javax.crypto.AEADBadTagException and android.security.KeyStoreException

[sayasheng]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.

Language and Async Model

Java

Amplify Categories

GraphQL API

Gradle script dependencies

// Put output below this line
 api "amplifyframework:core:$amplify"
    api "amplifyframework:aws-auth-cognito:2.4.11"
    api "amplifyframework:aws-api-appsync:2.4.11"
    api "amplifyframework:aws-api:2.4.11"

Environment information

# Put output below this line
------------------------------------------------------------
Gradle 7.5
------------------------------------------------------------

Build time:   2022-07-14 12:48:15 UTC
Revision:     c7db7b958189ad2b0c1472b6fe663e6d654a5103

Kotlin:       1.6.21
Groovy:       3.0.10
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.8-internal (Oracle Corporation 11.0.8-internal+0-adhoc..jdk11u)
OS:           Windows 10 10.0 amd64

Please include any relevant guides or documentation you're referencing

No response

Describe the bug

02-20 14:36:40.059 E/AndroidRuntime( 4405): java.security.KeyStoreException: the master key android-keystore://amplify_master_key exists but is unusable
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:275)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.build(AndroidKeysetManager.java:236)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at androidx.security.crypto.EncryptedSharedPreferences.create(EncryptedSharedPreferences.java:123)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.getSharedPreferencesOrThrow(EncryptedKeyValueRepository.kt:110)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.openKeystoreWithAmplifyMasterKey(EncryptedKeyValueRepository.kt:86)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.getOrCreateSharedPreferences(EncryptedKeyValueRepository.kt:64)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.access$getOrCreateSharedPreferences(EncryptedKeyValueRepository.kt:32)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository$sharedPreferences$2.invoke(EncryptedKeyValueRepository.kt:48)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository$sharedPreferences$2.invoke(EncryptedKeyValueRepository.kt:48)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.getSharedPreferences(EncryptedKeyValueRepository.kt:48)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.core.store.EncryptedKeyValueRepository.get(EncryptedKeyValueRepository.kt:51)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.auth.cognito.data.AWSCognitoAuthCredentialStore.retrieveCredential(AWSCognitoAuthCredentialStore.kt:63)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.auth.cognito.actions.CredentialStoreCognitoActions$loadCredentialStoreAction$$inlined$invoke$1.execute(Action.kt:70)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.amplifyframework.statemachine.ConcurrentEffectExecutor$execute$1$1.invokeSuspend(ConcurrentEffectExecutor.kt:26)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
02-20 14:36:40.059 E/AndroidRuntime( 4405): Suppressed: kotlinx.coroutines.internal.DiagnosticCoroutineContextException: [StandaloneCoroutine{Cancelling}@13a33af, Dispatchers.Default]
02-20 14:36:40.059 E/AndroidRuntime( 4405): Caused by: javax.crypto.AEADBadTagException
02-20 14:36:40.059 E/AndroidRuntime( 4405): at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:517)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:531)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at javax.crypto.Cipher.doFinal(Cipher.java:2267)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encryptInternal(AndroidKeystoreAesGcm.java:87)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeystoreAesGcm.encrypt(AndroidKeystoreAesGcm.java:72)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.validateAead(AndroidKeystoreKmsClient.java:248)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient.getAead(AndroidKeystoreKmsClient.java:165)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at com.google.crypto.tink.integration.android.AndroidKeysetManager$Builder.readOrGenerateNewMasterKey(AndroidKeysetManager.java:267)
02-20 14:36:40.059 E/AndroidRuntime( 4405): ... 20 more
02-20 14:36:40.059 E/AndroidRuntime( 4405): Caused by: android.security.KeyStoreException: Signature/MAC verification failed
02-20 14:36:40.059 E/AndroidRuntime( 4405): at android.security.KeyStore.getKeyStoreException(KeyStore.java:1303)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at android.security.keystore.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:224)
02-20 14:36:40.059 E/AndroidRuntime( 4405): at android.security.keystore.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:506)

Reproduction steps (if applicable)

upgrade v1 to v2 and get this issue.

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line

amplifyconfiguration.json

No response

GraphQL Schema

// Put your schema below this line

Additional information and screenshots

No response

[ankpshah]

Hello, @sayasheng. can you upgrade to latest version of Amplify v2.14.11? Latest release has fix for adding fallback logic for corrupt keys to EncryptedKeyValueRepository.

[sayasheng]

@ankpshah Yes, I already upgraded to Amplify v2.14.11 from v1 yesterday. This issue still happens on v2.14.11 after clearing all data.

[ankpshah]

Hello @sayasheng,
I tried replicating this issue by signing in using v1 (v1.38.8) then upgraded to v2 (v2.14.11). Followed by Sign out and Sign In operation using v2. I was able to sign in without any exceptions or keyStore error.

Here are some questions I have:

1. Is there any specific step to replicate this?
2. What kind of Auth configuration are you using?
3. Which device and API level are you using?
4. Also in issue description under gradle dependencies I see the version as 2.4.11 just want to make sure you are using the latest version of Amplify.

[tylerjroach]

@sayasheng If you have any specific test devices where you can replicate this issue, I would be curious if you are able to use EncryptedSharedPreferences at all on these devices: https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences.

It is possible that we are running into a limited set of devices where EncryptedSharedPreferences library does not work properly. This class is critical to securely storing information on the device and we cannot operate without it.

Let us know if this is an edge case you are seeing in the wild, or if you have a test device youi can replicate this with.

[sayasheng]

Hello @sayasheng, I tried replicating this issue by signing in using v1 (v1.38.8) then upgraded to v2 (v2.14.11). Followed by Sign out and Sign In operation using v2. I was able to sign in without any exceptions or keyStore error.

Here are some questions I have:

1. Is there any specific step to replicate this?
   @ankpshah Here is my step
   Step 1 : use amplify version 1.37.4 and sign in a user
   Step 2: sign out the user
   Step 3: use amplify version 2.14.11 and use the same user to login
   I got error message "An unclassified error prevented this operation" in this step, however the user can be signed in successfully.
   
   Step 4: sign out the user
   I got KeyStoreException/AEADBadTagException in this step.

2. What kind of Auth configuration are you using?

3. Which device and API level are you using?
   Our device is customize hardware with Android 10. compileSdkVersion is 33.

4. Also in issue description under gradle dependencies I see the version as 2.4.11 just want to make sure you are using the latest version of Amplify.
   yes, I am pretty sure that apk is complied with 2.4.11 because apk compiled with 1.37.4 works fine.