com.oblador.keychain.exceptions.CryptoFailedException: Wrapped error: null

[phamngocthinh]

I encountered an issue when calling the getGenericPassword method from react-native-keychain.

My usage is:
await Keychain.setGenericPassword(username, password, { service: USER_KEY123456 });
await Keychain.getGenericPassword({ service: USER_KEY123456 });

Some users randomly experience the following error:
com.oblador.keychain.exceptions.CryptoFailedException: Wrapped error: null

This issue seems device-specific and occurs randomly, making it difficult to reproduce consistently.
Does anyone have experience with this problem or suggestions on how to resolve it?

[DorianMazur]

What version of react-native-keychain are you using?

[phamngocthinh]

I’m using version 9.2.2 of react-native-keychain.

[DorianMazur]

I've identified the root cause: When using a custom service:

Keychain.setGenericPassword(username, password, { service: 'customService' })

sometimes the AES_GCM cipher storage is attempting to use the same keystore alias in both ciphers AES_GCM and AES_GCM_NO_AUTH. This alias collision is triggering the error you're experiencing. I am working on a fix.

[phamngocthinh]

@DorianMazur Thank you so much for feedback on this issue,
Could you suggest any temporary workaround that we can apply for affected customers? Also, do you have an estimated timeline for when the fix will be officially released?

[Bowlerr]

Also had users experience this issue :) if you could let us know the fix once you are done so I can get it patched asap. Thanks for all the hard work @DorianMazur

[Bowlerr]

If I understood the issue correctly, @DorianMazur does this solve the issue? #736

[SYoder1]

I am seeing the same, but the errors are very heavily weighted to the Motorola Razr

[DorianMazur]

@Bowlerr @SYoder1
The prefix might help with some of the issues, but after thinking about it, I don’t believe it’s the root cause of the error. This is a general error, so the first step should be to add better error handling. I’ll look into it further, I think it is an edge case and quite hard to reproduce. Prefix was my first guess as it's something I want to change for quite some time.

[Bowlerr]

14437:14523 W/c: null
javax.crypto.AEADBadTagException
	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
	at javax.crypto.Cipher.doFinal(Cipher.java:2074)
	at E6.c.m(Unknown Source:37)
	at E6.k.l(Unknown Source:16)
	at E6.k.b(Unknown Source:51)
	at com.oblador.keychain.KeychainModule.decryptToResult(Unknown Source:29)
	at com.oblador.keychain.KeychainModule.decryptCredentials(Unknown Source:12)
	at com.oblador.keychain.KeychainModule.access$decryptCredentials(Unknown Source:0)
	at com.oblador.keychain.KeychainModule$b.invokeSuspend(Unknown Source:237)
	at kotlin.coroutines.jvm.internal.a.resumeWith(Unknown Source:11)
	at v8.W.run(Unknown Source:128)
	at C8.a.c0(Unknown Source:0)
	at C8.a$c.d(Unknown Source:14)
	at C8.a$c.p(Unknown Source:28)
	at C8.a$c.run(Unknown Source:0)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish

Caused by:
    0: system/security/keystore2/src/operation.rs:426: Finish failed.
    1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
	at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:435)
	at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
	at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
	at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
	... 14 more

[Bowlerr]

identical exceptions from another user

25340:25381 W/c: null
javax.crypto.AEADBadTagException
	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
	at javax.crypto.Cipher.doFinal(Cipher.java:2074)
	at E6.c.m(Unknown Source:37)
	at E6.k.l(Unknown Source:16)
	at E6.k.b(Unknown Source:51)
	at com.oblador.keychain.KeychainModule.decryptToResult(Unknown Source:29)
	at com.oblador.keychain.KeychainModule.decryptCredentials(Unknown Source:12)
	at com.oblador.keychain.KeychainModule.access$decryptCredentials(Unknown Source:0)
	at com.oblador.keychain.KeychainModule$b.invokeSuspend(Unknown Source:237)
	at kotlin.coroutines.jvm.internal.a.resumeWith(Unknown Source:11)
	at v8.W.run(Unknown Source:128)
	at C8.a.c0(Unknown Source:0)
	at C8.a$c.d(Unknown Source:14)
	at C8.a$c.p(Unknown Source:28)
	at C8.a$c.run(Unknown Source:0)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish

Caused by:
    0: system/security/keystore2/src/operation.rs:426: Finish failed.
    1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
	at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:435)
	at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
	at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
	at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
	at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
	at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
	... 14 more

[Bowlerr]

both on samsung SM-S928B

[phamngocthinh]

@Bowlerr Could u help me reproduce this issue on simulator or device?