Extracting key of type ECDA or ECDH from X509Certificate2 object

[MukilanP]

I have X509Certificate2 object which is constructed from PFX bytes. It can be ECDSA/ECDH key. I would like to extract the key. How can I know whether it is ECDSA/ECDH key and call GetECDsaPrivateKey() or GetECDiffieHellmanPrivateKey().

[bartonjs]

If by "extract" you mean "export", then you can generally pick one arbitrarily. If you mean "use" then you have to pick the one that meets your needs.

The certificate's Key Usage can say that the key should only be used for signing, in which case it's ECDSA, or that it should only be used for key agreement, in which case it's ECDH. But if it's flexible, you get to pick.

https://source.dot.net/#System.Security.Cryptography/System/Security/Cryptography/X509Certificates/ECDsaCertificateExtensions.cs,3e517b2c43fe7cfc

[MukilanP]

Thank you very much Jeremy for the answer and the reference to the function.

One more query on top of it. Do we consider the key is ECDH type if it has only Key Agreement key usage or combination of key usage including Key Agreement.

[vcsjones]

Do we consider the key is ECDH type if it has only Key Agreement key usage or combination of key usage including Key Agreement.

A certificate key is useable for GetECDsaPrivateKey if the key usage has any of the following properties:

• Is missing entirely. No key usage extension means "All usages"
• Does not have the keyAgreement key usage.
• Has the keyAgreement key usage, and has one of keyCertSign, crlSign, nonRepudiation, or digitalSignature.

A certificate key is useable for GetECDiffieHellmanPrivateKey if the key usage has any of the following properties:

• Is missing entirely. No key usage extension means "All usages"
• Explicitly has the keyAgreement key usage.

So you can certainly end up in a situation where a certificate is useable for both.

[MukilanP]

Thank you very much Kevin