//
// ### SSE-S3 and KMS
//
// SSE-S3 requires that the KMS provides two functions:
//
//  1. Generate(KeyID) -> (Key, EncKey)
//
//  2. Unseal(KeyID, EncKey) -> Key
//
//  1. Encrypt:
//     Input: KeyID, bucket, object, metadata, object_data
//     -     Key, EncKey := Generate(KeyID)
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(Key, Random({0,1}²⁵⁶))

        // When
        byte[] encKey = Smb3KeyDerivation.deriveEncryptionKey(dialect, sessionKey, preauthIntegrity);

        // Then
        assertNotNull(encKey, "Encryption key should not be null");
        assertEquals(16, encKey.length, "Encryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, encKey), "Encryption key should be different from session key");
    }

        // Given
        byte[] encKey = new byte[16];
        byte[] decKey = new byte[16];
        new SecureRandom().nextBytes(encKey);
        new SecureRandom().nextBytes(decKey);

        // When using try-with-resources
        assertDoesNotThrow(() -> {
            try (Smb2EncryptionContext context = new Smb2EncryptionContext(1, DialectVersion.SMB311, encKey, decKey)) {

        // Validate key lengths
        try {
            int expectedKeyLength = getKeyLength();
            byte[] encKey = getEncryptionKey();
            byte[] decKey = getDecryptionKey();

            try {
                boolean valid =
                        encKey != null && encKey.length == expectedKeyLength && decKey != null && decKey.length == expectedKeyLength;
                return valid;
            } finally {

	if p.rawReader != nil {
		return p.rawReader.ServerSideChecksumResult
	}
	return nil
}

func sealETag(encKey crypto.ObjectKey, md5CurrSum []byte) []byte {
	var emptyKey [32]byte
	if bytes.Equal(encKey[:], emptyKey[:]) {
		return md5CurrSum
	}
	return encKey.SealETag(md5CurrSum)
}

func sealETagFn(key crypto.ObjectKey) SealMD5CurrFn {
	fn := func(md5sumcurr []byte) []byte {