Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

StrongBoxUnavailableException/ProviderException: Failed to generate key error when connecting Tap to Pay reader #469

Open
wkol opened this issue Jun 7, 2024 · 6 comments
Open

StrongBoxUnavailableException/ProviderException: Failed to generate key error when connecting Tap to Pay reader #469

wkol opened this issue Jun 7, 2024 · 6 comments

Comments

@wkol
Copy link

wkol commented Jun 7, 2024

Summary

This issue follows the problem encountered in this issue, where an attempt to connect to the Tap to Pay reader resulted in a crash of the Stripe AIDL process. After upgrading the SDK to version 3.6.0, the crashes mentioned in the original issue indeed disappeared. However, some new crashes have appeared in the same place (connection process). The stack traces (so far, we have encountered two variants of this crash) are a bit different, but it seems that the problem is during the generation of the hardware backed key:

  1. Variant:
Caused by android.security.keystore.StrongBoxUnavailableException/
Failed to generate key
keyboard_arrow_up
android.security.keystore2.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey (AndroidKeyStoreKeyGeneratorSpi.java:411)
javax.crypto.KeyGenerator.generateKey (KeyGenerator.java:612)
java.lang.reflect.Method.invoke (Method.java)
com.s.s.As$14140.Dashboard (Unknown Source:142)
Caused by android.security.KeyStoreException
No StrongBox available
  1. Variant
Caused by java.security.ProviderException
Keystore key generation failed
keyboard_arrow_up
android.security.keystore2.AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey (AndroidKeyStoreKeyGeneratorSpi.java:413)
javax.crypto.KeyGenerator.generateKey (KeyGenerator.java:612)
java.lang.reflect.Method.invoke (Method.java)
com.s.s.As$14140.Dashboard (Unknown Source:142)
Caused by android.security.KeyStoreException
System error (internal Keystore code: 4 message: system/security/keystore2/src/security_level.rs:693: In generate_key. 10351, Some("asp_key") Caused by: 0: system/security/keystore2/src/security_level.rs:691: While generating Key without explicit attestation key. 1: Binder exception code TRANSACTION_FAILED, 0)

Again, the crashes occur on Samsung devices, so there is probably an issue with their software, but maybe you could figure out some workaround. Also, since the exception says that the StrongBox is not available, I wonder if you could add a StrongBox check to the method supportsReaderOfType() or return TerminalErrorCode.LOCAL_MOBILE_UNSUPPORTED_DEVICE in case of connection on a device where the StrongBox is not available.

Code to reproduce

Well so far I couldn't reproduce this, but if I succeed i will provide the code.

Android version

Mostly 14

Impacted devices (Android devices or readers)

Samsung devices/Tap to Pay reader

SDK version

3.6.0
@sidhant-stripe
Copy link
Collaborator

Hi @wkol, thanks for bringing this to our attention.

The first error (No StrongBox available) is very confusing since we do explicitly check for a StrongBox as part of supportsReaderOfType(). That would probably need to be fixed via a firmware update on Samsung's end.

As for the second error, we are updating supportsReadersOfType() to run through a simulation of our key generation, and will be returning TerminalErrorCode.LOCAL_MOBILE_UNSUPPORTED_DEVICE if key generation fails. We are expecting this fix to be merged in time for the 3.9.0 release, which is scheduled for early September.

@sidhant-stripe
Copy link
Collaborator

Hi @wkol unfortunately fixing this issue is going to take more engineering resources than we have at the moment. We will try to pick this up as soon as our workload frees up and keep you updated in this thread.

@sidhant-stripe sidhant-stripe mentioned this issue Aug 14, 2024
Closed
@wkol
Copy link
Author

wkol commented Aug 22, 2024

Hi @sidhant-stripe, thanks for all the work and updates. I am going to report this issue directly to Samsung, and since I currently do not have access to any Samsung S24 - could you provide more or less the code used to generate the keys (I believe "asp_key" is the problematic key) - I mean just a general overview - what algorithm, padding, any custom options etc? Something that could allow Samsung to reproduce it.

@gliu-stripe
Copy link

Hey @wkol, asp_key is a MasterKey that can be generated like so:

val masterKey: MasterKey = MasterKey.Builder(context, "asp_key")
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .setRequestStrongBoxBacked(true)
            .build()

@wkol
Copy link
Author

wkol commented Oct 11, 2024

Hi, are there any updates on this issue or a timeline for the fix?

@sidhant-stripe
Copy link
Collaborator

sidhant-stripe commented Oct 14, 2024
edited
Loading

unfortunately we aren't expecting to have the resources to work on this in the near future, but we'll be sure to update this thread if we have any updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wkol @gliu-stripe @sidhant-stripe