* the OpenJDK 11 TLS implementation, which itself fails the handshake when it encounters a non-CA
   * certificate.
   */
  @Test
  fun signersMustHaveCaBitSet() {
    val attackerCa =
      HeldCertificate
        .Builder()
        .serialNumber(1L)
        .certificateAuthority(4)
        .commonName("attacker ca")
        .build()