This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git
The following commit(s) were added to refs/heads/main by this push:
new e4e7b075bae CAMEL-23162 - Post-Quantum Cryptography (PQC) readiness:
Add PQC readiness support to Camel Spring Boot SSL auto-configuration (#1705)
e4e7b075bae is described below
commit e4e7b075bae3c4507de79f557f731d9bcfcce94a
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Mar 9 19:11:12 2026 +0100
CAMEL-23162 - Post-Quantum Cryptography (PQC) readiness: Add PQC readiness
support to Camel Spring Boot SSL auto-configuration (#1705)
Align with Camel core changes (CAMEL-23154, CAMEL-23158, CAMEL-23159) by
exposing namedGroups, namedGroupsFilter, signatureSchemes, and
signatureSchemesFilter in CamelSSLConfigurationProperties and wiring them
through CamelSSLAutoConfiguration, enabling Spring Boot users to configure
post-quantum TLS key exchange groups and signature algorithms.
Signed-off-by: Andrea Cosentino <[email protected]>
---
.../boot/security/CamelSSLAutoConfiguration.java | 35 +++++++++++++
.../security/CamelSSLConfigurationProperties.java | 58 ++++++++++++++++++++++
.../security/CamelSSLAutoConfigurationTest.java | 47 ++++++++++++++++++
3 files changed, 140 insertions(+)
diff --git
a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java
b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java
index cd62c5bba97..823f3392e35 100644
---
a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java
+++
b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfiguration.java
@@ -56,6 +56,9 @@ public class CamelSSLAutoConfiguration {
// override with any camel.ssl props
SSLContextParameters config = new
SSLContextBuilder(sslContext).certAlias(properties.getCertAlias())
.cipherSuites(properties.getCipherSuites()).cipherSuitesFilter(properties.getCipherSuitesFilter())
+
.namedGroups(properties.getNamedGroups()).namedGroupsFilter(properties.getNamedGroupsFilter())
+ .signatureSchemes(properties.getSignatureSchemes())
+ .signatureSchemesFilter(properties.getSignatureSchemesFilter())
.clientParameters(properties.getClientParameters()).keyManagers(properties.getKeyManagers())
.provider(properties.getProvider()).secureRandom(properties.getSecureRandom())
.secureSocketProtocol(properties.getSecureSocketProtocol())
@@ -114,6 +117,10 @@ public class CamelSSLAutoConfiguration {
copy.setCertAlias(sslContextParameters.getCertAlias());
copy.setCipherSuites(sslContextParameters.getCipherSuites());
copy.setCipherSuitesFilter(sslContextParameters.getCipherSuitesFilter());
+ copy.setNamedGroups(sslContextParameters.getNamedGroups());
+ copy.setNamedGroupsFilter(sslContextParameters.getNamedGroupsFilter());
+ copy.setSignatureSchemes(sslContextParameters.getSignatureSchemes());
+
copy.setSignatureSchemesFilter(sslContextParameters.getSignatureSchemesFilter());
copy.setClientParameters(sslContextParameters.getClientParameters());
copy.setKeyManagers(sslContextParameters.getKeyManagers());
copy.setProvider(sslContextParameters.getProvider());
@@ -156,6 +163,34 @@ public class CamelSSLAutoConfiguration {
return this;
}
+ public SSLContextBuilder namedGroups(NamedGroupsParameters
namedGroups) {
+ if (namedGroups != null) {
+ sslContextParameters.setNamedGroups(namedGroups);
+ }
+ return this;
+ }
+
+ public SSLContextBuilder namedGroupsFilter(FilterParameters
namedGroupsFilter) {
+ if (namedGroupsFilter != null) {
+ sslContextParameters.setNamedGroupsFilter(namedGroupsFilter);
+ }
+ return this;
+ }
+
+ public SSLContextBuilder signatureSchemes(SignatureSchemesParameters
signatureSchemes) {
+ if (signatureSchemes != null) {
+ sslContextParameters.setSignatureSchemes(signatureSchemes);
+ }
+ return this;
+ }
+
+ public SSLContextBuilder signatureSchemesFilter(FilterParameters
signatureSchemesFilter) {
+ if (signatureSchemesFilter != null) {
+
sslContextParameters.setSignatureSchemesFilter(signatureSchemesFilter);
+ }
+ return this;
+ }
+
public SSLContextBuilder clientParameters(SSLContextClientParameters
clientParameters) {
if (clientParameters != null) {
sslContextParameters.setClientParameters(clientParameters);
diff --git
a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java
b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java
index 456d8807482..133e11c99a1 100644
---
a/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java
+++
b/core/camel-spring-boot/src/main/java/org/apache/camel/spring/boot/security/CamelSSLConfigurationProperties.java
@@ -19,11 +19,13 @@ package org.apache.camel.spring.boot.security;
import org.apache.camel.support.jsse.CipherSuitesParameters;
import org.apache.camel.support.jsse.FilterParameters;
import org.apache.camel.support.jsse.KeyManagersParameters;
+import org.apache.camel.support.jsse.NamedGroupsParameters;
import org.apache.camel.support.jsse.SSLContextClientParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SSLContextServerParameters;
import org.apache.camel.support.jsse.SecureRandomParameters;
import org.apache.camel.support.jsse.SecureSocketProtocolsParameters;
+import org.apache.camel.support.jsse.SignatureSchemesParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;
import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -104,6 +106,30 @@ public class CamelSSLConfigurationProperties {
*/
private FilterParameters cipherSuitesFilter;
+ /**
+ * The optional explicitly configured named groups (key exchange groups)
for this configuration. Named groups control
+ * which key exchange algorithms are available during the TLS handshake,
including post-quantum hybrid groups such as
+ * X25519MLKEM768.
+ */
+ private NamedGroupsParameters namedGroups;
+
+ /**
+ * The optional named groups filter configuration for this configuration.
+ */
+ private FilterParameters namedGroupsFilter;
+
+ /**
+ * The optional explicitly configured signature schemes for this
configuration. Signature schemes control which
+ * signature algorithms are available during the TLS handshake, including
post-quantum signature algorithms such as
+ * ML-DSA.
+ */
+ private SignatureSchemesParameters signatureSchemes;
+
+ /**
+ * The optional signature schemes filter configuration for this
configuration.
+ */
+ private FilterParameters signatureSchemesFilter;
+
/**
* The optional explicitly configured secure socket protocol names for
this configuration.
*/
@@ -215,6 +241,38 @@ public class CamelSSLConfigurationProperties {
this.cipherSuitesFilter = cipherSuitesFilter;
}
+ public NamedGroupsParameters getNamedGroups() {
+ return this.namedGroups;
+ }
+
+ public void setNamedGroups(NamedGroupsParameters namedGroups) {
+ this.namedGroups = namedGroups;
+ }
+
+ public FilterParameters getNamedGroupsFilter() {
+ return this.namedGroupsFilter;
+ }
+
+ public void setNamedGroupsFilter(FilterParameters namedGroupsFilter) {
+ this.namedGroupsFilter = namedGroupsFilter;
+ }
+
+ public SignatureSchemesParameters getSignatureSchemes() {
+ return this.signatureSchemes;
+ }
+
+ public void setSignatureSchemes(SignatureSchemesParameters
signatureSchemes) {
+ this.signatureSchemes = signatureSchemes;
+ }
+
+ public FilterParameters getSignatureSchemesFilter() {
+ return this.signatureSchemesFilter;
+ }
+
+ public void setSignatureSchemesFilter(FilterParameters
signatureSchemesFilter) {
+ this.signatureSchemesFilter = signatureSchemesFilter;
+ }
+
public SecureSocketProtocolsParameters getSecureSocketProtocols() {
return this.secureSocketProtocols;
}
diff --git
a/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java
b/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java
index 75f901f26d0..39350fb5216 100644
---
a/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java
+++
b/core/camel-spring-boot/src/test/java/org/apache/camel/spring/boot/security/CamelSSLAutoConfigurationTest.java
@@ -219,6 +219,53 @@ public class CamelSSLAutoConfigurationTest {
});
}
+ @Test
+ public void checkSSLPQCPropertiesPresent() {
+ new ApplicationContextRunner()
+
.withConfiguration(AutoConfigurations.of(CamelSSLAutoConfiguration.class,
CamelAutoConfiguration.class))
+ .withPropertyValues(
+ "camel.ssl.cert-alias=pqc-test",
+ "camel.ssl.named-groups.named-group[0]=X25519MLKEM768",
+ "camel.ssl.named-groups.named-group[1]=x25519",
+ "camel.ssl.named-groups-filter.include[0]=.*MLKEM.*",
+ "camel.ssl.named-groups-filter.exclude[0]=.*legacy.*",
+
"camel.ssl.signature-schemes.signature-scheme[0]=ML-DSA",
+
"camel.ssl.signature-schemes.signature-scheme[1]=ed25519",
+
"camel.ssl.signature-schemes-filter.include[0]=.*DSA.*",
+
"camel.ssl.signature-schemes-filter.exclude[0]=.*SHA1.*")
+ .run(context -> {
+ SSLContextParameters contextParams =
context.getBean(SSLContextParameters.class);
+ assertNotNull(contextParams);
+ assertEquals("pqc-test", contextParams.getCertAlias());
+
+ // verify named groups (PQC key exchange)
+ assertNotNull(contextParams.getNamedGroups());
+ assertEquals(2,
contextParams.getNamedGroups().getNamedGroup().size());
+ assertEquals("X25519MLKEM768",
contextParams.getNamedGroups().getNamedGroup().get(0));
+ assertEquals("x25519",
contextParams.getNamedGroups().getNamedGroup().get(1));
+
+ // verify named groups filter
+ assertNotNull(contextParams.getNamedGroupsFilter());
+ assertEquals(1,
contextParams.getNamedGroupsFilter().getInclude().size());
+ assertEquals(".*MLKEM.*",
contextParams.getNamedGroupsFilter().getInclude().get(0));
+ assertEquals(1,
contextParams.getNamedGroupsFilter().getExclude().size());
+ assertEquals(".*legacy.*",
contextParams.getNamedGroupsFilter().getExclude().get(0));
+
+ // verify signature schemes (PQC signatures)
+ assertNotNull(contextParams.getSignatureSchemes());
+ assertEquals(2,
contextParams.getSignatureSchemes().getSignatureScheme().size());
+ assertEquals("ML-DSA",
contextParams.getSignatureSchemes().getSignatureScheme().get(0));
+ assertEquals("ed25519",
contextParams.getSignatureSchemes().getSignatureScheme().get(1));
+
+ // verify signature schemes filter
+ assertNotNull(contextParams.getSignatureSchemesFilter());
+ assertEquals(1,
contextParams.getSignatureSchemesFilter().getInclude().size());
+ assertEquals(".*DSA.*",
contextParams.getSignatureSchemesFilter().getInclude().get(0));
+ assertEquals(1,
contextParams.getSignatureSchemesFilter().getExclude().size());
+ assertEquals(".*SHA1.*",
contextParams.getSignatureSchemesFilter().getExclude().get(0));
+ });
+ }
+
@Test
public void checkNoSSLPropertiesPresent() {
new ApplicationContextRunner()
