Andrea Cosentino created CAMEL-23843:
----------------------------------------
Summary: Camel-PQC: sign/verify only handle String payloads and
use the platform default charset
Key: CAMEL-23843
URL: https://issues.apache.org/jira/browse/CAMEL-23843
Project: Camel
Issue Type: Bug
Components: camel-pqc
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
PQCProducer signature/verification (and the hybrid variants) read the body with
{{getMandatoryBody(String.class)}} and then call {{payload.getBytes()}} with no
explicit charset.
Two problems:
# Binary payloads cannot be signed/verified correctly. A
{{byte[]}}/{{InputStream}} body (PDF, image, protobuf, ...) is forced through a
String conversion and then re-encoded, which is not byte-for-byte safe.
# {{payload.getBytes()}} uses the JVM default charset. If the signing JVM and
the verifying JVM run with different {{file.encoding}} values (still possible on
Java 17, pre-JEP 400), non-ASCII content can make verification fail.
h3. Proposal
* Operate on {{byte[]}} natively: try {{byte[]}}/{{InputStream}} first, fall
back to String.
* When a String must be used, pin {{StandardCharsets.UTF_8}} (or honour the
Exchange charset) consistently on both sign and verify.
Affected: {{components/camel-pqc}} PQCProducer (sign, verify, hybridSign,
hybridVerify).
----
_Filed by Claude Code on behalf of Andrea Cosentino._
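
Added example, not part of the original issue or of the camel-pqc code: a Java 17+ program that reproduces both problems and the proposed byte[]-first handling. Ed25519 stands in for a PQC signature algorithm, explicit charsets stand in for two JVMs with different defaults, the payloads are constructed, and {{PayloadBytesDemo}} and {{toBytes}} are hypothetical names.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class PayloadBytesDemo {
    // Hypothetical helper: take bytes as-is, use String only as a UTF-8 fallback.
    static byte[] toBytes(Object body) throws Exception {
        if (body instanceof byte[] b) return b;
        if (body instanceof InputStream in) return in.readAllBytes();
        return body.toString().getBytes(StandardCharsets.UTF_8);
    }

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance("Ed25519"); // stand-in for a PQC algorithm
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("Ed25519");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();

        // Problem 1: constructed binary body; invalid UTF-8 bytes do not survive a String round trip.
        byte[] binary = {0x25, 0x50, 0x44, 0x46, (byte) 0xFF, (byte) 0xFE, 0x00, (byte) 0x80};
        byte[] viaString = new String(binary, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        System.out.println("round trip preserved bytes: " + Arrays.equals(binary, viaString));
        System.out.println("original signature verifies over them: " + verify(kp.getPublic(), viaString, sign(kp.getPrivate(), binary)));

        // Problem 2: same String, signer encodes as ISO-8859-1, verifier as UTF-8.
        String text = "caf\u00e9";
        byte[] sig = sign(kp.getPrivate(), text.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("mismatched charsets verify: " + verify(kp.getPublic(), text.getBytes(StandardCharsets.UTF_8), sig));

        // Proposal: byte[]/InputStream handled natively, String pinned to UTF-8 on both sides.
        byte[] sig2 = sign(kp.getPrivate(), toBytes(new ByteArrayInputStream(binary)));
        System.out.println("byte[] path verifies: " + verify(kp.getPublic(), toBytes(binary), sig2));
        System.out.println("pinned UTF-8 verifies: " + verify(kp.getPublic(), toBytes(text), sign(kp.getPrivate(), toBytes(text))));
    }
}
```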