NVOFBkpdn627G190
    -----END CERTIFICATE-----
    """.trimIndent().decodeCertificatePem()

  // CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  val entrustRootCertificateAuthority =
    """
    -----BEGIN CERTIFICATE-----
    MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC

import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;

/**
 * Create an HTTPS server with a self-signed certificate that OkHttp trusts.
 */
public class HttpsServer {
  public void run() throws Exception {
    HeldCertificate localhostCertificate = new HeldCertificate.Builder()
        .addSubjectAlternativeName("localhost")

      + "jaA9VEhgdaVhxBsT2qzUNDsXlOzGsliznDfoqETb\n"
      + "-----END CERTIFICATE-----\n";

    X509Certificate certificate =
        Certificates.decodeCertificatePem(certificateString);

    assertEquals(certificateString, Certificates.certificatePem(certificate));
  }

import java.util.Map;

import javax.security.auth.kerberos.KerberosKey;

import jcifs.pac.PACDecodingException;
import jcifs.pac.Pac;

/**
 * Kerberos authorization data containing PAC (Privilege Attribute Certificate) information.
 */
public class KerberosPacAuthData extends KerberosAuthData {

    private Pac pac;

    /**
     * Constructs KerberosPacAuthData from token bytes.
     *

## Version 4.2.0

_2019-09-10_

 *  New: API to decode a certificate and private key to create a `HeldCertificate`. This accepts a
    string containing both a certificate and PKCS #8-encoded private key.

    ```kotlin
    val heldCertificate = HeldCertificate.decode("""
        |-----BEGIN CERTIFICATE-----
        |MIIBYTCCAQegAwIBAgIBKjAKBggqhkjOPQQDAjApMRQwEgYDVQQLEwtlbmdpbmVl

    try (Response response = client.newCall(request).execute()) {
      if (!response.isSuccessful()) throw new IOException("Unexpected code " + response);

      for (Certificate certificate : response.handshake().peerCertificates()) {
        System.out.println(CertificatePinner.pin(certificate));
      }
    }
  }

  public static void main(String... args) throws Exception {
    new CertificatePinning().run();
  }

import okhttp3.OkHttpClient;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.Response;
import org.junit.Test;
import org.junit.runner.RunWith;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

/**
 * Simple test adaptable to show a failure in older versions of OkHttp

                    final SSLHostConfigCertificate certificate =
                            new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
                    doSetupServerConfig(logger, props, "certificateKeystoreFile", v -> certificate.setCertificateKeystoreFile(v));
                    doSetupServerConfig(logger, props, "certificateKeystorePassword", v -> certificate.setCertificateKeystorePassword(v));

        try (InputStream in = new FileInputStream(filename)) {
            Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(in);

            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            keyStore.setCertificateEntry("server", certificate);

    authType: String,
    host: String,
  ): List<Certificate> {
    if (host in insecureHosts) return listOf()
    try {
      val method =
        checkServerTrustedMethod
          ?: throw CertificateException("Failed to call checkServerTrusted")
      return method.invoke(delegate, chain, authType, host) as List<Certificate>
    } catch (e: InvocationTargetException) {
      throw e.targetException
    }