.thenThrow(new GeneralSecurityException("Decryption error"));

            PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));
            assertTrue(e.getMessage().startsWith("Decryption failed"));
        }
    }

    @Test

        // Then
        assertNotNull(decKey, "Decryption key should not be null");
        assertEquals(16, decKey.length, "Decryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, decKey), "Decryption key should be different from session key");
    }

    @Test
    @DisplayName("Should derive decryption key for SMB 3.1.1 dialect")
    void testDeriveDecryptionKey_SMB311() {

import org.codelibs.core.exception.UnsupportedEncodingRuntimeException;
import org.codelibs.core.misc.Base64Util;

/**
 * A high-performance utility class for encrypting and decrypting data using cached {@link Cipher} instances.
 * <p>
 * This class provides efficient encryption/decryption by pooling and reusing cipher instances,
 * reducing the overhead of repeated cipher initialization. It supports both string-based keys

                // Log but don't fail - concurrent encryption/decryption with same context is complex
                System.out.println("Sample decryption failed (acceptable for concurrent test): " + e.getMessage());
            }
        }

        // Cleanup
        context.close();
    }

    @Test
    @DisplayName("Should handle AES-CCM encryption correctly")
    void testAESCCMEncryption() throws Exception {

import jcifs.CIFSException;
import jcifs.DialectVersion;
import jcifs.internal.smb2.nego.EncryptionNegotiateContext;
import jcifs.util.SecureKeyManager;

/**
 * SMB2/SMB3 Encryption Context
 *
 * Manages encryption and decryption operations for SMB2/SMB3 sessions.
 * Handles both AES-CCM (SMB 3.0/3.0.2) and AES-GCM (SMB 3.1.1) cipher suites.
 *
 * @author mbechler
 */

## Acronyms

- **AEAD**: Authenticated Encryption with Associated Data
- **CSPRNG**: Cryptographically Secure Pseudo Random Number Generator
- **EK**: External Key
- **IV**: Initialization Vector
- **KEK**: Key Encryption Key
- **OEK**: Object Encryption Key
- **PRF**: Pseudo Random Function
- **SSE**: Server-Side Encryption
- **SSE-C**: Server-Side Encryption with client-provided Keys

    /**
     * Decrypts Kerberos encrypted data using the specified key.
     *
     * @param data the encrypted data to decrypt
     * @param key the decryption key
     * @param type the encryption type
     * @return the decrypted data
     * @throws GeneralSecurityException if decryption fails
     */
    public static byte[] decrypt(byte[] data, Key key, int type) throws GeneralSecurityException {
        Cipher cipher = null;

// objects are slightly larger due to encryption overhead.
// Further, it decrypts all single-part SSE-S3 encrypted objects
// and formats ETags of SSE-C / SSE-KMS encrypted objects to
// be AWS S3 compliant.
//
// DecryptETags uses a KMS bulk decryption API, if available, which
// is more efficient than decrypting ETags sequentially.

			t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
		} else if _, enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
			t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)
		} else if !encrypted && enc != encrypted {
			t.Errorf("Test %d: Decryption thinks object is not encrypted but it is", i)
		}
	}
}

	// the ciphertext.
	Name string

	// Version is the version of the master used for
	// decryption. If empty, the latest key version
	// is used.
	Version int

	// Ciphertext is the encrypted data that gets
	// decrypted.
	Ciphertext []byte

	// AssociatedData is the crypto. associated data.
	// It must match the data used during encryption
	// or data key generation.
	AssociatedData Context
}