Update README and configuration to replace RSA with Ed25519 for federation security

server/config/federation.js

@@ -10,7 +10,7 @@ const FEDERATION_DOMAIN = process.env.FEDERATION_DOMAIN || '';
 let privateKeyPem = process.env.FEDERATION_PRIVATE_KEY || '';
 let publicKeyPem = '';
 
-// Load or generate RSA keys
+// Load or generate Ed25519 keys
 if (FEDERATION_DOMAIN) {
     const keyPath = path.join(__dirname, 'federation_key.pem');
 
@@ -19,9 +19,8 @@ if (FEDERATION_DOMAIN) {
     }
 
     if (!privateKeyPem) {
-        console.log('Generating new RSA federation key pair...');
-        const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
-            modulusLength: 2048,
+        console.log('Generating new Ed25519 federation key pair...');
+        const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519', {
             publicKeyEncoding: { type: 'spki', format: 'pem' },
             privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
         });
@@ -47,7 +46,7 @@ export function getFederationDomain() {
 }
 
 /**
- * Get this instance's RSA public key (PEM format).
+ * Get this instance's Ed25519 public key (PEM format).
  */
 export function getPublicKey() {
     return publicKeyPem;
@@ -61,21 +60,18 @@ export function isFederationEnabled() {
 }
 
 /**
- * RSA sign a JSON payload.
+ * Ed25519 sign a JSON payload.
  * @param {object} payload
  * @returns {string} base64 signature
  */
 export function signPayload(payload) {
     if (!privateKeyPem) throw new Error("Federation private key not available");
     const data = Buffer.from(JSON.stringify(payload));
-    const sign = crypto.createSign('SHA256');
-    sign.update(data);
-    sign.end();
-    return sign.sign(privateKeyPem, 'base64');
+    return crypto.sign(null, data, privateKeyPem).toString('base64');
 }
 
 /**
- * Verify an RSA signature against a JSON payload using a remote public key.
+ * Verify an Ed25519 signature against a JSON payload using a remote public key.
  * @param {object} payload
  * @param {string} signature base64 signature
  * @param {string} remotePublicKeyPem
@@ -85,10 +81,7 @@ export function verifyPayload(payload, signature, remotePublicKeyPem) {
     if (!remotePublicKeyPem || !signature) return false;
     try {
         const data = Buffer.from(JSON.stringify(payload));
-        const verify = crypto.createVerify('SHA256');
-        verify.update(data);
-        verify.end();
-        return verify.verify(remotePublicKeyPem, signature, 'base64');
+        return crypto.verify(null, data, remotePublicKeyPem, Buffer.from(signature, 'base64'));
     } catch (e) {
         console.error('Signature verification error:', e.message);
         return false;