
I have taken a certificate:

X509Certificate2 x509 = store.Certificates.Find(X509FindType.FindBySubjectName, "CNGTestCert", false)[0];

and now I want to get the ProviderType parameter. But I can't do x509.PrivateKey. As a result I used var key = x509.GetRSAPrivateKey();. How can I get the ProviderType out of this key to decide the KeyNumber (as done here: referencesource.microsoft.com)? Or is there an easier way to test the private key for its key function (whether the key was created for signature or exchange)?

  • What is KeyNumber? – Crypt32 Apr 20 '20 at 15:53
  • What does "exchangeable" mean? – President James K. Polk Apr 20 '20 at 15:54
  • 1
    It seems that `KeyNumber` stands for `KeySpec`. For CNG keys it is always 0fffffffff or -1. And CNG keys do not have `ProviderType` either. Exchangeable -- I can suspect, that it is whether the key is exportable or not? – Crypt32 Apr 20 '20 at 19:35
  • @Crypt32 The Key should be tested for key function. Looking here: https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.cspparameters.keynumber?view=netframework-4.8 – Christian Meißner Apr 21 '20 at 06:37
  • 1
    As I said, for CNG keys, KeyNumber is always -1 and its meaning is undefined. CNG keys no longer use/specify `AT_EXCHANGE` or `AT_SIGNATURE`. – Crypt32 Apr 21 '20 at 06:58

1 Answer

I found a way to check a CNG certificate for exchangeable. If I read the private key of the certificate by var privateKey = (cngCert.GetRSAPrivateKey() as RSACng).Key;, I get the KeyUsage. The "KeyAgreement" flag marks the certificate for usage of secret agreement generation and key exchange.

    var privateKey = (cngCert.GetRSAPrivateKey() as RSACng).Key;

    if (privateKey.KeyUsage.HasFlag(CngKeyUsages.KeyAgreement))
    {
        // key is intended for key exchange
    }
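A fuller version of this check, added here as an example and not code from the question or the answer, that handles both cases raised in the comments: a legacy CSP key (RSACryptoServiceProvider, where ProviderType and KeyNumber are defined) and a CNG key (RSACng, where KeyNumber is meaningless and the intended use is read from CngKey.KeyUsage). It assumes a certificate with subject name "CNGTestCert" in the CurrentUser\My store and reports every usage flag rather than deciding which one counts as "exchange".

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: classify a certificate's private key as CSP or CNG and report
// the properties that exist for that key type. Assumes a certificate with
// subject name "CNGTestCert" in CurrentUser\My (assumption, not from the page).
static class KeyFunctionInspector
{
    public static string Describe(X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                return "no RSA private key (or not accessible)";

            if (rsa is RSACryptoServiceProvider csp)
            {
                // Legacy CAPI key: ProviderType and KeyNumber (AT_KEYEXCHANGE / AT_SIGNATURE) are defined.
                CspKeyContainerInfo info = csp.CspKeyContainerInfo;
                return $"CSP key: ProviderType={info.ProviderType}, KeyNumber={info.KeyNumber}";
            }

            if (rsa is RSACng cng)
            {
                // CNG key: no ProviderType, KeyNumber is -1; the usage flags carry the intent.
                CngKeyUsages usage = cng.Key.KeyUsage;
                return $"CNG key: KeyUsage={usage}, " +
                       $"KeyAgreement={usage.HasFlag(CngKeyUsages.KeyAgreement)}, " +
                       $"Decryption={usage.HasFlag(CngKeyUsages.Decryption)}, " +
                       $"Signing={usage.HasFlag(CngKeyUsages.Signing)}";
            }

            return "RSA key of unexpected type " + rsa.GetType().Name;
        }
    }

    static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, "CNGTestCert", false);
            if (found.Count == 0) { Console.WriteLine("certificate not found"); return; }
            Console.WriteLine(Describe(found[0]));
        }
    }
}
```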