}
    try {
      decode(pkcs8Pem + certificatePem + pkcs8Pem)
      fail<Any>()
    } catch (expected: IllegalArgumentException) {
      assertThat(expected.message).isEqualTo("string includes multiple private keys")
    }
  }

  @Test
  fun decodeWrongType() {
    try {
      decode(
        """
        |-----BEGIN CERTIFICATE-----
        |MIIBmjCCAQOgAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhjYXNo

        this.maxIntermediateCas = maxIntermediateCas
      }

    /**
     * Configure the certificate to generate a 256-bit ECDSA key, which provides about 128 bits of
     * security. ECDSA keys are noticeably faster than RSA keys.
     *
     * This is the default configuration and has been since this API was introduced in OkHttp
     * 3.11.0. Note that the default may change in future releases.
     */
    fun ecdsa256() =

  data class HowsMySslResults(
    val unknown_cipher_suite_supported: Boolean,
    val beast_vuln: Boolean,
    val session_ticket_supported: Boolean,
    val tls_compression_supported: Boolean,
    val ephemeral_keys_supported: Boolean,
    val rating: String,
    val tls_version: String,
    val able_to_detect_n_minus_one_splitting: Boolean,
    val insecure_cipher_suites: Map<String, List<String>>,

      cache.edit(key)
    }.also { expected ->
      assertThat(expected.message).isEqualTo("keys must match regex [a-z0-9_-]{1,120}: \"$key\"")
    }
    assertFailsWith<IllegalArgumentException> {
      key = "has_CR\r"
      cache.edit(key)
    }.also { expected ->
      assertThat(expected.message).isEqualTo("keys must match regex [a-z0-9_-]{1,120}: \"$key\"")
    }
    assertFailsWith<IllegalArgumentException> {

import okhttp3.recipes.kt.WireSharkListenerFactory.WireSharkKeyLoggerListener.Launch.Gui
import okio.ByteString.Companion.toByteString

/**
 * Logs SSL keys to a log file, allowing Wireshark to decode traffic and be examined with http2
 * filter. The approach is to hook into JSSE log events for the messages between client and server

      const val BOUNCYCASTLE_PROPERTY = "bouncycastle"
      const val LOOM_PROPERTY = "loom"

      /**
       * For whatever reason our BouncyCastle provider doesn't work with ECDSA keys. Just configure it
       * to use RSA-2048 instead.
       *
       * (We otherwise prefer ECDSA because it's faster.)
       */

    for (entry in lruEntries.values.toTypedArray()) {
      removeEntry(entry)
    }
    mostRecentTrimFailed = false
  }

  private fun validateKey(key: String) {
    require(LEGAL_KEY_PATTERN.matches(key)) { "keys must match regex [a-z0-9_-]{1,120}: \"$key\"" }
  }

  /**
   * Returns an iterator over the cache's current entries. This iterator doesn't throw

  @get:JvmName("scheme") val scheme: String,
  authParams: Map<String?, String>,
) {
  /**
   * Returns the auth params, including [realm] and [charset] if present, but as
   * strings. The map's keys are lowercase and should be treated case-insensitively.
   */
  @get:JvmName("authParams")
  val authParams: Map<String?, String>

  /** Returns the protection space. */
  @get:JvmName("realm")
  val realm: String?

        .signedBy(pinnedRoot)
        .build()
    val attackerSwitch =
      HeldCertificate.Builder()
        .serialNumber(5L)
        .keyPair(attackerIntermediate.keyPair) // share keys between compromised CA and leaf!
        .commonName("attacker")
        .addSubjectAlternativeName("attacker.com")
        .signedBy(pinnedIntermediate)
        .build()
    val phonyVictim =

form of wildcards `*.example.com` where the `*` must be first and doesn't match nested subdomains.

By default certificates use fast and secure 256-bit ECDSA keys. For interoperability with very old
clients use `HeldCertificate.Builder.rsa2048()`.

Download
--------

```kotlin
implementation("com.squareup.okhttp3:okhttp-tls:4.12.0")
```