Error Creating JWT Token using RSA Security Key with key size less than 2048

Question

I'm facing an exception when trying to create a JWT token in C# Web API application.

Test environment

• Platform: Windows 10 x64 with .net framework: 4.6.1
• jwt NuGet package: System.IdentityModel.Tokens.Jwt version: 4.0.2.206221351

Here is the code responsible for generating RSA keys:

    public SignatureInformation CreateNewSignatureInformation(int length = 0)
    {
        try
        {
            var signatureInformation = new SignatureInformation();

            var rsaProvider = new RSACryptoServiceProvider(length);

            var publicKey = rsaProvider.ToXmlString(false);
            signatureInformation.Public = publicKey;

            var privateKey = rsaProvider.ToXmlString(true);
            signatureInformation.Private = privateKey;

            return signatureInformation;
        }
        catch (Exception)
        {
            return null;
        }
    }

And here is the code responsible for generating a JTW token signed with a RSA key pair generated with the above code:

    private string GenerateToken(string privateKeyInXml)
    {
        var cryptoServiceProvider = new RSACryptoServiceProvider();
        cryptoServiceProvider.FromXmlString(privateKeyInXml);

        var creds = new SigningCredentials(new RsaSecurityKey(cryptoServiceProvider),
            SecurityAlgorithms.RsaSha256Signature,
            SecurityAlgorithms.Sha256Digest);

        var nbf = DateTime.UtcNow;
        var exp = nbf.AddMinutes(10);
        var jwtToken = new JwtSecurityToken("SAMPLE_ISSUER",
            "SAMPLE_AUDIENCE",
            null, //null is given as claims list in this sample
            nbf,
            exp,
            creds);

        var tokenHandler = new JwtSecurityTokenHandler();
        var token = tokenHandler.WriteToken(jwtToken); //the exception is thrown here
        return token;
    }

the exception thrown is of type System.ArgumentOutOfRangeException and the message is:

"IDX10630: The 'System.IdentityModel.Tokens.RsaSecurityKey' for signing cannot be smaller than '2048' bits.\r\nParameter name: key.KeySize\r\nActual value was 512."

Question

How can I generate a JWT Token using an RSA Security Key with key size less than 2048?

Answer 1

Restriction on minimum key size in this case is controlled by SignatureProviderFactory.MinimumAsymmetricKeySizeInBitsForSigning property. Unfortunately, there is also an "absolute" minimum, which is controlled by readonly field SignatureProviderFactory.AbsoluteMinimumAsymmetricKeySizeInBitsForSigning, and this "absolute" minimum is set to 2048.

You have to use reflection to modify value of that readonly field to the value you desire. After that, you can set MinimumAsymmetricKeySizeInBitsForSigning to the same desired value.

Sample code:

var absoluteField = typeof(SignatureProviderFactory).GetField(nameof(SignatureProviderFactory.AbsoluteMinimumAsymmetricKeySizeInBitsForSigning), BindingFlags.Public | BindingFlags.Static);
absoluteField.SetValue(null, 512);
SignatureProviderFactory.MinimumAsymmetricKeySizeInBitsForSigning = 512;

After that your code should work fine and accept any assymetric keys of size 512 and above.