I'm testing on a Google Pixel device on 7.1.1 and finding that my Private Key isn't being invalidated when all fingerprints are removed from the device. I've tested using a single symmetric `SecretKey` as per the demo app and that worked as expected, however using an asymmetric key pair only throws a `KeyPermanentlyInvalidatedException` when new prints are enrolled, and not when they are all deleted.

What's more, if I then enrol a new fingerprint, then show my fingerprint dialog and successfully scan my fingerprint authenticating the `Cipher` object, when I then call `doFinal()` on the `Cipher` object it throws a `KeyStoreException: Key user not authenticated`. If I then try to initialise the `Cipher` object again after the `KeyStoreException` then I get the invalidated exception as required.

I did test on a Samsung S7 using 6.0.1 and that works correctly, with the `KeyPermanentlyInvalidatedException` being thrown when the prints are all removed. I have found in a related post that someone else had trouble with a Nexus (OS version wasn't mentioned), possibly related? Could there be a bug with certain combinations of devices/OS not invalidating particular keys?
It would seem that:
- On Pixel or 7.1.1 devices, the `PrivateKey` is not invalidated when all fingerprints are removed.
- If enrolling new prints after previously removing all of them, the `PrivateKey` can't be used to decrypt data, however it only gets invalidated after you try to use it.
Is there a way to manually invalidate a key via the keystore or something when I detect that a user has registered for fingerprints in my app before but there are now no fingerprints enrolled on the device, as a bit of a failsafe?

UPDATE: showing key generation at request.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;

// RSA key pair backed by the hardware keystore; getKeyName() returns the alias
mKeyPairGenerator = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
mKeyPairGenerator.initialize(
        new KeyGenParameterSpec.Builder(getKeyName(), KeyProperties.PURPOSE_DECRYPT)
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                // private key usable only after a fingerprint authentication
                .setUserAuthenticationRequired(true)
                .setRandomizedEncryptionRequired(true)
                .build());
mKeyPairGenerator.generateKeyPair();
```
UPDATE: It would seem this is partly related to Google Issue 227919. A comment in Feb '17 says a fix was put in the latest N version, but I can still reproduce it, like others.

If you have this issue, please star the Google issue so it gets more attention.
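A manual failsafe of the kind the question asks about, as an added example that is not part of the original post: the app remembers (in its own preferences) that it once registered the user for fingerprints; if the device later reports no enrolled fingerprints while that flag is set, the key pair is deleted from `AndroidKeyStore` with `KeyStore.deleteEntry`, so a stale key can never be handed to `Cipher` and fail at `doFinal()`. The preference names, the class name and the alias `my_fingerprint_key` are assumptions; the question's `getKeyName()` would supply the real alias. `FingerprintManager` calls need the `USE_FINGERPRINT` permission on API 23 and later.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.hardware.fingerprint.FingerprintManager;
import java.security.KeyStore;

/**
 * Added example, not from the question: removes the fingerprint-bound key pair
 * from AndroidKeyStore when the app previously saw fingerprints enrolled but the
 * device now has none, instead of relying on the OS to invalidate it.
 */
public final class FingerprintKeyGuard {
    private static final String PREFS = "fp_guard";              // assumed preference file
    private static final String PREF_ENROLLED = "was_enrolled";  // assumed flag name
    private static final String KEY_NAME = "my_fingerprint_key"; // assumed alias (getKeyName() in the question)

    private FingerprintKeyGuard() {}

    /**
     * Call on app start and before showing the fingerprint dialog.
     * Returns true when the key was deleted, in which case the caller should
     * treat the user as unregistered and run key generation + registration again.
     */
    public static boolean invalidateIfFingerprintsRemoved(Context ctx) throws Exception {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);

        boolean enrolledNow = fm != null
                && fm.isHardwareDetected()
                && fm.hasEnrolledFingerprints();
        boolean wasEnrolled = prefs.getBoolean(PREF_ENROLLED, false);

        if (wasEnrolled && !enrolledNow) {
            // All prints were removed since we registered: drop the key ourselves.
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            if (ks.containsAlias(KEY_NAME)) {
                ks.deleteEntry(KEY_NAME); // permanent; a new pair must be generated later
            }
            prefs.edit().putBoolean(PREF_ENROLLED, false).apply();
            return true;
        }

        if (enrolledNow) {
            // Record that fingerprints were present while our key was in use.
            prefs.edit().putBoolean(PREF_ENROLLED, true).apply();
        }
        return false;
    }
}
```

Run the check before `Cipher.init()` rather than only after a failure: if it returns true, regenerate the pair with the `KeyGenParameterSpec` shown in the question and re-register, which sidesteps the `Key user not authenticated` path entirely on devices that never throw `KeyPermanentlyInvalidatedException` for removed prints.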