AndroidKeyStore KeyPairGenerator Crashes On Small Number of Devices

Question

My application only targets Android 6.0+. In my application I generate a RSA key in the AndroidKeyStore with the following:

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
kpg.initialize(new KeyGenParameterSpec.Builder(
    "myKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
    .setCertificateSubject(new X500Principal("CN=myKey"))
    .setDigests("SHA-1")
    .setEncryptionPaddings("OAEPPadding")
    .build());

KeyPair kp = kpg.generateKeyPair();

This works well on 20+ devices that we have tested and nearly 100% percent of our users.

However, there is a small number of users that that application crashes for when kpg.generateKeyPair() is executed with the following:

java.security.ProviderException: Failed to load generated key pair from keystore
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.loadKeystoreKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:518)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:470)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:699)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.n_onCreate(Native Method)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.onCreate(MainApplication.java:34)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1025)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5448)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1564)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6186)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
Caused by: java.security.UnrecoverableKeyException: Failed to obtain X.509 form of public key
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStorePublicKeyFromKeystore(AndroidKeyStoreProvider.java:230)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore(AndroidKeyStoreProvider.java:259)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.loadKeystoreKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:509)
... 14 more
Caused by: android.security.KeyStoreException: -22
at android.security.KeyStore.getKeyStoreException(KeyStore.java:676)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStorePublicKeyFromKeystore(AndroidKeyStoreProvider.java:231)
... 16 more


java.security.UnrecoverableKeyException: Failed to obtain X.509 form of public key
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStorePublicKeyFromKeystore(AndroidKeyStoreProvider.java:230)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore(AndroidKeyStoreProvider.java:259)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.loadKeystoreKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:509)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:470)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:699)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.n_onCreate(Native Method)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.onCreate(MainApplication.java:34)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1025)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5448)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1564)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6186)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
Caused by: android.security.KeyStoreException: -22
at android.security.KeyStore.getKeyStoreException(KeyStore.java:676)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStorePublicKeyFromKeystore(AndroidKeyStoreProvider.java:231)
... 16 more


android.security.KeyStoreException: -22
at android.security.KeyStore.getKeyStoreException(KeyStore.java:676)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStorePublicKeyFromKeystore(AndroidKeyStoreProvider.java:231)
at android.security.keystore.AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore(AndroidKeyStoreProvider.java:259)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.loadKeystoreKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:509)
at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:470)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:699)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.n_onCreate(Native Method)
at md5fb78b69c5ddbc157f4db38fd738139a6.MainApplication.onCreate(MainApplication.java:34)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1025)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5448)
at android.app.ActivityThread.-wrap2(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1564)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6186)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)

The only things I can find on the internet about this Failed to obtain X.509 form of public key error are a few articles with no real solutions. See:

The few reports that we have received are from users with OnePlus devices on Android 7.1, which is also one of the devices mentioned in the above articles but there are definitely other devices affected as well.

Why is this happening?
Are there any workarounds?

I think that -22 corresponds to this: "KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22" in KeyMasterDefs — Stephen C, Jun 10 '17 at 04:06
Seems to be stemming from this line: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/master/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java#230 — kspearrin, Jun 10 '17 at 12:48
@kspearrin I am actually one of the affected users, running a OnePlus 2. I TP-Links app "Kasa" crashing on me, with this exactly stack trace. Decompilation of the APK points to code looking like yours. Have you got any new information? — Fredefl, Jul 28 '17 at 19:38
@Fredefl Unfortunately I was never able to solve the problem. I gave up on it. My solution was to forego using asymmetric keypairs and revert to use symmetric keys (on Android 6.0+). Fortunately my solution allowed for that, but I realize that isn't the case most of the time. — kspearrin, Jul 28 '17 at 19:52

AndroidKeyStore KeyPairGenerator Crashes On Small Number of Devices

0 Answers0

Linked