Support RFC 9802 LMS and XMSS in X.509 verification

Wire the stateful hash-based signature schemes HSS/LMS (RFC 8554) and
XMSS / XMSS^MT (RFC 8391) into the X.509 cert-verification path per
RFC 9802.

asn:
- Register id-alg-hss-lms-hashsig (1.2.840.113549.1.9.16.3.17),
  id-alg-xmss-hashsig (1.3.6.1.5.5.7.6.34) and id-alg-xmssmt-hashsig
  (1.3.6.1.5.5.7.6.35) in oid_sum.h, asn.c and asn1_oid_sum.pl.
- Plumb the new keyOIDs through GetCertKey, SigOidMatchesKeyOid,
  HashForSignature, FreeSignatureCtx and ConfirmSignature so leaf
  and CA certificates parse, load and verify end-to-end.
- Rename IsSigAlgoECC -> IsSigAlgoNoParams; the function has tested
  "AlgorithmIdentifier omits NULL parameters" since PQC algos were
  added, and HSS/LMS + XMSS only made the original name more
  misleading.

wc_lms / wc_xmss:
- Add wc_XmssKey_ImportPubRaw_ex which derives parameters from the
  4-byte OID prefix at the start of the raw public key, taking an
  is_xmssmt hint to disambiguate the overlapping XMSS / XMSS^MT OID
  spaces.
- Extend wc_LmsKey_ImportPubRaw with the same auto-derive from
  u32str(L) || lmsType || lmOtsType when key->params is NULL; this
  also fixes a latent NULL-deref when the legacy precondition was
  violated.
- Reject WC_*_STATE_OK in both ImportPubRaw paths so re-importing
  on a private-key-loaded handle can't desync priv/pub.
- Tighten wc_XmssKey_Verify's length check to strict equality,
  matching wc_LmsKey_Verify and the documented contract of using
  wc_XmssKey_GetSigLen for the buffer size.

tests / fixtures:
- Bouncy Castle 1.81 fixtures in certs/lms and certs/xmss covering
  every supported parameter set, plus CA->leaf chains per family
  and one BC-native LMS fixture as a cross-impl interop gate.
- New api tests verify each fixture end-to-end, tamper TBS and
  signature bytes, exercise the wolfCrypt-level negative paths
  (NOT_COMPILED_IN, BUFFER_E, BAD_FUNC_ARG, BAD_STATE_E, OID/family
  mismatch, partial-write invariants, lenient VERIFYONLY re-import,
  strict sigLen check) and confirm the outer signatureAlgorithm
  OID is rejected when it disagrees with the SPKI in both
  XMSS<->XMSS^MT directions.

Author: Frauschi

CMakeLists.txt

@@ -699,16 +699,24 @@ add_option(WOLFSSL_LMSSHA256192
     "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
+add_option(WOLFSSL_LMSNOSHA256256
+    "Disable the LMS SHA_256_256 standard variant (default: disabled)"
+    "no" "yes;no")
+
 if (WOLFSSL_LMS)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_LMS")
 
     set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
 
     if (WOLFSSL_LMSSHA256192)
         list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_LMS_SHA256_192")
-        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_NO_LMS_SHA256_256")
 
         set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+    endif()
+
+    if (WOLFSSL_LMSNOSHA256256)
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_NO_LMS_SHA256_256")
+
         set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
     endif()
 endif()

certs/include.am

@@ -161,6 +161,8 @@ include certs/falcon/include.am
 include certs/rsapss/include.am
 include certs/dilithium/include.am
 include certs/slhdsa/include.am
+include certs/lms/include.am
+include certs/xmss/include.am
 include certs/rpk/include.am
 include certs/acert/include.am
 include certs/mldsa/include.am

certs/lms/bc_hss_L2_H5_W8_root.der

@@ -0,0 +1,12 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+         certs/lms/bc_lms_sha256_h5_w4_root.der \
+         certs/lms/bc_lms_sha256_h10_w8_root.der \
+         certs/lms/bc_hss_L2_H5_W8_root.der \
+         certs/lms/bc_hss_L3_H5_W4_root.der \
+         certs/lms/bc_lms_chain_ca.der \
+         certs/lms/bc_lms_chain_leaf.der \
+         certs/lms/bc_lms_native_bc_root.der