krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \

func init() {
	// ES256
	SigningMethodES3256 = &jwt.SigningMethodECDSA{Name: "ES3256", Hash: crypto.SHA3_256, KeySize: 32, CurveBits: 256}
	jwt.RegisterSigningMethod(SigningMethodES3256.Alg(), func() jwt.SigningMethod {
		return SigningMethodES3256
	})

	// ES384
	SigningMethodES3384 = &jwt.SigningMethodECDSA{Name: "ES3384", Hash: crypto.SHA3_384, KeySize: 48, CurveBits: 384}
	jwt.RegisterSigningMethod(SigningMethodES3384.Alg(), func() jwt.SigningMethod {

krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \

The certificates are generated using catch-all SAN in the following procedure:

1. Generate the node's keystore:

      apply {
        keyAlgorithm = "EC"
        keySize = 256
      }

    /**
     * Configure the certificate to generate a 2048-bit RSA key, which provides about 112 bits of
     * security. RSA keys are interoperable with very old clients that don't support ECDSA.
     */
    fun rsa2048() =
      apply {
        keyAlgorithm = "RSA"
        keySize = 2048
      }

    fun build(): HeldCertificate {

Counter struct { // c is instantiated with K as the key and V as the counter. c aes.CTR reseedCounter uint64 } const ( keySize = 256 / 8 SeedSize = keySize + aes.BlockSize reseedInterval = 1 << 48 maxRequestSize = (1 << 19) / 8 ) func NewCounter(entropy *[SeedSize]byte) *Counter { // CTR_DRBG_Instantiate_algorithm, per Section 10.2.1.3.1. fips140.RecordApproved() K := make([]byte, keySize) V := make([]byte, aes.BlockSize) // V starts at 0, but is incremented in CTR_DRBG_Update before each use, // unlike...

Counter struct { // c is instantiated with K as the key and V as the counter. c aes.CTR reseedCounter uint64 } const ( keySize = 256 / 8 SeedSize = keySize + aes.BlockSize reseedInterval = 1 << 48 maxRequestSize = (1 << 19) / 8 ) func NewCounter(entropy *[SeedSize]byte) *Counter { // CTR_DRBG_Instantiate_algorithm, per Section 10.2.1.3.1. fips140.RecordApproved() K := make([]byte, keySize) V := make([]byte, aes.BlockSize) // V starts at 0, but is incremented in CTR_DRBG_Update before each use, // unlike...

	serveFunc := func() error {
		return http.ListenAndServe(":8080", nil)
	}

	if certFile != "" || keyFile != "" {
		if certFile == "" || keyFile == "" {
			log.Fatal("Please provide both a key file and a cert file to enable TLS.")
		}
		serveFunc = func() error {
			return http.ListenAndServeTLS(":8080", certFile, keyFile, nil)
		}
	}

	http.HandleFunc("/", mainHandler)

	log.Print("Listening on :8080")

// decrypted using the ENV_VAR: MINIO_CERT_PASSWD.
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
	certPEMBlock, err := os.ReadFile(certFile)
	if err != nil {
		return tls.Certificate{}, ErrTLSReadError(nil).Msgf("Unable to read the public key: %s", err)
	}
	keyPEMBlock, err := os.ReadFile(keyFile)
	if err != nil {

    private static final String KEY_ALGORITHM = "AES";
    private static final String KEY_DERIVATION_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KEY_SIZE = 256;
    private static final int GCM_TAG_SIZE = 128;
    private static final int GCM_IV_SIZE = 12;
    private static final int SALT_SIZE = 32;
    private static final int PBKDF2_ITERATIONS = 100_000;