Fixed ECDH key to have keyAgreement in its KeyUsage extension

jstedfast · jstedfast · commit 653ca83b4ff7 · 2026-01-25T19:01:57.000-05:00
It seems that the latest X509Certificate2 impl validates that this key usage is set if the KeyUsage extension exists.

Unfortunately, this still isn't enough to fix CmsSignerTests.TestConstructors() which is now failing with:

System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at MimeKit.Cryptography.X509Certificate2Extensions.GetPrivateKeyAsAsymmetricKeyParameter(X509Certificate2 certificate) in C:\src\MimeKit\MimeKit\Cryptography\X509Certificate2Extensions.cs:line 249
   at MimeKit.Cryptography.CmsSigner..ctor(X509Certificate2 certificate, SubjectIdentifierType signerIdentifierType) in C:\src\MimeKit\MimeKit\Cryptography\CmsSigner.cs:line 347
   at UnitTests.Cryptography.CmsSignerTests.TestConstructors() in C:\src\MimeKit\UnitTests\Cryptography\CmsSignerTests.cs:line 155
diff --git a/UnitTests/Cryptography/CmsSignerTests.cs b/UnitTests/Cryptography/CmsSignerTests.cs
@@ -151,7 +151,8 @@ public void TestConstructors ()
 				}
 
 				try {
-					signer = new CmsSigner (new X509Certificate2 (path, password, X509KeyStorageFlags.Exportable));
+					var cert = new X509Certificate2 (path, password, X509KeyStorageFlags.Exportable);
+					signer = new CmsSigner (cert);
 				} catch (Exception ex) {
 					Assert.Fail ($".ctor (X509Certificate2): {ex}");
 				}
diff --git a/UnitTests/TestData/smime/ec/smime.cfg b/UnitTests/TestData/smime/ec/smime.cfg
@@ -25,7 +25,7 @@ BasicConstraints       = critical, CA:false
 DaysValid              = 3650
 Issuer                 = ..\intermediate2.pfx
 IssuerPassword         = no.secret
-KeyUsage               = critical, digitalSignature, keyEncipherment, nonRepudiation
+KeyUsage               = critical, digitalSignature, keyAgreement, keyEncipherment, nonRepudiation
 SignatureAlgorithm     = SHA256WithRSA
 #Output                 = smime.pfx
 Password               = no.secret
diff --git a/UnitTests/TestData/smime/ec/smime.key b/UnitTests/TestData/smime/ec/smime.key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBmMPHErht57LDf+Cqs9FnZNFGOKgoufuiA1oUfJfPDBQTHhPK1EQlJ
+YV8iz2+Pbv2gBwYFK4EEACKhZANiAAT3RoBDTLPIr7D2y6MPfm4T7MuJubEfEkXL
+IH+pqeYQQrbz2D0X4Gek9BTG51uZ7q2ra8toWPZCWwksb8BbWQsvPwr0w3/2zGXJ
+GYZO1WLD97i88PODLoFqO/weGtJpi/8=
+-----END EC PRIVATE KEY-----
diff --git a/UnitTests/TestData/smime/ec/smime.pfx b/UnitTests/TestData/smime/ec/smime.pfx

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,8 @@ public void TestConstructors ()`
`151`	`151`	`}`
`152`	`152`
`153`	`153`	`try {`
`154`		`- signer = new CmsSigner (new X509Certificate2 (path, password, X509KeyStorageFlags.Exportable));`
	`154`	`+ var cert = new X509Certificate2 (path, password, X509KeyStorageFlags.Exportable);`
	`155`	`+ signer = new CmsSigner (cert);`
`155`	`156`	`} catch (Exception ex) {`
`156`	`157`	`Assert.Fail ($".ctor (X509Certificate2): {ex}");`
`157`	`158`	`}`