
My app is using Android's keystore to encrypt some data after authenticating with a fingerprint. This seems to work on most devices, but I have received error reports from OnePlus2 users with the following exception:

android.security.KeyStoreException: Signature/MAC verification failed
    at android.security.KeyStore.getKeyStoreException(KeyStore.java:632)
    at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:132)
    at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:217)
    at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:473)
    at javax.crypto.Cipher.doFinal(Cipher.java:1502)

My code basically does this (written in Mono for Android):

// AES/CBC/PKCS7 cipher backed by a key in the hardware-backed Android keystore
Cipher _cipher = Cipher.GetInstance(KeyProperties.KeyAlgorithmAes + "/"
                                    + KeyProperties.BlockModeCbc + "/"
                                    + KeyProperties.EncryptionPaddingPkcs7);

KeyStore _keystore = KeyStore.GetInstance("AndroidKeyStore");
FingerprintManager _fingerprintManager = (FingerprintManager) Context.GetSystemService(Context.FingerprintService);

_keystore.Load(null);
var key = _keystore.GetKey(_keyId, null);
_cipher.Init(CipherMode.EncryptMode, key);

// Wrap the initialised cipher so the fingerprint authentication unlocks it
_cryptoObject = new FingerprintManager.CryptoObject(_cipher);
_fingerprintManager.Authenticate(_cryptoObject, _cancellationSignal, 0 /* flags */, this, null);

// OnAuthSucceeded: the cipher may now be used
var mySecret = _cipher.DoFinal(System.Text.Encoding.UTF8.GetBytes(textToEncrypt));

Is there anything wrong with the code? What does the exception mean?

  • Did you use keytool to make a self-signed certificate, or are you using the debug certificate? It sounds like it does not like the MAC address. Commented Apr 18, 2016 at 20:40
  • @user3535611 MAC = message authentication code, not media access control. Commented Apr 18, 2016 at 22:24
  • The authentication tag of the key store failed. It seems streaming is happening, so that's probably an authenticated cipher that failed verification. That probably means the wrong key was made available after fingerprint verification. Hell if I know why that happens though. Commented Apr 18, 2016 at 22:27
  • Authentication problem? Manifest permissions? Commented Apr 18, 2016 at 22:28
  • @Philipp Have you got the solution to your problem? Commented Jan 30, 2018 at 7:31

1 Answer

First, your code looks fine.

In my experience Android fingerprint tends to have a lot of weird edge case errors across various devices. I can't answer exactly, but it sounds like a HW or implementation issue with the FP API on OnePlus's part. I know Xiaomi and even Google have acknowledged various weird issues with their implementation.

Tips:

Make sure you are listening only once for fingerprint. If you listen twice, you can receive the incorrect cipher object, so the encryption won't match.

Update your gradle/min SDK/support libraries, all that stuff.

hold on to your butt


1 Comment

that Jurassic Park reference though :D
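The "listen only once" tip above, worked through as an added Mono for Android (C#) example that is not the asker's or answerer's code. It keeps a single CancellationSignal so a second Authenticate call cannot be started while one is pending, takes the cipher from the AuthenticationResult the system hands back instead of a field, cancels the listener when the screen goes away, and recreates the key when the keystore reports it as permanently invalidated (which happens on Android 6 when the fingerprint enrolment changes). The alias "example_alias", the class and method names, and the OnEncrypted event are assumptions for the example; the Xamarin binding names (KeyStorePurpose, FingerprintAuthenticationFlags, GetIV, FingerprintState) are used as the binding exposes them.

```csharp
using System;
using System.Text;
using Android.Content;
using Android.Hardware.Fingerprints;
using Android.OS;
using Android.Security.Keystore;
using Java.Security;
using Javax.Crypto;

// Added example, not code from the question or the answer.
public class FingerprintEncryptor : FingerprintManager.AuthenticationCallback
{
    const string KeyAlias = "example_alias";   // assumed alias for this example
    const string Transformation = KeyProperties.KeyAlgorithmAes + "/"
        + KeyProperties.BlockModeCbc + "/" + KeyProperties.EncryptionPaddingPkcs7;

    readonly Context _context;
    CancellationSignal _cancel;   // non-null only while a listener is registered
    string _pendingPlaintext;

    public event Action<byte[], byte[]> OnEncrypted;   // (iv, ciphertext)

    public FingerprintEncryptor(Context context) { _context = context; }

    // Create the key once, bound to user authentication, so the fingerprint
    // is what unlocks the cipher. Nothing to do if the alias already exists.
    static void EnsureKey(KeyStore ks)
    {
        if (ks.ContainsAlias(KeyAlias)) return;
        var gen = KeyGenerator.GetInstance(KeyProperties.KeyAlgorithmAes, "AndroidKeyStore");
        gen.Init(new KeyGenParameterSpec.Builder(KeyAlias, KeyStorePurpose.Encrypt | KeyStorePurpose.Decrypt)
            .SetBlockModes(KeyProperties.BlockModeCbc)
            .SetEncryptionPaddings(KeyProperties.EncryptionPaddingPkcs7)
            .SetUserAuthenticationRequired(true)
            .Build());
        gen.GenerateKey();
    }

    public void Encrypt(string plaintext)
    {
        // Exactly one listener at a time: a second Authenticate while one is
        // pending is the "listening twice" case the answer warns about.
        if (_cancel != null) return;

        var ks = KeyStore.GetInstance("AndroidKeyStore");
        ks.Load(null);
        EnsureKey(ks);

        var cipher = Cipher.GetInstance(Transformation);
        try
        {
            cipher.Init(CipherMode.EncryptMode, ks.GetKey(KeyAlias, null));
        }
        catch (KeyPermanentlyInvalidatedException)
        {
            // Enrolment changed since the key was made: old ciphertexts are
            // unrecoverable by design, so drop the key and start a fresh one.
            ks.DeleteEntry(KeyAlias);
            EnsureKey(ks);
            cipher.Init(CipherMode.EncryptMode, ks.GetKey(KeyAlias, null));
        }

        _pendingPlaintext = plaintext;
        _cancel = new CancellationSignal();
        var fm = (FingerprintManager)_context.GetSystemService(Context.FingerprintService);
        fm.Authenticate(new FingerprintManager.CryptoObject(cipher), _cancel,
            FingerprintAuthenticationFlags.None, this, null);
    }

    // Call from Activity.OnPause so the listener never outlives the screen.
    public void Cancel()
    {
        _cancel?.Cancel();
        _cancel = null;
        _pendingPlaintext = null;
    }

    public override void OnAuthenticationSucceeded(FingerprintManager.AuthenticationResult result)
    {
        _cancel = null;
        // Use the cipher the system returns: it is the one that was authenticated.
        var cipher = result.CryptoObject.Cipher;
        byte[] iv = cipher.GetIV();   // must be stored with the ciphertext to decrypt later
        byte[] ciphertext = cipher.DoFinal(Encoding.UTF8.GetBytes(_pendingPlaintext));
        _pendingPlaintext = null;
        OnEncrypted?.Invoke(iv, ciphertext);
    }

    public override void OnAuthenticationError(FingerprintState errorCode, Java.Lang.ICharSequence errString)
    {
        // Errors (including cancellation) end the listening session.
        _cancel = null;
        _pendingPlaintext = null;
    }
}
```

Usage: construct one FingerprintEncryptor per Activity, call Encrypt from the button handler and Cancel from OnPause. Because Encrypt returns early while `_cancel` is set, double taps or a re-entered screen cannot register a second callback against a different cipher instance.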
