.thenThrow(new GeneralSecurityException("Decryption error"));

            PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));
            assertTrue(e.getMessage().startsWith("Decryption failed"));
        }
    }

    @Test

        // Then
        assertNotNull(decKey, "Decryption key should not be null");
        assertEquals(16, decKey.length, "Decryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, decKey), "Decryption key should be different from session key");
    }

    @Test
    @DisplayName("Should derive different decryption keys for different dialects")

     */
    protected void offerEncryptoCipher(final Cipher cipher) {
        encryptoQueue.offer(cipher);
    }

    /**
     * Polls a decryption cipher from the queue, creating a new one if none are available.
     *
     * @return a decryption cipher
     */
    protected Cipher pollDecryptoCipher() {
        Cipher cipher = decryptoQueue.poll();
        if (cipher == null) {
            try {

@Deprecated(since = "4.0.0")
public interface SettingsDecrypter {

    /**
     * Decrypts passwords in the settings.
     *
     * @param request The settings decryption request that holds the parameters, must not be {@code null}.
     * @return The result of the settings decryption, never {@code null}.
     */
    SettingsDecryptionResult decrypt(SettingsDecryptionRequest request);

    }

    @Test
    @DisplayName("Should throw exception for null decryption key")
    void testNullDecryptionKey() {
        // When/Then
        assertThrows(NullPointerException.class, () -> {
            new Smb2EncryptionContext(1, DialectVersion.SMB311, testEncryptionKey, null);
        }, "Should throw NullPointerException for null decryption key");
    }

    @Test

        this(token, null);
    }

    /**
     * Constructs a KerberosToken from token bytes with decryption keys.
     *
     * @param token the token bytes
     * @param keys array of Kerberos keys for decryption
     * @throws PACDecodingException if token decoding fails
     */
    public KerberosToken(byte[] token, KerberosKey[] keys) throws PACDecodingException {

    private byte apOptions;
    private KerberosTicket ticket;

    /**
     * Creates a Kerberos AP request from a token.
     *
     * @param token the Kerberos AP-REQ token
     * @param keys the Kerberos keys for decryption
     * @throws PACDecodingException if the token cannot be decoded
     */
    public KerberosApRequest(byte[] token, KerberosKey[] keys) throws PACDecodingException {
        this(parseSequence(token), keys);
    }

				fmt.Println("Added private key from", fn)
			} else {
				break
			}
			n++
		}

		// Prompt for decryption key if no --key or --private-key are provided
		if len(privateKeys) == 0 && !*stdin {
			reader := bufio.NewReader(os.Stdin)
			fmt.Print("Enter Decryption Key: ")

			text, _ := reader.ReadString('\n')
			// convert CRLF to LF
			*keyHex = strings.ReplaceAll(text, "\n", "")

        // It mainly tests the decryption logic path
        Key key = new KerberosKey(null, new byte[16], KerberosConstants.RC4_ENC_TYPE, 0);
        byte[] data = new byte[32]; // Dummy data
        // The test will likely fail with "Checksum failed" as the data is not properly encrypted
        // but it proves the decryption path is taken.

    /**
     * Constructs a KerberosTicket from token bytes.
     *
     * @param token the ticket token bytes
     * @param apOptions AP options flags
     * @param keys array of Kerberos keys for decryption
     * @throws PACDecodingException if ticket decoding fails
     */
    public KerberosTicket(byte[] token, byte apOptions, KerberosKey[] keys) throws PACDecodingException {
        if (token.length <= 0) {