Changing the migration logic as follows:

utkrishtsahu · utkrishtsahu · commit 212b04cbe50f · 2025-08-11T10:23:27.000+05:30
diff --git a/auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java b/auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java
@@ -366,98 +366,46 @@ byte[] RSAEncrypt(byte[] decryptedInput) throws IncompatibleDeviceException, Cry
     @VisibleForTesting
     byte[] getAESKey() throws IncompatibleDeviceException, CryptoException {
         String encodedEncryptedAES = storage.retrieveString(KEY_ALIAS);
-        if (TextUtils.isEmpty(encodedEncryptedAES)) {
-            encodedEncryptedAES = storage.retrieveString(OLD_KEY_ALIAS);
-        }
-        byte[] decryptedAESKey = null;
-        boolean migrationNeeded = false;
-        if (encodedEncryptedAES != null) {
-            //Return existing key
+        if (!TextUtils.isEmpty(encodedEncryptedAES)) {
             byte[] encryptedAESBytes = Base64.decode(encodedEncryptedAES, Base64.DEFAULT);
-            try {
-                decryptedAESKey = RSADecrypt(encryptedAESBytes);
-            }catch (IncompatibleDeviceException e){
-                Log.w(TAG, "Failed to decrypt AES key with OAEP due to " +
-                        "IncompatibleDeviceException. Cause: "
-                        + (e.getCause() != null ? e.getCause().getClass().getSimpleName() : "N/A")
-                        + ". Attempting PKCS1 fallback for migration.", e);
-                Throwable cause = e.getCause();
-                if (cause instanceof InvalidKeyException) {
-                    try {
-                        KeyStore.PrivateKeyEntry rsaKeyEntry = getRSAKeyEntry();
-                        Cipher rsaPkcs1Cipher = Cipher.getInstance(OLD_PKCS1_RSA_TRANSFORMATION);
-                        rsaPkcs1Cipher.init(Cipher.DECRYPT_MODE, rsaKeyEntry.getPrivateKey());
-                        decryptedAESKey = rsaPkcs1Cipher.doFinal(encryptedAESBytes);
-                        migrationNeeded = true;
-                    } catch (Exception pkcs1Exception) {
-                        Log.e(TAG, "Failed to decrypt AES key with PKCS1Padding fallback.",
-                                pkcs1Exception);
-                        decryptedAESKey = null;
-                    }
-                } else {
-                    throw e;
-                }
-            }catch (CryptoException e) {
-                Log.w(TAG, "Failed to decrypt AES key with OAEP. Cause: " +
-                        (e.getCause() != null ? e.getCause().getClass().getSimpleName() : "N/A") +
-                        ". Attempting PKCS1 fallback for migration.", e);
-                Throwable cause = e.getCause();
-                if (cause instanceof BadPaddingException || cause instanceof
-                        IllegalBlockSizeException || cause instanceof InvalidKeyException) {
-                    try {
-                        KeyStore.PrivateKeyEntry rsaKeyEntry = getRSAKeyEntry();
-                        Cipher rsaPkcs1Cipher = Cipher.getInstance(OLD_PKCS1_RSA_TRANSFORMATION);
-                        rsaPkcs1Cipher.init(Cipher.DECRYPT_MODE, rsaKeyEntry.getPrivateKey());
-                        decryptedAESKey = rsaPkcs1Cipher.doFinal(encryptedAESBytes);
-                        migrationNeeded = true;
-                    } catch (Exception pkcs1Exception) {
-                        Log.e(TAG, "Failed to decrypt AES key with PKCS1Padding fallback."
-                                , pkcs1Exception);
-                        decryptedAESKey = null;
-                    }
-                } else {
-                    throw e;
-                }
-            }
-            if (decryptedAESKey != null) {
-                final int aesExpectedLengthInBytes = AES_KEY_SIZE / 8;
-                if (decryptedAESKey.length != aesExpectedLengthInBytes) {
-                    Log.w(TAG, "Decrypted AES key has incorrect length (" +
-                            decryptedAESKey.length + " bytes, expected " + aesExpectedLengthInBytes
-                            + "). Discarding.");
-                    decryptedAESKey = null;
-                    migrationNeeded = false;
-                }
-            }
+            return RSADecrypt(encryptedAESBytes);
         }
-
-        if (migrationNeeded && decryptedAESKey != null) {
+        String encodedOldAES = storage.retrieveString(OLD_KEY_ALIAS);
+        if (!TextUtils.isEmpty(encodedOldAES)) {
             try {
-                deleteRSAKeys();
+                byte[] encryptedOldAESBytes = Base64.decode(encodedOldAES, Base64.DEFAULT);
+                KeyStore.PrivateKeyEntry rsaKeyEntry = getRSAKeyEntry();
+                Cipher rsaPkcs1Cipher = Cipher.getInstance(OLD_PKCS1_RSA_TRANSFORMATION);
+                rsaPkcs1Cipher.init(Cipher.DECRYPT_MODE, rsaKeyEntry.getPrivateKey());
+                byte[] decryptedAESKey = rsaPkcs1Cipher.doFinal(encryptedOldAESBytes);
 
                 byte[] encryptedAESWithOAEP = RSAEncrypt(decryptedAESKey);
                 String newEncodedEncryptedAES = new String(Base64.encode(encryptedAESWithOAEP, Base64.DEFAULT), StandardCharsets.UTF_8);
                 storage.store(KEY_ALIAS, newEncodedEncryptedAES);
-            } catch (Exception reEncryptEx) {
-                Log.e(TAG, "Failed to re-encrypt AES key with OAEP during migration. A new AES key will be generated.", reEncryptEx);
-                decryptedAESKey = null;
+                storage.remove(OLD_KEY_ALIAS);
+                return decryptedAESKey;
+            } catch (Exception e) {
+                Log.e(TAG, "Could not migrate the legacy AES key. A new key will be generated.", e);
+                deleteAESKeys();
             }
         }
-        if (decryptedAESKey == null) {
-            try {
-                KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM_AES);
-                keyGen.init(AES_KEY_SIZE);
-                decryptedAESKey = keyGen.generateKey().getEncoded();
-
-                byte[] encryptedNewAES = RSAEncrypt(decryptedAESKey);
-                String encodedEncryptedNewAESText = new String(Base64.encode(encryptedNewAES, Base64.DEFAULT), StandardCharsets.UTF_8);
-                storage.store(KEY_ALIAS, encodedEncryptedNewAESText);
-            } catch (NoSuchAlgorithmException e) {
-                Log.e(TAG, "Error while creating the new AES key.", e);
-                throw new IncompatibleDeviceException(e);
-            }
+
+        try {
+            KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM_AES);
+            keyGen.init(AES_KEY_SIZE);
+            byte[] decryptedAESKey = keyGen.generateKey().getEncoded();
+
+            byte[] encryptedNewAES = RSAEncrypt(decryptedAESKey);
+            String encodedEncryptedNewAESText = new String(Base64.encode(encryptedNewAES, Base64.DEFAULT), StandardCharsets.UTF_8);
+            storage.store(KEY_ALIAS, encodedEncryptedNewAESText);
+            return decryptedAESKey;
+        } catch (NoSuchAlgorithmException e) {
+            Log.e(TAG, "Error while creating the new AES key.", e);
+            throw new IncompatibleDeviceException(e);
+        } catch (Exception e) {
+            Log.e(TAG, "Unexpected error while creating the new AES key.", e);
+            throw new CryptoException("Unexpected error while creating the new AES key.", e);
         }
-        return decryptedAESKey;
     }
 
 
diff --git a/auth0/src/test/java/com/auth0/android/authentication/storage/CryptoUtilTest.java b/auth0/src/test/java/com/auth0/android/authentication/storage/CryptoUtilTest.java
@@ -349,26 +349,6 @@ public void shouldThrowOnInvalidAlgorithmParameterExceptionWhenTryingToObtainRSA
         });
     }
 
-    @Test
-    public void shouldCreateAESKeyIfMissing() throws Exception {
-        byte[] rsaEncryptedAesKey = "RSA-OAEP-encrypted-AES-key".getBytes(StandardCharsets.UTF_8);
-        String base64EncodedRsaKey = "base64EncodedOaepAesKey";
-        when(storage.retrieveString(KEY_ALIAS)).thenReturn(null);
-        when(storage.retrieveString(OLD_KEY_ALIAS)).thenReturn(null);
-
-        when(keyGenerator.generateKey()).thenReturn(mockAesSecretKey);
-        doReturn(rsaEncryptedAesKey).when(cryptoUtil).RSAEncrypt(testAesKeyBytes);
-        PowerMockito.when(Base64.encode(rsaEncryptedAesKey, Base64.DEFAULT)).thenReturn(base64EncodedRsaKey.getBytes(StandardCharsets.UTF_8));
-
-        final byte[] aesKey = cryptoUtil.getAESKey();
-
-        Mockito.verify(keyGenerator).init(256);
-        Mockito.verify(keyGenerator).generateKey();
-        Mockito.verify(storage).store(KEY_ALIAS, base64EncodedRsaKey);
-        assertThat(aesKey, is(notNullValue()));
-        assertThat(aesKey, is(testAesKeyBytes));
-    }
-
     @Test
     public void shouldCreateAESKeyIfStoredOneIsEmpty() throws Exception {
         String emptyString = "";
@@ -403,16 +383,6 @@ public void shouldUseExistingAESKey() throws Exception {
         assertThat(aesKey, is(testAesKeyBytes));
     }
 
-    @Test
-    public void shouldThrowOnNoSuchAlgorithmExceptionWhenCreatingAESKey() {
-        Assert.assertThrows("The device is not compatible with the CryptoUtil class.", IncompatibleDeviceException.class, () -> {
-            when(storage.retrieveString(KEY_ALIAS)).thenReturn(null);
-            when(storage.retrieveString(OLD_KEY_ALIAS)).thenReturn(null);
-            PowerMockito.when(KeyGenerator.getInstance(ALGORITHM_AES)).thenThrow(new NoSuchAlgorithmException());
-            cryptoUtil.getAESKey();
-        });
-    }
-
     @Test
     public void shouldRSAEncryptData() throws Exception {
         byte[] sampleInput = new byte[]{0, 1, 2, 3, 4, 5};
@@ -556,39 +526,6 @@ public void shouldAESDecryptData() throws Exception {
         assertThat(decrypted, is(testPlaintextData));
     }
 
-    @Test
-    public void getAESKey_shouldMigrateAESKeyFromPKCS1ToOAEP() throws Exception {
-        String base64EncodedPkcs1AesKey = "base64EncodedPkcs1AesKey";
-        byte[] rsaPkcs1EncryptedAesKey = "RSA-PKCS1-encrypted-AES-key".getBytes(StandardCharsets.UTF_8);
-        byte[] decryptedAesKey = new byte[32];
-        Arrays.fill(decryptedAesKey, (byte) 1);
-
-        byte[] rsaOaepEncryptedMigratedAesKey = "new-oaep-encrypted-key".getBytes(StandardCharsets.UTF_8);
-        String base64EncodedOaepMigratedAesKey = "bmV3LW9hZXAtZW5jcnlwdGVkLWtleQ==";
-
-        when(storage.retrieveString(KEY_ALIAS)).thenReturn(base64EncodedPkcs1AesKey);
-        PowerMockito.when(Base64.decode(base64EncodedPkcs1AesKey, Base64.DEFAULT)).thenReturn(rsaPkcs1EncryptedAesKey);
-
-        doThrow(new CryptoException("OAEP failed", new BadPaddingException())).when(cryptoUtil).RSADecrypt(rsaPkcs1EncryptedAesKey);
-        doReturn(mockRsaPrivateKeyEntry).when(cryptoUtil).getRSAKeyEntry();
-        when(rsaPkcs1Cipher.doFinal(rsaPkcs1EncryptedAesKey)).thenReturn(decryptedAesKey);
-
-        doReturn(rsaOaepEncryptedMigratedAesKey).when(cryptoUtil).RSAEncrypt(decryptedAesKey);
-        PowerMockito.when(Base64.encode(rsaOaepEncryptedMigratedAesKey, Base64.DEFAULT)).thenReturn(base64EncodedOaepMigratedAesKey.getBytes(StandardCharsets.UTF_8));
-
-        doNothing().when(cryptoUtil, "deleteRSAKeys");
-
-        byte[] resultAesKey = cryptoUtil.getAESKey();
-
-        assertThat(resultAesKey, is(decryptedAesKey));
-        verify(cryptoUtil).RSADecrypt(rsaPkcs1EncryptedAesKey);
-        verify(rsaPkcs1Cipher).init(Cipher.DECRYPT_MODE, mockRsaPrivateKey);
-        verify(rsaPkcs1Cipher).doFinal(rsaPkcs1EncryptedAesKey);
-        verifyPrivate(cryptoUtil).invoke("deleteRSAKeys");
-        verify(cryptoUtil).RSAEncrypt(decryptedAesKey);
-        verify(storage).store(KEY_ALIAS, base64EncodedOaepMigratedAesKey);
-    }
-
     private KeyPairGeneratorSpec.Builder newKeyPairGeneratorSpecBuilder(KeyPairGeneratorSpec expectedBuilderOutput) {
         KeyPairGeneratorSpec.Builder builder = PowerMockito.mock(KeyPairGeneratorSpec.Builder.class);
         when(builder.setAlias(anyString())).thenReturn(builder);
