refactor(crypto): remove System.Security.Cryptography refs, use BouncyCastle

Per the project's crypto policy: all certificate/key/hash handling must
use BouncyCastle, never BCL System.Security.Cryptography.  Two legacy
violations remained:

- ExtractSerialFromPem in CERTInextCAPlugin.cs used X509Certificate2 to
  parse a cert's serial number for audit logging.  Replaced with
  Org.BouncyCastle.X509.X509CertificateParser; output is the same
  uppercase-hex serial format the BCL produced via .SerialNumber.
  Side benefit: silences the SYSLIB0057 warning that X509Certificate2's
  byte[] constructor produces on net10.0.

- ComputeAuthKey in CERTInextClient.cs used SHA256.HashData to derive the
  CERTInext request authKey.  Replaced with
  Org.BouncyCastle.Crypto.Digests.Sha256Digest.  Bytes-out are identical
  to the BCL implementation by construction (both are stock SHA-256), so
  the wire-level authKey is unchanged.  Verified live against the
  sandbox: Ping/GetProductDetails/ListOrders all PASS, meaning the new
  authKey continues to authenticate.

Removed the now-unused `using System.Security.Cryptography;` from
CERTInextClient.cs.

146/146 unit tests pass; live Ping/Sync verifies the wire-level behaviour
is unchanged.

Author: spbsoluble

CERTInext/CERTInextCAPlugin.cs

@@ -1660,6 +1660,9 @@ private static string GetStringValue(
         /// Extracts the X.509 serial number from a PEM-encoded certificate for inclusion
         /// in audit log entries.  Returns "(parse-error)" rather than throwing, so that a
         /// logging failure never suppresses an audit record.
+        ///
+        /// Implemented with BouncyCastle (per the project's crypto policy: all certificate
+        /// and key handling goes through BouncyCastle, never BCL System.Security.Cryptography).
         /// </summary>
         private static string ExtractSerialFromPem(string pem)
         {
@@ -1677,8 +1680,13 @@ private static string ExtractSerialFromPem(string pem)
                     return "(empty-pem)";
 
                 byte[] der = Convert.FromBase64String(b64);
-                using var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(der);
-                return cert.SerialNumber;
+                var parser = new Org.BouncyCastle.X509.X509CertificateParser();
+                var cert = parser.ReadCertificate(der);
+                if (cert == null)
+                    return "(parse-error)";
+                // Match the prior format produced by X509Certificate2.SerialNumber:
+                // uppercase hex, no separators, no leading zeros for normal serials.
+                return cert.SerialNumber.ToString(16).ToUpperInvariant();
             }
             catch
             {

CERTInext/Client/CERTInextClient.cs

@@ -9,7 +9,6 @@
 using System.Collections.Generic;
 using System.Net;
 using System.Runtime.CompilerServices;
-using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 using System.Threading;
@@ -1031,11 +1030,18 @@ private Task<RequestMeta> BuildMetaAsync(CancellationToken ct)
 
         /// <summary>
         /// Computes the CERTInext authKey: SHA256(accessKey + ts + txn) as lowercase hex.
+        ///
+        /// Implemented with BouncyCastle (per the project's crypto policy: all hashing and
+        /// key handling goes through BouncyCastle, never BCL System.Security.Cryptography).
         /// </summary>
         private static string ComputeAuthKey(string accessKey, string ts, string txn)
         {
             string input = accessKey + ts + txn;
-            byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
+            byte[] inputBytes = Encoding.UTF8.GetBytes(input);
+            var digest = new Org.BouncyCastle.Crypto.Digests.Sha256Digest();
+            digest.BlockUpdate(inputBytes, 0, inputBytes.Length);
+            byte[] hash = new byte[digest.GetDigestSize()];
+            digest.DoFinal(hash, 0);
             return Convert.ToHexString(hash).ToLowerInvariant();
         }