Have you experienced the case where the Android Fingerprint APIs behave in an unexpected way? The issue I have is when I generate a PrivateKey with a given attestationChallenge and userAuthenticationValidityDurationSeconds for data signing. Everything works as expected if I don't enroll new fingerprints; however, after enrollment of a new fingerprint I expect that key to be permanently invalidated, but this is not the case. Have you experienced anything similar?

Below is the code I'm using to generate the PrivateKey.

import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator
import java.security.KeyStore

// The original snippet leaves these values undefined; the ones below are assumptions
val algorithm = KeyProperties.KEY_ALGORITHM_RSA
val digests = KeyProperties.DIGEST_SHA256
val paddings = KeyProperties.SIGNATURE_PADDING_RSA_PKCS1
val attestationChallenge = ByteArray(32)          // in practice a server-issued nonce
val userAuthenticationValidityDurationSeconds = 30

// Provider name must be "AndroidKeyStore" for both the KeyStore and the generator
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)
val keyPairGenerator = KeyPairGenerator.getInstance(algorithm, "AndroidKeyStore")
val builder = KeyGenParameterSpec.Builder("alias", KeyProperties.PURPOSE_SIGN)
builder.apply {
    setDigests(digests)
    setSignaturePaddings(paddings)
    setUserAuthenticationRequired(true)
    setInvalidatedByBiometricEnrollment(true)   // only has an effect on auth-per-use keys
    setAttestationChallenge(attestationChallenge)
    // A positive timeout authorises the key for a window after any unlock
    setUserAuthenticationValidityDurationSeconds(userAuthenticationValidityDurationSeconds)
}

keyPairGenerator.initialize(builder.build())
keyPairGenerator.generateKeyPair()

Am I doing something wrong or missing something? Thanks!

Phantômaxx
Toochka

1 Answer

To answer my own question: the PrivateKey will not be invalidated by the OS if userAuthenticationValidityDurationSeconds is set to a positive value. The key will only be invalidated on enrolment of a new fingerprint if its purpose is to be used only when authenticated with a fingerprint.

Toochka
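The two key configurations the answer contrasts, side by side, as an added example (not code from the question or the answer). It assumes an RSA signing key, a 30-second timeout for the non-strict variant, and a hypothetical alias passed in by the caller; the attestation challenge is whatever the caller supplies.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature

private const val PROVIDER = "AndroidKeyStore"

/**
 * Generates an RSA signing key under [alias] (hypothetical name chosen by the caller).
 * strictBiometric = true builds the auth-per-use key that a new fingerprint enrolment
 * permanently invalidates; false builds the timeout-bound key from the question, which
 * survives enrolment because any unlock (biometric or device credential) authorises it.
 */
fun generateSigningKey(alias: String, attestationChallenge: ByteArray, strictBiometric: Boolean) {
    val builder = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
        .setUserAuthenticationRequired(true)
        .setAttestationChallenge(attestationChallenge)
    if (strictBiometric) {
        // -1 (also the default) means every operation must be authorised individually,
        // which only a biometric can do, so enrolment invalidation applies.
        builder.setUserAuthenticationValidityDurationSeconds(-1)
            .setInvalidatedByBiometricEnrollment(true)
    } else {
        // Positive timeout: key is usable for 30 s after any unlock; enrolling a new
        // fingerprint does NOT invalidate it, which is the behaviour observed in the question.
        builder.setUserAuthenticationValidityDurationSeconds(30)
    }
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, PROVIDER).run {
        initialize(builder.build())
        generateKeyPair()
    }
}

/**
 * Returns a Signature initialised with the key, or null when the OS has permanently
 * invalidated it (the signal a strict key gives after a new fingerprint was enrolled).
 * On invalidation the stale alias is deleted so the user can be re-enrolled cleanly.
 */
fun initSignature(alias: String): Signature? {
    val keyStore = KeyStore.getInstance(PROVIDER).apply { load(null) }
    val privateKey = keyStore.getKey(alias, null) as? PrivateKey ?: return null
    return try {
        Signature.getInstance("SHA256withRSA").apply { initSign(privateKey) }
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(alias)
        null
    }
}
```

For the strict key, the Signature returned by initSignature must be wrapped in a BiometricPrompt.CryptoObject and handed to BiometricPrompt before sign() is called; for the timeout key, initSign succeeds without a prompt and sign() instead throws UserNotAuthenticatedException if the user has not unlocked within the window. On API 30 and later the same distinction is expressed with setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) for the strict variant, which replaces the deprecated duration call.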