Track A · PR 1/7 — Rust: add PQ algorithm OIDs to SPKI parser #29

@bradh11

Parent: #28 · Track A (cert-side) · No dependencies · Blocks PRs 2, 3, 6

Scope

Teach the Rust SPKI parser to recognize post-quantum signature/key algorithm OIDs so PQ certs no longer collapse to PublicKeyAlgorithm::Unknown. Pure additive change.

In scope

  • ML-DSA-44 / 65 / 87 (FIPS-204) OIDs
  • SLH-DSA variants (FIPS-205) OIDs
  • Falcon OIDs (when codepoints are stable; otherwise stub with TODO)
  • Hybrid composite signature OIDs (draft-ietf-lamps-pq-composite-sigs — note in code that this table will need updates as registry stabilizes)
  • Extend PublicKeyAlgorithm enum with new variants
  • Update pyobj.rs to translate new variants into the Python-facing dict

Out of scope

  • Any Python validator changes (those land in subsequent PRs)
  • TLS-side OIDs (those land in Track B)

Files to touch

Tests

  • One unit test per OID in spki.rs#tests building a synthetic SPKI and asserting the parsed variant.
  • Round-trip the Python-facing dict for at least one PQ algorithm to confirm pyobj.rs mapping.

Definition of Done

  • make ci clean (ruff, cargo fmt, clippy -D warnings, pytest, mypy, cargo audit, bandit)
  • Coverage ≥ 95%
  • CHANGELOG entry added
  • PR opened against develop from feat/pq-spki-oids
  • No behavior change for existing RSA/EC certs (regression-tested)
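
A sketch of the OID mapping and the synthetic-SPKI test input described under Scope and Tests, added here as an illustration and not taken from the project's code. Only `PublicKeyAlgorithm::Unknown` appears in the issue; the other variant names and the functions `parse_spki_algorithm` and `synthetic_spki` are hypothetical. It covers the three ML-DSA OIDs (2.16.840.1.101.3.4.3.17, .18, .19) next to RSA and EC, and leaves SLH-DSA, Falcon and the composite OIDs out.

```rust
// Added example. Variant names other than `Unknown` are assumptions, not the project's enum.
#[derive(Debug, PartialEq)]
pub enum PublicKeyAlgorithm { Rsa, Ec, MlDsa44, MlDsa65, MlDsa87, Unknown }

// DER content octets of each OID (tag and length stripped).
const RSA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]; // 1.2.840.113549.1.1.1
const EC: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]; // 1.2.840.10045.2.1
const ML_DSA_ARC: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03]; // 2.16.840.1.101.3.4.3

/// Read one TLV with the expected tag; None on truncated or unsupported input.
fn tlv(input: &[u8], tag: u8) -> Option<(&[u8], &[u8])> {
    let (&t, rest) = input.split_first()?;
    let (&l, rest) = rest.split_first()?;
    let n = match l { 0..=0x7f => 0, 0x81 => 1, 0x82 => 2, _ => return None };
    if t != tag || rest.len() < n { return None; }
    let len = if n == 0 { l as usize } else { rest[..n].iter().fold(0usize, |a, &b| (a << 8) | b as usize) };
    let rest = &rest[n..];
    if rest.len() < len { None } else { Some(rest.split_at(len)) }
}

/// Walk SPKI -> AlgorithmIdentifier -> OID and map it; anything unrecognised stays Unknown.
pub fn parse_spki_algorithm(der: &[u8]) -> PublicKeyAlgorithm {
    use PublicKeyAlgorithm::*;
    let oid = tlv(der, 0x30).and_then(|(spki, _)| tlv(spki, 0x30))
        .and_then(|(alg, _)| tlv(alg, 0x06)).map(|(o, _)| o).unwrap_or_default();
    if oid == RSA { return Rsa; }
    if oid == EC { return Ec; }
    match oid.split_last() {
        Some((&0x11, arc)) if arc == ML_DSA_ARC => MlDsa44, // ...3.17
        Some((&0x12, arc)) if arc == ML_DSA_ARC => MlDsa65, // ...3.18
        Some((&0x13, arc)) if arc == ML_DSA_ARC => MlDsa87, // ...3.19
        _ => Unknown,
    }
}

/// Encode one TLV (body lengths up to 65535).
fn enc(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = match body.len() {
        n @ 0..=0x7f => vec![tag, n as u8],
        n @ 0x80..=0xff => vec![tag, 0x81, n as u8],
        n => vec![tag, 0x82, (n >> 8) as u8, n as u8],
    };
    out.extend_from_slice(body);
    out
}

/// Constructed test input: SPKI with absent parameters and an all-zero key of `key_len` bytes.
pub fn synthetic_spki(oid: &[u8], key_len: usize) -> Vec<u8> {
    let key = enc(0x03, &vec![0u8; key_len + 1]); // first octet = unused-bits count
    enc(0x30, &[enc(0x30, &enc(0x06, oid)), key].concat())
}
```

The TLV reader accepts non-minimal length encodings, so a strict DER parser would need one more check there.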
