I have heard a couple of comments regarding the bytes field in the decryption envelope, that it is not completely clear in the published standard. Here is an unofficial clarification from one implementation team that completed successful interoperability testing:
The “bytes” field in the decryption record is the number of bytes before base64 encoding—it’s the length of the initialization vector plus the length of the encrypted text. It’s not an essential field—it conveys no information that the base64 encoding doesn’t, and could be a candidate to deprecate. It’s also impossible to compute if you’re doing on-the-fly encryption and don’t know the length of your encrypted text until you’re done.