Replace Deprecated Keystore API for Android 28+, Fixes AB#3110184 #2558
Issue: https://portal.microsofticm.com/imp/v5/incidents/details/540463066/summary
Keystore operation "unwrap" is failing on Pixel 5 Android 14 devices. It is still not clear why the operation would fail specifically on Pixel 5 devices, but it could be some bug on Google's side which is fixed for all other devices through a patch. Updates for Pixel 5 have stopped, hence it may not have the Google fix.
However, the getSpecForKeyStoreKey method used while wrapping the key was using a deprecated API (KeyPairGeneratorSpec). It was deprecated in Android 23. Updating it to the latest one has somehow resolved the issue for 1 customer (since there are no updates from other customers, we assumed that it is the fix).
Exception: [YPC] 2024-11-14 17:34:29.29 [25795][917] ERROR [AndroidKeyStoreUtil:unwrap] [2024-11-14 12:04:29 - thread_id: 911, correlation_id: UNSET - Android 34] invalid_key
java.security.InvalidKeyException: Keystore operation failed
at android.security.keystore2.KeyStoreCryptoOperationUtils.getInvalidKeyException(KeyStoreCryptoOperationUtils.java:128)
at android.security.keystore2.KeyStoreCryptoOperationUtils.getExceptionForCipherInit(KeyStoreCryptoOperationUtils.java:152)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.ensureKeystoreOperationInitialized(AndroidKeyStoreCipherSpiBase.java:354)
Fix: Removed the deprecated API KeyPairGeneratorSpec and now using the new one, KeyGenParameterSpec, which lets us set the purpose as PURPOSE_WRAP_KEY.
Testing: Ran the pipeline to confirm whether the instrumented and UI tests are running as expected: https://identitydivision.visualstudio.com/Engineering/_build/results?buildId=1401690&view=ms.vss-test-web.build-test-results-tab&runId=4352544&resultId=100000&paneView=debug and https://identitydivision.visualstudio.com/Engineering/_build/results?buildId=1401664&view=logs&s=60296c01-192d-58d3-82b8-da4d468e44bd
Fixes AB#3110184