CertificateRequest.CreateSelfSigned with ECDSA with invalid key usage

[vcsjones]

If you attempt to create a self signed certificate with CertificateRequest with an ECDsa key and a key usage that makes the certificate ineligible for ECDSA usage, it fails with a less-than-clear exception.

using ECDsa ecdsa = ECDsa.Create();
CertificateRequest req = new CertificateRequest("CN=who", ecdsa, HashAlgorithmName.SHA256);
req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyAgreement, true));
req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(42));

Produces:

Unhandled exception. System.ArgumentException: The provided key does not match the public key algorithm for this certificate.
   at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, ECDsa privateKey)
   at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSelfSigned(DateTimeOffset notBefore, DateTimeOffset notAfter)

We should validate the key usages and key type in CreateSelfSigned and give a better exception.

Reproduced in Core 3.1 and 5.0 RC1.

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @jeffhandley
See info in area-owners.md if you want to be subscribed.

[dotnet-policy-service]

This issue will now be closed since it had been marked no-recent-activity but received no further activity in the past 14 days. It is still possible to reopen or comment on the issue, but please note that the issue will be locked if it remains inactive for another 30 days.