// password protected.
const EnvCertPassword = "MINIO_CERT_PASSWD"

// ParsePublicCertFile - parses public cert into its *x509.Certificate equivalent.
func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err error) {
	// Read certificate file.
	var data []byte
	if data, err = os.ReadFile(certFile); err != nil {
		return nil, err
	}

	// Trimming leading and tailing white spaces.

 * ```
 *
 * In this example the HTTP client already knows and trusts the last certificate, "Entrust Root
 * Certification Authority - G2". That certificate is used to verify the signature of the
 * intermediate certificate, "Entrust Certification Authority - L1M". The intermediate certificate
 * is used to verify the signature of the "www.squareup.com" certificate.
 *

  }

  private fun certificate(certificate: String): X509Certificate =
    CertificateFactory
      .getInstance("X.509")
      .generateCertificate(ByteArrayInputStream(certificate.toByteArray()))
      as X509Certificate

  private fun session(certificate: String): SSLSession = FakeSSLSession(certificate(certificate))

    val certificate = heldCertificate.certificate
    assertThat(certificate.getSubjectX500Principal().name, "self-signed")
      .isEqualTo(certificate.getIssuerX500Principal().name)
    assertThat(certificate.getIssuerX500Principal().name).matches(Regex("CN=[0-9a-f-]{36}"))
    assertThat(certificate.serialNumber).isEqualTo(BigInteger.ONE)
    assertThat(certificate.subjectAlternativeNames).isNull()

        .serialNumber(1L)
        .build()
    val rootB =
      HeldCertificate
        .Builder()
        .serialNumber(2L)
        .build()
    assertThat(get(rootB.certificate, rootA.certificate))
      .isEqualTo(get(rootA.certificate, rootB.certificate))
  }

  @Test
  fun equalsFromTrustManager() {
    val handshakeCertificates = HandshakeCertificates.Builder().build()

    // Add a bad intermediate CA and have that issue a rogue certificate for localhost. Prepare
    // an SSL context for an attacking webserver. It includes both these rogue certificates plus the
    // trusted good certificate above. The attack is that by including the good certificate in the
    // chain, we may trick the certificate pinner into accepting the rouge certificate.
    val compromisedIntermediateCa =
      HeldCertificate

        peerCertificates = listOf(serverCertificate.certificate, serverIntermediate.certificate),
        localCertificates = listOf(),
      )

    assertThat(handshake.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
    assertThat(handshake.cipherSuite).isEqualTo(CipherSuite.TLS_AES_128_GCM_SHA256)
    assertThat(handshake.peerCertificates).containsExactly(
      serverCertificate.certificate,
      serverIntermediate.certificate,
    )

    /**
     * Returns the SHA-256 of `certificate`'s public key.
     *
     * In OkHttp 3.1.2 and earlier, this returned a SHA-1 hash of the public key. Both types are
     * supported, but SHA-256 is preferred.
     */
    @JvmStatic
    fun pin(certificate: Certificate): String {
      require(certificate is X509Certificate) { "Certificate pinning requires X509 certificates" }

		}
		certificate, err := createTempFile(t, "public.crt", testCase.certificate)
		if err != nil {
			os.Remove(privateKey)
			t.Fatalf("Test %d: failed to create tmp certificate file: %v", i, err)
		}

		if testCase.password != "" {
			t.Setenv(EnvCertPassword, testCase.password)
		}
		_, err = LoadX509KeyPair(certificate, privateKey)
		if err != nil && !testCase.shouldFail {

      }
    }

  fun verify(
    host: String,
    certificate: X509Certificate,
  ): Boolean =
    when {
      host.canParseAsIpAddress() -> verifyIpAddress(host, certificate)
      else -> verifyHostname(host, certificate)
    }

  /** Returns true if [certificate] matches [ipAddress]. */
  private fun verifyIpAddress(
    ipAddress: String,
    certificate: X509Certificate,
  ): Boolean {