*  * `com.twitter.hpack.HuffmanDecoder`
 *  * `com.twitter.hpack.HpackUtil`
 *
 * [twitter_hpack]: https://github.com/twitter/hpack
 */
object Huffman {
  // Appendix C: Huffman Codes
  // http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-12#appendix-B
  private val CODES =
    intArrayOf(
      0x1ff8, 0x7fffd8, 0xfffffe2, 0xfffffe3, 0xfffffe4, 0xfffffe5, 0xfffffe6,

    throw IllegalArgumentException("failed to decode certificate", e)
  }
}

/**
 * Returns the certificate encoded in [PEM format][rfc_7468].
 *
 * [rfc_7468]: https://tools.ietf.org/html/rfc7468
 */
fun X509Certificate.certificatePem(): String {
  return buildString {
    append("-----BEGIN CERTIFICATE-----\n")
    encodeBase64Lines(encoded.toByteString())
    append("-----END CERTIFICATE-----\n")

  //
  // +optional
  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  //
  // Valid values are:
  //  "signing",
  //  "digital signature",
  //  "content commitment",
  //  "key encipherment",

 * > of this section.  The DNS API server defines the URI used by the
 * > request through the use of a URI Template.
 *
 * [doh_spec]: https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-13
 */
class DnsOverHttps internal constructor(
  @get:JvmName("client") val client: OkHttpClient,
  @get:JvmName("url") val url: HttpUrl,
  @get:JvmName("includeIPv6") val includeIPv6: Boolean,

        sslSocket.enabledProtocols.intersect(tlsVersionsAsString, naturalOrder())
      } else {
        sslSocket.enabledProtocols
      }

    // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 the SCSV
    // cipher is added to signal that a protocol fallback has taken place.
    val supportedCipherSuites = sslSocket.supportedCipherSuites
    val indexOfFallbackScsv =

        self,
        code: Annotated[
            int,
            Doc(
                """
                A closing code from the
                [valid codes defined in the specification](https://datatracker.ietf.org/doc/html/rfc6455#section-7.4.1).
                """
            ),
        ],
        reason: Annotated[
            Union[str, None],
            Doc(
                """

 * database to hold accepted cookies. The [cookie storage model][rfc_6265_53] specifies policies for
 * updating and expiring cookies.
 *
 * [rfc_6265_53]: https://tools.ietf.org/html/rfc6265#section-5.3
 */
interface CookieJar {
  /**
   * Saves [cookies] from an HTTP response to this store according to this jar's policy.
   *

   * Returns the string representation of an {@link InetAddress}.
   *
   * <p>For IPv4 addresses, this is identical to {@link InetAddress#getHostAddress()}, but for IPv6
   * addresses, the output follows <a href="http://tools.ietf.org/html/rfc5952">RFC 5952</a> section
   * 4. The main difference is that this method uses "::" for zero compression, while Java's version

 * direct translation of the pseudocode presented there.
 *
 * Partner this class with [UTS #46] to implement IDNA2008 [RFC 5890] like most browsers do.
 *
 * [RFC 3492]: https://datatracker.ietf.org/doc/html/rfc3492
 * [RFC 5890]: https://datatracker.ietf.org/doc/html/rfc5890
 * [UTS #46]: https://www.unicode.org/reports/tr46/
 */
object Punycode {
  val PREFIX_STRING = "xn--"
  val PREFIX = PREFIX_STRING.encodeUtf8()

import java.math.BigInteger
import java.net.ProtocolException
import okio.ByteString

/**
 * ASN.1 adapters adapted from the specifications in [RFC 5280][rfc_5280].
 *
 * [rfc_5280]: https://tools.ietf.org/html/rfc5280
 */
@Suppress("UNCHECKED_CAST") // This needs to cast decoded collections.
internal object CertificateAdapters {
  /**
   * ```
   * Time ::= CHOICE {
   *   utcTime        UTCTime,