Status Update
Comments
kc...@google.com <kc...@google.com>
sw...@google.com <sw...@google.com> #2
java.security.ProviderException: Keystore operation failed
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:386)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.biometric.CryptoObjectUtils.createFakeCryptoObject(CryptoObjectUtils.java:256)
at androidx.biometric.BiometricManager.canAuthenticateWithStrongBiometricOnApi29(BiometricManager.java:419)
at androidx.biometric.BiometricManager.canAuthenticateCompat(BiometricManager.java:386)
at {packageName}.fingerprint.BiometricUtils.getBiometricSupportLevelForLogin(BiometricUtils.java:3343)
at androidx.biometric.BiometricManager.canAuthenticate(BiometricManager.java:343)
at {packageName}.fingerprint.BiometricUtils.getBiometricSupportLevelForLogin(BiometricUtils.java:19)
at {packageName}.domain.biometrics.GetBiometricsSupportForLoginInteractor.execute(GetBiometricsSupportForLoginInteractor.java:13)
at {packageName}.ui.settings.SettingsViewModel$$special$$inlined$apply$lambda$1$1.invoke(SettingsViewModel.java:85)
at {packageName}.ui.settings.SettingsViewModel$$special$$inlined$apply$lambda$1$1.invokeSuspend(SettingsViewModel.java:85)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(BaseContinuationImpl.java:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.java:106)
at kotlinx.coroutines.scheduling.CoroutineScheduler.submitToLocalQueue(CoroutineScheduler.java:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.java:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.java:9738)
Caused by: android.security.KeyStoreException: 16
at android.security.KeyStore.getKeyStoreException(KeyStore.java:1552)
at android.security.keystore.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:386)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at androidx.biometric.CryptoObjectUtils.createFakeCryptoObject(CryptoObjectUtils.java:256)
at androidx.biometric.BiometricManager.canAuthenticateWithStrongBiometricOnApi29(BiometricManager.java:419)
at androidx.biometric.BiometricManager.canAuthenticateCompat(BiometricManager.java:386)
at {packageName}.fingerprint.BiometricUtils.getBiometricSupportLevelForLogin(BiometricUtils.java:3343)
at androidx.biometric.BiometricManager.canAuthenticate(BiometricManager.java:343)
at {packageName}.fingerprint.BiometricUtils.getBiometricSupportLevelForLogin(BiometricUtils.java:19)
at {packageName}.domain.biometrics.GetBiometricsSupportForLoginInteractor.execute(GetBiometricsSupportForLoginInteractor.java:13)
at {packageName}.ui.settings.SettingsViewModel$$special$$inlined$apply$lambda$1$1.invoke(SettingsViewModel.java:85)
at {packageName}.ui.settings.SettingsViewModel$$special$$inlined$apply$lambda$1$1.invokeSuspend(SettingsViewModel.java:85)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(BaseContinuationImpl.java:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.java:106)
at kotlinx.coroutines.scheduling.CoroutineScheduler.submitToLocalQueue(CoroutineScheduler.java:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.java:571)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.java:9738)
il...@google.com <il...@google.com> #3
Again: Android: 10 Android Build: QP1A.190711.020 Manufacturer: samsung Model: SM-G781W
It seems that this issue happens on Samsung phones running Android 10.
ze...@google.com <ze...@google.com> #4
I was able to reproduce the same issue using a Samsung Galaxy S20 running Android 10.
Basically, what I had to do to reproduce this issue was to register only Face Recognition (which is a weak authenticator) on the phone and then try to use the app that I'm implementing.
As soon as I registered a Fingerprint in the device, I was not able to reproduce this issue anymore.
Also, I've noticed that my app was also calling the same method twice because of the logic that I had on my observables.
In summary, the issue with BiometricManager.canAuthenticate(BIOMETRIC_STRONG) is easier to reproduce if the method is called more than once in a row and on a Samsung phone with only Face Recognition registered.
I don't think that calling the method multiple times is the root cause of this issue, but I think it makes it easier to reproduce the issue. Possibly, the error occurs because the biometrics framework is not ready/busy to process the request and returns a KeyStoreException: 16.
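An added example (Kotlin; not code from the reporter's app or from androidx.biometric) of how an app can defend itself against the failure this comment describes: every canAuthenticate(BIOMETRIC_STRONG) query goes through one synchronized, cached entry point, so duplicated observer logic cannot fan out into back-to-back calls, and the java.security.ProviderException seen in the trace in #2 is caught so the settings screen degrades to an "unknown" answer rather than crashing. It assumes androidx.biometric 1.1.0 or later, where the canAuthenticate(int) overload and BiometricManager.Authenticators exist; the class and result-type names are made up for the example.

```kotlin
import android.util.Log
import androidx.biometric.BiometricManager
import java.security.ProviderException

// Result type invented for this example: the app's UI branches on it.
sealed class StrongBiometricSupport {
    object Available : StrongBiometricSupport()
    // status is one of the BiometricManager.BIOMETRIC_ERROR_* codes.
    data class Unavailable(val status: Int) : StrongBiometricSupport()
    // The probe itself threw; the device state is simply not known yet.
    data class Unknown(val cause: Throwable) : StrongBiometricSupport()
}

// Single app-wide probe so that several observers cannot issue concurrent
// canAuthenticate() calls (comment #4: repeated calls make the failure easier to hit).
class StrongBiometricProbe(private val manager: BiometricManager) {
    private val lock = Any()
    private var cached: StrongBiometricSupport? = null

    fun query(forceRefresh: Boolean = false): StrongBiometricSupport {
        synchronized(lock) {
            if (!forceRefresh) cached?.let { return it }

            val result = try {
                when (val status =
                    manager.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG)) {
                    BiometricManager.BIOMETRIC_SUCCESS -> StrongBiometricSupport.Available
                    else -> StrongBiometricSupport.Unavailable(status)
                }
            } catch (e: ProviderException) {
                // "Keystore operation failed" / KeyStoreException: 16 from the trace in #2.
                Log.w(TAG, "canAuthenticate threw; reporting support as unknown", e)
                StrongBiometricSupport.Unknown(e)
            }

            // A failed probe is not cached: the framework may only have been busy,
            // and the next explicit refresh should ask again.
            if (result !is StrongBiometricSupport.Unknown) cached = result
            return result
        }
    }

    private companion object {
        const val TAG = "StrongBiometricProbe"
    }
}
```

Construct it once, for example with BiometricManager.from(context), and have view models ask the probe rather than BiometricManager directly; treat Unknown as "do not offer biometric login on this screen yet" rather than as a hard error.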
Description
Library: androidx.biometric:biometric:1.0.0-rc01
We encountered an issue related to decryption using a user-authentication protected key that only seems to occur on devices running Android 10.
Our use-case is the following:
1. Create an RSA keypair in the AndroidKeyStore with UserAuthenticationRequired(true) and without a specified ValidityDuration (valid for only one decryption operation).
2. Attempt decryption operation using the private key cipher*
3. Receive exception “javax.crypto.IllegalBlockSizeException” (cause “android.security.KeyStoreException: Key user not authenticated”)
4. Invoke biometric framework (biometricPrompt.authenticate with private key cipher)
5. Re-Attempt decryption operation using the private key cipher
We have found that when we attempt to use the cipher before authenticating (step 2), we are no longer able to perform the decryption operation on Android 10. The operation systematically results in “javax.crypto.IllegalBlockSizeException” (cause “android.security.KeyStoreException: Invalid operation handle”).
To reproduce, the attached sample project and APK demonstrate two buttons:
- Test NOK: steps 1-5 above
- Test OK: same but without step 2 (steps 1 and 3-5 above)
With Android platforms prior to 10.0, both buttons result in a working decryption operation.
Thank you for your assistance.
Bug report:
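An added example (Kotlin; not the report's attached sample project, nor androidx.biometric code) of the "Test OK" flow from the description, i.e. steps 1, 3, 4 and 5 without step 2: the auth-per-use RSA key is created with setUserAuthenticationRequired(true) and no validity duration, the Cipher is initialised once, handed to BiometricPrompt inside a CryptoObject, and only finalised from onAuthenticationSucceeded. The key alias, the OAEP transformation (the report says only "RSA"), and the callback names are assumptions for the example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.GeneralSecurityException
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.util.concurrent.Executor
import javax.crypto.Cipher

// Assumed values, not taken from the report's sample project.
private const val KEY_ALIAS = "example_login_key"
private const val TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"

// Step 1: an RSA key pair whose private key is usable only after user authentication.
// No validity duration is set, so each private-key operation must be authorised
// individually by passing its Cipher through BiometricPrompt.CryptoObject.
fun createAuthBoundKeyPair() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
        // Keystore's OAEP uses SHA-1 for MGF1, so SHA-1 must be authorised next to SHA-256.
        .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA1)
        .setUserAuthenticationRequired(true)
        .build()
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore").run {
        initialize(spec)
        generateKeyPair()
    }
}

private fun loadPrivateKey(): PrivateKey {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    return keyStore.getKey(KEY_ALIAS, null) as PrivateKey
}

// Steps 4 and 5: initialise the cipher once, hand it to BiometricPrompt, and call
// doFinal only from onAuthenticationSucceeded. Step 2 of the report (a doFinal before
// authentication) is deliberately absent: the report observes that on Android 10 the
// failed attempt leaves the Keystore operation handle invalid, so the post-auth retry
// fails with "Invalid operation handle".
fun decryptAfterBiometric(
    activity: FragmentActivity,
    executor: Executor,
    ciphertext: ByteArray,
    onPlaintext: (ByteArray) -> Unit,
    onFailure: (String) -> Unit
) {
    // Cipher.init begins the Keystore operation; it is authorised, not finalised, here.
    val cipher = Cipher.getInstance(TRANSFORMATION).apply {
        init(Cipher.DECRYPT_MODE, loadPrivateKey())
    }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // The cipher returned with the result is the one bound to the
            // now-authorised operation; finalise that one.
            val authorised = result.cryptoObject?.cipher
            if (authorised == null) {
                onFailure("authentication result carried no CryptoObject")
                return
            }
            try {
                onPlaintext(authorised.doFinal(ciphertext))
            } catch (e: GeneralSecurityException) {
                // IllegalBlockSizeException / BadPaddingException wrap the Keystore cause.
                onFailure("decryption failed: ${e.message} (cause: ${e.cause?.message})")
            }
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onFailure("biometric error $errorCode: $errString")
        }
    }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock login key")
        .setNegativeButtonText("Cancel")
        .build()
    BiometricPrompt(activity, executor, callback)
        .authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The point of the structure is that there is exactly one place where the private key is exercised, and it runs only after the prompt has authorised the operation; any "is the key unlocked yet?" probe that calls doFinal ahead of the prompt is what the report's "Test NOK" button does, and on Android 10 it costs you the operation.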