My app is using Android's keystore to encrypt some data after authenticating with a fingerprint. This seems to work on most devices, but I have received error reports from OnePlus2 users with the following exception:

android.security.KeyStoreException: Signature/MAC verification failed
    at android.security.KeyStore.getKeyStoreException(KeyStore.java:632)
    at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:132)
    at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:217)
    at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:473)
    at javax.crypto.Cipher.doFinal(Cipher.java:1502)

My code basically does this (written in Mono for Android):

Cipher _cipher = Cipher.GetInstance(KeyProperties.KeyAlgorithmAes + "/"
                                              + KeyProperties.BlockModeCbc + "/"
                                              + KeyProperties.EncryptionPaddingPkcs7);

KeyStore _keystore = KeyStore.GetInstance("AndroidKeyStore");
FingerprintManager _fingerprintManager = (FingerprintManager) Context.GetSystemService(Context.FingerprintService);

_keystore.Load(null);
var key = _keystore.GetKey(_keyId, null);
_cipher.Init(CipherMode.EncryptMode, key);
_cryptoObject = new FingerprintManager.CryptoObject(_cipher);
_fingerprintManager.Authenticate(_cryptoObject, _cancellationSignal, 0 /* flags */, this, null);

//OnAuthSucceeded:
var mySecret = _cipher.DoFinal(System.Text.Encoding.UTF8.GetBytes(textToEncrypt));

Is there anything wrong with the code? What does the exception mean?

Philipp

1 Answer

First, your code looks fine.

In my experience Android fingerprint tends to have a lot of weird edge-case errors across various devices. I can't answer exactly, but it sounds like a HW or implementation issue with the FP API on OnePlus's part. I know Xiaomi and even Google have acknowledged various weird issues with their implementations.

Tips:

Make sure you are listening only once for fingerprint. If you listen twice, you can receive the incorrect cipher object, so the encryption won't match.

Update your Gradle/min SDK/support libraries, all that stuff.

Hold on to your butt.

Chris Merrick
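As an added example (not the asker's or the answerer's code), this is one way to enforce the "listen only once" tip in Mono for Android: a single CancellationSignal that is cancelled before any new prompt, and DoFinal run on the cipher returned in the AuthenticationResult rather than on a field. The class name, the key alias, the callback signature and the assumption that an AES/CBC/PKCS7 key already exists under that alias in AndroidKeyStore are all mine.

```csharp
using System;
using Android.Content;
using Android.Hardware.Fingerprints;
using Android.OS;
using Android.Runtime;
using Android.Security.Keystore;
using Java.Security;
using Javax.Crypto;

// Hypothetical helper, not the asker's code: one live prompt at a time, and DoFinal runs on
// the cipher handed back in the AuthenticationResult, not on a field a second call may have replaced.
public class FingerprintEncryptor : FingerprintManager.AuthenticationCallback
{
    const string KeyAlias = "example-key";          // constructed alias, stands in for the asker's _keyId
    readonly FingerprintManager _fingerprintManager;
    readonly Action<byte[], byte[]> _onEncrypted;   // receives (iv, ciphertext)
    CancellationSignal _cancellationSignal;         // non-null only while a prompt is live

    public FingerprintEncryptor(Context context, Action<byte[], byte[]> onEncrypted)
    {
        _fingerprintManager = context.GetSystemService(Context.FingerprintService).JavaCast<FingerprintManager>();
        _onEncrypted = onEncrypted;
    }

    // Assumes an AES key under KeyAlias already exists in AndroidKeyStore with user authentication required.
    public void StartListening()
    {
        StopListening();   // cancel any earlier prompt so its cipher can never be the one that fires
        _cancellationSignal = new CancellationSignal();
        var keystore = KeyStore.GetInstance("AndroidKeyStore");
        keystore.Load(null);
        var cipher = Cipher.GetInstance(KeyProperties.KeyAlgorithmAes + "/"
            + KeyProperties.BlockModeCbc + "/" + KeyProperties.EncryptionPaddingPkcs7);
        cipher.Init(CipherMode.EncryptMode, keystore.GetKey(KeyAlias, null));
        _fingerprintManager.Authenticate(new FingerprintManager.CryptoObject(cipher), _cancellationSignal, 0, this, null);
    }

    public void StopListening()
    {
        _cancellationSignal?.Cancel();
        _cancellationSignal = null;
    }

    public override void OnAuthenticationSucceeded(FingerprintManager.AuthenticationResult result)
    {
        _cancellationSignal = null;
        var cipher = result.CryptoObject.Cipher;   // the cipher the keystore actually authorised for this auth
        var plaintext = System.Text.Encoding.UTF8.GetBytes("constructed sample secret");
        _onEncrypted(cipher.GetIV(), cipher.DoFinal(plaintext));   // keep the IV, decryption needs it
    }
}
```

Call StopListening() from the activity's OnPause so a backgrounded prompt cannot be left alive alongside a new one created in OnResume.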