在FingerprintManager.authenticate()中的android – UserNotAuthenticatedException

前端之家收集整理的这篇文章主要介绍了在FingerprintManager.authenticate()中的android – UserNotAuthenticatedException前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我有一个加密密码存储Android KeyStore.

我想通过使用指纹API验证用户来解密该密码.

据我所知,我必须调用FingerprintManager.authenticate(CryptoObject cryptoObject)方法来开始侦听指纹结果. CryptoObject参数是这样创建的:

public static Cipher getDecryptionCipher(Context context) throws KeyStoreException {
    try {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        SecretKey secretKey = getKeyFromKeyStore();
        final IvParameterSpec ivParameterSpec = getIvParameterSpec(context);

        cipher.init(Cipher.DECRYPT_MODE,secretKey,ivParameterSpec);
        return cipher;

    } catch (NoSuchAlgorithmException | NoSuchPaddingException | IOException | UnrecoverableKeyException | CertificateException | InvalidAlgorithmParameterException | InvalidKeyException e) {
        e.printStackTrace();

    }

    return null;
}

Cipher cipher = FingerprintCryptoHelper.getDecryptionCipher(getContext());
FingerprintManager.CryptoObject cryptoObject = new FingerprintManager.CryptoObject(cipher);
fingerprintManager.authenticate(cryptoObject,...);

getDecryptionCipher()方法正常工作,直到cipher.init()调用.在这个调用上,我得到一个UserNotAuthenticatedException,因为用户没有为这个secretKey进行身份验证.这是有道理的.但这不是一个循环,不可能实现:

要认证用户,我想使用他/她的指纹
>要听他/她的指纹,我需要初始化Cipher,这个返回需要一个经过身份验证的用户

这里有什么问题?

编辑:

我使用模拟器(Nexus 4,API 23).

这是我用来创建密钥的代码.

private SecretKey createKey() {
    try {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES,ANDROID_KEY_STORE);
        keyGenerator.init(new KeyGenParameterSpec.Builder(
                KEY_NAME,KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT
        )
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setUserAuthenticationrequired(true)
                .setUserAuthenticationValidityDurationSeconds(AUTHENTICATION_DURATION_SECONDS)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .build());
        return keyGenerator.generateKey();
    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException e) {
        throw new RuntimeException("Failed to create a symmetric key",e);
    }
}

解决方法

事实证明,这个问题与KeyGenParameterSpec的一个已知问题有关,防止在没有认证的情况下使用公共密钥(这正是公钥不需要的).

一个相关的问题/答案可以在这里找到:Android Fingerprint API Encryption and Decryption

解决方法是从最初创建的密钥创建一个PublicKey,并使用这个无限制的PublicKey来初始化密码.
所以我的最终密码使用AES / CBC / PKCS7Padding,并通过这种方法初始化:

public boolean initCipher(int opMode) {
    try {
        Key key = mKeyStore.getKey(KEY_NAME,null);

        if (opMode == Cipher.ENCRYPT_MODE) {
            final byte[] encoded = key.getEncoded();
            final String algorithm = key.getAlgorithm();
            final X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encoded);
            PublicKey unrestricted = KeyFactory.getInstance(algorithm).generatePublic(keySpec);

            mCipher.init(opMode,unrestricted);

        } else {
            final IvParameterSpec ivParameterSpec = getIvParameterSpec();
            mCipher.init(opMode,key,ivParameterSpec);

        }

        return true;

    } catch (KeyPermanentlyInvalidatedException exception) {
        return false;

    } catch ( NoSuchAlgorithmException | InvalidKeyException
            | InvalidKeySpecException | InvalidAlgorithmParameterException | UnrecoverableKeyException | KeyStoreException exception) {
        throw new RuntimeException("Failed to initialize Cipher or Key: ",exception);
    }
}

@NonNull
public IvParameterSpec getIvParameterSpec() {
    // the IV is stored in the Preferences after encoding.
    String base64EncryptionIv = PreferenceHelper.getEncryptionIv(mContext);
    byte[] encryptionIv = Base64.decode(base64EncryptionIv,Base64.DEFAULT);
    return new IvParameterSpec(encryptionIv);
}

猜你在找的Android相关文章