keys.put(PacSignature.ETYPE_ARCFOUR_HMAC, hmacKey);
        keys.put(PacSignature.ETYPE_AES128_CTS_HMAC_SHA1_96, aes128Key);
        keys.put(PacSignature.ETYPE_AES256_CTS_HMAC_SHA1_96, aes256Key);

        // Test HMAC-MD5
        byte[] mac1 = PacMac.calculateMac(PacSignature.KERB_CHECKSUM_HMAC_MD5, keys, TEST_DATA);
        assertNotNull(mac1);
        assertEquals(16, mac1.length);

        // Test AES128

   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * MD5 (128 hash bits) hash function and the given secret key.
   *
   * <p>If you are designing a new system that needs HMAC, prefer {@link #hmacSha256} or other
   * future-proof algorithms <a
   * href="https://datatracker.ietf.org/doc/html/rfc6151#section-2.3">over {@code hmacMd5}</a>.
   *
   * @param key the secret key

            m = Mac.getInstance(this.algorithmName, this.provider);
        } else {
            m = Mac.getInstance(this.algorithmName);
        }
        m.init(new SecretKeySpec(this.signingKey, "HMAC"));
        return m;
    }

    /**
     * {@inheritDoc}
     *
     * @see jcifs.internal.SMBSigningDigest#sign(byte[], int, int, jcifs.internal.CommonServerMessageBlock,

}

// MAC generates the checksum of the given req.Message using the key
// with the req.Name at the KMS.
func (c *kesConn) MAC(ctx context.Context, req *MACRequest) ([]byte, error) {
	mac, err := c.client.HMAC(context.Background(), req.Name, req.Message)
	if err != nil {
		if errors.Is(err, kes.ErrKeyNotFound) {
			return nil, ErrKeyNotFound
		}
		if errors.Is(err, kes.ErrNotAllowed) {
			return nil, ErrPermission
		}

func (r *Config) PopulatePublicKey(arn arn.ARN) error {
	pCfg := r.arnProviderCfgsMap[arn]
	if pCfg.JWKS.URL == nil || pCfg.JWKS.URL.String() == "" {
		return nil
	}

	// Add client secret for the client ID for HMAC based signature.
	r.pubKeys.add(pCfg.ClientID, []byte(pCfg.ClientSecret))

	client := &http.Client{
		Transport: r.transport,
	}

	resp, err := client.Get(pCfg.JWKS.URL.String())
	if err != nil {
		return err

    private static final String USER_PRINCIPAL_NAME = "******@****.***";
    private static final String USER_REALM = "EXAMPLE.COM";
    private static final int ENCRYPTION_TYPE = 23; // aes128-cts-hmac-sha1-96
    private static final byte[] ENCRYPTED_DATA = "encrypted-data".getBytes();

    @BeforeEach
    void setUp() {
        keys = new KerberosKey[] { kerberosKey };
    }

    /**

	fmt.Println(presignedURL)
}
```

Use the Presigned URL via `curl` to receive the transformed object.
```
curl -v $(go run presigned.go)
...
...

		Size:   595160760,
		UserDefined: map[string]string{
			crypto.MetaMultipart:                   "",
			crypto.MetaIV:                          "HTexa=",
			crypto.MetaAlgorithm:                   "DAREv2-HMAC-SHA256",
			crypto.MetaSealedKeySSEC:               "IAA8PGAA==",
			ReservedMetadataPrefix + "actual-size": "594870264",
			"content-type":                         "application/octet-stream",

�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�`�&�m�Size�
6m:M�MTime�|>���e��MetaSys��6X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm�DAREv2-HMAC-SHA256�&x-minio-internal-replication-timestamp�2023-08-18T00:09:42.389168293Z�#x-minio-internal-replication-status�^arn:minio:replication::36280125-1e9d-414e-bff5-8c88a1b5352e:disney-prod-vod-repository=FAILED;�5X-Minio-Internal-Server-Side-Encry...

- [PRF](#prf): HMAC-SHA-256
- [AEAD](#aead): AES-256-GCM if the CPU supports AES-NI, ChaCha20-Poly1305 otherwise. More specifically AES-256-GCM is only selected for X86-64 CPUs with AES-NI extension.