Replace liboqs SPHINCS+ with native SLH-DSA in certificate layer

Replace the liboqs-based pre-standardization SPHINCS+ implementation
with the native FIPS 205 SLH-DSA implementation across the
certificate/ASN.1/X.509 layers. All liboqs SPHINCS+ code is removed.

This PR enables SLH-DSA for certificate chain authentication (CA
certificates signed with SLH-DSA, certificate verification). TLS 1.3
entity authentication via CertificateVerify with SLH-DSA will be
added in a follow-up PR.

Follows RFC 9909 (X.509 Algorithm Identifiers for SLH-DSA).

Changes:
- New DER codec for SLH-DSA (PrivateKeyDecode, PublicKeyDecode,
  KeyToDer, PrivateKeyToDer, PublicKeyToDer) with RFC 9909 compliant
  encoding (bare OCTET STRING, no nested wrapper) and OID auto-
  detection across all 6 SHAKE parameter sets
- 12 standardized NIST OIDs (6 SHA2 + 6 SHAKE) per RFC 9909
- Complete ASN.1 layer replacement (~500 lines in asn.c)
- X.509 public key handling in x509.c
- OID collision mechanism cleaned up (NIST OIDs don't collide)
- DER round-trip test for all compiled-in parameter sets
- SLH-DSA test cert chain generated with OpenSSL 3.5
- All build system/IDE project files updated
- SPHINCS+ source files, headers, and test data removed

https://claude.ai/code/session_019gqvW3ZMKGGyi6zCRNPDYV

Author: claude

.wolfssl_known_macro_extras

@@ -835,7 +835,6 @@ WOLFSSL_NO_SERVER_GROUPS_EXT
 WOLFSSL_NO_SESSION_STATS
 WOLFSSL_NO_SIGALG
 WOLFSSL_NO_SOCKADDR_UN
-WOLFSSL_NO_SPHINCS
 WOLFSSL_NO_STRICT_CIPHER_SUITE
 WOLFSSL_NO_TICKET_EXPIRE
 WOLFSSL_NO_TRUSTED_CERTS_VERIFY

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk

@@ -245,7 +245,6 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o

IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/component.mk

@@ -245,7 +245,6 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o

IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/component.mk

@@ -245,7 +245,6 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o

IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/component.mk

@@ -245,7 +245,6 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o

IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/component.mk

@@ -245,7 +245,6 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o

IDE/INTIME-RTOS/Makefile

@@ -320,7 +320,6 @@ INCL_TARGS := 	wolfssl/callbacks.h \
 	wolfssl/wolfcrypt/sm4.h \
 	wolfssl/wolfcrypt/sp.h \
 	wolfssl/wolfcrypt/sp_int.h \
-	wolfssl/wolfcrypt/sphincs.h \
 	wolfssl/wolfcrypt/srp.h \
 	wolfssl/wolfcrypt/tfm.h \
 	wolfssl/wolfcrypt/types.h \

IDE/INTIME-RTOS/libwolfssl.vcxproj

@@ -81,7 +81,6 @@
 	<ClCompile Include="..\..\wolfcrypt\src\sha3.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sha512.c" />
     <ClCompile Include="..\..\wolfcrypt\src\signature.c" />
-	<ClCompile Include="..\..\wolfcrypt\src\sphincs.c" />
 	<ClCompile Include="..\..\wolfcrypt\src\sp_c32.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_c64.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_int.c" />

IDE/INTIME-RTOS/wolfssl-lib.vcxproj

@@ -108,7 +108,6 @@
     <ClCompile Include="..\..\wolfcrypt\src\sm2.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sm3.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sm4.c" />
-    <ClCompile Include="..\..\wolfcrypt\src\sphincs.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_arm32.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_arm64.c" />
     <ClCompile Include="..\..\wolfcrypt\src\sp_armthumb.c" />

IDE/MPLABX16/wolfssl.X/nbproject/configurations.xml

@@ -81,7 +81,6 @@
         <itemPath>../../../wolfcrypt/src/sp_c32.c</itemPath>
         <itemPath>../../../wolfcrypt/src/sp_c64.c</itemPath>
         <itemPath>../../../wolfcrypt/src/sp_int.c</itemPath>
-        <itemPath>../../../wolfcrypt/src/sphincs.c</itemPath>
         <itemPath>../../../wolfcrypt/src/srp.c</itemPath>
         <itemPath>../../../wolfcrypt/src/tfm.c</itemPath>
         <itemPath>../../../wolfcrypt/src/wc_encrypt.c</itemPath>