.certificateAuthority(0)
        .commonName("compromised intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerIntermediate =
      HeldCertificate.Builder()
        .keyPair(attackerCa.keyPair) // Share keys between compromised CA and intermediate!
        .serialNumber(4L)
        .certificateAuthority(0) // More intermediates than permitted by signer!
        .commonName("attacker intermediate")

        .build()
    serverIntermediateCa =
      HeldCertificate.Builder()
        .signedBy(serverRootCa)
        .certificateAuthority(0)
        .serialNumber(2L)
        .commonName("intermediate_ca")
        .addSubjectAlternativeName("intermediate_ca.com")
        .build()
    serverCert =
      HeldCertificate.Builder()
        .signedBy(serverIntermediateCa)
        .serialNumber(3L)
        .commonName("Local Host")

    val root =
      HeldCertificate.Builder()
        .certificateAuthority(1)
        .build()
    val intermediate =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .signedBy(root)
        .build()
    val certificate =
      HeldCertificate.Builder()
        .signedBy(intermediate)
        .build()
    val handshakeCertificates =
      HandshakeCertificates.Builder()

     *
     * The chain should include all intermediate certificates but does not need the root certificate
     * that we expect to be known by the remote peer. The peer already has that certificate so
     * transmitting it is unnecessary.
     */
    fun heldCertificate(
      heldCertificate: HeldCertificate,
      vararg intermediates: X509Certificate,
    ) = apply {

 *
 * In this example the HTTP client already knows and trusts the last certificate, "Entrust Root
 * Certification Authority - G2". That certificate is used to verify the signature of the
 * intermediate certificate, "Entrust Certification Authority - L1M". The intermediate certificate
 * is used to verify the signature of the "www.squareup.com" certificate.
 *
 * This roles are reversed for client authentication. In that case the client has a private key and

representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The
int specifies how many intermediate certificates are allowed beneath it in the chain.

```java
HeldCertificate rootCertificate = new HeldCertificate.Builder()

# Istio Agent

This document describes the internal architecture of Istio agent.

## High Level overview

![High Level overview](docs/overview.svg)

At a high level, the Istio agent acts as an intermediate proxy between Istiod and Envoy. This is done
at two levels. For distributing workload certificates, Envoy will send [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)

### Choosing between application and network interceptors

Each interceptor chain has relative merits.

**Application interceptors**

 * Don't need to worry about intermediate responses like redirects and retries.
 * Are always invoked once, even if the HTTP response is served from the cache.
 * Observe the application's original intent. Unconcerned with OkHttp-injected headers like `If-None-Match`.

  }

  /**
   * Returns true if [toVerify] was signed by [signingCert]'s public key.
   *
   * @param minIntermediates the minimum number of intermediate certificates in [signingCert]. This
   *     is -1 if signing cert is a lone self-signed certificate.
   */
  private fun verifySignature(
    toVerify: X509Certificate,
    signingCert: X509Certificate,

internal data class BasicConstraints(
  /** True if this certificate can be used as a Certificate Authority (CA). */
  val ca: Boolean,
  /** The maximum number of intermediate CAs between this and leaf certificates. */
  val maxIntermediateCas: Long?,
)

/** A private key. Note that this class doesn't support attributes or an embedded public key. */
internal data class PrivateKeyInfo(