java.security.InvalidKeyException: Key for algorithm RSA not suitable for symmetric encryption on API < 23

[NickvanDyke]

java.lang.RuntimeException: Unable to create application <censored>: com.cioccarellia.ksprefs.exceptions.EngineException: 
        at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4521)
        at android.app.ActivityThread.access$1500(ActivityThread.java:144)
        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1339)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:135)
        at android.app.ActivityThread.main(ActivityThread.java:5221)
        at java.lang.reflect.Method.invoke(Native Method)
        at java.lang.reflect.Method.invoke(Method.java:372)
        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:899)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:694)
     Caused by: com.cioccarellia.ksprefs.exceptions.EngineException: 
        at com.cioccarellia.ksprefs.exceptions.EngineException$Companion.convertFrom(EngineException.kt:34)
        at com.cioccarellia.ksprefs.extensions.ExceptionExtsKt.getOrThrowException(ExceptionExts.kt:23)
        at com.cioccarellia.ksprefs.internal.SafeRun$DefaultImpls.runSafely(SafeRun.kt:26)
        at com.cioccarellia.ksprefs.engines.base.Engine.runSafely(Engine.kt:25)
        at com.cioccarellia.ksprefs.internal.SafeRun$DefaultImpls.runSafely$default(SafeRun.kt:24)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine.encrypt(RsaKeyPairKeyStoreEngine.kt:68)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine.derive-qJcYHfg(RsaKeyPairKeyStoreEngine.kt:61)
        at com.cioccarellia.ksprefs.enclosure.KspEnclosure.read$library(KspEnclosure.kt:100)
        at com.cioccarellia.ksprefs.dispatcher.KspDispatcher.pull(KspDispatcher.kt:73)
        at com.cioccarellia.ksprefs.KsPrefs.pull(KsPrefs.kt:152)
        at com.cioccarellia.ksprefs.delegates.dynamic.DelegateDynamicKsPref.getValue(DelegateDynamicKsPref.kt:30)
Caused by: java.security.InvalidKeyException: Key for algorithm RSA not suitable for symmetric enryption.
        at com.android.org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineInit(BaseBlockCipher.java:464)
        at com.android.org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineInit(BaseBlockCipher.java:758)
        at javax.crypto.Cipher.init(Cipher.java:661)
        at javax.crypto.Cipher.init(Cipher.java:621)
        at com.cioccarellia.ksprefs.extensions.CipherExtsKt.initEncryptKeyPair(CipherExts.kt:60)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine.getEncryptionCipher(RsaKeyPairKeyStoreEngine.kt:52)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine.access$getEncryptionCipher$p(RsaKeyPairKeyStoreEngine.kt:32)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine$encrypt$1.invoke(RsaKeyPairKeyStoreEngine.kt:70)
        at com.cioccarellia.ksprefs.engines.model.keystore.RsaKeyPairKeyStoreEngine$encrypt$1.invoke(RsaKeyPairKeyStoreEngine.kt:32)

My config:

KsPrefs(context) {
    this.encryptionType = EncryptionType.KeyStore("prefs")
}

I've read through the other issues about using the AndroidKeyStore and how it works differently on API < 23. I'm assuming that the library handles all that internally - Am I misusing it?

[cioccarellia]

No, you are not misusing It: what's the device os version and app's target sdk?

[NickvanDyke]

I'm using an emulator - don't have a physical device of this Android version to test on. Perhaps related? It works fine on the emulator on more recent Android versions. App's target sdk is 30, and here's the output of the AVD Manager "View details":

Name: Nexus_5X_API_21

CPU/ABI: Google APIs Intel Atom (x86)

Path: /Users/nvandyke/.android/avd/Nexus_5X_API_21.avd

Target: google_apis [Google APIs] (API level 21)

Skin: nexus_5x

SD Card: 512M

fastboot.chosenSnapshotFile: 

runtime.network.speed: full

hw.accelerometer: yes

hw.device.name: Nexus 5X

hw.lcd.width: 1080

hw.initialOrientation: Portrait

image.androidVersion.api: 21

tag.id: google_apis

hw.audioOutput: n

hw.mainKeys: no

hw.camera.front: emulated

avd.ini.displayname: Nexus 5X API 21

hw.gpu.mode: auto

hw.ramSize: 1536

PlayStore.enabled: false

fastboot.forceColdBoot: no

hw.cpu.ncore: 4

hw.keyboard: yes

hw.sensors.proximity: yes

hw.dPad: no

hw.lcd.height: 1920

vm.heapSize: 228

skin.dynamic: yes

hw.device.manufacturer: Google

hw.gps: yes

hw.audioInput: no

image.sysdir.1: system-images/android-21/google_apis/x86/

showDeviceFrame: yes

ohw.battery: yes

hw.camera.back: virtualscene

AvdId: Nexus_5X_API_21

hw.lcd.density: 420

hw.arc: false

hw.device.hash2: MD5:ae200ad6786ec467cb9067f7b46b0fd1

fastboot.forceChosenSnapshotBoot: no

fastboot.forceFastBoot: yes

hw.trackBall: no

hw.sdCard: yes

tag.display: Google APIs

runtime.network.latency: none

disk.dataPartition.size: 800M

hw.sensors.orientation: yes

avd.ini.encoding: UTF-8

hw.gpu.enabled: yes

[cioccarellia]

Yep, I check back to be sure and the behaviour is definitely different if not running at least Android M (23). Below it, an RSA KeyPair generator is used instead of the full AES-compliant Android Keystone mechanism, since it was introduced on API 23. This generates two keys: that's not fantastic, but it should pretty much be ok for pre-M devices. I tested with physical devices and emulators but did not get a crash, maybe you can try to reproduce it on a real device using your same application to check if that's just something avd-related, or if we have to investigate a bit deeper?

[NickvanDyke]

I think some coworkers have devices with older Android versions, I'll see if they've run into anything. I appreciate the prompt response 👍

[cioccarellia]

I appreciate your detailed issue :) Thank you so much for helping out