KeyStoreException

public class KeyStoreException
extends Exception

java.lang.Object
   ↳ java.lang.Throwable
     ↳ java.lang.Exception
       ↳ android.security.KeyStoreException


Exception containing information about the failure at the Keystore / KeyMint layer while generating or using a key. The public error codes indicate the cause of the error and the methods indicate whether it's a system/key issue and whether re-trying the operation (with the same key or a new key) is likely to succeed.

Summary

Constants

int ERROR_ATTESTATION_CHALLENGE_TOO_LARGE

The attestation challenge specified is too large.

int ERROR_ATTESTATION_KEYS_UNAVAILABLE

There are no keys available for attestation.

int ERROR_ID_ATTESTATION_FAILURE

The error related to inclusion of device identifiers in the attestation record.

int ERROR_INCORRECT_USAGE

The feature the caller is trying to use is not compatible with the parameters used to generate the key.

int ERROR_INTERNAL_SYSTEM_ERROR

An internal system error - refer to isTransientFailure() to determine whether re-trying the operation is likely to yield different results.

int ERROR_KEYMINT_FAILURE

General error in the KeyMint layer.

int ERROR_KEYSTORE_FAILURE

Failure in the Keystore layer.

int ERROR_KEYSTORE_UNINITIALIZED

Indicating that load() has not been called on the Keystore instance, or an attempt has been made to generate an authorization bound key while the user has not set a lock screen knowledge factor (LSKF).

int ERROR_KEY_CORRUPTED

The key is corrupted and could not be recovered.

int ERROR_KEY_DOES_NOT_EXIST

The key the operation refers to doesn't exist.

int ERROR_KEY_NOT_TEMPORALLY_VALID

The key is not currently valid: Either at has expired or it will be valid for use in the future.

int ERROR_KEY_OPERATION_EXPIRED

The crypto object the caller has been using held a reference to a KeyMint operation that has been evacuated (likely due to other concurrent operations taking place).

int ERROR_OTHER

This error code is for mapping errors that the caller will not know about.

int ERROR_PERMISSION_DENIED

The caller has requested key parameters or operation which are only available to system or privileged apps.

int ERROR_UNIMPLEMENTED

The feature the caller is trying to use is not implemented by the underlying KeyMint implementation.

int ERROR_USER_AUTHENTICATION_REQUIRED

Indicating the key could not be used because the user needs to authenticate first.

int RETRY_AFTER_NEXT_REBOOT

Re-try the operation that led to this error when the device has a software update downloaded and on the next reboot.

int RETRY_NEVER

Never re-try the operation that led to this error, since it's a permanent error.

int RETRY_WHEN_CONNECTIVITY_AVAILABLE

Re-try the operation that led to this error when the device regains connectivity.

int RETRY_WITH_EXPONENTIAL_BACKOFF

Re-try the operation that led to this error with an exponential back-off delay.

Public methods

int getNumericErrorCode()

Returns one of the error codes exported by the class.

int getRetryPolicy()

Returns the re-try policy for transient failures.

boolean isSystemError()

Indicates whether the error related to the Keystore/KeyMint implementation and not a specific key.

boolean isTransientFailure()

Returns true if the failure is a transient failure - that is, performing the same operation again at a late time is likely to succeed.

boolean requiresUserAuthentication()

Indicates whether the failure is due to the device being locked.

String toString()

Returns a short description of this throwable.

Inherited methods

Constants

ERROR_ATTESTATION_CHALLENGE_TOO_LARGE

Added in API level 33
public static final int ERROR_ATTESTATION_CHALLENGE_TOO_LARGE

The attestation challenge specified is too large.

Constant Value: 9 (0x00000009)

ERROR_ATTESTATION_KEYS_UNAVAILABLE

Added in API level 33
public static final int ERROR_ATTESTATION_KEYS_UNAVAILABLE

There are no keys available for attestation. This error is returned only on devices that rely solely on remotely-provisioned keys (see Remote Key Provisioning).

On such a device, if the caller requests key generation and includes an attestation challenge (indicating key attestation is required), the error will be returned in one of the following cases:

  • The pool of remotely-provisioned keys has been exhausted.
  • The device is not registered with the key provisioning server.

This error is a transient one if the pool of remotely-provisioned keys has been exhausted. However, if the device is not registered with the server, or the key provisioning server refuses key issuance, this is a permanent error.

Constant Value: 16 (0x00000010)

ERROR_ID_ATTESTATION_FAILURE

Added in API level 33
public static final int ERROR_ID_ATTESTATION_FAILURE

The error related to inclusion of device identifiers in the attestation record.

Constant Value: 8 (0x00000008)

ERROR_INCORRECT_USAGE

Added in API level 33
public static final int ERROR_INCORRECT_USAGE

The feature the caller is trying to use is not compatible with the parameters used to generate the key. For example, trying to use a key generated for a different signature algorithm, or a digest not specified during key creation. Another case is the attempt to generate a symmetric AES key and requesting key attestation.

Constant Value: 13 (0x0000000d)

ERROR_INTERNAL_SYSTEM_ERROR

Added in API level 33
public static final int ERROR_INTERNAL_SYSTEM_ERROR

An internal system error - refer to isTransientFailure() to determine whether re-trying the operation is likely to yield different results.

Constant Value: 4 (0x00000004)

ERROR_KEYMINT_FAILURE

Added in API level 33
public static final int ERROR_KEYMINT_FAILURE

General error in the KeyMint layer.

Constant Value: 10 (0x0000000a)

ERROR_KEYSTORE_FAILURE

Added in API level 33
public static final int ERROR_KEYSTORE_FAILURE

Failure in the Keystore layer.

Constant Value: 11 (0x0000000b)

ERROR_KEYSTORE_UNINITIALIZED

Added in API level 33
public static final int ERROR_KEYSTORE_UNINITIALIZED

Indicating that load() has not been called on the Keystore instance, or an attempt has been made to generate an authorization bound key while the user has not set a lock screen knowledge factor (LSKF). Instruct the user to set an LSKF and retry.

Constant Value: 3 (0x00000003)

ERROR_KEY_CORRUPTED

Added in API level 33
public static final int ERROR_KEY_CORRUPTED

The key is corrupted and could not be recovered.

Constant Value: 7 (0x00000007)

ERROR_KEY_DOES_NOT_EXIST

Added in API level 33
public static final int ERROR_KEY_DOES_NOT_EXIST

The key the operation refers to doesn't exist.

Constant Value: 6 (0x00000006)

ERROR_KEY_NOT_TEMPORALLY_VALID

Added in API level 33
public static final int ERROR_KEY_NOT_TEMPORALLY_VALID

The key is not currently valid: Either at has expired or it will be valid for use in the future.

Constant Value: 14 (0x0000000e)

ERROR_KEY_OPERATION_EXPIRED

Added in API level 33
public static final int ERROR_KEY_OPERATION_EXPIRED

The crypto object the caller has been using held a reference to a KeyMint operation that has been evacuated (likely due to other concurrent operations taking place). The caller should re-create the crypto object and try again.

Constant Value: 15 (0x0000000f)

ERROR_OTHER

Added in API level 33
public static final int ERROR_OTHER

This error code is for mapping errors that the caller will not know about. If the caller is targeting an API level earlier than the one the error was introduced in, then the error will be mapped to this one. In API level 33 no errors map to this error.

Constant Value: 1 (0x00000001)

ERROR_PERMISSION_DENIED

Added in API level 33
public static final int ERROR_PERMISSION_DENIED

The caller has requested key parameters or operation which are only available to system or privileged apps.

Constant Value: 5 (0x00000005)

ERROR_UNIMPLEMENTED

Added in API level 33
public static final int ERROR_UNIMPLEMENTED

The feature the caller is trying to use is not implemented by the underlying KeyMint implementation. This could happen when an unsupported algorithm is requested, or when trying to import a key in a format other than raw or PKCS#8.

Constant Value: 12 (0x0000000c)

ERROR_USER_AUTHENTICATION_REQUIRED

Added in API level 33
public static final int ERROR_USER_AUTHENTICATION_REQUIRED

Indicating the key could not be used because the user needs to authenticate first. See KeyGenParameterSpec.Builder.setUserAuthenticationRequired(boolean).

Constant Value: 2 (0x00000002)

RETRY_AFTER_NEXT_REBOOT

Added in API level 34
public static final int RETRY_AFTER_NEXT_REBOOT

Re-try the operation that led to this error when the device has a software update downloaded and on the next reboot. The Remote provisioning server recognizes the device, but refuses issuance of attestation keys because it contains a software version that could potentially be vulnerable and needs an update. Re-trying after the device has upgraded and rebooted may alleviate the problem.

This value is returned when isTransientFailure() is true.

Constant Value: 4 (0x00000004)

RETRY_NEVER

Added in API level 33
public static final int RETRY_NEVER

Never re-try the operation that led to this error, since it's a permanent error. This value is always returned when isTransientFailure() is false.

Constant Value: 1 (0x00000001)

RETRY_WHEN_CONNECTIVITY_AVAILABLE

Added in API level 33
public static final int RETRY_WHEN_CONNECTIVITY_AVAILABLE

Re-try the operation that led to this error when the device regains connectivity. Remote provisioning of keys requires reaching the remote server, and the device is currently unable to due that due to lack of network connectivity. This value is returned when isTransientFailure() is true.

Constant Value: 3 (0x00000003)

RETRY_WITH_EXPONENTIAL_BACKOFF

Added in API level 33
public static final int RETRY_WITH_EXPONENTIAL_BACKOFF

Re-try the operation that led to this error with an exponential back-off delay. The first delay should be between 5 to 30 seconds, and each subsequent re-try should double the delay time. This value is returned when isTransientFailure() is true.

Constant Value: 2 (0x00000002)

Public methods

getNumericErrorCode

Added in API level 33
public int getNumericErrorCode ()

Returns one of the error codes exported by the class.

Returns
int a public error code Value is either 0 or a combination of ERROR_OTHER, ERROR_USER_AUTHENTICATION_REQUIRED, ERROR_KEYSTORE_UNINITIALIZED, ERROR_INTERNAL_SYSTEM_ERROR, ERROR_PERMISSION_DENIED, ERROR_KEY_DOES_NOT_EXIST, ERROR_KEY_CORRUPTED, ERROR_ID_ATTESTATION_FAILURE, ERROR_ATTESTATION_CHALLENGE_TOO_LARGE, ERROR_KEYMINT_FAILURE, ERROR_KEYSTORE_FAILURE, ERROR_UNIMPLEMENTED, ERROR_INCORRECT_USAGE, ERROR_KEY_NOT_TEMPORALLY_VALID, ERROR_KEY_OPERATION_EXPIRED, ERROR_ATTESTATION_KEYS_UNAVAILABLE, and android.security.KeyStoreException.ERROR_DEVICE_REQUIRES_UPGRADE_FOR_ATTESTATION

getRetryPolicy

Added in API level 33
public int getRetryPolicy ()

Returns the re-try policy for transient failures. Valid only if isTransientFailure() returns True.

Returns
int Value is either 0 or a combination of RETRY_NEVER, RETRY_WITH_EXPONENTIAL_BACKOFF, RETRY_WHEN_CONNECTIVITY_AVAILABLE, and RETRY_AFTER_NEXT_REBOOT

isSystemError

Added in API level 33
public boolean isSystemError ()

Indicates whether the error related to the Keystore/KeyMint implementation and not a specific key.

Returns
boolean true if the error is related to the system, not the key in use. System errors indicate a feature isn't working, whereas key-related errors are likely to succeed with a new key.

isTransientFailure

Added in API level 33
public boolean isTransientFailure ()

Returns true if the failure is a transient failure - that is, performing the same operation again at a late time is likely to succeed. If isSystemError() returns true, the transient nature of the failure relates to the device, otherwise relates to the key (so a permanent failure with an existing key likely requires creating another key to repeat the operation with).

Returns
boolean

requiresUserAuthentication

Added in API level 33
public boolean requiresUserAuthentication ()

Indicates whether the failure is due to the device being locked.

Returns
boolean true if the key operation failed because the user has to authenticate (e.g. by unlocking the device).

toString

Added in API level 33
public String toString ()

Returns a short description of this throwable. The result is the concatenation of:

  • the name of the class of this object
  • ": " (a colon and a space)
  • the result of invoking this object's getLocalizedMessage() method
If getLocalizedMessage returns null, then just the class name is returned.

Returns
String a string representation of this throwable.