Commit ffb0673
tests: expand dual-alg-cert coverage with preTBS unit tests and a CSR roundtrip

Add three new tests in tests/api.c, each gated identically to the
existing test_dual_alg_ecdsa_mldsa (WOLFSSL_DUAL_ALG_CERTS +
HAVE_DILITHIUM + HAVE_ECC + WOLFSSL_CUSTOM_OID + HAVE_OID_ENCODING +
non-small-stack):

test_dual_alg_pretbs_cert
    Direct unit test for wc_GeneratePreTBS on an X.509 dual-alg cert.
    Covers:
    - NULL / zero-size argument validation (BAD_FUNC_ARG).
    - Issuer-side fast path: cert built with sapki+altSigAlg only,
      preTBS must equal the parsed TBS verbatim (XMEMCMP against
      dCert->source[certBegin..sigIndex]).
    - BUFFER_E when the output buffer is too small.
    - Verifier-side excision: after embedding altSigValue and
      re-emitting, preTBS must be strictly smaller than TBS and
      re-encode cleanly. (Byte-comparing the resulting alt sig
      directly is impossible because ML-DSA is randomised; the
      end-to-end "alt sig verifies against preTBS" check is
      already exercised by test_dual_alg_support.)

test_dual_alg_pretbs_altsigval_not_last
    Builds a cert in which altSigValue is followed by another
    extension (a trailing custom OID), violating the X9.146 /
    ITU-T X.509:2019 Annex A "altSignatureValue must be the last
    extension" requirement. Verifies wc_GeneratePreTBS returns
    ASN_PARSE_E. The dummy altSigValue content is a properly-formed
    BIT STRING (real ML-DSA signature over scratch bytes), since the
    cert parser validates the BIT STRING layout before our "last
    extension" check fires.

test_dual_alg_csr_roundtrip
    First end-to-end CSR-shaped test for the dual-alg-cert feature.
    Builds a PKCS#10 CertificationRequest carrying sapki+altSigAlg in
    its extensionRequest attribute, parses it, generates the preTBS
    via wc_GeneratePreTBS (issuer-side fast path: byte-equal CRInfo),
    signs the preTBS with the ML-DSA alt key, embeds altSigValue,
    re-emits and re-signs the CSR, then parses it again and runs
    preTBS through the verifier-side path (GenerateCsrPreTBS).
    Verifies the verifier-side preTBS is strictly smaller than the
    original CRInfo and still leads with a SEQUENCE tag. Gated on
    WOLFSSL_CERT_REQ in addition to the dual-alg flags above.

Verified with:
    --enable-dual-alg-certs --enable-experimental --disable-shared
      -> base build: 0 failures.
    + --enable-dilithium --enable-mldsa --enable-certreq --enable-certgen
      -DWOLFSSL_CUSTOM_OID -DHAVE_OID_ENCODING -DHAVE_OID_DECODING
      -> all six dual-alg tests pass:
         test_dual_alg_support, test_dual_alg_crit_ext_support,
         test_dual_alg_ecdsa_mldsa, test_dual_alg_pretbs_cert,
         test_dual_alg_pretbs_altsigval_not_last,
         test_dual_alg_csr_roundtrip.

1 parent 67511eb commit ffb0673
1 file changed
Lines changed: 399 additions & 0 deletions
0 commit comments
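
Added example, not part of the commit and not wolfSSL code: a toy Python model of the preTBS behaviour the tests above pin down (verbatim output when altSignatureValue is absent, excision when it is the last extension, rejection when it is not last). The function names, the skeleton TBS layout built by `toy_tbs` and the `ValueError` standing in for ASN_PARSE_E are assumptions; 2.5.29.74 is the X.509 altSignatureValue OID.

```python
ALT_SIG_VALUE = bytes.fromhex("551d4a")  # OID 2.5.29.74 (altSignatureValue)

def tlv(tag, body):  # DER-encode one element with a minimal-length header
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(buf, pos=0):  # -> (tag, body, end) of the DER element at pos
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # split a constructed body into (tag, inner, raw) triples
    out, pos = [], 0
    while pos < len(body):
        tag, inner, end = read(body, pos)
        out.append((tag, inner, body[pos:end]))
        pos = end
    return out

def pre_tbs(tbs):
    """Return the TBS with altSignatureValue excised (verbatim if absent)."""
    tag, body, end = read(tbs)
    if tag != 0x30 or end != len(tbs):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields = children(body)
    if not fields or fields[-1][0] != 0xA3:  # no [3] extensions field
        return tbs
    exts = children(read(fields[-1][1])[1])
    hits = [i for i, e in enumerate(exts)
            if children(e[1])[0][1] == ALT_SIG_VALUE]
    if not hits:  # issuer-side fast path: nothing to remove
        return tbs
    if hits != [len(exts) - 1]:
        raise ValueError("altSignatureValue is not the last extension")
    kept = b"".join(raw for _, _, raw in exts[:-1])
    head = b"".join(raw for _, _, raw in fields[:-1])
    return tlv(0x30, head + (tlv(0xA3, tlv(0x30, kept)) if kept else b""))

def toy_tbs(*exts):  # constructed skeleton: version, serial, extensions only
    der = b"".join(tlv(0x30, tlv(0x06, bytes.fromhex(o)) + tlv(0x04, v))
                   for o, v in exts)
    return tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
               + tlv(0xA3, tlv(0x30, der)))
```

Because DER lengths are re-encoded after the excision, the output for a signed skeleton is byte-identical to the issuer-side skeleton it was built from, which is the property that lets a verifier recompute what the alternative signature covered.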