if err != nil {
		return nil, fmt.Errorf("error parsing root certificate: %s", err.Error())
	}
	rootCert := certChain[len(certChain)-1]

	if !rootCert.IsCA {
		return nil, fmt.Errorf("found root cert is not a ca type cert: %v", rootCert)
	}

	return cert, nil
}

// IsCertExpired returns  whether a cert expires
func IsCertExpired(filepath string) (bool, error) {

func (c *CAClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error) {
	atomic.AddUint64(&c.SignInvokeCount, 1)
	signingCert, signingKey, certChain, rootCert := c.bundle.GetAll()
	csr, err := util.ParsePemEncodedCSR(csrPEM)
	if err != nil {
		return nil, fmt.Errorf("csr sign error: %v", err)
	}
	subjectIDs := []string{"test"}

		return nil, err
	}
	caKey, err := file.AsString(ca.KeyFile)
	if err != nil {
		return nil, err
	}
	rootCert, err := file.AsString(ca.Root.CertFile)
	if err != nil {
		return nil, err
	}

	// Create the cert chain by concatenating the intermediate and root certs.
	certChain := caCert + rootCert

	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name: "cacerts",
		},

package common

import "istio.io/istio/pkg/config/protocol"

// TLSSettings defines TLS configuration for Echo server
type TLSSettings struct {
	// If not empty, RootCert supplies the extra root cert that will be appended to the system cert pool.
	RootCert   string
	ClientCert string
	Key        string
	// If provided, override the host name used for the connection

	s.t.Helper()
	s.store.Set(name, secret)
	s.server.OnSecretUpdate(name)
}

type Expectation struct {
	ResourceName string
	CertChain    []byte
	Key          []byte
	RootCert     []byte
}

func (s *TestServer) extractPrivateKeyProvider(provider *tlsv3.PrivateKeyProvider) []byte {
	var cmb cryptomb.CryptoMbPrivateKeyMethodConfig
	provider.GetTypedConfig().UnmarshalTo(&cmb)

func (w *Watcher) SetFromFilesAndNotify(keyFile, certFile, rootCert string) error {
	cert, err := os.ReadFile(certFile)
	if err != nil {
		return err
	}
	key, err := os.ReadFile(keyFile)
	if err != nil {
		return err
	}
	caBundle, err := os.ReadFile(rootCert)
	if err != nil {
		return err
	}
	w.SetAndNotify(key, cert, caBundle)
	return nil
}

	err        error
}

// TestBuildUpstreamClusterTLSContext tests the buildUpstreamClusterTLSContext function
func TestBuildUpstreamClusterTLSContext(t *testing.T) {
	clientCert := "/path/to/cert"
	rootCert := "path/to/cacert"
	clientKey := "/path/to/key"

	credentialName := "some-fake-credential"

	testCases := []struct {
		name                     string
		opts                     *buildClusterOpts

				WorkloadPort: 8092,
				TLS:          true,
			},
		},
		// Set up TLS certs on the server. This will make the server listen with these credentials.
		TLSSettings: &common.TLSSettings{
			RootCert:   mustReadCert("root-cert.pem"),
			ClientCert: mustReadCert("cert-chain.pem"),
			Key:        mustReadCert("key.pem"),
			// Override hostname to match the SAN in the cert we are using
			Hostname: "server.default.svc",

			rootCerts, err := util.AppendRootCerts(caSecret.Data[CACertFile], rotator.config.rootCertFile)
			if err != nil {
				rootCertRotatorLog.Errorf("failed to append root certificates from file: %s", err.Error())
				return
			}

			if err := rotator.ca.GetCAKeyCertBundle().VerifyAndSetAll(caSecret.Data[CACertFile],
				caSecret.Data[CAPrivateKeyFile], nil, rootCerts); err != nil {

		Ports:             ports.All(),
		// Set up TLS certs on the server. This will make the server listen with these credentials.
		TLSSettings: &common.TLSSettings{
			// Echo has these test certs baked into the docker image
			RootCert:   file.MustAsString(path.Join(env.IstioSrc, "tests/testdata/certs/dns/root-cert.pem")),
			ClientCert: file.MustAsString(path.Join(env.IstioSrc, "tests/testdata/certs/dns/cert-chain.pem")),