) : CertificateChainCleaner() {
  @Suppress("UNCHECKED_CAST")
  @Throws(SSLPeerUnverifiedException::class)
  @SuppressSignatureCheck
  override fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate> {
    val certificates = (chain as List<X509Certificate>).toTypedArray()
    try {
      return x509TrustManagerExtensions.checkServerTrusted(certificates, "RSA", hostname)

    client =
      client.newBuilder()
        .addInterceptor(
          Interceptor { chain: Interceptor.Chain ->
            try {
              chain.proceed(chain.request())
              throw AssertionError()
            } catch (expected: IOException) {
              chain.proceed(chain.request())
            }
          },
        )
        .build()

    assumeNetwork()

    val trustManager =
      object : X509TrustManager {
        override fun checkClientTrusted(
          chain: Array<out X509Certificate>?,
          authType: String?,
        ) {}

        override fun checkServerTrusted(
          chain: Array<out X509Certificate>?,
          authType: String?,
        ) {}

    this.server = server
    client =
      OkHttpClient.Builder()
        .addNetworkInterceptor(
          Interceptor { chain ->
            when {
              extraNetworkInterceptor != null -> extraNetworkInterceptor!!.intercept(chain)
              else -> chain.proceed(chain.request())
            }
          },
        )
        .addNetworkInterceptor(networkInterceptor)

 *    other properties.
 *
 * Certificates are signed by other certificates and a sequence of them is called a certificate
 * chain. The chain terminates in a self-signed "root" certificate. Signing certificates in the
 * middle of the chain are called "intermediates". Organizations that offer certificate signing are
 * called certificate authorities (CAs).
 *

 * ```
 *
 * As expected, this fails with a certificate pinning exception:
 *
 * ```java
 * javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
 * Peer certificate chain:
 *     sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL
 *     sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA

     * a line containing the cipher suite. Next is the length of the peer certificate chain. These
     * certificates are base64-encoded and appear each on their own line. The next line contains the
     * length of the local certificate chain. These certificates are also base64-encoded and appear
     * each on their own line. A length of -1 is used to encode a null array. The last line is

  fun networkInterceptorsCannotCallProceedMultipleTimes() {
    server.enqueue(MockResponse())
    server.enqueue(MockResponse())
    val interceptor =
      Interceptor { chain: Interceptor.Chain ->
        chain.proceed(chain.request())
        chain.proceed(chain.request())
      }
    client =
      client.newBuilder()
        .addNetworkInterceptor(interceptor)
        .build()
    val request =
      Request.Builder()

  override fun checkServerTrusted(
    chain: Array<out X509Certificate>,
    authType: String,
    socket: Socket,
  ) {
    if (socket.peerName() !in insecureHosts) {
      delegate.checkServerTrusted(chain, authType, socket)
    }
  }

  override fun checkServerTrusted(
    chain: Array<out X509Certificate>,
    authType: String,
    engine: SSLEngine,
  ) {

import okhttp3.internal.connection.Exchange
import okhttp3.internal.connection.RealCall

/**
 * A concrete interceptor chain that carries the entire interceptor chain: all application
 * interceptors, the OkHttp core, all network interceptors, and finally the network caller.
 *
 * If the chain is for an application interceptor then [exchange] must be null. Otherwise it is for
 * a network interceptor and [exchange] must be non-null.
 */