java.lang.IllegalStateException: Android keystore must be in initialized and unlocked state if encryption is required

[francoj11]

When trying to use the SecureCredentialsManager in a device without Lock Screen set (no fingerprint, no pin, no password, no pattern) the app crashes when trying to save a credential.

java.lang.IllegalStateException: Android keystore must be in initialized and unlocked state if encryption is required at android.security.AndroidKeyPairGenerator.generateKeyPair(AndroidKeyPairGenerator.java:84) at java.security.KeyPairGenerator$KeyPairGeneratorImpl.generateKeyPair(KeyPairGenerator.java:276) at com.auth0.android.authentication.storage.CryptoUtil.getRSAKeyEntry(CryptoUtil.java:135) at com.auth0.android.authentication.storage.CryptoUtil.RSAEncrypt(CryptoUtil.java:184) at com.auth0.android.authentication.storage.CryptoUtil.getAESKey(CryptoUtil.java:212) at com.auth0.android.authentication.storage.CryptoUtil.encrypt(CryptoUtil.java:243) at com.auth0.android.authentication.storage.SecureCredentialsManager.saveCredentials(SecureCredentialsManager.java:146) at com.perxhealth.android.ui.activities.SplashActivity.onSuccessfulLogin(SplashActivity.kt:426)

[francoj11]

This is only happening in a device with Android 5.1. In other device with Android 7.1 and 9 it works ok

[lbalmaceda]

@francoj11 Do you have more information about the device or setup you're trying?

I just downloaded 2 official android emulator images for APIs 21 and 22. Fresh started (no lock screen set up) and installed this sample app https://github.com/lbalmaceda/CryptoSample, prior changing its dependencies to use latest sdk version (1.15.0 as of today). First button I clicked was "encrypt" which would call saveCredentials passing a hardcoded value, and it works fine. No exception is thrown.

Analyzing the stacktrace and the CryptoUtil class code, the setEncryptionRequired() method is only called on APIs 21 and 22 if and only if a secure Lock Screen is set up by the user (anything but NONE or SWIPE), so the steps to reproduce you mentioned don't make sense either.

[francoj11]

The device is an old Huawei Y6II with Android 5.1.
The device actually had a Sim Lock pattern, but no device lock screen set.
When adding an unlock pattern, there is no exception.

What I understand is that setEncryptionRequired is set when kManager.isKeyguardSecure is true, which actually takes into account the Sim card Lock. Could this have anything to do with how the CryptoUtils class work?

[lbalmaceda]

@francoj11 Actually, setEncryptionRequired is called if a set of conditions is met (all of them):

• Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP && Build.VERSION.SDK_INT < Build.VERSION_CODES.M
• kManager.isKeyguardSecure()
• kManager.createConfirmDeviceCredentialIntent(null, null) != null

It's true that kManager.isKeyguardSecure is taking into account the SIM lock status but is a method that it's available since API 16 (that piece of code runs from API 18). The alternative that doesn't check the SIM lock status is kManager.isDeviceSecure but unfortunately it's not available until API 23 (version in which setEncryptionRequired is already deprecated).

What we do in addition is check whether this call to createConfirmDeviceCredentialIntent returns a null intent or a valid one, defaulting to null for the case we couldn't call that method. If the result is a null intent then the device doesn't have a secure lock screen set up. That's what I understand from the method documentation:

the intent for launching the activity or null if no password is required.

And that's why I don't understand why you're having that issue. Anyway, I'll look into trying to reproduce this by turning on the SIM lock on our phones. I'll come back to you later 👌

[lbalmaceda]

@francoj11 I couldn't enable SIM lock on the phones I have for testing. Emulators don't have this capability, unfortunately. As mentioned in my comment above, the isKeyguardSecure() is not the only check we perform before deciding to encrypt the keys. I'm still confident that the createConfirmDeviceCredentialIntent() returns null if no LockScreen Password/PIN/Fingerprint/Pattern has been set, regardless of the "SIM lock" status. If you happen to reproduce this again and can share the steps, please re-open the issue and I'll look into it.

I've just released version 1.15.1 with a big refactor on the SecureCredentialsManager class. Feel free to try this one and see if the error persists.

[stephen1706]

Hi @lbalmaceda , I am facing this issue as well on library version 1.23.0. It happened on Oppo ColorOS, which is Android 5.1. I believe this issue can be handled using CredentialsManagerException.isDeviceIncompatible method?