@succinctlabs/react-native-zcam1 0.3.0 → 0.4.0-alpha.2

package/src/camera.tsx

@@ -1,14 +1,18 @@
+import Geolocation from "@react-native-community/geolocation";
 import JailMonkey from "jail-monkey";
 import React from "react";
-import { requireNativeComponent, type StyleProp, type ViewStyle } from "react-native";
+import { Platform, requireNativeComponent, type StyleProp, type ViewStyle } from "react-native";
+import { isEmulator } from "react-native-device-info";
 import { Dirs, Util } from "react-native-file-access";
 
 import {
+  AuthenticityData,
   buildSelfSignedCertificate,
   computeHash,
   DepthData,
   ExistingCertChain,
   formatFromPath,
+  LocationInfo,
   ManifestEditor,
   type PhotoMetadataInfo,
   SelfSignedCertChain,
@@ -153,6 +157,22 @@ export interface ZCameraProps {
    * Use with `filmStyle` prop by casting the custom name: `filmStyle={"myStyle" as CameraFilmStyle}`.
    */
   customFilmStyles?: Record<string, FilmStyleRecipe>;
+  /**
+   * When true, embeds a trusted GPS timestamp in the C2PA manifest at capture time.
+   * Requires location permission. The timestamp is sourced from GPS rather than device clock,
+   * making it tamper-evident. Stored as `trustedTimestamp` in photo/video metadata.
+   * @default false
+   */
+  captureTimestampEnabled?: boolean;
+  /**
+   * When true, embeds GPS coordinates in the C2PA manifest at capture time.
+   * Requires location permission. Stored as `location` in photo/video metadata.
+   * If location retrieval fails, `isLocationAvailable` is set to `false` and
+   * `locationRetrievalStatus` contains the error reason.
+   * @default false
+   */
+  captureLocationEnabled?: boolean;
+
   /**
    * Enable depth data capture at session level.
    * When true, depth data can be captured but zoom may be restricted on dual-camera devices.
@@ -472,6 +492,16 @@ export class ZCamera extends React.PureComponent<ZCameraProps> {
       const when = new Date().toISOString().replace("T", " ").split(".")[0]!;
       const isJailBroken = JailMonkey.isJailBroken();
       const isLocationSpoofingAvailable = JailMonkey.canMockLocation();
+      const location = await retrieveLocationData(
+        this.props.captureTimestampEnabled,
+        this.props.captureLocationEnabled,
+      );
+      const authenticityData: AuthenticityData = {
+        isJailBroken,
+        isLocationSpoofingAvailable,
+        isLocationAvailable: location.isLocationAvailable,
+        locationRetrievalStatus: location.locationRetrievalStatus,
+      };
 
       result.filePath = await embedBindings(
         result.filePath,
@@ -492,11 +522,10 @@ export class ZCamera extends React.PureComponent<ZCameraProps> {
           audioCodec: result.audioCodec,
           audioSampleRate: result.audioSampleRate,
           audioChannels: result.audioChannels,
-          authenticityData: {
-            isJailBroken,
-            isLocationSpoofingAvailable,
-          },
+          authenticityData,
           filmStyle: this.resolveFilmStyleInfo(),
+          trustedTimestamp: location.trustedTimestamp,
+          location: location.coords,
         },
         this.props.captureInfo,
         this.certChainPem,
@@ -550,11 +579,21 @@ export class ZCamera extends React.PureComponent<ZCameraProps> {
     const tiff = metadata["{TIFF}"] ?? {};
 
     const when = tiff.DateTime || new Date().toISOString().replace("T", " ").split(".")[0];
-    const deviceMake = tiff.Make || "Apple";
+    const deviceMake = tiff.Make || (Platform.OS === "android" ? "Android" : "Apple");
     const deviceModel = tiff.Model || "Unknown";
     const softwareVersion = tiff.Software || "Unknown";
     const isJailBroken = JailMonkey.isJailBroken();
     const isLocationSpoofingAvailable = JailMonkey.canMockLocation();
+    const location = await retrieveLocationData(
+      this.props.captureTimestampEnabled,
+      this.props.captureLocationEnabled,
+    );
+    const authenticityData: AuthenticityData = {
+      isJailBroken,
+      isLocationSpoofingAvailable,
+      isLocationAvailable: location.isLocationAvailable,
+      locationRetrievalStatus: location.locationRetrievalStatus,
+    };
 
     const destinationPath = await embedBindings(
       originalPath,
@@ -570,12 +609,11 @@ export class ZCamera extends React.PureComponent<ZCameraProps> {
         exposureTime: exif.ExposureTime,
         depthOfField: exif.FNumber,
         focalLength: exif.FocalLength,
-        authenticityData: {
-          isJailBroken,
-          isLocationSpoofingAvailable,
-        },
+        authenticityData,
         depthData: result.depthData as DepthData | undefined,
         filmStyle: this.resolveFilmStyleInfo(),
+        trustedTimestamp: location.trustedTimestamp,
+        location: location.coords,
       },
       this.props.captureInfo,
       this.certChainPem,
@@ -656,9 +694,18 @@ async function embedBindings(
   const destinationPath =
     Dirs.CacheDir + `/zcam-${Date.now()}-${Math.random().toString(36).slice(2, 10)}.${ext}`;
 
+  // On Android, pass the KeyStore alias so Rust signs via JNI.
+  // On iOS, pass the contentKeyId (SHA1 of public key) so Rust signs via Secure Enclave.
+  const keyTag =
+    Platform.OS === "android"
+      ? new TextEncoder().encode(
+          (await isEmulator()) ? "ZCAM1_MOCK_CONTENT_KEY_TAG" : "ZCAM1_CONTENT_KEY_TAG",
+        )
+      : captureInfo.contentKeyId;
+
   const manifestEditor = new ManifestEditor(
     originalPath,
-    captureInfo.contentKeyId.buffer as ArrayBuffer,
+    keyTag.buffer as ArrayBuffer,
     certChainPem,
   );
 
@@ -692,3 +739,61 @@ async function embedBindings(
 
   return destinationPath;
 }
+
+type LocationData = {
+  coords: LocationInfo | undefined;
+  trustedTimestamp: bigint | undefined;
+  isLocationAvailable: boolean | undefined;
+  locationRetrievalStatus: string | undefined;
+};
+
+function retrieveLocationData(
+  captureTimestampEnabled: boolean | undefined,
+  captureLocationEnabled: boolean | undefined,
+): Promise<LocationData> {
+  if (!captureTimestampEnabled && !captureLocationEnabled) {
+    return Promise.resolve({
+      coords: undefined,
+      trustedTimestamp: undefined,
+      isLocationAvailable: undefined,
+      locationRetrievalStatus: undefined,
+    });
+  }
+
+  return new Promise((resolve) => {
+    Geolocation.getCurrentPosition(
+      (position) => {
+        resolve({
+          coords: captureLocationEnabled
+            ? {
+                latitude: position.coords.latitude.toFixed(6),
+                longitude: position.coords.longitude.toFixed(6),
+                altitude: position.coords.altitude?.toFixed(6),
+                accuracy: position.coords.accuracy.toFixed(6),
+                altitudeAccuracy: position.coords.altitudeAccuracy?.toFixed(6),
+              }
+            : undefined,
+          trustedTimestamp: captureTimestampEnabled
+            ? BigInt(Math.trunc(position.timestamp))
+            : undefined,
+          isLocationAvailable: true,
+          locationRetrievalStatus: "success",
+        });
+      },
+      (error) => {
+        console.warn(`[ZCAM1] failed to retrieve GPS location data: ${error.message}`);
+        resolve({
+          coords: undefined,
+          trustedTimestamp: undefined,
+          isLocationAvailable: false,
+          locationRetrievalStatus: error.message,
+        });
+      },
+      {
+        timeout: 1000, // 1 second
+        maximumAge: 60 * 1000, // 1 minute
+        enableHighAccuracy: true,
+      },
+    );
+  });
+}

package/src/capture.tsx

@@ -1,4 +1,16 @@
-import { generateHardwareKey, getAttestation } from "@pagopa/io-react-native-integrity";
+import {
+  getPublicKeyFixed,
+  isKeyStrongboxBacked,
+  sign as cryptoSign,
+} from "@pagopa/io-react-native-crypto";
+import {
+  generateHardwareKey,
+  getAttestation,
+  isPlayServicesAvailable,
+} from "@pagopa/io-react-native-integrity";
+import Geolocation from "@react-native-community/geolocation";
+import { PermissionsAndroid, Platform } from "react-native";
+import { getBundleId, isEmulator } from "react-native-device-info";
 import EncryptedStorage from "react-native-encrypted-storage";
 
 import { type ECKey, getContentPublicKey, getSecureEnclaveKeyId } from "./common";
@@ -6,15 +18,15 @@ export { buildSelfSignedCertificate, SelfSignedCertChain } from "./bindings";
 
 /**
  * Camera component for capturing photos with secure enclave integration.
+ * Lazy-loaded to avoid native module errors on platforms without camera support.
  */
-export {
-  type CameraFilmStyle,
-  type FilmStyleEffect,
-  type FilmStyleRecipe,
-  type HighlightShadowConfig,
-  type MonochromeConfig,
-  type WhiteBalanceConfig,
-  ZCamera,
+export type {
+  CameraFilmStyle,
+  FilmStyleEffect,
+  FilmStyleRecipe,
+  HighlightShadowConfig,
+  MonochromeConfig,
+  WhiteBalanceConfig,
 } from "./camera";
 
 import NativeZcam1Capture from "./NativeZcam1Capture";
@@ -84,9 +96,11 @@ export class ZPhoto {
  * @returns Device information including keys, certificate chain, and attestation
  */
 export async function initCapture(settings: Settings): Promise<CaptureInfo> {
-  let deviceKeyId = await EncryptedStorage.getItem(`deviceKeyId-${settings.appId}`);
-
   const contentPublicKey = await getContentPublicKey();
+  const isSimulator = await isEmulator();
+
+  // On Android, the appId is the package name.
+  const appId = Platform.OS == "android" ? getBundleId() : settings.appId;
 
   if (contentPublicKey.kty !== "EC") {
     throw new Error("Only EC public keys are supported");
@@ -94,42 +108,63 @@ export async function initCapture(settings: Settings): Promise<CaptureInfo> {
 
   const contentKeyId = getSecureEnclaveKeyId(contentPublicKey);
 
-  if (deviceKeyId == null) {
-    // Try to generate hardware key, but fall back to mock for simulator
-    try {
-      deviceKeyId = await generateHardwareKey();
-    } catch (error: unknown) {
-      // If running in simulator, hardware key generation is not supported
-      const err = error as { code?: string; message?: string } | undefined;
-      if (err?.code === "-1" || err?.message?.includes("UNSUPPORTED_SERVICE")) {
-        console.warn(
-          "[ZCAM] Running in simulator - using mock device key. This is for development only.",
-        );
-        // Generate a mock device key for simulator testing
-        deviceKeyId = `SIMULATOR_DEVICE_KEY_${Date.now()}`;
-      } else {
-        throw error;
-      }
+  let deviceKeyId = await EncryptedStorage.getItem(`deviceKeyId-${settings.appId}`);
+  let attestation = deviceKeyId
+    ? await EncryptedStorage.getItem(`attestation-${deviceKeyId}`)
+    : null;
+
+  if (deviceKeyId == null || attestation == null) {
+    switch (Platform.OS) {
+      case "android":
+        // On Android, getAttestation() creates the key AND returns the attestation
+        // certificate chain in a single call. generateHardwareKey() is iOS-only.
+        deviceKeyId = `ZCAM1_ANDROID_DEVICE_${appId}`;
+
+        if (isSimulator) {
+          // Emulator or device without Play Integrity support — use mock attestation.
+          console.warn(
+            "[ZCAM] Play Integrity not available - using mock attestation. This is for development only.",
+          );
+          attestation = `SIMULATOR_MOCK_${deviceKeyId}_${Date.now()}`;
+        } else {
+          attestation = await getAttestation(deviceKeyId, deviceKeyId);
+        }
+        break;
+
+      case "ios":
+      case "macos":
+        // iOS: generate key first, then attest separately
+        if (deviceKeyId == null) {
+          if (isSimulator) {
+            console.warn(
+              "[ZCAM] Running in simulator - using mock device key. This is for development only.",
+            );
+            deviceKeyId = `SIMULATOR_DEVICE_KEY_${Date.now()}`;
+          } else {
+            deviceKeyId = await generateHardwareKey();
+          }
+        }
+        attestation = await updateRegistration(deviceKeyId!, settings);
+        break;
+
+      default:
+        throw new Error(`initCapture: ${Platform.OS} not supported`);
     }
-    await EncryptedStorage.setItem(`deviceKeyId-${settings.appId}`, deviceKeyId);
+
+    await EncryptedStorage.setItem(`deviceKeyId-${settings.appId}`, deviceKeyId!);
+    await EncryptedStorage.setItem(`attestation-${deviceKeyId}`, attestation!);
   }
 
   if (deviceKeyId == null) {
     throw new Error("Failed to generate a device key");
   }
 
-  let attestation = await EncryptedStorage.getItem(`attestation-${deviceKeyId}`);
-
-  if (attestation == null) {
-    attestation = await updateRegistration(deviceKeyId, settings);
-  }
-
   return {
-    appId: settings.appId,
+    appId,
     deviceKeyId,
     contentPublicKey,
     contentKeyId,
-    attestation,
+    attestation: attestation!,
   };
 }
 
@@ -140,26 +175,88 @@ export async function initCapture(settings: Settings): Promise<CaptureInfo> {
  * @returns Attestation data and challenge
  */
 export async function updateRegistration(keyId: string, _settings: Settings): Promise<string> {
-  // Try to get real attestation, but fall back to mock for simulator
-  let attestation: string;
-  try {
-    attestation = await getAttestation(keyId, keyId);
-  } catch (error: unknown) {
-    // If running in simulator, App Attest is not supported
-    const err = error as { code?: string; message?: string } | undefined;
-    if (err?.code === "-1" || err?.message?.includes("UNSUPPORTED_SERVICE")) {
-      console.warn(
-        "[ZCAM] Running in simulator - using mock attestation. This is for development only.",
-      );
-      // Use a mock attestation for simulator testing
-      // In production, this would need to be rejected by the backend
-      return `SIMULATOR_MOCK_${keyId}_${Date.now()}`;
-    } else {
-      throw error;
-    }
+  const isSimulator = await isEmulator();
+
+  if (isSimulator) {
+    console.warn(
+      "[ZCAM] Running in simulator - using mock attestation. This is for development only.",
+    );
+    return `SIMULATOR_MOCK_${keyId}_${Date.now()}`;
   }
 
+  const attestation = await getAttestation(keyId, keyId);
   await EncryptedStorage.setItem(`attestation-${keyId}`, attestation);
 
   return attestation;
 }
+
+/**
+ * Requests camera (and microphone) permissions on Android.
+ * No-op on iOS — the system prompts automatically when the camera is accessed.
+ */
+export async function requestCameraPermission(): Promise<void> {
+  if (Platform.OS !== "android") return;
+  await PermissionsAndroid.requestMultiple([
+    PermissionsAndroid.PERMISSIONS.CAMERA,
+    PermissionsAndroid.PERMISSIONS.RECORD_AUDIO,
+  ]);
+}
+
+/**
+ * Requests location permission from the user.
+ * This function triggers the native location authorization prompt on the device.
+ * @throws {string} Error message if permission request fails
+ */
+export function requestLocationPermission() {
+  Geolocation.requestAuthorization(
+    () => {},
+    (error) => {
+      throw error.message;
+    },
+  );
+}
+
+/**
+ * Sign a message with the device hardware key.
+ * Uses SHA256withECDSA on Android (Android KeyStore) or SecureEnclave on iOS.
+ * @param deviceKeyId - The key alias/tag from initCapture().deviceKeyId
+ * @param message - The UTF-8 string message to sign
+ * @returns Base64-encoded ECDSA signature
+ */
+export async function signWithDeviceKey(deviceKeyId: string, message: string): Promise<string> {
+  return cryptoSign(message, deviceKeyId);
+}
+
+/**
+ * Get the public key for a device key in JWK format.
+ * @param deviceKeyId - The key alias/tag from initCapture().deviceKeyId
+ * @returns The public key as an ECKey (JWK format with x, y coordinates)
+ */
+export async function getDevicePublicKey(deviceKeyId: string): Promise<ECKey> {
+  const key = await getPublicKeyFixed(deviceKeyId);
+  if (key.kty !== "EC") {
+    throw new Error("Expected EC key, got " + key.kty);
+  }
+  return key;
+}
+
+/**
+ * Check if the device key is backed by StrongBox (highest hardware security level).
+ * Only meaningful on Android. Returns false on iOS.
+ * @param deviceKeyId - The key alias/tag from initCapture().deviceKeyId
+ * @returns true if StrongBox-backed, false if TEE-backed or unsupported
+ */
+export async function isDeviceKeyStrongboxBacked(deviceKeyId: string): Promise<boolean> {
+  if (Platform.OS !== "android") return false;
+  return isKeyStrongboxBacked(deviceKeyId);
+}
+
+/**
+ * Check if Google Play Services is available (Android only).
+ * Required for Play Integrity token requests.
+ * @returns true if Play Services available, false otherwise. Always false on iOS.
+ */
+export async function checkPlayServicesAvailable(): Promise<boolean> {
+  if (Platform.OS !== "android") return false;
+  return isPlayServicesAvailable();
+}

package/src/common.tsx

@@ -1,9 +1,20 @@
 import { sha1 } from "@noble/hashes/legacy.js";
 import { generate, getPublicKeyFixed, type PublicKey } from "@pagopa/io-react-native-crypto";
 import { base64, base64nopad, base64url, base64urlnopad } from "@scure/base";
+import { Platform } from "react-native";
+import { isEmulator } from "react-native-device-info";
 
 const CONTENT_KEY_TAG = "ZCAM1_CONTENT_KEY_TAG";
 
+// Mock P-256 key used on emulators where hardware-backed key generation is unavailable.
+// Public key coordinates correspond to MOCK_KEY in crates/c2pa-utils/src/manifest_editor.rs.
+const MOCK_EMULATOR_CONTENT_KEY = {
+  kty: "EC" as const,
+  crv: "P-256",
+  x: "hcUZSvoPr0QDDmC0CwMFLgGcHUTas1g4RXET2nFv_BA",
+  y: "v5WB7DJhhKed3SmZpO8hVJQXRUSOzNSxrfnQ9kv1zTg",
+};
+
 export interface ECKey {
   kty: "EC";
   crv: string;
@@ -24,8 +35,17 @@ function flexibleBase64Decode(str: string): Uint8Array {
 }
 
 export async function getContentPublicKey(): Promise<PublicKey> {
-  return await getPublicKeyFixed(CONTENT_KEY_TAG).catch(() => {
-    return generate(CONTENT_KEY_TAG);
+  const isAndroidEmulator = await isEmulator().then(
+    (isEmulator) => isEmulator && Platform.OS === "android",
+  );
+
+  if (isAndroidEmulator) {
+    return MOCK_EMULATOR_CONTENT_KEY;
+  }
+
+  return await getPublicKeyFixed(CONTENT_KEY_TAG).catch(async () => {
+    await generate(CONTENT_KEY_TAG);
+    return getPublicKeyFixed(CONTENT_KEY_TAG);
   });
 }