public final class okhttp3/tls/Certificates {
	public static final fun certificatePem (Ljava/security/cert/X509Certificate;)Ljava/lang/String;
	public static final fun decodeCertificatePem (Ljava/lang/String;)Ljava/security/cert/X509Certificate;
}

public final class okhttp3/tls/HandshakeCertificates {
	public final fun -deprecated_keyManager ()Ljavax/net/ssl/X509KeyManager;
	public final fun -deprecated_trustManager ()Ljavax/net/ssl/X509TrustManager;

  /** Returns a possibly-empty list of certificates that identify this peer. */
  @get:JvmName("localCertificates") val localCertificates: List<Certificate>,
  // Delayed provider of peerCertificates, to allow lazy cleaning.
  peerCertificatesFn: () -> List<Certificate>,
) {
  /** Returns a possibly-empty list of certificates that identify the remote peer. */
  @get:JvmName("peerCertificates")

    @Override public Response intercept(Chain chain) throws IOException {
      for (Certificate certificate : chain.connection().handshake().peerCertificates()) {
        String pin = CertificatePinner.pin(certificate);
        if (denylist.contains(pin)) {
          throw new IOException("Denylisted peer certificate: " + pin);
        }
      }
      return chain.proceed(chain.request());
    }
  };

      }
    }

  fun verify(
    host: String,
    certificate: X509Certificate,
  ): Boolean =
    when {
      host.canParseAsIpAddress() -> verifyIpAddress(host, certificate)
      else -> verifyHostname(host, certificate)
    }

  /** Returns true if [certificate] matches [ipAddress]. */
  private fun verifyIpAddress(
    ipAddress: String,
    certificate: X509Certificate,
  ): Boolean {

      )
    } catch (_: NoSuchMethodException) {
      null
    }

  /** Android method to clean and sort certificates, called via reflection. */
  @Suppress("unused", "UNCHECKED_CAST")
  fun checkServerTrusted(
    chain: Array<out X509Certificate>,
    authType: String,
    host: String,
  ): List<Certificate> {
    if (host in insecureHosts) return listOf()
    try {
      val method =
        checkServerTrustedMethod

 * limitations under the License.
 */
package okhttp3.internal.tls

import java.security.cert.X509Certificate
import javax.security.auth.x500.X500Principal

/** A simple index that of trusted root certificates that have been loaded into memory. */
class BasicTrustRootIndex(
  vararg caCerts: X509Certificate,
) : TrustRootIndex {
  private val subjectToCaCerts: Map<X500Principal, Set<X509Certificate>>

  init {

    assertThat(response.handshake!!.localPrincipal).isNull()
    assertThat(response.handshake!!.peerCertificates).isEmpty()
    assertThat(response.handshake!!.peerPrincipal).isNull()
  }

  @Test fun `bad certificates host in insecureHosts fails with SSLException`() {
    val heldCertificate =
      HeldCertificate
        .Builder()
        .addSubjectAlternativeName("example.com")
        .build()
    val serverCertificates =

    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext

        .sslSocketFactory(customSslSocketFactory, trustManager)
        .build();
  }

  /**
   * Returns the VM's default SSL socket factory, using {@code trustManager} for trusted root
   * certificates.
   */
  private SSLSocketFactory defaultSslSocketFactory(X509TrustManager trustManager)
      throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext sslContext = SSLContext.getInstance("TLS");

 * They specify that the call may be plaintext (`http`) or encrypted (`https`), but not which cryptographic algorithms should be used. Nor do they specify how to verify the peer's certificates (the [HostnameVerifier](https://developer.android.com/reference/javax/net/ssl/HostnameVerifier.html)) or which certificates can be trusted (the [SSLSocketFactory](https://developer.android.com/reference/org/apache/http/conn/ssl/SSLSocketFactory.html)).