csrOptions CertOptions
		err        error
	}{
		"GenCSR with RSA": {
			csrOptions: CertOptions{
				Host:       "test_ca.com",
				Org:        "MyOrg",
				RSAKeySize: 2048,
			},
		},
		"GenCSR with EC": {
			csrOptions: CertOptions{
				Host:     "test_ca.com",
				Org:      "MyOrg",
				ECSigAlg: EcdsaSigAlg,
			},
		},
		"GenCSR with EC errors due to invalid signature algorithm": {

	"istio.io/istio/pkg/log"
)

// minimumRsaKeySize is the minimum RSA key size to generate certificates
// to ensure proper security
const minimumRsaKeySize = 2048

// GenCSR generates a X.509 certificate sign request and private key with the given options.
func GenCSR(options CertOptions) ([]byte, []byte, error) {
	var priv any
	var err error
	if options.ECSigAlg != "" {
		switch options.ECSigAlg {
		case EcdsaSigAlg:

	}

	err = os.WriteFile(*outPriv, privPem, 0o600)
	if err != nil {
		log.Fatalf("Could not write output private key: %s.", err)
	}
}

func main() {
	flag.Parse()

	csrPem, privPem, err := util.GenCSR(util.CertOptions{
		Host:       *host,
		Org:        *org,
		RSAKeySize: *keySize,
		ECSigAlg:   util.SupportedECSignatureAlgorithms(*ec),
		ECCCurve:   util.SupportedEllipticCurves(*curve),
	})
	if err != nil {

)

func FuzzGenCSR(data []byte) int {
	f := fuzz.NewConsumer(data)
	certOptions := util.CertOptions{}
	err := f.GenerateStruct(&certOptions)
	if err != nil {
		return 0
	}
	_, _, _ = util.GenCSR(certOptions)
	return 1
}

func fuzzedCertChain(f *fuzz.ConsumeFuzzer) ([][]*x509.Certificate, error) {
	certChain := [][]*x509.Certificate{}
	withPkixExtension, err := f.GetBool()
	if err != nil {

	options := pkiutil.CertOptions{
		Host:       san,
		RSAKeySize: 2048,
	}
	// Generate the cert/key, send CSR to CA.
	csrPEM, keyPEM, err := pkiutil.GenCSR(options)
	if err != nil {
		return Cert{}, err
	}
	a, err := i.InternalDiscoveryAddressFor(c)
	if err != nil {
		return Cert{}, err
	}
	client, err := newCitadelClient(a, []byte(rootCert))
	if err != nil {

	options := pkiutil.CertOptions{
		Host:       testCsrHostName,
		RSAKeySize: 2048,
		PKCS8Key:   false,
		ECSigAlg:   pkiutil.SupportedECSignatureAlgorithms("ECDSA"),
	}
	csrPEM, _, err := pkiutil.GenCSR(options)
	if err != nil {
		t.Fatalf("Error creating Mock CA client: %v", err)
		return nil
	}
	return csrPEM
}

func initFakeKubeClient(t test.Failer, certificate []byte) kube.CLIClient {

) ([]byte, []byte, []byte, error) {
	// 1. Generate a CSR
	options := util.CertOptions{
		Host:       dnsName,
		RSAKeySize: keySize,
		IsDualUse:  false,
		PKCS8Key:   false,
	}
	csrPEM, keyPEM, err := util.GenCSR(options)
	if err != nil {
		log.Errorf("CSR generation error (%v)", err)
		return nil, nil, nil, err
	}
	usages := []cert.KeyUsage{
		cert.UsageDigitalSignature,
		cert.UsageKeyEncipherment,