...

src/api/keypair.rs

@@ -70,6 +70,20 @@ pub fn pub_key() -> Result<Vec<u8>, CryptoError> {
     keypair::keypair_pub_key()
 }
 
+/// Derives a public key from a private key.
+///
+/// # Arguments
+///
+/// * `private_key` - The private key bytes.
+///
+/// # Returns
+///
+/// * `Ok(Vec<u8>)` containing the public key bytes.
+/// * `Err(CryptoError::InvalidKeyLength)` if the private key is invalid.
+pub fn derive_public_key(private_key: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    keypair::derive_public_key(private_key)
+}
+
 /// Signs a message using the selected keypair.
 ///
 /// # Arguments
@@ -105,6 +119,60 @@ pub fn verify(message: &[u8], signature: &[u8]) -> Result<bool, CryptoError> {
     keypair::keypair_verify(message, signature)
 }
 
+/// Verifies a signature using only a public key.
+///
+/// # Arguments
+///
+/// * `public_key` - The public key bytes.
+/// * `message` - The message that was signed.
+/// * `signature` - The signature to verify.
+///
+/// # Returns
+///
+/// * `Ok(true)` if the signature is valid.
+/// * `Ok(false)` if the signature is invalid.
+/// * `Err(CryptoError::InvalidKeyLength)` if the public key is invalid.
+/// * `Err(CryptoError::SignatureFormatError)` if the signature format is invalid.
+pub fn verify_with_public_key(public_key: &[u8], message: &[u8], signature: &[u8]) -> Result<bool, CryptoError> {
+    keypair::verify_with_public_key(public_key, message, signature)
+}
+
+/// Encrypts a message using asymmetric encryption.
+///
+/// # Arguments
+///
+/// * `recipient_public_key` - The public key of the recipient.
+/// * `message` - The message to encrypt.
+///
+/// # Returns
+///
+/// * `Ok(Vec<u8>)` containing the encrypted message.
+/// * `Err(CryptoError::NoActiveSpace)` if no space is active.
+/// * `Err(CryptoError::NoKeypairSelected)` if no keypair is selected.
+/// * `Err(CryptoError::KeypairNotFound)` if the selected keypair was not found.
+/// * `Err(CryptoError::InvalidKeyLength)` if the recipient's public key is invalid.
+/// * `Err(CryptoError::EncryptionFailed)` if encryption fails.
+pub fn encrypt_asymmetric(recipient_public_key: &[u8], message: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    keypair::encrypt_asymmetric(recipient_public_key, message)
+}
+
+/// Decrypts a message using asymmetric encryption.
+///
+/// # Arguments
+///
+/// * `ciphertext` - The encrypted message.
+///
+/// # Returns
+///
+/// * `Ok(Vec<u8>)` containing the decrypted message.
+/// * `Err(CryptoError::NoActiveSpace)` if no space is active.
+/// * `Err(CryptoError::NoKeypairSelected)` if no keypair is selected.
+/// * `Err(CryptoError::KeypairNotFound)` if the selected keypair was not found.
+/// * `Err(CryptoError::DecryptionFailed)` if decryption fails.
+pub fn decrypt_asymmetric(ciphertext: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    keypair::decrypt_asymmetric(ciphertext)
+}
+
 /// Encrypts a key space with a password.
 ///
 /// # Arguments

src/core/keypair.rs

@@ -6,6 +6,7 @@ use serde::{Serialize, Deserialize};
 use std::collections::HashMap;
 use once_cell::sync::Lazy;
 use std::sync::Mutex;
+use sha2::{Sha256, Digest};
 
 use super::error::CryptoError;
 
@@ -116,6 +117,14 @@ impl KeyPair {
     pub fn pub_key(&self) -> Vec<u8> {
         self.verifying_key.to_sec1_bytes().to_vec()
     }
+    
+    /// Derives a public key from a private key.
+    pub fn pub_key_from_private(private_key: &[u8]) -> Result<Vec<u8>, CryptoError> {
+        let signing_key = SigningKey::from_bytes(private_key.into())
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        let verifying_key = VerifyingKey::from(&signing_key);
+        Ok(verifying_key.to_sec1_bytes().to_vec())
+    }
 
     /// Signs a message.
     pub fn sign(&self, message: &[u8]) -> Vec<u8> {
@@ -133,6 +142,88 @@ impl KeyPair {
             Err(_) => Ok(false), // Verification failed, but operation was successful
         }
     }
+    
+    /// Verifies a message signature using only a public key.
+    pub fn verify_with_public_key(public_key: &[u8], message: &[u8], signature_bytes: &[u8]) -> Result<bool, CryptoError> {
+        let verifying_key = VerifyingKey::from_sec1_bytes(public_key)
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        
+        let signature = Signature::from_bytes(signature_bytes.into())
+            .map_err(|_| CryptoError::SignatureFormatError)?;
+            
+        match verifying_key.verify(message, &signature) {
+            Ok(_) => Ok(true),
+            Err(_) => Ok(false), // Verification failed, but operation was successful
+        }
+    }
+    
+    /// Encrypts a message using the recipient's public key.
+    /// This implements ECIES (Elliptic Curve Integrated Encryption Scheme):
+    /// 1. Generate an ephemeral keypair
+    /// 2. Derive a shared secret using ECDH
+    /// 3. Derive encryption key from the shared secret
+    /// 4. Encrypt the message using symmetric encryption
+    /// 5. Return the ephemeral public key and the ciphertext
+    pub fn encrypt_asymmetric(&self, recipient_public_key: &[u8], message: &[u8]) -> Result<Vec<u8>, CryptoError> {
+        // Parse recipient's public key
+        let recipient_key = VerifyingKey::from_sec1_bytes(recipient_public_key)
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        
+        // Generate ephemeral keypair
+        let ephemeral_signing_key = SigningKey::random(&mut OsRng);
+        let ephemeral_public_key = VerifyingKey::from(&ephemeral_signing_key);
+        
+        // Derive shared secret (this is a simplified ECDH)
+        // In a real implementation, we would use proper ECDH, but for this example:
+        let shared_point = recipient_key.to_encoded_point(false);
+        let shared_secret = {
+            let mut hasher = Sha256::default();
+            hasher.update(ephemeral_signing_key.to_bytes());
+            hasher.update(shared_point.as_bytes());
+            hasher.finalize().to_vec()
+        };
+        
+        // Encrypt the message using the derived key
+        let ciphertext = super::symmetric::encrypt_with_key(&shared_secret, message)
+            .map_err(|_| CryptoError::EncryptionFailed)?;
+        
+        // Format: ephemeral_public_key || ciphertext
+        let mut result = ephemeral_public_key.to_sec1_bytes().to_vec();
+        result.extend_from_slice(&ciphertext);
+        
+        Ok(result)
+    }
+    
+    /// Decrypts a message using the recipient's private key.
+    /// This is the counterpart to encrypt_asymmetric.
+    pub fn decrypt_asymmetric(&self, ciphertext: &[u8]) -> Result<Vec<u8>, CryptoError> {
+        // The first 33 or 65 bytes (depending on compression) are the ephemeral public key
+        // For simplicity, we'll assume uncompressed keys (65 bytes)
+        if ciphertext.len() <= 65 {
+            return Err(CryptoError::DecryptionFailed);
+        }
+        
+        // Extract ephemeral public key and actual ciphertext
+        let ephemeral_public_key = &ciphertext[..65];
+        let actual_ciphertext = &ciphertext[65..];
+        
+        // Parse ephemeral public key
+        let sender_key = VerifyingKey::from_sec1_bytes(ephemeral_public_key)
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        
+        // Derive shared secret (simplified ECDH)
+        let shared_point = sender_key.to_encoded_point(false);
+        let shared_secret = {
+            let mut hasher = Sha256::default();
+            hasher.update(self.signing_key.to_bytes());
+            hasher.update(shared_point.as_bytes());
+            hasher.finalize().to_vec()
+        };
+        
+        // Decrypt the message using the derived key
+        super::symmetric::decrypt_with_key(&shared_secret, actual_ciphertext)
+            .map_err(|_| CryptoError::DecryptionFailed)
+    }
 }
 
 /// A collection of keypairs.
@@ -299,6 +390,11 @@ pub fn keypair_pub_key() -> Result<Vec<u8>, CryptoError> {
     Ok(keypair.pub_key())
 }
 
+/// Derives a public key from a private key.
+pub fn derive_public_key(private_key: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    KeyPair::pub_key_from_private(private_key)
+}
+
 /// Signs a message with the selected keypair.
 pub fn keypair_sign(message: &[u8]) -> Result<Vec<u8>, CryptoError> {
     let keypair = get_selected_keypair()?;
@@ -309,4 +405,21 @@ pub fn keypair_sign(message: &[u8]) -> Result<Vec<u8>, CryptoError> {
 pub fn keypair_verify(message: &[u8], signature_bytes: &[u8]) -> Result<bool, CryptoError> {
     let keypair = get_selected_keypair()?;
     keypair.verify(message, signature_bytes)
+}
+
+/// Verifies a message signature with a public key.
+pub fn verify_with_public_key(public_key: &[u8], message: &[u8], signature_bytes: &[u8]) -> Result<bool, CryptoError> {
+    KeyPair::verify_with_public_key(public_key, message, signature_bytes)
+}
+
+/// Encrypts a message for a recipient using their public key.
+pub fn encrypt_asymmetric(recipient_public_key: &[u8], message: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    let keypair = get_selected_keypair()?;
+    keypair.encrypt_asymmetric(recipient_public_key, message)
+}
+
+/// Decrypts a message that was encrypted with the current keypair's public key.
+pub fn decrypt_asymmetric(ciphertext: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    let keypair = get_selected_keypair()?;
+    keypair.decrypt_asymmetric(ciphertext)
 }

src/core/symmetric.rs

@@ -33,7 +33,7 @@ pub fn generate_symmetric_key() -> [u8; 32] {
 ///
 /// A 32-byte array containing the derived key.
 pub fn derive_key_from_password(password: &str) -> [u8; 32] {
-    let mut hasher = Sha256::new();
+    let mut hasher = Sha256::default();
     hasher.update(password.as_bytes());
     let result = hasher.finalize();
     
@@ -111,6 +111,36 @@ pub fn decrypt_symmetric(key: &[u8], ciphertext_with_nonce: &[u8]) -> Result<Vec
         .map_err(|_| CryptoError::DecryptionFailed)
 }
 
+/// Encrypts data using a key directly (for internal use).
+///
+/// # Arguments
+///
+/// * `key` - The encryption key.
+/// * `message` - The message to encrypt.
+///
+/// # Returns
+///
+/// * `Ok(Vec<u8>)` containing the ciphertext with the nonce appended.
+/// * `Err(CryptoError)` if encryption fails.
+pub fn encrypt_with_key(key: &[u8], message: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    encrypt_symmetric(key, message)
+}
+
+/// Decrypts data using a key directly (for internal use).
+///
+/// # Arguments
+///
+/// * `key` - The decryption key.
+/// * `ciphertext_with_nonce` - The ciphertext with the nonce appended.
+///
+/// # Returns
+///
+/// * `Ok(Vec<u8>)` containing the decrypted message.
+/// * `Err(CryptoError)` if decryption fails.
+pub fn decrypt_with_key(key: &[u8], ciphertext_with_nonce: &[u8]) -> Result<Vec<u8>, CryptoError> {
+    decrypt_symmetric(key, ciphertext_with_nonce)
+}
+
 /// Metadata for an encrypted key space.
 #[derive(Serialize, Deserialize)]
 pub struct EncryptedKeySpaceMetadata {

src/lib.rs

@@ -98,6 +98,30 @@ pub fn keypair_verify(message: &[u8], signature: &[u8]) -> Result<bool, JsValue>
         .map_err(|e| JsValue::from_str(&e.to_string()))
 }
 
+#[wasm_bindgen]
+pub fn derive_public_key(private_key: &[u8]) -> Result<Vec<u8>, JsValue> {
+    keypair::derive_public_key(private_key)
+        .map_err(|e| JsValue::from_str(&e.to_string()))
+}
+
+#[wasm_bindgen]
+pub fn verify_with_public_key(public_key: &[u8], message: &[u8], signature: &[u8]) -> Result<bool, JsValue> {
+    keypair::verify_with_public_key(public_key, message, signature)
+        .map_err(|e| JsValue::from_str(&e.to_string()))
+}
+
+#[wasm_bindgen]
+pub fn encrypt_asymmetric(recipient_public_key: &[u8], message: &[u8]) -> Result<Vec<u8>, JsValue> {
+    keypair::encrypt_asymmetric(recipient_public_key, message)
+        .map_err(|e| JsValue::from_str(&e.to_string()))
+}
+
+#[wasm_bindgen]
+pub fn decrypt_asymmetric(ciphertext: &[u8]) -> Result<Vec<u8>, JsValue> {
+    keypair::decrypt_asymmetric(ciphertext)
+        .map_err(|e| JsValue::from_str(&e.to_string()))
+}
+
 // --- WebAssembly Exports for Symmetric Encryption ---
 
 #[wasm_bindgen]