EnvKMSEnclave    = "MINIO_KMS_ENCLAVE" // MinIO KMS enclave in which the key and identity exists
	EnvKMSDefaultKey = "MINIO_KMS_SSE_KEY" // Default key used for SSE-S3 or when no SSE-KMS key ID is specified
	EnvKMSAPIKey     = "MINIO_KMS_API_KEY" // Credential to access the MinIO KMS.
)

// Environment variables for MinIO KES.
const (

	meta, _, err := sys.GetConfig(GlobalContext, bucket)
	if err != nil {
		return nil, err
	}
	return meta.notificationConfig, nil
}

// GetSSEConfig returns configured SSE config
// The returned object may not be modified.
func (sys *BucketMetadataSys) GetSSEConfig(bucket string) (*bucketsse.BucketSSEConfig, time.Time, error) {
	meta, _, err := sys.GetConfig(GlobalContext, bucket)

	ObjectLockLegalHoldTimestamp = "objectlock-legalhold-timestamp"

	// ReplicationSsecChecksumHeader - the encrypted checksum of the SSE-C encrypted object.
	ReplicationSsecChecksumHeader = "X-Minio-Replication-Ssec-Crc"
)

// gets replication config associated to a given bucket name.

	ErrPolicyAlreadyAttached
	ErrPolicyNotAttached
	ErrExcessData
	ErrPolicyInvalidName
	ErrNoTokenRevokeType
	ErrAdminOpenIDNotEnabled
	ErrAdminNoSuchAccessKey
	// Add new error codes here.

	// SSE-S3/SSE-KMS related API errors
	ErrInvalidEncryptionMethod
	ErrInvalidEncryptionKeyID

	// Server-Side-Encryption (with Customer provided key) related API errors.
	ErrInsecureSSECustomerRequest
	ErrSSEMultipartEncrypted

	"strconv"
	"strings"
	"sync"
	"sync/atomic"
	"time"

	"github.com/google/uuid"
	"github.com/minio/madmin-go/v3"
	"github.com/minio/minio-go/v7/pkg/tags"
	"github.com/minio/minio/internal/amztime"
	sse "github.com/minio/minio/internal/bucket/encryption"
	"github.com/minio/minio/internal/bucket/lifecycle"
	"github.com/minio/minio/internal/event"
	xhttp "github.com/minio/minio/internal/http"

    The upcoming Android Studio runs in a JVM but has classes from Android and that confused OkHttp!

 *  Fix: Include the header `Accept: text/event-stream` for SSE calls. This header is not added if
    the request already contains an `Accept` header.

 *  Fix: Don't crash with a `NullPointerException` if a server sends a close while we're sending a

				}
				defer logger.AuditLog(r.Context(), w, r, mustGetClaimsFromToken(r))
				writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidBucketName), r.URL)
				return
			}
		}
		// Deny SSE-C requests if not made over TLS
		if !globalIsTLS && (crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header)) {
			if r.Method == http.MethodHead {
				if ok {
					tc.FuncName = "handler.ValidRequest"

    for DNS offers better security and potentially better performance. This feature is a preview:
    the API is subject to change.
 *  New: `okhttp-sse` is an early preview of Server-Sent Events (SSE). This feature is incomplete
    and is only suitable for experimental use.
 *  New: MockWebServer now supports client authentication (mutual TLS). Call `requestClientAuth()`

		}
		// Make sure to return object info to provide extra information.
		return &GetObjectReader{
			ObjInfo: objInfo,
		}, toObjectErr(errMethodNotAllowed, bucket, object)
	}

	// Set NoDecryption for SSE-C objects and if replication request
	if crypto.SSEC.IsEncrypted(objInfo.UserDefined) && opts.ReplicationRequest {
		opts.NoDecryption = true
	}

	if objInfo.Size == 0 {

		if err != nil {
			return wrapSRErr(err)
		}
		return nil
	}

	return nil
}

// PeerBucketSSEConfigHandler - copies/deletes SSE config to local cluster.
func (c *SiteReplicationSys) PeerBucketSSEConfigHandler(ctx context.Context, bucket string, sseConfig *string, updatedAt time.Time) error {
	// skip overwrite if local update is newer than peer update.