if objInfo.DeleteMarker || !objInfo.VersionPurgeStatus.Empty() {
		return nil
	}
	sseKMS := crypto.S3KMS.IsEncrypted(objInfo.UserDefined)
	sseS3 := crypto.S3.IsEncrypted(objInfo.UserDefined)
	if !sseKMS && !sseS3 { // neither sse-s3 nor sse-kms disallowed
		return errInvalidEncryptionParameters
	}
	if sseKMS && r.Encryption.Type == sses3 { // previously encrypted with sse-kms, now sse-s3 disallowed

	etag := strings.TrimSpace(hdr.Get(xhttp.MinIOSourceETag))
	if crypto.S3KMS.IsRequested(hdr) {
		keyID, context, err := crypto.S3KMS.ParseHTTP(hdr)
		if err != nil {
			return ObjectOptions{}, err
		}
		sseKms, err := encrypt.NewSSEKMS(keyID, context)
		if err != nil {
			return ObjectOptions{}, err
		}
		op := ObjectOptions{
			ServerSideEncryption: sseKms,
			UserDefined:          metadata,
			MTime:                mtime,

		return nil
	case crypto.S3KMS:
		if GlobalKMS == nil {
			return errKMSNotConfigured
		}
		objectKey, err := crypto.S3KMS.UnsealObjectKey(GlobalKMS, metadata, bucket, object)
		if err != nil {
			return err
		}

		if len(cryptoCtx) == 0 {
			_, _, _, cryptoCtx, err = crypto.S3KMS.ParseMetadata(metadata)
			if err != nil {
				return err
			}
		}

			writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
			return
		}

		if crypto.SSEC.IsRequested(r.Header) && crypto.S3KMS.IsRequested(r.Header) {
			writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
			return
		}

		_, sourceReplReq := r.Header[xhttp.MinIOSourceReplicationRequest]

	m := cloneMSS(metadata)

	switch kind, _ := crypto.IsEncrypted(metadata); kind {
	case crypto.S3:
		m[xhttp.AmzServerSideEncryption] = xhttp.AmzEncryptionAES
	case crypto.S3KMS:
		m[xhttp.AmzServerSideEncryption] = xhttp.AmzEncryptionKMS
		m[xhttp.AmzServerSideEncryptionKmsID] = kmsKeyIDFromMetadata(metadata)
		if kmsCtx, ok := metadata[crypto.MetaContext]; ok {

func (api objectAPIHandlers) getObjectInArchiveFileHandler(ctx context.Context, objectAPI ObjectLayer, bucket, object string, w http.ResponseWriter, r *http.Request) {
	if crypto.S3.IsRequested(r.Header) || crypto.S3KMS.IsRequested(r.Header) { // If SSE-S3 or SSE-KMS present -> AWS fails with undefined error
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrBadRequest), r.URL)
		return
	}

						<goals>
							<goal>check</goal>
						</goals>
					</execution>
				</executions>
				<configuration>
					<failOnError>false</failOnError>
					<ignored>
						<difference>
							<!-- seems to be a clirr bug that it cannot handle the different inherited 
								return types -->
							<className>**</className>
							<differenceType>7006</differenceType>
							<method>*</method>
							<from>*</from>

        }
        checkExceptionClassValidity(exceptionClass);

        /*
         * It's very unlikely that any loaded Futures class will see getChecked called with more
         * than a handful of exceptions. But it seems prudent to set a cap on how many we'll cache.
         * This avoids out-of-control memory consumption, and it keeps the cache from growing so
         * large that doing the lookup is noticeably slower than redoing the work would be.

      /*
       * I assume that this check can't fail because JELLY_BEAN will be present only if we're
       * running under Jelly Bean or higher. But it seems safest to check.
       */
      if (version < jellyBean) {
        return new ThrowingCreator();
      }

      // Don't merge these catch() blocks, let alone use ReflectiveOperationException directly:

      ).build()
  }

  private fun buildServerSslSocketFactory(): SSLSocketFactory {
    // The test uses JDK default SSL Context instead of the Platform provided one
    // as Conscrypt seems to have some differences, we only want to test client side here.
    return try {
      val keyManager =
        newKeyManager(
          null,
          serverCert,
          serverIntermediateCa.certificate,