From ecb33a17feae2457246a9ea00141f7942d2646e2 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Tue, 3 Feb 2026 21:33:57 -0600
Subject: [PATCH] fix(#288): Upgrade RSA key size to 4096 bits

Changed modulusLength from 2048 to 4096 in generateKeypair() method
following NIST recommendations for long-term security. Added test to
verify generated keys meet the minimum size requirement.

Security improvement: RSA-4096 provides better protection against
future cryptographic attacks as computational power increases.

Fixes #288

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 apps/api/src/federation/federation.service.spec.ts | 12 ++++++++++++
 apps/api/src/federation/federation.service.ts      |  3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/federation/federation.service.spec.ts b/apps/api/src/federation/federation.service.spec.ts
index fb85ea8..3914270 100644
--- a/apps/api/src/federation/federation.service.spec.ts
+++ b/apps/api/src/federation/federation.service.spec.ts
@@ -198,6 +198,18 @@ describe("FederationService", () => {
       expect(result1.publicKey).not.toEqual(result2.publicKey);
       expect(result1.privateKey).not.toEqual(result2.privateKey);
     });
+
+    it("should generate RSA-4096 key pairs for future-proof security", () => {
+      // Act
+      const result = service.generateKeypair();
+
+      // Assert - Verify key size by checking approximate length
+      // RSA-4096 keys are significantly larger than RSA-2048
+      // Private key in PKCS8 format: RSA-2048 ≈ 1700 bytes, RSA-4096 ≈ 3200 bytes
+      // Public key in SPKI format: RSA-2048 ≈ 400 bytes, RSA-4096 ≈ 800 bytes
+      expect(result.privateKey.length).toBeGreaterThan(3000);
+      expect(result.publicKey.length).toBeGreaterThan(700);
+    });
   });
 
   describe("regenerateKeypair", () => {
diff --git a/apps/api/src/federation/federation.service.ts b/apps/api/src/federation/federation.service.ts
index 390aec3..1e7e03a 100644
--- a/apps/api/src/federation/federation.service.ts
+++ b/apps/api/src/federation/federation.service.ts
@@ -57,10 +57,11 @@ export class FederationService {
 
   /**
    * Generate a new RSA key pair for instance signing
+   * Uses RSA-4096 for future-proof security (NIST recommendation)
    */
   generateKeypair(): KeyPair {
     const { publicKey, privateKey } = generateKeyPairSync("rsa", {
-      modulusLength: 2048,
+      modulusLength: 4096,
       publicKeyEncoding: {
         type: "spki",
         format: "pem",