cat "$certchain" >> "$FINAL_DIR/workload-$sa-cert.pem"
cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem"
cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem"

echo "Generated workload-$sa-[cert|key].pem with URI SAN $san"

		Roots:         roots,
	}
	host := ""
	if expectedFields != nil {
		host = expectedFields.Host
		san := host
		// uri scheme is currently not supported in go VerifyOptions. We verify
		// this uri at the end as a special case.
		if strings.HasPrefix(host, "spiffe") {
			san = ""
		}
		opts.DNSName = san
	}
	opts.KeyUsages = append(opts.KeyUsages, x509.ExtKeyUsageAny)

	if _, err = cert.Verify(opts); err != nil {

							TlsSettings: &v1alpha3.ClientTLSSettings{
								SubjectAltNames: []string{"san"},
							},
						},
					}),
				},
			},
			// nolint: lll
			`{"PROXY_CONFIG":{"configPath":"foo","drainDuration":"5s","controlPlaneAuthPolicy":"MUTUAL_TLS","envoyAccessLogService":{"address":"address","tlsSettings":{"subjectAltNames":["san"]}}}}`,
			model.BootstrapNodeMetadata{
				NodeMetadata: model.NodeMetadata{

kind: feature
area: security

issue:
 - https://github.com/istio/istio/issues/41666

releaseNotes:
  - |

			caller:             nil,
			authenticateErrMsg: "no verified chain is found",
		},
		"Certificate has no SAN": {
			certChain: [][]*x509.Certificate{
				{
					{
						Version: 1,
					},
				},
			},
			authenticateErrMsg: "the SAN extension does not exist",
		},
		"With client certificate": {
			certChain: [][]*x509.Certificate{
				{
					{

			exp:    false,
		},
		"does not default to kubelet-serving if it specifies a URI SAN": {
			req:    newCSR(kubeletServerPEMOptions, pemOptions{uris: []string{"http://something"}}),
			usages: kubeletServerUsages,
			exp:    false,
		},
		"does not default to kubelet-serving if it specifies an emailAddress SAN": {
			req:    newCSR(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something"}}),

}

func NewSANDeprecatedChecker(counter *metrics.Counter) *missingSANChecker {
	return &missingSANChecker{
		counterRaiser: counterRaiser{
			counter: counter,
			id:      "missing-san",
			reason:  "relies on a legacy Common Name field instead of the SAN extension for subject validation",
		},
	}
}

// CheckRoundTripError returns true when we're running w/o GODEBUG=x509ignoreCN=0

	pod.Namespace = ns
	pod.Spec.ServiceAccountName = sa

	mesh := &meshconfig.MeshConfig{TrustDomain: "td.local"}

	san := SecureNamingSAN(pod, mesh)

	expectedSAN := fmt.Sprintf("spiffe://td.local/ns/%v/sa/%v", ns, sa)

	if san != expectedSAN {
		t.Fatalf("SAN match failed, SAN:%v  expectedSAN:%v", san, expectedSAN)
	}

	ExtCAK8s CaExternalType = "ISTIOD_RA_KUBERNETES_API"

	// DefaultExtCACertDir : Location of external CA certificate
	DefaultExtCACertDir string = "./etc/external-ca-cert"
)

// ValidateCSR : Validate all SAN extensions in csrPEM match authenticated identities
func ValidateCSR(csrPEM []byte, subjectIDs []string) bool {
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return false
	}

	ttl := time.Hour
	cases := map[string]struct {
		certOptions  CertOptions
		verifyFields *VerifyFields
	}{
		// These certs are signed by the CA cert
		"RSA: Server cert with DNS SAN": {
			certOptions: CertOptions{
				Host:         "test_server.com",
				NotBefore:    notBefore,
				TTL:          ttl,
				SignerCert:   rsaCaCert,
				SignerPriv:   rsaCaPriv,
				Org:          "",