stefanberger · stefanberger · Apr 9, 2026 · Apr 9, 2026 · May 7, 2026 · May 7, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   test-distcheck:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-26.04
     env:
       PREFIX:   "/usr"
       CONFIG:   "--with-openssl --prefix=/usr"
@@ -20,7 +20,7 @@ jobs:
         uses: ./.github/actions/test-swtpm
 
   test-coveralls:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-26.04
     env:
       PREFIX:                    "/usr"
       CONFIG:                    "--with-openssl --prefix=/usr --enable-test-coverage"
@@ -52,7 +52,7 @@ jobs:
           cpp-coveralls -e libtpms --gcov-options '\-lp'
 
   test-asan-ubsan:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-26.04
     env:
       CFLAGS:         "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover"
       LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover"
@@ -71,7 +71,7 @@ jobs:
         uses: ./.github/actions/test-swtpm
 
   test-asan-ubsan-non-openssl:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-26.04
     env:
       CFLAGS:         "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover"
       LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover"

diff --git a/configure.ac b/configure.ac
@@ -115,13 +115,8 @@ AC_ARG_WITH([openssl],
             [])
 
 AS_CASE([$cryptolib],[openssl],
-    [PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto])
-     AC_CHECK_LIB(crypto,
-        [AES_set_encrypt_key],
-        [true],
-        AC_MSG_ERROR(Faulty openssl crypto library)
-     )
-    AC_CHECK_HEADERS([openssl/aes.h],[],
+    [PKG_CHECK_MODULES([LIBCRYPTO],[libcrypto >= 3.5])
+    AC_CHECK_HEADERS([openssl/obj_mac.h],[],
         AC_MSG_ERROR(Is openssl-devel/libssl-dev installed?))
     AC_MSG_RESULT([Building with openssl crypto library])
 

diff --git a/src/swtpm_cert/ek-cert.c b/src/swtpm_cert/ek-cert.c
@@ -792,13 +792,13 @@ create_iak_info(datum_t *asn1, const char *hwSerialNum)
     err = asn1_create_element(_tpm_asn, "TPM.TPMIAKSanInfo", &at);
     ASN1_CHECK_ERROR(err, "asn1_create_element");
 
-    err = asn1_write_value(at, "tpmIAKSanInfoSeq.id", "1.3.6.1.5.5.7.8.4", 0);
+    err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.id", "1.3.6.1.5.5.7.8.4", 0);
     ASN1_CHECK_ERROR(err, "asn1_write_value");
 
-    err = asn1_write_value(at, "tpmIAKSanInfoSeq.iakSanInfoSet.hwType", "2.23.133.1.2", 0);
+    err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.iakSanInfoSet.hwType", "2.23.133.1.2", 0);
     ASN1_CHECK_ERROR(err, "asn1_write_value");
 
-    err = asn1_write_value(at, "tpmIAKSanInfoSeq.iakSanInfoSet.hwSerialNum", hwSerialNum, 0);
+    err = asn1_write_value(at, "tpmIAKSanInfoSet.tpmIAKSanInfoSeq.iakSanInfoSet.hwSerialNum", hwSerialNum, 0);
     ASN1_CHECK_ERROR(err, "asn1_write_value");
 
     err = encode_asn1(asn1, at);
@@ -1589,8 +1589,9 @@ int main(int argc, char *argv[])
     if (days < 0) {
         ASN1_TIME_set_string(asn1_time, "99991231235959Z");
     } else {
-        asn1_time = X509_time_adj_ex(asn1_time, days, 0, &now);
-        CHECK_OSSL_NULLPTR1(asn1_time, "Out of memory.\n");
+        CHECK_OSSL_NULLPTR(X509_time_adj_ex(asn1_time, days, 0, &now),
+                           "Days '%lu' may be too far in the future.\n",
+                           days);
     }
     CHECK_OSSL_RETURN1(X509_set1_notAfter(crt, asn1_time) != 1,
                        "Could not set expiration time on CRT.\n");

diff --git a/src/swtpm_cert/tpm.asn b/src/swtpm_cert/tpm.asn
@@ -116,12 +116,16 @@ TPMEKCertExtendedKeyUsage ::= SEQUENCE {
 -- IAK --
 
 TPMIAKSanInfo ::= SEQUENCE {
-  tpmIAKSanInfoSeq [0] IMPLICIT TPMIAKSanInfoSeq
+  tpmIAKSanInfoSet TPMIAKSanInfoSet
+}
+
+TPMIAKSanInfoSet ::= SET {
+  tpmIAKSanInfoSeq TPMIAKSanInfoSeq
 }
 
 TPMIAKSanInfoSeq ::= SEQUENCE {
   id OBJECT IDENTIFIER,
-  iakSanInfoSet [0] EXPLICIT IAKHardwareModuleName
+  iakSanInfoSet IAKHardwareModuleName
 }
 
 IAKHardwareModuleName ::= SEQUENCE {

diff --git a/src/swtpm_cert/tpm_asn1.h b/src/swtpm_cert/tpm_asn1.h
@@ -95,12 +95,12 @@ const asn1_static_node tpm_asn1_tab[] = {
   { "TPMEKCertExtendedKeyUsage", 1610612741, NULL },
   { "id", 12, NULL },
   { "TPMIAKSanInfo", 1610612741, NULL },
-  { "tpmIAKSanInfoSeq", 536879106, "TPMIAKSanInfoSeq"},
-  { NULL, 4104, "0"},
+  { "tpmIAKSanInfoSet", 2, "TPMIAKSanInfoSet"},
+  { "TPMIAKSanInfoSet", 1610612750, NULL },
+  { "tpmIAKSanInfoSeq", 201326594, "TPMIAKSanInfoSeq"},
   { "TPMIAKSanInfoSeq", 1610612741, NULL },
   { "id", 1073741836, NULL },
-  { "iakSanInfoSet", 536879106, "IAKHardwareModuleName"},
-  { NULL, 2056, "0"},
+  { "iakSanInfoSet", 2, "IAKHardwareModuleName"},
   { "IAKHardwareModuleName", 536870917, NULL },
   { "hwType", 1073741836, NULL },
   { "hwSerialNum", 7, NULL },

diff --git a/tests/Makefile.am b/tests/Makefile.am
@@ -82,7 +82,6 @@ TESTS = \
 	test_tpm2_save_load_state_locking \
 	test_tpm2_setbuffersize \
 	test_tpm2_swtpm_cert \
-	test_tpm2_swtpm_cert_ecc \
 	test_tpm2_swtpm_localca \
 	test_tpm2_swtpm_localca_pkcs11.test \
 	test_tpm2_swtpm_setup_create_cert \
@@ -113,12 +112,6 @@ EXTRA_DIST = \
 	$(TEST_UTILS) \
 	swtpm_setup.conf \
 	create_certs.sh \
-	data/ecpubek.pem \
-	data/ecprivek.pem \
-	data/issuercert.pem \
-	data/pubek.pem \
-	data/signkey.pem \
-	data/signkey-encrypted.pem \
 	data/keyfile.txt \
 	data/keyfile256bit.txt \
 	data/pwdfile.txt \
@@ -189,6 +182,7 @@ EXTRA_DIST = \
 	_test_save_load_state \
 	_test_setbuffersize \
 	_test_swtpm_bios \
+	_test_swtpm_cert \
 	_test_tpm_probe \
 	_test_tpm2_avoid_da_lockout \
 	_test_tpm2_derived_keys \
@@ -213,6 +207,7 @@ EXTRA_DIST = \
 	_test_tpm2_save_load_state_locking \
 	_test_tpm2_setbuffersize \
 	_test_tpm2_swtpm_bios \
+	_test_tpm2_swtpm_cert \
 	_test_tpm2_volatilestate \
 	_test_tpm2_wrongorder \
 	_test_volatilestate \

diff --git a/tests/_test_swtpm_cert b/tests/_test_swtpm_cert
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# For the license, see the LICENSE file in the root directory.
+
+ROOT=${abs_top_builddir:-$(dirname "$0")/..}
+TESTDIR=${abs_top_testdir:=$(dirname "$0")}
+
+source "${TESTDIR}/common"
+
+trap "cleanup" SIGTERM EXIT
+
+function cleanup()
+{
+	rm -f "${cert}" "${pwdfile}"
+}
+
+cert="$(mktemp)" || exit 1
+pwdfile="$(mktemp)" || exit 1
+
+function check_cert_size()
+{
+	local cert="$1"
+	local exp="$2"
+
+	local size
+
+	size=$(get_filesize "${cert}")
+	if [ "$size" -ne "$exp" ]; then
+		echo "Warning: Certificate file has unexpected size."
+		echo "         Expected: $exp;  found: $size"
+	fi
+}
+
+COMMON=(
+	--signkey "${PARAM_SIGNKEY_ENCRYPTED}"
+	--issuercert "${PARAM_ISSUERCERT}"
+	--out-cert "${cert}"
+	--days 3650
+	--pem
+	--tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2
+	--tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321
+)
+
+if ! VARNAME=${PARAM_PASSWORD} ${SWTPM_CERT} \
+	"${COMMON[@]}" \
+	--signkey-pwd env:VARNAME \
+	--modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497';
+then
+	echo "Error: ${SWTPM_CERT} returned error code."
+	exit 1
+fi
+
+check_cert_size "${cert}" 1395
+
+# truncate result file
+echo -n > "${cert}"
+echo "Test 1: OK"
+
+if ! ${SWTPM_CERT} \
+	"${COMMON[@]}" \
+	--signkey-pwd file:<(printf "%s" "${PARAM_PASSWORD}") \
+	--modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497';
+then
+	echo "Error: ${SWTPM_CERT} returned error code."
+	exit 1
+fi
+
+#expecting size to be constant
+check_cert_size "${cert}" 1395
+
+# truncate result file
+echo -n > "${cert}"
+echo "Test 2: OK"
+
+
+if ! ${SWTPM_CERT} \
+	"${COMMON[@]}" \
+	--signkey-pwd "pass:${PARAM_PASSWORD}" \
+	--pubkey "${PARAM_RSAPUBKEY}";
+then
+	echo "Error: ${SWTPM_CERT} returned error code."
+	exit 1
+fi
+
+check_cert_size "${cert}" 1460
+
+# truncate result file
+echo -n > "${cert}"
+echo "Test 3: OK"
+
+
+###################### Platform Certificate #####################
+
+printf "%s" "${PARAM_PASSWORD}" > "${pwdfile}"
+exec 100<"${pwdfile}"
+if ! ${SWTPM_CERT} \
+        --type platform \
+	"${COMMON[@]}" \
+	--signkey-pwd fd:100 \
+	--pubkey "${PARAM_RSAPUBKEY}" \
+	--platform-manufacturer Fedora \
+	--platform-model QEMU \
+	--platform-version 2.1; then
+	echo "Error: ${SWTPM_CERT} returned error code."
+	exit 1
+fi
+
+#expecting size to be constant
+check_cert_size "${cert}" 1489
+
+# truncate result file
+echo -n > "${cert}"
+echo "Test 4: OK"