user1700585

Reputation: 41

Android KeyPermanentlyInvalidatedException is not caught when setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(X)

Hello Android developers,

I've got something strange in my app when I'm using the fingerprint sensor and the AndroidKeyStore provider together.

Here is the case:

I create a KeyPair with KeyPairGenerator. In the builder I have set setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10).

I have enrolled 3 fingers in the fingerprint sensor.

When I then try to init the Signature algorithm with initSign(...) the first time, UserNotAuthenticatedException is caught. That's fair. (https://developer.android.com/reference/android/security/keystore/UserNotAuthenticatedException.html)

Then I enroll a new finger in the fingerprint sensor.

So I expect that when I init the Signature algorithm, it should catch KeyPermanentlyInvalidatedException as described in the Google documentation (https://developer.android.com/reference/android/security/keystore/KeyPermanentlyInvalidatedException.html), but that is not the case. UserNotAuthenticatedException is always caught.

If I remove setUserAuthenticationValidityDurationSeconds(10), things work as expected (KeyPermanentlyInvalidatedException is caught).

Do you know if there is a way to make both exceptions work with setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10)?

Thank you in advance, Matt

Upvotes: 3

Views: 3312

Answers (1)

CaHa

Reputation: 1166

No, KeyPermanentlyInvalidatedException is not thrown when setUserAuthenticationValidityDurationSeconds > -1.

From the setUserAuthenticationValidityDurationSeconds docs:

Parameters: seconds int: duration in seconds or -1 if user authentication must take place for every use of the key.

and from setUserAuthenticationRequired:

Additionally, if the key requires that user authentication takes place for every use of the key, it is also irreversibly invalidated once a new fingerprint is enrolled.


Update (26.11.2018)

KeyPermanentlyInvalidatedException will not be thrown if setUserAuthenticationValidityDurationSeconds > -1, because:

Cryptographic operations involving keys which are authorized to be used for a duration of time after a successful user authentication event can only use secure lock screen authentication. These cryptographic operations will throw UserNotAuthenticatedException during initialization if the user needs to be authenticated to proceed.

Source: https://developer.android.com/reference/android/security/keystore/KeyProtection.Builder#setUserAuthenticationValidityDurationSeconds(int)

Upvotes: 2
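The two configurations the answer contrasts, side by side, as an added example (not code from the question or the answer). It assumes API level 23+, the AndroidKeyStore provider, and two key aliases chosen here for illustration; it does not include the FingerprintManager/BiometricPrompt or KeyguardManager UI flow that the two NEEDS_AUTH cases require. The per-use key (validity -1) is the only one that can ever produce KeyPermanentlyInvalidatedException; the 10-second key is bound to the secure lock screen rather than to the enrolled fingerprint set, so new enrollment leaves it valid and initSign keeps reporting UserNotAuthenticatedException until a lock-screen unlock has happened within the window.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

/** Added example: two auth-bound EC signing keys in the AndroidKeyStore provider. */
public final class AuthBoundKeys {
    private static final String PROVIDER = "AndroidKeyStore";
    // Aliases are assumptions for this example, not names from the question.
    public static final String PER_USE_ALIAS = "sig_per_use";
    public static final String TIMED_ALIAS = "sig_10s";

    /** Key that needs authentication for every use (validity -1). It is bound to the
     *  fingerprint set: initSign succeeds, the Signature is wrapped in a CryptoObject and
     *  authenticated before sign(), and a new enrollment invalidates the key. */
    public static void generatePerUseKey() throws Exception {
        generate(PER_USE_ALIAS, -1);
    }

    /** The configuration from the question: valid for 10 s after a secure-lock-screen
     *  unlock. Not bound to the fingerprint set, so enrollment does not invalidate it. */
    public static void generateTimedKey() throws Exception {
        generate(TIMED_ALIAS, 10);
    }

    private static void generate(String alias, int validitySeconds) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)          // needed for SHA256withECDSA
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(validitySeconds)
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }

    public enum InitResult { READY, NEEDS_AUTH, INVALIDATED }

    /** Attempts Signature.initSign for the given alias and classifies the outcome. */
    public static InitResult tryInitSign(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new IllegalStateException("no key under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withECDSA");
        try {
            sig.initSign(key);
            // Per-use key: now wrap sig in a CryptoObject and authenticate, then sign().
            // Timed key: a lock-screen unlock happened within the window, sign() directly.
            return InitResult.READY;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Only reachable for the per-use key (a fingerprint was added or removed).
            // The key material is unusable: delete it and generate a fresh key.
            ks.deleteEntry(alias);
            return InitResult.INVALIDATED;
        } catch (UserNotAuthenticatedException e) {
            // Timed key without a recent unlock: launch
            // KeyguardManager.createConfirmDeviceCredentialIntent(...) and retry afterwards.
            return InitResult.NEEDS_AUTH;
        }
    }
}
```

Both exceptions extend InvalidKeyException, so they are siblings and the catch order does not matter, but they never both apply to the same key: pick validity -1 and handle INVALIDATED, or pick a positive duration and accept that only NEEDS_AUTH will ever surface.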
