00:09:42.389168293Z�#x-minio-internal-replication-status�^arn:minio:replication::36280125-1e9d-414e-bff5-8c88a1b5352e:disney-prod-vod-repository=FAILED;�5X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id�minio_encrypt_key�$X-Minio-Internal-Encrypted-Multipart��9X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key��eyJhZWFkIjoiQUVTLTI1Ni1HQ00tSE1BQy1TSEEtMjU2IiwiaXYiOiJnaW1kZjNoVG02VFFhSVZsTmtQQi9nPT0iLCJub25jZSI6IkxQMWVyNTNBU2xkbmJJNGwiLCJieXRlcyI6Ikw3anIyNW1QOVhhbXcvRDY4U1o5YXp5Ull5U...

 */

package jcifs.smb;

import java.security.GeneralSecurityException;
import java.util.Arrays;

import jcifs.CIFSContext;

/**
 * This class stores and encrypts NTLM user credentials. The default
 * credentials are retrieved from the {@code jcifs.smb.client.domain},
 * {@code jcifs.smb.client.username}, and {@code jcifs.smb.client.password}
 * properties.
 * <p>

// access to the ETag computed by a low-level io.Reader:
//
//	content := etag.NewReader(r.Body, nil)
//
//	compressedContent := Compress(content)
//	encryptedContent := Encrypt(compressedContent)
//
//	// Now, we need an io.Reader that can access
//	// the ETag computed over the content.
//	reader := etag.Wrap(encryptedContent, content)
func Wrap(wrapped, content io.Reader) io.Reader {

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

It is not encrypted, so, anyone could recover the information from the contents.

But it's signed. So, when you receive a token that you emitted, you can verify that you actually emitted it.

## **2. Prerequisites**

     */
    public void setWorkstation(final String workstation) {
        this.workstation = workstation;
    }

    /**
     * The real session key if the regular session key is actually
     * the encrypted version used for key exchange.
     *
     * @return A <code>byte[]</code> containing the session key.
     */
    public byte[] getMasterKey() {
        return masterKey;
    }

    /**

 *  * BER: Basic Encoding Rules.
 *
 * This class was implemented according to the [X.690 spec][[x690]], and under the advice of
 * [Lets Encrypt's ASN.1 and DER][asn1_and_der] guide.
 *
 * [x690]: https://www.itu.int/rec/T-REC-X.690
 * [asn1_and_der]: https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/
 */
internal class DerReader(
  source: Source,

	sseS3 := crypto.S3.IsEncrypted(objInfo.UserDefined)
	if !sseKMS && !sseS3 { // neither sse-s3 nor sse-kms disallowed
		return errInvalidEncryptionParameters
	}
	if sseKMS && r.Encryption.Type == sses3 { // previously encrypted with sse-kms, now sse-s3 disallowed
		return errInvalidEncryptionParameters
	}
	versioned := globalBucketVersioningSys.PrefixEnabled(srcBucket, srcObject)

		UserDefined:                srcInfo.UserDefined,
		Versioned:                  dstOpts.Versioned,
		VersionID:                  dstOpts.VersionID,
		MTime:                      dstOpts.MTime,
		EncryptFn:                  dstOpts.EncryptFn,
		WantChecksum:               dstOpts.WantChecksum,
		WantServerSideChecksumType: dstOpts.WantServerSideChecksumType,
	}

// storage specified by the transition ARN, the metadata is left behind on source cluster and original content
// is moved to the transition tier. Note that in the case of encrypted objects, entire encrypted stream is moved
// to the transition tier without decrypting or re-encrypting.
func transitionObject(ctx context.Context, objectAPI ObjectLayer, oi ObjectInfo, lae lcAuditEvent) (err error) {