Removing a fingerprint from device security can break stored credentials #3606

Closed
johnbotris opened this issue Oct 26, 2021 · 3 comments

johnbotris commented Oct 26, 2021

A bug from #3588

  • Set up multiple fingerprints in device security
  • Save Tutanota credentials using biometrics only
  • Remove one of your fingerprints from device security
  • Try to log into the account again
  • This error is thrown and login is unsuccessful. It's also not possible to remove the credentials
  • Restarting the device will cause the invalidated keychain to be properly handled
Client: android
Type: UNKNOWN
Tutanota version: 3.89.7
Timestamp (UTC): Tue, 26 Oct 2021 14:25:22 GMT
User agent:
Mozilla/5.0 (Linux; Android 12; Pixel 4a Build/SP1A.210812.015; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36
de.tutao.tutanota.CryptoError
Error message: javax.crypto.IllegalBlockSizeException
Stacktrace:
de.tutao.tutanota.CryptoError: javax.crypto.IllegalBlockSizeException
at de.tutao.tutanota.AndroidKeyStoreFacade.decryptData(AndroidKeyStoreFacade.java:153)
at de.tutao.tutanota.credentials.CredentialsEncryptionFromAPI30.decryptUsingKeychain(CredentialsEncryptionFromAPI30.java:48)
at de.tutao.tutanota.Native.invokeMethod(Native.java:325)
at de.tutao.tutanota.Native.lambda$invoke$2(Native.java:98)
at de.tutao.tutanota.Native.$r8$lambda$f7qJ0eoqELxVifjuL5uWd7yLx-I(Unknown Source:0)
at de.tutao.tutanota.Native$$ExternalSyntheticLambda2.run(Unknown Source:4)
at java.lang.Thread.run(Thread.java:920)
Caused by: javax.crypto.IllegalBlockSizeException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:613)
at javax.crypto.Cipher.doFinal(Cipher.java:2055)
at de.tutao.tutanota.AndroidKeyStoreFacade.decryptData(AndroidKeyStoreFacade.java:151)
... 6 more
Caused by: android.security.KeyStoreException: Key user not authenticated
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:356)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
at android.security.KeyStoreOperation.update(KeyStoreOperation.java:114)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.update(KeyStoreCryptoOperationChunkedStreamer.java:222)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.update(KeyStoreCryptoOperationChunkedStreamer.java:156)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:179)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:603)

@johnbotris johnbotris added the dev bug unpublished bugs, found during our development/test cycle (excluded from release notes) label Oct 26, 2021
@johnbotris johnbotris added this to the 3.89.6 milestone Oct 26, 2021
@johnbotris
Contributor Author

So far I've only reproduced it on the Pixel 4a running Android 12; it doesn't occur on another two devices running Android 10. Could be a difference in how the keychain in 12 works?


charlag commented Oct 29, 2021

This only happens on Android 12, not on 11, and it is fixed by rebooting the phone, so I am 99% sure it's a bug in Android 12 beta. They probably cache the cipher somehow.

@charlag charlag closed this as completed Oct 29, 2021
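
The trace in this issue shows the failure reaching the app as an `IllegalBlockSizeException` whose root cause is a `KeyStoreException` with the message "Key user not authenticated". The following is an added example, not code from this thread or from the Tutanota code base, of triaging such a failure by walking the cause chain so that stored credentials stay removable. The `classify` helper, the `Action` values, the `userJustAuthenticated` flag and the discard-after-fresh-authentication policy are assumptions made for illustration.

```java
import java.security.KeyStoreException;
import javax.crypto.IllegalBlockSizeException;

public class KeystoreFailureTriage {
    enum Action { PROMPT_AGAIN, DISCARD_STORED_CREDENTIALS, REPORT_AS_BUG }

    // Hypothetical helper. Exception types are matched by simple name so the
    // code compiles on a desktop JDK and still matches the android.security.* types.
    static Action classify(Throwable error, boolean userJustAuthenticated) {
        int depth = 0; // bound the walk in case of a self-referencing cause chain
        for (Throwable t = error; t != null && depth < 16; t = t.getCause(), depth++) {
            String type = t.getClass().getSimpleName();
            String message = String.valueOf(t.getMessage());
            if (type.equals("KeyPermanentlyInvalidatedException")) {
                // The platform says outright that the key can never be used again.
                return Action.DISCARD_STORED_CREDENTIALS;
            }
            boolean notAuthenticated = type.equals("UserNotAuthenticatedException")
                    || (type.equals("KeyStoreException")
                        && message.contains("Key user not authenticated"));
            if (notAuthenticated) {
                // Assumed policy: if the user has just passed the biometric prompt
                // and the key still refuses to work, treat the key as unusable so
                // the stored credentials can be dropped instead of failing forever.
                return userJustAuthenticated
                        ? Action.DISCARD_STORED_CREDENTIALS
                        : Action.PROMPT_AGAIN;
            }
        }
        return Action.REPORT_AS_BUG; // unrelated crypto failure
    }

    public static void main(String[] args) {
        // Constructed chain shaped like the trace in this issue. RuntimeException
        // stands in for de.tutao.tutanota.CryptoError, and java.security.KeyStoreException
        // stands in for android.security.KeyStoreException.
        Throwable root = new KeyStoreException("Key user not authenticated");
        Throwable blockSize = new IllegalBlockSizeException().initCause(root);
        Throwable reported =
                new RuntimeException("javax.crypto.IllegalBlockSizeException", blockSize);

        System.out.println(classify(reported, false));
        System.out.println(classify(reported, true));
        System.out.println(classify(new IllegalBlockSizeException("bad length"), true));
    }
}
```
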

charlag commented Nov 1, 2021
