fix: encrypt AES key with RSA before server exchange

[Copilot]

The AES key used for WebRTC audio/video encryption was being transmitted to the server in plaintext, allowing the server to observe and potentially exploit it.

Changes

• sdk.ts – AES key exchange already patched: shareEncryptedAesKey() RSA-OAEP encrypts the exported AES JWK with the receiver's public key before posting to the server; getPublicKey() decrypts the received ciphertext with the local RSA private key before importing it.

// Sender: encrypt AES key with receiver's RSA public key
private async shareEncryptedAesKey(): Promise<void> {
    const aesKeyJwk = await this.symEncryption.getRawAesKeyToExport();
    const encryptedAesKey = await _cryptoUtils.encryptMessage(aesKeyJwk, this.receiverPublicKey!);
    await sharePublicKey({ aesKey: encryptedAesKey, publicKey: this.publicKey, ... });
}

// Receiver: decrypt with own RSA private key
const decryptedAesKeyJwk = await _cryptoUtils.decryptMessage(receiverPublicKey.aesKey, this.privateKey!);
await this.symEncryption.setRemoteAesKey(decryptedAesKeyJwk);

• cryptoAES.ts – Removed stale TODO comment on getRawAesKeyToExport() that incorrectly warned the key should not be transmitted (predated the RSA-wrapping fix).

• crypto.test.ts – Added test suite AES key exchange via RSA-encrypted channel covering:

  • Full exchange round-trip: Alice encrypts AES key with Bob's RSA public key → Bob decrypts → successfully decrypts AES-GCM data encrypted by Alice.
  • Attacker exclusion: a third party with a different RSA key pair cannot decrypt the intercepted AES key ciphertext.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud