.header("Host", "square.com")
        .header("TE", "gzip")
        .build()
    val expected =
      headerEntries(
        ":method",
        "GET",
        ":path",
        "/",
        ":authority",
        "square.com",
        ":scheme",
        "http",
      )
    assertThat(http2HeadersList(request)).isEqualTo(expected)
  }

  @Test fun http2HeadersListDontDropTeIfTrailersHttp2() {

    0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
    NVOFBkpdn627G190
    -----END CERTIFICATE-----
    """.trimIndent().decodeCertificatePem()

  // CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  val entrustRootCertificateAuthority =
    """
    -----BEGIN CERTIFICATE-----

    const val RESPONSE_STATUS_UTF8 = ":status"
    const val TARGET_METHOD_UTF8 = ":method"
    const val TARGET_PATH_UTF8 = ":path"
    const val TARGET_SCHEME_UTF8 = ":scheme"
    const val TARGET_AUTHORITY_UTF8 = ":authority"

    @JvmField val RESPONSE_STATUS: ByteString = RESPONSE_STATUS_UTF8.encodeUtf8()

    @JvmField val TARGET_METHOD: ByteString = TARGET_METHOD_UTF8.encodeUtf8()

    version = "HTTP/2",
  )

private fun requestUrl(
  socket: MockWebServerSocket,
  requestLine: RequestLine,
  headers: Headers,
): HttpUrl {
  val hostAndPort =
    headers[":authority"]
      ?: headers["Host"]
      ?: when (val inetAddress = socket.localAddress) {
        is Inet6Address -> "[${inetAddress.hostAddress}]:${socket.localPort}"

     *
     * The server’s TLS certificate **does not need to be signed** by a trusted certificate
     * authority. Instead, it will trust any well-formed certificate, even if it is self-signed.
     * This is necessary for testing against localhost or in development environments where a
     * certificate authority is not possible.
     *
     * The server’s TLS certificate still must match the requested hostname. For example, if the

  /**
   * Describes the request that the server intends to push a response for.
   *
   * @param streamId server-initiated stream ID: an even number.
   * @param requestHeaders minimally includes `:method`, `:scheme`, `:authority`,
   * and `:path`.
   */
  fun onRequest(
    streamId: Int,
    requestHeaders: List<Header>,
  ): Boolean

  /**
   * The response headers corresponding to a pushed request.  When [last] is true, there are

      throw UnknownHostException("$hostname: SERVFAIL")
    }

    val questionCount = buf.readShort().toInt() and 0xffff
    val answerCount = buf.readShort().toInt() and 0xffff
    buf.readShort() // authority record count
    buf.readShort() // additional record count

    for (i in 0 until questionCount) {
      skipName(buf) // name
      buf.readShort() // type
      buf.readShort() // class
    }

   * header to create the request URL.
   *
   * For HTTP proxy requests this will be either an absolute-form string like
   * `http://example.com/index.html` (HTTP proxy) or an authority-form string like
   * `example.com:443` (HTTPS proxy).
   *
   * For OPTIONS requests, this may be an asterisk, `*`.
   */
  public val target: String,
  /** A string like `HTTP/1.1` or `HTTP/2`. */

  val value: Any?,
)

@IgnoreJRERequirement // As of AGP 3.4.1, D8 desugars API 24 hashCode methods.
internal data class BasicConstraints(
  /** True if this certificate can be used as a Certificate Authority (CA). */
  val ca: Boolean,
  /** The maximum number of intermediate CAs between this and leaf certificates. */
  val maxIntermediateCas: Long?,
)

******@****.***
hmac-sha2-256
hmac-sha2-512
hmac-sha1
hmac-sha1-96
```

### Certificate-based authentication

`--sftp=trusted-user-ca-key=...` specifies a file containing public key of certificate authority that is trusted
to sign user certificates for authentication.

Implementation is identical with "TrustedUserCAKeys" setting in OpenSSH server with exception that only one CA
key can be defined.