dvsekhvalnov / jose-jwt

Ultimate Javascript Object Signing and Encryption (JOSE), JSON Web Token (JWT) and Json Web Keys (JWK) Implementation for .NET and .NET Core
MIT License

Play Integrity Exception "org.jose4j.lang.IntegrityException: A256KW key unwrap/decrypt failed" #226

Closed Jitendran closed 1 year ago

Jitendran commented 1 year ago

We follow the Google doc below and one separate developer blog.

Google doc: https://developer.android.com/google/play/integrity/verdict#decrypt-verify-locally

Developer blog: https://hoven.in/cpp-projects/play-integrity-api-2.html https://hoven.in/cpp-projects/play-integrity-api-3.html

We are getting this "org.jose4j.lang.IntegrityException: A256KW key unwrap/decrypt failed" exception on the line below, inside the try/catch block.

"compactJws = jwe.payload"

// This is the code we are using for Play integrity
val str = "AIzaSyBPF4dLN4SLxNlraMWUD2FpUrfE39qvF_E"
val strBytes = Base64.decode(str, Base64.DEFAULT)
val encoded = Base64.encode(
    strBytes,
    Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP
)
val nonce = String(encoded)
val DECRYPTION_KEY = "xcClpnhjH0JQrwcJ…./9TPiTqr34Nmqs="
val VERIFICATION_KEY = "MFkwEwYHKoZIzj0CAQYI….AEuzmUjHs7b7Z7NUgbKmq/5AJfpeMbjh/10yNlQllYlDz1DRIisRMbLI/4yDIO95VWgcfrrnSyIPKBMRFiFEZE3Q=="

val integrityManager = IntegrityManagerFactory.create(applicationContext)
val integrityTokenResponse = integrityManager.requestIntegrityToken(
    IntegrityTokenRequest.builder()
        .setNonce(nonce)
        .setCloudProjectNumber(70102…724)
        .build()
)
.addOnSuccessListener(
    (OnSuccessListener { response: IntegrityTokenResponse ->
        val integrityToken = response.token()
        val decryptionKeyBytes: ByteArray = Base64.decode(DECRYPTION_KEY, Base64.DEFAULT)

        // SecretKey
        val decryptionKey: SecretKey =
            SecretKeySpec(decryptionKeyBytes, 0, decryptionKeyBytes.size, "AES")
        val encodedVerificationKey: ByteArray =
            Base64.decode(VERIFICATION_KEY, Base64.DEFAULT)

        // PublicKey
        var verificationKey: PublicKey? = null
        verificationKey = KeyFactory.getInstance("EC")
                .generatePublic(X509EncodedKeySpec(encodedVerificationKey))
        if (null == verificationKey) {
            return@OnSuccessListener
        }

        // JsonWebEncryption
        var jwe: JsonWebEncryption? = null
        jwe = JsonWebStructure.fromCompactSerialization(integrityToken) as JsonWebEncryption

        if (null == jwe) {
            return@OnSuccessListener
        }
        jwe.key = decryptionKey
        var compactJws: String? = null
        try {
            compactJws = jwe.payload    // We are getting the exception on this line
        } catch (e: JoseException) {
            Log.d(TAG, e.message!!)
        }

        // JsonWebSignature
        var jws: JsonWebSignature? = null
        try {
            if (compactJws != null) {
                jws = JsonWebStructure
                    .fromCompactSerialization(compactJws) as JsonWebSignature
            } else {
                Log.d(TAG, "Null compactJWS")
            }

        } catch (e: JoseException) {
            Log.d(TAG, e.message!!)
        }

        if (null == jws) {
            return@OnSuccessListener
        }
        jws.key = verificationKey

        // get the json human readable string
        var jsonPlainVerdict: String? = ""
        jsonPlainVerdict = try {
            jws.payload
        } catch (e: JoseException) {
            Log.d(TAG, e.message!!)
            return@OnSuccessListener
        }

        // payload is available in json format
        // plain text, can be processed as per needs
        Log.d(TAG, jsonPlainVerdict!!)
    } as OnSuccessListener<IntegrityTokenResponse>)!!
)
.addOnFailureListener((OnFailureListener { ex: Exception? ->
    Log.d(
        TAG,
        ex!!.message.toString()
    )
} as OnFailureListener)!!)
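
A way to narrow down an "A256KW key unwrap/decrypt failed" error before the token reaches a JOSE library, as an added example that is not part of the original post or of jose4j/jose-jwt. `triageJwe` is a hypothetical helper; it uses only the JVM's `java.util.Base64` and `javax.crypto` (not `android.util.Base64`), and the token and keys in `main` are constructed samples.

```kotlin
import java.security.GeneralSecurityException
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.spec.SecretKeySpec

// Hypothetical helper, not part of jose4j or jose-jwt: reports which
// precondition of the A256KW unwrap step a token/key pair fails.
fun triageJwe(compactJwe: String, base64Key: String): String {
    val parts = compactJwe.split(".")
    if (parts.size != 5) return "not a compact JWE: ${parts.size} parts, expected 5"

    val url = Base64.getUrlDecoder()
    val header = String(url.decode(parts[0]), Charsets.UTF_8)
    if (!header.contains("\"A256KW\"")) return "header does not declare A256KW: $header"

    // Standard Base64 alphabet, as the post uses for DECRYPTION_KEY.
    val keyBytes = try {
        Base64.getDecoder().decode(base64Key.trim())
    } catch (e: IllegalArgumentException) {
        return "key is not valid Base64"
    }
    if (keyBytes.size != 32) return "key is ${keyBytes.size} bytes, A256KW needs 32"

    // RFC 3394 output is the wrapped key plus one 8-byte integrity block.
    val wrapped = url.decode(parts[1])
    if (wrapped.size < 24 || wrapped.size % 8 != 0) return "bad encrypted-key length ${wrapped.size}"

    return try {
        val cipher = Cipher.getInstance("AESWrap")
        cipher.init(Cipher.UNWRAP_MODE, SecretKeySpec(keyBytes, "AES"))
        val cek = cipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY)
        "unwrap ok: content key is ${cek.encoded.size} bytes"
    } catch (e: GeneralSecurityException) {
        "unwrap failed: key does not match this token, or the encrypted key is corrupted"
    }
}

fun main() {
    // Constructed sample: wrap a random content key under keyA, then try keyA and keyB.
    val gen = KeyGenerator.getInstance("AES").apply { init(256) }
    val (keyA, keyB, cek) = List(3) { gen.generateKey() }
    val wrap = Cipher.getInstance("AESWrap").apply { init(Cipher.WRAP_MODE, keyA) }
    val enc = Base64.getUrlEncoder().withoutPadding()
    val header = enc.encodeToString("""{"alg":"A256KW","enc":"A256GCM"}""".toByteArray())
    val token = listOf(header, enc.encodeToString(wrap.wrap(cek)), "iv", "ct", "tag").joinToString(".")
    val std = Base64.getEncoder()
    println(triageJwe(token, std.encodeToString(keyA.encoded)))
    println(triageJwe(token, std.encodeToString(keyB.encoded)))
}
```

The AES key-wrap integrity check is what distinguishes a wrong or mismatched key from a malformed token: the structural checks pass in both runs, and only the unwrap step separates them.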

dvsekhvalnov commented 1 year ago

Hey @Jitendran ,

It doesn't look like this code is using the jose-jwt lib? Not sure what I can comment on?

Jitendran commented 1 year ago

Hey @dvsekhvalnov, thanks for your reply. I am using the libs below in my Kotlin build.gradle file.

implementation 'com.google.android.play:integrity:1.1.0'
implementation group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.7.12'

dvsekhvalnov commented 1 year ago

@Jitendran I got it :)

I can't comment on those; I can comment on the jose-jwt project, but you are not showing any code that uses it.

dishanphilips commented 1 year ago

In C# I managed to solve it as mentioned here: https://github.com/dvsekhvalnov/jose-jwt/issues/202

Jitendran commented 1 year ago

Thanks @dishanphilips for your reply.

dvsekhvalnov commented 1 year ago

If you guys are good with your question, feel free to close the ticket.

KubinkiewiczDawid commented 1 year ago

Hi @Jitendran, did you manage to fix it in your app?

Jitendran commented 1 year ago

Hi @KubinkiewiczDawid, we were facing this issue while the app was not live. After we made the app live in the Play Store, we are no longer facing this issue.