java.lang.IllegalArgumentException: invalid date string: Unparseable date: "ag`habagagdfGMT+00:00" (at offset 0)

[anuj-mehta]

Hello,

I know that this issue has been resolved as this is a known issue from
Common-Issues-With-AndroidKeyStore.

We already have the suggested mitigation implementation in our code

SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithSHA256And256BitAES-CBC-BC");
SecretKey generatedSecretKey = keyFactory.generateSecret(new PBEKeySpec(your_password, byte-code-for-your-salt, 100, 256));
SecretKey secretKey = new SecretKeySpec(generatedSecretKey.getEncoded(), algorithm);
AuthenticationSettings.INSTANCE.setSecretKey(secretKey.getEncoded());

However, I am still getting this error for Android APK version for Android 5.1 and up (API level 22+).
The key is being used from Android Key store and I am still getting this error. (I believe it works fine for API level 18 and below since we don't have any logs for those)

Someone has used a work around that was posted on Google's Issuetracker WebSite

The proposed fix was to temporarily change the locale to English, generate the Keys and then change it back.

Please refer to lines 68

private void generateRSAKey(@Nonnull final String keyAlias) throws Exception {
   final Locale localeBeforeFakingEnglishLocale = Locale.getDefault();
    setFakeEnglishLocale();
    ...
    setLocale(localeBeforeFakingEnglishLocale);
}

I was wondering if there is anything that you can help me with :)

let me know if you need anything else

Thanks

Anuj

[iambmelt]

Hi @anuj-mehta -- Are you seeing this Exception occur across a variety of devices, one in particular, or perhaps at one specific API level >18? Any additional information you may be able to provide which will help us improve our documentation or library is always hugely appreciated :)

I'm not familiar with the proposed workaround of setting the device's locale to English; have you deployed this proposed workaround? Can you confirm if it is a viable approach?

Any detailed information you have which might allow us to reproduce this issue in-house would be hugely appreciated include device make, model, os version, and logs. Should you elect to supply us telemetry or logging data to troubleshoot this issue, please ensure that that information does not contain any secret keys, password, tokens, or personally identifiable information.

[iambmelt]

Additionally, if you have sample code demonstrating your usage of the Keystore (specifically, how the key is being set) within your application that may be helpful for troubleshooting.

[anuj-mehta]

Hello @iambmelt
I tried to repro the issue but I was unable to reproduce it. I have the android version numbers and they are all >5.0.1 (Hence I can confirm that API level>18). I am still looking into this to get back telemetry data. I will get back to you once I have some of that.

I am pasting the code that we use for keystore.

`
public CordovaAdalPlugin() {

    // Android API < 18 does not support AndroidKeyStore so ADAL requires
    // some extra work to crete and pass secret key to ADAL.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR2) {
        try {
            SecretKey secretKey = this.createSecretKey(SECRET_KEY);
            AuthenticationSettings.INSTANCE.setSecretKey(secretKey.getEncoded());
        } catch (Exception e) {
            //Start - Modified for PowerApps
            //Log.w("CordovaAdalPlugin", "Unable to create secret key: " + e.getMessage());
            //End - Modified for PowerApps
        }
    }
}

private SecretKey createSecretKey(String key) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeySpecException {
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithSHA256And256BitAES-CBC-BC");
    SecretKey tempkey = keyFactory.generateSecret(new PBEKeySpec(key.toCharArray(), "abcdedfdfd".getBytes("UTF-8"), 100, 256));
    SecretKey secretKey = new SecretKeySpec(tempkey.getEncoded(), "AES");
    return secretKey;
}

`

Thanks

Anuj

[anuj-mehta]

Hey @iambmelt

I was able to get a stack trace and the device make. I am pasting it for your reference.

Package: com.microsoft.msapps
Version Code: 206700
Version Name: 2.0.671
Android: 5.0
Manufacturer: samsung
Model: SM-N9005
CrashReporter Key: 5451C6A5-4910-85EC-15B7-68856C355BD6068671C5
Date: Sat Aug 12 21:30:12 GMT+04:00 2017

java.lang.IllegalArgumentException: invalid date string: Unparseable date: "ag`habagc`a`GMT+00:00" (at offset 0)
	at com.android.org.bouncycastle.asn1.DERUTCTime.<init>(DERUTCTime.java:98)
	at com.android.org.bouncycastle.asn1.x509.Time.<init>(Time.java:62)
	at com.android.org.bouncycastle.x509.X509V3CertificateGenerator.setNotBefore(X509V3CertificateGenerator.java:112)
	at android.security.AndroidKeyPairGenerator.generateKeyPair(AndroidKeyPairGenerator.java:127)
	at java.security.KeyPairGenerator$KeyPairGeneratorImpl.generateKeyPair(KeyPairGenerator.java:276)
	at com.microsoft.aad.adal.StorageHelper.generateKeyPairFromAndroidKeyStore(StorageHelper.java:414)
	at com.microsoft.aad.adal.StorageHelper.getKeyOrCreate(StorageHelper.java:362)
	at com.microsoft.aad.adal.StorageHelper.loadSecretKeyForEncryption(StorageHelper.java:320)
	at com.microsoft.aad.adal.StorageHelper.encrypt(StorageHelper.java:178)
	at com.microsoft.aad.adal.DefaultTokenCacheStore.encrypt(DefaultTokenCacheStore.java:122)
	at com.microsoft.aad.adal.DefaultTokenCacheStore.setItem(DefaultTokenCacheStore.java:190)
	at com.microsoft.aad.adal.TokenCacheAccessor.setItemToCacheForUser(TokenCacheAccessor.java:227)
	at com.microsoft.aad.adal.TokenCacheAccessor.updateTokenCache(TokenCacheAccessor.java:165)
	at com.microsoft.aad.adal.AcquireTokenInteractiveRequest.acquireTokenWithAuthCode(AcquireTokenInteractiveRequest.java:121)
	at com.microsoft.aad.adal.AcquireTokenRequest$4.run(AcquireTokenRequest.java:651)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
	at java.lang.Thread.run(Thread.java:818)

[anuj-mehta]

any updates here?

Thanks

Anuj

[iambmelt]

Hi @anuj-mehta apologies for the delayed response; we (team and I) are investigating on our end and will post any questions, resolutions, or follow-up we have asap

[anuj-mehta]

Thank you so much :)

Let me know if you need any more information that I can help you with.

Best
Anuj

[iambmelt]

Hi @anuj-mehta - the suggested approach to this issue would be to remove the if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR2) check around the secret key generation. Users may encounter a failure to decrypt once after this change is made but after the users sign-in again the tokens will be henceforth persisted with the supplied encryption keys.

[iambmelt]

Hi @anuj-mehta - If no further action is needed on this issue, can it be closed?

[nazukj]

Closing issue. please reopen if still an issue. thanks.