Description
secure-env offers robust key generation and signing using hardware security modules (Secure Enclave on iOS, Android Keystore/StrongBox on Android). While messages can be encrypted using the public key, they can't be decrypted. Apple's API provides a decryption function; I think Google's doesn't.
However, a symmetric key could be created with just the other party's public key, performing Elliptic Curve Diffie-Hellman (ECDH) key agreement on both platforms.
This function is available in the native libraries. Please add a function to secure-env that performs ECDH key agreement using a hardware-backed private key.
Proposed function (Rust pseudo-code):

```rust
/// Performs an ECDH key agreement using a hardware-backed private key.
///
/// `private_key_alias`: Alias of the stored private key.
/// `other_public_key_bytes`: Raw bytes of the other party's public key (e.g., in SEC1 uncompressed format for P-256).
///
/// Returns the derived shared secret as `Vec<u8>`.
pub fn perform_ecdh_key_agreement(
    private_key_alias: String,
    other_public_key_bytes: Vec<u8>,
) -> Result<Vec<u8>, String>;
```

Internally, this would leverage:
- Android: android.security.keystore.KeyAgreement with the PrivateKey obtained from the AndroidKeyStore.
- iOS: SecKeyCopyKeyExchangeResult from Security.framework using the SecKeyRef for the specified alias.
Benefits
Adding this function would:
- Streamline E2EE Development: Provide a secure and straightforward way to implement key exchange.
- Enhance Security: Ensure the critical ECDH private key operation occurs entirely within the secure hardware on both platforms.
- Reduce Complexity: Eliminate the need for custom JNI/FFI boilerplate or fighting problematic third-party dependencies.
Thank you for considering this vital enhancement!