import okhttp3.internal.tls.CertificateChainCleaner

/**
 * Android implementation of CertificateChainCleaner using direct Android API calls.
 * Not used if X509TrustManager doesn't implement [X509TrustManager.checkServerTrusted] with
 * an additional host param.
 */
internal class AndroidCertificateChainCleaner(
  private val trustManager: X509TrustManager,
  private val x509TrustManagerExtensions: X509TrustManagerExtensions,

      delegate::class.java.getMethod(
        "checkServerTrusted",
        Array<X509Certificate>::class.java,
        String::class.java,
        String::class.java,
      )
    } catch (_: NoSuchMethodException) {
      null
    }

  /** Android method to clean and sort certificates, called via reflection. */
  @Suppress("unused", "UNCHECKED_CAST")
  fun checkServerTrusted(
    chain: Array<out X509Certificate>,

  override fun checkServerTrusted(
    chain: Array<out X509Certificate>,
    authType: String,
    socket: Socket,
  ) {
    if (socket.peerName() !in insecureHosts) {
      delegate.checkServerTrusted(chain, authType, socket)
    }
  }

  override fun checkServerTrusted(
    chain: Array<out X509Certificate>,
    authType: String,
    engine: SSLEngine,

        ) {}

        override fun checkServerTrusted(
          chain: Array<out X509Certificate>?,
          authType: String?,
        ) {
          withoutHostCalled = true
        }

        // called by Android via reflection in X509TrustManagerExtensions
        @Suppress("unused", "UNUSED_PARAMETER")
        fun checkServerTrusted(
          chain: Array<out X509Certificate>,

      object : X509TrustManager {
        override fun checkClientTrusted(
          chain: Array<X509Certificate>,
          authType: String,
        ) {
        }

        override fun checkServerTrusted(
          chain: Array<X509Certificate>,
          authType: String,
        ) {
        }

        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
      }

      object : X509TrustManager {
        override fun checkClientTrusted(
          x509Certificates: Array<X509Certificate>,
          s: String,
        ) {
        }

        override fun checkServerTrusted(
          x509Certificates: Array<X509Certificate>,
          s: String,
        ) {
        }

        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
      }
    client =

     *
     * ```java
     *    @SuppressWarnings("unused")
     *    public List<X509Certificate> checkServerTrusted(
     *        X509Certificate[] chain, String authType, String host) throws CertificateException {
     *    }
     * ```
     *
     * This method works like [X509TrustManager.checkServerTrusted] but it receives the hostname of

    This regression was introduced in OkHttp 4.3.0.
 *  Fix: Don't crash with an `IllegalArgumentException` when using custom trust managers on
    Android 10. Android uses reflection to look up a magic `checkServerTrusted()` method and we
    didn't have it.
 *  Fix: Explicitly specify the remote server name when making HTTPS connections on Android 5. In

        override fun checkClientTrusted(
          chain: Array<X509Certificate>,
          authType: String,
        ) = throw CertificateException()

        override fun checkServerTrusted(
          chain: Array<X509Certificate>,
          authType: String,
        ) = throw AssertionError()

        override fun getAcceptedIssuers(): Array<X509Certificate> = throw AssertionError()

      authType: String,
    ) {
      calls.add("checkClientTrusted " + certificatesToString(chain))
    }

    override fun checkServerTrusted(
      chain: Array<X509Certificate>,
      authType: String,
    ) {
      calls.add("checkServerTrusted " + certificatesToString(chain))
    }

    private fun certificatesToString(certificates: Array<X509Certificate>): String {