if err != nil {
		t.Fatalf("Failed to create KMS: %v", err)
	}

	for i, test := range encryptDecryptTests {
		ciphertext, err := Encrypt(KMS, bytes.NewReader(test.Data), test.Context)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}
		data, err := io.ReadAll(ciphertext)
		if err != nil {
			t.Fatalf("Test %d: failed to encrypt stream: %v", i, err)
		}

					}

					expectedCiphertext := mustDecodeHex(t, enc["ct"])
					ciphertext, err := context.Seal(mustDecodeHex(t, enc["aad"]), mustDecodeHex(t, enc["pt"]))
					if err != nil {
						t.Fatal(err)
					}
					if !bytes.Equal(ciphertext, expectedCiphertext) {
						t.Errorf("unexpected ciphertext: got %x want %x", ciphertext, expectedCiphertext)
					}
				})
			}
		})
	}

		Err:     "key with given key ID does not exit",
	}

	// ErrDecrypt is an error returned by the KMS when the decryption
	// of a ciphertext failed.
	ErrDecrypt = Error{
		Code:    http.StatusBadRequest,
		APICode: "kms:InvalidCiphertextException",
		Err:     "failed to decrypt ciphertext",
	}

	// ErrNotSupported is an error returned by the KMS when the requested
	// functionality is not supported by the KMS service.

type PrivateKeyRSA struct{ _ int }

func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
	panic("boringcrypto: not available")
}
func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
	panic("boringcrypto: not available")
}
func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
	panic("boringcrypto: not available")
}

		}
		if errors.Is(err, kes.ErrNotAllowed) {
			return DEK{}, ErrPermission
		}
		return DEK{}, errKeyGenerationFailed(err)
	}
	return DEK{
		KeyID:      name,
		Plaintext:  dek.Plaintext,
		Ciphertext: dek.Ciphertext,
	}, nil
}

// ImportKey imports a cryptographic key into the KMS.
func (c *kesConn) ImportKey(ctx context.Context, keyID string, bytes []byte) error {

// IsEncryptedPEMBlock returns whether the PEM block is password encrypted
// according to RFC 1423.
//
// Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
// design. Since it does not authenticate the ciphertext, it is vulnerable to
// padding oracle attacks that can let an attacker recover the plaintext.
func IsEncryptedPEMBlock(b *pem.Block) bool {
	_, ok := b.Headers["DEK-Info"]
	return ok
}

		panic("message limit reached")
	}
	s.seqNum = s.seqNum.addOne()
	return nonce
}

func (s *Sender) Seal(aad, plaintext []byte) ([]byte, error) {

	ciphertext := s.aead.Seal(nil, s.nextNonce(), plaintext, aad)
	return ciphertext, nil
}

func SuiteID(kemID, kdfID, aeadID uint16) []byte {
	suiteID := make([]byte, 0, 4+2+2+2)
	suiteID = append(suiteID, []byte("HPKE")...)

		return
	}

	// 2. Verify that we can indeed decrypt the (encrypted) key
	decryptedKey, err := GlobalKMS.Decrypt(ctx, &kms.DecryptRequest{
		Name:           key.KeyID,
		Ciphertext:     key.Ciphertext,
		AssociatedData: kmsContext,
	})
	if err != nil {
		response.DecryptionErr = err.Error()
		resp, err := json.Marshal(response)
		if err != nil {

  // keyID must satisfy the following constraints:
  // 1. The keyID is not empty.
  // 2. The size of keyID is less than 1 kB.
  string keyID = 2;

  // EncryptedDEKSource is the ciphertext of the source of the DEK used to encrypt the data stored in encryptedData.
  // encryptedDEKSourceType defines the process of using the plaintext of this field to determine the aforementioned DEK.

	XC	$32, 16(R1), 16(R1) // set hash subkey and tag
	SLD	$3, R7, R12
	MOVD	R12, 48(R1)         // set total AAD length
	SLD	$3, R5, R12
	MOVD	R12, 56(R1)         // set total plaintext/ciphertext length

	LMG	key+8(FP), R8, R9   // R8=base R9=len
	MVC	$16, (R8), 80(R1)   // set key
	CMPBEQ	R9, $16, kma
	MVC	$8, 16(R8), 96(R1)
	CMPBEQ	R9, $24, kma
	MVC	$8, 24(R8), 104(R1)

kma: