}

	keyIDs := make([]string, 0, len(metadata))
	kmsKeys := make([][]byte, 0, len(metadata))
	sealedKeys := make([]SealedKey, 0, len(metadata))

	sameKeyID := true
	for i := range metadata {
		keyID, kmsKey, sealedKey, err := s3.ParseMetadata(metadata[i])
		if err != nil {
			return nil, err
		}
		keyIDs = append(keyIDs, keyID)
		kmsKeys = append(kmsKeys, kmsKey)

//
// ### SSE-S3 and KMS
//
// SSE-S3 requires that the KMS provides two functions:
//
//  1. Generate(KeyID) -> (Key, EncKey)
//
//  2. Unseal(KeyID, EncKey) -> Key
//
//  1. Encrypt:
//     Input: KeyID, bucket, object, metadata, object_data
//     -     Key, EncKey := Generate(KeyID)
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(Key, Random({0,1}²⁵⁶))

//
// The default key ID will be used if keyID is empty.
//
// The context is associated and tied to the generated DEK.
// The same context must be provided when the generated
// key should be decrypted.
func (c *kesClient) GenerateKey(ctx context.Context, keyID string, cryptoCtx Context) (DEK, error) {
	c.lock.RLock()
	defer c.lock.RUnlock()

	if keyID == "" {
		keyID = c.defaultKeyID
	}

	exit_1
fi
if [ "${rep_obj3_algo}" != "${src_obj3_algo}" ]; then
	echo "BUG: Algorithm: '${rep_obj3_algo}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_algo}'"
	exit_1
fi
if [ "${rep_obj3_keyid}" != "${src_obj3_keyid}" ]; then
	echo "BUG: KeyId: '${rep_obj3_keyid}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_keyid}'"
	exit_1

			}
		}
		if !bytes.Equal(dataKey, test.DataKey) {
			t.Errorf("Test %d: got data key '%v' - want data key '%v'", i, dataKey, test.DataKey)
		}
		if keyID != test.KeyID {
			t.Errorf("Test %d: got key-ID '%v' - want key-ID '%v'", i, keyID, test.KeyID)
		}
		if sealedKey.Algorithm != test.SealedKey.Algorithm {

}

func (kms secretKey) CreateKey(_ context.Context, keyID string) error {
	if keyID == kms.keyID {
		return nil
	}
	return Error{
		HTTPStatusCode: http.StatusNotImplemented,
		APICode:        "KMS.NotImplemented",
		Err:            fmt.Errorf("creating custom key %q is not supported", keyID),
	}
}

func (kms secretKey) GenerateKey(_ context.Context, keyID string, context Context) (DEK, error) {
	if keyID == "" {

		if err := json.Unmarshal(b, &ctx); err != nil {
			return "", nil, err
		}
	}

	keyID := h.Get(xhttp.AmzServerSideEncryptionKmsID)
	spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
	if spaces {
		return "", nil, ErrInvalidEncryptionKeyID
	}
	return strings.TrimPrefix(keyID, ARNPrefix), ctx, nil
}

// IsEncrypted returns true if the object metadata indicates

	ImportKey(ctx context.Context, keyID string, bytes []byte) error

	// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
	// The plaintext must not exceed 1 MB
	EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)

	// HMAC computes the HMAC of the given msg and key with the given
	// key ID.
	HMAC(ctx context.Context, keyID string, msg []byte) ([]byte, error)

				return nil, errors.New("MasterKeyID is allowed with aws:kms only")
			}
		case AWSKms:
			keyID := rule.DefaultEncryptionAction.MasterKeyID
			if keyID == "" {
				return nil, errors.New("MasterKeyID is missing with aws:kms")
			}
			spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
			if spaces {
				return nil, errors.New("MasterKeyID contains unsupported characters")
			}
		}
	}

		}
		plaintext, err := KMS.DecryptKey(test.KeyID, ciphertext, test.Context)
		if err != nil {
			t.Fatalf("Test %d: failed to decrypt key: %v", i, err)
		}
		if !bytes.Equal(plaintext, dataKey) {
			t.Fatalf("Test %d: decrypted key does not generated one: got %x - want %x", i, plaintext, dataKey)
		}
	}
}

var decryptKeyTests = []struct {
	KeyID      string
	Plaintext  string
	Ciphertext string