[1] Refactor the swtpm_cert tests and fix some more issues in swtpm_cert#1123

Open
stefanberger wants to merge 5 commits into master from stefanberger/refactor_tests_and_fix_swtpm_cert
Owner

@stefanberger stefanberger commented May 7, 2026

See patch descriptions.

This now also requires OpenSSL 3.5 since we want to be able to grep for "Endorsement Key Certificate" in a certificate dump.

Summary by CodeRabbit

  • Dependencies

    • Minimum OpenSSL/libcrypto requirement raised to 3.5.
  • Bug Fixes

    • TPM certificate ASN.1 encoding and certificate validity handling adjusted for improved encoding/validation and clearer error messages.
  • Tests

    • Certificate test suite rewritten: new runtime key/cert generation and end-to-end validation scripts added; legacy fixed-input tests removed or consolidated.
  • Chores

    • CI runner OS updated to ubuntu-26.04.

@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 25affb8 to bdffc09 Compare May 7, 2026 21:45
@stefanberger stefanberger changed the title Refactor the swtpm_cert tests and fix some more issues in swtpm_cert [1] Refactor the swtpm_cert tests and fix some more issues in swtpm_cert May 7, 2026
@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch 5 times, most recently from fcbe04d to 0139177 Compare May 10, 2026 21:54
@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 0139177 to 91d8324 Compare May 19, 2026 15:40
coderabbitai Bot commented May 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

CI runner OS updated to ubuntu-26.04; libcrypto pkg-config tightened to >= 3.5. TPM IAK SAN ASN.1 tags removed and static ASN.1 table/C write paths adjusted; ek-cert.c X509 time/result handling changed. Test suite refactored: static fixtures removed, new helper scripts added, and wrappers now generate keys/certs at runtime.

Changes

OpenSSL Update and ASN.1 Schema Corrections

| Layer | File(s) | Summary |
| --- | --- | --- |
| Environment setup and dependency requirements | .github/workflows/ci.yml, configure.ac | CI runner OS upgraded to ubuntu-26.04 for multiple test jobs; libcrypto pkg-config requirement tightened to libcrypto >= 3.5. |
| ASN.1 schema corrections for TPM IAK SAN | src/swtpm_cert/tpm.asn, src/swtpm_cert/tpm_asn1.h, src/swtpm_cert/ek-cert.c | Remove [0] IMPLICIT / [0] EXPLICIT context-specific tags from IAK SAN ASN.1 types; update static ASN.1 node table entries and C code OID write paths; adjust X509_time_adj_ex handling for days-based validity. |

Test Infrastructure Refactor

| Layer | File(s) | Summary |
| --- | --- | --- |
| Test configuration and Makefile updates | tests/Makefile.am | Remove test_tpm2_swtpm_cert_ecc from TESTS, drop several static data/*.pem fixtures, and add _test_swtpm_cert and _test_tpm2_swtpm_cert to distribution. |
| _test_swtpm_cert: core certificate generation tests | tests/_test_swtpm_cert | New helper script exercising swtpm-certificate across password delivery modes and platform certificate checks with temp-file cleanup and size validations. |
| test_swtpm_cert: dynamic key generation and delegation | tests/test_swtpm_cert | Rewritten wrapper: creates TMPDIR, generates root CA and key/cert material with openssl, and delegates to ./_test_swtpm_cert via PARAM_* env variables. |
| _test_tpm2_swtpm_cert: comprehensive TPM2 validations | tests/_test_tpm2_swtpm_cert | New helper covering RSA/ECC, allow-signing/pubkey/platform/IAK/IDevID cases with size/text assertions, chain verification, and serial-number boundary tests. |
| test_tpm2_swtpm_cert: dynamic CA/key setup and orchestration | tests/test_tpm2_swtpm_cert | Rewritten harness: generates CA, EK, and signing key/certs at runtime, then runs ./_test_tpm2_swtpm_cert for RSA and EC signing cases with expected size lists. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • LordGrimmauld

Poem

🐰 In tempdirs warm the fresh keys lie,

ASN.1 tags waved soft goodbye,
Runners leap to twenty-six's shore,
Tests wake up and run once more,
A tiny hop — proofs pass, I sigh.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately captures the main changes: test refactoring and multiple fixes in swtpm_cert across the codebase, which is directly reflected in the file modifications. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 9: Replace all occurrences of the unsupported runner label "runs-on:
ubuntu-26.04" with a supported label such as "runs-on: ubuntu-24.04" (there are
four occurrences referenced by the diff); update each "runs-on" line in the CI
workflow to use "ubuntu-24.04" (or another valid GitHub-hosted runner) so
actionlint no longer reports an unknown runner.
📥 Commits

Reviewing files that changed from the base of the PR and between c43003b and 91d8324.

⛔ Files ignored due to path filters (8)
  • tests/data/ecprivek.pem is excluded by !**/*.pem
  • tests/data/ecpubek.pem is excluded by !**/*.pem
  • tests/data/issuercert.pem is excluded by !**/*.pem
  • tests/data/pubek.pem is excluded by !**/*.pem
  • tests/data/signkey-encrypted.pem is excluded by !**/*.pem
  • tests/data/signkey.pem is excluded by !**/*.pem
  • tests/data/swtpm-localca-rootca-cert.pem is excluded by !**/*.pem
  • tests/data/swtpm-localca-rootca-privkey.pem is excluded by !**/*.pem
📒 Files selected for processing (11)
  • .github/workflows/ci.yml
  • configure.ac
  • src/swtpm_cert/ek-cert.c
  • src/swtpm_cert/tpm.asn
  • src/swtpm_cert/tpm_asn1.h
  • tests/Makefile.am
  • tests/_test_swtpm_cert
  • tests/_test_tpm2_swtpm_cert
  • tests/test_swtpm_cert
  • tests/test_tpm2_swtpm_cert
  • tests/test_tpm2_swtpm_cert_ecc
💤 Files with no reviewable changes (1)
  • tests/test_tpm2_swtpm_cert_ecc

Comment thread .github/workflows/ci.yml
@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 91d8324 to 919c2fe Compare May 20, 2026 15:25
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (1)
tests/_test_tpm2_swtpm_cert (1)

12-16: 💤 Low value

Define cleanup function before the trap statement.

The trap on line 12 references the cleanup function before it's defined on lines 13-16. While this works in bash (the function is resolved when the trap fires, not when defined), it's unconventional and can confuse readers.

Suggested reorder
-trap "cleanup" SIGTERM EXIT
 function cleanup()
 {
 	rm -f "${cert}"
 }
+trap "cleanup" SIGTERM EXIT
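Review bot: the moved line `trap "cleanup" SIGTERM EXIT` still installs a SIGTERM handler that does not exit, so after a SIGTERM bash runs cleanup, removes "${cert}" and then continues with the rest of the script against a deleted file. Trap only EXIT for cleanup and add a separate `trap 'exit 1' SIGTERM`, or have the SIGTERM handler call exit after cleanup.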
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/_test_tpm2_swtpm_cert` around lines 12 - 16, Move the cleanup function
definition (function cleanup() { rm -f "${cert}"; }) above the trap invocation
so the trap "cleanup" SIGTERM EXIT references an already-declared symbol; keep
the trap arguments unchanged (SIGTERM EXIT) and preserve the "${cert}" use
inside cleanup to retain original behavior and quoting.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/swtpm_cert/ek-cert.c`:
- Around line 1592-1594: The CHECK_OSSL_NULLPTR call using X509_time_adj_ex
passes a format string that incorrectly uses the unsigned specifier "%lu" for
the variable days (which is declared as long); update the format specifier to
"%ld" in the CHECK_OSSL_NULLPTR invocation (referencing X509_time_adj_ex,
asn1_time, days, now) so the signed long is logged correctly.

In `@tests/_test_swtpm_cert`:
- Line 61: Replace use of echo -en for feeding password material into process
substitution with printf '%s' to preserve exact bytes; find occurrences like the
--signkey-pwd file:<(echo -en "${PARAM_PASSWORD}") (and the second occurrence
around the other instance) and change them to use printf '%s'
"${PARAM_PASSWORD}" in the process substitution so backslashes and special bytes
are not reinterpreted.
- Around line 20-32: The test currently only issues warnings in function
check_cert_size when the certificate file is missing or its byte size (computed
via size=$(stat -c%s "${cert}" 2>/dev/null)) does not match the expected value
(exp); change check_cert_size to treat these conditions as failures by printing
the same diagnostic and then failing the test (e.g., exit 1 or return non-zero)
so CI fails on mismatch or missing cert. Ensure you still log "Warning:
Certificate file has unexpected size." and the "Expected: $exp; found: $size"
details before exiting, and handle the case where stat returns empty (missing
file) as a failure as well.

In `@tests/_test_tpm2_swtpm_cert`:
- Around line 152-170: The test invokes SWTPM_CERT with PARAM_ECPUBKEY (an EC
public key) but the final success message prints "RSA key", which is misleading;
update the success output in the block that calls SWTPM_CERT/check_cert
(referencing SWTPM_CERT, PARAM_ECPUBKEY, check_cert, PARAM_CERT_SIZES, and the
echo "Test ${TC}: OK (RSA key)") to reflect EC/ECC (e.g., "EC key" or "ECC key")
so the message matches the key type used.
- Around line 70-81: The COMMON array contains a duplicated flag --tpm2
(appearing twice); edit the COMMON variable definition and remove the redundant
--tpm2 entry so the array only includes a single --tpm2 flag (look for the
COMMON=( ... ) block that includes --signkey "${PARAM_SIGNKEY}", --issuercert
"${PARAM_ISSUERCERT}", and --out-cert "${cert}" and delete the extra --tpm2
occurrence).

📥 Commits

Reviewing files that changed from the base of the PR and between 91d8324 and 919c2fe.

Comment thread src/swtpm_cert/ek-cert.c
Comment thread tests/_test_swtpm_cert
Comment thread tests/_test_swtpm_cert Outdated
Comment thread tests/_test_tpm2_swtpm_cert
Comment thread tests/_test_tpm2_swtpm_cert Outdated
@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 919c2fe to ffb95f2 Compare May 20, 2026 15:35
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
tests/_test_tpm2_swtpm_cert (1)

18-34: 💤 Low value

Consider failing on size mismatch for consistent test behavior.

Similar to _test_swtpm_cert, the check_cert_size function only warns when the DER certificate size falls outside the expected range. While the check_cert function handles content verification failures properly, silent size mismatches could mask regressions.

Since this uses a range format (lo-hi) and EC signature sizes can legitimately vary, this may be intentional. If so, consider adding a comment explaining why warnings are acceptable here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/_test_tpm2_swtpm_cert` around lines 18 - 34, The check_cert_size
function currently only prints a warning when the DER cert size is outside the
expected lo-hi range; update it for consistent test behavior by making it fail
the test on mismatch: inside check_cert_size (function name) after computing
size, replace the warning-only branch with a deterministic failure (e.g., log
the same messages then exit nonzero or return nonzero) so callers see a test
failure instead of a silent warning; if variable EC signature sizes require
allowing ranges, alternatively add a short comment above check_cert_size
explaining why a warning is acceptable and list the expected variability, but
prefer making the function return nonzero/exit 1 to ensure failures are caught.
📥 Commits

Reviewing files that changed from the base of the PR and between 919c2fe and ffb95f2.

@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from ffb95f2 to 6707c66 Compare May 20, 2026 15:44
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
tests/_test_tpm2_swtpm_cert (1)

18-34: ⚡ Quick win

Size check only warns, allowing silent regressions.

Similar to the TPM1 helper, check_cert_size only emits a warning when DER certificate size falls outside the expected range. Consider making this a hard failure to catch output regressions in CI.

Proposed fix
 function check_cert_size()
 {
 	local cert="$1"
 	local exp="$2"

 	local size lo hi

 	lo=$(cut -d"-" -f1 <<< "${exp}")
 	hi=$(cut -d"-" -f2 <<< "${exp}")

 	# Check size of DER cert
 	size=$(openssl x509 -in "${cert}" -outform der | wc -c)
 	if [ "${size}" -lt "${lo}" ] || [ "${size}" -gt "${hi}" ]; then
-		echo "Warning: DER Certificate has unexpected size."
-		echo "         Expected: $exp;  found: $size"
+		echo "Error: DER Certificate has unexpected size."
+		echo "       Expected: $exp; found: $size"
+		exit 1
 	fi
 }
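Review bot: the range test `[ "${size}" -lt "${lo}" ] || [ "${size}" -gt "${hi}" ]` treats a `[` error as "in range": if `exp` is empty or its bounds are not integers, both tests return non-zero, the `if` body is skipped and the new `exit 1` is never reached. Validate `lo` and `hi` as integers before comparing and fail when they are not, and send the two `echo` lines to stderr so they do not mix with captured output.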
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/_test_tpm2_swtpm_cert` around lines 18 - 34, The check_cert_size
function currently only prints warnings when the DER certificate size is outside
the expected range; change it to fail the test instead by returning a non-zero
status (or exiting) so CI catches regressions: update check_cert_size to print
the same messages to stderr and then call return 1 (or exit 1 if intended to
stop the script) when the size is out of bounds, ensuring callers see the
failing status; keep function name check_cert_size and the same size calculation
logic unchanged.
tests/test_swtpm_cert (1)

25-52: 💤 Low value

Chained openssl commands capture only the last error message.

When multiple openssl commands are chained with ||, only the last failed command's output is captured in $msg. If an earlier command fails, $msg may contain output from a subsequent (possibly successful) command or be misleading.

Consider capturing each command's output separately or appending to $msg:

Alternative approach
-if ! msg=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1) ||
-   ! msg=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1) ||
+msg=""
+if ! out=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1); then msg+="$out"; fi
+if [ -z "$msg" ] && ! out=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1); then msg+="$out"; fi
 ...
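Review bot: in the added lines, `[ -z "$msg" ]` serves as the "nothing has failed yet" flag, but `msg+="$out"` leaves `msg` empty when the failing openssl command printed nothing, so the next command would still run and the failure would be lost. Track the exit status in its own variable or stop at the first failure. The removed `if ! msg=$(...) || ! msg=$(...)` chain short-circuits at the first failing command, so `msg` there holds that command's output.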

Or simply run commands sequentially with set -e and let the first failure exit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_swtpm_cert` around lines 25 - 52, The chained openssl pipeline
only preserves the last command's output in $msg, so change the block to run
each openssl command sequentially and capture each command's stderr into a
temporary variable (or append to $msg) and exit immediately on failure; target
the commands that produce RSAPRIVKEY, RSAPUBKEY, CAKEY/CACERT,
RSA3072ENCRYPTED_PRIVKEY/RSA3072ENCRYPTED_PUBKEY and
ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY, e.g. run each openssl invocation
separately, check its exit status, and if non-zero copy its captured output into
$msg and exit 1 (or enable set -e at top and let the first failing command
terminate while redirecting stderr to a per-command log), so you always report
the exact failing command and its error text.
📥 Commits

Reviewing files that changed from the base of the PR and between ffb95f2 and 6707c66.

📒 Files selected for processing (6)
  • tests/Makefile.am
  • tests/_test_swtpm_cert
  • tests/_test_tpm2_swtpm_cert
  • tests/test_swtpm_cert
  • tests/test_tpm2_swtpm_cert
  • tests/test_tpm2_swtpm_cert_ecc
💤 Files with no reviewable changes (1)
  • tests/test_tpm2_swtpm_cert_ecc

@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 6707c66 to ed48b1c Compare May 20, 2026 16:00
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/_test_swtpm_cert`:
- Line 61: Replace unsafe printf usage that can interpret % sequences in
passwords: locate the here-document substitutions using printf
"${PARAM_PASSWORD}" (e.g., the --signkey-pwd file:<(printf "${PARAM_PASSWORD}")
invocation and the other similar occurrence) and change them to use a fixed
format string printf '%s' "${PARAM_PASSWORD}" so the password bytes are passed
verbatim to swtpm-certificate.

In `@tests/_test_tpm2_swtpm_cert`:
- Around line 18-45: The test currently only logs a warning in check_cert_size()
and check_cert() ignores that result, so DER size regressions don't fail the
test; modify check_cert_size() (the function that computes lo/hi and size) to
return a non-zero status (or exit 1) when size is outside the expected range
instead of only echoing a warning, and update check_cert() to call
check_cert_size and propagate its failure (exit or return non-zero) so the test
suite fails on size regressions.
📥 Commits

Reviewing files that changed from the base of the PR and between 6707c66 and ed48b1c.

Comment thread tests/_test_swtpm_cert Outdated
Comment thread tests/_test_tpm2_swtpm_cert
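
The two review comments on password delivery in tests/_test_swtpm_cert (`echo -en "${PARAM_PASSWORD}"` in the earlier review, `printf "${PARAM_PASSWORD}"` in this one) concern the same defect: the secret is interpreted instead of passed as data. The following is an added example, not code from the swtpm tree; the function names and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the swtpm tree. All passwords below are constructed.

# Hex-encode stdin so that every byte handed to the consumer is visible.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Password used as the printf FORMAT: "%" directives and "\" escapes are
# interpreted, so the consumer receives different bytes than were configured.
deliver_as_format() { printf "$1" | to_hex; }

# Fixed format string, password passed as data: bytes arrive unchanged.
deliver_verbatim() { printf '%s' "$1" | to_hex; }

# bash's builtin "echo -en": backslash escapes are interpreted, "%" is not.
# Run through "bash -c" so the result does not depend on the invoking shell.
deliver_echo_en() {
    command -v bash >/dev/null 2>&1 || { printf 'no-bash'; return 0; }
    bash -c 'echo -en "$1"' _ "$1" | to_hex
}

# Succeeds (status 0) when delivery method $1 changes the bytes of password $2.
alters_bytes() {
    [ "$("$1" "$2")" != "$(deliver_verbatim "$2")" ]
}

# Print, per constructed password, the bytes each delivery method produces.
report() {
    for pw in 'Tr0ub4dor' 'pa%sss' 'pa\nss' '100%%sure'; do
        printf 'password: %s\n' "$pw"
        printf '  %-18s -> %s\n' 'printf "$pw"' "$(deliver_as_format "$pw")"
        printf '  %-18s -> %s\n' 'echo -en "$pw"' "$(deliver_echo_en "$pw")"
        printf '  %-18s -> %s\n' "printf '%s' \"\$pw\"" "$(deliver_verbatim "$pw")"
        if alters_bytes deliver_as_format "$pw"; then
            printf '  => key would be encrypted and decrypted with different bytes\n'
        fi
    done
}

report
```

A password without `%` or `\` passes through all three methods unchanged, which is why a test suite using a simple fixed password does not expose the problem.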
@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch 7 times, most recently from 90abd43 to 8e1dffb Compare May 21, 2026 12:47
…pport

Require that OpenSSL's libcrypto >= v3.5 is available since ML-KEM and
ML-DSA support was added in this version.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Since swtpm now needs OpenSSL >= v3.5, upgrade the requirement for Ubuntu
to 26.04.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

X509_time_adj_ex will return a NULL pointer if the days parameter is too
far in the future. Therefore adjust the error message. Also avoid a
memory leak when the return value was NULL.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

The IAK/IDevID certificate did not pass certificate chain verification due
to malformed ASN.1 in the SAN. Fix the ASN.1 that is put into the SAN to
have proper nesting of sequences.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Refactor the certificate creation tests to
- create all needed keys and certs using openssl CLI tool
- accept input parameters passed to test script
- grep for more expected data in the created certificates
- verify the created certificate with the intermediate CA
- test signing with a secp521r1 key

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

@stefanberger stefanberger force-pushed the stefanberger/refactor_tests_and_fix_swtpm_cert branch from 8e1dffb to 2218e61 Compare May 21, 2026 14:48