return 0
	}
	// Check that certChainBytes can be parsed successfully
	_, err = util.ParsePemEncodedCertificate(certChainBytes)
	if err != nil {
		return 0
	}
	rootCertBytes, err := f.GetBytes()
	if err != nil {
		return 0
	}
	// Check that rootCertBytes can be parsed successfully
	_, err = util.ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		return 0
	}
	signedCert, err := f.GetBytes()

			keyPEM, append(certPEM, certChainBytes...), rootCertBytes, &tc.verifyFields); err != nil {
			t.Errorf("%s: VerifyCertificate error: %v", id, err)
		}

		cert, err := util.ParsePemEncodedCertificate(certPEM)
		if err != nil {
			t.Errorf("%s: ParsePemEncodedCertificate error: %v", id, err)
		}

		if ttl := cert.NotAfter.Sub(cert.NotBefore) - util.ClockSkewGracePeriod; ttl != tc.requestedTTL {

	blockTypeRSAPrivateKey   = "RSA PRIVATE KEY" // PKCS#1 private key
	blockTypePKCS8PrivateKey = "PRIVATE KEY"     // PKCS#8 plain private key
)

// ParsePemEncodedCertificate constructs a `x509.Certificate` object using the
// given a PEM-encoded certificate.
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error) {
	cb, _ := pem.Decode(certBytes)
	if cb == nil {
		return nil, fmt.Errorf("invalid PEM encoded certificate")
	}

		}
	}

	intermediates := x509.NewCertPool()
	if ok := intermediates.AppendCertsFromPEM(certChainPem); !ok {
		return fmt.Errorf("failed to parse certificate chain")
	}

	cert, err := ParsePemEncodedCertificate(certChainPem)
	if err != nil {
		return err
	}

	opts := x509.VerifyOptions{
		Intermediates: intermediates,
		Roots:         roots,
	}
	host := ""
	if expectedFields != nil {

// grace period.
func (cu CertUtilImpl) GetWaitTime(certBytes []byte, now time.Time) (time.Duration, error) {
	cert, certErr := util.ParsePemEncodedCertificate(certBytes)
	if certErr != nil {
		return time.Duration(0), certErr
	}
	timeToExpire := cert.NotAfter.Sub(now)
	if timeToExpire < 0 {

	b.rootCertBytes = copyBytes(rootCertBytes)
	// cert and privKey are always reset to point to new addresses. This avoids modifying the pointed structs that
	// could be still used outside of the class.
	b.cert, _ = ParsePemEncodedCertificate(certBytes)
	privKey, _ := ParsePemEncodedKey(privKeyBytes)
	b.privKey = &privKey
	b.mutex.Unlock()
}

// CertOptions returns the certificate config based on currently stored cert.

	if err != nil {
		serverCaLog.Errorf("failed to extract root cert expiry timestamp (error %v)", err)
	}
	rootCertExpiryTimestamp.Record(rootCertExpiry)

	rootCertPem, err := util.ParsePemEncodedCertificate(keyCertBundle.GetRootCertPem())
	if err != nil {
		serverCaLog.Errorf("failed to parse the root cert: %v", err)
	}

		t.Fatal(err)
	}

	if VerifyCertificate(ecCaPrivPem, ecCaCertPem, ecCaCertPem, fields) != nil {
		t.Fatal(err)
	}

	rsaCaCert, err := ParsePemEncodedCertificate(rsaCaCertPem)
	if err != nil {
		t.Fatal(err)
	}

	ecCaCert, err := ParsePemEncodedCertificate(ecCaCertPem)
	if err != nil {
		t.Fatal(err)
	}

	rsaCaPriv, err := ParsePemEncodedKey(rsaCaPrivPem)
	if err != nil {
		t.Fatal(err)
	}

	if oldKeyLen != newKeyLen {
		t.Errorf("Public key size should not change, (got %d) vs (expected %d)",
			newKeyLen, oldKeyLen)
	}

	oldRootCert, _ := util.ParsePemEncodedCertificate(oldCertItem.caSecret.Data[CACertFile])
	newRootCert, _ := util.ParsePemEncodedCertificate(newCertItem.caSecret.Data[CACertFile])
	if oldRootCert.Subject.String() != newRootCert.Subject.String() {
		t.Errorf("certificate Subject does not match (old: %s) vs (new: %s)",

// genCertTemplateFromOptions(), and only called by a self-signed Citadel.
func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error) {
	cert, certErr := ParsePemEncodedCertificate(certBytes)
	if certErr != nil {
		return opts, certErr
	}

	orgs := cert.Subject.Organization
	if len(orgs) > 0 {
		opts.Org = orgs[0]
	}