[KeyVault] Migrate BouncyCastle Library

[notyashhh]

Description

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately
  • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
  • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
• SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
• SHOULD have proper test coverage for changes in pull request.
• SHOULD NOT adjust version of module manually in pull request

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull request overview

This PR attempts to migrate the KeyVault module from using the Portable.BouncyCastle library to built-in .NET cryptography APIs for PEM key handling in security domain operations. The change addresses a CodeQL security finding about using approved cryptographic libraries by replacing third-party crypto code with .NET's native implementation.

Key changes:

• Replaced BouncyCastle's PemReader with .NET's RSA.ImportFromPem and ImportFromEncryptedPem methods
• Removed the Portable.BouncyCastle NuGet package dependency
• Removed BouncyCastle assembly from module manifest

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/KeyVault/KeyVault/SecurityDomain/Models/CertKey.cs	Replaced BouncyCastle PEM parsing with .NET 5+ ImportFromPem methods; removed helper methods for RSA parameter conversion
src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs	Removed unused BouncyCastle X509 import
src/KeyVault/KeyVault/KeyVault.csproj	Removed Portable.BouncyCastle package reference
src/KeyVault/KeyVault/Az.KeyVault.psd1	Removed BouncyCastle assembly from RequiredAssemblies list
src/KeyVault/KeyVault/ChangeLog.md	Added changelog entry describing the migration

[Copilot]

The methods ImportFromPem and ImportFromEncryptedPem require .NET 5.0 or later, but this project targets netstandard2.0 (as defined in Az.props). This will cause runtime errors when the code is executed on .NET Framework or .NET Standard 2.0 runtimes.

Since the BouncyCastle library was previously used to support these older runtimes, removing it without ensuring the replacement methods are available will break backwards compatibility. You need to either:

1. Keep using a PEM parsing library compatible with netstandard2.0, or
2. Add conditional compilation to use different implementations based on the target framework, or
3. Upgrade the project's target framework to net5.0 or later (which may have broader implications for Azure PowerShell)

[Copilot]

The changelog entry uses technical acronyms "PEM", "PKCS#1", and "PKCS#8" without explanation. According to the ChangeLog.md guidelines for Azure PowerShell, less-obvious acronyms should be explained on first use in a release section, as the primary audience is Azure PowerShell users, not developers.

Consider updating to:

* Updated security domain PEM (Privacy Enhanced Mail) key handling to use built-in .NET cryptography instead of Portable.BouncyCastle
    - Maintains support for standard PKCS#1 and PKCS#8 key formats while resolving the CodeQL cs/use-approved-crypto-library finding