.thenThrow(new GeneralSecurityException("Decryption error"));

            PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));
            assertTrue(e.getMessage().startsWith("Decryption failed"));
        }
    }

    @Test

        // Then
        assertNotNull(decKey, "Decryption key should not be null");
        assertEquals(16, decKey.length, "Decryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, decKey), "Decryption key should be different from session key");
    }

    @Test
    @DisplayName("Should derive different decryption keys for different dialects")

     */
    protected void offerEncryptoCipher(final Cipher cipher) {
        encryptoQueue.offer(cipher);
    }

    /**
     * Polls a decryption cipher from the queue, creating a new one if none are available.
     *
     * @return a decryption cipher
     */
    protected Cipher pollDecryptoCipher() {
        Cipher cipher = decryptoQueue.poll();
        if (cipher == null) {

import jcifs.CIFSException;
import jcifs.DialectVersion;
import jcifs.internal.smb2.nego.EncryptionNegotiateContext;
import jcifs.util.SecureKeyManager;

/**
 * SMB2/SMB3 Encryption Context
 *
 * Manages encryption and decryption operations for SMB2/SMB3 sessions.
 * Handles both AES-CCM (SMB 3.0/3.0.2) and AES-GCM (SMB 3.1.1) cipher suites.
 *
 * @author mbechler
 */
public class Smb2EncryptionContext implements AutoCloseable {

    }

    @Test
    @DisplayName("Should throw exception for null decryption key")
    void testNullDecryptionKey() {
        // When/Then
        assertThrows(NullPointerException.class, () -> {
            new Smb2EncryptionContext(1, DialectVersion.SMB311, testEncryptionKey, null);
        }, "Should throw NullPointerException for null decryption key");
    }

    @Test

			t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
		} else if _, enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
			t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)
		} else if !encrypted && enc != encrypted {
			t.Errorf("Test %d: Decryption thinks object is not encrypted but it is", i)
		}
	}
}

SSE-C allows an S3 client to en/decrypt an object at the MinIO server. Therefore the S3 client sends a secret key as part of the HTTP request. This secret key is **never** stored by the MinIO server and only resides in RAM during the en/decryption process.

    /**
     * Decrypts Kerberos encrypted data using the specified key.
     *
     * @param data the encrypted data to decrypt
     * @param key the decryption key
     * @param type the encryption type
     * @return the decrypted data
     * @throws GeneralSecurityException if decryption fails
     */
    public static byte[] decrypt(byte[] data, Key key, int type) throws GeneralSecurityException {
        Cipher cipher = null;

				}
			}
			objects = objects[N:]
			continue
		}

		// There is at least one SSE-S3 single-part object.
		// For all SSE-S3 single-part objects we have to
		// fetch their decryption keys. We do this using
		// a Bulk-Decryption API call, if available.
		keys, err := crypto.S3.UnsealObjectKeys(ctx, k, metadata, buckets, names)
		if err != nil {
			return err
		}

        assertEquals(invertibleCryptographer, provider.providePrimaryInvertibleCryptographer());
        assertEquals(md5, provider.providePrimaryOneWayCryptographer());
    }

    // Test encryption and decryption functionality
    public void test_invertibleCryptography() {
        // Test that invertible cryptography works correctly