From c4ee0ec9af9e9f6ef0bfa6c97a411cb1be6cb2fd Mon Sep 17 00:00:00 2001 From: David Torcivia Date: Wed, 11 Mar 2026 19:20:57 -0400 Subject: [PATCH] Fix hardware keystore detection for MediaTek devices with AES import failures The `supports_import()` capability test only checked RSA and EC key imports, missing AES 256 wrapped key import which fails on some MediaTek TEEs (e.g. BlueFox NX1 / MT6769V Helio G85) with Keystore error code -59 (UNSUPPORTED_MIN_MAC_LENGTH). This caused a crash during onboarding when importing the `ids:identity-storage-key` AES key. Add an AES 256 GCM import test matching the exact key type and access rules used by the real identity storage key, so affected devices correctly fall back to SoftwareKeystore. Co-Authored-By: Claude Opus 4.6 --- rust/src/keystore.rs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/rust/src/keystore.rs b/rust/src/keystore.rs index 08eda2e73..05eab0602 100644 --- a/rust/src/keystore.rs +++ b/rust/src/keystore.rs @@ -148,6 +148,17 @@ pub fn supports_import(keystore: &NativeKeystoreHolder) -> Result
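Review bot: the AES probe added to `supports_import()` (the 11 inserted lines at `@@ -148,6 +148,17 @@` in `rust/src/keystore.rs`) is described as matching "the exact key type and access rules" of the real `ids:identity-storage-key` import, yet the added lines are not visible here, so confirm that those parameters come from one definition shared with the real import rather than from a copy. A copied parameter set can drift from the real import, and the onboarding crash would then return on the same MediaTek devices while the probe still passes. The probe should import under its own alias, never `ids:identity-storage-key`, and delete the probe key on both the success and the failure path, so that a capability check can neither overwrite nor leave behind key material. Because a failed AES import now moves the device to SoftwareKeystore, log the failing key type and the Keystore error code (-59, UNSUPPORTED_MIN_MAC_LENGTH in the reported case) at the point where the fallback is decided, so the loss of hardware backing is visible in diagnostics instead of silent. The diffstat lists only `rust/src/keystore.rs`; a unit test with a keystore stub that rejects the AES import and accepts RSA and EC would pin the fallback behaviour.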