// ErrInvalidEncryptionKeyID returns error when KMS key id contains invalid characters
	ErrInvalidEncryptionKeyID = Errorf("KMS KeyID contains unsupported characters")
)

var (
	errMissingInternalIV            = Errorf("The object metadata is missing the internal encryption IV")

		metadata = make(map[string]string)
	}

	etag := strings.TrimSpace(hdr.Get(xhttp.MinIOSourceETag))
	if crypto.S3KMS.IsRequested(hdr) {
		keyID, context, err := crypto.S3KMS.ParseHTTP(hdr)
		if err != nil {
			return ObjectOptions{}, err
		}
		sseKms, err := encrypt.NewSSEKMS(keyID, context)
		if err != nil {
			return ObjectOptions{}, err
		}
		op := ObjectOptions{
			ServerSideEncryption: sseKms,

		return
	}

	// Return error if KMS is not initialized
	if GlobalKMS == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
		return
	}
	kmsKey := encConfig.KeyID()
	if kmsKey != "" {
		kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
		_, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{Name: kmsKey, AssociatedData: kmsContext})

			return DEK{}, ErrKeyNotFound
		}
		if errors.Is(err, kms.ErrPermission) {
			return DEK{}, ErrPermission
		}
		return DEK{}, errKeyGenerationFailed(err)
	}

	return DEK{
		KeyID:      name,
		Version:    resp[0].Version,
		Plaintext:  resp[0].Plaintext,
		Ciphertext: resp[0].Ciphertext,
	}, nil
}

func (c *kmsConn) Decrypt(ctx context.Context, req *DecryptRequest) ([]byte, error) {

			// Return error if KMS is not initialized
			if GlobalKMS == nil {
				rpt.SetStatus(bucket, fileName, fmt.Errorf("%s", errorCodes[ErrKMSNotConfigured].Description))
				continue
			}
			kmsKey := encConfig.KeyID()
			if kmsKey != "" {
				_, err := GlobalKMS.GenerateKey(ctx, &kms.GenerateKeyRequest{
					Name:           kmsKey,

		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrInvalidEncryptionKeyID: {
		Code:           "InvalidRequest",
		Description:    "The specified KMS KeyID contains unsupported characters",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrInsecureSSECustomerRequest: {
		Code:           "InvalidRequest",

		// always set the SSE-KMS header. If no KMS key ID is
		// specified, MinIO is supposed to use whatever default
		// config applies on the site or bucket.
		var keyID string
		if kms.ReplicateKeyID() {
			keyID = objInfo.KMSKeyID()
		}

		sseEnc, err := encrypt.NewSSEKMS(keyID, nil)
		if err != nil {
			return putOpts, false, err
		}
		putOpts.ServerSideEncryption = sseEnc
	}
	return putOpts, isMP, err
}

- Hashing of KeyID in Logs
  

- Added apiserver_envelope_encryption_invalid_key_id_from_status_total to measure number of times an invalid keyID is returned by the Status RPC call. ([#115846](https://github.com/kubernetes/kubernetes/pull/115846), [@ritazh](https://github.com/ritazh)) [SIG API Machinery and Auth]

/**
 * This realizes the metadata source via the default hint to provide backward-compat with Maven 2.x whose Plexus version
 * registered component descriptors twice: once keyed by role+roleHint and once keyed by role only. This effectively
 * made the metadata source available with its original role hint ("maven") as well as the default hint.
 *
 */
@Named
@Singleton
@Deprecated