assertThrows(SmbException.class, () -> transport.isSigningEnforced());
        verify(transport).isSigningOptional();
        verify(transport).isSigningEnforced();
    }

    // Happy path and edge: server encryption key can be non-null, empty, or null
    @Test
    @DisplayName("getServerEncryptionKey returns expected bytes")
    void serverEncryptionKey_variants() {
        byte[] key = new byte[] { 1, 2, 3 };

    /** Whether SMB3 encryption is enabled */
    protected boolean encryptionEnabled = false;
    /** Whether SMB3 compression is enabled */
    protected boolean compressionEnabled = false;
    /** Preferred encryption ciphers in order of preference */
    protected String preferredCiphers = "AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM";
    /** Whether AES-256 encryption is enabled */

                && this.server.encryptionKeyLength != 8 && ctx.getConfig().getLanManCompatibility() == 0) {
            log.warn("Unexpected encryption key length: " + this.server.encryptionKeyLength);
            return false;
        }

        if (req.isSigningEnforced() || this.server.signaturesRequired

        SmbTransport.ServerData serverData = transport.new ServerData();
        serverData.security = 0; // Set to 0 or appropriate value for SECURITY_SHARE
        serverData.encryptionKey = new byte[8]; // Initialize with empty encryption key

        // Configure the mock transport with the server data
        transport.server = serverData;

        smbtStatic = mockStatic(SmbTransport.class);

        void testShareFlags() throws Exception {
            // Test encryption flag
            setPrivateField(response, "shareFlags", Smb2TreeConnectResponse.SMB2_SHAREFLAG_ENCRYPT_DATA);
            assertEquals(Smb2TreeConnectResponse.SMB2_SHAREFLAG_ENCRYPT_DATA, response.getShareFlags(), "Should handle encryption flag");

            // Test multiple flags

import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure key management for SMB encryption.
 * Provides centralized management of encryption keys with secure storage and cleanup.
 *
 * Features:
 * - Secure key storage with optional KeyStore integration
 * - Automatic key cleanup on close
 * - Thread-safe key management

     * Creates a byte array representing a Kerberos ticket for testing purposes.
     * @param version Kerberos version
     * @param realm Server realm
     * @param principalName Server principal name
     * @param encType Encryption type
     * @param encryptedData Encrypted data
     * @param unknownTag Optional unknown tag number to test error handling
     * @return A byte array representing the ticket
     * @throws IOException on encoding error

 *
 *  * **A validity interval.** A certificate should not be used before its validity interval starts
 *    or after it ends.
 *
 *  * **A public key.** This cryptographic key is used for asymmetric encryption digital signatures.
 *    Note that the private key is not a part of the certificate!
 *
 *  * **A signature issued by another certificate's private key.** This mechanism allows a trusted

     * @return the transport context used
     */
    public abstract CIFSContext getTransportContext();

    /**
     * Gets the session key from the underlying SMB session for encryption
     * @return session key of the underlying smb session
     * @throws CIFSException if unable to retrieve the session key
     */
    public abstract byte[] getSessionKey() throws CIFSException;

    @Override

        SmbTransportImpl acquired = transport.acquire();
        assertSame(transport, acquired);
        transport.close(); // release once
    }

    @Test
    @DisplayName("Server encryption key is returned for SMB1 negotiation only")
    void serverEncryptionKey() {
        // No negotiation yet -> null
        assertNull(transport.getServerEncryptionKey());

        // SMB1 negotiation with server data