if err != nil {
		return nil, fmt.Errorf("failed to parse X.509 certificate signing request")
	}
	return csr, nil
}

// ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error) {
	kb, _ := pem.Decode(keyBytes)
	if kb == nil {
		return nil, fmt.Errorf("invalid PEM-encoded key")
	}

	// cert and privKey are always reset to point to new addresses. This avoids modifying the pointed structs that
	// could be still used outside of the class.
	b.cert, _ = ParsePemEncodedCertificate(certBytes)
	privKey, _ := ParsePemEncodedKey(privKeyBytes)
	b.privKey = &privKey
	b.mutex.Unlock()
}

// CertOptions returns the certificate config based on currently stored cert.
func (b *KeyCertBundle) CertOptions() (*CertOptions, error) {

		},
		"Parse invalid PKCS8 key": {
			pem:    keyInvalidPKCS8,
			errMsg: "failed to parse the PKCS8 private key",
		},
	}

	for id, c := range testCases {
		key, err := ParsePemEncodedKey([]byte(c.pem))
		if c.errMsg != "" {
			if err == nil {
				t.Errorf(`%s: no error is returned, expected "%s"`, id, c.errMsg)
			} else if !strings.HasPrefix(err.Error(), c.errMsg) {

	}

	template, err := genCertTemplateFromOptions(options)
	if err != nil {
		return nil, nil, fmt.Errorf("cert generation fails at cert template creation (%v)", err)
	}
	caPrivateKey, err := ParsePemEncodedKey(options.SignerPrivPem)
	if err != nil {
		return nil, nil, fmt.Errorf("unrecogniazed CA "+
			"private key, skip root cert rotation: %s", err.Error())
	}

	}

	var secret k8s.Secret
	err = json.Unmarshal(out, &secret)
	if err != nil {
		log.Fatalf("Unmarshal secret error: %v", err)
	}
	key, err := util.ParsePemEncodedKey(secret.Data[ca.CAPrivateKeyFile])
	if err != nil {
		log.Fatalf("Unrecognized key format from citadel %v", err)
	}
	cert, err := util.ParsePemEncodedCertificate(secret.Data[ca.CACertFile])
	if err != nil {

	opts.KeyUsages = append(opts.KeyUsages, x509.ExtKeyUsageAny)

	if _, err = cert.Verify(opts); err != nil {
		return fmt.Errorf("failed to verify certificate: " + err.Error())
	}
	if privPem != nil {
		priv, err := ParsePemEncodedKey(privPem)
		if err != nil {
			return err
		}

		privRSAKey, privRSAOk := priv.(*rsa.PrivateKey)
		pubRSAKey, pubRSAOk := cert.PublicKey.(*rsa.PublicKey)

		privECKey, privECOk := priv.(*ecdsa.PrivateKey)

		t.Fatal(err)
	}

	ecCaCert, err := ParsePemEncodedCertificate(ecCaCertPem)
	if err != nil {
		t.Fatal(err)
	}

	rsaCaPriv, err := ParsePemEncodedKey(rsaCaPrivPem)
	if err != nil {
		t.Fatal(err)
	}

	ecCaPriv, err := ParsePemEncodedKey(ecCaPrivPem)
	if err != nil {
		t.Fatal(err)
	}

	notBefore := now.Add(-5 * time.Minute)
	ttl := time.Hour
	cases := map[string]struct {

			oldRootCert.PublicKeyAlgorithm.String(), newRootCert.PublicKeyAlgorithm.String())
	}
}

func getPublicKeySizeInBits(keyPem []byte) int {
	privateKey, _ := util.ParsePemEncodedKey(keyPem)
	k := privateKey.(*rsa.PrivateKey)
	return k.PublicKey.Size() * 8
}

// TestKeyCertBundleReloadInRootCertRotatorForSigningCitadel verifies that

	}

	rootCert, err := ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		t.Errorf("failed to parsing pem for root cert %v", err)
	}

	rootKey, err := ParsePemEncodedKey(rootKeyBytes)
	if err != nil {
		t.Errorf("failed to parsing pem for root key cert %v", err)
	}

	caCertBytes, caCertKeyBytes, err := GenCertKeyFromOptions(CertOptions{

	if err != nil {
		return nil, err
	}

	rootCert, err := util.ParsePemEncodedCertificate(rootCertBytes)
	if err != nil {
		return nil, err
	}

	rootKey, err := util.ParsePemEncodedKey(rootKeyBytes)
	if err != nil {
		return nil, err
	}

	intermediateCAOpts := util.CertOptions{
		IsCA:         true,
		IsSelfSigned: false,
		TTL:          time.Hour,