mockserver-client = { module = "org.mock-server:mockserver-client-java-no-dependencies", version.ref = "mockserverClient" }
nativeImageSvm = { module = "org.graalvm.nativeimage:svm", version.ref = "graalvm" }
openjsse = "org.openjsse:openjsse:1.1.14"
playservices-safetynet = "com.google.android.gms:play-services-safetynet:18.0.1"
robolectric-android = "org.robolectric:android-all:14-robolectric-10818077"

          java-version: 17

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Run Checks
        run: ./gradlew test -Dtest.java.version=8 -Dokhttp.platform=openjsse

  testconscrypt:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master' || contains(github.event.pull_request.labels.*.name, 'conscrypt')

    steps:
      - name: Checkout

 *  Fix: Embed Proguard rules to prevent warnings from tools like DexGuard and R8. These warnings
    were triggered by OkHttp’s feature detection for TLS packages like `org.conscrypt`,
    `org.bouncycastle`, and `org.openjsse`.
 *  Upgrade: Explicitly depend on `kotlin-stdlib-jdk8`. This fixes a problem with dependency
    locking. That's a potential security vulnerability, tracked as [CVE-2022-24329].

		chmod +x kes
fi

if ! openssl version &>/dev/null; then
	apt install openssl || sudo apt install opensssl
fi

# Start KES Server
(./kes server --dev 2>&1 >kes-server.log) &
kes_pid=$!
sleep 5s
API_KEY=$(grep "API Key" <kes-server.log | awk -F" " '{print $3}')
(openssl s_client -connect 127.0.0.1:7373 2>/dev/null 1>public.crt)

export CI=true

		chmod +x kes
fi

if ! openssl version &>/dev/null; then
	apt install openssl || sudo apt install opensssl
fi

# Start KES Server
(./kes server --dev 2>&1 >kes-server.log) &
kes_pid=$!
sleep 5s
API_KEY=$(grep "API Key" <kes-server.log | awk -F" " '{print $3}')
(openssl s_client -connect 127.0.0.1:7373 2>/dev/null 1>public.crt)

export CI=true

	kexAlgoCurve25519SHA256LibSSH = "******@****.***"
	kexAlgoCurve25519SHA256       = "curve25519-sha256"

	chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
	gcm256CipherID     = "aes256-gcm@openssh.com"
	aes128cbcID        = "aes128-cbc"
	tripledescbcID     = "3des-cbc"
)

var (
	errSFTPPublicKeyBadFormat = errors.New("the public key provided could not be parsed")

openssl x509 -req -days 3650 -CA "${WD}/rootA.crt" -CAkey "${WD}/rootA.key" -set_serial 0 -in "${WD}/clientA.csr" -out "${WD}/clientA.crt" -extensions v3_req -extfile "${WD}/client.conf"

openssl genrsa -out "${WD}/serverA.key" 2048
openssl req -new -key "${WD}/serverA.key" -out "${WD}/serverA.csr" -subj "/CN=*.example.com" -config "${WD}/server.conf"

// Generated using:
//
//	openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt
//
// Note that OpenSSL will truncate the private key if it can (i.e. it emits it
// like an integer, even though it's an OCTET STRING field). Thus if you
// regenerate this you may, randomly, find that it's a byte shorter than
// expected and the Go test will fail to recreate it exactly.

EOF

# Create a certificate authority
openssl genrsa -out CAKey.pem 2048
openssl req -x509 -new -nodes -key CAKey.pem -days 100000 -out CACert.pem -subj "/CN=${CN_BASE}_ca"

# Create a second certificate authority
openssl genrsa -out BadCAKey.pem 2048
openssl req -x509 -new -nodes -key BadCAKey.pem -days 100000 -out BadCACert.pem -subj "/CN=${CN_BASE}_ca"

# Create a server certiticate
openssl genrsa -out ServerKey.pem 2048

#openssl ecparam -genkey -name prime256v1 -out ecc-int-key.pem -noout
openssl req -new -key ecc-int-key.pem -out ecc-int-cert.csr -config int-cert.cfg -batch -sha256

openssl x509 -req -days 3650 -in ecc-int-cert.csr -sha256 -CA ecc-root-cert.pem -CAkey ecc-root-key.pem -CAcreateserial -out ecc-int-cert.pem -extensions v3_req -extfile int-cert.cfg


# Intermediate CA2
#openssl ecparam -genkey -name prime256v1 -out ecc-int2-key.pem -noout