
Failed to generate key pair on Samsung S20, S20+ and S20 Ultra for biometric auth


We have an issue with Samsung S20, S20+ and S20 Ultra devices when trying to generate a key pair upon enrolling in fingerprint auth in my app. We are only seeing this issue on the new Samsung S20 family with the Exynos chipset (international model), not Snapdragon, and not on any other devices. I tested it with a US-spec Samsung S20+, but I can't reproduce the issue.

This is the exception.

    Caused by: java.security.ProviderException: Failed to generate key pair
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeystoreKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:556)
    at android.security.keystore.AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair(AndroidKeyStoreKeyPairGeneratorSpi.java:499)
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:727)
    at com.x.biometricskit.provider.BioKeyGeneratorImpl.generateKeyPair(BioKeyGenerator.kt:70)
    ... 34 more
    Caused by: android.security.KeyStoreException: Unsupported digest
    at android.security.KeyStore.getKeyStoreException(KeyStore.java:1539)
    ... 38 more

Here's the code snippet for the BioKeyGeneratorImpl.generateKeyPair.

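    import android.security.keystore.KeyGenParameterSpec
    import android.security.keystore.KeyProperties
    import java.security.KeyPair
    import java.security.KeyPairGenerator
    import java.security.spec.ECGenParameterSpec

    // EC_KEY_SPEC (the curve name) is defined elsewhere in the class and is not shown here.
    fun generateKeyPair(keyStoreAlias: String): KeyPair? {

        val specBuilder: KeyGenParameterSpec.Builder =
            KeyGenParameterSpec.Builder(keyStoreAlias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(ECGenParameterSpec(EC_KEY_SPEC))
                // Three digests are requested; the trace above reports "Unsupported digest".
                .setDigests(
                    KeyProperties.DIGEST_SHA256,
                    KeyProperties.DIGEST_SHA384,
                    KeyProperties.DIGEST_SHA512
                )
                .setUserAuthenticationRequired(true)
                .setIsStrongBoxBacked(true)
                .setInvalidatedByBiometricEnrollment(true)

        val keyPairGenSpec = specBuilder.build()

        val keyPairGenerator =
            KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC,
                "AndroidKeyStore"
            )

        keyPairGenerator.initialize(keyPairGenSpec)

        return keyPairGenerator.generateKeyPair()
    }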

Solution

  • I have changed it to KeyProperties.DIGEST_SHA256:

        setDigests(KeyProperties.DIGEST_SHA256)

    and it works.

    Hope this will help someone out there.
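An added example, not code from the question or the answer: a key generator that requests only SHA-256 as in the fix above, tries StrongBox first, falls back to the default keystore backing if the device rejects the request, and logs where the key actually ended up so a silent downgrade is visible. It assumes API 28+ (as the question's use of setIsStrongBoxBacked implies); the curve name, log tag and function names are assumptions, since EC_KEY_SPEC is not shown on the page.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import android.util.Log
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.ProviderException
import java.security.spec.ECGenParameterSpec

// Assumption: the question's EC_KEY_SPEC value is not shown; P-256 is used here.
private const val CURVE = "secp256r1"
private const val TAG = "BioKeyGen" // hypothetical log tag

private fun buildSpec(alias: String, strongBox: Boolean): KeyGenParameterSpec =
    KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec(CURVE))
        // Request only the digest the app signs with (the fix from the answer).
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        .setInvalidatedByBiometricEnrollment(true)
        .setIsStrongBoxBacked(strongBox)
        .build()

/** Tries StrongBox first, then the default backing; rethrows the last error if both fail. */
fun generateSigningKeyPair(alias: String): KeyPair {
    var lastError: ProviderException? = null
    for (strongBox in listOf(true, false)) {
        try {
            val generator =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
            generator.initialize(buildSpec(alias, strongBox))
            val pair = generator.generateKeyPair()
            // Record where the key actually lives instead of assuming it.
            val info = KeyFactory.getInstance(pair.private.algorithm, "AndroidKeyStore")
                .getKeySpec(pair.private, KeyInfo::class.java)
            Log.i(TAG, "alias=$alias strongBox=$strongBox secureHw=${info.isInsideSecureHardware}")
            return pair
        } catch (e: StrongBoxUnavailableException) {
            lastError = e // no StrongBox on this device, or it rejected the parameters
        } catch (e: ProviderException) {
            lastError = e // e.g. "Failed to generate key pair" as in the trace above
        }
    }
    throw lastError ?: ProviderException("key generation failed for $alias")
}
```

If the app's policy requires StrongBox for this key, drop the fallback iteration and surface the failure to the enrollment flow instead.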