[英]Android biometrics UserNotAuthenticatedException on fingerprint
我在我的示例應用程序中使用 SecretKey 進行 Mac 簽名。 密鑰是用 builder 參數生成的
setUserAuthenticationValidityDurationSeconds(10)
允許使用指紋和(解鎖)設備 PIN 來保護我的密鑰。
UI 僅包含用於開始簽名的 SIGN 按鈕。
如果我通過“使用 PIN”使用生物識別提示,在輸入 PIN 后我會收到簽名(在我的示例中為“2BjEuSxl/bOTTUExE4vTX2rnRZEC1Zfa21FooKkBfnc=”)[注意:預期行為]。
在給定的 10 秒“ValidityDuration”期間內再次按下 SIGN 按鈕,我可以成功使用指紋進行授權 [注意:預期行為]。
10 秒后按下 SIGN 按鈕並使用指紋進行授權 [或在未事先使用 PIN 的情況下使用指紋] 會出現異常 [注意:不是預期的行為]:
android.security.keystore.UserNotAuthenticatedException: User not authenticated
所以我的問題是:如何使用相同的SecretKey 通過 PIN 和指紋選項來授權簽名過程(或者更好地從 AndroidKeystore 發布密鑰)?
我正在 Android SDK 30(目標)和(最低)23 上進行測試,生物識別功能可用於實現“androidx.biometric:biometric:1.1.0”。
以下是 Logcat 調試輸出,其中包含我的一些評論:
>>> first start
2021-07-04 14:23:47.178 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:23:47.181 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:23:47.211 6980-6980/de.biometrics D/*** Biometric ***: generated fresh key, try to load
2021-07-04 14:23:47.223 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate
>>> biometric prompt, used the PIN [authType = 1]:
2021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 1
2021-07-04 14:24:04.089 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:04.092 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:04.097 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=
>>> pressed "SIGN" again after 5 seconds
2021-07-04 14:24:09.725 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:24:09.730 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:13.421 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 2
2021-07-04 14:24:13.422 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:13.426 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:13.432 6980-6980/de.biometrics D/signed data: a1wbBdybQkP30XWFBj0o8fiVrS8BXlREGmDHQQQhEwg=
>>> pressed "SIGN" again 21 seconds after the PIN authorization
2021-07-04 14:24:23.348 6980-6980/de.biometrics D/*** Biometric ***: sign started
2021-07-04 14:24:23.359 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
2021-07-04 14:24:23.366 6980-6980/de.biometrics D/*** Biometric ***: UserNotAuthenticatedException thrown, try to authenticate
>>> fingerprint is accepted [authType = 2]
2021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: Authentication succeeded with authType 2
2021-07-04 14:24:25.356 6980-6980/de.biometrics D/*** Biometric ***: (authType: 1=PIN, 2=fingerprint)
2021-07-04 14:24:25.361 6980-6980/de.biometrics D/*** Biometric ***: try to load secretKey from keystore
>>> the exception is thrown on line 86:
>>> mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: android.security.keystore.UserNotAuthenticatedException: User not authenticated
2021-07-04 14:24:25.377 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1346)
2021-07-04 14:24:25.378 6980-6980/de.biometrics W/System.err: at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1388)
2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit(KeyStoreCryptoOperationUtils.java:54)
2021-07-04 14:24:25.379 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.ensureKeystoreOperationInitialized(AndroidKeyStoreHmacSpi.java:184)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at android.security.keystore.AndroidKeyStoreHmacSpi.engineInit(AndroidKeyStoreHmacSpi.java:101)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.chooseProvider(Mac.java:443)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at javax.crypto.Mac.init(Mac.java:513)
2021-07-04 14:24:25.380 6980-6980/de.biometrics W/System.err: at de.biometrics.MainActivity$1.onAuthenticationSucceeded(MainActivity.java:86)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.handleCallback(Handler.java:938)
2021-07-04 14:24:25.381 6980-6980/de.biometrics W/System.err: at android.os.Handler.dispatchMessage(Handler.java:99)
2021-07-04 14:24:25.382 6980-6980/de.biometrics W/System.err: at android.os.Looper.loop(Looper.java:223)
2021-07-04 14:24:25.384 6980-6980/de.biometrics W/System.err: at android.app.ActivityThread.main(ActivityThread.java:7656)
2021-07-04 14:24:25.385 6980-6980/de.biometrics W/System.err: at java.lang.reflect.Method.invoke(Native Method)
2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
2021-07-04 14:24:25.386 6980-6980/de.biometrics W/System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
這是完整的源代碼(MainActivity.java):
編輯:我稍微改變了 createKey-function 以更符合https://developer.android.com/training/sign-in/biometric-auth#java上的文檔
package de.biometrics;
import android.os.Bundle;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import android.util.Base64;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.concurrent.Executor;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
public class MainActivity extends AppCompatActivity {
// use dependency in build.graddle:
// implementation 'androidx.biometric:biometric:1.1.0'
private static final String KEY_NAME_SIGN = "SignKey";
private static final int VALIDITY_DURATION_SECONDS = 10;
private static final String APP_TAG = "*** Biometric *** ";
private BiometricPrompt biometricPrompt;
private BiometricPrompt.PromptInfo promptInfo;
private Executor executor;
Button btnSign;
Mac mac;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
executor = ContextCompat.getMainExecutor(this);
btnSign = (Button) findViewById(R.id.button);
// Allows user to authenticate using either a Class 3 biometric or
// their lock screen credential (PIN, pattern, or password).
promptInfo = new BiometricPrompt.PromptInfo.Builder()
.setTitle("Biometric login for my app")
.setSubtitle("Log in using your biometric credential")
// Can't call setNegativeButtonText() and
// setAllowedAuthenticators(...|DEVICE_CREDENTIAL) at the same time.
// .setNegativeButtonText("Use account password")
.setAllowedAuthenticators(
androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
| androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL)
.build();
biometricPrompt = new BiometricPrompt(MainActivity.this,
executor, new BiometricPrompt.AuthenticationCallback() {
@Override
public void onAuthenticationError(int errorCode,
@NonNull CharSequence errString) {
super.onAuthenticationError(errorCode, errString);
Log.d(APP_TAG, "Authentication succeeded!");
}
@Override
public void onAuthenticationSucceeded(
@NonNull BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
int authorizationType = result.getAuthenticationType();
Log.d(APP_TAG, "Authentication succeeded with authType " + authorizationType);
Log.d(APP_TAG, "(authType: 1=PIN, 2=fingerprint)");
try {
// init mac from scratch
mac = Mac.getInstance("HmacSHA256");
mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
byte[] bytes = "secret-text".getBytes(StandardCharsets.UTF_8);
byte[] macResult = mac.doFinal(bytes);
Log.d("signed data ", Base64.encodeToString(macResult, Base64.NO_WRAP));
} catch (InvalidKeyException | NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
@Override
public void onAuthenticationFailed() {
super.onAuthenticationFailed();
Log.d(APP_TAG, "Authentication failed");
}
});
btnSign.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
sign();
}
});
}
private void sign() {
// simple sign function
Log.d(APP_TAG, "sign started");
// setup the mac
try {
mac = Mac.getInstance("HmacSHA256");
mac.init(getOrCreateSecretKey(KEY_NAME_SIGN));
} catch (UserNotAuthenticatedException e) {
Log.d(APP_TAG, "UserNotAuthenticatedException thrown, try to authenticate");
biometricPrompt.authenticate(promptInfo);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
e.printStackTrace();
}
biometricPrompt.authenticate(promptInfo);
}
private SecretKey getOrCreateSecretKey(String keyName) {
SecretKey secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "try to load secretKey from keystore");
if (secretKey == null) {
createSecretKey(keyName);
secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "generated fresh key, try to load");
}
return secretKey;
}
private SecretKey getSecretKey(String keyName) {
KeyStore keyStore = null;
try {
keyStore = KeyStore.getInstance("AndroidKeyStore");
// Before the keystore can be accessed, it must be loaded.
keyStore.load(null);
return ((SecretKey) keyStore.getKey(keyName, null));
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | NoSuchAlgorithmException | IOException e) {
e.printStackTrace();
return null;
}
}
private void createSecretKey(String keyName) {
generateSecretKey(new KeyGenParameterSpec.Builder(
keyName,
KeyProperties.PURPOSE_SIGN)
.setUserAuthenticationRequired(true)
//.setInvalidatedByBiometricEnrollment(true)
.setUserAuthenticationValidityDurationSeconds(10)
.build());
}// All exceptions unhandled
private void generateSecretKey(KeyGenParameterSpec keyGenParameterSpec) {
KeyGenerator keyGenerator = null;
try {
keyGenerator = KeyGenerator.getInstance(
KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
keyGenerator.init(keyGenParameterSpec);
keyGenerator.generateKey();
} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | NoSuchProviderException e) {
e.printStackTrace();
}
}
}
活動_main.xml
<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:app="http://schemas.android.com/apk/res-auto"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
tools:context=".MainActivity">
<Button
android:id="@+id/button"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginStart="16dp"
android:layout_marginTop="32dp"
android:layout_marginEnd="16dp"
android:text="Sign"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toTopOf="parent" />
</androidx.constraintlayout.widget.ConstraintLayout>
build.graddle(模塊):
plugins {
id 'com.android.application'
}
android {
compileSdkVersion 30
buildToolsVersion "30.0.3"
defaultConfig {
applicationId "de.biometrics"
minSdkVersion 23
targetSdkVersion 30
versionCode 1
versionName "1.0"
testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
}
compileOptions {
sourceCompatibility JavaVersion.VERSION_1_8
targetCompatibility JavaVersion.VERSION_1_8
}
}
dependencies {
implementation 'androidx.appcompat:appcompat:1.3.0'
implementation 'com.google.android.material:material:1.3.0'
implementation 'androidx.constraintlayout:constraintlayout:2.0.4'
testImplementation 'junit:junit:4.+'
androidTestImplementation 'androidx.test.ext:junit:1.1.3'
androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0'
implementation 'androidx.biometric:biometric:1.1.0'
}
注意:這只是一個非常簡化的程序,僅用於測試生物識別提示功能。
我正在回答我自己的問題,因為我的發現可能對其他人有幫助。
到目前為止(2021 年 7 月 6 日)我不知道為什么使用該選項生成的 SecretKey
.setUserAuthenticationValidityDurationSeconds(10);
不能先通過指紋釋放。 正如我的問題中所寫,當它首先通過 PIN(設備憑據)發布時,只要持續時間未過期,它就可以通過指紋使用(“驗證”)。
無論如何,文檔中還有另一個選項可以使用 auth-per-use 密鑰進行身份驗證( https://developer.android.com/training/sign-in/biometric-auth#auth-per-use-keys )和這個選項給出了預期的結果。
使用新代碼更新代碼時,不要忘記生成新密鑰!
使用新選項時
.setUserAuthenticationParameters(0 /* duration */,
KeyProperties.AUTH_BIOMETRIC_STRONG |
KeyProperties.AUTH_DEVICE_CREDENTIAL)
您會注意到代碼需要 SDK 30+ 才能運行。 對於在 SDK > 23 上運行的代碼,您可以使用
.setUserAuthenticationValidityDurationSeconds(0)
使用“0”秒很重要,因為這(內部)默認為“BIOMETRIC_STRONG | DEVICE_CREDENTIAL”,當使用“-1”時,它默認為“DEVICE_CREDENTIAL”(沒有指紋選項)。
下面我提供的代碼用於檢查正在使用的 SDK 並選擇正確的 generateKey 函數:
private SecretKey getOrCreateSecretKey(String keyName) {
SecretKey secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "try to load secretKey from keystore");
if (secretKey == null) {
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M &
Build.VERSION.SDK_INT < Build.VERSION_CODES.R) {
createSecretKeyApi2329(keyName);
Log.d(APP_TAG, "createSecretKeyApi2329 SDK in use: " + Build.VERSION.SDK_INT);
}
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
createSecretKeyApi30(keyName);
Log.d(APP_TAG, "createSecretKeyApi30 SDK in use: " + Build.VERSION.SDK_INT);
}
// as minimum SDK in build.gradle was set to 23 the version can't be below 23
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
Log.d(APP_TAG, "SDK in use is to old, minimum SDK is 23 = M");
finish();
}
secretKey = getSecretKey(keyName);
Log.d(APP_TAG, "generated fresh key, try to load");
}
return secretKey;
}
@RequiresApi(api = Build.VERSION_CODES.R)
private void createSecretKeyApi30(String keyName) {
generateSecretKey(new KeyGenParameterSpec.Builder(
keyName,
KeyProperties.PURPOSE_SIGN)
//.setInvalidatedByBiometricEnrollment(true)
// Accept either a biometric credential or a device credential.
// To accept only one type of credential, include only that type as the
// second argument.
// @RequiresApi(api = Build.VERSION_CODES.R)
.setUserAuthenticationParameters(0 /* duration */,
KeyProperties.AUTH_BIOMETRIC_STRONG |
KeyProperties.AUTH_DEVICE_CREDENTIAL)
.build());
}// All exceptions unhandled
//@RequiresApi(api = Build.VERSION_CODES.M)
private void createSecretKeyApi2329(String keyName) {
generateSecretKey(new KeyGenParameterSpec.Builder(
keyName,
KeyProperties.PURPOSE_SIGN)
//.setInvalidatedByBiometricEnrollment(true)
// Accept either a biometric credential or a device credential.
// To accept only one type of credential, include only that type as the
// second argument.
// for SDK < 30 use .setUserAuthenticationValidityDurationSeconds(0)
// see https://cs.android.com/android/platform/superproject/+/android-11.0.0_r3:frameworks/base/keystore/java/android/security/keystore/KeyGenParameterSpec.java;l=1236-1246;drc=a811787a9642e6a9e563f2b7dfb15b5ae27ebe98
// parameter "0" defaults to AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL
// parameter "-1" default to AUTH_BIOMETRIC_STRONG
.setUserAuthenticationValidityDurationSeconds(0)
.build());
}// All exceptions unhandled
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.