// Produce cipher text
int outputOffset = gcm.processBytes(cek.getEncoded(), 0, cek.getEncoded().length, output, 0);
// Produce authentication tag
try {
outputOffset += gcm.doFinal(output, outputOffset);
} catch (InvalidCipherTextException e) {
throw new JOSEException("Couldn't generate GCM authentication tag for key: " + e.getMessage(), e);
}