@succinctlabs/react-native-zcam1 0.2.5

package/src/proving/prove.tsx

@@ -0,0 +1,492 @@
+import { base64 } from "@scure/base";
+import React, {
+  createContext,
+  useContext,
+  useEffect,
+  useMemo,
+  useReducer,
+  useRef,
+  useState,
+} from "react";
+import { Dirs, Util } from "react-native-file-access";
+
+import {
+  buildSelfSignedCertificate,
+  ExistingCertChain,
+  formatFromPath,
+  ManifestEditor,
+  SelfSignedCertChain,
+} from "../bindings";
+import { getContentPublicKey, getSecureEnclaveKeyId } from "../common";
+import {
+  FulfillmentStatus,
+  type Initialized,
+  IosProvingClient,
+  type IosProvingClientInterface,
+  ProofRequestStatus,
+  ProverNetworkMode,
+} from "./bindings";
+
+export { ProverNetworkMode } from "./bindings";
+
+/**
+ * Configuration settings for backend communication.
+ */
+export type Settings = {
+  /** Private key used to authenticate with the prover network. If omitted, a mock prover is used. */
+  privateKey?: string;
+  /** Certificate chain used to sign C2PA manifests. If omitted, a self signed certificate chain.is build using default values */
+  certChain?: SelfSignedCertChain | ExistingCertChain;
+  /** Whether to target the production environment. */
+  production: boolean;
+  /** Prover network mode (mainnet or reserved capacity). Defaults to `Reserved`. */
+  proverNetworkMode?: ProverNetworkMode;
+};
+
+/**
+ * Creates a `ProvingClient` (non-React helper).
+ *
+ * Note: If the proofs are generated on the same app where the photos are captured,
+ * call the initDevice() function from `react-native-zcam1-capture` instead of
+ * this one.
+ */
+async function createProvingClient(
+  settings: Settings,
+  onInitialized: Initialized,
+  onProofRequest?: (requestId: string, photoPath: string) => void,
+): Promise<ProvingClient> {
+  let certChainPem: string;
+  let client: IosProvingClientInterface;
+  const contentPublicKey = await getContentPublicKey();
+
+  if (contentPublicKey.kty !== "EC") {
+    throw "Only EC public keys are supported";
+  }
+
+  const contentKeyId = getSecureEnclaveKeyId(contentPublicKey);
+
+  if (settings.certChain && "pem" in settings.certChain) {
+    certChainPem = settings.certChain.pem;
+  } else {
+    console.warn("[ZCAM1] Using a self signed certificate");
+
+    certChainPem = buildSelfSignedCertificate(contentPublicKey, settings.certChain);
+  }
+
+  if (settings.privateKey) {
+    const proverNetworkMode = settings.proverNetworkMode ?? ProverNetworkMode.Mainnet;
+    client = new IosProvingClient(settings.privateKey, onInitialized, proverNetworkMode);
+  } else {
+    client = IosProvingClient.mock(onInitialized);
+  }
+
+  return new ProvingClient(client, contentKeyId, certChainPem, settings.production, onProofRequest);
+}
+
+export type ProverContextValue = {
+  provingClient: ProvingClient | null;
+  provingTasks: ProvingTasksState;
+  provingTasksCount: number;
+  isInitializing: boolean;
+  error: unknown;
+};
+
+export type ProofRequestContextValue = {
+  isInitializing: boolean;
+  error: unknown;
+  fulfillementStatus: FulfillmentStatus;
+  proof: ArrayBuffer | undefined;
+};
+
+export type ProvingTask = {
+  photoPath: string;
+  createdAtMs: number;
+};
+
+export type ProvingTasksState = Record<string, ProvingTask>;
+
+type ProvingTasksAction =
+  | { type: "reset" }
+  | { type: "requested"; requestId: string; photoPath: string }
+  | { type: "removed"; requestId: string };
+
+function provingTasksReducer(
+  state: ProvingTasksState,
+  action: ProvingTasksAction,
+): ProvingTasksState {
+  switch (action.type) {
+    case "reset":
+      return {};
+    case "requested":
+      return {
+        ...state,
+        [action.requestId]: {
+          photoPath: action.photoPath,
+          createdAtMs: Date.now(),
+        },
+      };
+    case "removed": {
+      if (!(action.requestId in state)) return state;
+      const { [action.requestId]: _, ...rest } = state;
+      return rest;
+    }
+    default:
+      return state;
+  }
+}
+
+const ProverContext = createContext<ProverContextValue | null>(null);
+
+export type ProverProviderProps = {
+  children: React.ReactNode;
+  /**
+   * Provider configuration. The provider always initializes itself from these settings.
+   */
+  settings: Settings;
+
+  onFulfilled?: (
+    requestId: string,
+    photoPath: string,
+    proof: ArrayBuffer,
+    provingClient: ProvingClient,
+  ) => void;
+  onUnfulfillable?: (requestId: string) => void;
+};
+
+export function ProverProvider({
+  children,
+  settings,
+  onFulfilled,
+  onUnfulfillable,
+}: ProverProviderProps) {
+  const [provingClient, setProvingClient] = useState<ProvingClient | null>(null);
+  const [isInitializing, setIsInitializing] = useState(false);
+  const [error, setError] = useState<unknown>(null);
+
+  const [provingTasks, dispatchProvingTasks] = useReducer(provingTasksReducer, {});
+
+  const provingTasksRef = useRef<ProvingTasksState>({});
+
+  // Keep a ref to the latest tasks so async callbacks don't read stale state.
+  useEffect(() => {
+    provingTasksRef.current = provingTasks;
+  }, [provingTasks]);
+
+  const dispatchProvingTasksSync = (action: ProvingTasksAction) => {
+    provingTasksRef.current = provingTasksReducer(provingTasksRef.current, action);
+    dispatchProvingTasks(action);
+  };
+
+  const provingTasksCount = useMemo(() => Object.keys(provingTasks).length, [provingTasks]);
+
+  // Initialize proving client
+  useEffect(() => {
+    let cancelled = false;
+
+    setIsInitializing(true);
+    setError(null);
+    setProvingClient(null);
+    dispatchProvingTasksSync({ type: "reset" });
+
+    (async () => {
+      try {
+        const provingClient = await createProvingClient(
+          settings,
+          {
+            initialized: () => {
+              if (cancelled) return;
+              setProvingClient(provingClient);
+              setIsInitializing(false);
+            },
+          },
+          (requestId: string, photoPath: string) => {
+            dispatchProvingTasksSync({
+              type: "requested",
+              requestId,
+              photoPath,
+            });
+          },
+        );
+      } catch (e) {
+        if (cancelled) return;
+        setError(e);
+      }
+    })();
+
+    return () => {
+      cancelled = true;
+    };
+  }, [settings]);
+
+  // Poll the proving client to keep task statuses fresh.
+  useEffect(() => {
+    if (!provingClient) return;
+
+    let cancelled = false;
+    let inFlight = false;
+
+    const pollOnce = async () => {
+      if (cancelled) return;
+      if (inFlight) return;
+
+      const entries = Object.entries(provingTasksRef.current);
+      if (entries.length === 0) return;
+
+      inFlight = true;
+      try {
+        const results = await Promise.allSettled(
+          entries.map(async ([requestId]) => {
+            const status = await provingClient.getProofStatus(requestId);
+            return { requestId, status };
+          }),
+        );
+
+        if (cancelled) return;
+
+        for (const r of results) {
+          if (r.status !== "fulfilled") continue;
+
+          const { requestId, status } = r.value;
+
+          const task = provingTasksRef.current[requestId];
+          if (!task) continue;
+
+          if (status.fulfillmentStatus === FulfillmentStatus.Fulfilled) {
+            dispatchProvingTasksSync({ type: "removed", requestId });
+
+            if (onFulfilled) {
+              if (!status.proof) {
+                console.warn("[ZCAM1] Fulfilled proof request returned no proof bytes", requestId);
+              } else {
+                onFulfilled(requestId, task.photoPath, status.proof, provingClient);
+              }
+            }
+          } else if (status.fulfillmentStatus === FulfillmentStatus.Unfulfillable) {
+            dispatchProvingTasksSync({ type: "removed", requestId });
+
+            if (onUnfulfillable) {
+              onUnfulfillable(requestId);
+            }
+          }
+        }
+      } catch (e) {
+        if (!cancelled) {
+          console.error("[ZCAM1] ProvingTasksProvider polling failed", e);
+        }
+      } finally {
+        inFlight = false;
+      }
+    };
+
+    // Kick off once immediately, then poll on an interval.
+    void pollOnce();
+    const intervalId = setInterval(() => {
+      void pollOnce();
+    }, 1000);
+
+    return () => {
+      cancelled = true;
+      clearInterval(intervalId);
+    };
+  }, [provingClient, onFulfilled, onUnfulfillable]);
+
+  const value = useMemo<ProverContextValue>(
+    () => ({
+      provingClient,
+      provingTasks,
+      provingTasksCount,
+      isInitializing,
+      error,
+    }),
+    [provingClient, provingTasks, provingTasksCount, isInitializing, error],
+  );
+
+  return <ProverContext.Provider value={value}>{children}</ProverContext.Provider>;
+}
+
+export function useProver(): ProverContextValue {
+  const ctx = useContext(ProverContext);
+  if (!ctx) {
+    throw new Error("useProver must be used within a ProverProvider");
+  }
+  return ctx;
+}
+
+export function useProofRequestStatus(requestId: string | null): ProofRequestContextValue {
+  const [fulfillementStatus, setFulfillementStatus] = useState<FulfillmentStatus>(
+    FulfillmentStatus.UnspecifiedFulfillmentStatus,
+  );
+  const [proof, setProof] = useState<ArrayBuffer | undefined>(undefined);
+  const { provingClient, isInitializing, error } = useProver();
+
+  useEffect(() => {
+    let cancelled = false;
+
+    // Reset per-request state when inputs change.
+    setFulfillementStatus(FulfillmentStatus.UnspecifiedFulfillmentStatus);
+    setProof(undefined);
+
+    const sleep = (ms: number) => new Promise<void>((r) => setTimeout(r, ms));
+
+    (async () => {
+      if (!provingClient) return;
+      if (!requestId) return;
+
+      if (cancelled) return;
+
+      while (!cancelled) {
+        const status = await provingClient.getProofStatus(requestId);
+        if (cancelled) return;
+
+        setFulfillementStatus(status.fulfillmentStatus);
+
+        if (status.fulfillmentStatus === FulfillmentStatus.Unfulfillable) {
+          setProof(undefined);
+          return;
+        }
+
+        if (status.fulfillmentStatus === FulfillmentStatus.Fulfilled) {
+          // Depending on how your backend behaves, proof should be present on Fulfilled.
+          if (!status.proof) {
+            throw new Error("Fulfilled proof request returned no proof bytes");
+          }
+
+          setProof(status.proof);
+
+          return;
+        }
+
+        await sleep(1000);
+      }
+    })().catch((e) => {
+      if (!cancelled) {
+        console.error("[ZCAM1] useProofRequestStatus failed", e);
+      }
+    });
+
+    return () => {
+      cancelled = true;
+    };
+  }, [provingClient, requestId]);
+
+  return {
+    isInitializing,
+    error,
+    fulfillementStatus,
+    proof,
+  };
+}
+
+export class ProvingClient {
+  client: IosProvingClientInterface;
+  contentKeyId: Uint8Array;
+  certChainPem: string;
+  production: boolean;
+  onProofRequest?: (requestId: string, photoPath: string) => void;
+
+  constructor(
+    client: IosProvingClientInterface,
+    contentKeyId: Uint8Array,
+    certChainPem: string,
+    production: boolean,
+    onProofRequest?: (requestId: string, photoPath: string) => void,
+  ) {
+    this.client = client;
+    this.contentKeyId = contentKeyId;
+    this.certChainPem = certChainPem;
+    this.production = production;
+    this.onProofRequest = onProofRequest;
+  }
+
+  /**
+   * Embeds a cryptographic proof into an image file by modifying its C2PA manifest.
+   * @param originalPath - Path to the original image file
+   * @param deviceInfo - Device information for signing
+   * @param settings - Configuration settings for proof generation
+   * @returns Request ID for polling proof status
+   */
+  async requestProof(originalPath: string): Promise<string> {
+    originalPath = originalPath.replace("file://", "");
+    const format = formatFromPath(originalPath);
+
+    if (format === undefined) {
+      throw new Error(`Unsupported file format: ${originalPath}`);
+    }
+
+    const requestId = await this.client.requestProof(originalPath, format, {
+      appAttestProduction: this.production,
+    });
+
+    if (this.onProofRequest) {
+      this.onProofRequest(requestId, originalPath);
+    }
+
+    return requestId;
+  }
+
+  async getProofStatus(requestId: string): Promise<ProofRequestStatus> {
+    return await this.client.getProofStatus(requestId);
+  }
+
+  /**
+   * Embeds a cryptographic proof into an image file by modifying its C2PA manifest.
+   * @param originalPath - Path to the original image file
+   * @param deviceInfo - Device information for signing
+   * @param settings - Configuration settings for proof generation
+   * @returns Path to the new file with embedded proof
+   */
+  async embedProof(originalPath: string, proof: ArrayBuffer): Promise<string> {
+    originalPath = originalPath.replace("file://", "");
+    const format = formatFromPath(originalPath);
+    const ext = Util.extname(originalPath);
+
+    if (format === undefined) {
+      throw new Error(`Unsupported file format: ${originalPath}`);
+    }
+
+    const manifestEditor = ManifestEditor.fromManifest(
+      originalPath,
+      this.contentKeyId.buffer as ArrayBuffer,
+      this.certChainPem,
+    );
+
+    const vkHash = this.client.vkHash();
+
+    // Include the proof to the C2PA manifest
+    manifestEditor.addAssertion(
+      "succinct.proof",
+      JSON.stringify({
+        data: base64.encode(new Uint8Array(proof)),
+        vk_hash: vkHash,
+      }),
+    );
+
+    const destinationPath =
+      Dirs.CacheDir + `/zcam-${Date.now()}-${Math.random().toString(36).slice(2, 10)}.${ext}`;
+
+    // Embed the manifest to the photo
+    await manifestEditor.embedManifestToFile(destinationPath, format);
+
+    return destinationPath;
+  }
+
+  async waitAndEmbedProof(originalPath: string): Promise<string> {
+    const requestId = await this.requestProof(originalPath);
+    console.log(`Request ID: ${requestId}`);
+    const sleep = (ms: number) => new Promise<void>((r) => setTimeout(r, ms));
+
+    while (true) {
+      const status = await this.getProofStatus(requestId);
+
+      if (status.fulfillmentStatus === FulfillmentStatus.Unfulfillable) {
+        throw new Error("The proof is unfulfillable");
+      }
+
+      if (status.fulfillmentStatus === FulfillmentStatus.Fulfilled) {
+        return this.embedProof(originalPath, status.proof!);
+      }
+
+      await sleep(1000);
+    }
+  }
+}

package/src/utils.ts

@@ -0,0 +1,38 @@
+import { sha256 } from "@noble/hashes/sha2.js";
+import { generateHardwareSignatureWithAssertion } from "@pagopa/io-react-native-integrity";
+import { base64 } from "@scure/base";
+
+function stringToArray(s: string): Uint8Array {
+  return new TextEncoder().encode(s);
+}
+
+export async function generateAppAttestAssertion(
+  dataHash: ArrayBuffer,
+  normalizedMetadata: string,
+  deviceKeyId: string,
+): Promise<string> {
+  let assertion: string;
+
+  const metadataBytes = stringToArray(normalizedMetadata);
+
+  try {
+    assertion = await generateHardwareSignatureWithAssertion(
+      base64.encode(new Uint8Array(dataHash)) + "|" + base64.encode(sha256(metadataBytes)),
+      deviceKeyId,
+    );
+  } catch (error: unknown) {
+    const err = error as { code?: string; message?: string } | undefined;
+    if (err?.code === "-1" || err?.message?.includes("UNSUPPORTED_SERVICE")) {
+      console.warn(
+        "[ZCAMs] Running in simulator - using mock attestation. This is for development only.",
+      );
+      // Use a mock attestation for simulator testing
+      // In production, this would need to be rejected by the backend
+      assertion = `SIMULATOR_MOCK_${deviceKeyId}_${Date.now()}`;
+    } else {
+      throw error;
+    }
+  }
+
+  return assertion;
+}

package/src/verify.tsx

@@ -0,0 +1,119 @@
+import { utf8ToBytes } from "@noble/hashes/utils.js";
+import { base64 } from "@scure/base";
+
+import {
+  computeHash,
+  extractManifest,
+  type ManifestInterface,
+  PhotoMetadataInfo,
+  verifyBindingsFromManifest,
+  verifyGroth16,
+  VideoMetadataInfo,
+} from "./bindings";
+
+/**
+ * Capture metadata extracted from the C2PA manifest.
+ * Contains device info and camera settings at capture time.
+ */
+export interface CaptureMetadata {
+  action: string;
+  when: string;
+  parameters: PhotoMetadataInfo | VideoMetadataInfo;
+}
+
+export const APPLE_ROOT_CERT =
+  "MIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYwJAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNaFw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlvbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdhNbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9auYen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijVoyFraWVIyd/dganmrduC1bmTBGwD";
+
+/**
+ * Represents a file with a C2PA manifest that can be verified for authenticity.
+ */
+export class VerifiableFile {
+  path: string;
+  activeManifest: ManifestInterface;
+  hash: ArrayBuffer | undefined;
+
+  /**
+   * Creates a VerifiableFile instance by extracting the C2PA manifest from the file.
+   * @param path - Path to the file to verify
+   */
+  constructor(path: string) {
+    const store = extractManifest(path);
+
+    this.path = path;
+    this.activeManifest = store.activeManifest();
+  }
+
+  /**
+   * Verifies the manifest's bindings (e.g., App Attest).
+   */
+  verifyBindings(appAttestProduction: boolean): boolean {
+    if (this.hash === undefined) {
+      this.hash = computeHash(this.path);
+    }
+
+    return verifyBindingsFromManifest(
+      this.activeManifest.bindings()!,
+      this.activeManifest.captureMetadataAction()!,
+      this.hash,
+      appAttestProduction,
+    );
+  }
+
+  /**
+   * Verifies the cryptographic proof embedded in the C2PA manifest.
+   * @returns True if the proof is valid, false otherwise
+   */
+  verifyProof(appId: string): boolean {
+    return verifyProofFromManifest(this.activeManifest, this.path, appId);
+  }
+
+  /**
+   * Returns the file's content hash as recorded in the active C2PA manifest.
+   * @returns The manifest data hash (base64-encoded string)
+   */
+  dataHash(): string | undefined {
+    if (this.hash === undefined) {
+      this.hash = computeHash(this.path);
+    }
+
+    return base64.encode(new Uint8Array(this.hash));
+  }
+
+  /**
+   * Returns the capture metadata from the C2PA manifest.
+   * Contains device info and camera settings recorded at capture time.
+   * @returns The capture metadata, or null if not present
+   */
+  captureMetadata(): CaptureMetadata | null {
+    const actionJson = this.activeManifest.captureMetadataAction();
+    if (!actionJson) return null;
+    return JSON.parse(actionJson) as CaptureMetadata;
+  }
+}
+
+function verifyProofFromManifest(
+  activeManifest: ManifestInterface,
+  path: string,
+  appId: string,
+): boolean {
+  const proof = activeManifest.proof();
+
+  if (proof === undefined) {
+    throw new Error("The proof was not found in the manifest");
+  }
+
+  const hash = new Uint8Array(computeHash(path));
+  const appIdBytes = utf8ToBytes(appId);
+  const appleRootCert = utf8ToBytes(APPLE_ROOT_CERT);
+
+  const publicInputs = new Uint8Array(hash.length + appIdBytes.length + appleRootCert.length);
+  publicInputs.set(hash);
+  publicInputs.set(appIdBytes, hash.length);
+  publicInputs.set(appleRootCert, hash.length + appIdBytes.length);
+
+  return verifyGroth16(
+    base64.decode(proof.data).buffer as ArrayBuffer,
+    publicInputs.buffer,
+    proof.vkHash,
+  );
+}

package/turbo.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://turbo.build/schema.json",
+  "globalDependencies": [".nvmrc", ".yarnrc.yml"],
+  "globalEnv": ["NODE_ENV"],
+  "tasks": {
+    "build:android": {
+      "env": ["ANDROID_HOME", "ORG_GRADLE_PROJECT_newArchEnabled"],
+      "inputs": [
+        "package.json",
+        "android",
+        "!android/build",
+        "src/*.ts",
+        "src/*.tsx"
+      ],
+      "outputs": []
+    },
+    "build:ios": {
+      "env": [
+        "RCT_NEW_ARCH_ENABLED",
+        "RCT_USE_RN_DEP",
+        "RCT_USE_PREBUILT_RNCORE"
+      ],
+      "inputs": ["package.json", "*.podspec", "ios", "src/*.ts", "src/*.tsx"],
+      "outputs": []
+    }
+  }
+}