[
https://issues.apache.org/jira/browse/CAMEL-23736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino resolved CAMEL-23736.
--------------------------------------
Resolution: Fixed
Resolved via apache/camel PR #23963 (merge commit d7c8879fd48). camel-main: the
development-only self-signed certificate key algorithm is now configurable via
camel.ssl.selfSignedKeyType and defaults to EC (NIST P-256, SHA256withECDSA);
RSA remains selectable.
_Claude Code on behalf of Andrea Cosentino_
> camel-main: make the self-signed (dev) certificate key algorithm
> configurable, default to EC
> --------------------------------------------------------------------------------------------
>
> Key: CAMEL-23736
> URL: https://issues.apache.org/jira/browse/CAMEL-23736
> Project: Camel
> Issue Type: Improvement
> Components: camel-main
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Minor
> Fix For: 4.21.0
>
>
> h3. Background
> {{SelfSignedCertificateGenerator}} in {{camel-main}} (used by
> {{BaseMainSupport}} when {{camel.ssl.selfSigned=true}} to enable zero-config
> development HTTPS) currently hardcodes:
> * an *RSA-2048* key pair ({{KeyPairGenerator.getInstance("RSA")}}), and
> * a *SHA256withRSA* X.509 certificate signature (including the hand-rolled
> DER {{AlgorithmIdentifier}}).
> h3. Proposal
> Expose the key algorithm via {{SSLConfigurationProperties}} (e.g.
> {{camel.ssl.selfSignedKeyType}}) supporting:
> * *EC* -- new default, P-256 (secp256r1) with {{SHA256withECDSA}}
> * *RSA* -- 2048-bit with {{SHA256withRSA}}, retained for backward
> compatibility
> {{SelfSignedCertificateGenerator}} selects the matching key-pair generator
> and X.509 signature {{AlgorithmIdentifier}} accordingly.
> h3. Rationale
> EC P-256 is the modern default (smaller keys, faster handshakes) and making
> the algorithm pluggable improves crypto-agility -- a stepping stone toward
> PQC-capable certificate signing once the JDK exposes ML-DSA X.509 signing.
> Note: this certificate is explicitly for development only ("NOT suitable for
> production use"), so this is a hygiene/modernization change, not a
> security-vulnerability fix.
> h3. Acceptance criteria
> * New configuration option on {{SSLConfigurationProperties}} (EC default, RSA
> selectable)
> * {{SelfSignedCertificateGenerator}} supports both EC (ECDSA
> {{AlgorithmIdentifier}}) and RSA paths
> * {{MainSSLTest}} covers both EC (default) and RSA
> * Generated camel-main configuration metadata regenerated
> Adjacent (not a duplicate): CAMEL-23250.
> _Identified during a PQC-readiness review of Apache Camel._
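The selection described in the proposal (key type to key-pair generator, JCA signature name and X.509 signature AlgorithmIdentifier), sketched as an added example that is not code from apache/camel or the PR. `KeyTypeDemo`, `Profile`, `profileFor` and `generate` are hypothetical names, the signed bytes are a constructed stand-in for a TBSCertificate, and Java 17+ is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.HexFormat;
import java.util.Locale;

// Added illustration; all names here are hypothetical, not Camel classes.
public class KeyTypeDemo {
    // Key-pair algorithm, JCA signature name, DER-encoded signature AlgorithmIdentifier (hex).
    record Profile(String keyAlg, String sigAlg, String algIdHex) {}

    static Profile profileFor(String keyType) {
        return switch (keyType.toUpperCase(Locale.ROOT)) {
            // ecdsa-with-SHA256 (1.2.840.10045.4.3.2): the parameters field is absent.
            case "EC" -> new Profile("EC", "SHA256withECDSA", "300a06082a8648ce3d040302");
            // sha256WithRSAEncryption (1.2.840.113549.1.1.11): explicit NULL parameters.
            case "RSA" -> new Profile("RSA", "SHA256withRSA", "300d06092a864886f70d01010b0500");
            default -> throw new IllegalArgumentException("Unsupported key type: " + keyType);
        };
    }

    static KeyPair generate(Profile p) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(p.keyAlg());
        if ("EC".equals(p.keyAlg())) {
            kpg.initialize(new ECGenParameterSpec("secp256r1")); // NIST P-256
        } else {
            kpg.initialize(2048);
        }
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for the DER bytes of a TBSCertificate.
        byte[] tbs = "constructed TBSCertificate stand-in".getBytes(StandardCharsets.UTF_8);
        for (String keyType : new String[] {"EC", "RSA"}) {
            Profile p = profileFor(keyType);
            KeyPair kp = generate(p);
            Signature signer = Signature.getInstance(p.sigAlg());
            signer.initSign(kp.getPrivate());
            signer.update(tbs);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(p.sigAlg());
            verifier.initVerify(kp.getPublic());
            verifier.update(tbs);
            System.out.printf("%s %s: algId=%d bytes, publicKey=%d bytes, signature=%d bytes, verified=%b%n",
                    keyType, p.sigAlg(), HexFormat.of().parseHex(p.algIdHex()).length,
                    kp.getPublic().getEncoded().length, sig.length, verifier.verify(sig));
        }
    }
}
```

The two AlgorithmIdentifier encodings differ in more than the OID: the ECDSA form omits the parameters field while the RSA form carries a NULL, which is the detail a hand-rolled DER encoder has to get right for each path.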