var override string
	if SignatureAlgorithm(e) == SHA1WithRSA || SignatureAlgorithm(e) == ECDSAWithSHA1 {
		override = " (temporarily override with GODEBUG=x509sha1=1)"
	}
	return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e)) + override
}

// ConstraintViolationError results when a requested usage is not permitted by
// a certificate. For example: checking a signature when the public key isn't a

}

// typeAndHashFromSignatureScheme returns the corresponding signature type and
// crypto.Hash for a given TLS SignatureScheme.
func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
	switch signatureAlgorithm {
	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
		sigType = signaturePKCS1v15
	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:

func CertificateText(cert *x509.Certificate) string {
	var buf strings.Builder

	buf.WriteString(color.Blue("\nCertificate:\n"))
	if cert.SignatureAlgorithm != x509.UnknownSignatureAlgorithm {
		buf.WriteString(color.Blue("%4sSignature Algorithm: ", "") + color.Bold(fmt.Sprintf("%s\n", cert.SignatureAlgorithm)))
	}

	// Issuer information
	buf.WriteString(color.Blue("%4sIssuer: ", ""))
	printName(cert.Issuer.Names, &buf)

	}

	var signatureAlgorithm SignatureScheme
	var sigType uint8
	var sigHash crypto.Hash
	if ka.version >= VersionTLS12 {
		signatureAlgorithm, err = selectSignatureScheme(ka.version, cert, clientHello.supportedSignatureAlgorithms)
		if err != nil {
			return nil, err
		}
		sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm)
		if err != nil {
			return nil, err
		}

        issuer = subject
      }
      val signatureAlgorithm = signatureAlgorithm(issuerKeyPair)

      // Subset of certificate data that's covered by the signature.
      val tbsCertificate =
        TbsCertificate(
          // v3:
          version = 2L,
          serialNumber = serialNumber ?: BigInteger.ONE,
          signature = signatureAlgorithm,
          issuer = issuer,
          validity = validity(),

      Adapters.BIT_STRING,
      decompose = {
        listOf(
          it.tbsCertificate,
          it.signatureAlgorithm,
          it.signatureValue,
        )
      },
      construct = {
        Certificate(
          tbsCertificate = it[0] as TbsCertificate,
          signatureAlgorithm = it[1] as AlgorithmIdentifier,
          signatureValue = it[2] as BitString,
        )
      },
    )

				t.Fatalf("Failed to parse generated CRL: %s", err)
			}

			if tc.template.SignatureAlgorithm != UnknownSignatureAlgorithm &&
				parsedCRL.SignatureAlgorithm != tc.template.SignatureAlgorithm {
				t.Fatalf("SignatureAlgorithm mismatch: got %v; want %v.", parsedCRL.SignatureAlgorithm,
					tc.template.SignatureAlgorithm)
			}

			if len(tc.template.RevokedCertificates) > 0 {

	// check all received non-self-signed certificates for deprecated signing algorithms
	for _, cert := range peerCertificates {
		if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
			// the SHA-1 deprecation does not involve self-signed root certificates
			if !reflect.DeepEqual(cert.Issuer, cert.Subject) {
				return true
			}
		}
	}

pkg crypto/x509, type RevocationList struct, Number *big.Int
pkg crypto/x509, type RevocationList struct, RevokedCertificates []pkix.RevokedCertificate
pkg crypto/x509, type RevocationList struct, SignatureAlgorithm SignatureAlgorithm
pkg crypto/x509, type RevocationList struct, ThisUpdate time.Time
pkg database/sql, method (*DB) SetConnMaxIdleTime(time.Duration)
pkg database/sql, method (*Row) Err() error

			csrTemplate: &x509.CertificateRequest{
				SignatureAlgorithm: x509.SHA256WithRSA,
				DNSNames:           []string{"name_in_csr"},
				Version:            3,
			},
		},
		{
			name:       "Two subject IDs",
			subjectIDs: []string{"spiffe://test.com/abc/def", "test.com"},
			signeeKey:  rsaSigneeKey,
			csrTemplate: &x509.CertificateRequest{
				SignatureAlgorithm: x509.SHA256WithRSA,