v4.1.4

Author: dschuermann

build.gradle

@@ -1,12 +1,14 @@
+import org.jetbrains.dokka.gradle.DokkaTask
+
 buildscript {
     repositories {
         google()
         jcenter()
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:4.0.0'
-        classpath 'org.jetbrains.dokka:dokka-android-gradle-plugin:0.9.17'
+        classpath 'com.android.tools.build:gradle:4.0.1'
+        classpath 'org.jetbrains.dokka:dokka-gradle-plugin:1.4.0'
     }
 }
 
@@ -15,9 +17,16 @@ allprojects {
         google()
         jcenter()
     }
+
+    // custom dokka format
+    tasks.register("dokkaHugo", DokkaTask) {
+        dependencies {
+            dokkaHugoPlugin 'com.github.cotechde:dokka-hugo-plugin:d053c16110'
+        }
+    }
 }
 
 ext {
     compileSdkVersion = 29
-    hwSdkVersionName = '4.1.0'
+    hwSdkVersionName = '4.1.4'
 }

hwsecurity/core/build.gradle

@@ -1,11 +1,12 @@
 apply plugin: 'com.android.library'
 apply plugin: 'maven-publish'
-apply plugin: 'org.jetbrains.dokka-android'
+apply plugin: 'org.jetbrains.dokka'
 
 dependencies {
     implementation 'androidx.lifecycle:lifecycle-runtime:2.2.0'
 
     compileOnly 'androidx.annotation:annotation:1.1.0'
+    compileOnly 'io.sentry:sentry-android:2.3.1'
 
     api 'com.google.auto.value:auto-value-annotations:1.6.2'
     annotationProcessor 'com.google.auto.value:auto-value:1.6.2'
@@ -88,18 +89,26 @@ afterEvaluate {
     }
 }
 
-dokka {
-    // uses locally built dokka extension
-    dokkaFatJar = files('libs/dokka-hugo-fatjar-0.9.17.jar')
-    // does not work correctly with Maven:
-    //dokkaFatJar = 'de.cotech:dokka-hugo-fatjar:0.9.17'
-    moduleName = 'hwsecurity'
-    outputFormat = "hugo"
-    outputDirectory = "$projectDir/../../hwsecurity.dev/content/reference"
-    sourceDirs = files('src/main/java')
-
-    packageOptions {
-        prefix = "de.cotech.hw.internal"
-        suppress = true
+dokkaHugo {
+    configure {
+        outputDirectory.set(file("$projectDir/../../hwsecurity.dev/content/reference"))
+
+        dokkaSourceSets {
+            register("java") {
+                moduleDisplayName.set("hwsecurity")
+
+                sourceRoots.setFrom(file("src/main/java"))
+
+                jdkVersion.set(8) // Used for linking to JDK documentation
+                noStdlibLink.set(false) // Disable linking to online kotlin-stdlib documentation
+                noJdkLink.set(true) // Disable linking to online JDK documentation
+                noAndroidSdkLink.set(false) // Disable linking to online Android documentation
+
+                perPackageOption {
+                    prefix.set("de.cotech.hw.internal")
+                    suppress.set(true)
+                }
+            }
+        }
     }
-}
+}

hwsecurity/core/libs/dokka-hugo-fatjar-0.9.17.jar

@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
     package="de.cotech.hw">
 
+    <!-- This library is included by the application anyways. -->
+    <uses-sdk tools:overrideLibrary="io.sentry.android" />
+
     <uses-permission android:name="android.permission.NFC" />
     <application />
 </manifest>

hwsecurity/core/src/main/AndroidManifest.xml

@@ -40,7 +40,7 @@
  * is already associated with a specific key.
  * <p>
  * Example:
- * <pre>{@code
+ * <pre>
  * byte[] challenge = { (byte) 1, (byte) 2, (byte) 3, (byte) 4 };
  * PinProvider pinProvider = StaticPinProvider.getInstance(ByteSecret.unsafeFromString("123456"));
  *
@@ -52,7 +52,7 @@
  * signature.update(challenge);
  * boolean isVerified = signature.verify(signatureBytes);
  * assert isVerified;
- * }</pre>
+ * </pre>
  */
 public interface SecurityKeyAuthenticator {
     /**

hwsecurity/core/src/main/java/de/cotech/hw/SecurityKeyAuthenticator.java

@@ -39,4 +39,7 @@ public abstract class SecurityKeyConnectionMode<T extends SecurityKey> {
     protected abstract boolean isRelevantTransport(Transport transport);
     @AnyThread
     protected abstract boolean isRelevantSecurityKey(SecurityKey securityKey);
+
+    @AnyThread
+    protected void clearSentryTags() { }
 }

hwsecurity/core/src/main/java/de/cotech/hw/SecurityKeyConnectionMode.java

@@ -53,6 +53,7 @@
 import androidx.lifecycle.LifecycleObserver;
 import androidx.lifecycle.LifecycleOwner;
 import androidx.lifecycle.OnLifecycleEvent;
+import de.cotech.hw.internal.HwSentry;
 import de.cotech.hw.internal.dispatch.UsbIntentDispatchActivity;
 import de.cotech.hw.internal.transport.Transport;
 import de.cotech.hw.internal.transport.nfc.NfcConnectionDispatcher;
@@ -73,23 +74,23 @@
  * Once initialized, this class will dispatch newly connected security keys to all currently registered listeners.
  * Listeners can be registered with {@link #registerCallback}.
  * <p>
- * <pre>{@code
+ * <pre>
  * public void onCreate() {
  *     super.onCreate();
  *     SecurityKeyManager securityKeyManager = SecurityKeyManager.getInstance();
  *     securityKeyManager.init(this);
  * }
- * }</pre>
+ * </pre>
  * <p>
  * A callback is registered together with a {@link SecurityKeyConnectionMode}, which establishes a
- * connection to a particular type of Security Token, such as FIDO, PIV, or OpenPGP.  Implementations
- * for different SecurityKeyConnectionModes are shipped as modules, such as :de.cotech:hwsecurity-fido:,
- * :de.cotech:hwsecurity-piv:, and :de.cotech:hwsecurity-openpgp:. Apps will typically use only a
- * single type of Security Key.
+ * connection to a particular type of Security Token, such as FIDO2, FIDO, PIV, or OpenPGP.
+ * Implementations for different SecurityKeyConnectionModes are shipped as artifacts,
+ * such as hwsecurity-fido2, hwsecurity-fido, hwsecurity-piv, and hwsecurity-openpgp.
+ * Apps will typically use only a single type of Security Key.
  * <p>
  * To receive callbacks in an Activity, register for a callback bound to the Activity's lifecycle:
  * <p>
- * <pre>{@code
+ * <pre>
  * public void onCreate() {
  *     super.onResume();
  *     FidoSecurityKeyConnectionMode connectionMode = new FidoSecurityKeyConnectionMode();
@@ -98,7 +99,7 @@
  * public void onSecurityKeyDiscovered(FidoSecurityKey securityKey) {
  *     // perform operations on FidoSecurityKey
  * }
- * }</pre>
+ * </pre>
  * <p>
  * Advanced applications that want to work with different applets on the same connected Security Key
  * can do so using {@link de.cotech.hw.raw.RawSecurityKeyConnectionMode}.
@@ -178,6 +179,8 @@ public void init(@NonNull Application application, @NonNull SecurityKeyManagerCo
             HwTimber.plant(loggingTree);
         }
 
+        HwSentry.initializeIfAvailable(config);
+
         if (config.isEnableDebugLogging() && HwTimber.treeCount() == 0) {
             HwTimber.plant(new DebugTree() {
                 @Override
@@ -238,6 +241,8 @@ private class DispatcherActivityLifecycleCallbacks implements ActivityLifecycleC
         private Activity boundActivity;
         private UsbConnectionDispatcher activeUsbDispatcher;
         private NfcConnectionDispatcher activeNfcDispatcher;
+        private boolean isResumed;
+        private boolean isActive;
 
         private void bindToActivity(Activity activity) {
             if (isUsbDispatchActivity(activity)) {
@@ -274,31 +279,60 @@ private void unbindFromActivity(Activity activity) {
             boundActivity = null;
         }
 
-        @Override
-        public void onActivityResumed(Activity activity) {
-            bindToActivity(activity);
+        private void refreshActiveState() {
+            if (boundActivity == null) {
+                return;
+            }
+            boolean isActive = isResumed && (!config.isDisableWhileInactive() || !registeredCallbacks.isEmpty());
+            if (isActive) {
+                ensureStateActive();
+            } else {
+                ensureStateInactive();
+            }
+        }
+
+        private void ensureStateActive() {
+            if (isActive) {
+                return;
+            }
+            isActive = true;
+            HwTimber.d("Switching hwsecurity state to active");
             if (activeUsbDispatcher != null) {
-                activeUsbDispatcher.onResume();
+                activeUsbDispatcher.onActive();
             }
             if (activeNfcDispatcher != null) {
-                activeNfcDispatcher.onResume();
+                activeNfcDispatcher.onActive();
             }
             postTriggerCallbacksActively();
         }
 
-        @Override
-        public void onActivityPaused(Activity activity) {
-            if (boundActivity != activity) {
+        private void ensureStateInactive() {
+            if (!isActive) {
                 return;
             }
+            isActive = false;
+            HwTimber.d("Switching hwsecurity state to inactive");
             if (activeUsbDispatcher != null) {
-                activeUsbDispatcher.onPause();
+                activeUsbDispatcher.onInactive();
             }
             if (activeNfcDispatcher != null) {
-                activeNfcDispatcher.onPause();
+                activeNfcDispatcher.onInactive();
             }
         }
 
+        @Override
+        public void onActivityResumed(Activity activity) {
+            bindToActivity(activity);
+            isResumed = true;
+            refreshActiveState();
+        }
+
+        @Override
+        public void onActivityPaused(Activity activity) {
+            isResumed = false;
+            refreshActiveState();
+        }
+
         @Override
         public void onActivityDestroyed(Activity activity) {
             unbindFromActivity(activity);
@@ -424,6 +458,7 @@ public <T extends SecurityKey> void registerCallback(SecurityKeyConnectionMode<T
         RegisteredConnectionMode<T> registeredConnectionMode = new RegisteredConnectionMode<>(mode, callback, false);
         lifecycleOwner.getLifecycle().addObserver(registeredConnectionMode);
         registeredCallbacks.add(0, registeredConnectionMode);
+        activityLifecycleCallbacks.refreshActiveState();
 
         postTriggerCallbacksActively();
     }
@@ -439,6 +474,7 @@ public <T extends SecurityKey> void registerCallbackForever(SecurityKeyConnectio
             throw new IllegalStateException("SecurityKeyManager must be initialized in your Application class!");
         }
         registeredCallbacks.add(0, new RegisteredConnectionMode<>(mode, callback, true));
+        activityLifecycleCallbacks.refreshActiveState();
     }
 
     @SuppressWarnings("WeakerAccess") // public API
@@ -463,6 +499,24 @@ public void rediscoverConnectedSecurityKeys() {
         postTriggerCallbacksActively();
     }
 
+    /**
+     * This method clears and releases all connected security keys.
+     *
+     * Calling this method will clear the managed state of all persistently connected Security Keys.
+     * This operation should not be called during regular operation, since all managed devices (NFC
+     * and USB) are automatically cleaned up when they are disconnected. However, it may still be
+     * useful to clear managed state in order to rediscover a connected Security Key with a different
+     * SecurityKeyConnectionMode.
+     *
+     * This method is not part of the public API.
+     */
+    @AnyThread
+    @RestrictTo(Scope.LIBRARY_GROUP)
+    public void clearConnectedSecurityKeys() {
+        nfcTagManager.clearManagedNfcTags();
+        usbDeviceManager.clearManagedUsbDevices();
+    }
+
     /**
      * Returns true if USB host mode is available.
      *
@@ -549,11 +603,18 @@ private void maybeDeliverPostponedTransport() {
 
         @UiThread
         boolean maybeRedeliverSecurityKey(SecurityKey securityKeyCandidate) {
-            if (!isBoundForever && isActive && postponedTransport == null &&
-                    connectionMode.isRelevantSecurityKey(securityKeyCandidate)) {
-                // noinspection unchecked, this is checked with isRelevantSecurityKey
-                deliverDiscover((T) securityKeyCandidate);
-                return true;
+            if (!isBoundForever && isActive && postponedTransport == null) {
+                if (connectionMode.isRelevantSecurityKey(securityKeyCandidate)) {
+                    // noinspection unchecked, this is checked with isRelevantSecurityKey
+                    deliverDiscover((T) securityKeyCandidate);
+                    return true;
+                } else {
+                    HwTimber.d(
+                            "Connected Security Key of type %s doesn't match SecurityKeyConnectionMode %s",
+                            securityKeyCandidate.getClass().getSimpleName(),
+                            connectionMode.getClass().getSimpleName());
+                    return false;
+                }
             }
             return false;
         }
@@ -566,6 +627,9 @@ private boolean attemptConnectWithRegisteredSecurityMode(Transport transport) {
                 if (securityKey == null) {
                     return false;
                 }
+                HwSentry.addBreadcrumb("Connected security key of type %s on transport %s",
+                        securityKey.getClass().getSimpleName(),
+                        securityKey.transport.getTransportType());
             } catch (IOException e) {
                 callbackHandlerMain.post(() -> {
                     if (!isActive) {
@@ -602,6 +666,12 @@ private void deliverDiscover(T securityKey) {
 
         @AnyThread
         private void handleTransportRelease(T securityKey) {
+            HwSentry.addBreadcrumb("Released security key of type %s on transport %s",
+                    securityKey.getClass().getSimpleName(),
+                    securityKey.transport.getTransportType());
+            // Clear tags that may have been added by us while this Security Key was active
+            connectionMode.clearSentryTags();
+
             persistentSecurityKeys.remove(securityKey);
 
             boolean isNfcTransport = securityKey.transport instanceof NfcTransport;
@@ -646,6 +716,10 @@ void onDestroy() {
                     connectionMode.getClass().getSimpleName(), callback.getClass().getSimpleName());
             registeredCallbacks.remove(this);
             postponedTransport = null;
+            if (persistentSecurityKeys.isEmpty()) {
+                connectionMode.clearSentryTags();
+            }
+            activityLifecycleCallbacks.refreshActiveState();
         }
     }
 }