deleteUserCodeFromCookie(request);
        return userCode;
    }

    /**
     * Creates an encrypted user code from a user ID.
     * The user ID is encrypted using the primary cipher and validated against the configuration.
     *
     * @param userCode the raw user ID to encrypt
     * @return the encrypted and validated user code, or null if invalid
     */
    protected String createUserCodeFromUserId(String userCode) {

        byte[] encrypted = cipher.doFinal(plaintext);

        cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
        byte[] decrypted = cipher.doFinal(encrypted);

        // Then
        assertNotNull(encrypted);
        assertNotNull(decrypted);
        assertArrayEquals(plaintext, decrypted);
        assertNotEquals(new String(plaintext), new String(encrypted));
    }

        }
    }

    /**
     * Encrypt credentials to a base64 string for storage
     *
     * @param plaintext the credentials to encrypt
     * @return base64 encoded encrypted credentials
     * @throws GeneralSecurityException if encryption fails
     */
    public String encryptToString(char[] plaintext) throws GeneralSecurityException {
        byte[] encrypted = encryptCredentials(plaintext);

     * Parses the role set from a string.
     * @param value The string to parse.
     * @param encrypted Whether the string is encrypted.
     * @param roleSet The set of roles.
     */
    protected void parseRoleSet(final String value, final boolean encrypted, final Set<String> roleSet) {
        String rolesStr = value;
        if (encrypted && cipher != null) {
            try {
                rolesStr = cipher.decryptoText(rolesStr);

        String value;
        String result;

        // Test with already encrypted values (using valid hex)
        value = "password={cipher}5691346cc398a4450114883140fa84a7";
        result = ParameterUtil.encrypt(value);
        assertEquals("password={cipher}5691346cc398a4450114883140fa84a7", result);

        // Test with mixed encrypted and unencrypted

        ByteBuffer buffer = ByteBuffer.allocate(34);
        buffer.order(ByteOrder.LITTLE_ENDIAN);
        buffer.putShort((short) 0); // dialectIndex
        buffer.put((byte) 0x0F); // securityMode (user, encrypted, sigs enabled, sigs required)
        buffer.putShort((short) 50); // maxMpxCount
        buffer.putShort((short) 10); // maxNumberVcs
        buffer.putInt(8192); // maxBufferSize
        buffer.putInt(65536); // maxRawSize

/**
 * Represents encrypted Kerberos ticket data.
 */
public class KerberosEncData {

    private String userRealm;
    private String userPrincipalName;
    private ArrayList<InetAddress> userAddresses;
    private List<KerberosAuthData> userAuthorizations;

    /**
     * Constructs KerberosEncData from encrypted token bytes.
     *
     * @param token the encrypted Kerberos token

    val param: String?,
  ) {
    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted

        // Then
        assertEquals(52, headerSize); // SMB2 Transform Header is 52 bytes
    }

    // Note: SMB2 Transform Header doesn't have a protocol ID field
    // The protocol ID is part of the encrypted SMB2 message, not the transform header

    @Test
    @DisplayName("Should set and get signature")
    void testSignature() {
        // Given
        byte[] signature = new byte[16];

        byte[] decrypted = KerberosEncData.decrypt(data, key, KerberosConstants.DES_ENC_TYPE);
        assertNotNull(decrypted);
        // With dummy data, we can't verify the content, just that it decrypts without error
        // and returns a result of the expected size.
        assertEquals(data.length - 24, decrypted.length);
    }

    /**