@PranavSenthilnathan PranavSenthilnathan commented Jul 22, 2025

Adds GetMLDsaPublicKey, GetMLDsaPrivateKey and CopyWithPrivateKey extension methods for X509Certificate2 in Microsoft.Bcl.Cryptography.

Note that GetPrivateKey requires the SafeNCryptKeyHandle overload with 2 parameters to allow associating a key with a certificate. This was introduced in .NET Framework 4.7.2. Instead of making GetPrivateKey unavailable in .NET Framework 4.6.2 and .NET Standard, we will do a runtime check for the constructor. This is to accommodate the common scenario of people targeting net462 or otherwise referencing the net462 version of the package, but actually running on net481.

Contributes to #113502
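
Added example, not code from this pull request: one way to do the runtime constructor check described above, using reflection so that an assembly compiled against net462 can still call the two-parameter SafeNCryptKeyHandle constructor when the running framework provides it. The names NCryptKeyHandleFactory, IsSupported and Create, and the choice of PlatformNotSupportedException for the failure path, are assumptions.

```csharp
using System;
using System.Reflection;
using System.Runtime.ExceptionServices;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper for illustration; not the PR's implementation.
internal static class NCryptKeyHandleFactory
{
    // Looked up once. Null when the running framework does not have the
    // public SafeNCryptKeyHandle(IntPtr, SafeHandle) constructor.
    private static readonly ConstructorInfo s_twoParamCtor =
        typeof(SafeNCryptKeyHandle).GetConstructor(
            BindingFlags.Public | BindingFlags.Instance,
            null,
            new[] { typeof(IntPtr), typeof(SafeHandle) },
            null);

    internal static bool IsSupported => s_twoParamCtor != null;

    // keyHandle: raw NCRYPT_KEY_HANDLE; parentHandle: the handle that ties
    // the key to its certificate.
    internal static SafeNCryptKeyHandle Create(IntPtr keyHandle, SafeHandle parentHandle)
    {
        if (parentHandle == null) throw new ArgumentNullException(nameof(parentHandle));
        if (s_twoParamCtor == null)
        {
            // Fail closed: never fall back to a handle that is not tied to the certificate.
            throw new PlatformNotSupportedException(
                "SafeNCryptKeyHandle(IntPtr, SafeHandle) is not available on this runtime.");
        }
        try
        {
            return (SafeNCryptKeyHandle)s_twoParamCtor.Invoke(new object[] { keyHandle, parentHandle });
        }
        catch (TargetInvocationException e) when (e.InnerException != null)
        {
            // Reflection wraps constructor failures; rethrow the original exception.
            ExceptionDispatchInfo.Capture(e.InnerException).Throw();
            throw; // unreachable
        }
    }
}

internal static class Program
{
    private static void Main() =>
        Console.WriteLine("Two-parameter constructor available: " + NCryptKeyHandleFactory.IsSupported);
}
```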

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@PranavSenthilnathan PranavSenthilnathan changed the title ML-DSA certificate accessors for M.B.C. [WIP] ML-DSA certificate accessors for M.B.C. Jul 24, 2025
@PranavSenthilnathan PranavSenthilnathan changed the title [WIP] ML-DSA certificate accessors for M.B.C. ML-DSA certificate accessors for M.B.C. Jul 25, 2025
@PranavSenthilnathan PranavSenthilnathan marked this pull request as ready for review July 25, 2025 08:41
@Copilot Copilot AI review requested due to automatic review settings July 25, 2025 08:41
@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds ML-DSA certificate accessor methods (GetPrivateKey, GetPublicKey, and CopyWithPrivateKey) to Microsoft.Bcl.Cryptography, enabling support for ML-DSA certificates in environments where the full .NET 10+ API is not available. The implementation includes Windows-specific support with runtime compatibility checks for .NET Framework 4.6.2.

Key changes:

  • Addition of ML-DSA certificate extension methods to X509CertificateKeyAccessors
  • Refactoring of existing Windows certificate helper code into shared components
  • Runtime compatibility checks for SafeNCryptKeyHandle constructor availability on older frameworks

Reviewed Changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| X509CertificateKeyAccessors.cs | Adds ML-DSA GetPublicKey, GetPrivateKey, and CopyWithPrivateKey extension methods with platform-specific implementations |
| CertificateHelpers.Windows.cs (Common) | New shared helper class containing Windows-specific certificate operations extracted from existing code |
| CertificateHelpers.Windows.cs (BCL) | BCL-specific implementation with .NET Framework compatibility checks for SafeNCryptKeyHandle constructor |
| CertificatePal.Windows.PrivateKey.cs | Refactored to use shared certificate helpers, reducing code duplication |
| PrivateKeyAssociationTests.Shared.cs | Moved ML-DSA tests from main library to shared test location for reuse across projects |
| *.csproj files | Updated project files to include new shared components and reorganize file references |

Comments suppressed due to low confidence (1)

src/libraries/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/PrivateKeyAssociationTests.cs:4

  • The removal of this using statement may indicate that some tests or test utilities are no longer accessible, potentially reducing test coverage for ML-DSA functionality.
using System.Collections.Generic;

@bartonjs bartonjs left a comment

I'm getting sad at how much code is moving into Common/src, but, oh well.

@artl93 artl93 left a comment

Approved for API additions.

@PranavSenthilnathan PranavSenthilnathan merged commit 8433b62 into dotnet:main Jul 25, 2025
92 checks passed
@PranavSenthilnathan PranavSenthilnathan deleted the mldsa-mbc-cert branch July 25, 2025 19:58
@github-actions github-actions bot locked and limited conversation to collaborators Aug 25, 2025