Update key sizes in aspire extension to 4096 bits (#11861)

* update key sizes to 4096

* make createSelfSignedCert async

* revert generateToken change

Author: adamint

extension/src/dcp/AspireDcpServer.ts

@@ -1,7 +1,7 @@
 import express, { Request, Response, NextFunction } from 'express';
 import https from 'https';
 import WebSocket, { WebSocketServer } from 'ws';
-import { createSelfSignedCert, generateToken } from '../utils/security';
+import { createSelfSignedCertAsync, generateToken } from '../utils/security';
 import { extensionLogOutputChannel } from '../utils/logging';
 import { AspireResourceDebugSession, DcpServerConnectionInfo, ErrorDetails, ErrorResponse, ProcessRestartedNotification, RunSessionNotification, RunSessionPayload, ServiceLogsNotification, SessionMessageNotification, SessionTerminatedNotification } from './types';
 import { AspireDebugSession } from '../debugger/AspireDebugSession';
@@ -38,7 +38,7 @@ export default class AspireDcpServer {
         const wsBySession = new Map<string, WebSocket>();
         const pendingNotificationQueueByDcpId = new Map<string, RunSessionNotification[]>();
 
-        return new Promise((resolve, reject) => {
+        return new Promise(async (resolve, reject) => {
             const token = generateToken();
 
             const app = express();
@@ -174,7 +174,7 @@ export default class AspireDcpServer {
             });
 
 
-            const { key, cert, certBase64 } = createSelfSignedCert();
+            const { key, cert, certBase64 } = await createSelfSignedCertAsync();
             const server = https.createServer({ key, cert }, app);
             const wss = new WebSocketServer({ noServer: true });
 

extension/src/server/AspireRpcServer.ts

@@ -5,7 +5,7 @@ import { invalidTokenProvided, rpcServerAddressError, rpcServerError } from '../
 import { addInteractionServiceEndpoints, IInteractionService } from './interactionService';
 import { ICliRpcClient } from './rpcClient';
 import * as tls from 'tls';
-import { createSelfSignedCert, generateToken } from '../utils/security';
+import { createSelfSignedCertAsync, generateToken } from '../utils/security';
 import { extensionLogOutputChannel } from '../utils/logging';
 import { getSupportedCapabilities } from '../capabilities';
 import { timingSafeEqual } from 'crypto';
@@ -51,9 +51,9 @@ export default class AspireRpcServer {
         this.server.close();
     }
 
-    static create(rpcClientFactory: (rpcServerConnectionInfo: RpcServerConnectionInfo, connection: MessageConnection, token: string, debugSessionId: string | null) => ICliRpcClient): Promise<AspireRpcServer> {
+    static async create(rpcClientFactory: (rpcServerConnectionInfo: RpcServerConnectionInfo, connection: MessageConnection, token: string, debugSessionId: string | null) => ICliRpcClient): Promise<AspireRpcServer> {
         const token = generateToken();
-        const { key, cert } = createSelfSignedCert();
+        const { key, cert } = await createSelfSignedCertAsync();
 
         function withAuthentication(callback: (...params: any[]) => any) {
             return (...params: any[]) => {

extension/src/utils/security.ts

@@ -1,9 +1,25 @@
 import { randomBytes, X509Certificate } from 'crypto';
 import forge from 'node-forge';
 
-export function createSelfSignedCert(commonName: string = 'localhost') {
+interface SelfSignedCert {
+    key: string;
+    cert: string;
+    certBase64: string;
+}
+
+export async function createSelfSignedCertAsync(commonName: string = 'localhost'): Promise<SelfSignedCert> {
   const pki = forge.pki;
-  const keys = pki.rsa.generateKeyPair(2048);
+  const keys = await new Promise<forge.pki.rsa.KeyPair>((resolve, reject) => {
+    // 4096 bits provides enough entropy. Follows modern industry practice
+    pki.rsa.generateKeyPair({ bits: 4096, workers: -1 }, (err, keypair) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve(keypair);
+      }
+    });
+  });
+
   const cert = pki.createCertificate();
   cert.publicKey = keys.publicKey;
   cert.serialNumber = (Math.floor(Math.random() * 1e16)).toString();