Bump the key size of RSA keys used to generate ephemeral keys and development certificates

3 days ago · b28f31891f
2 changed files with 9 additions and 10 deletions
--- a/src/OpenIddict.Client/OpenIddictClientBuilder.cs
+++ b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@ -207,7 +207,7 @@ public sealed class OpenIddictClientBuilder
            if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
            {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);

                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
@ -299,7 +299,7 @@ public sealed class OpenIddictClientBuilder
            SecurityAlgorithms.RsaOAEP or
            SecurityAlgorithms.RsaOaepKeyWrap
                => AddEncryptionCredentials(new EncryptingCredentials(
-                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
                    algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),

            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
@ -585,7 +585,7 @@ public sealed class OpenIddictClientBuilder
            if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
            {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);

                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@ -681,7 +681,7 @@ public sealed class OpenIddictClientBuilder
            SecurityAlgorithms.RsaSsaPssSha384Signature or
            SecurityAlgorithms.RsaSsaPssSha512Signature
                => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
-                    OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+                    OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),

 #if SUPPORTS_ECDSA
            SecurityAlgorithms.EcdsaSha256 or
--- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs
+++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@ -218,7 +218,7 @@ public sealed class OpenIddictServerBuilder
            if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
            {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);

                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
@ -310,7 +310,7 @@ public sealed class OpenIddictServerBuilder
            SecurityAlgorithms.RsaOAEP or
            SecurityAlgorithms.RsaOaepKeyWrap
                => AddEncryptionCredentials(new EncryptingCredentials(
-                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
                    algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),

            _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
@ -593,11 +593,10 @@ public sealed class OpenIddictServerBuilder
                .Cast<X509Certificate2>()
                .ToList();

-            if (!certificates.Exists(certificate =>
-                    certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
+            if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
            {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);

                var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@ -693,7 +692,7 @@ public sealed class OpenIddictServerBuilder
            SecurityAlgorithms.RsaSsaPssSha384Signature or
            SecurityAlgorithms.RsaSsaPssSha512Signature
                => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
-                    OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+                    OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),

 #if SUPPORTS_ECDSA
            SecurityAlgorithms.EcdsaSha256 or