}
	return &KMS{
		Type:       Builtin,
		DefaultKey: keyID,
		conn: secretKey{
			keyID: keyID,
			key:   key,
		},
		latencyBuckets: defaultLatencyBuckets,
		latency:        make([]atomic.Uint64, len(defaultLatencyBuckets)),
	}, nil
}

// secretKey is a KMS implementation that derives new DEKs
// from a single key.
type secretKey struct {
	keyID string
	key   []byte
}

//
// ### SSE-S3 and KMS
//
// SSE-S3 requires that the KMS provides two functions:
//
//  1. Generate(KeyID) -> (Key, EncKey)
//
//  2. Unseal(KeyID, EncKey) -> Key
//
//  1. Encrypt:
//     Input: KeyID, bucket, object, metadata, object_data
//     -     Key, EncKey := Generate(KeyID)
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(Key, Random({0,1}²⁵⁶))

// KMS master key ID nor a sealed KMS data key it returns an empty keyID and
// KMS data key. Otherwise, it returns an error.
func (sses3) ParseMetadata(metadata map[string]string) (keyID string, kmsKey []byte, sealedKey SealedKey, err error) {
	// Extract all required values from object metadata
	b64IV, ok := metadata[MetaIV]
	if !ok {
		return keyID, kmsKey, sealedKey, errMissingInternalIV
	}

		if err := json.Unmarshal(b, &ctx); err != nil {
			return "", nil, err
		}
	}

	keyID := h.Get(xhttp.AmzServerSideEncryptionKmsID)
	spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
	if spaces {
		return "", nil, ErrInvalidEncryptionKeyID
	}
	return strings.TrimPrefix(keyID, ARNPrefix), ctx, nil
}

// IsEncrypted returns true if the object metadata indicates

				t.Errorf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err)
			}
			continue
		}

		if tc.keyID != "" && tc.keyID != ssec.KeyID() {
			t.Errorf("Test case %d: Expected bucket encryption KeyID %s but got %s", i+1, tc.keyID, ssec.KeyID())
		}

		if expectedXML, err := xml.Marshal(tc.expectedConfig); err != nil || !bytes.Equal(expectedXML, []byte(tc.inputXML)) {

// MarshalText encodes the DEK's key ID and ciphertext
// as JSON.
func (d DEK) MarshalText() ([]byte, error) {
	type JSON struct {
		KeyID      string `json:"keyid"`
		Version    uint32 `json:"version,omitempty"`
		Ciphertext []byte `json:"ciphertext"`
	}
	return json.Marshal(JSON{
		KeyID:      d.KeyID,
		Version:    uint32(d.Version),
		Ciphertext: d.Ciphertext,
	})
}

		}
	}
}

var decryptKeyTests = []struct {
	KeyID      string
	Plaintext  string
	Ciphertext string
	Context    Context
}{
	{
		KeyID:      "my-key",
		Plaintext:  "zmS7NrG765UZ0ZN85oPjybelxqVvpz01vxsSpOISy2M=",

				return nil, errors.New("MasterKeyID is allowed with aws:kms only")
			}
		case AWSKms:
			keyID := rule.DefaultEncryptionAction.MasterKeyID
			if keyID == "" {
				return nil, errors.New("MasterKeyID is missing with aws:kms")
			}
			spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
			if spaces {
				return nil, errors.New("MasterKeyID contains unsupported characters")
			}
		}
	}

		}
		return DEK{}, errKeyGenerationFailed(err)
	}
	return DEK{
		KeyID:      name,
		Plaintext:  dek.Plaintext,
		Ciphertext: dek.Ciphertext,
	}, nil
}

// ImportKey imports a cryptographic key into the KMS.
func (c *kesConn) ImportKey(ctx context.Context, keyID string, bytes []byte) error {
	return c.client.ImportKey(ctx, keyID, &kes.ImportKeyRequest{
		Key: bytes,
	})
}

		Version         = 1
	)
	var (
		header [5]byte
		buffer bytes.Buffer
	)
	json := jsoniter.ConfigCompatibleWithStandardLibrary
	metadata, err := json.Marshal(encryptedObject{
		KeyID:     key.KeyID,
		KMSKey:    key.Ciphertext,
		Algorithm: algorithm,
		Nonce:     nonce,
	})
	if err != nil {
		return nil, err
	}
	if len(metadata) > MaxMetadataSize {