I am developing an ASP.NET Core Web API and want to use JWT (JSON Web Tokens) for authentication. I want to sign the tokens using RSA encryption. The API should be deployable on both Linux and Windows servers, so the solution must be cross-platform.

Below is my current code for generating the JWT token and exporting the private key:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public class JwtTokenGenerator
{
    private readonly RSA _rsa;
    private readonly RsaSecurityKey _rsaSecurityKey;
    private readonly string _issuer;
    private readonly string _audience;

    public JwtTokenGenerator(string issuer, string audience)
    {
        _issuer = issuer;
        _audience = audience;

        // Generate RSA key
        _rsa = RSA.Create();
        _rsa.KeySize = 2048; // Set key size
        _rsaSecurityKey = new RsaSecurityKey(_rsa);
    }

    /// <summary>
    /// Generates a JWT token
    /// </summary>
    /// <param name="claims">List of claims for the token</param>
    /// <param name="expiresInMinutes">Token validity in minutes</param>
    /// <returns>The generated JWT token as a string</returns>
    public string GenerateToken(Claim[] claims, int expiresInMinutes)
    {
        var signingCredentials = new SigningCredentials(_rsaSecurityKey, SecurityAlgorithms.RsaSha256);

        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Expires = DateTime.UtcNow.AddMinutes(expiresInMinutes),
            Issuer = _issuer,
            Audience = _audience,
            SigningCredentials = signingCredentials
        };

        var tokenHandler = new JwtSecurityTokenHandler();
        var token = tokenHandler.CreateToken(tokenDescriptor);

        return tokenHandler.WriteToken(token);
    }

    /// <summary>
    /// Exports the private RSA key as XML
    /// </summary>
    /// <returns>The private key as an XML string</returns>
    public string ExportPrivateKey()
    {
        return _rsa.ToXmlString(true); // Export the private key
    }
}

QUESTION: Where can I store the private key safely? Environment variables? I know that storing it in the code or appsettings is not the proper way. If you have an answer, please explain it a little bit. Thank you

  • Not really my expertise, but I'd be very surprised if you find a cross-platform solution. At some point, you really need the assistance of the OS to provide a secure store for key material. If you do it at the app level, it's very hard to protect your keys. Commented Dec 7, 2024 at 6:05
  • You better create an X509 certificate / have your private key stored as an X509Certificate, deploy that certificate to all machines out-of-band. Then use X509Store to get that certificate. X509Store is OS agnostic. It has a Platform Abstraction Layer (PAL) for every major OS. Commented Dec 7, 2024 at 8:06
  • @rene ok, but for the certificate I need to use a password. That means that I have to store the password somewhere. Putting the password into the environment variables, for example, is the same as putting the private key directly into the environment variables. Where should I save the password to open the certificate? Commented Dec 9, 2024 at 9:56
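The following is an added example (it is not the asker's code and not a posted answer) showing the approach suggested in the comments above: the RSA key pair is owned by a certificate that lives in the OS certificate store and is looked up by thumbprint, so the only value that has to go into appsettings or an environment variable is the thumbprint, which is public information. The class name `CertificateJwtSigner`, the factory methods `FromStore` and `FromPemFiles`, and the configuration key `Jwt:Thumbprint` are assumptions made for this example; the .NET APIs used (`X509Store`, `X509Certificate2.CreateFromPemFile`, `X509SecurityKey`) are standard ones.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Added example, not the asker's code: the signing key belongs to a certificate that lives in
// the OS certificate store (or, as a fallback, in PEM files readable only by the service account).
// The only value that has to be configured is the thumbprint, which is not a secret.
public sealed class CertificateJwtSigner : IDisposable
{
    private readonly X509Certificate2 _cert;
    private readonly string _issuer;
    private readonly string _audience;

    private CertificateJwtSigner(X509Certificate2 cert, string issuer, string audience)
    {
        if (!cert.HasPrivateKey)
            throw new ArgumentException("Signing certificate has no private key.", nameof(cert));
        _cert = cert;
        _issuer = issuer;
        _audience = audience;
    }

    // Looks the certificate up by thumbprint. X509Store works on Windows, Linux and macOS; where
    // the private key is kept is decided by the OS (CNG/DPAPI on Windows, files under the user's
    // profile on Linux), so no PFX password is needed at runtime, only once at import time.
    public static CertificateJwtSigner FromStore(string thumbprint, string issuer, string audience,
        StoreLocation location = StoreLocation.CurrentUser)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException($"No certificate {thumbprint} in {location}/{StoreName.My}.");
        return new CertificateJwtSigner(found[0], issuer, audience);
    }

    // Fallback for hosts without a usable store: certificate and key deployed out-of-band as PEM
    // files (e.g. mode 0400, owned by the service user). Only the paths come from configuration.
    public static CertificateJwtSigner FromPemFiles(string certPemPath, string keyPemPath,
        string issuer, string audience)
        => new CertificateJwtSigner(X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath), issuer, audience);

    // Same shape as the asker's GenerateToken, but signs with the certificate's private key.
    public string GenerateToken(Claim[] claims, int expiresInMinutes)
    {
        var credentials = new SigningCredentials(new X509SecurityKey(_cert), SecurityAlgorithms.RsaSha256);
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Expires = DateTime.UtcNow.AddMinutes(expiresInMinutes),
            Issuer = _issuer,
            Audience = _audience,
            SigningCredentials = credentials
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validation needs only the public certificate: RawData is the DER-encoded certificate without
    // the key, so these parameters can be handed to AddJwtBearer without exposing the private key.
    // Pinning ValidAlgorithms prevents a token signed with a different algorithm from being accepted.
    public TokenValidationParameters ValidationParameters() => new TokenValidationParameters
    {
        ValidIssuer = _issuer,
        ValidAudience = _audience,
        IssuerSigningKey = new X509SecurityKey(new X509Certificate2(_cert.RawData)),
        ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true
    };

    public void Dispose() => _cert.Dispose();
}

// Wiring sketch for Program.cs (assumed configuration key "Jwt:Thumbprint"):
//   var signer = CertificateJwtSigner.FromStore(builder.Configuration["Jwt:Thumbprint"], "my-api", "my-clients");
//   builder.Services.AddSingleton(signer);
//   builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
//       .AddJwtBearer(o => o.TokenValidationParameters = signer.ValidationParameters());
```

This also answers the password concern raised in the last comment: the PFX password is used exactly once, when the operator imports the certificate into the store on each machine out-of-band (for example with `certutil` on Windows or `dotnet dev-certs`-style tooling / a small import script on Linux), and the running API never sees it. What then protects the key is the OS rather than the application: on Windows the key is held by CNG and can be imported as non-exportable; on Linux the CurrentUser store is a directory under the user's home, protected only by file permissions, so a dedicated service account with a restrictive umask is what keeps it private. Leaking appsettings.json or an environment dump in either case yields only a thumbprint. Where a stronger guarantee is needed, the same `X509SecurityKey` pattern works with a certificate whose key lives in an HSM or cloud KMS, because `RSA` implementations backed by those providers plug in behind the same `X509Certificate2`.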
