Sign JWT with PrivateKey from android Fingerprint API -
i have claims , want create jwt , sign privatekey created in fingerprint api.
this jwt claim -
header: { "alg": "rs256”, “kid”: “abcdedfkjsdfjaldfkjg”, “auth_type” : “fingerprint” / "pin" } payload: { “client_id”:”xxxxx-yyyyyy-zzzzzz” }
creating keypair fingerprint -
import android.os.build; import android.security.keystore.keygenparameterspec; import android.security.keystore.keyproperties; import android.support.annotation.requiresapi; import android.util.log; import com.yourmobileid.mobileid.library.common.midcommons; import org.jose4j.base64url.base64; import java.io.ioexception; import java.security.invalidalgorithmparameterexception; import java.security.keypairgenerator; import java.security.keystore; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.nosuchproviderexception; import java.security.privatekey; import java.security.publickey; import java.security.unrecoverablekeyexception; import java.security.cert.certificateexception; import java.security.spec.rsakeygenparameterspec; @requiresapi(api = build.version_codes.m) public class biometrichelper { public static final string key_name = "my_key"; static keypairgenerator mkeypairgenerator; private static string mkid; private static keystore keystore; public static void init() { try { mkeypairgenerator = keypairgenerator.getinstance( keyproperties.key_algorithm_rsa, "androidkeystore"); } catch (nosuchalgorithmexception | nosuchproviderexception e) { throw new runtimeexception("failed instance of keypairgenerator", e); } mkid = midcommons.generaterandomstring(); keystore = null; try { keystore = keystore.getinstance("androidkeystore"); } catch (keystoreexception e) { throw new runtimeexception("failed instance of keystore", e); } createkeypair(); } /** * generates asymmetric key pair in android keystore. every use of private key must * authorized user authenticating fingerprint. public key use unrestricted. */ public static void createkeypair() { try { mkeypairgenerator.initialize( new keygenparameterspec.builder( key_name, keyproperties.purpose_encrypt | keyproperties.purpose_decrypt) .setencryptionpaddings(keyproperties.encryption_padding_rsa_pkcs1) .setalgorithmparameterspec(new rsakeygenparameterspec(2048, rsakeygenparameterspec.f4)) .build()); mkeypairgenerator.generatekeypair(); } catch (invalidalgorithmparameterexception e) { throw new runtimeexception(e); } } public static privatekey getprivatekey() { privatekey privatekey = null; try { keystore.load(null); privatekey = (privatekey) keystore.getkey(key_name, null); } catch (keystoreexception | certificateexception | unrecoverablekeyexception | nosuchalgorithmexception | ioexception e) { e.printstacktrace(); } return privatekey; } public static publickey getpublickey() { publickey publickey = null; try { keystore.load(null); publickey = keystore.getcertificate(key_name).getpublickey(); } catch (keystoreexception | certificateexception | nosuchalgorithmexception | ioexception e) { e.printstacktrace(); } return publickey; } public static keystore getkeystore(){ return keystore; } public static string getpublickeystr() { stringbuilder publickey = new stringbuilder("-----begin public key-----\n"); publickey.append(base64.encode((getpublickey().getencoded())).replace("==","")); publickey.append("\n-----end public key-----"); log.d("key==","\n"+publickey); return publickey.tostring(); } public static string getkid() { log.d("mkid==","\n"+mkid); return mkid; } }
and creating jwt way -
@requiresapi(api = build.version_codes.m) private string createjwt(){ jwtclaims claims = new jwtclaims(); claims.setclaim("client_id","”xxxxx-yyyyyy-zzzzzz”"); jsonwebsignature jws = new jsonwebsignature(); jws.setpayload(claims.tojson()); jws.setkey(biometrichelper.getprivatekey()); jws.setkeyidheadervalue(biometrichelper.getkid()); jws.setheader("auth_type","fingerprint"); jws.setalgorithmheadervalue(algorithmidentifiers.rsa_using_sha256); string jwt = null; try { jwt = jws.getcompactserialization(); } catch (joseexception e) { e.printstacktrace(); } system.out.println("jwt: " + jwt); return jwt; }
when doing getting -
w/system.err: org.jose4j.lang.invalidkeyexception: given key (algorithm=rsa) not valid sha256withrsa w/system.err: @ org.jose4j.jws.basesignaturealgorithm.initforsign(basesignaturealgorithm.java:97) w/system.err: @ org.jose4j.jws.basesignaturealgorithm.sign(basesignaturealgorithm.java:68) w/system.err: @ org.jose4j.jws.jsonwebsignature.sign(jsonwebsignature.java:101)
i tried many other way signing jwt privatekey far did not find solution.
any appreciated
you have created key encryption only, not signing. change
mkeypairgenerator.initialize( new keygenparameterspec.builder( key_name, keyproperties.purpose_encrypt | keyproperties.purpose_decrypt) .setencryptionpaddings(keyproperties.encryption_padding_rsa_pkcs1) .setalgorithmparameterspec(new rsakeygenparameterspec(2048, rsakeygenparameterspec.f4)) .build());
with
mkeypairgenerator.initialize( new keygenparameterspec.builder( key_name, keyproperties.purpose_sign | keyproperties.purpose_verify) .setdigests(keyproperties.digest_sha256) .setalgorithmparameterspec(new rsakeygenparameterspec(2048, rsakeygenparameterspec.f4)) .build());
Comments
Post a Comment