test: fill edge-case gaps in PEM/inspect/PKCS#12 coverage

[danielewood]

Summary

Several required edge cases and test‑quality rules (T‑7, T‑8, T‑9) are not fully covered in the current test suite.

Underlying problems

1. ParsePEMCertificates_NoCertificates claims to cover non‑PEM text but does not include a non‑PEM input case.
2. InspectFile tests compute SKI using the same implementation under test, making the assertion tautological (T‑9).
3. InspectFile tests only PEM key input, despite DER key parsing support.
4. PKCS#12 tests lack the empty‑container case (no certs/keys), required by T‑8.

Why this matters

These gaps can allow regressions in parsing and inspection logic without failing tests, reducing confidence in correctness guarantees.

Evidence

• Missing non‑PEM text case: certkit_test.go:26-48.
• Tautological SKI assertion: internal/inspect_test.go:128-138.
• Missing DER key coverage: internal/inspect.go:119-123 vs tests only PEM in internal/inspect_test.go:92-126.
• Missing empty PKCS#12 container test: pkcs_test.go:76-207.

Acceptance criteria

• Add a non‑PEM text case to TestParsePEMCertificates_NoCertificates.
• Replace SKI test with an independent calculation or a known value (not using the same helper under test).
• Add at least one DER private key test for inspect.
• Add an empty‑PKCS#12 container test that asserts expected error behavior.

Suggested approach

• Extend existing table‑driven tests with additional inputs to keep coverage consolidated (T‑12).

Dedupe notes

Checked open issues #88–#92 and gh search issues "repo:sensiblebit/certkit" with relevant keywords; no overlapping issue found. Classified as new.

[danielewood]

Implemented in #107 and included in #110, now merged to main. Closing as complete.