* ```
   *
   * The attacker compromises a CA. They take the public key from an intermediate certificate
   * signed by the compromised CA's certificate and uses it in a non-CA certificate. They ask the
   * pinned CA above to sign it for non-certificate-authority uses:
   *
   * ```
   *   pinnedRoot (trusted by CertificatePinner)
   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *         -> attackerSwitch

     * certificates). Set this to 1 so this certificate can sign intermediate certificates that can
     * themselves sign certificates. Add one for each additional layer of intermediates to permit.
     */
    fun certificateAuthority(maxIntermediateCas: Int) =
      apply {
        require(maxIntermediateCas >= 0) {
          "maxIntermediateCas < 0: $maxIntermediateCas"

     * deal with the cases where rounding towards 0 is wrong, which typically depends on the sign of
     * p / q.
     *
     * signum is 1 if p and q are both nonnegative or both negative, and -1 otherwise.
     */
    int signum = 1 | (int) ((p ^ q) >> (Long.SIZE - 1));
    boolean increment;
    switch (mode) {
      case UNNECESSARY:

 * migrate between certificate authorities. Do not use certificate pinning without the blessing of
 * your server's TLS administrator!
 *
 * ### Note about self-signed certificates
 *
 * [CertificatePinner] can not be used to pin self-signed certificate if such certificate is not
 * accepted by [javax.net.ssl.TrustManager].
 *
 * See also [OWASP: Certificate and Public Key Pinning][owasp].
 *

     * and the arithmetic mean is always higher than the geometric mean.
     *
     * b) this iteration converges to floor(sqrt(x)). In fact, the number of correct digits doubles
     * with each iteration, so this algorithm takes O(log(digits)) iterations.
     *
     * We start out with a double-precision approximation, which may be higher or lower than the

        response.readParameterWordsWireFormat(buffer, 0);

        // File size is stored as signed int
        long expectedSize = (int) fileSize;
        assertEquals(expectedSize, response.getSize());
    }

    @Test
    void testFileSizeOverflow() {
        // Test file size that overflows signed int
        response = new SmbComQueryInformationResponse(mockConfig, 0L);

attack](https://www.computerworld.com/article/2510951/cybercrime-hacking/hackers-spied-on-300-000-iranians-using-fake-google-certificate.html). It also assumes your HTTPS servers’ certificates are signed by a certificate authority.

Use [CertificatePinner](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates....

        @Test
        @DisplayName("Should return true when signed flag is not set")
        void testVerifyNoSignedFlag() {
            // Don't set the signed flag
            SMBUtil.writeInt4(0x00000000, data, 16);

            boolean result = digest.verify(data, 0, data.length, 0, msg);

            assertTrue(result, "Should return true when signed flag is not set");
        }

        @Test

 * signed versions of methods for which signedness is an issue.
 *
 * <p>In addition, this class provides several static methods for converting a {@code long} to a
 * {@code String} and a {@code String} to a {@code long} that treat the {@code long} as an unsigned
 * number.
 *
 * <p>Users of these utilities must be <i>extremely careful</i> not to mix up signed and unsigned

        }

        final int flags = SMBUtil.readInt4(data, offset + 16);
        if ((flags & ServerMessageBlock2.SMB2_FLAGS_SIGNED) == 0) {
            log.error("The server did not sign a message we expected to be signed");
            return true;
        }

        final byte[] sig = new byte[SIGNATURE_LENGTH];
        System.arraycopy(data, offset + SIGNATURE_OFFSET, sig, 0, SIGNATURE_LENGTH);