object TlsUtil {
  val password = "password".toCharArray()

  private val localhost: HandshakeCertificates by lazy {
    // Generate a self-signed cert for the server to serve and the client to trust.
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .addSubjectAlternativeName("localhost.localdomain")
        .build()

  private val sslExcludeFilter =
    Regex(
      buildString {
        append("^(?:")
        append(
          listOf(
            "Inaccessible trust store",
            "trustStore is",
            "Reload the trust store",
            "Reload trust certs",
            "Reloaded",
            "adding as trusted certificates",
            "Ignore disabled cipher suite",
            "Ignore unsupported cipher suite",

  /**
   * Returns a cleaned chain for [chain].
   *
   * This method throws if the complete chain to a trusted CA certificate cannot be constructed.
   * This is unexpected unless the trust root index in this class has a different trust manager than
   * what was used to establish [chain].
   */
  @Throws(SSLPeerUnverifiedException::class)
  override fun clean(
    chain: List<Certificate>,
    hostname: String,

    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
    "ghcr.io/mpriscella/features/kind:1": {}
  },
  "customizations": {
    "vscode": {
      "extensions": [
        "golang.go",
        "rust-lang.rust-analyzer",
        "eamodio.gitlens",
        "zxh404.vscode-proto3",
        "ms-azuretools.vscode-docker",
        "redhat.vscode-yaml",
        "IBM.output-colorizer"
      ],
      "settings": {

    assertThat(actual).isNotNull()
  }

  private fun enableTls() {
    // Generate a self-signed cert for the server to serve and the client to trust.
    // can't use TlsUtil.localhost with a non OpenJSSE trust manager
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .build()

        "The SAM database on the Windows NT Server does not have a computer account for this workstation trust relationship.",
        "The logon request failed because the trust relationship between the primary domain and the trusted domain failed.",
        "The logon request failed because the trust relationship between this workstation and the primary domain failed.",

    else
      echo "No directory at ${ZTUNNEL_DIR}"
      return
    fi
  fi
  if [[ "${BUILD_ZTUNNEL_REPO:-}" == "" ]]; then
    return
  fi

  if ! which cargo; then
    echo "the rust toolchain (cargo, etc) is required for building ztunnel"
    return 1
  fi

  pushd "${BUILD_ZTUNNEL_REPO}"
  cargo build --profile="${BUILD_ZTUNNEL_PROFILE:-dev}" ${BUILD_ZTUNNEL_TARGET:+--target=${BUILD_ZTUNNEL_TARGET}}

RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                                NOT AFTER                NOT BEFORE               TRUST DOMAIN
default           Cert Chain     ACTIVE     false          cd4902e499169b11ec171dad1668adbb             2024-10-27T22:44:37Z     2024-10-27T21:44:27Z     east.local

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, new TrustManager[] { trustManager }, null);

    return sslContext.getSocketFactory();
  }

  /** Returns a trust manager that trusts the VM's default certificate authorities. */
  private X509TrustManager defaultTrustManager() throws GeneralSecurityException {
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(

//     - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
//     Output: object_data
//
// ## SSE-S3
//
// SSE-S3 can use either a master key or a KMS as root-of-trust.
// The en/decryption slightly depens upon which root-of-trust is used.
//
// ### SSE-S3 and single master key
//
// The master key is used to derive unique object- and key-encryption-keys.