");
mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
byte[] bytes = "secret-text".getBytes(StandardCharsets.UTF_8);
byte[] macResult = mac.doFinal(bytes);
Log.d("signed data ", Base64.encodeToString(macResult, Base64.NO_WRAP));
} catch (InvalidKeyException | NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
Log.d(APP_TAG, "Authentication failed");
}
});
btnSign.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
sign();
}
});
}
private void sign() {
// simple sign function
Log.d(APP_TAG, "sign started");
// setup the mac
try {
mac = Mac.getInstance("HmacSHA256");
mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
} catch (UserNotAuthenticatedException e) {
Log.d(APP_TAG, "UserNotAuthenticatedException thrown, try to authenticate");
biometricPrompt.authenticate(promptInfo);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
e.printStackTrace();
}
biometricPrompt.authenticate(promptInfo);
}
private SecretKey getOrCreateSecretKey(String keyName) {
SecretKey secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "try to load secretKey from keystore");
if (secretKey == null) {
createSecretKey(keyName);
secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "generated fresh key, try to load");
}
return secretKey;
}
private SecretKey getSecretKey(String keyName) {
KeyStore keyStore = null;
try {
keyStore = KeyStore.getInstance("AndroidKeyStore");
// Before the keystore can be accessed, it must be loaded.
keyStore.load(null);
return ((SecretKey) keyStore.getKey(keyName, null));
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
return null;
}
}
private void createSecretKey(String keyName) {
generateSecretKey(new KeyGenParameterSpec.Builder(
keyName,
KeyProperties.PURPOSE_SIGN)
.setUserAuthenticationRequired(true)
//.setInvalidatedByBiometricEnrollment(true)
.setUserAuthenticationValidityDurationSeconds(10)
.build());
}// All exceptions unhandled
private void generateSecretKey(KeyGenParameterSpec keyGenParameterSpec) {
KeyGenerator keyGenerator = null;
try {
keyGenerator = KeyGenerator.getInstance(
KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
keyGenerator.init(keyGenParameterSpec);
keyGenerator.generateKey();
} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchProviderException e) {
e.printStackTrace();
}
}
}activity_main.xml
<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:app="http://schemas.android.com/apk/res-auto"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
tools:context=".MainActivity">
<Button
android:id="@+id/button"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginStart="16dp"
android:layout_marginTop="32dp"
android:layout_marginEnd="16dp"
android:text="Sign"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toTopOf="parent" />
</androidx.constraintlayout.widget.ConstraintLayout>build.graddle(模块):
plugins {
id 'com.android.application'
}
android {
compileSdkVersion 30
buildToolsVersion "30.0.3"
defaultConfig {
applicationId "de.biometrics"
minSdkVersion 23
targetSdkVersion 30
versionCode 1
versionName "1.0"
testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
}
compileOptions {
sourceCompatibility JavaVersion.VERSION_1_8
targetCompatibility JavaVersion.VERSION_1_8
}
}
dependencies {
implementation 'androidx.appcompat:appcompat:1.3.0'
implementation 'com.google.android.material:material:1.3.0'
implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
testImplementation 'junit:junit:4.+'
androidTestImplementation 'androidx.test.ext:junit:1.1.3'
androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0'
implementation 'androidx.biometric:biometric:1.1.0'
}注意:这只是一个非常简化的程序,仅用于测试生物特征提示功能。
1条答案
按热度按时间6vl6ewon1#
我在回答我自己的问题,因为我的发现可能对其他人有所帮助。
到目前为止(2021年7月6日),我不知道为什么使用该选项生成secretkey
无法先通过指纹释放。正如我在问题中所写的,当它首先通过pin(设备凭证)发布时,只要持续时间未过期,它就可以通过指纹使用(“身份验证”)。
无论如何,文档中还有另一个选项可用,即使用每次使用的身份验证密钥进行身份验证(https://developer.android.com/training/sign-in/biometric-auth#auth-每次使用密钥),此选项提供预期结果。
当用新代码更新代码时,不要忘记生成一个新的密钥!
使用新选项时
您会注意到,代码需要sdk 30+才能运行。对于在sdk>23上运行的代码,可以使用
使用“0”秒很重要,因为这(内部)默认为“生物特征|设备|凭证”,使用“-1”时默认为“设备|凭证”(不带指纹选项)。
下面我提供的代码用于检查正在使用的sdk并选择正确的generatekey函数: