if err = r.Encryption.Validate(); err != nil {
			return err
		}
		newKeyID = strings.TrimPrefix(r.Encryption.Key, crypto.ARNPrefix)
		newKeyContext = r.Encryption.kmsContext
	}
	if err = rotateKey(ctx, []byte{}, newKeyID, []byte{}, r.Bucket, oi.Name, encMetadata, newKeyContext); err != nil {
		return err
	}

	// Since we are rotating the keys, make sure to update the metadata.
	oi.metadataOnly = true

		return key, crypto.ErrIncompatibleEncryptionMethod
	}

	k, err := crypto.SSEC.ParseHTTP(header)
	return k[:], err
}

// This function rotates old to new key.
func rotateKey(ctx context.Context, oldKey []byte, newKeyID string, newKey []byte, bucket, object string, metadata map[string]string, cryptoCtx kms.Context) error {
	kind, _ := crypto.IsEncrypted(metadata)
	switch kind {
	case crypto.S3:

			return
		}

		for k, v := range srcInfo.UserDefined {
			if stringsHasPrefixFold(k, ReservedMetadataPrefixLower) {
				encMetadata[k] = v
			}
		}

		if err = rotateKey(ctx, oldKey, newKeyID, newKey, srcBucket, srcObject, encMetadata, kmsCtx); err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}

     *
     * @param newEncryptionKey the new encryption key
     * @param newDecryptionKey the new decryption key
     * @throws GeneralSecurityException if key rotation fails
     */
    public void rotateKeys(byte[] newEncryptionKey, byte[] newDecryptionKey) throws GeneralSecurityException {
        if (closed) {
            throw new IllegalStateException("Cannot rotate keys on closed context");
        }

        byte[] newDecKey = new byte[16];
        new SecureRandom().nextBytes(newEncKey);
        new SecureRandom().nextBytes(newDecKey);

        // Use same key for enc/dec in test for simplicity
        context.rotateKeys(newEncKey, newEncKey);

        // Then - Can encrypt with new keys
        byte[] plaintext2 = "After rotation".getBytes();
        byte[] encrypted2 = context.encryptMessage(plaintext2, 2L);