// in its normal expanded *Certificate form.
type lazyCert struct {
	// rawSubject is the Certificate.RawSubject value.
	// It's the same as the CertPool.byName key, but in []byte
	// form to make CertPool.Subjects (as used by crypto/tls) do
	// fewer allocations.
	rawSubject []byte

	// constraint is a function to run against a chain when it is a candidate to

// license that can be found in the LICENSE file.

package x509

import "testing"

func TestCertPoolEqual(t *testing.T) {
	tc := &Certificate{Raw: []byte{1, 2, 3}, RawSubject: []byte{2}}
	otherTC := &Certificate{Raw: []byte{9, 8, 7}, RawSubject: []byte{8}}

	emptyPool := NewCertPool()
	nonSystemPopulated := NewCertPool()
	nonSystemPopulated.AddCert(tc)
	nonSystemPopulatedAlt := NewCertPool()

			Value: sanBytes,
		})
	}

	return append(ret, template.ExtraExtensions...), nil
}

func subjectBytes(cert *Certificate) ([]byte, error) {
	if len(cert.RawSubject) > 0 {
		return cert.RawSubject, nil
	}

	return asn1.Marshal(cert.Subject.ToRDNSequence())
}

// signingParamsForKey returns the signature algorithm and its Algorithm

	for _, ext := range candidate.Extensions {
		if ext.Id.Equal(oidExtensionSubjectAltName) {
			candidateSAN = &ext
			break
		}
	}

	for _, cert := range chain {
		if !bytes.Equal(candidate.RawSubject, cert.RawSubject) {
			continue
		}
		if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) {
			continue
		}
		var certSAN *pkix.Extension
		for _, ext := range cert.Extensions {

			// With Go 1.19's updated RevocationList, we can now directly compare
			// the RawSubject of the certificate to RawIssuer on the parsed CRL.
			// However, this doesn't work with our hacked issuers above (that
			// aren't parsed from a proper DER bundle but are instead manually
			// constructed). Prefer RawSubject when it is set.
			if len(tc.issuer.RawSubject) > 0 {
				issuerSubj, err := subjectBytes(tc.issuer)
				if err != nil {

	if err != nil {
		return nil, err
	}

	var subjectSeq cryptobyte.String
	if !tbs.ReadASN1Element(&subjectSeq, cryptobyte_asn1.SEQUENCE) {
		return nil, errors.New("x509: malformed issuer")
	}
	cert.RawSubject = subjectSeq
	subjectRDNs, err := parseName(subjectSeq)
	if err != nil {
		return nil, err
	}
	cert.Subject.FillFromRDNSequence(subjectRDNs)

	var spki cryptobyte.String

	c := &Certificate{
		RawIssuer:      []byte{1, 2, 3},
		AuthorityKeyId: []byte{1, 2, 3},
	}
	opts := &VerifyOptions{}
	opts.Roots = NewCertPool()
	r := &Certificate{
		RawSubject:   []byte{1, 2, 3},
		SubjectKeyId: []byte{1, 2, 3},
	}
	opts.Roots.AddCert(r)

	_, err := c.buildChains([]*Certificate{r}, nil, opts)
	if _, ok := err.(UnknownAuthorityError); !ok {

pkg crypto/x509, type CertificateRequest struct, PublicKeyAlgorithm PublicKeyAlgorithm
pkg crypto/x509, type CertificateRequest struct, Raw []uint8
pkg crypto/x509, type CertificateRequest struct, RawSubject []uint8
pkg crypto/x509, type CertificateRequest struct, RawSubjectPublicKeyInfo []uint8
pkg crypto/x509, type CertificateRequest struct, RawTBSCertificateRequest []uint8

		{"Certificate.PublicKey", Field, 0},
		{"Certificate.PublicKeyAlgorithm", Field, 0},
		{"Certificate.Raw", Field, 0},
		{"Certificate.RawIssuer", Field, 0},
		{"Certificate.RawSubject", Field, 0},
		{"Certificate.RawSubjectPublicKeyInfo", Field, 0},
		{"Certificate.RawTBSCertificate", Field, 0},
		{"Certificate.SerialNumber", Field, 0},
		{"Certificate.Signature", Field, 0},

pkg crypto/x509, type Certificate struct, Raw []uint8
pkg crypto/x509, type Certificate struct, RawIssuer []uint8
pkg crypto/x509, type Certificate struct, RawSubject []uint8
pkg crypto/x509, type Certificate struct, RawSubjectPublicKeyInfo []uint8
pkg crypto/x509, type Certificate struct, RawTBSCertificate []uint8
pkg crypto/x509, type Certificate struct, SerialNumber *big.Int