AzureAD · fadidurah · Sep 12, 2025 · Aug 30, 2025 · Aug 30, 2025 · Aug 30, 2025
@@ -47,6 +47,8 @@
 import java.security.cert.CertificateException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Locale;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
@@ -447,11 +449,18 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
                 exception
         );
         if (exception instanceof InvalidKeyException) {
+            final android.security.KeyStoreException keyStoreException = findKeyStoreException(exception);
+            String ksMessage = keyStoreException != null ? keyStoreException.getMessage() : "No Keystore Exception Found";
+            if (ksMessage == null) {
+                ksMessage = "";
+            }
             final Attributes attributes = Attributes.builder()
                     .put(AttributeName.keystore_operation.name(), "unwrap")
                     .put(AttributeName.error_code.name(), errCode)
                     .put(AttributeName.error_type.name(), clientException.getClass().getSimpleName())
                     .put(AttributeName.keystore_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(clientException))
+                    .put(AttributeName.keystore_exception_message.name(), ksMessage)
+                    .put(AttributeName.keystore_internal_error_code.name(), extractInternalKeystoreCode(ksMessage))
                     .build();
             sFailedAndroidKeyStoreUnwrapOperationCount.add(1, attributes);
         }
@@ -464,4 +473,30 @@ public static synchronized SecretKey unwrap(@NonNull final byte[] wrappedKeyBlob
         throw clientException;
     }
 
+
+    private static @Nullable android.security.KeyStoreException findKeyStoreException(@NonNull Throwable throwable) {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            while (throwable != null) {
+                if (throwable instanceof android.security.KeyStoreException) {
+                    return (android.security.KeyStoreException) throwable;
+                }
+                throwable = throwable.getCause();
+            }
+            return null;
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * Use Regex to pull out the internal error code from the key store exception message
+     * @param message the exception message
+     * @return the internal error code, or "N/A" if it can't be found
+     */
+    private static String extractInternalKeystoreCode(final String message) {
+        if (message == null) return "";
+        Pattern pattern = Pattern.compile("internal Keystore code:\\s*(-?\\d+)");
+        Matcher matcher = pattern.matcher(message);
+        return matcher.find() ? matcher.group(1) : "";
+    }
 }
@@ -305,6 +305,16 @@ public enum AttributeName {
      */
     keystore_exception_stack_trace,
 
+    /**
+     * Indicates the exception message from a Android KeyStore operation exception.
+     */
+    keystore_exception_message,
+
+    /**
+     * Indicates the error code from a Android KeyStore operation exception.
+     */
+    keystore_internal_error_code,
+
     /**
      * Indicates the new nonce found in the eSTS request.
      */