
I'm currently working with the Android keystore system.

A Xiaomi 9 phone and a Huawei P20 (updated to Android 9) were used for testing; according to the GrapheneOS/AttestationSamples provided at this link, they might not support StrongBox.

Furthermore, the code below returned false, indicating that the device doesn't have the StrongBox feature.

private boolean hasStrongBox(Context context){
    return context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE);
}

However, during the test, when I generate an AES encryption key using the code below, neither phone throws StrongBoxUnavailableException:

protected int createAndroidKeyStoreSymmetricKey() throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
    KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");

    KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(ALIAS_MASTER_KEY, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7);
            .setIsStrongBoxBacked(true);
    
    keyGenerator.init(builder.build());
    secretKey = keyGenerator.generateKey();

    if(secretKey != null ){
        return 0;
    } else {
        return -1;
    }
}

While generating an RSA encryption key, they both did throw StrongBoxUnavailableException:

private KeyPair genKeyPair(String alias, boolean isStrongBoxBacked) throws Exception {
    KeyPairGenerator kpg =
            KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
    KeyGenParameterSpec.Builder keyBuilder = new KeyGenParameterSpec.Builder(
            alias,
            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
            .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
            .setKeySize(CRYPTO_BITS)
            .setIsStrongBoxBacked(true);
    kpg.initialize(keyBuilder.build());

    return kpg.generateKeyPair();
}

android.security.keystore.StrongBoxUnavailableException: Failed to generate key pair

Was any spec configuration done wrong during the key generation? The expected result is that StrongBoxUnavailableException is thrown during the AES generation as well.

  • Could you check your createAndroidKeyStoreSymmetricKey() code again? I think it shouldn't compile as there's an additional semicolon in the builder definition after setEncryptionPaddings(...) – SebastianBrandt Apr 02 '21 at 16:08
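Added example (not code from the question or from any answer): the AES generation written as one unbroken builder chain, so that setIsStrongBoxBacked(true) is actually applied, with a fallback to the TEE-backed keystore when StrongBoxUnavailableException is thrown and a post-generation check that the key is in secure hardware. It assumes compileSdk 28 or higher and a hypothetical class name StrongBoxAesKey; the alias is supplied by the caller.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.GeneralSecurityException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public final class StrongBoxAesKey {  // hypothetical class name
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    // True when the device advertises a StrongBox Keymaster (API 28+); false on the two phones in the question.
    public static boolean hasStrongBox(Context context) {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.P
                && context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE);
    }
    // Generates an AES-256/CBC/PKCS7 key, requesting StrongBox when available and
    // falling back to the TEE-backed keystore if StrongBoxUnavailableException is thrown.
    public static SecretKey generateAesKey(Context context, String alias) throws GeneralSecurityException {
        try {
            return generate(alias, hasStrongBox(context));
        } catch (StrongBoxUnavailableException e) {
            return generate(alias, false); // advertised but not usable for this key: use the TEE
        }
    }
    private static SecretKey generate(String alias, boolean strongBox) throws GeneralSecurityException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        // One unbroken chain: a ';' after setEncryptionPaddings(...) cuts off the StrongBox request.
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setKeySize(256);
        if (strongBox) {
            builder.setIsStrongBoxBacked(true); // honoured, or rejected with the exception, only on API 28+
        }
        keyGenerator.init(builder.build());
        return keyGenerator.generateKey();
    }
    // Verifies after generation that the key material lives in secure hardware (TEE or StrongBox).
    public static boolean isHardwareBacked(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```

On a device without StrongBox, hasStrongBox() returns false and the key is created in the TEE directly, which is why no exception appears; requesting StrongBox anyway on such a device is what produces StrongBoxUnavailableException, as seen in the RSA case.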
