}
		rootCerts = AppendCertByte(pemCert, certBytes)
	}
	return rootCerts, nil
}

// AppendCertByte: Append x.509 rootCert in bytes to existing certificate chain (in bytes)
func AppendCertByte(pemCert []byte, rootCert []byte) []byte {
	rootCerts := []byte{}
	if len(pemCert) > 0 {
		// Copy the input certificate
		rootCerts = []byte(strings.TrimSuffix(string(pemCert), "\n") + "\n")
	}

	var err error
	if cfg != nil {
		certs := []string{}
		endpoints := []string{}
		for _, pemCert := range cfg.GetCaCertificates() {
			cert := pemCert.GetPem()
			if cert != "" {
				certs = append(certs, cert)
			} else if pemCert.GetSpiffeBundleUrl() != "" {
				endpoints = append(endpoints, pemCert.GetSpiffeBundleUrl())
			}
		}

		err = tb.UpdateTrustAnchor(&TrustAnchorUpdate{

	testCases := map[string]struct {
		pemCert          []byte
		rootFile         string
		expectedErr      string
		expectedRootCert []byte
	}{
		"Empty pem cert and root file": {
			pemCert:          []byte{},
			rootFile:         "",
			expectedErr:      "",
			expectedRootCert: []byte{},
		},
		"Non empty root file": {
			pemCert:          []byte{},
			rootFile:         "../testdata/cert.pem",

				pkiCaLog.Warnf("failed to create CA KeyCertBundle (%v)", err)
				return fmt.Errorf("failed to create CA KeyCertBundle (%v)", err)
			}
			// Write the key/cert back to secret, so they will be persistent when CA restarts.
			secret := BuildSecret(caCertName, namespace, nil, nil, pemCert, pemCert, pemKey, istioCASecretType)

	if err != nil {
		return nil, nil, fmt.Errorf("cert generation fails at X509 cert creation (%v)", err)
	}

	pemCert, pemKey, err := encodePem(false, certBytes, priv, options.PKCS8Key)
	return pemCert, pemKey, err
}

func publicKey(priv any) any {
	switch k := priv.(type) {
	case *rsa.PrivateKey:
		return &k.PublicKey
	case *ecdsa.PrivateKey:

}

func (r *KubernetesRA) SetCACertificatesFromMeshConfig(caCertificates []*meshconfig.MeshConfig_CertificateData) {
	r.mutex.Lock()
	for _, pemCert := range caCertificates {
		// TODO:  take care of spiffe bundle format as well
		cert := pemCert.GetPem()
		certSigners := pemCert.CertSigners
		if len(certSigners) != 0 {
			certSigner := strings.Join(certSigners, ",")
			if cert != "" {

	rotator *SelfSignedCARootCertRotator, options util.CertOptions,
) {
	certItem := loadCert(rotator)

	pemCert, pemKey, err := util.GenCertKeyFromOptions(options)
	if err != nil {
		t.Fatalf("failed to rotate secret: %v", err)
	}
	newSecret := certItem.caSecret
	newSecret.Data[CACertFile] = pemCert
	newSecret.Data[CAPrivateKeyFile] = pemKey

	options = util.MergeCertOptions(options, oldCertOptions)
	pemCert, pemKey, ckErr := util.GenRootCertFromExistingKey(options)
	if ckErr != nil {
		rootCertRotatorLog.Errorf("unable to generate CA cert and key for self-signed CA: %s", ckErr.Error())
		return
	}

	pemRootCerts, err := util.AppendRootCerts(pemCert, rotator.config.rootCertFile)
	if err != nil {

`

var ecdsaTests = []struct {
	sigAlgo SignatureAlgorithm
	pemCert string
}{
	{ECDSAWithSHA256, ecdsaSHA256p256CertPem},
	{ECDSAWithSHA256, ecdsaSHA256p384CertPem},
	{ECDSAWithSHA384, ecdsaSHA384p521CertPem},
}

func TestECDSA(t *testing.T) {
	for i, test := range ecdsaTests {
		pemBlock, _ := pem.Decode([]byte(test.pemCert))
		cert, err := ParseCertificate(pemBlock.Bytes)
		if err != nil {

// On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
// of root CAs in a format suitable for this function.
func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
	for len(pemCerts) > 0 {
		var block *pem.Block
		block, pemCerts = pem.Decode(pemCerts)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
			continue
		}

		certBytes := block.Bytes