我在示例应用程序中使用secretkey进行mac签名。该键是使用生成器参数生成的
setUserAuthenticationValidityDurationSeconds(10)
允许使用指纹和(取消)锁定设备pin来保护我的钥匙。
ui仅包含用于启动签名的签名按钮。
如果我通过“使用pin”使用生物识别提示,输入pin后我会收到签名(在我的示例“2bjeusxl/BOTTUEXE4VTX2RNRZEC1ZFA21FOOKBFNC=”)[注意:预期行为]。
在给定的10秒钟“validityduration”时间内再次按下sign按钮,我可以成功使用指纹进行授权[注意:预期行为]。
10秒后按下sign(签名)按钮并使用指纹进行授权[或在未事先使用pin的情况下使用指纹]会出现异常[注意:非预期行为]:
android.security.keystore.UserNotAuthenticatedException: User not authenticated
因此,我的问题是:如何使用相同的secretkey来使用pin和fingerprint选项授权签名过程(或者更好地使用从androidkeystore释放密钥)?
我正在android sdk 30(目标)和(最低)23上进行测试,生物识别功能可通过“androidx.biometric:biometric:1.1.0”实现。
以下是logcat调试输出,以及我方的一些评论:
>>> first start2021-07-04 14:23:47.178 6980-6980/de.biometrics D/*** Biometric ***: sign started2021-07-04 14:23:47.181 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore2021-07-04 14:23:47.211 6980-6980/de.biometrics D/*** Biometric ***: generated fresh key, try to load2021-07-04 14:23:47.223 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate>>> biometric prompt, used the PIN [authType = 1]:2021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 12021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)2021-07-04 14:24:04.092 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore2021-07-04 14:24:04.097 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=>>> pressed "SIGN" again after 5 seconds2021-07-04 14:24:09.725 6980-6980/de.biometrics D/*** Biometric ***: sign started2021-07-04 14:24:09.730 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore2021-07-04 14:24:13.421 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 22021-07-04 14:24:13.422 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)2021-07-04 14:24:13.426 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore2021-07-04 14:24:13.432 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=>>> pressed "SIGN" again 21 seconds after the PIN authorization2021-07-04 14:24:23.348 6980-6980/de.biometrics D/*** Biometric ***: sign started2021-07-04 14:24:23.359 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore2021-07-04 14:24:23.366 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate>>> fingerprint is accepted [authType = 2]2021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 22021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)2021-07-04 14:24:25.361 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore>>> the exception is thrown on line 86:>>> mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: android.security.keystore.UserNotAuthenticatedException: User not authenticated2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1346)2021-07-04 14:24:25.378 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1388)2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit(KeyStoreCryptoOperationUtils.java:54)2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.ensureKeystoreOperationInitialized(AndroidKeyStoreHmacSpi.java:184)2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.engineInit(AndroidKeyStoreHmacSpi.java:101)2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.chooseProvider(Mac.java:443)2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.init(Mac.java:513)2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at de.biometrics.MainActivity$1.onAuthenticationSucceeded(MainActivity.java:86)2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.handleCallback(Handler.java:938)2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.dispatchMessage(Handler.java:99)2021-07-04 14:24:25.382 6980-6980/de.biometrics W/System.err: at android.os.Looper.loop(Looper.java:223)2021-07-04 14:24:25.384 6980-6980/de.biometrics W/System.err: at android.app.ActivityThread.main(ActivityThread.java:7656)2021-07-04 14:24:25.385 6980-6980/de.biometrics W/System.err: at java.lang.reflect.Method.invoke(Native Method)2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
这是完整的源代码(mainactivity.java):
编辑:我稍微修改了createkey函数,使其更符合上的文档https://developer.android.com/training/sign-in/biometric-auth#java
package de.biometrics;import android.os.Bundle;import android.security.keystore.KeyGenParameterSpec;import android.security.keystore.KeyProperties;import android.security.keystore.UserNotAuthenticatedException;import android.util.Base64;import android.util.Log;import android.view.View;import android.widget.Button;import androidx.annotation.NonNull;import androidx.appcompat.app.AppCompatActivity;import androidx.biometric.BiometricPrompt;import androidx.core.content.ContextCompat;import java.io.IOException;import java.nio.charset.StandardCharsets;import java.security.InvalidAlgorithmParameterException;import java.security.InvalidKeyException;import java.security.KeyStore;import java.security.KeyStoreException;import java.security.NoSuchAlgorithmException;import java.security.NoSuchProviderException;import java.security.UnrecoverableKeyException;import java.security.cert.CertificateException;import java.util.concurrent.Executor;import javax.crypto.KeyGenerator;import javax.crypto.Mac;import javax.crypto.SecretKey;public class MainActivity extends AppCompatActivity {// use dependency in build.graddle:// implementation 'androidx.biometric:biometric:1.1.0'private static final String KEY_NAME_SIGN = "SignKey";private static final int VALIDITY_DURATION_SECONDS = 10;private static final String APP_TAG = "***Biometric***";private BiometricPrompt biometricPrompt;private BiometricPrompt.PromptInfo promptInfo;private Executor executor;Button btnSign;Mac mac;@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.activity_main);executor = ContextCompat.getMainExecutor(this);btnSign = (Button) findViewById(R.id.button);// Allows user to authenticate using either a Class 3 biometric or// their lock screen credential (PIN, pattern, or password).promptInfo = new BiometricPrompt.PromptInfo.Builder().setTitle("Biometric login for my app").setSubtitle("Log in using your biometric credential")// Can't call setNegativeButtonText() and// setAllowedAuthenticators(...|DEVICE_CREDENTIAL) at the same time.// .setNegativeButtonText("Use account password").setAllowedAuthenticators(androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG| androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL).build();biometricPrompt = new BiometricPrompt(MainActivity.this,executor, new BiometricPrompt.AuthenticationCallback() {@Overridepublic void onAuthenticationError(int errorCode,@NonNull CharSequence errString) {super.onAuthenticationError(errorCode, errString);Log.d(APP_TAG, "Authentication succeeded!");}@Overridepublic void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult result) {super.onAuthenticationSucceeded(result);int authorizationType = result.getAuthenticationType();Log.d(APP_TAG, "Authentication succeeded with authType " + authorizationType);Log.d(APP_TAG, "(authType: 1=PIN, 2=fingerprint)");try {// init mac from scratchmac = Mac.getInstance("HmacSHA256");mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));byte[] bytes = "secret-text".getBytes(StandardCharsets.UTF_8);byte[] macResult = mac.doFinal(bytes);Log.d("signed data ", Base64.encodeToString(macResult, Base64.NO_WRAP));} catch (InvalidKeyException | NoSuchAlgorithmException e) {e.printStackTrace();}}@Overridepublic void onAuthenticationFailed() {super.onAuthenticationFailed();Log.d(APP_TAG, "Authentication failed");}});btnSign.setOnClickListener(new View.OnClickListener() {@Overridepublic void onClick(View v) {sign();}});}private void sign() {// simple sign functionLog.d(APP_TAG, "sign started");// setup the mactry {mac = Mac.getInstance("HmacSHA256");mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));} catch (UserNotAuthenticatedException e) {Log.d(APP_TAG, "UserNotAuthenticatedException thrown, try to authenticate");biometricPrompt.authenticate(promptInfo);} catch (NoSuchAlgorithmException | InvalidKeyException e) {e.printStackTrace();}biometricPrompt.authenticate(promptInfo);}private SecretKey getOrCreateSecretKey(String keyName) {SecretKey secretKey = getSecretKey(keyName);Log.d(APP_TAG, "try to load secretKey from keystore");if (secretKey == null) {createSecretKey(keyName);secretKey = getSecretKey(keyName);Log.d(APP_TAG, "generated fresh key, try to load");}return secretKey;}private SecretKey getSecretKey(String keyName) {KeyStore keyStore = null;try {keyStore = KeyStore.getInstance("AndroidKeyStore");// Before the keystore can be accessed, it must be loaded.keyStore.load(null);return ((SecretKey) keyStore.getKey(keyName, null));} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {e.printStackTrace();return null;}}private void createSecretKey(String keyName) {generateSecretKey(new KeyGenParameterSpec.Builder(keyName,KeyProperties.PURPOSE_SIGN).setUserAuthenticationRequired(true)//.setInvalidatedByBiometricEnrollment(true).setUserAuthenticationValidityDurationSeconds(10).build());}// All exceptions unhandledprivate void generateSecretKey(KeyGenParameterSpec keyGenParameterSpec) {KeyGenerator keyGenerator = null;try {keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");keyGenerator.init(keyGenParameterSpec);keyGenerator.generateKey();} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchProviderException e) {e.printStackTrace();}}}
activity_main.xml
<?xml version="1.0" encoding="utf-8"?><androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"xmlns:app="http://schemas.android.com/apk/res-auto"xmlns:tools="http://schemas.android.com/tools"android:layout_width="match_parent"android:layout_height="match_parent"tools:context=".MainActivity"><Buttonandroid:id="@+id/button"android:layout_width="wrap_content"android:layout_height="wrap_content"android:layout_marginStart="16dp"android:layout_marginTop="32dp"android:layout_marginEnd="16dp"android:text="Sign"app:layout_constraintEnd_toEndOf="parent"app:layout_constraintStart_toStartOf="parent"app:layout_constraintTop_toTopOf="parent" /></androidx.constraintlayout.widget.ConstraintLayout>
build.graddle(模块):
plugins {id 'com.android.application'}android {compileSdkVersion 30buildToolsVersion "30.0.3"defaultConfig {applicationId "de.biometrics"minSdkVersion 23targetSdkVersion 30versionCode 1versionName "1.0"testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"}buildTypes {release {minifyEnabled falseproguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'}}compileOptions {sourceCompatibility JavaVersion.VERSION_1_8targetCompatibility JavaVersion.VERSION_1_8}}dependencies {implementation 'androidx.appcompat:appcompat:1.3.0'implementation 'com.google.android.material:material:1.3.0'implementation 'androidx.constraintlayout:constraintlayout:2.0.4'testImplementation 'junit:junit:4.+'androidTestImplementation 'androidx.test.ext:junit:1.1.3'androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0'implementation 'androidx.biometric:biometric:1.1.0'}
注意:这只是一个非常简化的程序,仅用于测试生物特征提示功能。
1条答案
按热度按时间6vl6ewon1#
我在回答我自己的问题,因为我的发现可能对其他人有所帮助。
到目前为止(2021年7月6日),我不知道为什么使用该选项生成secretkey
无法先通过指纹释放。正如我在问题中所写的,当它首先通过pin(设备凭证)发布时,只要持续时间未过期,它就可以通过指纹使用(“身份验证”)。
无论如何,文档中还有另一个选项可用,即使用每次使用的身份验证密钥进行身份验证(https://developer.android.com/training/sign-in/biometric-auth#auth-每次使用密钥),此选项提供预期结果。
当用新代码更新代码时,不要忘记生成一个新的密钥!
使用新选项时
您会注意到,代码需要sdk 30+才能运行。对于在sdk>23上运行的代码,可以使用
使用“0”秒很重要,因为这(内部)默认为“生物特征|设备|凭证”,使用“-1”时默认为“设备|凭证”(不带指纹选项)。
下面我提供的代码用于检查正在使用的sdk并选择正确的generatekey函数: