From 51cc8544132675b091f99811ef4b18f8959b4535 Mon Sep 17 00:00:00 2001
From: Elizabeth Healy <ehealy@virtru.com>
Date: Tue, 3 Mar 2026 11:17:31 -0500
Subject: [PATCH 1/3] support 4096

---
 .github/workflows/checks.yaml                          | 2 +-
 sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index dc1870bf..dd468850 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -246,7 +246,7 @@ jobs:
       packages: read
       checks: write
       pull-requests: write
-    uses: opentdf/tests/.github/workflows/xtest.yml@main
+    uses: opentdf/tests/.github/workflows/xtest.yml@dspx-2517-enable-rsa-extended-java
     with:
       focus-sdk: java
       java-ref: ${{ github.ref }} latest
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java b/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
index 373bf33e..06be4cf6 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
@@ -11,6 +11,7 @@
 
 public enum KeyType {
     RSA2048Key("rsa:2048"),
+    RSA4096Key("rsa:4096"),
     EC256Key("ec:secp256r1", SECP256R1),
     EC384Key("ec:secp384r1", SECP384R1),
     EC521Key("ec:secp521r1", SECP521R1);
@@ -56,6 +57,8 @@ public static KeyType fromAlgorithm(Algorithm algorithm) {
         switch (algorithm) {
             case ALGORITHM_RSA_2048:
                 return KeyType.RSA2048Key;
+            case ALGORITHM_RSA_4096:
+                return KeyType.RSA4096Key;
             case ALGORITHM_EC_P256:
                 return KeyType.EC256Key;
             case ALGORITHM_EC_P384:
@@ -74,6 +77,8 @@ public static KeyType fromPublicKeyAlgorithm(KasPublicKeyAlgEnum algorithm) {
         switch (algorithm) {
             case KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048:
                 return KeyType.RSA2048Key;
+            case KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096:
+                return KeyType.RSA4096Key;
             case KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1:
                 return KeyType.EC256Key;
             case KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1:

From 11b10cb37fdd9322e5d9ef48112d0245183caf1e Mon Sep 17 00:00:00 2001
From: Elizabeth Healy <ehealy@virtru.com>
Date: Tue, 3 Mar 2026 12:27:28 -0500
Subject: [PATCH 2/3] bump version for testing, try adding key id to request

---
 .../src/main/java/io/opentdf/platform/Command.java  |  2 +-
 .../main/java/io/opentdf/platform/sdk/Planner.java  |  1 +
 .../main/java/io/opentdf/platform/sdk/Version.java  | 13 +++++++------
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/cmdline/src/main/java/io/opentdf/platform/Command.java b/cmdline/src/main/java/io/opentdf/platform/Command.java
index 48f943ed..7beb56f3 100644
--- a/cmdline/src/main/java/io/opentdf/platform/Command.java
+++ b/cmdline/src/main/java/io/opentdf/platform/Command.java
@@ -53,7 +53,7 @@
  */
 class Versions {
     // Version of the SDK, managed by release-please.
-    public static final String SDK = "0.12.0"; // x-release-please-version
+    public static final String SDK = "0.13.0"; // x-release-please-version
 
     // This sdk aims to support this version of the TDF spec; currently 4.3.0.
     public static final String TDF_SPEC = "4.3.0";
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Planner.java b/sdk/src/main/java/io/opentdf/platform/sdk/Planner.java
index b07c735c..477d315a 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/Planner.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/Planner.java
@@ -163,6 +163,7 @@ Map<String, List<Config.KASInfo>> resolveKeys(List<Autoconfigure.KeySplitTemplat
                 logger.info("no public key provided for KAS at {}, retrieving", splitInfo.kas);
                 var getKI = new Config.KASInfo();
                 getKI.URL = splitInfo.kas;
+                getKI.KID = splitInfo.kid;
                 getKI.Algorithm = splitInfo.keyType == null
                         ? (tdfConfig.wrappingKeyType == null ? null : tdfConfig.wrappingKeyType.toString())
                         : splitInfo.keyType.toString();
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Version.java b/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
index 508c9151..546c4905 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
@@ -1,18 +1,19 @@
 package io.opentdf.platform.sdk;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.regex.Pattern;
 
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 class Version implements Comparable<Version> {
 
     // Version of the SDK, managed by release-please.
-    public static final String SDK = "0.12.0"; // x-release-please-version
+    public static final String SDK = "0.13.0"; // x-release-please-version
 
     private final int major;
     private final int minor;

From 9969bdd81797f57a15eba2dc4a4f46b6fe35923c Mon Sep 17 00:00:00 2001
From: Elizabeth Healy <ehealy@virtru.com>
Date: Tue, 3 Mar 2026 12:55:40 -0500
Subject: [PATCH 3/3] add unit tests, undo version changes, go back to main
 xtest

---
 .github/workflows/checks.yaml                              | 2 +-
 cmdline/src/main/java/io/opentdf/platform/Command.java     | 2 +-
 sdk/src/main/java/io/opentdf/platform/sdk/Version.java     | 2 +-
 sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java | 5 +++++
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index dd468850..dc1870bf 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -246,7 +246,7 @@ jobs:
       packages: read
       checks: write
       pull-requests: write
-    uses: opentdf/tests/.github/workflows/xtest.yml@dspx-2517-enable-rsa-extended-java
+    uses: opentdf/tests/.github/workflows/xtest.yml@main
     with:
       focus-sdk: java
       java-ref: ${{ github.ref }} latest
diff --git a/cmdline/src/main/java/io/opentdf/platform/Command.java b/cmdline/src/main/java/io/opentdf/platform/Command.java
index 7beb56f3..48f943ed 100644
--- a/cmdline/src/main/java/io/opentdf/platform/Command.java
+++ b/cmdline/src/main/java/io/opentdf/platform/Command.java
@@ -53,7 +53,7 @@
  */
 class Versions {
     // Version of the SDK, managed by release-please.
-    public static final String SDK = "0.13.0"; // x-release-please-version
+    public static final String SDK = "0.12.0"; // x-release-please-version
 
     // This sdk aims to support this version of the TDF spec; currently 4.3.0.
     public static final String TDF_SPEC = "4.3.0";
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Version.java b/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
index 546c4905..53f131c7 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/Version.java
@@ -13,7 +13,7 @@
 class Version implements Comparable<Version> {
 
     // Version of the SDK, managed by release-please.
-    public static final String SDK = "0.13.0"; // x-release-please-version
+    public static final String SDK = "0.12.0"; // x-release-please-version
 
     private final int major;
     private final int minor;
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java
index 6dc72f47..980404f1 100644
--- a/sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java
+++ b/sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java
@@ -6,16 +6,19 @@
 import static io.opentdf.platform.policy.Algorithm.ALGORITHM_EC_P384;
 import static io.opentdf.platform.policy.Algorithm.ALGORITHM_EC_P521;
 import static io.opentdf.platform.policy.Algorithm.ALGORITHM_RSA_2048;
+import static io.opentdf.platform.policy.Algorithm.ALGORITHM_RSA_4096;
 import static io.opentdf.platform.policy.KasPublicKeyAlgEnum.KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1;
 import static io.opentdf.platform.policy.KasPublicKeyAlgEnum.KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1;
 import static io.opentdf.platform.policy.KasPublicKeyAlgEnum.KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1;
 import static io.opentdf.platform.policy.KasPublicKeyAlgEnum.KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048;
+import static io.opentdf.platform.policy.KasPublicKeyAlgEnum.KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096;
 import static org.junit.jupiter.api.Assertions.*;
 
 class KeyTypeTest {
     @Test
     void testFromString() {
         assertEquals(KeyType.RSA2048Key, KeyType.fromString("rsa:2048"));
+        assertEquals(KeyType.RSA4096Key, KeyType.fromString("rsa:4096"));
         assertEquals(KeyType.EC256Key, KeyType.fromString("ec:secp256r1"));
         assertEquals(KeyType.EC384Key, KeyType.fromString("ec:secp384r1"));
         assertEquals(KeyType.EC521Key, KeyType.fromString("ec:secp521r1"));
@@ -29,6 +32,7 @@ void testFromStringInvalid() {
     @Test
     void testFromAlgorithm() {
         assertEquals(KeyType.RSA2048Key, KeyType.fromAlgorithm(ALGORITHM_RSA_2048));
+        assertEquals(KeyType.RSA4096Key, KeyType.fromAlgorithm(ALGORITHM_RSA_4096));
         assertEquals(KeyType.EC256Key, KeyType.fromAlgorithm(ALGORITHM_EC_P256));
         assertEquals(KeyType.EC384Key, KeyType.fromAlgorithm(ALGORITHM_EC_P384));
         assertEquals(KeyType.EC521Key, KeyType.fromAlgorithm(ALGORITHM_EC_P521));
@@ -37,6 +41,7 @@ void testFromAlgorithm() {
     @Test
     void testFromPublicKeyAlgEnum() {
         assertEquals(KeyType.RSA2048Key, KeyType.fromPublicKeyAlgorithm(KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048));
+        assertEquals(KeyType.RSA4096Key, KeyType.fromPublicKeyAlgorithm(KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096));
         assertEquals(KeyType.EC256Key, KeyType.fromPublicKeyAlgorithm(KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1));
         assertEquals(KeyType.EC384Key, KeyType.fromPublicKeyAlgorithm(KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1));
         assertEquals(KeyType.EC521Key, KeyType.fromPublicKeyAlgorithm(KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1));