oscerd opened a new pull request, #23963:
URL: https://github.com/apache/camel/pull/23963

   ## Description
   
   `camel-main` generates a self-signed certificate for zero-config development 
HTTPS when `camel.ssl.selfSigned=true`. The generator 
(`SelfSignedCertificateGenerator`) hardcoded an **RSA-2048** key pair signed 
with **SHA256withRSA**.
   
   This PR makes the key algorithm configurable and switches the default to 
**EC**:
   
   - New option **`camel.ssl.selfSignedKeyType`** on 
`SSLConfigurationProperties` — `EC` (default, NIST P-256 / secp256r1, signed 
with SHA256withECDSA) or `RSA` (2048-bit, SHA256withRSA, retained for 
compatibility).
   - `SelfSignedCertificateGenerator` learns an EC path while keeping the 
existing **dependency-free, hand-rolled DER** encoding (no BouncyCastle in 
core) — adds an `ecdsa-with-SHA256` `AlgorithmIdentifier` (OID 
1.2.840.10045.4.3.2, parameters absent per RFC 5758).
   - Threaded through `BaseMainSupport`.
   
   EC P-256 is a modern default (smaller keys, faster handshakes) and a 
pluggable algorithm improves crypto-agility. This certificate is 
**development-only** ("NOT suitable for production use") and is regenerated 
each restart, so this is a hygiene/modernization change, not a security fix.
   
   ## JIRA
   
   https://issues.apache.org/jira/browse/CAMEL-23736
   
   ## Changes
   
   - `SSLConfigurationProperties`: new `selfSignedKeyType` option (default 
`EC`, enums `EC,RSA`)
   - `SelfSignedCertificateGenerator`: EC + RSA paths, ECDSA 
`AlgorithmIdentifier`
   - `BaseMainSupport`: pass the configured key type
   - `MainSSLTest`: assert EC default (`SHA256withECDSA`) + new RSA case 
(`SHA256withRSA`)
   - Regenerated camel-main config metadata (configurer, metadata JSON, 
`main.adoc`)
   - Upgrade-guide entry for the changed default 
(`camel-4x-upgrade-guide-4_21.adoc`)
   
   ## Testing
   
   `mvn -pl core/camel-main test -Dtest=MainSSLTest` → 16/16 green (EC default 
+ RSA verified end-to-end via the generated X.509 certificate's 
`getSigAlgName()` and public-key algorithm).
   
   ---
   _Submitted by Claude Code on behalf of Andrea Cosentino._
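The DER detail above (an `ecdsa-with-SHA256` AlgorithmIdentifier with the parameters field absent per RFC 5758, versus `sha256WithRSAEncryption` whose parameters are an explicit NULL) as an added stand-alone Python example; this is not code from the PR or from Camel's hand-rolled encoder, and the RSA NULL-parameters rule is taken from RFC 4055, not from the PR.

```python
# Constructed example, not Camel code: DER AlgorithmIdentifier for the PR's two signature algorithms.
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"  # RFC 5758: parameters MUST be absent
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # RFC 4055: parameters are NULL

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with DER length (short form < 128, long form above)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fold into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # continuation bytes carry the high bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def algorithm_identifier(oid: str, null_params: bool) -> bytes:
    """SEQUENCE { algorithm OID, parameters OPTIONAL } (NULL encodes as 05 00)."""
    return der_tlv(0x30, encode_oid(oid) + (b"\x05\x00" if null_params else b""))

def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid (first arc 0 or 1 only; enough for these OIDs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der: bytes):
    """Return (oid, parameters) from a short-form AlgorithmIdentifier; parameters is None when absent."""
    if der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1] or der[2] != 0x06:
        raise ValueError("not a short-form AlgorithmIdentifier")
    rest = der[4 + der[3]:]
    return decode_oid(der[4:4 + der[3]]), (rest or None)

def ecdsa_params_absent(der: bytes) -> bool:
    """The RFC 5758 rule a hand-rolled encoder has to honour: no parameters at all."""
    return parse_algorithm_identifier(der) == (ECDSA_WITH_SHA256, None)
```

Running `ecdsa_params_absent` over the `signatureAlgorithm` bytes of a generated certificate is a quick check that the encoder emits an empty parameters field rather than the NULL that RSA certificates carry.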


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.