Extend AIA interface

[padelsbach]

Description

• Add support for multiple AIA's
• Add support for CA issuer URL in addition to OCSP in AIA

Testing

New unit tests

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[padelsbach]

jenkins retest this please

[Copilot]

Pull request overview

This PR extends Authority Information Access (AIA) handling to support multiple AIA entries per certificate and to expose CA Issuers URLs in addition to OCSP, with associated test certificates and API surface.

Changes:

• Introduces a shared WOLFSSL_AIA_ENTRY representation and stores multiple AIA locations (method + URI) in DecodedCert and WOLFSSL_X509, with overflow tracking and copying from decoded certs into X.509 objects.
• Refactors AIA decoding in wolfcrypt/src/asn.c and X.509 AIA accessors in src/x509.c to build stacks of URIs for both OCSP and CA Issuers, while preserving legacy single-entry behavior as a fallback.
• Adds tests, OpenSSL config, renewal script steps, and test certificates for CA Issuers AIA, multiple AIA entries, and overflow handling, and wires the new tests into the existing API test suite.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
wolfssl/wolfcrypt/asn.h	Defines WOLFSSL_AIA_ENTRY and adds extAuthInfoList, size, and overflow tracking to DecodedCert to represent multiple AIA entries per certificate.
wolfssl/ssl.h	Declares new public APIs wolfSSL_X509_get_aia_overflow and wolfSSL_X509_get1_ca_issuers alongside the existing OCSP AIA accessor.
wolfssl/internal.h	Mirrors the WOLFSSL_AIA_ENTRY struct and adds authInfoList, size, and overflow flags to WOLFSSL_X509 for runtime AIA storage.
wolfcrypt/src/asn.c	Extends DecodeAuthInfo (both template and non-template paths) to populate the AIA list, set the first OCSP and CA Issuer URIs, and flag overflows.
src/x509.c	Replaces the single-URI OCSP accessor with a generic AIA helper that returns stacks of URIs per method, adds an overflow query API, and adds a CA Issuers getter built on the same helper.
src/internal.c	Copies the decoded AIA list and overflow flag from DecodedCert into WOLFSSL_X509, rebasing URI pointers into the certificate’s DER buffer and enforcing WOLFSSL_MAX_AIA_ENTRIES.
tests/api.c	Adds tests for wolfSSL_X509_get1_ca_issuers, multi-entry OCSP/CA Issuers AIA URLs, and overflow behavior when the AIA list exceeds WOLFSSL_MAX_AIA_ENTRIES, and registers them in the test table.
certs/renewcerts/wolfssl.cnf	Adds OpenSSL config sections to generate AIA test certificates for CA Issuers, multiple AIA entries, and overflow cases.
certs/renewcerts.sh	Extends the renewal script to generate and refresh the new AIA test certificates used by the added tests.
certs/include.am	Ships the new AIA test certificates with the build/test distribution.
certs/crl/include.am	Adds additional CRL test files (large CRL number cases) to the distribution list.
certs/aia/*.pem	Provides concrete CA Issuers, multi-AIA, and overflow AIA certificates for exercising the new behavior in tests.
.gitignore	Ignores compile_commands.json to avoid checking in local code-navigation metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new wolfSSL_X509_get_aia_overflow accessor introduced just above is not exercised in this overflow test, even though this test is specifically validating behavior when the AIA list exceeds WOLFSSL_MAX_AIA_ENTRIES. To protect against regressions in how overflow is tracked, consider also asserting that wolfSSL_X509_get_aia_overflow(cert) returns 1 for this certificate, and that it returns 0 for non-overflowing certificates (e.g., in test_wolfSSL_X509_get1_aia_multi).