fix: Handle ProviderException in PKCS1→OAEP key migration to prevent saveCredentials() crash#924
Our crashes originated from Android 16 devices; will this fix work for them too?

@alexRocket891 This is still a WIP, as we want to ensure we cover all areas where the crash can occur; it should work on all devices irrespective of version. But we are not able to replicate the crash on our devices, which makes testing a bit difficult.
Pull request overview
Fixes a crash during RSA PKCS1 → OAEP key migration on Android 12+ (Keystore2) by handling ProviderException cases and improving key cleanup/migration behavior in CryptoUtil, with accompanying unit tests.
Changes:
- Catch `ProviderException` in RSA encrypt/decrypt paths to avoid uncaught crashes on Keystore2.
- Ensure legacy PKCS1 AES key migration deletes stale RSA keys before re-encrypting with OAEP.
- Add unit tests covering the new exception handling and migration/cleanup flows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java | Adds ProviderException handling and adjusts key migration/cleanup ordering to avoid Keystore2 padding-mismatch crashes. |
| auth0/src/test/java/com/auth0/android/authentication/storage/CryptoUtilTest.java | Adds new unit tests for ProviderException handling, RSA deletion ordering, and cleanup behavior. |
Changes
CryptoUtil.java — bug fix, no public API changes:
CryptoUtilTest.java — 5 new unit tests covering all four fix paths.
No public API surface changes. SecureCredentialsManager.saveCredentials() behaviour is unchanged from the caller's perspective — the migration is fully transparent.
References
#923
Testing
This change adds unit test coverage — 5 tests in CryptoUtilTest covering ProviderException in encrypt/decrypt, deleteRSAKeys() ordering, IncompatibleDeviceException cleanup, and the end-to-end migration flow. All pass via ./gradlew :auth0:test.
Tested on latest platform — verified end-to-end on Pixel 7a (Android 16) by installing a pre-OAEP build (commit 854fbc9) to seed the Keystore with a PKCS1 key, then upgrading to the fixed build. saveCredentials() self-healed in a single call with no user action required. Fixes #923 (SecureCredentialsManager.saveCredentials() started crashing in new version).
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors
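The migration the PR describes (unwrap the stored AES key with the legacy PKCS1 RSA entry, delete that entry, generate a fresh pair and re-wrap with OAEP, treating a padding mismatch as a signal rather than a crash) is sketched below as an added example. It is not the Auth0 SDK's CryptoUtil and does not reproduce its structure: it uses plain in-memory JCA RSA keys instead of the Android Keystore, the "try OAEP first, fall back to PKCS1" detection strategy is an assumption (the page does not say how CryptoUtil detects a legacy key), and all method names are invented for the illustration. The one behaviour it is careful about is the exception type: on Keystore2 a padding mismatch can surface as an unchecked `ProviderException`, so a handler that only catches `GeneralSecurityException` lets it propagate out of the save path.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.ProviderException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

/**
 * Illustrative PKCS1 -> OAEP key-wrapping migration (example code, not the SDK's CryptoUtil).
 * The RSA pair and the wrapped blob live in fields as stand-ins for the Keystore entry and
 * the persisted ciphertext; in a real implementation they would be KeyStore/SharedPreferences state.
 */
public class OaepMigrationExample {
    private static final String PKCS1 = "RSA/ECB/PKCS1Padding";
    private static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private KeyPair rsaKeyPair;   // stand-in for the Keystore RSA entry (null = no entry)
    private byte[] wrappedAesKey; // stand-in for the stored, RSA-wrapped AES key

    private static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    private static byte[] newAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey().getEncoded();
    }

    private byte[] wrap(byte[] aesKey, String transformation) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, rsaKeyPair.getPublic());
        return c.doFinal(aesKey);
    }

    private byte[] unwrap(byte[] blob, String transformation) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.DECRYPT_MODE, rsaKeyPair.getPrivate());
        return c.doFinal(blob);
    }

    /** Simulates a pre-OAEP build: RSA pair plus an AES key wrapped with PKCS1 padding. */
    public byte[] seedLegacyPkcs1State() throws GeneralSecurityException {
        rsaKeyPair = newRsaKeyPair();
        byte[] aesKey = newAesKey();
        wrappedAesKey = wrap(aesKey, PKCS1);
        return aesKey;
    }

    /** Stand-in for KeyStore.deleteEntry(alias): the stale pair must go before a new one is made. */
    public void deleteRsaKeys() {
        rsaKeyPair = null;
    }

    /** Returns the AES key, migrating a PKCS1-wrapped one to OAEP in the same call. */
    public byte[] getOrMigrateAesKey() throws GeneralSecurityException {
        if (rsaKeyPair == null || wrappedAesKey == null) {
            // Fresh install: nothing to migrate, create OAEP-wrapped state directly.
            rsaKeyPair = newRsaKeyPair();
            byte[] aesKey = newAesKey();
            wrappedAesKey = wrap(aesKey, OAEP);
            return aesKey;
        }
        try {
            return unwrap(wrappedAesKey, OAEP); // already migrated
        } catch (ProviderException | GeneralSecurityException e) {
            // Keystore2 reports a padding mismatch as an unchecked ProviderException; the default
            // JCA provider throws a checked BadPaddingException. Both mean "not OAEP": fall through.
        }
        byte[] aesKey = unwrap(wrappedAesKey, PKCS1); // a genuine failure here surfaces to the caller
        deleteRsaKeys();                               // remove the PKCS1-era pair before regenerating
        rsaKeyPair = newRsaKeyPair();
        wrappedAesKey = wrap(aesKey, OAEP);            // persist the re-wrapped blob
        return aesKey;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        OaepMigrationExample store = new OaepMigrationExample();
        byte[] original = store.seedLegacyPkcs1State();  // "old build" installed
        byte[] migrated = store.getOrMigrateAesKey();    // "new build" first save: self-heals
        byte[] again = store.getOrMigrateAesKey();       // second save: plain OAEP unwrap
        System.out.println("key preserved across migration: " + Arrays.equals(original, migrated));
        System.out.println("stable after migration: " + Arrays.equals(migrated, again));
    }
}
```

The point a reviewer would check against the real change is the order in `getOrMigrateAesKey()`: the legacy blob is unwrapped before the RSA entry is deleted, the deletion happens before the new pair is generated, and the new blob is written before the key is returned, so a crash at any step leaves either the old or the new state intact rather than a half-migrated one.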