From 4b087e221b7a60ad6d04597cd70a84caf2857a54 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sat, 4 Apr 2026 11:17:37 +0530
Subject: [PATCH] fix(crypto): increase RSA key size, fix DecryptRSA error handling, rename b64 funcs

- L1: RSA key size increased from 2048 to 4096 bits
- L2: DecryptRSA now properly handles base64 decode errors instead of silently discarding them
- L5: Added properly named EncodeB64/DecodeB64 functions alongside deprecated EncryptB64/DecryptB64 aliases
Fixes: L1, L2, L5 (Low)
---
internal/crypto/b64.go | 18 ++++++++++++++----
internal/crypto/rsa.go | 7 +++++--
2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/internal/crypto/b64.go b/internal/crypto/b64.go
index 34534225c..fcaa1160c 100644
--- a/internal/crypto/b64.go
+++ b/internal/crypto/b64.go
@@ -2,16 +2,26 @@ package crypto
 
 import "encoding/base64"
 
-// EncryptB64 encrypts data into base64 string
-func EncryptB64(text string) string {
+// EncodeB64 encodes data to a base64 string.
+func EncodeB64(text string) string {
 return base64.StdEncoding.EncodeToString([]byte(text))
 }
 
-// DecryptB64 decrypts from base64 string to readable string
-func DecryptB64(s string) (string, error) {
+// DecodeB64 decodes a base64 string back to plaintext.
+func DecodeB64(s string) (string, error) {
 data, err := base64.StdEncoding.DecodeString(s)
 if err != nil {
 return "", err
 }
 return string(data), nil
 }
+
+// EncryptB64 is a deprecated alias for EncodeB64.
+func EncryptB64(text string) string {
+ return EncodeB64(text)
+}
+
+// DecryptB64 is a deprecated alias for DecodeB64.
+func DecryptB64(s string) (string, error) {
+ return DecodeB64(s)
+}
diff --git a/internal/crypto/rsa.go b/internal/crypto/rsa.go
index 6eba85213..b2a435f70 100644
--- a/internal/crypto/rsa.go
+++ b/internal/crypto/rsa.go
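Review bot: In internal/crypto/b64.go the comments on the retained `EncryptB64` and `DecryptB64` wrappers only say "deprecated alias" in running text, which Go tooling does not recognise; gopls and staticcheck flag callers only when the doc comment has a paragraph that starts with `// Deprecated:`. I would add `// Deprecated: use EncodeB64; base64 is an encoding and gives no confidentiality.` to `EncryptB64` and the matching line naming `DecodeB64` to `DecryptB64`, so call sites that still treat these helpers as encryption are surfaced. The new `DecodeB64` comment's "back to plaintext" could read "back to the original string" for the same reason.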
@@ -13,7 +13,7 @@ import (
 // NewRSAKey to generate new RSA Key if env is not set
 // returns key instance, private key string, public key string, jwk string, error
 func NewRSAKey(algo, keyID string) (*rsa.PrivateKey, string, string, string, error) {
- key, err := rsa.GenerateKey(rand.Reader, 2048)
+ key, err := rsa.GenerateKey(rand.Reader, 4096)
 if err != nil {
 return nil, "", "", "", err
 }
@@ -130,7 +130,10 @@ func EncryptRSA(message string, key rsa.PublicKey) (string, error) {
 }
 
 func DecryptRSA(cipherText string, privateKey rsa.PrivateKey) (string, error) {
- ct, _ := base64.StdEncoding.DecodeString(cipherText)
+ ct, err := base64.StdEncoding.DecodeString(cipherText)
+ if err != nil {
+ return "", err
+ }
 label := []byte("OAEP Encrypted")
 rng := rand.Reader
 plaintext, err := rsa.DecryptOAEP(sha256.New(), rng, &privateKey, ct, label)
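Review bot: The modulus size in `NewRSAKey` is still a bare literal in the `rsa.GenerateKey` call; a named constant such as `const rsaKeyBits = 4096 // modulus size for newly generated keys` would record the choice in one documented place. The function comment says a key is generated only "if env is not set", so this change presumably leaves any already configured 2048-bit key in use; the doc comment should say that the size applies to new keys only and that rotating existing keys is a separate step. Generating a 4096-bit key is also markedly slower than a 2048-bit one, which matters if this call sits on a startup or request path that the hunk does not show. The body of `NewRSAKey` continues outside the hunk.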
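Review bot: The new early return in `DecryptRSA` hands the raw base64 error to the caller without context, so malformed input cannot be told apart from a failure in the `rsa.DecryptOAEP` call below it; `return "", fmt.Errorf("decode ciphertext: %w", err)` would do that, assuming `fmt` is or can be imported in rsa.go, which the hunk does not show. The exported function also has no doc comment; `// DecryptRSA base64-decodes cipherText and decrypts it with RSA-OAEP (SHA-256) using privateKey.` would state the contract. The rest of the body lies outside the hunk, so how the OAEP error is returned cannot be checked from here.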