JiriOndrusek opened a new pull request, #504:
URL: https://github.com/apache/camel-quarkus-examples/pull/504

   Fixes https://github.com/apache/camel-quarkus/issues/8648
   
   Adds a new Camel Quarkus example demonstrating native Post-Quantum Cryptography (PQC) support in TLS on Java 21 using BouncyCastle JSSE provider.
   
   ## Summary
   
   This example demonstrates the **recommended approach for PQC on Java 21+**, which is significantly simpler than the Java 17 workaround ([http-pqc-j17](https://github.com/apache/camel-quarkus-examples/tree/main/http-pqc-j17)).
   
   ### Key Features
   
   - **TLS 1.3 with X25519MLKEM768** hybrid cipher suite combining classical X25519 with quantum-resistant ML-KEM-768
   - **BouncyCastle JSSE provider** (`bctls-jdk18on`) for native PQC support
   - **Standard Quarkus SSL configuration** - no custom trust managers or manual signature validation needed
   - **Auto-generated self-signed certificates** for development and testing
   - **Comprehensive documentation** comparing Java 17 vs Java 21 approaches
   
   ### Comparison with Java 17 Example
   
   | Aspect | Java 17 (http-pqc-j17) | Java 21 (http-pqc-j21) |
   |--------|------------------------|------------------------|
   | **PQC Location** | Application-level validation via custom X509TrustManager | Native TLS 1.3 protocol support |
   | **Certificate Type** | Hybrid Chimera certificates (RSA + ML-DSA-65) | Standard X.509 certificates |
   | **Cipher Suite** | Standard TLS, PQC validated separately | TLS_X25519MLKEM768 hybrid key exchange |
   | **Complexity** | High - custom certificate generation, manual signature validation (2314 lines) | Low - standard Quarkus SSL configuration (622 lines) |
   | **Production Ready** | Workaround for Java 17 limitations | Recommended approach for Java 21+ |
   
   ### Implementation Details
   
   1. **Security Provider**: Registers BouncyCastle JSSE as primary provider on startup
   2. **Certificate Generation**: Auto-generates RSA-2048 keypairs and self-signed certificates
   3. **TLS Configuration**: Standard Quarkus SSL properties with mTLS enabled
   4. **Hybrid Key Exchange**: X25519 + ML-KEM-768 provides both classical and quantum resistance
   
   ### Test Plan
   
   - ✅ Unit tests verify certificate generation and PQC endpoints
   - ✅ Integration test (HttpPqcIT) runs in native mode
   - ✅ All tests passing in JVM and native modes
   
   ## Documentation
   
   The example includes:
   - Comprehensive README with architecture diagrams
   - Comparison table showing differences from Java 17 approach
   - Migration guide from Java 17 to Java 21
   - References to NIST standards and IETF drafts
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
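
Added example, not part of the pull request or the example project: since the description pairs standard RSA-2048 X.509 certificates with a hybrid key exchange, a deployment check has to confirm which key-exchange group the server actually selected. This Python sketch parses a TLS 1.3 ServerHello handshake message and verifies that the selected group is X25519MLKEM768. The function names and the sample messages are constructed for illustration; the codepoint 0x11EC and the share sizes are taken from the IANA TLS registry and FIPS 203, not from this page.

```python
import struct

X25519MLKEM768 = 0x11EC          # hybrid named-group codepoint (IANA registry)
X25519 = 0x001D                  # classical-only group, for comparison
SERVER_SHARE_LEN = 1088 + 32     # ML-KEM-768 ciphertext + X25519 public key

def negotiated_key_share(server_hello: bytes):
    """Return (group, share_len) from a TLS 1.3 ServerHello handshake message.
    share_len is None for a HelloRetryRequest, which names a group only."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = server_hello[4:4 + int.from_bytes(server_hello[1:4], "big")]
    try:
        pos = 2 + 32                      # legacy_version + random
        pos += 1 + body[pos]              # legacy_session_id_echo
        pos += 2 + 1                      # cipher_suite + legacy_compression_method
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions run past end of message")
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 51:            # 51 = key_share
                continue
            (group,) = struct.unpack_from("!H", data, 0)
            if len(data) == 2:
                return group, None
            (share_len,) = struct.unpack_from("!H", data, 2)
            if share_len != len(data) - 4:
                raise ValueError("key_share length mismatch")
            return group, share_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ServerHello") from exc
    raise ValueError("no key_share extension: not a TLS 1.3 handshake")

def is_hybrid_pqc(server_hello: bytes) -> bool:
    """True only if the server selected X25519MLKEM768 with a full-size share."""
    group, share_len = negotiated_key_share(server_hello)
    return group == X25519MLKEM768 and share_len == SERVER_SHARE_LEN

def build_sample(group: int, share_len: int) -> bytes:
    """Constructed ServerHello (zeroed random and key material) for the demo."""
    ks = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 43, 2, 0x0304) + struct.pack("!HH", 51, len(ks)) + ks
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A classical fallback to plain X25519 completes the handshake just as successfully, so a test that only checks for an HTTP 200 over TLS 1.3 would not notice it; asserting on the selected group does.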
