val privateKey =
      keyFactory.generatePrivate(
        PKCS8EncodedKeySpec(privateKeyBytes.toByteArray()),
      )
    val heldCertificate =
      HeldCertificate.Builder()
        .keyPair(publicKey, privateKey)
        .commonName("cash.app")
        .validityInterval(0L, 1000L)
        .rsa2048()
        .build()
    assertThat(
      """
      |-----BEGIN CERTIFICATE-----

- Hashing of KeyID in Logs
  

	public final fun -deprecated_keyPair ()Ljava/security/KeyPair;
	public fun <init> (Ljava/security/KeyPair;Ljava/security/cert/X509Certificate;)V
	public final fun certificate ()Ljava/security/cert/X509Certificate;
	public final fun certificatePem ()Ljava/lang/String;
	public static final fun decode (Ljava/lang/String;)Lokhttp3/tls/HeldCertificate;
	public final fun keyPair ()Ljava/security/KeyPair;

          ),
      )
    assertThat(okHttpCertificateWithBadSignature.checkSignature(root.keyPair.public)).isFalse()

    // Wrong public key.
    assertThat(okHttpCertificate.checkSignature(certificate.keyPair.public)).isFalse()
  }

  @Test
  fun `EC issuer and signature`() {
    val root =
      HeldCertificate.Builder()
        .certificateAuthority(0)

        .commonName("pinned intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerSwitch =
      HeldCertificate.Builder()
        .serialNumber(5L)
        .keyPair(attackerIntermediate.keyPair) // share keys between compromised CA and leaf!
        .commonName("attacker")
        .addSubjectAlternativeName("attacker.com")
        .signedBy(pinnedIntermediate)
        .build()

      val chain = arrayOfNulls<Certificate>(1 + intermediates.size)
      chain[0] = heldCertificate.certificate
      intermediates.copyInto(chain, 1)
      keyStore.setKeyEntry("private", heldCertificate.keyPair.private, password, chain)
    }

    val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    factory.init(keyStore, password)
    val result = factory.keyManagers!!

 * **Handshake**: cipherSuite, localCertificates, localPrincipal, peerCertificates, peerPrincipal,
   tlsVersion
 * **HandshakeCertificates**: keyManager, trustManager
 * **Headers**: size
 * **HeldCertificate**: certificate, keyPair
 * **HttpLoggingInterceptor**: level
 * **HttpUrl**: encodedFragment, encodedPassword, encodedPath, encodedPathSegments, encodedQuery,
   encodedUsername, fragment, host, password, pathSegments, pathSize, port, query,

  - A `create` or `update` API request with duplicate items in a keyed list no longer wipes out managedFields. Examples include env var entries with the same name, or port entries with the same containerPort in a pod spec.
  - A server-side apply request that makes unrelated changes to an object which has duplicate items in a keyed list no longer fails, and leaves the existing duplicate items as-is.

- Log messages and metrics for the watch cache are now keyed by `<resource>.<group>` instead of `go` struct type. This means e.g. that `*v1.Pod` becomes `pods`. Additionally, resources that come from `CustomResourceDefinitions` are displayed as the correct resource and group, instead of `*unstructured.Unstructured`....

20D0..20E1    ; valid                  ;      ; NV8    # 1.1  COMBINING LEFT HARPOON ABOVE..COMBINING LEFT RIGHT ARROW ABOVE
20E2..20E3    ; valid                  ;      ; NV8    # 3.0  COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING KEYCAP
20E4..20EA    ; valid                  ;      ; NV8    # 3.2  COMBINING ENCLOSING UPWARD POINTING TRIANGLE..COMBINING LEFTWARDS ARROW OVERLAY