Search code examples
androidsecurityimportcryptographykeystore

Android KeyStore secure key import - getting KM_ERROR_UNKNOWN_ERROR

I've recently been developing a solution around the Secure Key Import feature of Android (info here) and have run into a problem.

I follow the procedure as documented. On the final step, when calling keyStore.setEntry(...) I get thrown an error with the code -1000 which is KM_ERROR_UNKNOWN_ERROR (error codes). I really don't have an idea on how to proceed from here. Any ideas on where the problem might be?

Some relevant code:

// (app)    send attestation challenge request to server
// (server) generate and send challenge to the app
// (app)    use challenge to generate a PURPOSE_WRAP_KEY key pair
// (app)    get certificate and send to server
// (server) do wrap operations and return a blob (ASN.1 sequence as required in docs)
// (app) code below

byte[] wrappedKeySequence = response.body().getSequenceAsBytes();
AlgorithmParameterSpec spec = new KeyGenParameterSpec.Builder(WRAP_KEY_ALIAS, KeyProperties.PURPOSE_WRAP_KEY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build();
KeyStore.Entry wrappedKeyEntry = new WrappedKeyEntry(wrappedKeySequence, WRAP_KEY_ALIAS, WRAP_ALGORITHM, spec);
String keyAlias = "SECRET_KEY";
keyStore.setEntry(keyAlias, wrappedKeyEntry, null);

More random details:

  • I'm trying to import an AES128 key
  • It'll be only used for encrypting data
  • Targeting API 28 and above, as required by the docs

Again, any help would be greatly appreciated.

Thanks, G.

Solution

  • Update:

    I've found the reason for this specific error, but have come to another error.

    Namely, I used the tag 403 which defines MIN_SECONDS_BETWEEN_OPS. It being in the types.hal file, one would expect it to be implemented/valid everywhere, but it seems this isn't the case. However, I'm testing only on one Samsung phone, so it might be implemented by other manufacturers, or even on other Samsung phones.

    Anyway, the next error is INVALID_ARGUMENT (-38) which, unlike the name suggests is as cryptic as this one. The docs say that it should occur for the RSA stuff (I'm trying to import an AES key), so the saga continues.

    I'll update this answer if I find anything else.

    Update 2: I don't have any good news regarding the INVALID_ARGUMENT error. I get it even when I execute the unedited CTS test code, which is supposed to work, as the manufacturers use the CTS tests for validating that the devices work before leaving the factory.

    For now I've paused work on that feature, if I ever come back to it I'll update as necessary.