// '!' represents an interior node that represents a REGISTRY entry in the map.
      // '?' represents a leaf node, which represents a REGISTRY entry in map.
      // ':' represents an interior node that represents a private entry in the map
      // ',' represents a leaf node, which represents a private entry in the map.
      String domain = DIRECT_JOINER.join(stack);

      if (domain.length() > 0) {

#
# This file is a series of lines, each of the form:
#     <type> <name>
#
# Type can be:
#    path - an exact path to a single file
#    file-name - an exact leaf filename, regardless of path
#    path-prefix - a prefix match on the file path
#    file-prefix - a prefix match of the leaf filename (no path)
#    paths-from-repo - read a file from the repo and load file paths
#

file-prefix	zz_generated.

file-name	types.generated.go

        .certificateAuthority(0)
        .rsa2048()
        .build()
    val leaf =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .ecdsa256()
        .signedBy(root)
        .build()
    assertThat(root.certificate.sigAlgName).isEqualTo("SHA256WITHRSA", ignoreCase = true)
    assertThat(leaf.certificate.sigAlgName).isEqualTo("SHA256WITHRSA", ignoreCase = true)
  }

  @Test

CERTIFICATE NAME                                         TYPE     STATUS           VALID CERT     SERIAL NUMBER                        NOT AFTER                NOT BEFORE
spiffe://cluster.local/ns/istio-system/sa/istiod         Leaf     Available        true           e5dfb59150b2ba7f108d93dcec5aa613     2033-03-22T13:04:57Z     2023-03-21T13:02:57Z

				secret.Identity, valueOrNA(""), secret.State, false, valueOrNA(""), valueOrNA(""), valueOrNA(""))
		} else {
			for i, ca := range secret.CertChain {
				t := "Intermediate"
				if i == 0 {
					t = "Leaf"
				} else if i == len(secret.CertChain)-1 {
					t = "Root"
				}
				n := new(big.Int)
				n, _ = n.SetString(ca.SerialNumber, 10)
				fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%x\t%v\t%v\n",

internal data class BasicConstraints(
  /** True if this certificate can be used as a Certificate Authority (CA). */
  val ca: Boolean,
  /** The maximum number of intermediate CAs between this and leaf certificates. */
  val maxIntermediateCas: Long?,
)

/** A private key. Note that this class doesn't support attributes or an embedded public key. */
internal data class PrivateKeyInfo(
  // v1(0), v2(1).

func unwrapErrs(err error) (leafErr error) {
	uerr := errors.Unwrap(err)
	depth := 1
	for uerr != nil {
		// Save the current `uerr`
		leafErr = uerr
		// continue to look for leaf errors underneath
		uerr = errors.Unwrap(leafErr)
		depth++
		if depth == unwrapErrsDepth {
			// If we have reached enough depth we
			// do not further recurse down, this
			// is done to avoid any unnecessary

    val cleaner = get(root)
    assertFailsWith<SSLPeerUnverifiedException> {
      cleaner.clean(certificates, "hostname")
    }
  }

  /** Returns a chain starting at the leaf certificate and progressing to the root.  */
  private fun chainOfLength(length: Int): List<HeldCertificate> {
    val result = mutableListOf<HeldCertificate>()
    for (i in 1..length) {
      result.add(
        0,

	peerCertificates := make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
	for _, cert := range r.TLS.PeerCertificates {
		if cert.IsCA {
			continue
		}
		peerCertificates = append(peerCertificates, cert)
	}
	r.TLS.PeerCertificates = peerCertificates

	// Now, we have to check that the client has provided exactly one leaf
	// certificate that we can map to a policy.

        .signedBy(pinnedRoot)
        .build()
    val attackerSwitch =
      HeldCertificate.Builder()
        .serialNumber(5L)
        .keyPair(attackerIntermediate.keyPair) // share keys between compromised CA and leaf!
        .commonName("attacker")
        .addSubjectAlternativeName("attacker.com")
        .signedBy(pinnedIntermediate)
        .build()
    val phonyVictim =
      HeldCertificate.Builder()