Status Update
No update yet.
Comments
is...@google.com
so...@gmail.com
I am not sure I understand the use case. how can the benchmark be code to real world scenario when it's not possible to do right now ? which scenario is it ?
In any case, since this would be for benchmarking, this would clearly not be available through the public DSL. We should find a semi-private way of doing this (maybe the private variant API object could offer that functionality for instance or a property).
so...@gmail.com
We want benchmarks to measure code after Progaurd / R8, but it's not possible to turn that on for androidTests in library modules at the moment (to my knowledge?)
Benchmarks are also a public facing thing, but we have a plugin to help configure gradle builds for our users, so if support for this ends up in a private API, we could try to keep those usages localized to our code perhaps.
Description
Version used:
Devices/Android versions reproduced on: Starting from 9 to 14
Wrap operation of keystore is working as expected but unwrap seems to fail randomly in production on different device models. Top OEMS impacted are Pixel, Motorolla and Xiaomi.
We are unable to reproduce it internally. Hence unable to experiment with the parameters and see what can fix the issue. But we want to understand the root cause since the stacktrace does not clearly explain what exactly is the problem.
Below the stacktrace observed
Exception : [YPC] 2024-11-14 17:34:29.29 [25795][917] ERROR [AndroidKeyStoreUtil:unwrap] [2024-11-14 12:04:29 - thread_id: 911, correlation_id: UNSET - Android 34] invalid_key
java.security.InvalidKeyException: Keystore operation failed
at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException(KeyStoreCryptoOperationUtils.java:128)
at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:152)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:354)
Also providing the code snippet for how we invoke the wrap operation and how we invoke unwrap operation are provided below
WRAPPING
...................................................................................................................................................................................................
if(keyPair == null){
Logger.info(methodTag, "No existing keypair. Generating a new one.");
keyPair = AndroidKeyStoreUtil.generateKeyPair(
"RSA",
getSpecForKeyStoreKey(mContext, mAlias));
}
final byte[] keyWrapped = AndroidKeyStoreUtil.wrap(unencryptedKey, keyPair, "RSA/ECB/PKCS1Padding");
......................................................................................................................................................................................................
private static AlgorithmParameterSpec getLegacySpecForKeyStoreKey(@NonNull final Context context,
@NonNull final String alias) {
// Generate a self-signed cert.
final String certInfo = String.format(Locale.ROOT, "CN=%s, OU=%s",
alias,
context.getPackageName());
final Calendar start = Calendar.getInstance();
final Calendar end = Calendar.getInstance();
final int certValidYears = 100;
end.add(Calendar.YEAR, certValidYears);
return new KeyPairGeneratorSpec.Builder(context)
.setAlias(alias)
.setSubject(new X500Principal(certInfo))
.setSerialNumber(BigInteger.ONE)
.setStartDate(start.getTime())
.setEndDate(end.getTime())
.build();
}
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
UNWRAPPING
final SecretKey key = AndroidKeyStoreUtil.unwrap(wrappedSecretKey, "AES", keyPair, "RSA/ECB/PKCS1Padding");