Open
Labels
bug (Something isn't working)
Description
Describe the bug?
We have several Crashlytics reports showing crashes from the com.okta.authfoundation library.
When updating credentials:
Fatal Exception: java.security.ProviderException: Keystore key generation failed
at android.security.keystore2.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:413)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at com.okta.authfoundation.util.AndroidKeystoreUtil.getOrCreateAesKey(AndroidKeystoreUtil.kt:56)
at com.okta.authfoundation.util.AesEncryptionHandler.encryptString(AesEncryptionHandler.kt:44)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invokeSuspend(EncryptionTokenProvider.kt:61)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invoke(EncryptionTokenProvider.kt:103)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invoke(EncryptionTokenProvider.kt:103)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invokeSuspend(Preferences.kt:358)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invoke(Preferences.kt:18)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invoke(Preferences.kt:18)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invokeSuspend(PreferenceDataStore.java:94)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invokeSuspend(PreferenceDataStore.java:94)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
Caused by android.security.KeyStoreException: -22 (internal Keystore code: -22 message: system/security/keystore2/src/security_level.rs:622
Caused by:
0: system/security/keystore2/src/security_level.rs:620: While generating Key without explicit attestation key.
1: Error::Km(r#KEY_EXPORT_OPTIONS_INVALID))
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:386)
at android.security.KeyStoreSecurityLevel.handleExceptions(KeyStoreSecurityLevel.java:57)
at android.security.KeyStoreSecurityLevel.generateKey(KeyStoreSecurityLevel.java:145)
at android.security.keystore2.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey(AndroidKeyStoreKeyGeneratorSpi.java:400)
at javax.crypto.KeyGenerator.generateKey(KeyGenerator.java:612)
at com.okta.authfoundation.util.AndroidKeystoreUtil.getOrCreateAesKey(AndroidKeystoreUtil.kt:56)
at com.okta.authfoundation.util.AesEncryptionHandler.encryptString(AesEncryptionHandler.kt:44)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invokeSuspend(EncryptionTokenProvider.kt:61)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invoke(EncryptionTokenProvider.kt:103)
at com.okta.authfoundation.client.EncryptionTokenProvider$setDeviceToken$2.invoke(EncryptionTokenProvider.kt:103)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invokeSuspend(Preferences.kt:358)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invoke(Preferences.kt:18)
at androidx.datastore.preferences.core.PreferencesKt$edit$2.invoke(Preferences.kt:18)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invokeSuspend(PreferenceDataStore.java:94)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invokeSuspend(PreferenceDataStore.java:94)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.preferences.core.PreferenceDataStore$updateData$2.invoke(PreferenceDataStore.java:137)
at androidx.datastore.core.DataStoreImpl$transformAndWrite$2$newData$1.invokeSuspend(DataStoreImpl.java:331)
And getting credentials:
Fatal Exception: java.security.InvalidKeyException: Keystore operation failed
at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException(KeyStoreCryptoOperationUtils.java:128)
at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:152)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:354)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:185)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:3003)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2910)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2815)
at javax.crypto.Cipher.chooseProvider(Cipher.java:792)
at javax.crypto.Cipher.init(Cipher.java:1162)
at javax.crypto.Cipher.init(Cipher.java:1103)
at com.okta.authfoundation.credential.DefaultTokenEncryptionHandler.rsaDecrypt(TokenEncryptionHandler.kt:290)
at com.okta.authfoundation.credential.DefaultTokenEncryptionHandler.decrypt(TokenEncryptionHandler.kt:279)
at com.okta.authfoundation.credential.RoomTokenStorage.getTokenFromEntity(RoomTokenStorage.kt:151)
at com.okta.authfoundation.credential.RoomTokenStorage.getToken(RoomTokenStorage.kt:146)
at com.okta.authfoundation.credential.RoomTokenStorage$getToken$1.invokeSuspend(RoomTokenStorage.kt:13)
Caused by android.security.KeyStoreException: -22 (internal Keystore code: -22 message: system/security/keystore2/src/security_level.rs:358: Failed to begin operation.
Caused by:
0: system/security/keystore2/src/security_level.rs:868
1: system/security/keystore2/src/utils.rs:200: Calling km_op.
2: Error::Km(r#KEY_EXPORT_OPTIONS_INVALID))
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:386)
at android.security.KeyStoreSecurityLevel.createOperation(KeyStoreSecurityLevel.java:120)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:349)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineInit(AndroidKeyStoreCipherSpiBase.java:185)
at javax.crypto.Cipher.tryTransformWithProvider(Cipher.java:3003)
at javax.crypto.Cipher.tryCombinations(Cipher.java:2910)
at javax.crypto.Cipher$SpiAndProviderUpdater.updateAndGetSpiAndProvider(Cipher.java:2815)
at javax.crypto.Cipher.chooseProvider(Cipher.java:792)
at javax.crypto.Cipher.init(Cipher.java:1162)
at javax.crypto.Cipher.init(Cipher.java:1103)
at com.okta.authfoundation.credential.DefaultTokenEncryptionHandler.rsaDecrypt(TokenEncryptionHandler.kt:290)
at com.okta.authfoundation.credential.DefaultTokenEncryptionHandler.decrypt(TokenEncryptionHandler.kt:279)
at com.okta.authfoundation.credential.RoomTokenStorage.getTokenFromEntity(RoomTokenStorage.kt:151)
at com.okta.authfoundation.credential.RoomTokenStorage.getToken(RoomTokenStorage.kt:146)
at com.okta.authfoundation.credential.RoomTokenStorage$getToken$1.invokeSuspend(RoomTokenStorage.kt:13)
What is expected to happen?
Application doesn't crash
What is the actual behavior?
Application crashes
Reproduction Steps?
Didn't find reproduction steps for this crash, but it seems to happen when we request a new token with Credentials.refreshToken() or call Credentials.getDefaultAsync().
Additional Information?
No response
SDK Version and Artifact(s) used.
2.0.3
Build Information
No response