{
			name:    "happy path no errors",
			fv:      defaultFormVals.Clone(),
			wantErr: "",
		},
		{
			name:    "expired policy document",
			fv:      defaultFormVals.Clone(),
			expired: true,
			wantErr: "Invalid according to Policy: Policy expired",
		},
		{
			name:    "different AMZ date",
			fv:      defaultFormVals.Clone().Set(xhttp.AmzDate, "2017T000000Z"),
			wantErr: policyCondFailedErr,
		},

            orig.refresh();
            // Clone should retain its cached Subject
            assertSame(copySubj, copy.getSubject(), "Clone should retain its cached Subject");
        } else {
            // If JAAS is not configured and getSubject() returns null, verify cloning still works
            assertNull(first, "First call to getSubject() returned null - JAAS not configured");

            // Clone should also return null for getSubject() calls

            when(mockMd5.clone()).thenReturn(clonedMd5);

            HMACT64 clonedHmac = (HMACT64) originalHmac.clone();

            assertNotNull(clonedHmac);
            assertNotSame(originalHmac, clonedHmac);
            verify(mockMd5, times(1)).clone(); // Verify that the internal MD5 was cloned
        }
    }

    @Test
    void testCloneNotSupportedException() throws NoSuchAlgorithmException, CloneNotSupportedException {

	if sqldb, ok := connPool.(*sql.DB); ok && sqldb != nil {
		return sqldb, nil
	}

	return nil, ErrInvalidDB
}

func (db *DB) getInstance() *DB {
	if db.clone > 0 {
		tx := &DB{Config: db.Config, Error: db.Error}

		if db.clone == 1 {
			// clone with new statement
			tx.Statement = &Statement{
				DB:        tx,
				ConnPool:  db.Statement.ConnPool,
				Context:   db.Statement.Context,

        // Cast and check we can call clone() from CredentialsInternal contract
        CredentialsInternal ci = (CredentialsInternal) impl;
        CredentialsInternal cloned = ci.clone();
        assertNotNull(cloned, "clone() should return a non-null CredentialsInternal");
    }

    }

    @Test
    @DisplayName("clone returns a distinct copy with same properties")
    void clone_returns_copy() {
        // Arrange
        Subject subject = new Subject();
        TestCredentials creds = new TestCredentials("A", true, false, subject, false);

        // Act
        TestCredentials copy = creds.clone();

        // Assert

        SecurityBlob copy = assertDoesNotThrow(() -> (SecurityBlob) original.clone(), "clone() should not throw");

        // Assert
        assertNotSame(original, copy, "clone should return a different instance");
        assertTrue(original.equals(copy), "Cloned instance should be equal by content");

        // Mutate original backing array; clone should remain based on previous snapshot
        data[0] = 99;

        char[] plaintext = "SamePassword".toCharArray();

        // Encrypt twice
        byte[] encrypted1 = storage.encryptCredentials(plaintext.clone());
        byte[] encrypted2 = storage.encryptCredentials(plaintext.clone());

        // Should produce different ciphertexts due to random IV
        assertFalse(Arrays.equals(encrypted1, encrypted2), "Different encryptions should produce different ciphertexts");

        assertArrayEquals(originalPassword, clonedPassword, "Cloned password content should match");

        // Wipe original - should not affect clone
        authenticator.secureWipePassword();

        char[] originalAfterWipe = (char[]) passwordField.get(authenticator);
        char[] clonedAfterWipe = (char[]) passwordField.get(cloned);

        this.contextHandle = contextHandle != null ? contextHandle.clone() : new byte[20];
    }

    /**
     * Sets the context handle for unregistration.
     *
     * @param contextHandle the context handle from registration
     */
    public void setContextHandle(byte[] contextHandle) {
        this.contextHandle = contextHandle != null ? contextHandle.clone() : null;
    }

    /**
     * Gets the context handle.