}
)

func TestVerifyCert(t *testing.T) {
	testCases := map[string]struct {
		privPem        []byte
		certChainPem   []byte
		rootCertPem    []byte
		expectedFields *VerifyFields
		expectedErr    string
	}{
		"Root cert bad": {
			privPem:        nil,
			certChainPem:   nil,
			rootCertPem:    []byte(rootCertBad),
			expectedFields: verifyField1,
			expectedErr:    "failed to parse root certificate",

func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, expectedFields *VerifyFields) error {
	roots := x509.NewCertPool()
	if rootCertPem != nil {
		if ok := roots.AppendCertsFromPEM(rootCertPem); !ok {
			return fmt.Errorf("failed to parse root certificate")
		}
	}

	intermediates := x509.NewCertPool()
	if ok := intermediates.AppendCertsFromPEM(certChainPem); !ok {

	privPem, err := f.GetBytes()
	if err != nil {
		return 0
	}
	certChainPem, err := f.GetBytes()
	if err != nil {
		return 0
	}
	rootCertPem, err := f.GetBytes()
	if err != nil {
		return 0
	}
	expectedFields := &util.VerifyFields{}
	err = f.GenerateStruct(expectedFields)
	if err != nil {
		return 0
	}
	util.VerifyCertificate(privPem, certChainPem, rootCertPem, expectedFields)
	return 1
}

		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			csrPEM := createFakeCsr(t)
			certChainPem, err := os.ReadFile(tc.certChain)
			if err != nil {
				t.Errorf("Failed to read sample %s", tc.certChain)
			}
			client := initFakeKubeClient(t, certChainPem)
			ra, err := createFakeK8sRA(client, "")
			if err != nil {
				t.Errorf("Failed to create Fake K8s RA")
			}

	}
	certChainExpiryTimestamp.Record(certChainExpiry)

	certChainPem, err := util.ParsePemEncodedCertificate(keyCertBundle.GetCertChainPem())
	if err != nil {
		serverCaLog.Errorf("failed to parse the cert chain: %v", err)
	}
	certChainExpirySeconds.ValueFrom(func() float64 { return time.Until(certChainPem.NotAfter).Seconds() })
}

// Register registers a GRPC server on the specified port.

	if len(trustBundlePEM) > 0 {
		rootCertPEM = concatCerts(trustBundlePEM)
	} else {
		// If CA Client has no explicit mechanism to retrieve CA root, infer it from the root of the certChain
		rootCertPEM = []byte(certChainPEM[len(certChainPEM)-1])
	}

	return &security.SecretItem{
		CertificateChain: certChain,
		PrivateKey:       keyPEM,
		ResourceName:     resourceName,
		CreatedTime:      time.Now(),

	return certPEM, privPEM, nil
}

func (ca *IstioCA) minTTL(defaultCertTTL time.Duration) (time.Duration, error) {
	certChainPem := ca.keyCertBundle.GetCertChainPem()
	if len(certChainPem) == 0 {
		return defaultCertTTL, nil
	}

	certChainExpiration, err := util.TimeBeforeCertExpires(certChainPem, time.Now())
	if err != nil {
		return 0, fmt.Errorf("failed to get cert chain TTL %s", err.Error())
	}