possibleRootCert = rootCertFromCertChain
		}
		if possibleRootCert == nil {
			return nil, raerror.NewError(raerror.CSRError, fmt.Errorf("failed to find root cert from either signed cert-chain or mesh config"))
		}
		if verifyErr := util.VerifyCertificate(nil, cert, possibleRootCert, nil); verifyErr != nil {
			return nil, raerror.NewError(raerror.CSRError, fmt.Errorf("root cert from signed cert-chain is invalid (%v)", verifyErr))
		}

	if forCA {
		return requestedLifetime, raerror.NewError(raerror.CSRError,
			fmt.Errorf("unable to generate CA certifificates"))
	}
	if !ValidateCSR(csrPEM, subjectIDs) {
		return requestedLifetime, raerror.NewError(raerror.CSRError, fmt.Errorf(
			"unable to validate SAN Identities in CSR"))
	}

 *
 *  05-Sep-2004   Added internal test interface. (JDS)
 */

/** @file
 *  Error handling functions (user interface).
 *  CUnit uses a simple (and conventional) error handling strategy.
 *  Functions that can generate errors set (and usually return) an
 *  error code to indicate the run status.  The error code can be

			return nil, status.Error(codes.Unauthenticated, "request authenticate failure")
		}
		id = caller.Identities
	}
	cert, err := s.sign([]byte(request.Csr), id, time.Duration(request.ValidityDuration)*time.Second, false)
	if err != nil {
		caServerLog.Errorf("failed to sign CSR: %+v", err)
		return nil, status.Errorf(err.(*caerror.Error).HTTPErrorCode(), "CSR signing error: %+v", err.(*caerror.Error))
	}

func Test_atomicLastError(t *testing.T) {
	aError := &atomicLastError{err: fmt.Errorf("initial error")}
	// no timestamp is always updated
	aError.Store(errors.New("updated error"), time.Time{})
	err := aError.Load()
	if err.Error() != "updated error" {
		t.Fatalf("Expected: \"updated error\" got: %s", err.Error())
	}
	// update to current time
	now := time.Now()
	aError.Store(errors.New("now error"), now)
	err = aError.Load()

	"errors"
	"fmt"
)

var ErrPartialAdd = errors.New("partial add error")

type PartialAddError struct {
	inner error
}

func (e *PartialAddError) Error() string {
	return fmt.Sprintf("%s: %v", ErrPartialAdd.Error(), e.inner)
}

func (e *PartialAddError) Unwrap() []error {
	return []error{ErrPartialAdd, e.inner}
}

func NewErrPartialAdd(err error) *PartialAddError {
	return &PartialAddError{
		inner: err,
	}

// limitations under the License.

package mock

import (
	"istio.io/istio/security/pkg/pki/ca"
	caerror "istio.io/istio/security/pkg/pki/error"
	"istio.io/istio/security/pkg/pki/util"
)

// FakeCA is a mock of CertificateAuthority.
type FakeCA struct {
	SignedCert    []byte
	SignErr       *caerror.Error
	KeyCertBundle *util.KeyCertBundle
	ReceivedIDs   []string
}

	{new(mapError), new(error), true},
	{new(*mapError), new(error), true},
}

type notAnExpr struct{}

func (notAnExpr) Pos() token.Pos { return token.NoPos }
func (notAnExpr) End() token.Pos { return token.NoPos }
func (notAnExpr) exprNode()      {}

type notASTExpr interface {
	Pos() token.Pos
	End() token.Pos
	exprNode()
}

type mapError map[string]string

func (e *SyscallError) Unwrap() error { return e.Err }

// Timeout reports whether this error represents a timeout.
func (e *SyscallError) Timeout() bool {
	t, ok := e.Err.(timeout)
	return ok && t.Timeout()
}

// NewSyscallError returns, as an error, a new [SyscallError]
// with the given system call name and error details.
// As a convenience, if err is nil, NewSyscallError returns nil.

	e := fmt.Errorf(format, a...)
	ee := Error{}
	ee.msg = e.Error()
	ee.cause = errors.Unwrap(e)
	return ee
}

// Unwrap the internal error.
func (e Error) Unwrap() error { return e.cause }

// Error 'error' compatible method.
func (e Error) Error() string {
	if e.msg == "" {
		return "crypto: cause <nil>"
	}
	return e.msg
}

var (
	// ErrInvalidEncryptionMethod indicates that the specified SSE encryption method