oblador
com.oblador.keychain.exceptions.CryptoFailedException: Wrapped error: null
I encountered an issue when calling the getGenericPassword method from react-native-keychain.
My usage is:
await Keychain.setGenericPassword(username, password, { service: USER_KEY123456 });
await Keychain.getGenericPassword({ service: USER_KEY123456 });
Some users randomly experience the following error:
com.oblador.keychain.exceptions.CryptoFailedException: Wrapped error: null
This issue seems device-specific and occurs randomly, making it difficult to reproduce consistently. Does anyone have experience with this problem or suggestions on how to resolve it?
I've identified the root cause: When using a custom service:
Keychain.setGenericPassword(username, password, { service: 'customService' })
sometimes the AES_GCM cipher storage is attempting to use the same keystore alias in both ciphers AES_GCM and AES_GCM_NO_AUTH. This alias collision is triggering the error you're experiencing. I am working on a fix.
@DorianMazur Thank you so much for feedback on this issue, Could you suggest any temporary workaround that we can apply for affected customers? Also, do you have an estimated timeline for when the fix will be officially released?
Also had users experience this issue :) if you could let us know the fix once you are done so I can get it patched asap. Thanks for all the hard work @DorianMazur
If I understood the issue correctly, @DorianMazur does this solve the issue? https://github.com/oblador/react-native-keychain/pull/736
I am seeing the same, but the errors are very heavily weighted to the Motorola Razr
@Bowlerr @SYoder1 The prefix might help with some of the issues, but after thinking about it, I don’t believe it’s the root cause of the error. This is a general error, so the first step should be to add better error handling. I’ll look into it further, I think it is an edge case and quite hard to reproduce. Prefix was my first guess as it's something I want to change for quite some time.
14437:14523 W/c: null
javax.crypto.AEADBadTagException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
at javax.crypto.Cipher.doFinal(Cipher.java:2074)
at E6.c.m(Unknown Source:37)
at E6.k.l(Unknown Source:16)
at E6.k.b(Unknown Source:51)
at com.oblador.keychain.KeychainModule.decryptToResult(Unknown Source:29)
at com.oblador.keychain.KeychainModule.decryptCredentials(Unknown Source:12)
at com.oblador.keychain.KeychainModule.access$decryptCredentials(Unknown Source:0)
at com.oblador.keychain.KeychainModule$b.invokeSuspend(Unknown Source:237)
at kotlin.coroutines.jvm.internal.a.resumeWith(Unknown Source:11)
at v8.W.run(Unknown Source:128)
at C8.a.c0(Unknown Source:0)
at C8.a$c.d(Unknown Source:14)
at C8.a$c.p(Unknown Source:28)
at C8.a$c.run(Unknown Source:0)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
Caused by:
0: system/security/keystore2/src/operation.rs:426: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:435)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
... 14 more
identical exceptions from another user
25340:25381 W/c: null
javax.crypto.AEADBadTagException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
at javax.crypto.Cipher.doFinal(Cipher.java:2074)
at E6.c.m(Unknown Source:37)
at E6.k.l(Unknown Source:16)
at E6.k.b(Unknown Source:51)
at com.oblador.keychain.KeychainModule.decryptToResult(Unknown Source:29)
at com.oblador.keychain.KeychainModule.decryptCredentials(Unknown Source:12)
at com.oblador.keychain.KeychainModule.access$decryptCredentials(Unknown Source:0)
at com.oblador.keychain.KeychainModule$b.invokeSuspend(Unknown Source:237)
at kotlin.coroutines.jvm.internal.a.resumeWith(Unknown Source:11)
at v8.W.run(Unknown Source:128)
at C8.a.c0(Unknown Source:0)
at C8.a$c.d(Unknown Source:14)
at C8.a$c.p(Unknown Source:28)
at C8.a$c.run(Unknown Source:0)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
Caused by:
0: system/security/keystore2/src/operation.rs:426: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:435)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
... 14 more
@Bowlerr Could u help me reproduce this issue on simulator or device?
@DorianMazur I sincerely appreciate you taking the time to address this. This issue is affecting many users of my project. Could you please help me with a patch version to resolve this issue in time, before your version is released?
@DorianMazur How should I use Keychain.setGenericPassword(username, password, { service: 'customService' }) and getGenericPassword with storage to avoid issues for both existing users and new users?
@SYoder1 if you can recreate this with ease, could you see if https://github.com/oblador/react-native-keychain/pull/736 fixes the issue
I have tried the fixed version from #736 and it does not seem to fix it for me Error remains:
Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
com.oblador.keychain.exceptions.CryptoFailedException: Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:456)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:243)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decrypt(CipherStorageKeystoreAesGcm.kt:135)
at com.oblador.keychain.KeychainModule.decryptToResult(KeychainModule.kt:527)
at com.oblador.keychain.KeychainModule.decryptCredentials(KeychainModule.kt:490)
at com.oblador.keychain.KeychainModule.access$decryptCredentials(KeychainModule.kt:39)
at com.oblador.keychain.KeychainModule$getGenericPassword$1.invokeSuspend(KeychainModule.kt:294)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:101)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:589)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:832)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:720)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:707)
Caused by: javax.crypto.AEADBadTagException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:632)
at javax.crypto.Cipher.doFinal(Cipher.java:2074)
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:446)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:243)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decrypt(CipherStorageKeystoreAesGcm.kt:135)
at com.oblador.keychain.KeychainModule.decryptToResult(KeychainModule.kt:527)
at com.oblador.keychain.KeychainModule.decryptCredentials(KeychainModule.kt:490)
at com.oblador.keychain.KeychainModule.access$decryptCredentials(KeychainModule.kt:39)
at com.oblador.keychain.KeychainModule$getGenericPassword$1.invokeSuspend(KeychainModule.kt:294)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:101)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:589)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:832)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:720)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:707)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:847: KeystoreOperation::finish
Caused by:
0: system/security/keystore2/src/operation.rs:428: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:416)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:79)
at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:132)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:624)
... 14 more
@phamngocthinh @Bowlerr I now have permanent physical access to the Razr 2024 and have been testing with the example app. I can now help test any changes as needed.
I tired both the latest main, as well as #736, and they both return the same error, the same as @cjanietz.
Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
com.oblador.keychain.exceptions.CryptoFailedException: Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:455)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:243)
at com.oblador.keychain.resultHandler.ResultHandlerInteractiveBiometric.onAuthenticationSucceeded(ResultHandlerInteractiveBiometric.kt:103)
at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.crypto.AEADBadTagException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:626)
at javax.crypto.Cipher.doFinal(Cipher.java:2056)
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:445)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:243)
at com.oblador.keychain.resultHandler.ResultHandlerInteractiveBiometric.onAuthenticationSucceeded(ResultHandlerInteractiveBiometric.kt:103)
at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
Caused by:
0: system/security/keystore2/src/operation.rs:426: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:386)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:618)
... 8 more
https://github.com/user-attachments/assets/a99f44c7-1bb5-42b0-bdd7-5b15abd657c5
@DorianMazur It looks like it is the same error again. I tried to save and read the password in the same app session, as well as save it, kill the app, relaunch and read.
Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
com.oblador.keychain.exceptions.CryptoFailedException: Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:353)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:246)
at com.oblador.keychain.resultHandler.ResultHandlerInteractiveBiometric.onAuthenticationSucceeded(ResultHandlerInteractiveBiometric.kt:103)
at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.crypto.AEADBadTagException
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:626)
at javax.crypto.Cipher.doFinal(Cipher.java:2056)
at com.oblador.keychain.cipherStorage.CipherStorageBase.decryptBytes(CipherStorageBase.kt:343)
at com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesGcm.decryptBytes(CipherStorageKeystoreAesGcm.kt:246)
at com.oblador.keychain.resultHandler.ResultHandlerInteractiveBiometric.onAuthenticationSucceeded(ResultHandlerInteractiveBiometric.kt:103)
at androidx.biometric.BiometricFragment$9.run(BiometricFragment.java:907)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
at java.lang.Thread.run(Thread.java:1012)
Caused by: android.security.KeyStoreException: Signature/MAC verification failed (internal Keystore code: -30 message: system/security/keystore2/src/operation.rs:850: KeystoreOperation::finish
Caused by:
0: system/security/keystore2/src/operation.rs:426: Finish failed.
1: Error::Km(r#VERIFICATION_FAILED)) (public error code: 10 internal Keystore code: -30)
at android.security.KeyStore2.getKeyStoreException(KeyStore2.java:386)
at android.security.KeyStoreOperation.handleExceptions(KeyStoreOperation.java:78)
at android.security.KeyStoreOperation.finish(KeyStoreOperation.java:128)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer$MainDataStream.finish(KeyStoreCryptoOperationChunkedStreamer.java:228)
at android.security.keystore2.KeyStoreCryptoOperationChunkedStreamer.doFinal(KeyStoreCryptoOperationChunkedStreamer.java:181)
at android.security.keystore2.AndroidKeyStoreAuthenticatedAESCipherSpi$BufferAllOutputUntilDoFinalStreamer.doFinal(AndroidKeyStoreAuthenticatedAESCipherSpi.java:396)
at android.security.keystore2.AndroidKeyStoreCipherSpiBase.engineDoFinal(AndroidKeyStoreCipherSpiBase.java:618)
... 8 more
2025-04-12 17:40:25.443 29727-30407 ResultHand...eBiometric keychain.example I unblocking thread.
2025-04-12 17:40:25.443 29727-30407 RNKeychainManager keychain.example E Decryption failed: Authentication tag verification failed. This usually indicates that the encrypted data was modified, corrupted, or is being decrypted with the wrong key.
Thanks for looking into this 🙏
@SYoder1 Can you try one last time https://github.com/oblador/react-native-keychain/pull/749 ?
I added android:allowBackup="false" for the example app. Remember to completely remove the app from the device before installing it again.
I got some logs from the Motorola device where decryption isn’t working. It looks like the problem is with StrongBox-Thales (sometimes called strongbox-thales in code), which means the device uses a Thales Secure Element (First time I'm hearing about it) for hardware encryption. Some Xiaomi and Motorola devices use this chip, but it doesn’t seem to be working properly. It can't decrypt data properly or maybe it requires some extra code to work properly.
@SYoder1 @cjanietz Can you try setting the Security Level to "Software" and see if encryption works when using software instead of hardware?
@DorianMazur I just tried both ideas, and they both still throw the same error.
If it would be helpful I can grab any logs you need, or if needed we can even jump on a screen share.
hi @DorianMazur , I got this issue both on Xiaomi Redmi 14 pro+. Can you support us ?
