opentdf · dmihalcik-virtru · Feb 17, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
@@ -40,18 +40,28 @@ if [ "$1" == "supports" ]; then
       exit 0
       ;;
     assertions)
+      set -o pipefail
       java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-assertions
       exit $?
       ;;
     assertion_verification)
+      set -o pipefail
       java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep with-assertion-verification-keys
       exit $?
       ;;
     kasallowlist)
+      set -o pipefail
       java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep kas-allowlist
       exit $?
       ;;
+    key_management)
+      # Advanced key management from SDK version >= 0.10.0
+      set -o pipefail
+      java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 >= 10)) exit 0; else exit 1; }'
+      exit $?
+      ;;
     ecwrap)
+      set -o pipefail
       if java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep encap-key; then
         # versions 0.7.6 and earlier used an older value for EC HKDF salt; check for 0.7.7 or later
         java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7) || ($1 == 0 && $2 == 7 && $3 >= 7)) exit 0; else exit 1; }'
@@ -69,6 +79,7 @@ if [ "$1" == "supports" ]; then
       ;;
 
     hexaflexible)
+      set -o pipefail
       java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-target-mode
       exit $?
       ;;

@@ -33,25 +33,30 @@ if [ "$1" == "supports" ]; then
   fi
   case "$2" in
     assertions)
+      set -o pipefail
       npx $CTL help | grep assertions
       exit $?
       ;;
     assertion_verification)
+      set -o pipefail
       npx $CTL help | grep assertionVerificationKeys
       exit $?
       ;;
     autoconfigure | ns_grants)
+      set -o pipefail
       npx $CTL help | grep autoconfigure
       exit $?
       ;;
     kasallowlist)
+      set -o pipefail
       npx $CTL help | grep 'from "/key-access-servers" endpoint'
       exit $?
       ;;
     ecwrap)
+      set -o pipefail
       if npx $CTL help | grep encapKeyType; then
         # Claims to support ecwrap, but maybe with old salt? Look up version
-        npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 2) exit 0; else exit 1; }'
+        npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 4)) exit 0; else exit 1; }'
         exit $?
       else
         echo "ecwrap not supported"
@@ -64,9 +69,16 @@ if [ "$1" == "supports" ]; then
       exit $?
       ;;
     hexaflexible)
+      set -o pipefail
       npx $CTL help | grep tdfSpecVersion
       exit $?
       ;;
+    key_management)
+      # Advanced key management from SDK version >= 0.8.0
+      set -o pipefail
+      npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7)) exit 0; else exit 1; }'
+      exit $?
+      ;;
     obligations)
       # Obligations support from SDK version >= 0.6.0
       set -o pipefail

@@ -31,6 +31,13 @@ def skip_dspx1153(encrypt_sdk: tdfs.SDK, decrypt_sdk: tdfs.SDK):
         pytest.skip("dspx1153 fails with this SDK version combination")
 
 
+def skip_dspx2457(encrypt_sdk: tdfs.SDK):
+    if encrypt_sdk.sdk == "java":
+        pytest.skip(
+            "DSPX-2457 Java SDK unable to handle KAS grants with different types"
+        )
+
+
 def assert_decrypt_fails_with_patterns(
     decrypt_sdk: tdfs.SDK,
     ct_file: Path,
@@ -71,6 +78,7 @@ def test_key_mapping_multiple_mechanisms(
     global counter
 
     tdfs.skip_if_unsupported(encrypt_sdk, "key_management")
+    skip_dspx2457(encrypt_sdk)
     skip_dspx1153(encrypt_sdk, decrypt_sdk)
     if not in_focus & {encrypt_sdk, decrypt_sdk}:
         pytest.skip("Not in focus")
@@ -815,6 +823,7 @@ def test_autoconfigure_key_management_two_kas_two_keys(
         pytest.skip("Not in focus")
     tdfs.skip_if_unsupported(encrypt_sdk, "key_management")
     tdfs.skip_if_unsupported(encrypt_sdk, "autoconfigure")
+    skip_dspx2457(encrypt_sdk)
     pfs = tdfs.PlatformFeatureSet()
     tdfs.skip_connectrpc_skew(encrypt_sdk, decrypt_sdk, pfs)
     tdfs.skip_hexless_skew(encrypt_sdk, decrypt_sdk)