k.updateMetrics(err, time.Since(start))

	return dek, err
}

// Decrypt decrypts a ciphertext using the master key req.Name.
// It returns ErrKeyNotFound if the key does not exist.
func (k *KMS) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {
	start := time.Now()
	plaintext, err := k.conn.Decrypt(ctx, req)
	k.updateMetrics(err, time.Since(start))

	return plaintext, err
}

	if err != nil {
		return encryptedETag
	}
	return hex.EncodeToString(etagBytes)
}

// GetDecryptedRange - To decrypt the range (off, length) of the
// decrypted object stream, we need to read the range (encOff,
// encLength) of the encrypted object stream to decrypt it, and
// compute skipLen, the number of bytes to skip in the beginning of
// the encrypted range.
//

}

// Equal returns true if and only if the two ETags are
// identical.
func Equal(a, b ETag) bool { return bytes.Equal(a, b) }

// Decrypt decrypts the ETag with the given key.
//
// If the ETag is not encrypted, Decrypt returns
// the ETag unmodified.
func Decrypt(key []byte, etag ETag) (ETag, error) {
	const HMACContext = "SSE-etag"

	if !etag.IsEncrypted() {
		return etag, nil
	}

	// ErrDecrypt is an error returned by the KMS when the decryption
	// of a ciphertext failed.
	ErrDecrypt = Error{
		Code:    http.StatusBadRequest,
		APICode: "kms:InvalidCiphertextException",
		Err:     "failed to decrypt ciphertext",
	}

	// ErrNotSupported is an error returned by the KMS when the requested
	// functionality is not supported by the KMS service.
	ErrNotSupported = Error{
		Code:    http.StatusNotImplemented,

		KeyID:      req.Name,
		Version:    0,
		Plaintext:  []byte("stubplaincharswhichare32bytelong"),
		Ciphertext: []byte("stubplaincharswhichare32bytelong"),
	}, nil
}

// Decrypt is a non-functional stub.
func (s StubKMS) Decrypt(_ context.Context, req *DecryptRequest) ([]byte, error) {
	return req.Ciphertext, nil
}

// MAC is a non-functional stub.

* Caddy (that can also handle certificate renewals)
* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

But then **[Let's Encrypt](https://letsencrypt.org/)** was created.

 * under the License.
 */
package org.apache.maven.settings.crypto;

/**
 * Decrypts passwords in the settings.
 *
 * @deprecated since 4.0.0
 */
@Deprecated(since = "4.0.0")
public interface SettingsDecrypter {

    /**
     * Decrypts passwords in the settings.
     *
     * @param request The settings decryption request that holds the parameters, must not be {@code null}.

	)

	ErrInvalidConfigDecryptionKey = newErrFn(
		"Incorrect encryption key to decrypt internal data",
		"Please set the correct default KMS key value or the correct root credentials for older MinIO versions.",
		`Revert MINIO_KMS_KES_KEY_NAME or MINIO_ROOT_USER/MINIO_ROOT_PASSWORD (for older MinIO versions) to be able to decrypt the internal data again.`,
	)

	ErrInvalidCredentials = newErrFn(
		"Invalid credentials",

                "Should throw IllegalArgumentException for null message");
    }

    @Test
    @DisplayName("Should successfully encrypt and decrypt with refactored methods")
    void testRefactoredEncryptionDecryption() throws Exception {
        // Given - Use same key for both encryption and decryption in test

	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"       // Path to file/directory containing CA certificates to verify the KES server certificate
	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
)

// Environment variables for static KMS key.
const (