.Builder()
        .serialNumber(1L)
        .build()
    val cleaner = get(root.certificate)
    assertThat(cleaner.clean(list(root), "hostname")).isEqualTo(list(root))
  }

  @Test
  fun normalizeUnknownSelfSignedCertificate() {
    val root =
      HeldCertificate
        .Builder()
        .serialNumber(1L)
        .build()
    val cleaner = get()
    assertFailsWith<SSLPeerUnverifiedException> {

    assertThat(serverSocket.isClosed()).isTrue();
  }

  @SuppressWarnings("Java8ApiChecker")
  static class MyServerExampleWithCleaner implements AutoCloseable {
    private static final Cleaner cleaner = Cleaner.create();

    private static Runnable closeServerSocketRunnable(
        ServerSocket serverSocket, AtomicBoolean cleanerRan) {
      return () -> {
        try {
          serverSocket.close();

 *     serverSocket.close();
 *   }
 * }
 * }
 *
 * <p id="cleaner">Here is how you might achieve the same thing using {@link java.lang.ref.Cleaner
 * Cleaner}, if you are using a Java version where that is available:
 *
 * {@snippet :
 * public class MyServer implements Closeable {
 *   private static final Cleaner cleaner = Cleaner.create();
 *   // You might also share this between several objects.
 *

 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
abstract class CertificateChainCleaner {

import java.security.cert.Certificate
import java.security.cert.X509Certificate
import java.util.ArrayDeque
import java.util.Deque
import javax.net.ssl.SSLPeerUnverifiedException

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with

   * has consumed the entire input and they are ready to output a {@code HashCode}. The order of the
   * hashers are the same order as the functions given to the constructor.
   */
  // this could be cleaner if it passed HashCode[], but that would create yet another array...
  /* protected */ abstract HashCode makeHash(Hasher[] hashers);

  @Override
  public Hasher newHasher() {

      }
    }
  }

  /**
   * Not checking the CA bit created a vulnerability in old OkHttp releases. It is exploited by
   * triggering different chains to be discovered by the TLS engine and our chain cleaner. In this
   * attack there's several different chains.
   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *

                  // is undefined in shutdown hooks.
                  // This is because the logging code installs a shutdown hook of its
                  // own. See Cleaner class inside {@link LogManager}.
                  service.awaitTermination(terminationTimeout, timeUnit);
                } catch (InterruptedException ignored) {
                  // We're shutting down anyway, so just ignore.

- Migrated the bootstrap signer controller and the token cleaner controller (within `kube-controller-manager`) to use [contextual logging](https://k8s.io/docs/concepts/cluster-administration/system-logs/#contextual-logging). ([#113464](https://github.com/kubernetes/kubernetes/pull/113464), [@mengjiao-liu](http...

- The helping message of commands which have sub-commands is now clearer and more instructive. It will show the full command instead of `kubectl <command> --help ...`