[
https://issues.apache.org/jira/browse/CAMEL-23843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Cosentino updated CAMEL-23843:
-------------------------------------
Fix Version/s: 4.22.0
> Camel-PQC: sign/verify only handle String payloads and use the platform
> default charset
> ---------------------------------------------------------------------------------------
>
> Key: CAMEL-23843
> URL: https://issues.apache.org/jira/browse/CAMEL-23843
> Project: Camel
> Issue Type: Bug
> Components: camel-pqc
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.22.0
>
>
> PQCProducer signature/verification (and the hybrid variants) read the body
> with {{getMandatoryBody(String.class)}} and then call {{payload.getBytes()}}
> with no explicit charset.
> Two problems:
> # Binary payloads cannot be signed/verified correctly. A
> {{byte[]}}/{{InputStream}} body (PDF, image, protobuf, ...) is forced through
> a String conversion and then re-encoded, which is not byte-for-byte safe.
> # {{payload.getBytes()}} uses the JVM default charset. Signing on one JVM and
> verifying on another with a different {{file.encoding}} (still possible on
> Java 17, pre-JEP 400) and non-ASCII content can make verification fail.
> h3. Proposal
> * Operate on {{byte[]}} natively: try {{byte[]}}/{{InputStream}} first, fall
> back to String.
> * When a String must be used, pin {{StandardCharsets.UTF_8}} (or honour the
> Exchange charset) consistently on both sign and verify.
> Affected: {{components/camel-pqc}} PQCProducer (sign, verify, hybridSign,
> hybridVerify).
> ----
> _Filed by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)