*/
    protected void offerEncryptoCipher(final Cipher cipher) {
        encryptoQueue.offer(cipher);
    }

    /**
     * Polls a decryption cipher from the queue, creating a new one if none are available.
     *
     * @return a decryption cipher
     */
    protected Cipher pollDecryptoCipher() {
        Cipher cipher = decryptoQueue.poll();
        if (cipher == null) {
            try {

          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext
          message.startsWith("System property ") -> Type.Setup
          message.startsWith("Reload ") -> Type.Setup
          message == "No session to resume." -> Type.Handshake

        assertEquals(invertibleCryptographer, provider.providePrimaryInvertibleCryptographer());
        assertEquals(md5, provider.providePrimaryOneWayCryptographer());
    }

    // Test encryption and decryption functionality
    @Test
    public void test_invertibleCryptography() {
        // Test that invertible cryptography works correctly

          // Produced ClientHello handshake message
          //
          // Raw write
          // Raw read
          // Plaintext before ENCRYPTION
          // Plaintext after DECRYPTION
          val message = record.message
          val parameters = record.parameters

          if (parameters != null && !message.startsWith("Raw") && !message.startsWith("Plaintext")) {
            if (verbose) {

    /**
     * The key for user roles in the request attribute.
     */
    protected static final String USER_ROLES = "userRoles";

    /**
     * The cached cipher for encryption and decryption.
     */
    protected CachedCipher cipher;

    /**
     * The separator for values in the role string.
     */
    protected String valueSeparator = "\n";

    /**

## Changelog since v1.32.3

## Changes by Kind

### Bug or Regression

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131159](https://github.com/kubernetes/kubernetes/pull/131159), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]

R13, ZR CSELW NE, R14, R13, R13 // Fake modulo SUBS $1, R8 VMOV V2.S[0], R0 EORW R0, R4 EORW R4, R5 EORW R5, R6 EORW R6, R7 STPW.P (R4, R5), 8(R10) STPW.P (R6, R7), 8(R10) BNE ks128Loop CBZ R11, ksDone // If dec is nil we are done SUB $176, R10 // Decryption keys are encryption keys with InverseMixColumns applied VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] VMOV V0.B16, V7.B16 AESIMC V1.B16, V6.B16 AESIMC V2.B16, V5.B16 AESIMC V3.B16, V4.B16 VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] AESIMC...

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131020](https://github.com/kubernetes/kubernetes/pull/131020), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]

## Changelog since v1.31.7

## Changes by Kind

### Bug or Regression

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131160](https://github.com/kubernetes/kubernetes/pull/131160), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]