distribution: 'zulu'
          java-version: 17

      - name: Enable KVM group perms
        # https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules

      }
    }
  }

  /**
   * Not checking the CA bit created a vulnerability in old OkHttp releases. It is exploited by
   * triggering different chains to be discovered by the TLS engine and our chain cleaner. In this
   * attack there's several different chains.
   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *

xerox

// xfinity : 2015-07-09 Comcast IP Holdings I, LLC
xfinity

// xihuan : 2015-01-08 Beijing Qihu Keji Co., Ltd.
xihuan

// xin : 2014-12-11 Elegant Leader Limited
xin

// xn--11b4c3d : 2015-01-15 VeriSign Sarl
कॉम

// xn--1ck2e1b : 2015-02-26 Amazon Registry Services, Inc.
セール

2FAF          ; mapped                 ; 9762          # 3.0  KANGXI RADICAL FACE
2FB0          ; mapped                 ; 9769          # 3.0  KANGXI RADICAL LEATHER
2FB1          ; mapped                 ; 97CB          # 3.0  KANGXI RADICAL TANNED LEATHER
2FB2          ; mapped                 ; 97ED          # 3.0  KANGXI RADICAL LEEK
2FB3          ; mapped                 ; 97F3          # 3.0  KANGXI RADICAL SOUND

    assertThat(CertificateAdapters.extension.toDer(extension))
      .isEqualTo(bytes)
    assertThat(CertificateAdapters.extension.fromDer(bytes))
      .isEqualTo(extension)
  }

  /** Tags larger than 30 are a special case. */
  @Test fun `large tag`() {
    val bytes = "df83fb6800".decodeHex()

    val adapter = Adapters.NULL.withTag(tagClass = DerHeader.TAG_CLASS_PRIVATE, tag = 65_000L)

      MockResponse(
        code = 401,
        headers = headersOf("WWW-Authenticate", "Bearer realm=\"oauthed\""),
        body = "Please authenticate.",
      ),
    )
    server.enqueue(
      MockResponse(body = "A"),
    )
    val authenticator = RecordingOkAuthenticator("oauthed abc123", "Bearer")
    client =
      client.newBuilder()
        .authenticator(authenticator)
        .build()

    compressing outbound web socket messages. Configure this with 0L to always compress outbound
    messages and `Long.MAX_VALUE` to never compress outbound messages. The default is 1024L which
    compresses messages of size 1 KiB and larger. (Inbound messages are compressed or not based on
    the web socket server's configuration.)
 *  New: Defer constructing `Inflater` and `Deflater` instances until they are needed. This saves

        .build()
    val cleaner = get(root.certificate)
    assertThat(cleaner.clean(list(root), "hostname")).isEqualTo(list(root))
  }

  @Test
  fun normalizeUnknownSelfSignedCertificate() {
    val root =
      HeldCertificate.Builder()
        .serialNumber(1L)
        .build()
    val cleaner = get()
    assertFailsWith<SSLPeerUnverifiedException> {
      cleaner.clean(list(root), "hostname")
    }
  }

 *
 * This class may be used to stream very large responses. For example, it is possible to use this
 * class to read a response that is larger than the entire memory allocated to the current process.
 * It can even stream a response larger than the total storage on the current device, which is a
 * common requirement for video streaming applications.
 *

 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
abstract class CertificateChainCleaner {