Klaus Post <******@****.***> 1712870567 -0700

Klaus Post <******@****.***> 1712870567 -0700

	if err != nil {
		return encryptedETag
	}
	return hex.EncodeToString(etagBytes)
}

// GetDecryptedRange - To decrypt the range (off, length) of the
// decrypted object stream, we need to read the range (encOff,
// encLength) of the encrypted object stream to decrypt it, and
// compute skipLen, the number of bytes to skip in the beginning of
// the encrypted range.
//

			if err != nil {
				return nil, 0, 0, err
			}
			decrypt := func(b []byte) ([]byte, error) {
				return b, nil
			}
			if isEncrypted {
				decrypt = oi.compressionIndexDecrypt
			}
			// In case of range based queries on multiparts, the offset and length are reduced.
			off, decOff, firstPart, decryptSkip, seqNum = getCompressedOffsets(oi, off, decrypt)
			decLength = length
			length = oi.Size - off

	mac.Write([]byte("SSE-etag"))
	if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}); err != nil {
		logger.CriticalIf(context.Background(), errors.New("Unable to encrypt ETag using object key"))
	}
	return buffer.Bytes()
}

// UnsealETag unseals the etag using the provided object key.
// It does not try to decrypt the ETag if len(etag) == 16

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"os"

	"github.com/minio/pkg/v2/env"
)

// EnvCertPassword is the environment variable which contains the password used
// to decrypt the TLS private key. It must be set if the TLS private key is
// password protected.
const EnvCertPassword = "MINIO_CERT_PASSWD"

// ParsePublicCertFile - parses public cert into its *x509.Certificate equivalent.

	Verify(cxt context.Context) []VerifyResult
}

// VerifyResult describes the verification result details a KMS endpoint
type VerifyResult struct {
	Endpoint string
	Decrypt  string
	Encrypt  string
	Version  string
	Status   string
}

// Status describes the current state of a KMS.
type Status struct {
	Name      string   // The name of the KMS

		if err != nil {
			result.Encrypt = fmt.Sprintf("Encryption failed: %v", err)
		} else {
			result.Encrypt = "success"
		}
		// 3. Verify that we can indeed decrypt the (encrypted) key
		decryptedKey, err := client.Decrypt(ctx, env.Get(EnvKESKeyName, ""), key.Ciphertext, kmsCtx)
		switch {
		case err != nil:
			result.Decrypt = fmt.Sprintf("Decryption failed: %v", err)

		}
	}

	// Open the input and create the output file
	input, err := os.Open(inputFileName)
	fatalErr(err)
	defer input.Close()
	output, err := os.Create(outputFileName)
	fatalErr(err)

	// Decrypt the inspect data
	msg := fmt.Sprintf("output written to %s", outputFileName)

	switch {
	case *keyHex != "":
		err = extractInspectV1(*keyHex, input, output, msg)
	case len(privateKey) != 0:

// Parse parses s as single-key KMS. The given string
// is expected to have the following format:
//
//	<key-id>:<base64-key>
//
// The returned KMS implementation uses the parsed
// key ID and key to derive new DEKs and decrypt ciphertext.
func Parse(s string) (KMS, error) {
	v := strings.SplitN(s, ":", 2)
	if len(v) != 2 {
		return nil, errors.New("kms: invalid master key format")
	}

	keyID, b64Key := v[0], v[1]