feat: Enable offline encryption cert listing and version selection support during contract encryption by Priyanga-M-001 · Pull Request #118 · ibm-hyper-protect/contract-cli

Priyanga-M-001 · 2026-05-10T11:27:17Z

Description

This PR adds support for specifying encryption certificate versions in contract-cli commands while encrypting a contract and introduces a new command to list available certificate versions.

Related Issue

Fixes #116

Type of Change

Testing

Describe the tests you ran and how to reproduce them

make test passes
make fmt applied (no formatting changes needed)
New tests added for new functionality (if applicable)

The functionality is tested using CLI tool and here are the results :

priya@macbookpro contract-cli % ./contract-cli encrypt --in samples/contract.yaml --os ccco --ver 25.10.0
env: hyper-protect-basic.a8YzKhUmzW2yzkxTsXqpSBboXd4...
envWorkloadSignature: P4WIGTwAiQ2V7ZI8geR4lqwsXJ6jdo...
workload: hyper-protect-basic.aL63ffPj9XfEfGNeL7ahEN702...

priya@macbookpro contract-cli % ./contract-cli encrypt --in samples/contract.yaml                        
env: hyper-protect-basic.ZNd6fX/hSC5S4iFZN3I8luIPP92u...
envWorkloadSignature: WpWeDuQI6XGyniq3R0KxR4lGakY...
workload: hyper-protect-basic.DzByTO5TPB/leBNrLCljYAt+...`

priya@macbookpro contract-cli % ./contract-cli list-encryptioncert-versions       
{"ccco":["25.12.0","25.10.0"],"ccrt":["26.2.0","25.11.0","25.8.1"],"ccrv":["26.4.1","25.11.0","25.8.1"]}

priya@macbookpro contract-cli % ./contract-cli list-encryptioncert-versions --os ccrv --format yaml
ccrv:
    - 26.4.1
    - 25.11.0
    - 25.8.1

Checklist

My code follows the project's coding standards
I have performed a self-review of my code
I have commented my code where necessary
I have updated the documentation
I have added tests that prove my fix/feature works
All new and existing tests pass

Priyanga-M-001 · 2026-05-10T11:43:07Z

What's Changed

New Features

1. Certificate Version Selection (--ver flag)

Added --ver flag to all encryption commands: encrypt, encrypt-string, and base64-tgz
Users can now specify a specific certificate version (e.g., 26.2.0, 25.11.0) from the available list instead of always using the latest
Empty/omitted flag defaults to latest version for backward compatibility

2. New Command: list-encryptioncert-versions

Lists all available encryption certificate versions for each platform
Supports JSON and YAML output formats via --output flag
Supports platform filtering via --os flag (ccrt, ccrv, ccco, or hpvs as legacy alias for ccrt)

Examples:

./contract-cli list-encryptioncert-versions --output json
./contract-cli list-encryptioncert-versions --os ccrt --output yaml
./contract-cli encrypt --in samples/contract.yaml --os ccco --ver 25.10.0

Dependencies

go.mod - Updated to contract-go v2.23.0
go.sum - Updated checksums

Test coverage includes:

Certificate version selection with valid versions
Default behavior (empty version = latest)
Platform-specific certificate retrieval
JSON and YAML output formats for list command
Platform filtering in list command

Sashwat-K · 2026-05-11T17:16:27Z

Hey @Rohit-Singh43-1 @vikas-sharma24 , Please review this PR.

Rohit-Singh43-1

Thanks @Priyanga-M-001 for feature update, Changes overall Looks good to me , Just added few readme comments , Please have look of those

Rohit-Singh43-1 · 2026-05-11T17:42:28Z

+
+Output:
+```yaml
+ccco:


@Priyanga-M-001 for CCCO in contract-go only 2 certs are uploaded , Can you please update the example out here it show one extra 25.7.1

https://github.com/ibm-hyper-protect/contract-go/tree/main/encryption/ccco

Good catch !, thanks for bringing this up. I'll update it

Rohit-Singh43-1 · 2026-05-11T17:44:04Z

+
+#### Use Cases
+
+1. **Discover Available Versions**: Find out which certificate versions are embedded in your CLI installation


certificates are embedded in contract-go library , Please update
embedded in your CLI installation --> embedded in contract-go library

@Rohit-Singh43-1 , all the functions internally call contract-go, but for a user, contract-cli is the front face. Hence, I hope no changes are needed here.
@Sashwat-K can confirm once.

Hey @Rohit-Singh43-1 , make @Priyanga-M-001 said makes sense. The customer only sees the CLI documentation.

vikas-sharma24 · 2026-05-12T05:49:10Z

+	"github.com/spf13/cobra"
+)
+
+// listCertVersionsCmd represents the list-cert-versions command


update comment with correct command list-encryptioncert-versions

is this is not updated yet @Priyanga-M-001

vikas-sharma24 · 2026-05-12T05:50:33Z

+			if err != nil {
+				log.Fatal(err)
+			}
+			fmt.Println("Successfully stored certificate versions")


maybe we can mention encryption certificate as in future will have one more command to store attestation certificate.

vikas-sharma24 · 2026-05-12T05:51:31Z

+		"",
+		"",
+		listCertVersions.FormatFlagDescription,
+	)


Need to add SetCustomHelpTemplate and SetCustomErrorTemplate function as well.
Take reference of other command.
This is used if someone give wrong command or flag

Please check this @Priyanga-M-001

vikas-sharma24 · 2026-05-12T05:53:40Z

+	sampleListCcrvCertVersionsCommand = []string{listCertVersions.ParameterName, "--os", "ccrv"}
+	sampleListCccoCertVersionsCommand = []string{listCertVersions.ParameterName, "--os", "ccco"}
+	sampleListInvalidPlatformCommand  = []string{listCertVersions.ParameterName, "--os", "invalid"}
+	sampleListCaseInsensitiveCommand  = []string{listCertVersions.ParameterName, "--os", "CCRT"}


we can add one testcase for hpvs flag as well

vikas-sharma24 · 2026-05-12T06:02:26Z

+
+#### Examples
+
+**List all available certificate versions in JSON format (default):**


encryption certificate

vikas-sharma24 · 2026-05-12T06:14:21Z

+  --in docker-compose.yaml \
+  --os ccco \
+  --ver 25.12.0 \
+  --encrypt


there is no --encrypt flag in base64-tgz command

Good catch, thanks, updating it

Priyanga-M-001 · 2026-05-22T07:48:29Z

@Sashwat-K @vikas-sharma24 @Rohit-Singh43-1 , I have pushed the changes made for addressing the review comments. Please review and resolve the conversation if all expected changes are good

Rohit-Singh43-1

LGTM , Thanks @Priyanga-M-001 for the changes.

Sashwat-K

Looks to good @Priyanga-M-001 . @vikas-sharma24 would you confirm as well?

github-actions · 2026-05-25T06:34:56Z

🎉 This PR is included in version 1.23.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sashwat-K · 2026-05-25T06:41:12Z

Thank you @Priyanga-M-001 for this feature!

Priyanga-M-001 · 2026-05-25T07:00:30Z

Thanks everyone for the approvals and thank you @Sashwat-K for merging the PR

Priyanga-M-001 and others added 2 commits May 10, 2026 15:38

feat: Built-in store for n, n-1, n-2 encryption certs

2e9dee6

Merge branch 'main' into built-in-enc-certs

646c402

Priyanga-M-001 added 2 commits May 11, 2026 17:56

feat: Miscellaneous updates

1567b5d

feat: fixing a test failure

d24026e

Sashwat-K requested a review from vikas-sharma24 May 11, 2026 17:16

Rohit-Singh43-1 reviewed May 11, 2026

View reviewed changes