I was developing an application to test signing capabilities of Android devices. My app is quite simple:
It generates a key -> it signs user-inputted text -> displays the signature

Overall it works with no problems. The other day I tried to figure out which hashing function are supported by Android Keystore, and specifically by StrongBox.

That’s what I’ve tried:

1. Given the list of SHA functions (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, NONE) only SHA-256 was working on the emulator, which works accordingly to this part of Android Documentation: https://source.android.com/docs/security/features/keystore/features

That made sense: even if StrongBox is not active on the emulator, it was still following the documentation.

2. Then I checked ECDSA hashing with actual mobile phone with StrongBox. (Samsung Galaxy S21 5G)
Supported hashing algorithms are SHA1, SHA256, SHA385, SHA512, even NONE, and for some reason the only NOT supported (apart from MD5): SHA224

That’s when I’ve got questions. Why so? I didn’t find any reasons or articles regarding that in AOSP neither.

I accept that probably my code is just shitty, (I am still quite new to cryptography) that’s why below you will find the functions I used:

FOR ECDSA KEY GENERATION:

    @RequiresApi(Build.VERSION_CODES.R)
    private fun generateKeyPair() {
        try {
            val keyPairGenerator = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"
            )
            val parameterSpec = KeyGenParameterSpec.Builder(
                "biometricKeyAlias",
                KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY
            )
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                .setAttestationChallenge("attestation_challenge".toByteArray())
                .setIsStrongBoxBacked(true)
                .build()
            keyPairGenerator.initialize(parameterSpec)
            val keyPair = keyPairGenerator.generateKeyPair()
            publicKey = keyPair.public
            Log.d("MainActivity", "Key pair generated successfully")
        } catch (e: java.lang.Exception) {
            Log.e("MainActivity", "Key pair generation failed", e)
        }
    }

SIGNING WITH ECDSA:

   @RequiresApi(Build.VERSION_CODES.S)
    private fun handleButtonClick() {
        generateKeyPair()
        try {
            val keyStore = KeyStore.getInstance("AndroidKeyStore")
            keyStore.load(null)
            val privateKey = keyStore.getKey("biometricKeyAlias", null) as? PrivateKey
            val signature = Signature.getInstance("SHA256withECDSA")
            signature.initSign(privateKey)
            val cryptoObject = BiometricPrompt.CryptoObject(signature)
            currentAuthContext = AuthContext.SIGN_DATA
            biometricPrompt.authenticate(
                promptInfo,
                cryptoObject
            )  // Pass the CryptoObject here
        } catch (e: Exception) {
            Log.e("MainActivity", "Error setting up signature: ${e.localizedMessage}")
        }
    }

For RSA I did the same, just added a padding
.setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)

And again, for every single digest function the signature was generated successfully, except for SHA224: Error Keystore operation failed during signing operation for both RSA and ECDSA.

In case somebody wants to check revision of my code, feel free to explore https://github.com/VKrivkov/BSP–Offline-Payments-/blob/main/BiometricRSA/app/src/main/java/com/example/biometric/MainActivity.kt

PS: Every operation is done in main activity for the sake of simplicity.