Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.
Microsoft.IdentityModel.JsonWebTokens >= 7.3.1
Where is the issue?
Is this a new or an existing app?
Existing application with upgraded Microsoft.IdentityModel.JsonWebTokens.dll
Repro
Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler CreateToken will fail to add a signature to the token if the key length of the certificate is larger than the default. In the Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler CreateToken method it appears to determine the length of bytes required for the signature in the token. The decision is then based on the algorithm. No consideration is taken for key length. For RsaSha256 and RsaSha384, 512 bytes are allowed. If the key length is 8192 this is exceeded (it would need 1024).
To reproduce:
- Create a certificate with key length 8192. For example (PowerShell): New-SelfSignedCertificate -DnsName "mypcname", "localhost" -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "TestCert" -KeyAlgorithm RSA -KeyLength 8192 -HashAlgorithm SHA384 -KeyUsage DigitalSignature, KeyEncipherment
- Use this cert with the JsonWebTokenHandler CreateToken call => the token will be missing its signature
Expected behavior
Before 7.3.1 the certificate worked and the token signature could be generated. The expectation is that it still works.
Actual behavior
The token will be created without a signature and rejected when used.
Possible solution
Consider KeySize as well when calculating the byte size of the token signature.
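The repro above, written out as a self-contained check. This is an added example, not code from the issue reporter or from the Microsoft.IdentityModel library: it signs a token with an in-memory 8192-bit RSA key (an X509SecurityKey built from the New-SelfSignedCertificate certificate above would behave the same way) using JsonWebTokenHandler.CreateToken, measures the decoded signature segment against the key size, and then runs the token back through ValidateTokenAsync. The 2048-bit key is a control case and the issuer/audience strings are constructed values; it targets Microsoft.IdentityModel.JsonWebTokens 7.x and the RsaSha256 algorithm named in the report.

```csharp
// Added repro/check for the "signature missing with large RSA keys" report.
// Not from the issue or the library. Assumes Microsoft.IdentityModel.JsonWebTokens 7.x.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

class LargeKeySignatureCheck
{
    static async Task<int> Main()
    {
        // 2048 is the control case; 8192 is the key size from the report.
        // Generating an 8192-bit key can take a while.
        foreach (int keySize in new[] { 2048, 8192 })
        {
            using RSA rsa = RSA.Create(keySize);
            var key = new RsaSecurityKey(rsa) { KeyId = $"rsa-{keySize}" };
            var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);

            var handler = new JsonWebTokenHandler();
            string jwt = handler.CreateToken(new SecurityTokenDescriptor
            {
                Issuer = "https://issuer.example",   // constructed values
                Audience = "api://example",
                Expires = DateTime.UtcNow.AddMinutes(5),
                SigningCredentials = creds,
            });

            // A compact JWS is header.payload.signature. The reported bug leaves the
            // third segment empty; a correct RSA signature is keySize / 8 bytes long.
            string[] parts = jwt.Split('.');
            int sigBytes = parts.Length == 3 && parts[2].Length > 0
                ? Base64UrlEncoder.DecodeBytes(parts[2]).Length
                : 0;
            Console.WriteLine($"{keySize}-bit: signature bytes = {sigBytes} (expected {keySize / 8})");

            // Round-trip through the validator. RequireSignedTokens (the default) is set
            // explicitly: an unsigned token must be rejected, which is the "rejected when
            // used" behaviour described in the report.
            TokenValidationResult result = await handler.ValidateTokenAsync(jwt, new TokenValidationParameters
            {
                ValidIssuer = "https://issuer.example",
                ValidAudience = "api://example",
                IssuerSigningKey = key,
                RequireSignedTokens = true,
            });
            Console.WriteLine($"{keySize}-bit: valid = {result.IsValid}" +
                (result.IsValid ? "" : $" ({result.Exception?.GetType().Name})"));

            if (sigBytes != keySize / 8 || !result.IsValid)
                return 1;   // regression present
        }
        return 0;           // both key sizes signed and validated
    }
}
```

Run it against the package version in use: on an affected version the 2048-bit case passes and the 8192-bit case prints 0 signature bytes and a validation failure, and the process exits 1. Because the validator is left with RequireSignedTokens = true, the check also confirms that a token emitted without a signature is not silently accepted downstream.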