From 90b56c448ae0bc49e56f837ebb692388ddfd705d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 3 Feb 2026 18:12:44 +0100
Subject: [PATCH] Bump the key size of RSA keys used to generate ephemeral keys and development certificates

---
 src/OpenIddict.Client/OpenIddictClientBuilder.cs | 8 ++++----
 src/OpenIddict.Server/OpenIddictServerBuilder.cs | 11 +++++------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/OpenIddict.Client/OpenIddictClientBuilder.cs b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
index 0eb9d157..860345cd 100644
--- a/src/OpenIddict.Client/OpenIddictClientBuilder.cs
+++ b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@@ -207,7 +207,7 @@ public sealed class OpenIddictClientBuilder
 if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
 {
 #if SUPPORTS_CERTIFICATE_GENERATION
- using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+ using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
@@ -299,7 +299,7 @@ public sealed class OpenIddictClientBuilder
 SecurityAlgorithms.RsaOAEP or
 SecurityAlgorithms.RsaOaepKeyWrap
 => AddEncryptionCredentials(new EncryptingCredentials(
- new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+ new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
 algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),
 
 _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
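Review bot: The `certificates.Exists(...)` predicate on the first context line of the -207 hunk picks an existing development certificate by validity dates only, so a deployment that already generated a 2048-bit development certificate skips the generation branch and presumably keeps using that certificate; the 4096-bit size on the `+` line only reaches installations that have no valid certificate yet, or whose certificate has expired or been removed. If the bump is meant to apply to existing installations too, the predicate would need a key-size condition alongside the date check (for example via `certificate.GetRSAPublicKey()` and its `KeySize`, taking care to dispose the returned instance), and either way the reuse behaviour is worth a sentence in the commit message. The same applies to the development-certificate hunks at -585 (client) and -218 and -593 (server). The enclosing method starts and ends outside the hunk, and what happens to a certificate that fails the filter is not visible here.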
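Review bot: The `+` line of the -299 hunk now generates a 4096-bit RSA key for the ephemeral encryption credentials, which is considerably more expensive than 2048 both at generation time (paid on every startup if, as the title's "ephemeral" suggests, these keys are not persisted) and for every subsequent private-key operation, so startup latency and token-decryption cost change with this commit and that trade-off belongs in the commit message or release notes. The literal `4096` is also now repeated at eight call sites across the two builders (this hunk, -681, the server hunks at -310 and -693, and the four development-certificate hunks), so a single named constant — e.g. `OpenIddictHelpers.CreateRsaKey(size: OpenIddictHelpers.DefaultRsaKeySize)` with a `const int DefaultRsaKeySize = 4096;` next to the helper — or a default value for the `size` parameter would keep the client and server builders from drifting; `CreateRsaKey`'s definition is outside this patch, so whether such a default already exists cannot be seen here. The switch expression containing this arm starts and ends outside the hunk.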
@@ -585,7 +585,7 @@ public sealed class OpenIddictClientBuilder
 if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
 {
 #if SUPPORTS_CERTIFICATE_GENERATION
- using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+ using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@@ -681,7 +681,7 @@ public sealed class OpenIddictClientBuilder
 SecurityAlgorithms.RsaSsaPssSha384Signature or
 SecurityAlgorithms.RsaSsaPssSha512Signature
 => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
- OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+ OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),
 
 #if SUPPORTS_ECDSA
 SecurityAlgorithms.EcdsaSha256 or
diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
index 3a6e19fb..8cb4fb4a 100644
--- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs
+++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@@ -218,7 +218,7 @@ public sealed class OpenIddictServerBuilder
 if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
 {
 #if SUPPORTS_CERTIFICATE_GENERATION
- using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+ using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
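Review bot: For the ephemeral signing credentials on the `+` line of the -681 hunk, a 4096-bit key makes every RSA signature 512 bytes instead of 256, so each issued JWT grows by roughly 340 base64url characters and signing cost rises several-fold compared with the 2048-bit key it replaces; that is a visible change for deployments that put tokens in headers, cookies or query strings with length limits. The same holds for the server-side signing hunk at -693. A short note on the size and throughput impact in the commit message would let operators plan for it; the switch expression containing this arm starts and ends outside the hunk.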
@@ -310,7 +310,7 @@ public sealed class OpenIddictServerBuilder
 SecurityAlgorithms.RsaOAEP or
 SecurityAlgorithms.RsaOaepKeyWrap
 => AddEncryptionCredentials(new EncryptingCredentials(
- new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+ new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
 algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),
 
 _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
@@ -593,11 +593,10 @@ public sealed class OpenIddictServerBuilder
 .Cast()
 .ToList();
 
- if (!certificates.Exists(certificate =>
- certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
+ if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
 {
 #if SUPPORTS_CERTIFICATE_GENERATION
- using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+ using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@@ -693,7 +692,7 @@ public sealed class OpenIddictServerBuilder
 SecurityAlgorithms.RsaSsaPssSha384Signature or
 SecurityAlgorithms.RsaSsaPssSha512Signature
 => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
- OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+ OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),
 
 #if SUPPORTS_ECDSA
 SecurityAlgorithms.EcdsaSha256 or
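Review bot: The first `-`/`+` pair of the -593 hunk, which joins the two-line `certificates.Exists(certificate => ...)` predicate onto a single line, is a formatting change unrelated to the key-size bump that the commit title describes. It does make the server builder match the one-line form already used in the client builder (visible as context in the -207 hunk), but bundled here it is easy to miss in a review of a cryptographic change, so it would be cleaner as a separate commit or at least called out in the message. The enclosing method starts and ends outside the hunk.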