Question
Hello Android developers,
I've got something strange in my app when I'm using the Fingerprint and the AndroidKeystoreProvider together.
Here is the case:
I create a KeyPair with KeyPairGenerator.
In the builder I have set setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10).
In my fingerprint settings I have enrolled 3 fingers.
When I next try to init the Signature algorithm with initSign(...) for the first time, UserNotAuthenticatedException is caught. That's fair. (https://developer.android.com/reference/android/security/keystore/UserNotAuthenticatedException.html)
Then I enroll a new finger in my fingerprint settings.
So I expect that when I init the Signature algorithm, it should catch KeyPermanentlyInvalidatedException as described in the Google documentation (https://developer.android.com/reference/android/security/keystore/KeyPermanentlyInvalidatedException.html), but that is not the case. UserNotAuthenticatedException is always caught.
If I remove setUserAuthenticationValidityDurationSeconds(10), things work as expected (KeyPermanentlyInvalidatedException is caught correctly).
Do you know whether there is a way to make both exceptions work with setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10)?
Thank you in advance, Matt
Answer 1:
No, KeyPermanentlyInvalidatedException is not thrown when setUserAuthenticationValidityDurationSeconds > -1
From the setUserAuthenticationValidityDurationSeconds docs:
Parameters: seconds int: duration in seconds or -1 if user authentication must take place for every use of the key.
and from setUserAuthenticationRequired:
Additionally, if the key requires that user authentication takes place for every use of the key, it is also irreversibly invalidated once a new fingerprint is enrolled
Update (26.11.2018)
KeyPermanentlyInvalidatedException will not be thrown if setUserAuthenticationValidityDurationSeconds > -1, because:
Cryptographic operations involving keys which are authorized to be used for a duration of time after a successful user authentication event can only use secure lock screen authentication. These cryptographic operations will throw UserNotAuthenticatedException during initialization if the user needs to be authenticated to proceed.
Source: https://developer.android.com/reference/android/security/keystore/KeyProtection.Builder#setUserAuthenticationValidityDurationSeconds(int)
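The two key configurations discussed in the question and the answer, side by side, as an added example (this is not code from the original post). It generates an AndroidKeyStore EC signing key either as a per-use key (duration left at the default -1, so a new fingerprint enrollment permanently invalidates it) or as a timed key (duration 10 s, usable only after secure lock screen authentication and never invalidated by enrollment), and then classifies what initSign(...) throws. The alias, the 10-second window, the EC/SHA-256 choice and the InitResult enum are assumptions for illustration; the biometric or device-credential prompt that would actually satisfy the authentication is left out.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

/** Illustrative helper (not from the original post); requires API 23+. */
public final class AuthBoundKeys {
    private static final String PROVIDER = "AndroidKeyStore";
    // Assumed timed-auth window; mirrors the 10 s used in the question.
    private static final int TIMEOUT_SECONDS = 10;

    public enum InitResult { READY, NEEDS_AUTH, INVALIDATED }

    /**
     * Creates an EC P-256 signing key bound to user authentication.
     * perUseAuth == true  -> duration stays -1: every use needs a fresh biometric
     *                        auth, and enrolling a new fingerprint invalidates the key.
     * perUseAuth == false -> duration = TIMEOUT_SECONDS: the key is usable for that
     *                        window after a secure lock screen unlock and is NOT
     *                        invalidated by fingerprint enrollment.
     */
    public static KeyPair generate(String alias, boolean perUseAuth) throws Exception {
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
            .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setUserAuthenticationRequired(true);
        if (!perUseAuth) {
            builder.setUserAuthenticationValidityDurationSeconds(TIMEOUT_SECONDS);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(builder.build());
        return kpg.generateKeyPair();
    }

    /** Tries to initialise a Signature with the keystore key and classifies the outcome. */
    public static InitResult tryInitSign(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        try {
            sig.initSign(key);
            return InitResult.READY;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Only reachable for per-use keys (duration == -1). The key is dead:
            // delete it and generate a fresh one after the user re-authenticates.
            ks.deleteEntry(alias);
            return InitResult.INVALIDATED;
        } catch (UserNotAuthenticatedException e) {
            // Timed keys land here until the user unlocks via the secure lock screen
            // (e.g. KeyguardManager.createConfirmDeviceCredentialIntent); per-use keys
            // instead need the Signature wrapped in a CryptoObject for a biometric prompt.
            return InitResult.NEEDS_AUTH;
        }
    }
}
```

Both exceptions extend InvalidKeyException, so the catch order does not matter. The practical consequence of the answer: if you need enrollment to invalidate the key (the anti-"add a stranger's finger" property), keep the default -1 and authenticate each signature through a biometric prompt; if you want the timed window, accept that only the lock screen credential gates the key and that enrollment changes will not be detected through this exception.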
Source: https://stackoverflow.com/questions/44073096/android-keypermanentlyinvalidatedexception-is-not-catched-when-setuserauthentica