// the ETag unmodified.
func Decrypt(key []byte, etag ETag) (ETag, error) {
	const HMACContext = "SSE-etag"

	if !etag.IsEncrypted() {
		return etag, nil
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(HMACContext))
	decryptionKey := mac.Sum(nil)

	plaintext := make([]byte, 0, 16)
	etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{
		Key:          decryptionKey,
		CipherSuites: fips.DARECiphers(),

            signingKey = Smb3KeyDerivation.deriveSigningKey(dialect, sessionKey, preauthIntegrityHash);
            m = Mac.getInstance("AESCMAC", Crypto.getProvider());
            break;
        default:
            throw new IllegalArgumentException("Unknown dialect");
        }

        m.init(new SecretKeySpec(signingKey, "HMAC"));
        this.digest = m;
    }


    /**
     * {@inheritDoc}
     *

	var partIDbin [4]byte
	binary.LittleEndian.PutUint32(partIDbin[:], uint32(partID)) // marshal part ID

	mac := hmac.New(sha256.New, d.objectEncryptionKey) // derive part encryption key from part ID and object key
	mac.Write(partIDbin[:])
	partEncryptionKey := mac.Sum(nil)

	// Limit the reader, so the decryptor doesn't receive bytes
	// from the next part (different DARE stream)

          && !method.getName().equals("concatenating") // don't test Hashing.concatenating()
          && !method.getName().equals("goodFastHash") // tested in testGoodFastHashEquals
          && !method.getName().startsWith("hmac")) { // skip hmac functions
        Object[] params1 = new Object[method.getParameterTypes().length];
        Object[] params2 = new Object[method.getParameterTypes().length];
        for (int i = 0; i < params1.length; i++) {

// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package cmd

import (
	"archive/zip"
	"bufio"
	"bytes"
	"context"
	"crypto/ecdsa"
	"crypto/hmac"
	crand "crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"encoding/xml"
	"errors"
	"flag"
	"fmt"

			return nil, ErrPermission
		}
		return nil, errDecryptionFailed(err)
	}
	return plaintext, nil
}

// MAC generates the checksum of the given req.Message using the key
// with the req.Name at the KMS.
func (c *kesConn) MAC(ctx context.Context, req *MACRequest) ([]byte, error) {
	mac, err := c.client.HMAC(context.Background(), req.Name, req.Message)
	if err != nil {
		if errors.Is(err, kes.ErrKeyNotFound) {

  }

  /**
   * Returns a hash function implementing the Message Authentication Code (MAC) algorithm, using the
   * MD5 (128 hash bits) hash function and the given secret key.
   *
   * <p>If you are designing a new system that needs HMAC, prefer {@link #hmacSha256} or other
   * future-proof algorithms <a

	fmt.Println(presignedURL)
}
```

Use the Presigned URL via `curl` to receive the transformed object.
```
curl -v $(go run presigned.go)
...
...

func (r *Config) PopulatePublicKey(arn arn.ARN) error {
	pCfg := r.arnProviderCfgsMap[arn]
	if pCfg.JWKS.URL == nil || pCfg.JWKS.URL.String() == "" {
		return nil
	}

	// Add client secret for the client ID for HMAC based signature.
	r.pubKeys.add(pCfg.ClientID, []byte(pCfg.ClientSecret))

	client := &http.Client{
		Transport: r.transport,
	}

	resp, err := client.Get(pCfg.JWKS.URL.String())
	if err != nil {
		return err

		}
		if iv, ok := test.metadata[crypto.MetaIV]; !ok {
			t.Errorf("Test %d: crypto.SSEIV must be part of metadata: %v", i, iv)
		}
		if mac, ok := test.metadata[crypto.MetaSealedKeySSEC]; !ok {
			t.Errorf("Test %d: ServerSideEncryptionKeyMAC must be part of metadata: %v", i, mac)
		}
	}
}

var decryptObjectMetaTests = []struct {
	info    ObjectInfo
	request *http.Request
	expErr  error
}{
	{