mockedEncData.when(() -> KerberosEncData.decrypt(ENCRYPTED_DATA, kerberosKey, ENCRYPTION_TYPE))
                    .thenThrow(new GeneralSecurityException("Decryption error"));

            PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));
            assertTrue(e.getMessage().startsWith("Decryption failed"));
        }
    }

    @Test

        assertTrue(encrypted.length >= 52, "Encrypted message should include transform header");

        // When - Decrypt
        byte[] decrypted = context.decryptMessage(encrypted);

        // Then - Verify decryption
        assertArrayEquals(plaintext, decrypted, "Decrypted message should match original plaintext");
    }

    @Test
    @DisplayName("Should handle concurrent encryption operations safely")

                trunc = this.sealServerHandle.doFinal(trunc);
                if (log.isDebugEnabled()) {
                    log.debug("Decrypted " + Hexdump.toHexString(trunc));
                }
            } catch (final GeneralSecurityException e) {
                throw new CIFSException("Failed to decrypt MIC", e);
            }
        }

        final int expectSeq = this.verifySequence.getAndIncrement();

        encrypt(clearText, 0, cipherText, 0);
    }

    /// Decrypt a block of bytes.
    /**
     * Decrypts an 8-byte block using DES
     * @param cipherText the 8-byte ciphertext block
     * @param clearText the output 8-byte plaintext block
     */
    public void decrypt(final byte[] cipherText, final byte[] clearText) {

        decrypt(cipherText, 0, clearText, 0);
    }

    /**

        // Decrypt
        char[] decrypted = storage.decryptCredentials(encrypted);
        assertNotNull(decrypted, "Decrypted data should not be null");
        assertArrayEquals(plaintext, decrypted, "Decrypted should match original");

        // Clean up sensitive data
        Arrays.fill(plaintext, '\0');
        Arrays.fill(decrypted, '\0');
    }

    @Test

            s[i] = s[j];
            s[j] = t;
        }

        i = j = 0;
    }

    /**
     * Encrypts or decrypts data using the RC4 stream cipher.
     * Since RC4 is a stream cipher, the same operation is used for both encryption and decryption.
     *
     * @param src the source data array
     * @param soff the offset in the source array
     * @param slen the length of data to process

 */
package jcifs.internal.smb2;

import java.nio.charset.StandardCharsets;

import org.bouncycastle.crypto.DerivationParameters;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.generators.KDFCounterBytesGenerator;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.params.KDFCounterParameters;

/**
 * SMB3 SP800-108 Counter Mode Key Derivation
 *
 * @author mbechler
 *

    void setUp() throws NoSuchAlgorithmException {
        // Mock Crypto.getMD5() to return our mockMd5 instance
        // This requires Mockito 3.4.0+ for MockedStatic
        // For simplicity, we'll assume Crypto.getMD5() is static and mock it.
        // If it's not static, we'd need to inject it or mock the class that provides it.
        try (MockedStatic<Crypto> mockedCrypto = mockStatic(Crypto.class)) {

        // Then
        assertNotNull(decKey, "Decryption key should not be null");
        assertEquals(16, decKey.length, "Decryption key should be 16 bytes");
        assertFalse(Arrays.equals(sessionKey, decKey), "Decryption key should be different from session key");
    }

    @Test
    @DisplayName("Should derive different decryption keys for different dialects")

    private byte apOptions;
    private KerberosTicket ticket;

    /**
     * Creates a Kerberos AP request from a token.
     *
     * @param token the Kerberos AP-REQ token
     * @param keys the Kerberos keys for decryption
     * @throws PACDecodingException if the token cannot be decoded
     */
    public KerberosApRequest(byte[] token, KerberosKey[] keys) throws PACDecodingException {
        this(parseSequence(token), keys);
    }