Catch and rethrow the exception of session key not being base64 encoded.

Change-Id: I5fa0c25fe020e9612735e4ac5df2b85a2a5aab11

cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

@@ -518,7 +518,14 @@ private Expr compileCel(String expr) throws CelValidationException {
    * Encrypts the given bytes using a sessionKey using Tink Aead.
    */
   private byte[] encryptRestrictions(byte[] restriction, String sessionKey) throws GeneralSecurityException {
-    byte[] rawKey = Base64.getDecoder().decode(sessionKey);
+    byte[] rawKey;
+
+    try {
+      rawKey = Base64.getDecoder().decode(sessionKey);
+    } catch (IllegalArgumentException e) {
+      // Session key from the server is expected to be Base64 encoded
+      throw new IllegalStateException("Session key is not Base64 encoded", e);
+    }
 
     KeysetHandle keysetHandle = TinkProtoKeysetFormat.parseKeyset(
         rawKey, InsecureSecretKeyAccess.get());

cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java

@@ -36,7 +36,6 @@
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
-import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -876,7 +875,7 @@ public void generateToken_withSessionKeyNotBase64Encoded_failure() throws Except
                     .build())
             .build();
 
-    assertThrows(IllegalArgumentException.class,
+    assertThrows(IllegalStateException.class,
                  () -> { factory.generateToken(accessBoundary); });
   }