2

I am looking for a way to get notify if the user changed his/her fingerprint. I saw this answer here but it wasn't clear how to use "setAllowedAuthenticators" in this scenario.

I would appreciate it if someone could help.

[update] the updated code:

1- Generate secret key

generateSecretKey(new KeyGenParameterSpec.Builder(
                        KEY_NAME,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                        .setUserAuthenticationRequired(true)
                        // Invalidate the keys if the user has registered a new biometric
                        // credential, such as a new fingerprint. Can call this method only
                        // on Android 7.0 (API level 24) or higher. The variable
                        .setInvalidatedByBiometricEnrollment(true)
                        .build());

2- Generate cipher 

       Cipher cipher = getCipher();
            SecretKey secretKey = getSecretKey();
            try {
                cipher.init(Cipher.ENCRYPT_MODE, secretKey);
            } catch (KeyPermanentlyInvalidatedException e) {
                System.out.print("key has changed");
            } catch (InvalidKeyException e) {
                e.printStackTrace();
            }

3- authenticate 

biometricPrompt.authenticate(new CancellationSignal(), excutor, new BiometricPrompt.AuthenticationCallback() {


            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {

                    }
                });
            }
        });
    }
});

Error:

E/AndroidRuntime: FATAL EXCEPTION: main
Process: com.example.fingerprint_poc, PID: 9523
java.lang.IllegalArgumentException: keystoreAlias must not be empty
    at android.security.keystore.KeyGenParameterSpec$Builder.<init>(KeyGenParameterSpec.java:760)
    at com.example.fingerprint_poc.task$5.onClick(task.java:153)
    at android.view.View.performClick(View.java:6597)
    at android.view.View.performClickInternal(View.java:6574)
    at android.view.View.access$3100(View.java:778)
    at android.view.View$PerformClick.run(View.java:25885)
    at android.os.Handler.handleCallback(Handler.java:873)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loop(Looper.java:193)
    at android.app.ActivityThread.main(ActivityThread.java:6669)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)    I/Process: Sending signal. PID: 9523 SIG: 9
Atheer Abdullatif
  • 182
  • 1
  • 15
  • I'm not sure what `setAllowedAuthenticators` has to do with this(?). The `KeyPermanentlyInvalidatedException` will be thrown when you try to `init` your `Cipher`, which you would do before you even start the authentication. – Michael Apr 15 '20 at 09:25
  • How can I init a Cipher? can you elaborate on that? – Atheer Abdullatif Apr 24 '20 at 12:56
  • It would require that you at some point in time (let's call it A) have generated a cryptographic key that requires user authentication (see [this](https://developer.android.com/training/sign-in/biometric-auth#crypto) and [this](https://developer.android.com/training/sign-in/biometric-auth#biometric-only)). If at some later point (B) you try to init a `Cipher` for your key as shown in the linked examples, and the user has added new fingerprints between time A and B, then you should get a `KeyPermanentlyInvalidatedException`. – Michael Apr 24 '20 at 13:54
  • I tried doing so before the authenticate function and my app caches now. I added the code with the post. can you check it please? – Atheer Abdullatif Apr 24 '20 at 14:48
  • You also need to add the stacktrace from the crash. And both the code and the stacktrace should be added as text, not as screenshots. – Michael Apr 24 '20 at 14:51
  • I edited the code and I used the following functions https://developer.android.com/training/sign-in/biometric-auth#crypto – Atheer Abdullatif Apr 24 '20 at 15:07
  • Did you give `KEY_NAME` a value? It can be pretty much any string, but it can't be empty. Also, if it wasn't clear, you shouldn't generate new keys all the time. `generateSecretKey` should only be called if the key doesn't already exist, or after you've received a `KeyPermanentlyInvalidatedException`. – Michael Apr 24 '20 at 15:08
  • I gave KEY_NAME a string value, and generate generateSecretKey inside KeyPermanentlyInvalidatedException. The app now doesn't crash however I still can add multiple fingerprint and the KeyPermanentlyInvalidatedException didn't occurred. "generateSecretKey should only be called if the key doesn't already exist" how to check if Secret Key doesn't exist? – Atheer Abdullatif Apr 24 '20 at 16:35
  • By trying to load it with `getSecretKey` and generating a new key only if that failed. – Michael Apr 24 '20 at 16:43
  • Thank you so much I added a simple check if (getSecretKey() == null) and then called generateSecretKey. the app works fine now and I get notified when the fingerprint is changed. I honestly appreciate it. – Atheer Abdullatif Apr 24 '20 at 17:04

1 Answers1

4

Using the functions here link and link You add this code before the authentication

Cipher cipher = getCipher();
    SecretKey secretKey = getSecretKey();
    if (getSecretKey() == null){
        generateSecretKey(new KeyGenParameterSpec.Builder(
                KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                // Invalidate the keys if the user has registered a new biometric
                // credential, such as a new fingerprint. Can call this method only
                // on Android 7.0 (API level 24) or higher. The variable
                .setInvalidatedByBiometricEnrollment(true)
                .build());
    }
    try {
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    } catch (KeyPermanentlyInvalidatedException e) {
        System.out.print("key has changed");

        Toast.makeText(task.this, "changed", Toast.LENGTH_LONG).show();

        generateSecretKey(new KeyGenParameterSpec.Builder(
                KEY_NAME,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                // Invalidate the keys if the user has registered a new biometric
                // credential, such as a new fingerprint. Can call this method only
                // on Android 7.0 (API level 24) or higher. The variable
                .setInvalidatedByBiometricEnrollment(true)
                .build());
    } catch (InvalidKeyException e) {
        e.printStackTrace();

    }

Important: the KEY_NAME must be the same, it must not change between instances.

Delly Fabian Lucas
  • 39
  • 7
Atheer Abdullatif
  • 182
  • 1
  • 15