"The number of errors occurred when parsing the CSR.",
	)

	idExtractionErrorCounts = monitoring.NewSum(
		"citadel_server_id_extraction_err_count",
		"The number of errors occurred when extracting the ID from CSR.",
	)

	certSignErrorCounts = monitoring.NewSum(
		"citadel_server_csr_sign_err_count",
		"The number of errors occurred when signing the CSR.",
	)

	successCounts = monitoring.NewSum(

	org     = flag.String("organization", "Juju org", "Organization for the cert.")
	outCsr  = flag.String("out-csr", "csr.pem", "Output csr file.")
	outPriv = flag.String("out-priv", "priv.pem", "Output private key file.")
	keySize = flag.Int("key-size", 2048, "Size of the generated private key")
	ec      = flag.String("ec-sig-alg", "", "Generate an elliptical curve private key with the specified algorithm")

		return admission.NewForbidden(a, fmt.Errorf("user not permitted to approve requests with signerName %q", csr.Spec.SignerName))
	}

	return nil

	var cert []byte
	var respCertChain []string
	if certSigner == "" {
		cert, signErr = s.ca.Sign([]byte(request.Csr), certOpts)
	} else {
		serverCaLog.Debugf("signing CSR with cert chain")
		respCertChain, signErr = s.ca.SignWithCertChain([]byte(request.Csr), certOpts)
	}
	if signErr != nil {
		serverCaLog.Errorf("CSR signing error: %v", signErr.Error())
		s.monitoring.GetCertSignError(signErr.(*caerror.Error).ErrorType()).Increment()

openssl genrsa -out ca-key.pem 2048

echo 'Generate CSR for Istio CA.'
openssl req -new -key ca-key.pem -out ca-cert.csr -config ca.cfg -batch -sha256

echo 'Sign the cert for Istio CA.'
openssl x509 -req -days 36500 -in ca-cert.csr -sha256 -CA root-cert.pem -CAkey root-key.pem -CAcreateserial -out ca-cert.pem -extensions v3_req -extfile ca.cfg

rm ./*csr
rm ./*srl

echo 'Generate cert chain file.'

			oldCSR, ok := old.(*certificates.CertificateSigningRequest)
			if !ok {
				return
			}

			// if the old CSR already has a certificate, do not double count it
			if len(oldCSR.Status.Certificate) > 0 {
				return
			}

			if oldCSR.Spec.ExpirationSeconds == nil {
				return // ignore CSRs that are not using the CSR duration feature
			}

			newCSR, ok := obj.(*certificates.CertificateSigningRequest)
			if !ok {

	MAXREG
)

const (
	C_NONE = iota
	C_REG
	C_REGREG
	C_REGREG2
	C_REGLIST
	C_SHIFT     /* register shift R>>x */
	C_SHIFTADDR /* memory address with shifted offset R>>x(R) */
	C_FREG
	C_PSR
	C_FCR
	C_SPR /* REG_MB_SY */

	C_RCON   /* 0xff rotated */
	C_NCON   /* ~RCON */
	C_RCON2A /* OR of two disjoint C_RCON constants */
	C_RCON2S /* subtraction of two disjoint C_RCON constants */

openssl req -new -key serverKey.pem -out server.csr -subj "/CN=webhook_imagepolicy_server" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf

# Create a client certiticate
openssl genrsa -out clientKey.pem 2048
openssl req -new -key clientKey.pem -out client.csr -subj "/CN=webhook_imagepolicy_client" -config client.conf

package monitoring

import "istio.io/istio/pkg/monitoring"

// RequestType specifies the type of request we are monitoring. Current supported are CSR and TokenExchange
var RequestType = monitoring.CreateLabel("request_type")

const (
	TokenExchange = "token_exchange"
	CSR           = "csr"
)

var NumOutgoingRetries = monitoring.NewSum(
	"num_outgoing_retries",

	"encoding/pem"
	"errors"
)

// ParseCSR decodes a PEM encoded CSR
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	// extract PEM from request object
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("PEM block type must be CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err