This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch 23162 in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git
commit 3772e7e0d617d65f38559f7ef5a4039abf02c74d Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Mar 9 18:31:36 2026 +0100 CAMEL-23162 - Post-Quantum Cryptography (PQC) readiness: Add PQC readiness support to Camel Spring Boot SSL auto-configuration Align with Camel core changes (CAMEL-23154, CAMEL-23158, CAMEL-23159) by exposing namedGroups, namedGroupsFilter, signatureSchemes, and signatureSchemesFilter in CamelSSLConfigurationProperties and wiring them through CamelSSLAutoConfiguration, enabling Spring Boot users to configure post-quantum TLS key exchange groups and signature algorithms. Signed-off-by: Andrea Cosentino <[email protected]> --- .../boot/security/CamelSSLAutoConfiguration.java | 35 +++++++++++++ .../security/CamelSSLConfigurationProperties.java | 58 ++++++++++++++++++++++ .../security/CamelSSLAutoConfigurationTest.java | 47 ++++++++++++++++++ 3 files changed, 140 insertions(+) diff --git a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java index cd62c5bba97..823f3392e35 100644 --- a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java +++ b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java @@ -56,6 +56,9 @@ public class CamelSSLAutoConfiguration { // override with any camel.ssl props SSLContextParameters config = new SSLContextBuilder(sslContext).certAlias(properties.getCertAlias()) .cipherSuites(properties.getCipherSuites()).cipherSuitesFilter(properties.getCipherSuitesFilter()) + .namedGroups(properties.getNamedGroups()).namedGroupsFilter(properties.getNamedGroupsFilter()) + .signatureSchemes(properties.getSignatureSchemes()) + .signatureSchemesFilter(properties.getSignatureSchemesFilter()) .clientParameters(properties.getClientParameters()).keyManagers(properties.getKeyManagers()) .provider(properties.getProvider()).secureRandom(properties.getSecureRandom()) .secureSocketProtocol(properties.getSecureSocketProtocol()) @@ -114,6 +117,10 @@ public class CamelSSLAutoConfiguration { copy.setCertAlias(sslContextParameters.getCertAlias()); copy.setCipherSuites(sslContextParameters.getCipherSuites()); copy.setCipherSuitesFilter(sslContextParameters.getCipherSuitesFilter()); + copy.setNamedGroups(sslContextParameters.getNamedGroups()); + copy.setNamedGroupsFilter(sslContextParameters.getNamedGroupsFilter()); + copy.setSignatureSchemes(sslContextParameters.getSignatureSchemes()); + copy.setSignatureSchemesFilter(sslContextParameters.getSignatureSchemesFilter()); copy.setClientParameters(sslContextParameters.getClientParameters()); copy.setKeyManagers(sslContextParameters.getKeyManagers()); copy.setProvider(sslContextParameters.getProvider()); @@ -156,6 +163,34 @@ public class CamelSSLAutoConfiguration { return this; } + public SSLContextBuilder namedGroups(NamedGroupsParameters namedGroups) { + if (namedGroups != null) { + sslContextParameters.setNamedGroups(namedGroups); + } + return this; + } + + public SSLContextBuilder namedGroupsFilter(FilterParameters namedGroupsFilter) { + if (namedGroupsFilter != null) { + sslContextParameters.setNamedGroupsFilter(namedGroupsFilter); + } + return this; + } + + public SSLContextBuilder signatureSchemes(SignatureSchemesParameters signatureSchemes) { + if (signatureSchemes != null) { + sslContextParameters.setSignatureSchemes(signatureSchemes); + } + return this; + } + + public SSLContextBuilder signatureSchemesFilter(FilterParameters signatureSchemesFilter) { + if (signatureSchemesFilter != null) { + sslContextParameters.setSignatureSchemesFilter(signatureSchemesFilter); + } + return this; + } + public SSLContextBuilder clientParameters(SSLContextClientParameters clientParameters) { if (clientParameters != null) { sslContextParameters.setClientParameters(clientParameters); diff --git a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java index 456d8807482..133e11c99a1 100644 --- a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java +++ b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java @@ -19,11 +19,13 @@ package org.apache.camel.spring.boot.security; import org.apache.camel.support.jsse.CipherSuitesParameters; import org.apache.camel.support.jsse.FilterParameters; import org.apache.camel.support.jsse.KeyManagersParameters; +import org.apache.camel.support.jsse.NamedGroupsParameters; import org.apache.camel.support.jsse.SSLContextClientParameters; import org.apache.camel.support.jsse.SSLContextParameters; import org.apache.camel.support.jsse.SSLContextServerParameters; import org.apache.camel.support.jsse.SecureRandomParameters; import org.apache.camel.support.jsse.SecureSocketProtocolsParameters; +import org.apache.camel.support.jsse.SignatureSchemesParameters; import org.apache.camel.support.jsse.TrustManagersParameters; import org.springframework.boot.context.properties.ConfigurationProperties; @@ -104,6 +106,30 @@ public class CamelSSLConfigurationProperties { */ private FilterParameters cipherSuitesFilter; + /** + * The optional explicitly configured named groups (key exchange groups) for this configuration. Named groups control + * which key exchange algorithms are available during the TLS handshake, including post-quantum hybrid groups such as + * X25519MLKEM768. + */ + private NamedGroupsParameters namedGroups; + + /** + * The optional named groups filter configuration for this configuration. + */ + private FilterParameters namedGroupsFilter; + + /** + * The optional explicitly configured signature schemes for this configuration. Signature schemes control which + * signature algorithms are available during the TLS handshake, including post-quantum signature algorithms such as + * ML-DSA. + */ + private SignatureSchemesParameters signatureSchemes; + + /** + * The optional signature schemes filter configuration for this configuration. + */ + private FilterParameters signatureSchemesFilter; + /** * The optional explicitly configured secure socket protocol names for this configuration. */ @@ -215,6 +241,38 @@ public class CamelSSLConfigurationProperties { this.cipherSuitesFilter = cipherSuitesFilter; } + public NamedGroupsParameters getNamedGroups() { + return this.namedGroups; + } + + public void setNamedGroups(NamedGroupsParameters namedGroups) { + this.namedGroups = namedGroups; + } + + public FilterParameters getNamedGroupsFilter() { + return this.namedGroupsFilter; + } + + public void setNamedGroupsFilter(FilterParameters namedGroupsFilter) { + this.namedGroupsFilter = namedGroupsFilter; + } + + public SignatureSchemesParameters getSignatureSchemes() { + return this.signatureSchemes; + } + + public void setSignatureSchemes(SignatureSchemesParameters signatureSchemes) { + this.signatureSchemes = signatureSchemes; + } + + public FilterParameters getSignatureSchemesFilter() { + return this.signatureSchemesFilter; + } + + public void setSignatureSchemesFilter(FilterParameters signatureSchemesFilter) { + this.signatureSchemesFilter = signatureSchemesFilter; + } + public SecureSocketProtocolsParameters getSecureSocketProtocols() { return this.secureSocketProtocols; } diff --git a/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java b/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java index 75f901f26d0..39350fb5216 100644 --- a/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java +++ b/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java @@ -219,6 +219,53 @@ public class CamelSSLAutoConfigurationTest { }); } + @Test + public void checkSSLPQCPropertiesPresent() { + new ApplicationContextRunner() + .withConfiguration(AutoConfigurations.of(CamelSSLAutoConfiguration.class, CamelAutoConfiguration.class)) + .withPropertyValues( + "camel.ssl.cert-alias=pqc-test", + "camel.ssl.named-groups.named-group[0]=X25519MLKEM768", + "camel.ssl.named-groups.named-group[1]=x25519", + "camel.ssl.named-groups-filter.include[0]=.*MLKEM.*", + "camel.ssl.named-groups-filter.exclude[0]=.*legacy.*", + "camel.ssl.signature-schemes.signature-scheme[0]=ML-DSA", + "camel.ssl.signature-schemes.signature-scheme[1]=ed25519", + "camel.ssl.signature-schemes-filter.include[0]=.*DSA.*", + "camel.ssl.signature-schemes-filter.exclude[0]=.*SHA1.*") + .run(context -> { + SSLContextParameters contextParams = context.getBean(SSLContextParameters.class); + assertNotNull(contextParams); + assertEquals("pqc-test", contextParams.getCertAlias()); + + // verify named groups (PQC key exchange) + assertNotNull(contextParams.getNamedGroups()); + assertEquals(2, contextParams.getNamedGroups().getNamedGroup().size()); + assertEquals("X25519MLKEM768", contextParams.getNamedGroups().getNamedGroup().get(0)); + assertEquals("x25519", contextParams.getNamedGroups().getNamedGroup().get(1)); + + // verify named groups filter + assertNotNull(contextParams.getNamedGroupsFilter()); + assertEquals(1, contextParams.getNamedGroupsFilter().getInclude().size()); + assertEquals(".*MLKEM.*", contextParams.getNamedGroupsFilter().getInclude().get(0)); + assertEquals(1, contextParams.getNamedGroupsFilter().getExclude().size()); + assertEquals(".*legacy.*", contextParams.getNamedGroupsFilter().getExclude().get(0)); + + // verify signature schemes (PQC signatures) + assertNotNull(contextParams.getSignatureSchemes()); + assertEquals(2, contextParams.getSignatureSchemes().getSignatureScheme().size()); + assertEquals("ML-DSA", contextParams.getSignatureSchemes().getSignatureScheme().get(0)); + assertEquals("ed25519", contextParams.getSignatureSchemes().getSignatureScheme().get(1)); + + // verify signature schemes filter + assertNotNull(contextParams.getSignatureSchemesFilter()); + assertEquals(1, contextParams.getSignatureSchemesFilter().getInclude().size()); + assertEquals(".*DSA.*", contextParams.getSignatureSchemesFilter().getInclude().get(0)); + assertEquals(1, contextParams.getSignatureSchemesFilter().getExclude().size()); + assertEquals(".*SHA1.*", contextParams.getSignatureSchemesFilter().getExclude().get(0)); + }); + } + @Test public void checkNoSSLPropertiesPresent() { new ApplicationContextRunner()
