5

I'm facing an exception when trying to create a JWT token in C# Web API application.

Test environment

Here is the code responsible for generating RSA keys:

    public SignatureInformation CreateNewSignatureInformation(int length = 0)
    {
        try
        {
            var signatureInformation = new SignatureInformation();

            var rsaProvider = new RSACryptoServiceProvider(length);

            var publicKey = rsaProvider.ToXmlString(false);
            signatureInformation.Public = publicKey;

            var privateKey = rsaProvider.ToXmlString(true);
            signatureInformation.Private = privateKey;

            return signatureInformation;
        }
        catch (Exception)
        {
            return null;
        }
    }

And here is the code responsible for generating a JTW token signed with a RSA key pair generated with the above code:

    private string GenerateToken(string privateKeyInXml)
    {
        var cryptoServiceProvider = new RSACryptoServiceProvider();
        cryptoServiceProvider.FromXmlString(privateKeyInXml);

        var creds = new SigningCredentials(new RsaSecurityKey(cryptoServiceProvider),
            SecurityAlgorithms.RsaSha256Signature,
            SecurityAlgorithms.Sha256Digest);

        var nbf = DateTime.UtcNow;
        var exp = nbf.AddMinutes(10);
        var jwtToken = new JwtSecurityToken("SAMPLE_ISSUER",
            "SAMPLE_AUDIENCE",
            null, //null is given as claims list in this sample
            nbf,
            exp,
            creds);

        var tokenHandler = new JwtSecurityTokenHandler();
        var token = tokenHandler.WriteToken(jwtToken); //the exception is thrown here
        return token;
    }

the exception thrown is of type System.ArgumentOutOfRangeException and the message is:

"IDX10630: The 'System.IdentityModel.Tokens.RsaSecurityKey' for signing cannot be smaller than '2048' bits.\r\nParameter name: key.KeySize\r\nActual value was 512."

Question

How can I generate a JWT Token using an RSA Security Key with key size less than 2048?

monty
  • 7,888
  • 16
  • 63
  • 100
Shadi Mahmoodian
  • 94
  • 1
  • 10
  • Is it a requirement to use keys with smaller size? I mean you can just adjust your code to generate keys with required size instead. – Evk May 01 '18 at 14:24
  • @Evk Yes, It is. In fact I am generating another set of RSA key's with 2048 key size for some other purpose in my service. This one however must be smaller in order to reduce the CPU calculation overhead since the system is under some 10K request per second load. – Shadi Mahmoodian May 01 '18 at 14:56

1 Answers1

4

Restriction on minimum key size in this case is controlled by SignatureProviderFactory.MinimumAsymmetricKeySizeInBitsForSigning property. Unfortunately, there is also an "absolute" minimum, which is controlled by readonly field SignatureProviderFactory.AbsoluteMinimumAsymmetricKeySizeInBitsForSigning, and this "absolute" minimum is set to 2048.

You have to use reflection to modify value of that readonly field to the value you desire. After that, you can set MinimumAsymmetricKeySizeInBitsForSigning to the same desired value.

Sample code:

var absoluteField = typeof(SignatureProviderFactory).GetField(nameof(SignatureProviderFactory.AbsoluteMinimumAsymmetricKeySizeInBitsForSigning), BindingFlags.Public | BindingFlags.Static);
absoluteField.SetValue(null, 512);
SignatureProviderFactory.MinimumAsymmetricKeySizeInBitsForSigning = 512;

After that your code should work fine and accept any assymetric keys of size 512 and above.

Evk
  • 98,527
  • 8
  • 141
  • 191
  • Any euivalnet code for .net core 3.1. facing similar issue in https://stackoverflow.com/questions/60599339/any-way-to-creat-jwt-token-with-key-size-512-getting-error-idx10630-idx10630 – Kamran Shahid Mar 09 '20 at 11:15