}

// The test of CertOptions
func TestCertOptionsAndRetrieveID(t *testing.T) {
	testCases := map[string]struct {
		caCertFile    string
		caKeyFile     string
		certChainFile []string
		rootCertFile  string
		certOptions   *CertOptions
		expectedErr   string
	}{
		"No SAN RSA": {
			caCertFile:    rootCertFile,
			caKeyFile:     rootKeyFile,
			certChainFile: nil,
			rootCertFile:  rootCertFile,

	rootCertInKeyCertBundle []byte
}

func verifyRootCertAndPrivateKey(t *testing.T, shouldMatch bool, itemA, itemB rootCertItem) {
	isMatched := bytes.Equal(itemA.caSecret.Data[CACertFile], itemB.caSecret.Data[CACertFile])
	if isMatched != shouldMatch {
		t.Errorf("Verification of root cert in CA secret failed. Want %v got %v", shouldMatch, isMatched)
	}

		// Reload root certificate into key cert bundle.
		if !bytes.Equal(caCertInMem, caSecret.Data[CACertFile]) {
			rootCertRotatorLog.Warnf("CA cert in KeyCertBundle does not match CA cert in "+
				"%s. Start to reload root cert into KeyCertBundle", rotator.config.secretName)
			rootCerts, err := util.AppendRootCerts(caSecret.Data[CACertFile], rotator.config.rootCertFile)
			if err != nil {

	// MaxCertTTL: Maximum Certificate TTL that can be requested
	MaxCertTTL time.Duration
	// CaCertFile : File containing PEM encoded CA root certificate of external CA
	CaCertFile string
	// CaSigner : To indicate custom CA Signer name when using external K8s CA
	CaSigner string
	// VerifyAppendCA : Whether to use caCertFile containing CA root cert to verify and append to signed cert-chain
	VerifyAppendCA bool

		if certSignerDomain == "" {
			log.Infof("CA cert file %q not found, using %q.", caCertFile, defaultCACertPath)
			caCertFile = defaultCACertPath
		} else {
			log.Infof("CA cert file %q not found - ignoring.", caCertFile)
			caCertFile = ""
		}
	}

	if s.kubeClient == nil {
		return nil, fmt.Errorf("kubeClient is nil")
	}
	raOpts := &ra.IstioRAOptions{
		ExternalCAType:   opts.ExternalCAType,

		Key:                     opts.TLS.Key,
		CaCert:                  opts.TLS.CaCert,
		CertFile:                opts.TLS.CertFile,
		KeyFile:                 opts.TLS.KeyFile,
		CaCertFile:              opts.TLS.CaCertFile,
		InsecureSkipVerify:      opts.TLS.InsecureSkipVerify,
		Alpn:                    getProtoALPN(opts.TLS.Alpn),
		FollowRedirects:         opts.HTTP.FollowRedirects,

// NewKubernetesRA : Create a RA that interfaces with K8S CSR CA
func NewKubernetesRA(raOpts *IstioRAOptions) (*KubernetesRA, error) {
	keyCertBundle, err := util.NewKeyCertBundleWithRootCertFromFile(raOpts.CaCertFile)
	if err != nil {
		return nil, raerror.NewError(raerror.CAInitFail, fmt.Errorf("error processing Certificate Bundle for Kubernetes RA"))
	}
	istioRA := &KubernetesRA{
		csrInterface:                 raOpts.K8sClient,

	}
	if caSecret.Data[PrivateKeyFile] != nil {
		t.Fatalf("Private key should be nil but got %v", caSecret.Data[PrivateKeyFile])
	}
	if !bytes.Equal(caSecret.Data[CACertFile], CertPem) {
		t.Fatalf("CA cert does not match, want %v got %v", CertPem, caSecret.Data[CACertFile])
	}
	if !bytes.Equal(caSecret.Data[CAPrivateKeyFile], KeyPem) {
		t.Fatalf("CA cert does not match, want %v got %v", KeyPem, caSecret.Data[CAPrivateKeyFile])
	}

  string caCert = 12;
  // If non-empty, make the request with the corresponding cert and key file.
  string certFile = 16;
  string keyFile = 17;
  // If non-empty, verify the server CA with the ca cert file.
  string caCertFile = 18;
  // Skip verifying peer's certificate.
  bool insecureSkipVerify = 19;
  // List of ALPNs to present. If not set, this will be automatically be set based on the protocol
  Alpn alpn = 13;

	}

	return nil
}

func getX509FromFile(t framework.TestContext, caCertFile string) *x509.Certificate {
	certBytes, err := cert.ReadSampleCertFromFile(caCertFile)
	if err != nil {
		t.Errorf("failed to read %s file: %v", caCertFile, err)
	}
	return parseCert(t, certBytes)
}

func parseCert(t framework.TestContext, certBytes []byte) *x509.Certificate {