.addSubjectAlternativeName(hostname)
          .build()
      HandshakeCertificates
        .Builder()
        .heldCertificate(heldCertificate)
        .addTrustedCertificate(heldCertificate.certificate)
        .build()
    }
  private var acceptedHostName: String? = null

  @StartStop
  private val server = MockWebServer()

  @BeforeEach
  fun setUp() {
    // Test designed for Conscrypt and JSSE

 * limitations under the License.
 */
package okhttp3.tls.internal.der

import okio.Buffer
import okio.ByteString

/**
 * Encode and decode a model object like a [Long] or [Certificate] as DER bytes.
 */
internal interface DerAdapter<T> {
  /** Returns true if this adapter can read [header] in a choice. */
  fun matches(header: DerHeader): Boolean

  /**
   * Returns a value from this adapter.

import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;

/**
 * Utility class for calculating and verifying PAC (Privilege Attribute Certificate) message authentication codes.
 * This class provides methods for computing MACs using various Kerberos encryption types including
 * ARCFOUR-HMAC-MD5 and AES-based HMAC algorithms.
 */
public class PacMac {

    /**

set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j2.disable.jmx=true
set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j2.formatMsgNoLookups=true
set FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Dlog4j.skipJansi=true

REM SSL truststore for certificate validation over https
REM FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Djavax.net.ssl.trustStore=/tech/elastic/config/truststore.jks
REM FESS_JAVA_OPTS=%FESS_JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

        * requests from a node for a TLS serving certificate for itself are approved if the CSR creator has `create` permission on the `certificatesigningrequests` resource and the `selfnodeserver` subresource in the `certificates.k8s.io` API group

    server.enqueue(MockResponse())

    // Make a first request without certificate pinning. Use it to collect certificates to pin.
    val request1 = Request.Builder().url(server.url("/")).build()
    val response1 = client.newCall(request1).execute()
    val certificatePinnerBuilder = CertificatePinner.Builder()
    for (certificate in response1.handshake!!.peerCertificates) {
      certificatePinnerBuilder.add(

			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         target.KafkaClientTLSCert,
			Description: "path to client certificate for mTLS auth",
			Optional:    true,
			Type:        "path",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         target.KafkaClientTLSKey,
			Description: "path to client key for mTLS auth",

- The CertificateSigningRequest API is promoted to certificates.k8s.io/v1 with the following changes:
  - `spec.signerName` is now required, and requests for `kubernetes.io/legacy-unknown` are not allowed to be created via the `certificates.k8s.io/v1` API
  - `spec.usages` is now required, may not contain duplicate values, and must only contain known usages

   *
   * This class exploits knowledge of Android implementation details. This class is potentially
   * much faster to initialize than [BasicTrustRootIndex] because it doesn't need to load and
   * index trusted CA certificates.
   */
  internal data class CustomTrustRootIndex(
    private val trustManager: X509TrustManager,
    private val findByIssuerAndSignatureMethod: Method,
  ) : TrustRootIndex {

  /**
   * Returns true if the host and port are unchanged from when this was created. This is used to
   * detect if followups need to do a full connection-finding process including DNS resolution, and
   * certificate pin checks.
   */
  fun sameHostAndPort(url: HttpUrl): Boolean

  /**
   * A plan holds either an immediately-usable connection, or one that must be connected first.