Andrea Cosentino created CAMEL-23736:
----------------------------------------
Summary: camel-main: make the self-signed (dev) certificate key
algorithm configurable, default to EC
Key: CAMEL-23736
URL: https://issues.apache.org/jira/browse/CAMEL-23736
Project: Camel
Issue Type: Improvement
Components: camel-main
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
h3. Background
{{SelfSignedCertificateGenerator}} in {{camel-main}} (used by
{{BaseMainSupport}} when {{camel.ssl.selfSigned=true}} to enable zero-config
development HTTPS) currently hardcodes:
* an *RSA-2048* key pair ({{KeyPairGenerator.getInstance("RSA")}}), and
* a *SHA256withRSA* X.509 certificate signature (including the hand-rolled DER
{{AlgorithmIdentifier}}).
h3. Proposal
Expose the key algorithm via {{SSLConfigurationProperties}} (e.g.
{{camel.ssl.selfSignedKeyType}}) supporting:
* *EC* -- new default, P-256 (secp256r1) with {{SHA256withECDSA}}
* *RSA* -- 2048-bit with {{SHA256withRSA}}, retained for backward compatibility
{{SelfSignedCertificateGenerator}} selects the matching key-pair generator and
X.509 signature {{AlgorithmIdentifier}} accordingly.
h3. Rationale
EC P-256 is the modern default (smaller keys, faster handshakes) and making the
algorithm pluggable improves crypto-agility -- a stepping stone toward
PQC-capable certificate signing once the JDK exposes ML-DSA X.509 signing.
Note: this certificate is explicitly for development only ("NOT suitable for
production use"), so this is a hygiene/modernization change, not a
security-vulnerability fix.
h3. Acceptance criteria
* New configuration option on {{SSLConfigurationProperties}} (EC default, RSA
selectable)
* {{SelfSignedCertificateGenerator}} supports both EC (ECDSA
{{AlgorithmIdentifier}}) and RSA paths
* {{MainSSLTest}} covers both EC (default) and RSA
* Generated camel-main configuration metadata regenerated
Adjacent (not a duplicate): CAMEL-23250.
_Identified during a PQC-readiness review of Apache Camel._
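
The sketch below is an added example, not code from Camel or from the issue: it shows the selection the proposal describes, where the key type picks the key-pair generator, the JCA signature name and the DER {{AlgorithmIdentifier}} together. The {{KeyType}} enum, its {{parse}} method and the class name are hypothetical, the signed bytes are a constructed stand-in for a real TBSCertificate, and {{HexFormat}} requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.HexFormat;
import java.util.Locale;

public class DevCertKeyTypeExample {
    enum KeyType { // hypothetical type for illustration, not Camel's API
        // ecdsa-with-SHA256 (1.2.840.10045.4.3.2): parameters field absent (RFC 5758)
        EC("SHA256withECDSA", "300a06082a8648ce3d040302"),
        // sha256WithRSAEncryption (1.2.840.113549.1.1.11): explicit NULL parameters (RFC 4055)
        RSA("SHA256withRSA", "300d06092a864886f70d01010b0500");

        final String signatureAlgorithm;     // JCA Signature name
        final byte[] algorithmIdentifierDer; // same bytes for TBSCertificate.signature and Certificate.signatureAlgorithm

        KeyType(String signatureAlgorithm, String derHex) {
            this.signatureAlgorithm = signatureAlgorithm;
            this.algorithmIdentifierDer = HexFormat.of().parseHex(derHex);
        }

        static KeyType parse(String configured) { // blank selects the default; unknown values throw
            return configured == null || configured.isBlank()
                    ? EC : valueOf(configured.trim().toUpperCase(Locale.ROOT));
        }

        KeyPair generateKeyPair() throws GeneralSecurityException {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(name());
            if (this == EC) {
                kpg.initialize(new ECGenParameterSpec("secp256r1")); // P-256
            } else {
                kpg.initialize(2048);
            }
            return kpg.generateKeyPair();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] tbs = "constructed stand-in for DER TBSCertificate".getBytes(StandardCharsets.UTF_8);
        for (String configured : new String[] {null, "rsa"}) {
            KeyType type = KeyType.parse(configured);
            KeyPair pair = type.generateKeyPair();
            Signature signer = Signature.getInstance(type.signatureAlgorithm);
            signer.initSign(pair.getPrivate());
            signer.update(tbs);
            byte[] sig = signer.sign();
            signer.initVerify(pair.getPublic()); // re-initialise the same object to verify
            signer.update(tbs);
            System.out.printf("%s verified=%b algId=%s%n", type.signatureAlgorithm,
                    signer.verify(sig), HexFormat.of().formatHex(type.algorithmIdentifierDer));
        }
    }
}
```

The two encodings differ in more than the OID: the RSA identifier carries a trailing NULL ({{05 00}}) and the ECDSA one omits parameters entirely, so a hand-rolled encoder that only swaps the OID produces a malformed ECDSA certificate.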