Harshavardhana <******@****.***> 1699046298 -0700

// at an untrusted location.
type SealedKey struct {
	Key       [64]byte // The encrypted and authenticated object-key.
	IV        [32]byte // The random IV used to encrypt the object-key.
	Algorithm string   // The sealing algorithm used to encrypt the object key.
}

// Seal encrypts the ObjectKey using the 256 bit external key and IV. The sealed
// key is also cryptographically bound to the object's path (bucket/object) and the

	}

	for i, test := range encryptDecryptTests {
		ciphertext, err := Encrypt(KMS, bytes.NewReader(test.Data), test.Context)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}
		data, err := io.ReadAll(ciphertext)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}

		plaintext, err := Decrypt(KMS, bytes.NewReader(data), test.Context)
		if err != nil {

    }


    /// Encrypt a block of bytes.
    public void encrypt( byte[] clearText, byte[] cipherText )  {
        encrypt( clearText, 0, cipherText, 0 );
    }

    /// Decrypt a block of bytes.
    public void decrypt( byte[] cipherText, byte[] clearText ) {

        decrypt( cipherText, 0, clearText, 0 );
    }

    /**
     * encrypts an array where the length must be a multiple of 8

        assertEquals(expect, ParameterUtil.encrypt(value));

        value = "";
        expect = "";
        assertEquals(expect, ParameterUtil.encrypt(value));

        value = "\n";
        expect = "";
        assertEquals(expect, ParameterUtil.encrypt(value));

        value = "=";
        expect = "unknown.1=";
        assertEquals(expect, ParameterUtil.encrypt(value));

        value = "=1\n=";

	plaintext, err := Decrypt(k, bytes.NewReader(ciphertext), context)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(plaintext)
}

// Encrypt encrypts the plaintext with a key managed by KMS.
// The context is bound to the returned ciphertext.
//
// The same context must be provided when decrypting the
// ciphertext.

//
// ## SSE-C
//
// SSE-C computes the key-encryption-key from the client-provided key, an
// initialization vector (IV) and the bucket/object path.
//
//  1. Encrypt:
//     Input: ClientKey, bucket, object, metadata, object_data
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(ClientKey || Random({0,1}²⁵⁶))

* Traefik (может обновлять сертификаты)
* Caddy (может обновлять сертификаты)
* Nginx
* HAProxy

## Let's Encrypt (центр сертификации)

До появления Let's Encrypt **сертификаты HTTPS** приходилось покупать у третьих сторон.

Процесс получения такого сертификата был трудоёмким, требовал предоставления подтверждающих документов и сертификаты стоили дорого.

* Nginx
* HAProxy

## Let's Encrypt

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

But then **<a href="https://letsencrypt.org/" class="external-link" target="_blank">Let's Encrypt</a>** was created.

			if err != nil {
				return
			}
			if sse, err = encrypt.NewSSEC(clientKey[:]); err != nil {
				return
			}
			opts.ServerSideEncryption = encrypt.SSECopy(sse)
			return
		}
		return
	}

	if crypto.SSEC.IsRequested(header) {
		clientKey, err = crypto.SSEC.ParseHTTP(header)
		if err != nil {
			return
		}
		if sse, err = encrypt.NewSSEC(clientKey[:]); err != nil {
			return
		}