Side-Encryption-S3-Kms-Sealed-Key":"IAAfAJjZ2dY7iCAom9rP/UK/5mmg/gpSloOs8Xjy5gYKtTDfL==","X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key":"IAAfAN+0R4CsC3ibYvamkvm9KIg+hidIQ==","X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm":"DAREv2-HMAC-SHA256","content-type":"text/plain"}},{"Bucket":"buck1","Name":"go_113/src/cmd/go/testdata/mod/rsc.io_breaker_v1.0.0.txt","UserDef":{"X-Minio-Internal-Server-Side-Encryption-Iv":"HaaoKKQdysUQRnLF1tKF+a0BiM=","X-Minio-Internal-Server-Side-Encryptio...

        }
    }

    // Integration test with actual MD5 to verify HMAC calculation logic
    @Test
    void testHMACT64WithActualMD5() throws NoSuchAlgorithmException {
        // This test uses a real MD5 instance to verify the HMAC calculation logic
        // HMACT64 is a modified HMAC-MD5 where the key is truncated at 64 bytes
        // instead of being hashed when it exceeds the block size.

	streamingContentSHA256        = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
	streamingContentSHA256Trailer = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"
	signV4ChunkedAlgorithm        = "AWS4-HMAC-SHA256-PAYLOAD"
	signV4ChunkedAlgorithmTrailer = "AWS4-HMAC-SHA256-TRAILER"
	streamingContentEncoding      = "aws-chunked"
	awsTrailerHeader              = "X-Amz-Trailer"

        HMACT64 hmac = new HMACT64(TEST_KEY);
        // MD5 digest length is 16 bytes
        assertEquals(16, hmac.engineGetDigestLength());
    }

    @Test
    void testEngineDigest() {
        // Test engineDigest()
        HMACT64 hmac = new HMACT64(TEST_KEY);
        hmac.engineUpdate(TEST_DATA, 0, TEST_DATA.length);
        byte[] result = hmac.engineDigest();

        assertNotNull(result);

 * supporting various checksum algorithms including HMAC-MD5 and HMAC-SHA1 with AES.
 */
public class PacSignature {

    /**
     * Kerberos checksum type for HMAC-MD5 (ARCFOUR-HMAC).
     */
    public static final int KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76;
    /**
     * Kerberos checksum type for HMAC-SHA1-96 with AES-128.
     */
    public static final int HMAC_SHA1_96_AES128 = 0x0000000F;

//     Input: ClientKey, bucket, object, metadata, object_data
//     -              IV := Random({0,1}²⁵⁶)
//     -       ObjectKey := SHA256(ClientKey || Random({0,1}²⁵⁶))
//     -       KeyEncKey := HMAC-SHA256(ClientKey, IV || 'SSE-C' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
//     -       SealedKey := DAREv2_Enc(KeyEncKey, ObjectKey)
//     - enc_object_data := DAREv2_Enc(ObjectKey, object_data)
//     -        metadata <- IV

	"github.com/minio/minio/internal/auth"
	"github.com/minio/minio/internal/hash/sha256"
	xhttp "github.com/minio/minio/internal/http"
)

// AWS Signature Version '4' constants.
const (
	signV4Algorithm = "AWS4-HMAC-SHA256"
	iso8601Format   = "20060102T150405Z"
	yyyymmdd        = "20060102"
)

type serviceType string

const (
	serviceS3  serviceType = "s3"
	serviceSTS serviceType = "sts"
)

		{
			policy:  `{"conditions":[["eq","$bucket","asdf"],["eq","$key","hello.txt"]],"conditions":[["eq","$success_action_status","201"],["eq","$Content-Type","plain/text"],["eq","$success_action_status","201"],["eq","$x-amz-algorithm","AWS4-HMAC-SHA256"],["eq","$x-amz-credential","Q3AM3UQ867SPQQA43P2F/20210315/us-east-1/s3/aws4_request"],["eq","$x-amz-date","20210315T091621Z"]]}`,
			success: false,
		},
		// invalid json.
		{

 * ARCFOUR-HMAC-MD5 and AES-based HMAC algorithms.
 */
public class PacMac {

    /**
     * Private constructor to prevent instantiation of utility class.
     */
    private PacMac() {
        // Utility class
    }

    /**
     *
     */
    private static final String HMAC_KEY = "HMAC";

This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed because they have 
reached the end of their useful life.

Valid values: 

```
hmac******@****.***
hmac******@****.***
hmac-sha2-256
hmac-sha2-512
hmac-sha1
hmac-sha1-96
```

### Certificate-based authentication