java - 谷歌播放完整性 API : a Nightmare

Question

我需要一些帮助，伙计们!!我是一个自学成才的加密新手，在阅读、测试和错误两个多星期后，我发现了很少的人群知识，几乎没有来自谷歌的文档。
我正在尝试阅读完整性裁决，我已经设法让它 IntegrityTokenRequest 做

    String nonce = Base64.encodeToString("this_is_my_nonce".getBytes(), Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    IntegrityManager myIntegrityManager =   IntegrityManagerFactory
          .create(getApplicationContext());
    // Request the integrity token by providing a nonce.
    Task<IntegrityTokenResponse> myIntegrityTokenResponse = myIntegrityManager
          .requestIntegrityToken(IntegrityTokenRequest
          .builder()
          .setNonce(nonce)
          .build());

    myIntegrityTokenResponse.addOnSuccessListener(new OnSuccessListener<IntegrityTokenResponse>() {
        @Override
        public void onSuccess(IntegrityTokenResponse myIntegrityTokenResponse) {
            String token = myIntegrityTokenResponse.token();
            // so here I have my Integrity token.
            // now how do I read it??
        }
    }

根据文档，这一切都在 Play Console 中设置，并相应地创建了 Google Cloud 项目。现在出现了文档中的大漏洞:
a) JWT 有 4 个点将 JWT 分为 5 个部分，而不是这里描述的 3 个部分 https://jwt.io/
b) Developer.Android.com 建议在 Google 服务器上解密和验证

我不知道如何或将要执行此命令... :-(
c) 如果我选择解密并验证返回的 token ，它会更复杂，因为我没有自己的安全服务器环境，只有我的应用程序和 Google Play 控制台。
d) 我在已下载的 Google Cloud Platform OAuth 2.0 Client IDs "Android client for com.company.project"JSON 文件中找到，但(再次)不知道如何在我的应用程序中使用它从诚信 token 。

{"installed":
    {"client_id":"123456789012-abcdefghijklmnopqrstuvwxyza0g2ahk.apps.googleusercontent.com",
        "project_id":"myproject-360d3",
        "auth_uri":"https://accounts.google.com/o/oauth2/auth",
        "token_uri":"https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url":https://www.googleapis.com/oauth2/v1/certs
    }
}

我确定我错过了很多，请帮助

Answer 1

非常感谢@John_S对于您的答案，我将其标记为最终答案，无论如何，我在这里为 future 的开发人员发布所有缺少的部分，以便他们可以缩短我在这个问题上的近一个月的时间，因为没有完整的文档或 java 示例(在写这篇文章的时间)用于 Google PlayIntegrity API。
首先，您需要在 Google Cloud 和 Google Play 中设置我们的项目，如 @John_S 所述，但缺少的部分是您需要将凭据设置为“ 服务帐户 ”，然后设置“ 添加 key ”，如 java.io.IOException: Error reading credentials from stream, 'type' field not specified 所述这个https://developers.google.com/workspace/guides/create-credentials#android;然后，您可以使用您的凭据下载 .json 文件。我的问题中描述的 .json 文件无效，因为它必须具有如下结构:

    {  "type": "service_account",
       "project_id": "your-project",
       "private_key_id": "your-key-id",
       "private_key": "your-private-key",
       "client_email": "your-email@appspot.gserviceaccount.com",
       "client_id": "your-client-id",
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-email%40appspot.gserviceaccount.com"
    }

其次，一旦您下载了有效的 .json 文件，将其存储在“ src/main/resources/credentials.json ”(如果需要，创建新文件夹，而不是“res”文件夹)，如所述这里 Where must the client_secrets.json file go in Android Studio project folder tree?
第三，要完成 build.gradle 的所有缺失部分，您必须包括:

dependencies {
    implementation 'com.google.android.play:integrity:1.0.1'                  
    implementation 'com.google.apis:google-api-services-playintegrity:v1-rev20220211-1.32.1'
    implementation 'com.google.api-client:google-api-client-jackson2:1.20.0'
    implementation 'com.google.auth:google-auth-library-credentials:1.7.0'
    implementation 'com.google.auth:google-auth-library-oauth2-http:1.7.0'
}

并将它们导入您的项目

import com.google.android.gms.tasks.Task;
import com.google.android.play.core.integrity.IntegrityManager;
import com.google.android.play.core.integrity.IntegrityManagerFactory;
import com.google.android.play.core.integrity.IntegrityTokenRequest;
import com.google.android.play.core.integrity.IntegrityTokenResponse;
import com.google.api.services.playintegrity.v1.PlayIntegrity;
import com.google.api.services.playintegrity.v1.PlayIntegrityRequestInitializer;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.api.services.playintegrity.v1.model.DecodeIntegrityTokenRequest;
import com.google.api.services.playintegrity.v1.model.DecodeIntegrityTokenResponse;
import com.google.api.client.googleapis.services.GoogleClientRequestInitializer;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;

然后，请求“完整性 token ”并对其进行解码的完整代码将是:

    // create the NONCE  Base64-encoded, URL-safe, and non-wrapped String
    String mynonce = Base64.encodeToString("this_is_my_nonce".getBytes(), Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);

    // Create an instance of a manager.
    IntegrityManager myIntegrityManager = IntegrityManagerFactory.create(getApplicationContext());

    // Request the integrity token by providing a nonce.
    Task<IntegrityTokenResponse> myIntegrityTokenResponse = myIntegrityManager
        .requestIntegrityToken(IntegrityTokenRequest
        .builder()
        .setNonce(mynonce)
//      .setCloudProjectNumber(cloudProjNumber)         // necessary only if sold outside Google Play
        .build());

        // get the time to check against the decoded integrity token time
        timeRequest = Calendar.getInstance().getTimeInMillis();

        myIntegrityTokenResponse.addOnSuccessListener(new OnSuccessListener<IntegrityTokenResponse>() {
            @Override
            public void onSuccess(IntegrityTokenResponse myIntegrityTokenResponse) {
                try {
                    String token = myIntegrityTokenResponse.token();

                    DecodeIntegrityTokenRequest requestObj = new DecodeIntegrityTokenRequest();
                    requestObj.setIntegrityToken(token);

                    //Configure your credentials from the downloaded Json file from the resource
                    GoogleCredentials credentials = GoogleCredentials.fromStream(Objects.requireNonNull(getClass().getClassLoader()).getResourceAsStream("credentials.json"));
                    HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(credentials);

                    HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
                    JsonFactory JSON_FACTORY  = new JacksonFactory();
                    GoogleClientRequestInitializer initializer = new PlayIntegrityRequestInitializer();

                    PlayIntegrity.Builder playIntegrity = new PlayIntegrity.Builder(HTTP_TRANSPORT, JSON_FACTORY, requestInitializer).setApplicationName("your-project")
                        .setGoogleClientRequestInitializer(initializer);
                    PlayIntegrity play  = playIntegrity.build();

                    // the DecodeIntegrityToken must be run on a parallel thread
                    Thread thread = new Thread(new Runnable() {
                        @Override
                        public void run() {
                            try  {
                                DecodeIntegrityTokenResponse response = play.v1().decodeIntegrityToken("com.project.name", requestObj).execute();
                                String licensingVerdict = response.getTokenPayloadExternal().getAccountDetails().getAppLicensingVerdict();
                                if (licensingVerdict.equalsIgnoreCase("LICENSED")) {
                                    // Looks good! LICENSED app
                                } else {
                                    // LICENSE NOT OK
                                }
                            } catch (Exception e) {
                                //  LICENSE error
                            }
                        }
                    });

                    // execute the parallel thread 
                    thread.start();

                } catch (Error | IOException e) {
                    // LICENSE error
                } catch (Exception e) {
                    // LICENSE error
                }
            }
    });

希望这可以帮助。