Bug Description
OpenBubbles crashes during onboarding activation on certain MediaTek devices with:
KeyStoreException: Failed to import wrapped key. Keystore error code: -59
The crash occurs when importing ids:identity-storage-key:openbubbles — a 256-bit AES key used for GCM encryption.
Root Cause
The hardware keystore capability test (supports_import() in rust/src/keystore.rs) only tests RSA 1024 and EC P384 key imports. On some MediaTek TEEs, these pass but AES 256 wrapped key import fails with UNSUPPORTED_MIN_MAC_LENGTH (error code -59). The device is incorrectly classified as hardware-compatible, and the AES key import then fails at runtime during activation.
Affected Device
- BlueFox NX1
- SoC: MediaTek MT6769V/CB (Helio G85)
- Platform: mt6768
- Android 15, SDK 35
Likely affects other MediaTek devices where the TEE supports RSA/EC wrapped key import but not AES.
Steps to Reproduce
- Install OpenBubbles on an affected MediaTek device
- Open the app and begin onboarding
- App silently crashes when setting up the identity storage key. Behavior is the "Use This Device" key just spins for a second then resets so onboarding cannot continue. Logs reveal the crash.
Expected Behavior
The app should detect that AES wrapped key import is unsupported and fall back to SoftwareKeystore. "Use This Device" should then move on to Apple ID login.
Logcat Output
keystore2: Error::Km(r#UNSUPPORTED_MIN_MAC_LENGTH)
Workaround
None currently — the app silently crashes before completing onboarding and it's impossible to register.
Fix
PR #184 adds an AES 256 GCM import test to supports_import() so affected devices correctly fall back to SoftwareKeystore.
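
Added example, not OpenBubbles code and not the change in PR #184: a Rust model of the capability probe described under Root Cause, showing that the probe set has to cover every key type the app later imports. The trait, enums, probe lists and simulated TEEs are hypothetical; only the -59 / UNSUPPORTED_MIN_MAC_LENGTH code comes from the logcat above.

```rust
// Added illustration; all names are hypothetical, not the project's API.
#[derive(Clone, Copy, Debug, PartialEq)]
enum KeyKind { Rsa1024, EcP384, Aes256Gcm }
#[derive(Debug, PartialEq)]
enum Backend { Hardware, Software }

// Keystore error code reported in the issue's logcat.
const UNSUPPORTED_MIN_MAC_LENGTH: i32 = -59;

/// Stand-in for a wrapped-key import into the device keystore.
trait WrappedImport {
    fn import_test_key(&self, kind: KeyKind) -> Result<(), i32>;
}

/// Simulated TEE matching the report: RSA/EC imports pass, AES-256 fails.
struct AffectedTee;
impl WrappedImport for AffectedTee {
    fn import_test_key(&self, kind: KeyKind) -> Result<(), i32> {
        match kind {
            KeyKind::Aes256Gcm => Err(UNSUPPORTED_MIN_MAC_LENGTH),
            _ => Ok(()),
        }
    }
}

/// Simulated TEE on which every wrapped import succeeds.
struct FullTee;
impl WrappedImport for FullTee {
    fn import_test_key(&self, _kind: KeyKind) -> Result<(), i32> { Ok(()) }
}

/// Probe each key kind; return the first failure so it can be logged.
fn first_unsupported(ks: &dyn WrappedImport, probes: &[KeyKind]) -> Option<(KeyKind, i32)> {
    probes.iter().find_map(|&k| ks.import_test_key(k).err().map(|code| (k, code)))
}

/// Use the hardware keystore only if every probed import succeeded.
fn select_backend(ks: &dyn WrappedImport, probes: &[KeyKind]) -> Backend {
    first_unsupported(ks, probes).map_or(Backend::Hardware, |_| Backend::Software)
}

const OLD_PROBES: [KeyKind; 2] = [KeyKind::Rsa1024, KeyKind::EcP384];
const ALL_PROBES: [KeyKind; 3] = [KeyKind::Rsa1024, KeyKind::EcP384, KeyKind::Aes256Gcm];

fn main() {
    let tee = AffectedTee;
    println!("RSA/EC probes only: {:?}", select_backend(&tee, &OLD_PROBES));
    println!("with AES-256-GCM:   {:?}", select_backend(&tee, &ALL_PROBES));
}
```

With the RSA/EC-only probe list the simulated device is classified as Hardware and the later AES import would fail at runtime; with the AES probe included it is classified as Software before any real key is imported.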