val keyPair: KeyPair = heldCertificate.keyPair
    val certificatePem: String = heldCertificate.certificatePem()
    val privateKeyPkcs8Pem: String = heldCertificate.privateKeyPkcs8Pem()
    val privateKeyPkcs1Pem: String = heldCertificate.privateKeyPkcs1Pem()
  }

  @Test
  fun heldCertificateBuilder() {
    val keyPair: KeyPair = KeyPairGenerator.getInstance("").genKeyPair()

	ImportKey(ctx context.Context, keyID string, bytes []byte) error

	// EncryptKey Encrypts and authenticates a (small) plaintext with the cryptographic key
	// The plaintext must not exceed 1 MB
	EncryptKey(keyID string, plaintext []byte, context Context) ([]byte, error)

	// HMAC computes the HMAC of the given msg and key with the given
	// key ID.
	HMAC(ctx context.Context, keyID string, msg []byte) ([]byte, error)

}

func (kms secretKey) CreateKey(_ context.Context, keyID string) error {
	if keyID == kms.keyID {
		return nil
	}
	return Error{
		HTTPStatusCode: http.StatusNotImplemented,
		APICode:        "KMS.NotImplemented",
		Err:            fmt.Errorf("creating custom key %q is not supported", keyID),
	}
}

func (kms secretKey) GenerateKey(_ context.Context, keyID string, context Context) (DEK, error) {
	if keyID == "" {

		if err := json.Unmarshal(b, &ctx); err != nil {
			return "", nil, err
		}
	}

	keyID := h.Get(xhttp.AmzServerSideEncryptionKmsID)
	spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ")
	if spaces {
		return "", nil, ErrInvalidEncryptionKeyID
	}
	return strings.TrimPrefix(keyID, ARNPrefix), ctx, nil
}

// IsEncrypted returns true if the object metadata indicates

	}
	return err
}

func (ies *IAMEtcdStore) watch(ctx context.Context, keyPath string) <-chan iamWatchEvent {
	ch := make(chan iamWatchEvent)

	// go routine to read events from the etcd watch channel and send them
	// down `ch`
	go func() {
		for {
		outerLoop:
			watchCh := ies.client.Watch(ctx,
				keyPath, etcd.WithPrefix(), etcd.WithKeysOnly())

			for {
				select {
				case <-ctx.Done():

	return json.Marshal(JSON{
		KeyID:      d.KeyID,
		Ciphertext: d.Ciphertext,
	})
}

// UnmarshalText tries to decode text as JSON representation
// of a DEK and sets DEK's key ID and ciphertext to the
// decoded values.
//
// It sets DEK's plaintext to nil.
func (d *DEK) UnmarshalText(text []byte) error {
	type JSON struct {
		KeyID      string `json:"keyid"`
		Ciphertext []byte `json:"ciphertext"`
	}

        .commonName("pinned intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerSwitch =
      HeldCertificate.Builder()
        .serialNumber(5L)
        .keyPair(attackerIntermediate.keyPair) // share keys between compromised CA and leaf!
        .commonName("attacker")
        .addSubjectAlternativeName("attacker.com")
        .signedBy(pinnedIntermediate)
        .build()

	usersPrefix := strings.HasPrefix(event.keyPath, iamConfigUsersPrefix)
	groupsPrefix := strings.HasPrefix(event.keyPath, iamConfigGroupsPrefix)
	stsPrefix := strings.HasPrefix(event.keyPath, iamConfigSTSPrefix)
	svcPrefix := strings.HasPrefix(event.keyPath, iamConfigServiceAccountsPrefix)
	policyPrefix := strings.HasPrefix(event.keyPath, iamConfigPoliciesPrefix)

	SSEDAREPackageMetaSize = 32 // 32 bytes

)

// KMSKeyID returns in AWS compatible KMS KeyID() format.
func (o *ObjectInfo) KMSKeyID() string { return kmsKeyIDFromMetadata(o.UserDefined) }

// KMSKeyID returns in AWS compatible KMS KeyID() format.
func (o *MultipartInfo) KMSKeyID() string { return kmsKeyIDFromMetadata(o.UserDefined) }

		return
	}

	keyID := r.Form.Get("key-id")
	if keyID == "" {
		keyID = stat.DefaultKey
	}
	response := madmin.KMSKeyStatus{
		KeyID: keyID,
	}

	kmsContext := kms.Context{"MinIO admin API": "KMSKeyStatusHandler"} // Context for a test key operation
	// 1. Generate a new key using the KMS.
	key, err := GlobalKMS.GenerateKey(ctx, keyID, kmsContext)
	if err != nil {