t.Fatalf("Test %d: ciphertext mismatch: got %x - want %x", i, key.Ciphertext, test.Key.Ciphertext)
		}
	}
}

func mustDecodeB64(s string) []byte {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b

	// as Base64 encoding of a value is not unique:
	// For example "aGVsbG8=" and "aGVsbG8=\r" will result in the same byte slice.
	signature1, err := base64.StdEncoding.DecodeString(sig1)
	if err != nil {
		return false
	}
	signature2, err := base64.StdEncoding.DecodeString(sig2)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(signature1, signature2) == 1
}

// Return canonical headers.

	}

	if item.Versioning != nil {
		configData, err := base64.StdEncoding.DecodeString(*item.Versioning)
		if err != nil {
			return wrapSRErr(err)
		}
		meta.VersioningConfigXML = configData
		meta.VersioningConfigUpdatedAt = item.UpdatedAt
	}

	if item.Tags != nil {
		configData, err := base64.StdEncoding.DecodeString(*item.Tags)
		if err != nil {
			return wrapSRErr(err)
		}

}

func TestIsETagSealed(t *testing.T) {
	for i, test := range isETagSealedTests {
		etag, err := hex.DecodeString(test.ETag)
		if err != nil {
			t.Errorf("Test %d: failed to decode etag: %s", i, err)
		}
		if sealed := IsETagSealed(etag); sealed != test.IsSealed {

	}

	// Success.
	return totalWritten, nil
}

// returns deploymentID from uploadID
func getDeplIDFromUpload(uploadID string) (string, error) {
	uploadBytes, err := base64.RawURLEncoding.DecodeString(uploadID)
	if err != nil {
		return "", fmt.Errorf("error parsing uploadID %s (%w)", uploadID, err)
	}
	slc := strings.SplitN(string(uploadBytes), ".", 2)
	if len(slc) != 2 {

		}
	}()

	fields := strings.Fields(data)
	if len(fields) != 2 {
		err = fmt.Errorf("Unknown release data `%s`", data)
		return sha256Sum, releaseTime, releaseInfo, err
	}

	sha256Sum, err = hex.DecodeString(fields[0])
	if err != nil {
		return sha256Sum, releaseTime, releaseInfo, err
	}

	releaseInfo = fields[1]

	releaseTime, err = releaseInfoToReleaseTime(releaseInfo)

		HighwayHash256S: "39c0407ed3f01b18d22c85db4aeff11e060ca5f43131b0126731ca197cd42313",
	}
	for algorithm := range bitrotAlgorithms {
		if !algorithm.Available() {
			continue
		}

		checksum, err := hex.DecodeString(checksums[algorithm])
		if err != nil {
			logger.Fatal(errSelfTestFailure, fmt.Sprintf("bitrot: failed to decode %v checksum %s for selftest: %v", algorithm, checksums[algorithm], err))
		}
		var (

func Parse(s string) (KMS, error) {
	v := strings.SplitN(s, ":", 2)
	if len(v) != 2 {
		return nil, errors.New("kms: invalid master key format")
	}

	keyID, b64Key := v[0], v[1]
	key, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil {
		return nil, err
	}
	return New(keyID, key)
}

// New returns a single-key KMS that derives new DEKs from the
// given key.
func New(keyID string, key []byte) (KMS, error) {

			return "", errObjectTampered
		}
		if _, err := hex.DecodeString(object.ETag[:32]); err != nil {
			return "", errObjectTampered
		}
		if _, err := strconv.ParseInt(object.ETag[i+1:], 10, 32); err != nil {
			return "", errObjectTampered
		}
		return object.ETag, nil
	}

	etag, err := hex.DecodeString(object.ETag)
	if err != nil {
		return "", err
	}

	pt, ptok := jwtClaims.Lookup(iamPolicyClaimNameSA())
	sp, spok := jwtClaims.Lookup(policy.SessionPolicyName)
	if ptok && spok && pt == embeddedPolicyType {
		policyBytes, err := base64.StdEncoding.DecodeString(sp)
		if err != nil {
			return UserIdentity{}, nil, err
		}
		embeddedPolicy, err = policy.ParseConfig(bytes.NewReader(policyBytes))
		if err != nil {
			return UserIdentity{}, nil, err
		}
	}