Unlock DB using NFC tag. Select entry using NFC tag. Use secure NFC tags.

app/build.gradle

@@ -35,6 +35,9 @@ android {
             minifyEnabled = false
             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
         }
+        debug {
+            applicationIdSuffix 'debug' //todo-op!!! disable
+        }
     }
 
     flavorDimensions "version"

app/src/main/AndroidManifest.xml

@@ -20,6 +20,7 @@
     <uses-permission
         android:name="android.permission.QUERY_ALL_PACKAGES"
         tools:ignore="QueryAllPackagesPermission" />
+    <uses-permission android:name="android.permission.NFC" />
 
     <application
         android:label="@string/app_name"

app/src/main/java/com/kunzisoft/keepass/activities/MainCredentialActivity.kt

@@ -352,6 +352,7 @@ class MainCredentialActivity : DatabaseModeActivity(), AdvancedUnlockFragment.Bu
 
     override fun onNewIntent(intent: Intent?) {
         super.onNewIntent(intent)
+        if (true == advancedUnlockFragment?.nfc?.checkAndProcessTag(intent)) return
         getUriFromIntent(intent)
     }
 

app/src/main/java/com/kunzisoft/keepass/biometric/AdvancedUnlockManager.kt

@@ -74,6 +74,7 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
 
     private var isKeyManagerInit = false
 
+    private val unlockNfcEnable = PreferencesUtil.isUnlockNfcEnable(retrieveContext())
     private val biometricUnlockEnable = PreferencesUtil.isBiometricUnlockEnable(retrieveContext())
     private val deviceCredentialUnlockEnable = PreferencesUtil.isDeviceCredentialUnlockEnable(retrieveContext())
 
@@ -101,7 +102,7 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
     }
 
     init {
-        if (isDeviceSecure(retrieveContext())
+        if (unlockNfcEnable || isDeviceSecure(retrieveContext())
                 && (biometricUnlockEnable || deviceCredentialUnlockEnable)) {
             try {
                 this.keyStore = KeyStore.getInstance(ADVANCED_UNLOCK_KEYSTORE)
@@ -213,15 +214,17 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
         }
     }
 
-    @Synchronized fun encryptData(value: ByteArray) {
+    @Synchronized fun encryptData(value: ByteArray, unlockData: List<Byte>? = null, databaseKeyId: Int? = null) {
         if (!isKeyManagerInitialized) {
             return
         }
         try {
-            val encrypted = cipher?.doFinal(value) ?: byteArrayOf()
+            val valueAndData = if (true != unlockData?.isNotEmpty()) value else
+                value.toMutableList().also { it.addAll(unlockData) }.toByteArray()
+            val encrypted = cipher?.doFinal(valueAndData) ?: byteArrayOf()
             // passes updated iv spec on to callback so this can be stored for decryption
             cipher?.parameters?.getParameterSpec(IvParameterSpec::class.java)?.let{ spec ->
-                advancedUnlockCallback?.handleEncryptedResult(encrypted, spec.iv)
+                advancedUnlockCallback?.handleEncryptedResult(encrypted, spec.iv, databaseKeyId)
             }
         } catch (e: Exception) {
             Log.e(TAG, "Unable to encrypt data", e)
@@ -278,14 +281,19 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
         }
     }
 
-    @Synchronized fun decryptData(encryptedValue: ByteArray) {
+    @Synchronized fun decryptData(encryptedValue: ByteArray, unlockDataSize: Int = 0, databaseKeyId: Int? = null, onUnlockData: ((ByteArray, List<Byte>) -> Boolean)? = null) {
         if (!isKeyManagerInitialized) {
             return
         }
         try {
             // actual decryption here
-            cipher?.doFinal(encryptedValue)?.let { decrypted ->
-                advancedUnlockCallback?.handleDecryptedResult(decrypted)
+            cipher?.doFinal(encryptedValue)?.let { valueArray ->
+                val decrypted = if (valueArray.size <= unlockDataSize) valueArray else {
+                    valueArray.take(valueArray.size - unlockDataSize).toByteArray().also {
+                        if (true != onUnlockData?.invoke(it, valueArray.takeLast(unlockDataSize))) throw Exception("Invalid unlock data.")
+                    }
+                }
+                advancedUnlockCallback?.handleDecryptedResult(decrypted, databaseKeyId)
             }
         } catch (badPaddingException: BadPaddingException) {
             Log.e(TAG, "Unable to decrypt data", badPaddingException)
@@ -360,8 +368,8 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
         fun onAuthenticationSucceeded()
         fun onAuthenticationFailed()
         fun onAuthenticationError(errorCode: Int, errString: CharSequence)
-        fun handleEncryptedResult(encryptedValue: ByteArray, ivSpec: ByteArray)
-        fun handleDecryptedResult(decryptedValue: ByteArray)
+        fun handleEncryptedResult(encryptedValue: ByteArray, ivSpec: ByteArray, databaseKeyId: Int?)
+        fun handleDecryptedResult(decryptedValue: ByteArray, databaseKeyId: Int?)
     }
 
     companion object {
@@ -455,9 +463,9 @@ class AdvancedUnlockManager(private var retrieveContext: () -> FragmentActivity)
 
                     override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {}
 
-                    override fun handleEncryptedResult(encryptedValue: ByteArray, ivSpec: ByteArray) {}
+                    override fun handleEncryptedResult(encryptedValue: ByteArray, ivSpec: ByteArray, databaseKeyId: Int?) {}
 
-                    override fun handleDecryptedResult(decryptedValue: ByteArray) {}
+                    override fun handleDecryptedResult(decryptedValue: ByteArray, databaseKeyId: Int?) {}
 
                     override fun onUnrecoverableKeyException(e: Exception) {
                         advancedCallback.onUnrecoverableKeyException(e)