Android KeyPermanentlyInvalidatedException is not catched when setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(X)

I've got something strange in my app when I'm using the Fingerprint and the AndroidKeystoreProvider together.

Here is the case:

I create a KeyPair with KeyPairGenerator. In the builder, I have set setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10).

In my fingerprint settings, I have enrolled 3 fingers.

When I next try to init the Signature algorithm with initSign(...) for the first time, UserNotAuthenticatedException is caught. That's fair. (https://developer.android.com/reference/android/security/keystore/UserNotAuthenticatedException.html)

Then I enroll a new finger in my fingerprint settings.

So I expect that when I init the Signature algorithm, it should throw KeyPermanentlyInvalidatedException as described in the Google documentation (https://developer.android.com/reference/android/security/keystore/KeyPermanentlyInvalidatedException.html), but that is not the case. UserNotAuthenticatedException is always caught.

If I remove setUserAuthenticationValidityDurationSeconds(10), things work as expected (KeyPermanentlyInvalidatedException is caught correctly).

Do you know if there is a way to make both exceptions work with setUserAuthenticationRequired(true) and setUserAuthenticationValidityDurationSeconds(10)?

user1700585 asked Apr 20 '26 23:04


1 Answer

No, KeyPermanentlyInvalidatedException is not thrown when setUserAuthenticationValidityDurationSeconds > -1

From the setUserAuthenticationValidityDurationSeconds docs:

Parameters: seconds int: duration in seconds or -1 if user authentication must take place for every use of the key.

and from setUserAuthenticationRequired:

Additionally, if the key requires that user authentication takes place for every use of the key, it is also irreversibly invalidated once a new fingerprint is enrolled.


Update (26.11.2018)

KeyPermanentlyInvalidatedException will not be thrown if setUserAuthenticationValidityDurationSeconds > -1, because:

Cryptographic operations involving keys which are authorized to be used for a duration of time after a successful user authentication event can only use secure lock screen authentication. These cryptographic operations will throw UserNotAuthenticatedException during initialization if the user needs to be authenticated to proceed.

Source: https://developer.android.com/reference/android/security/keystore/KeyProtection.Builder#setUserAuthenticationValidityDurationSeconds(int)

Carsten Hagemann answered Apr 23 '26 12:04
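The two key configurations discussed above, side by side, as an added example (this is not code from the question or the answer). It generates one per-use key (validity -1, invalidated by a new biometric enrollment) and one time-bound key (validity 10 seconds, lock-screen authentication only), then shows how an initSign call has to be handled for each. The key aliases and the class name are placeholders chosen for this example; the Android Keystore API calls themselves are real.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

/** Added example (not from the question or answer): auth-bound EC signing keys, per-use vs. time-bound. */
public final class AuthBoundSigningKeys {
    private static final String PROVIDER = "AndroidKeyStore";
    // Placeholder aliases, constructed for this example.
    public static final String ALIAS_PER_USE = "example_sign_key_per_use";
    public static final String ALIAS_TIMED = "example_sign_key_timed";

    /** Outcome of trying to start a signing operation with a key. */
    public enum InitResult { READY, NEEDS_USER_AUTH, KEY_INVALIDATED }

    /**
     * validitySeconds == -1: authentication is required for every use, so the key is bound to
     * biometrics and is irreversibly invalidated when a new fingerprint is enrolled.
     * validitySeconds > -1: the key is usable for that many seconds after a secure lock screen
     * authentication; enrolling a new fingerprint does NOT invalidate it.
     */
    public static void generate(String alias, int validitySeconds) throws Exception {
        KeyGenParameterSpec.Builder builder =
                new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                        .setDigests(KeyProperties.DIGEST_SHA256)
                        .setUserAuthenticationRequired(true);
        if (validitySeconds > -1) {
            builder.setUserAuthenticationValidityDurationSeconds(validitySeconds);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(builder.build());
        kpg.generateKeyPair();
    }

    /** Provision both keys: the per-use one, and the time-bound one from the question (10 s). */
    public static void provisionBoth() throws Exception {
        generate(ALIAS_PER_USE, -1);
        generate(ALIAS_TIMED, 10);
    }

    /**
     * Starts a signature with the named key and maps the two keystore exceptions to an outcome.
     * KeyPermanentlyInvalidatedException is only reachable for the per-use key; the time-bound
     * key reports UserNotAuthenticatedException instead when the 10-second window has expired.
     */
    public static InitResult tryInitSign(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        try {
            sig.initSign(key);
            // Per-use key: initSign succeeds, but sign() is only authorized after this Signature
            // is wrapped in a FingerprintManager.CryptoObject (or BiometricPrompt.CryptoObject)
            // and the user authenticates. Time-bound key: sign() can be called right away.
            return InitResult.READY;
        } catch (KeyPermanentlyInvalidatedException e) {
            // A new biometric was enrolled since the per-use key was created. The key can never
            // be used again: delete it and re-provision after the user re-authenticates.
            ks.deleteEntry(alias);
            return InitResult.KEY_INVALIDATED;
        } catch (UserNotAuthenticatedException e) {
            // Time-bound key outside its validity window: the user must authenticate with the
            // secure lock screen (e.g. KeyguardManager.createConfirmDeviceCredentialIntent)
            // and the app retries initSign afterwards.
            return InitResult.NEEDS_USER_AUTH;
        }
    }
}
```

The point the answer makes is visible in tryInitSign: for the time-bound key there is no code path that reports an enrollment change, so an app that needs to detect new fingerprints as a signal (and refuse to sign with a key created before them) must keep the key per-use (validity -1). The 10-second window trades that guarantee for convenience, so choose it deliberately.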