[Bug] Repeat generate jwt error `Cannot access a disposed object. Object name: 'System.Security.Cryptography.RSABCrypt'.`

[LGinC]

Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.

Where is the issue?

• M.IM.JsonWebTokens
• M.IM.KeyVaultExtensions
• M.IM.Logging
• M.IM.ManagedKeyVaultSecurityKey
• M.IM.Protocols
• M.IM.Protocols.OpenIdConnect
• M.IM.Protocols.SignedHttpRequest
• M.IM.Protocols.WsFederation
• M.IM.TestExtensions
• M.IM.Tokens
• M.IM.Tokens.Saml
• M.IM.Validators
• M.IM.Xml
• S.IM.Tokens.Jwt
• Other (please describe)

Is this a new or an existing app?

Repro

void Main()
{
	
	var privateKeyPem = """
	-----BEGIN PRIVATE KEY-----
	MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYrYfdcnEec2pQ
	29fC397hsTE3gx+b6kqq9pcrE43UN2rrtD63ay6bDQ76ob3Nt6Nzyy/AS0I3eukm
	vrF/uv/K8EM0Z2ZlAkgDE3ZLw5iFueEbvG7CrWTaLx7fDbZPgp7AE4j34RQeOqkc
	0tQX/a8T3b/+gz5FWfQSp9SYXm69oD17cHE2VhN7ZOU+ap43Fo3JGfdSfGJUFFJV
	xee0KtZreVRaCpUw10rj9zlB0HxV+Hoqxhq+aU/EwWh4A3brYTj6vaIJs8a4RGr6
	IL9K0CRYPaLQhHrwHwOtRFgcT9dSJBzqllyUYqBhYPxju/X9GQuB1AJnVfrgbfts
	rb514g4NAgMBAAECggEABFT506dTVCLGFB5FEsgThmsauwuj0OPvALqD3LBcJEtE
	V7iHjXa23JI3A7NCnm+GtMyx5HQMu5u5OBVVaqKUNRw3F7/ed/QC+Q7FTW/4Z2oH
	Ml0C0OETFFqfUSHOzImlv1zUnvIQyybslR8w7tbbTngfO8kncE8DVnElCrPOnnth
	emx8E12FEuLIqqSpkxMxaZO8MgJqgH09y+SYFA9VJjeIpIXDt4M1OFpvTRZA/3mk
	KKHe3TP2SV90vYk6JzVM/zAAqLMjmHguxzoIrjAnni9C89T9qN+DXJhVnICqPwIi
	YH7VUsoX16ZUxPpiI1+8LnKjayt31wg8csMbE/87gQKBgQD1WKq4Cl/pv7EBlNTO
	9b5HaiotyluxlwV9Pse2NooGgDYxepxY6LN/NgM8jMLjSItifYiqDsW24mLGv+bs
	fXuZOlvWCEoDNSY2lXyuUnO/kp+p5bWYxmsKo4NiN4ssqmS7+eOPw3zN5DNXkPaX
	Dd0WEHm81GmniovjjbjN1H/tjQKBgQDiFi1sOGYIDFNorvFaRbzNOs+X9FkOWGNt
	Ejo678w+cm5kXSDqN0ECOmcijvFZNxz1oG/M/W9unb4zVGACKZ6o/FDUH4qgwwCn
	S7er6fvQmwwXq/Ryh0Hr1CG7dQ2X6dvtTBituehiokRfc3F66+/+MwMPPwdJUnL5
	Jbk7oyFCgQKBgQC5m/arfM3K3MZgV+QXHjpxdJOsSKbN117DvbcA1ondGSnmjMez
	S3hgCNCyAht+Luej/yxg2wQgs2veyFc/Gj9jUI8hgOvdOVxLdxP4HVCL4bUAp1OW
	3KUmS0WeDD8x70Z+HzJVFKNacAWXfYfQByD3DEfM3zV/FoV2BUWGEfkmEQKBgHGg
	x89+QPmGiF0yn6bJKezTxAYRDrlA/yeQY6e/YZ15EbZrf+F3R7sA81jREsfOBUYG
	DmqubVTg/vj5TQ+JL26q8UzLVXcayrdKPNOwU5kyc89p4v+0rxMBmLqIR/6z0I7h
	Ef4uU3dPKqH2eXBYKFRP+xesi9L0F0jVBtXMVSkBAoGAP5gc6dIETWqYiFag4MIv
	crXOiaoDfZIAqj2qHMA7NhHZftp0WDex0J1PsviFCl+TSozl2qQ63BBfW6CL6Zge
	CqRSV5VhL5Wbe8VQ44fzSj9TRSDUqJqBMGpyylH5an/CSBLTXa+HSl7VJ4xnCP2L
	YR1fMwqD7/wrNcqn1tJwKaE=
	-----END PRIVATE KEY-----
	""";

	Console.WriteLine(GenerateToken(privateKeyPem));
	
	try
	{
		Console.WriteLine(GenerateToken(privateKeyPem));
	}
	catch (Exception ex)
	{
		ex.Dump();
	}

	Console.WriteLine(GenerateToken(privateKeyPem));
	
	try
	{
		Console.WriteLine(GenerateToken(privateKeyPem));
	}
	catch (Exception ex)
	{
		ex.Dump();
	}

}

private string GenerateToken(string pem)
{

	using var rsa = RSA.Create();
	rsa.ImportFromPem(pem);
	// Create signing credentials with RSA
	var signingCredentials = new SigningCredentials(
		new RsaSecurityKey(rsa),
		SecurityAlgorithms.RsaSha256
	);
	
	var tokenDescriptor = new SecurityTokenDescriptor
	{
		Subject = new ClaimsIdentity([]),
		Expires = DateTime.UtcNow.AddDays(10),
		Issuer = "myIssuer",
		Audience = "myAudience",
		SigningCredentials = signingCredentials
	};

	var tokenHandler = new JwtSecurityTokenHandler();
	var token = tokenHandler.CreateToken(tokenDescriptor);
	return tokenHandler.WriteToken(token);
}

Expected behavior
4 jwt string output

Actual behavior
1st, 3rd output normal,
2nd, 4th output exception

Possible solution

Additional context / logs / screenshots / links to code

ObjectDisposedException
Cannot access a disposed object.Object name: 'System.Security.Cryptography.RSABCrypt'.
 at System.Security.Cryptography.RSABCrypt.GetKey()
   at System.Security.Cryptography.RSABCrypt.TrySignHash(ReadOnlySpan`1 hash, Span`1 destination, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding, Int32& bytesWritten)
   at System.Security.Cryptography.RSA.TrySignData(ReadOnlySpan`1 data, Span`1 destination, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding, Int32& bytesWritten)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignUsingSpanRsa(ReadOnlySpan`1 data, Span`1 destination, Int32& bytesWritten)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignUsingSpan(ReadOnlySpan`1 data, Span`1 destination, Int32& bytesWritten)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(ReadOnlySpan`1 input, Span`1 signature, Int32& bytesWritten)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateSignature(ReadOnlySpan`1 data, Span`1 destination, SigningCredentials signingCredentials, Int32& bytesWritten)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor, Boolean setdefaultTimesOnTokenCreation, Int32 tokenLifetimeInMinutes)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.CreateToken(SecurityTokenDescriptor tokenDescriptor)

[LGinC]

throw error from here

[LGinC]

I guess signatureProvider did not dispose.

just add signatureProvider.Dispose();
it's work.

i don't know why finally release did not work correctly

[LGinC]

strange, just change new RsaSecurityKey(rsa) to new RsaSecurityKey(rsa.ExportParameters(true)), it work

void Main()
{
	
	var privateKeyPem = """
	-----BEGIN PRIVATE KEY-----
	MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYrYfdcnEec2pQ
	29fC397hsTE3gx+b6kqq9pcrE43UN2rrtD63ay6bDQ76ob3Nt6Nzyy/AS0I3eukm
	vrF/uv/K8EM0Z2ZlAkgDE3ZLw5iFueEbvG7CrWTaLx7fDbZPgp7AE4j34RQeOqkc
	0tQX/a8T3b/+gz5FWfQSp9SYXm69oD17cHE2VhN7ZOU+ap43Fo3JGfdSfGJUFFJV
	xee0KtZreVRaCpUw10rj9zlB0HxV+Hoqxhq+aU/EwWh4A3brYTj6vaIJs8a4RGr6
	IL9K0CRYPaLQhHrwHwOtRFgcT9dSJBzqllyUYqBhYPxju/X9GQuB1AJnVfrgbfts
	rb514g4NAgMBAAECggEABFT506dTVCLGFB5FEsgThmsauwuj0OPvALqD3LBcJEtE
	V7iHjXa23JI3A7NCnm+GtMyx5HQMu5u5OBVVaqKUNRw3F7/ed/QC+Q7FTW/4Z2oH
	Ml0C0OETFFqfUSHOzImlv1zUnvIQyybslR8w7tbbTngfO8kncE8DVnElCrPOnnth
	emx8E12FEuLIqqSpkxMxaZO8MgJqgH09y+SYFA9VJjeIpIXDt4M1OFpvTRZA/3mk
	KKHe3TP2SV90vYk6JzVM/zAAqLMjmHguxzoIrjAnni9C89T9qN+DXJhVnICqPwIi
	YH7VUsoX16ZUxPpiI1+8LnKjayt31wg8csMbE/87gQKBgQD1WKq4Cl/pv7EBlNTO
	9b5HaiotyluxlwV9Pse2NooGgDYxepxY6LN/NgM8jMLjSItifYiqDsW24mLGv+bs
	fXuZOlvWCEoDNSY2lXyuUnO/kp+p5bWYxmsKo4NiN4ssqmS7+eOPw3zN5DNXkPaX
	Dd0WEHm81GmniovjjbjN1H/tjQKBgQDiFi1sOGYIDFNorvFaRbzNOs+X9FkOWGNt
	Ejo678w+cm5kXSDqN0ECOmcijvFZNxz1oG/M/W9unb4zVGACKZ6o/FDUH4qgwwCn
	S7er6fvQmwwXq/Ryh0Hr1CG7dQ2X6dvtTBituehiokRfc3F66+/+MwMPPwdJUnL5
	Jbk7oyFCgQKBgQC5m/arfM3K3MZgV+QXHjpxdJOsSKbN117DvbcA1ondGSnmjMez
	S3hgCNCyAht+Luej/yxg2wQgs2veyFc/Gj9jUI8hgOvdOVxLdxP4HVCL4bUAp1OW
	3KUmS0WeDD8x70Z+HzJVFKNacAWXfYfQByD3DEfM3zV/FoV2BUWGEfkmEQKBgHGg
	x89+QPmGiF0yn6bJKezTxAYRDrlA/yeQY6e/YZ15EbZrf+F3R7sA81jREsfOBUYG
	DmqubVTg/vj5TQ+JL26q8UzLVXcayrdKPNOwU5kyc89p4v+0rxMBmLqIR/6z0I7h
	Ef4uU3dPKqH2eXBYKFRP+xesi9L0F0jVBtXMVSkBAoGAP5gc6dIETWqYiFag4MIv
	crXOiaoDfZIAqj2qHMA7NhHZftp0WDex0J1PsviFCl+TSozl2qQ63BBfW6CL6Zge
	CqRSV5VhL5Wbe8VQ44fzSj9TRSDUqJqBMGpyylH5an/CSBLTXa+HSl7VJ4xnCP2L
	YR1fMwqD7/wrNcqn1tJwKaE=
	-----END PRIVATE KEY-----
	""";
	GenerateToken(privateKeyPem).Dump();
	
	try
	{
		GenerateToken(privateKeyPem).Dump();
	}
	catch (Exception ex)
	{
		ex.Dump();
	}
	GenerateToken(privateKeyPem).Dump();
	
	try
	{
		GenerateToken(privateKeyPem).Dump();
	}
	catch (Exception ex)
	{
		ex.Dump();
	}

}

private string GenerateToken(string pem)
{

	using var rsa = RSA.Create();
	rsa.ImportFromPem(pem);
	var signingCredentials = new SigningCredentials(
		new RsaSecurityKey(rsa.ExportParameters(true)),
		SecurityAlgorithms.RsaSha256
	);

	var tokenDescriptor = new SecurityTokenDescriptor
	{
		Subject = new ClaimsIdentity([]),
		Expires = DateTime.UtcNow.AddDays(10),
		Issuer = "myIssuer",
		Audience = "myAudience",
		SigningCredentials = signingCredentials
	};

	var tokenHandler = new JwtSecurityTokenHandler();
	var token = tokenHandler.CreateToken(tokenDescriptor);
	return tokenHandler.WriteToken(token);
}

[keegan-caruso]

@brentschmaltz - Can you take a look at this?

[brentschmaltz]

@LGinC you hit on a couple of things.
It is always better to call SignatureProvider.Release, rather than Dispose, since the CryptoProviderFactory will cache SignatureProviders. A SignatureProvider will remain in the cache until the cache is full.

I am not sure what you meant by this:

"i don't know why finally release did not work correctly"

What happens when you create a SignatureProvider with the rsa object the SignatureProvider keeps a copy of the RSA object, if it is disposed, then when the SignatureProvider attempts to use the RSA object, object dispose get hit.
When you pass the RSAParameters, a new RSA object will be created just for that SignatureProvider, any dispose called on the original RSA object will not affect the SignatureProvider.