java.security.KeyStoreException: the master key android-keystore exists but is unusable

[rajeshjadidminc]

Describe the bug?

Application crashed due to java.security.KeyStoreException: the master key android-keystore exists but is unusable

What is expected to happen?

It should be run as usual when running with the check box enable for biometric.

What is the actual behaviour?

java.security.KeyStoreException: the master key android-keystore://com_okta_sample_storage exists but is unusable
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:276)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:237)
at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:165)
at com.cfna.app.okta.storage.SharedPreferencesModule.createSharedPreferences(SharedPreferencesModule.kt:47)
at com.cfna.app.okta.storage.SharedPreferencesModule.providesBiometricCredentialSharedPrefs(SharedPreferencesModule.kt:94)
at com.cfna.app.okta.storage.SharedPreferencesModule_ProvidesBiometricCredentialSharedPrefsFactory.providesBiometricCredentialSharedPrefs(SharedPreferencesModule_ProvidesBiometricCredentialSharedPrefsFactory.java:42)
at com.cfna.app.DaggerCFNAApplication_HiltComponents_SingletonC$SingletonCImpl$SwitchingProvider.get(DaggerCFNAApplication_HiltComponents_SingletonC.java:757)
at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
at com.cfna.app.okta.biometric.BiometricCredentialsManager.useBiometricCredentialStorage(BiometricCredentialsManager.kt:64)
at com.cfna.app.ui.home.HomeKt$launchBiometricPrompt$2$onAuthenticationSucceeded$1.invokeSuspend(Home.kt:269)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at androidx.compose.ui.platform.AndroidUiDispatcher.performTrampolineDispatch(AndroidUiDispatcher.android.kt:81)
at androidx.compose.ui.platform.AndroidUiDispatcher.access$performTrampolineDispatch(AndroidUiDispatcher.android.kt:41)
at androidx.compose.ui.platform.AndroidUiDispatcher$dispatchCallback$1.run(AndroidUiDispatcher.android.kt:57)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:233)
at android.app.ActivityThread.main(ActivityThread.java:8068)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:631)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:978)
Suppressed: kotlinx.coroutines.DiagnosticCoroutineContextException: [androidx.compose.ui.platform.MotionDurationScaleImpl@f6488b6, androidx.compose.runtime.BroadcastFrameClock@239d9b7, StandaloneCoroutine{Cancelling}@43057b4, AndroidUiDispatcher@e5c788d]
Caused by: android.security.keystore.UserNotAuthenticatedException: User not authenticated
at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1369)
at android.security.KeyStore.getInvalidKeyException(KeyStore.java:1388)
at android.security.keystore.KeyStoreCryptoOperationUtils.getInvalidKeyExceptionForInit(KeyStoreCryptoOperationUtils.java:54)
at android.security.keystore.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:89)
at android.security.keystore.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:265)
at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:109)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:2984)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2891)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2796)
at javax.crypto.Cipher.chooseProvider(Cipher.java:773)
at javax.crypto.Cipher.init(Cipher.java:1143)
at javax.crypto.Cipher.init(Cipher.java:1084)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal(AndroidKeystoreAesGcm.java:84)
at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt(AndroidKeystoreAesGcm.java:72)
2022-12-23 21:19:03.914 15506-15506 AndroidRuntime com.cfna.app.debug E at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:259)
at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:175)
at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:268)
... 21 more

Reproduction Steps?

• Login without biometric (remove biometric setup from device)
• Go dashboard
• Enable checkbox( i have managed the code with if biometric is not enable then it will go setting and come back with enabling the biometric and check again in activity result if its enable run the same which you have mention for checkbox)
• application crashed.

Additional Information?

• please try to resolve this asap we are planning to release the build to the customer.

SDK Version(s)

latest sdk version

coreLibraryDesugaring 'com.android.tools:desugar_jdk_libs:1.1.5'
implementation(platform('com.okta.kotlin:bom:1.1.1'))
implementation('com.okta.kotlin:auth-foundation-bootstrap')
implementation('com.okta.kotlin:web-authentication-ui')
implementation 'androidx.security:security-crypto-ktx:1.1.0-alpha04'
implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.2.2"
implementation 'androidx.biometric:biometric:1.1.0'

Build Information

No response

[rajdeepnanua-okta]

Hey @rajeshjadidminc,

From your stacktrace, your logic for requesting user to add biometrics in settings, and then coming back to the app seems correct and onAuthenticationSucceeded callback is getting called correctly. Is it possible that biometric SharedPrefs were opened at any point before biometric prompt was successfully authenticated?

[rajdeepnanua-okta]

I looked into this issue more and realized that the biometric keystore can be invalidated if the user adds or removes fingerprints from the device. I've added a fix for this, which is invalidating the biometric key and trying again. That should fix this issue. Biometric support is also merged into master branch of this repo now.

[rajeshjadidminc]

Hi,

I am a little bit confused about the 2 variables used in the share preference class

_biometricEnabled
_biometricAuthenticated

[rajdeepnanua-okta]

Hi @rajeshjadidminc,

biometricEnabled is for used to check if the app is currently using biometric-backed storage or regular storage for storing credentials.

biometricAuthenticated is used to check if the user has successfully authenticated a biometric prompt. I use biometricAuthenticated to:

1. Display the biometric prompt only if the user hasn't already authenticated earlier
2. Throw an IllegalStateException in case the code attempts to open biometric storage without authenticating first