fix: add error handling in decryptBytes to throw CryptoFailedException for AEADBadTagException (#739)

Bowlerr · web-flow · commit 0f7f94f90b5d · 2025-03-22T13:42:23.000+01:00
diff --git a/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageBase.kt b/android/src/main/java/com/oblador/keychain/cipherStorage/CipherStorageBase.kt
@@ -339,7 +339,7 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
 
   /** Decrypt provided bytes to a string. */
   @SuppressLint("NewApi")
-  @Throws(GeneralSecurityException::class, IOException::class)
+  @Throws(GeneralSecurityException::class, IOException::class, CryptoFailedException::class)
   protected open fun decryptBytes(
     key: Key,
     bytes: ByteArray,
@@ -361,7 +361,14 @@ abstract class CipherStorageBase(protected val applicationContext: Context) : Ci
                 e.cause?.message?.contains("Key user not authenticated") == true -> {
                 throw UserNotAuthenticatedException()
               }
-
+              e is javax.crypto.AEADBadTagException -> {
+                throw CryptoFailedException(
+                  "Decryption failed: Authentication tag verification failed. " +
+                  "This usually indicates that the encrypted data was modified, corrupted, " +
+                  "or is being decrypted with the wrong key.",
+                  e
+                )
+              }
               else -> throw e
             }
           }
