X509Certificates can be extracted from the token if they are marked as extractable.
This is a snippet to extract a certificate and convert it to X509Certificate2 class:
// Searchs for an X509Certificate object
CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509));
// Launches the search specifying the template just created
CryptokiCollection objects = session.Objects.Find(template, 1);
if(objects.count == 0)
{
// CERTIFICATE NOT FOUND
return false;
}
// takes the first object as key
X509Certificate certificate = (X509Certificate)objects[0];
// convert to X509Certificate2
X509Certificate2 cert = Utils.ConvertCertificate(certificate)