I would like to remove the credentials if any of the current fingerprints is removed or a new one is added after the app has set up biometrics.
I create the key like this:
private Key getKey(String KEY_ALIAS) throws GeneralSecurityException, IOException {
    // Reuse the key if one already exists under this alias.
    KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) getKeyStore().getEntry(KEY_ALIAS, null);
    if (secretKeyEntry != null) {
        return secretKeyEntry.getSecretKey();
    } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
        // Otherwise generate an AES-GCM key inside AndroidKeyStore.
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEY_STORE);
        generator.init(new KeyGenParameterSpec.Builder(
                KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setInvalidatedByBiometricEnrollment(true)
                .setRandomizedEncryptionRequired(false)
                .build()
        );
        return generator.generateKey();
    } else {
        // Pre-Marshmallow fallback: key generated outside the keystore.
        return getAESKey(KEY_ALIAS);
    }
}
And I decrypt like this:
private String decryptString(String stringToDecrypt, String KEY_ALIAS) throws GeneralSecurityException, IOException {
    Log.d("biometric", "decryptString");
    byte[] encryptedData = Base64.decode(stringToDecrypt, Base64.DEFAULT);
    Cipher cipher;
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
        cipher = Cipher.getInstance(TRANSFORMATION);
        try {
            cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS), new GCMParameterSpec(128, FIXED_IV));
        } catch (InvalidKeyException e) {
            // Expected to run when the keystore key has been invalidated.
            this.deleteCredentials();
            e.printStackTrace();
            throw e; // do not fall through to doFinal() with an uninitialized cipher
        }
    } else {
        cipher = Cipher.getInstance(AES_MODE, "BC");
        try {
            cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS));
        } catch (InvalidKeyException e) {
            this.deleteCredentials();
            e.printStackTrace();
            throw e;
        }
    }
    byte[] decryptedData = cipher.doFinal(encryptedData);
    return new String(decryptedData, "UTF-8");
}
But even with cipher.init wrapped in a try/catch block, no exception is thrown. I am testing on an emulator with SDK 30.
    cipher.init(Cipher.DECRYPT_MODE, getKey(KEY_ALIAS), new GCMParameterSpec(128, FIXED_IV));
Reference: Key permanently invalidated Exception after adding/removing fingerprint
The flag setInvalidatedByBiometricEnrollment only applies to keys that require user authentication.
Source: https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setInvalidatedByBiometricEnrollment(boolean)
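As an added illustration of that answer (not code from the question or from the Android documentation): the key spec with setUserAuthenticationRequired(true) next to setInvalidatedByBiometricEnrollment(true), and a decrypt-cipher initializer that catches KeyPermanentlyInvalidatedException and wipes the stored credentials. It assumes the IV was saved alongside the ciphertext at encryption time (the default randomized-encryption requirement is kept instead of a fixed IV), that the returned cipher is then handed to BiometricPrompt.CryptoObject, and the class and method names are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class EnrollmentBoundKey {  // hypothetical helper, not from the question
    private static KeyStore keyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks;
    }
    // Reuses or generates an AES-GCM key bound to the current biometric enrollment;
    // setInvalidatedByBiometricEnrollment only takes effect when user auth is required.
    static SecretKey getOrCreateKey(String alias) throws GeneralSecurityException, IOException {
        KeyStore.Entry entry = keyStore().getEntry(alias, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)       // makes the next flag effective
                .setInvalidatedByBiometricEnrollment(true) // enrollment change kills the key
                .build());
        return kg.generateKey();
    }

    // Decrypt cipher for BiometricPrompt.CryptoObject; null (after wiping) once enrollment changed.
    static Cipher initDecryptCipher(String alias, byte[] iv, Runnable wipeCredentials)
            throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(alias), new GCMParameterSpec(128, iv));
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            wipeCredentials.run();          // the stored secrets can never be decrypted again
            keyStore().deleteEntry(alias);  // drop the dead key so a fresh one gets generated
            return null;
        }
    }
}
```

Because the key requires user authentication, cipher.init runs before the prompt is shown, so the invalidation surfaces at that call rather than at doFinal.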