Matt Lloyd <******@****.***> 1745728257 +0100

}

func TestNatsConnNKeySeed(t *testing.T) {
	opts := natsserver.DefaultTestOptions
	opts.Port = 14223
	opts.Nkeys = []*server.NkeyUser{
		{
			// Not a real NKey
			// Taken from https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/nkey_auth
			Nkey: "UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4",
		},
	}
	s := natsserver.RunServer(&opts)
	defer s.Shutdown()

}

// SealedKey represents a sealed object key. It can be stored
// at an untrusted location.
type SealedKey struct {
	Key       [64]byte // The encrypted and authenticated object-key.
	IV        [32]byte // The random IV used to encrypt the object-key.
	Algorithm string   // The sealing algorithm used to encrypt the object key.
}

// Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed

Bag Attributes
    friendlyName: test-node
    localKeyID: 54 69 6D 65 20 31 36 31 30 35 34 37 34 31 31 36 37 37 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIjQ0GSNxFPlcCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEhMiHamDL3EBIIEyDhQlJjJhfPN
Tve2KwhJsADvo6POTXw0tJzTKCHek7iYLcsMK7EQhH3fLRkYDCOufBIZEgqxxCiH
l3q89eg5qd4lqne4yTW5SYLVW+L6xnE5FpacpfLCWWm4LmZlg3BynDZykG/cDHS8

Harshavardhana <******@****.***> 1620513629 -0700

	}
	return NewBuiltin(keyID, key)
}

// NewBuiltin returns a single-key KMS that derives new DEKs from the
// given key.
func NewBuiltin(keyID string, key []byte) (*KMS, error) {
	if len(key) != 32 {
		return nil, errors.New("kms: invalid key length " + strconv.Itoa(len(key)))
	}
	return &KMS{
		Type:       Builtin,
		DefaultKey: keyID,
		conn: secretKey{
			keyID: keyID,
			key:   key,
		},

Bag Attributes
    friendlyName: test-client
    localKeyID: 54 69 6D 65 20 31 36 31 30 35 34 37 32 31 38 33 33 39 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIV/BaQuOROI8CAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECDimqPUDaqRVBIIEyBNPeVp351IS
v8s0Jscjmh/PkXe6Zb4etlvhOMbTrLdsUiXYaPaX+pwNDo61D3LR3UTz1Yt9MaIM
hgbClVQo2WhEIywJcaloEccxZ2mkP0ZWGVvm3NqfGD5ruevRxra9fvrQcpr81Sro

         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::multi-key-poc/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-server-side-encryption-aws-kms-key-id":"minio-default-key"
            }
         }
      }
   ]

	*sync.RWMutex

	// map of kid to public key
	pkMap map[string]any
}

func (pk *publicKeys) parseAndAdd(b io.Reader) error {
	var jwk JWKS
	err := json.NewDecoder(b).Decode(&jwk)
	if err != nil {
		return err
	}

	for _, key := range jwk.Keys {
		pkey, err := key.DecodePublicKey()
		if err != nil {
			return err
		}
		pk.add(key.Kid, pkey)
	}

	return nil
}

    /**
     * Gets the user properties to use for interpolation and profile activation. The user properties have been
     * configured directly by the user on his discretion, e.g. via the {@code -Dkey=value} parameter on the command
     * line.
     *
     * @return The user properties, never {@code null}.
     */
    Map<String, String> getUserProperties();

    /**