if !rootCert.Equal(signingCert) {
		t.Error("CA root cert does not match signing cert")
	}

	if ttl := rootCert.NotAfter.Sub(rootCert.NotBefore); ttl != caCertTTL {
		t.Errorf("Unexpected CA certificate TTL (expecting %v, actual %v)", caCertTTL, ttl)
	}

	if certOrg := rootCert.Issuer.Organization[0]; certOrg != org {

		if err != nil {
			return
		}

		// create cert options
		certOpts := CertOpts{}
		err = ff.GenerateStruct(&certOpts)
		if err != nil {
			return
		}
		TTL, err := time.ParseDuration("800ms")
		if err != nil {
			return
		}
		certOpts.TTL = TTL

		// call target
		ca.Sign(csrPEM, certOpts)
	})

	record, ok := c.cache.Get(key)
	if !ok {
		return nil, false
	}
	value, ok := record.(*cacheRecord)
	return value, ok
}

func (c *simpleCache) set(key string, value *cacheRecord, ttl time.Duration) {
	c.cache.Set(key, value, ttl)
}

func (c *simpleCache) remove(key string) {
	c.cache.Delete(key)

//   - It sets allowed usages as configured in the policy.
//   - It sets NotAfter based on the TTL configured in the policy.
//   - It zeros all extensions.
//   - It sets BasicConstraints to true.
//   - It sets IsCA to false.
type PermissiveSigningPolicy struct {
	// TTL is the certificate TTL. It's used to calculate the NotAfter value of
	// the certificate.
	TTL time.Duration
	// Usages are the allowed usages of a certificate.
	Usages []capi.KeyUsage

}

func newSimpleCache(clock clock.Clock, ttl time.Duration, providerName string) *simpleCache {
	cache := utilcache.NewExpiringWithClock(clock)
	cache.AllowExpiredGet = true // for a given key, the value (the decryptTransformer) is always the same
	return &simpleCache{
		cache: cache,
		ttl:   ttl,
		hashPool: &sync.Pool{
			New: func() interface{} {
				return sha256.New()
			},
		},

func (w ResponseWriter) header() dnsmessage.ResourceHeader {
	q := w.a.q
	return dnsmessage.ResourceHeader{
		Name:  q.Name,
		Type:  q.Type,
		Class: q.Class,
		TTL:   w.a.ttl,
	}
}

// SetTTL sets the TTL for subsequent written resources.
// Once a resource has been written, SetTTL calls are no-ops.
// That is, it can only be called at most once, before anything
// else is written.

		ttl, exists := GetObjectTTLFromNodeFunc(getNode)()
		if exists != testCase.exists {
			t.Errorf("%d: incorrect parsing: %t", i, exists)
			continue
		}
		if exists && ttl != testCase.ttl {
			t.Errorf("%d: incorrect ttl: %v", i, ttl)
		}
	}
}

type envSecrets struct {
	envVarNames  []string
	envFromNames []string
}

type secretsToAttach struct {

import java.io.*;

public class Dfs {

    static class CacheEntry {
        long expiration;
        HashMap map;

        CacheEntry(long ttl) {
            if (ttl == 0)
                ttl = Dfs.TTL;
            expiration = System.currentTimeMillis() + ttl * 1000L;
            map = new HashMap();
        }
    }

    static LogStream log = LogStream.getInstance();

	getTTL     GetObjectTTLFunc
}

// NewObjectStore returns a new ttl-based instance of Store interface.
func NewObjectStore(getObject GetObjectFunc, clock clock.Clock, getTTL GetObjectTTLFunc, ttl time.Duration) Store {
	return &objectStore{
		getObject:  getObject,
		clock:      clock,
		items:      make(map[objectKey]*objectStoreItem),
		defaultTTL: ttl,
		getTTL:     getTTL,
	}
}

			return fmt.Errorf("unexpected value for 'NotBefore' field: want %v but got %v", nb, cert.NotBefore)
		}

		if ttl := expectedFields.TTL; ttl != 0 && ttl != (cert.NotAfter.Sub(cert.NotBefore)) {
			return fmt.Errorf("unexpected value for 'NotAfter' - 'NotBefore': want %v but got %v", ttl, cert.NotAfter.Sub(cert.NotBefore))
		}