}
	if len(certs) == 0 {
		return nil, nil, fmt.Errorf("no PEM encoded X.509 certificates parsed")
	}
	return certs, rootCertBytes, nil
}

// ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the
// given PEM-encoded certificate signing request.
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrBytes)
	if block == nil {

func (c *CAClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
	atomic.AddUint64(&c.SignInvokeCount, 1)
	signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}
	subjectIDs := []string{"test"}

)

// ValidateCSR : Validate all SAN extensions in csrPEM match authenticated identities
func ValidateCSR(csrPEM []byte, subjectIDs []string) bool {
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return false
	}
	if err := csr.CheckSignature(); err != nil {
		return false
	}
	csrIDs, err := util.ExtractIDs(csr.Extensions)
	if err != nil {
		return false
	}

		log.Info("CSR has already been signed. Ignoring.")
	case !isCertificateRequestApproved(csr):
		log.Info("CSR is not approved, Ignoring.")
	default:
		log.Info("Signing")
		x509cr, err := util.ParsePemEncodedCSR(csr.Spec.Request)
		if err != nil {
			log.Infof("unable to parse csr: %v", err)
			return nil
		}

		requestedLifeTime := signer.CertTTL

	}
	caServerLog.Info("send back CSR success response")
	return response, nil
}

func (s *CAServer) sign(csrPEM []byte, subjectIDs []string, _ time.Duration, forCA bool) ([]byte, error) {
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		caServerLog.Errorf("failed to parse CSR: %+v", err)
		return nil, caerror.NewError(caerror.CSRError, err)
	}
	signingCert, signingKey, _, _ := s.KeyCertBundle.GetAll()

			pem:    certECDSA,
		},
		"Parse CSR": {
			algo: x509.RSA,
			pem:  csr,
		},
	}

	for id, c := range testCases {
		_, err := ParsePemEncodedCSR([]byte(c.pem))
		if c.errMsg != "" {
			if err == nil {
				t.Errorf(`%s: no error is returned, expected "%s"`, id, c.errMsg)
			} else if c.errMsg != err.Error() {

	signingCert, signingKey, _, _ := ca.keyCertBundle.GetAll()
	if signingCert == nil {
		return nil, caerror.NewError(caerror.CANotReady, fmt.Errorf("Istio CA is not ready")) // nolint
	}

	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, caerror.NewError(caerror.CSRError, err)
	}

	if err := csr.CheckSignature(); err != nil {
		return nil, caerror.NewError(caerror.CSRError, err)
	}