This is an automated email from the ASF dual-hosted git repository. davsclaus pushed a commit to branch feature/CAMEL-23789-wave2-multi-dsl-docs in repository https://gitbox.apache.org/repos/asf/camel.git
commit 3bbe036dda5bf5434055883a1a650aac0b2aa165 Author: Claus Ibsen <[email protected]> AuthorDate: Thu Jun 18 12:05:49 2026 +0200 CAMEL-23789: Add multi-DSL tabs to pqc docs (Wave 2) Co-Authored-By: Claude <[email protected]> Signed-off-by: Claus Ibsen <[email protected]> --- .../camel-pqc/src/main/docs/pqc-component.adoc | 745 +++++++++++++++++++-- 1 file changed, 693 insertions(+), 52 deletions(-) diff --git a/components/camel-pqc/src/main/docs/pqc-component.adoc b/components/camel-pqc/src/main/docs/pqc-component.adoc index fe62173d257e..8e6dc49da967 100644 --- a/components/camel-pqc/src/main/docs/pqc-component.adoc +++ b/components/camel-pqc/src/main/docs/pqc-component.adoc @@ -115,16 +115,57 @@ TIP: To combine a classical signature (ECDSA, Ed25519, RSA) with a PQC signature - ML-DSA +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") - .to("mock:verify"); --------------------------------------------------------------------------------- +---- +from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") + .to("mock:verify"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + - to: + uri: mock:verify +---- +==== With the following beans registered in the Registry +._Java-only: registering ML-DSA KeyPair and Signature beans_ [source,java] --------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- @BindToRegistry("Keypair") public KeyPair setKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance("ML-DSA", "BC"); @@ -142,12 +183,54 @@ With the following beans registered in the Registry This could be done even without the Registry beans, by specifying the `signatureAlgorithm` parameter in the following way +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=MLDSA").to("mock:sign") +---- +from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=MLDSA").to("mock:sign") .to("pqc:verify?operation=verify&signatureAlgorithm=MLDSA") .to("mock:verify"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign&signatureAlgorithm=MLDSA"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify&signatureAlgorithm=MLDSA"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + signatureAlgorithm: MLDSA + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + signatureAlgorithm: MLDSA + - to: + uri: mock:verify +---- +==== With this approach the component will use the class `org.apache.camel.component.pqc.crypto.PQCDefaultMLDSAMaterial`, which will create the Signature and KeyPair objects to be used. @@ -155,16 +238,57 @@ The Spec used for the KeyPair will be, in this case, `ML-DSA-65`. - SLH-DSA +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") - .to("mock:verify"); --------------------------------------------------------------------------------- +---- +from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") + .to("mock:verify"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + - to: + uri: mock:verify +---- +==== With the following beans registered in the Registry +._Java-only: registering SLH-DSA KeyPair and Signature beans_ [source,java] --------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- @BindToRegistry("Keypair") public KeyPair setKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance("SLH-DSA", "BC"); @@ -182,12 +306,54 @@ With the following beans registered in the Registry This could be done even without the Registry beans, by specifying the `signatureAlgorithm` parameter in the following way +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=SLHDSA").to("mock:sign") +---- +from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=SLHDSA").to("mock:sign") .to("pqc:verify?operation=verify&signatureAlgorithm=SLHDSA") .to("mock:verify"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign&signatureAlgorithm=SLHDSA"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify&signatureAlgorithm=SLHDSA"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + signatureAlgorithm: SLHDSA + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + signatureAlgorithm: SLHDSA + - to: + uri: mock:verify +---- +==== With this approach the component will use the class `org.apache.camel.component.pqc.crypto.PQCDefaultSLHDSAMaterial`, which will create the Signature and KeyPair objects to be used. @@ -195,16 +361,57 @@ The Spec used for the KeyPair will be, in this case, `SLH-DSA-SHA2-128s`. - LMS +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") - .to("mock:verify"); --------------------------------------------------------------------------------- +---- +from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") + .to("mock:verify"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + - to: + uri: mock:verify +---- +==== With the following beans registered in the Registry +._Java-only: registering LMS KeyPair and Signature beans_ [source,java] --------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- @BindToRegistry("Keypair") public KeyPair setKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance("LMS", "BC"); @@ -222,12 +429,54 @@ With the following beans registered in the Registry This could be done even without the Registry beans, by specifying the `signatureAlgorithm` parameter in the following way +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=LMS").to("mock:sign") +---- +from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=LMS").to("mock:sign") .to("pqc:verify?operation=verify&signatureAlgorithm=LMS") .to("mock:verify"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign&signatureAlgorithm=LMS"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify&signatureAlgorithm=LMS"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + signatureAlgorithm: LMS + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + signatureAlgorithm: LMS + - to: + uri: mock:verify +---- +==== With this approach the component will use the class `org.apache.camel.component.pqc.crypto.PQCDefaultLMSMaterial`, which will create the Signature and KeyPair objects to be used. @@ -235,16 +484,57 @@ The Parameters used will be `LMS-SHA256-N32-H5` for the signature and `SHA256-n3 - XMSS +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") - .to("mock:verify"); --------------------------------------------------------------------------------- +---- +from("direct:sign").to("pqc:sign?operation=sign").to("mock:sign").to("pqc:verify?operation=verify") + .to("mock:verify"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + - to: + uri: mock:verify +---- +==== With the following beans registered in the Registry +._Java-only: registering XMSS KeyPair and Signature beans_ [source,java] --------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- @BindToRegistry("Keypair") public KeyPair setKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance("XMSS", "BCPQC"); @@ -262,12 +552,54 @@ With the following beans registered in the Registry This could be done even without the Registry beans, by specifying the `signatureAlgorithm` parameter in the following way +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=XMSS").to("mock:sign") +---- +from("direct:sign").to("pqc:sign?operation=sign&signatureAlgorithm=XMSS").to("mock:sign") .to("pqc:verify?operation=verify&signatureAlgorithm=XMSS") .to("mock:verify"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:sign?operation=sign&signatureAlgorithm=XMSS"/> + <to uri="mock:sign"/> + <to uri="pqc:verify?operation=verify&signatureAlgorithm=XMSS"/> + <to uri="mock:verify"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:sign + parameters: + operation: sign + signatureAlgorithm: XMSS + - to: + uri: mock:sign + - to: + uri: pqc:verify + parameters: + operation: verify + signatureAlgorithm: XMSS + - to: + uri: mock:verify +---- +==== With this approach the component will use the class `org.apache.camel.component.pqc.crypto.PQCDefaultXMSSMaterial`, which will create the Signature and KeyPair objects to be used. @@ -317,17 +649,60 @@ A possible flow of the operation could be the following: - ML-KEM +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- +---- from("direct:encapsulate").to("pqc:keyenc?operation=generateSecretKeyEncapsulation&symmetricKeyAlgorithm=AES") - .to("mock:encapsulate") - .to("pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES").to("mock:extract"); --------------------------------------------------------------------------------- + .to("mock:encapsulate") + .to("pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES").to("mock:extract"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:encapsulate"/> + <to uri="pqc:keyenc?operation=generateSecretKeyEncapsulation&symmetricKeyAlgorithm=AES"/> + <to uri="mock:encapsulate"/> + <to uri="pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES"/> + <to uri="mock:extract"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:encapsulate + steps: + - to: + uri: pqc:keyenc + parameters: + operation: generateSecretKeyEncapsulation + symmetricKeyAlgorithm: AES + - to: + uri: mock:encapsulate + - to: + uri: pqc:keyenc + parameters: + operation: extractSecretKeyEncapsulation + symmetricKeyAlgorithm: AES + - to: + uri: mock:extract +---- +==== With the following beans registered in the Registry +._Java-only: registering ML-KEM KeyPair and KeyGenerator beans_ [source,java] --------------------------------------------------------------------------------- +-------------------------------------------------------------------------------- @BindToRegistry("Keypair") public KeyPair setKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), @@ -348,14 +723,58 @@ With the following beans registered in the Registry This could be done even without the Registry beans, by specifying the `symmetricKeyAlgorithm` and `keyEncapsulationAlgorithm` parameters in the following way +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- - from("direct:encapsulate").to( - "pqc:keyenc?operation=generateSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM") - .to("mock:encapsulate") - .to("pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM") - .to("mock:extract"); --------------------------------------------------------------------------------- +---- +from("direct:encapsulate").to( + "pqc:keyenc?operation=generateSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM") + .to("mock:encapsulate") + .to("pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM") + .to("mock:extract"); +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:encapsulate"/> + <to uri="pqc:keyenc?operation=generateSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM"/> + <to uri="mock:encapsulate"/> + <to uri="pqc:keyenc?operation=extractSecretKeyEncapsulation&symmetricKeyAlgorithm=AES&keyEncapsulationAlgorithm=MLKEM"/> + <to uri="mock:extract"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:encapsulate + steps: + - to: + uri: pqc:keyenc + parameters: + operation: generateSecretKeyEncapsulation + symmetricKeyAlgorithm: AES + keyEncapsulationAlgorithm: MLKEM + - to: + uri: mock:encapsulate + - to: + uri: pqc:keyenc + parameters: + operation: extractSecretKeyEncapsulation + symmetricKeyAlgorithm: AES + keyEncapsulationAlgorithm: MLKEM + - to: + uri: mock:extract +---- +==== With this approach the component will use the class `org.apache.camel.component.pqc.crypto.kem.PQCDefaultMLKEMMaterial`, which will create the KeyGenerator and KeyPair objects to be used. @@ -369,6 +788,7 @@ All of this could be done to use the secret key coming from the encapsulation in As example you could use the secret key to dynamically instruct the CryptoDataFormat to use it, like in the following route. +._Java-only: extracting secret key from encapsulation for downstream CryptoDataFormat usage_ [source,java] -------------------------------------------------------------------------------- CryptoDataFormat cryptoFormat = new CryptoDataFormat("AES", null); @@ -437,6 +857,7 @@ A production-ready implementation that persists keys and metadata to disk. **Example:** +._Java-only: FileBasedKeyLifecycleManager usage_ [source,java] -------------------------------------------------------------------------------- KeyLifecycleManager keyManager = new FileBasedKeyLifecycleManager("/secure/keys"); @@ -471,6 +892,7 @@ A lightweight implementation that stores keys in memory only. **Example:** +._Java-only: InMemoryKeyLifecycleManager usage_ [source,java] -------------------------------------------------------------------------------- InMemoryKeyLifecycleManager keyManager = new InMemoryKeyLifecycleManager(); @@ -539,6 +961,7 @@ To use HashicorpVaultKeyLifecycleManager, add the following optional dependency: **Example with VaultTemplate:** +._Java-only: HashicorpVaultKeyLifecycleManager with VaultTemplate_ [source,java] -------------------------------------------------------------------------------- // Option 1: Using existing VaultTemplate (recommended when using camel-hashicorp-vault) @@ -570,6 +993,7 @@ KeyPair keyPair = keyManager.generateKeyPair("DILITHIUM", "app-signing-key", **Example with Direct Configuration:** +._Java-only: HashicorpVaultKeyLifecycleManager with direct configuration_ [source,java] -------------------------------------------------------------------------------- // Option 2: Direct configuration with connection parameters @@ -590,6 +1014,7 @@ KeyPair keyPair = keyManager.generateKeyPair("DILITHIUM", "vault-key", **Example with HashiCorp Cloud Platform (HCP) Vault:** +._Java-only: HashicorpVaultKeyLifecycleManager with HCP Vault_ [source,java] -------------------------------------------------------------------------------- // Option 3: Configuration for HCP Vault with namespace @@ -748,6 +1173,7 @@ admin/ # Namespace HashicorpVaultKeyLifecycleManager can share the same VaultTemplate with the camel-hashicorp-vault component: +._Java-only: reusing VaultTemplate from camel-hashicorp-vault_ [source,java] -------------------------------------------------------------------------------- // Reuse VaultTemplate from camel-hashicorp-vault @@ -962,6 +1388,7 @@ To use AwsSecretsManagerKeyLifecycleManager, add the following optional dependen **Example with SecretsManagerClient:** +._Java-only: AwsSecretsManagerKeyLifecycleManager with SecretsManagerClient_ [source,java] -------------------------------------------------------------------------------- // Option 1: Using existing SecretsManagerClient (recommended when using camel-aws-secrets-manager) @@ -989,6 +1416,7 @@ KeyPair keyPair = keyManager.generateKeyPair("DILITHIUM", "app-signing-key", **Example with Direct Configuration:** +._Java-only: AwsSecretsManagerKeyLifecycleManager with direct configuration_ [source,java] -------------------------------------------------------------------------------- // Option 2: Direct configuration with AWS credentials @@ -1007,6 +1435,7 @@ KeyPair keyPair = keyManager.generateKeyPair("DILITHIUM", "aws-key", **Example with LocalStack (Testing):** +._Java-only: AwsSecretsManagerKeyLifecycleManager with LocalStack_ [source,java] -------------------------------------------------------------------------------- // Option 3: Configuration for LocalStack testing @@ -1305,6 +1734,7 @@ Limit access to specific key IDs only: AwsSecretsManagerKeyLifecycleManager can share the same SecretsManagerClient with the camel-aws-secrets-manager component: +._Java-only: reusing SecretsManagerClient from camel-aws-secrets-manager_ [source,java] -------------------------------------------------------------------------------- // Reuse SecretsManagerClient from camel-aws-secrets-manager @@ -1405,6 +1835,7 @@ The key lifecycle manager supports all PQC algorithms with sensible default para ==== Signature Algorithms +._Java-only: generating key pairs for various PQC signature algorithms_ [source,java] -------------------------------------------------------------------------------- // ML-DSA (uses default ML-DSA-65) @@ -1429,6 +1860,7 @@ KeyPair lmsKey = keyManager.generateKeyPair("LMS", "lms-key"); ==== Key Encapsulation Algorithms +._Java-only: generating key pairs for various PQC KEM algorithms_ [source,java] -------------------------------------------------------------------------------- // ML-KEM (uses default) @@ -1448,6 +1880,7 @@ KeyPair bikeKey = keyManager.generateKeyPair("BIKE", "bike-key"); Each key is associated with metadata that tracks its lifecycle: +._Java-only: retrieving and inspecting key metadata_ [source,java] -------------------------------------------------------------------------------- KeyMetadata metadata = keyManager.getKeyMetadata("my-key"); @@ -1474,6 +1907,7 @@ System.out.println("Next rotation: " + metadata.getNextRotationAt()); Key rotation is essential for maintaining security. The lifecycle manager supports automated rotation: +._Java-only: checking rotation need and rotating a key_ [source,java] -------------------------------------------------------------------------------- // Check if key needs rotation @@ -1504,6 +1938,7 @@ Keys can be exported and imported in multiple formats: **Export Example:** +._Java-only: exporting keys in PEM and DER formats_ [source,java] -------------------------------------------------------------------------------- KeyPair keyPair = keyManager.getKey("my-key"); @@ -1526,6 +1961,7 @@ byte[] fullExport = keyManager.exportKey(keyPair, KeyFormat.DER, true); **Import Example:** +._Java-only: importing a key from PEM format_ [source,java] -------------------------------------------------------------------------------- // Import from PEM format @@ -1541,6 +1977,7 @@ keyManager.storeKey("imported-key", imported, metadata); **Expire a Key:** +._Java-only: setting expiration and manually expiring a key_ [source,java] -------------------------------------------------------------------------------- // Set expiration time @@ -1559,6 +1996,7 @@ if (metadata.isExpired()) { **Revoke a Key:** +._Java-only: revoking a compromised key_ [source,java] -------------------------------------------------------------------------------- // Revoke a compromised key @@ -1571,6 +2009,7 @@ assert metadata.getDescription().contains("Revoked: Private key exposed"); === Listing and Managing Keys +._Java-only: listing, filtering, and deleting keys_ [source,java] -------------------------------------------------------------------------------- // List all keys @@ -1727,6 +2166,7 @@ The lifecycle manager provides sensible defaults for all algorithms: Implement automated key rotation policies: +._Java-only: automated key rotation policy_ [source,java] -------------------------------------------------------------------------------- // Rotate keys every 90 days or after 10,000 uses @@ -1751,6 +2191,7 @@ For FileBasedKeyLifecycleManager: Always update metadata when using keys: +._Java-only: updating key usage metadata_ [source,java] -------------------------------------------------------------------------------- KeyMetadata metadata = keyManager.getKeyMetadata(keyId); @@ -1780,6 +2221,7 @@ When exporting keys: Use InMemoryKeyLifecycleManager for tests: +._Java-only: test setup and cleanup with InMemoryKeyLifecycleManager_ [source,java] -------------------------------------------------------------------------------- @BeforeEach @@ -1802,6 +2244,7 @@ Both implementations are thread-safe: Concurrent key operations are safe: +._Java-only: concurrent key generation with thread pool_ [source,java] -------------------------------------------------------------------------------- ExecutorService executor = Executors.newFixedThreadPool(10); @@ -1826,6 +2269,7 @@ executor.awaitTermination(1, TimeUnit.MINUTES); To migrate from InMemoryKeyLifecycleManager to FileBasedKeyLifecycleManager: +._Java-only: migrating keys between lifecycle manager implementations_ [source,java] -------------------------------------------------------------------------------- InMemoryKeyLifecycleManager memoryManager = new InMemoryKeyLifecycleManager(); @@ -1871,8 +2315,12 @@ The component supports hybrid signatures that combine a classical signature (e.g **Example - Hybrid Signature with ECDSA P-256 + ML-DSA:** +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- +---- from("direct:sign") .to("pqc:hybrid?operation=hybridSign" + "&signatureAlgorithm=MLDSA" @@ -1884,18 +2332,99 @@ from("direct:verify") + "&signatureAlgorithm=MLDSA" + "&classicalSignatureAlgorithm=ECDSA_P256") .to("mock:verified"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:hybrid?operation=hybridSign&signatureAlgorithm=MLDSA&classicalSignatureAlgorithm=ECDSA_P256"/> + <to uri="mock:signed"/> +</route> +<route> + <from uri="direct:verify"/> + <to uri="pqc:hybrid?operation=hybridVerify&signatureAlgorithm=MLDSA&classicalSignatureAlgorithm=ECDSA_P256"/> + <to uri="mock:verified"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:hybrid + parameters: + operation: hybridSign + signatureAlgorithm: MLDSA + classicalSignatureAlgorithm: ECDSA_P256 + - to: + uri: mock:signed +- route: + from: + uri: direct:verify + steps: + - to: + uri: pqc:hybrid + parameters: + operation: hybridVerify + signatureAlgorithm: MLDSA + classicalSignatureAlgorithm: ECDSA_P256 + - to: + uri: mock:verified +---- +==== **Example - Hybrid Signature with Ed25519 + ML-DSA:** +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- +---- from("direct:sign") .to("pqc:hybrid?operation=hybridSign" + "&signatureAlgorithm=MLDSA" + "&classicalSignatureAlgorithm=ED25519") .to("mock:signed"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:sign"/> + <to uri="pqc:hybrid?operation=hybridSign&signatureAlgorithm=MLDSA&classicalSignatureAlgorithm=ED25519"/> + <to uri="mock:signed"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:sign + steps: + - to: + uri: pqc:hybrid + parameters: + operation: hybridSign + signatureAlgorithm: MLDSA + classicalSignatureAlgorithm: ED25519 + - to: + uri: mock:signed +---- +==== **Hybrid Signature Wire Format:** @@ -1934,8 +2463,12 @@ The component supports hybrid Key Encapsulation Mechanisms that combine classica **Example - Hybrid KEM with X25519 + ML-KEM:** +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- +---- from("direct:encapsulate") .to("pqc:hybridkem?operation=hybridGenerateSecretKeyEncapsulation" + "&keyEncapsulationAlgorithm=MLKEM" @@ -1951,12 +2484,67 @@ from("direct:extract") + "&symmetricKeyAlgorithm=AES" + "&symmetricKeyLength=256") .to("mock:extracted"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:encapsulate"/> + <to uri="pqc:hybridkem?operation=hybridGenerateSecretKeyEncapsulation&keyEncapsulationAlgorithm=MLKEM&classicalKEMAlgorithm=X25519&symmetricKeyAlgorithm=AES&symmetricKeyLength=256"/> + <to uri="mock:encapsulated"/> +</route> +<route> + <from uri="direct:extract"/> + <to uri="pqc:hybridkem?operation=hybridExtractSecretKeyEncapsulation&keyEncapsulationAlgorithm=MLKEM&classicalKEMAlgorithm=X25519&symmetricKeyAlgorithm=AES&symmetricKeyLength=256"/> + <to uri="mock:extracted"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:encapsulate + steps: + - to: + uri: pqc:hybridkem + parameters: + operation: hybridGenerateSecretKeyEncapsulation + keyEncapsulationAlgorithm: MLKEM + classicalKEMAlgorithm: X25519 + symmetricKeyAlgorithm: AES + symmetricKeyLength: 256 + - to: + uri: mock:encapsulated +- route: + from: + uri: direct:extract + steps: + - to: + uri: pqc:hybridkem + parameters: + operation: hybridExtractSecretKeyEncapsulation + keyEncapsulationAlgorithm: MLKEM + classicalKEMAlgorithm: X25519 + symmetricKeyAlgorithm: AES + symmetricKeyLength: 256 + - to: + uri: mock:extracted +---- +==== **Example - Hybrid KEM with ECDH P-256 + ML-KEM:** +[tabs] +==== +Java:: ++ [source,java] --------------------------------------------------------------------------------- +---- from("direct:encapsulate") .to("pqc:hybridkem?operation=hybridGenerateSecretKeyEncapsulation" + "&keyEncapsulationAlgorithm=MLKEM" @@ -1965,7 +2553,40 @@ from("direct:encapsulate") + "&symmetricKeyLength=128" + "&hybridKdfAlgorithm=HKDF-SHA256") .to("mock:encapsulated"); --------------------------------------------------------------------------------- +---- + +XML:: ++ +[source,xml] +---- +<route> + <from uri="direct:encapsulate"/> + <to uri="pqc:hybridkem?operation=hybridGenerateSecretKeyEncapsulation&keyEncapsulationAlgorithm=MLKEM&classicalKEMAlgorithm=ECDH_P256&symmetricKeyAlgorithm=AES&symmetricKeyLength=128&hybridKdfAlgorithm=HKDF-SHA256"/> + <to uri="mock:encapsulated"/> +</route> +---- + +YAML:: ++ +[source,yaml] +---- +- route: + from: + uri: direct:encapsulate + steps: + - to: + uri: pqc:hybridkem + parameters: + operation: hybridGenerateSecretKeyEncapsulation + keyEncapsulationAlgorithm: MLKEM + classicalKEMAlgorithm: ECDH_P256 + symmetricKeyAlgorithm: AES + symmetricKeyLength: 128 + hybridKdfAlgorithm: HKDF-SHA256 + - to: + uri: mock:encapsulated +---- +==== **Hybrid KEM Wire Format:** @@ -2077,6 +2698,7 @@ The `PQCAlgorithmId` enum maps every supported algorithm — classical signature **Lookup by JCA name:** +._Java-only: resolving PQCAlgorithmId from JCA algorithm names_ [source,java] -------------------------------------------------------------------------------- // Resolve from a JCA algorithm string (case-insensitive) @@ -2090,6 +2712,7 @@ PQCAlgorithmId unknown = PQCAlgorithmId.fromJcaName("FutureAlg"); // UNKNOWN **Lookup by wire format ID:** +._Java-only: resolving PQCAlgorithmId from wire format identifier_ [source,java] -------------------------------------------------------------------------------- // Resolve from a 16-bit identifier read from the wire @@ -2100,6 +2723,7 @@ String jca = alg.getJcaName(); // "ML-DSA" **Inspecting algorithm metadata from a parsed hybrid output:** +._Java-only: parsing and inspecting v2 hybrid signature components_ [source,java] -------------------------------------------------------------------------------- // After parsing a v2 hybrid signature @@ -2199,6 +2823,7 @@ This format allows the receiver to identify the algorithms used, extract the enc ==== Java DSL +._Java-only: PQC DataFormat basic encrypt and decrypt routes_ [source,java] -------------------------------------------------------------------------------- // Create PQC DataFormat @@ -2299,6 +2924,7 @@ The DataFormat requires a KeyPair to be available either: ==== Option 1: Registry-based Configuration +._Java-only: registering ML-KEM KeyPair in Camel registry_ [source,java] -------------------------------------------------------------------------------- @BindToRegistry("pqcKeyPair") @@ -2316,6 +2942,7 @@ pqcFormat.setSymmetricKeyAlgorithm("AES"); ==== Option 2: Direct Configuration +._Java-only: configuring PQCDataFormat with KeyPair directly_ [source,java] -------------------------------------------------------------------------------- KeyPairGenerator kpg = KeyPairGenerator.getInstance("ML-KEM", "BCPQC"); @@ -2330,6 +2957,7 @@ pqcFormat.setSymmetricKeyAlgorithm("AES"); ==== Option 3: Header-based Configuration +._Java-only: providing KeyPair via message header_ [source,java] -------------------------------------------------------------------------------- from("direct:encrypt") @@ -2377,6 +3005,7 @@ from("direct:encrypt") ==== Secure File Transfer +._Java-only: PQC DataFormat for secure file encrypt and decrypt_ [source,java] -------------------------------------------------------------------------------- PQCDataFormat pqcFormat = new PQCDataFormat(); @@ -2399,6 +3028,7 @@ from("file:encrypted?noop=true") ==== API Message Encryption +._Java-only: PQC DataFormat for API message encrypt and decrypt_ [source,java] -------------------------------------------------------------------------------- from("direct:secure-api") @@ -2413,6 +3043,7 @@ from("direct:secure-api") ==== Multiple Algorithm Support +._Java-only: PQC DataFormat with multiple security levels_ [source,java] -------------------------------------------------------------------------------- // Different algorithms for different security levels @@ -2440,6 +3071,7 @@ from("direct:classify") ==== Dynamic Algorithm Selection via Headers +._Java-only: PQC DataFormat with dynamic algorithm selection_ [source,java] -------------------------------------------------------------------------------- PQCDataFormat pqcFormat = new PQCDataFormat(); @@ -2455,6 +3087,7 @@ from("direct:dynamic-encrypt") The PQC DataFormat can be integrated with the Key Lifecycle Manager for automated key management: +._Java-only: integrating PQC DataFormat with Key Lifecycle Manager_ [source,java] -------------------------------------------------------------------------------- @BindToRegistry("keyLifecycleManager") @@ -2489,6 +3122,7 @@ public KeyPair createKeyPair() throws Exception { **Manual Approach (using PQC component endpoints):** +._Java-only: manual KEM encrypt with multiple endpoint steps_ [source,java] -------------------------------------------------------------------------------- from("direct:manual-encrypt") @@ -2503,6 +3137,7 @@ from("direct:manual-encrypt") **DataFormat Approach (simplified):** +._Java-only: simplified encrypt using PQCDataFormat_ [source,java] -------------------------------------------------------------------------------- from("direct:dataformat-encrypt") @@ -2547,6 +3182,7 @@ The DataFormat approach is significantly simpler and handles all KEM operations Adjust bufferSize based on message size: +._Java-only: configuring PQCDataFormat buffer size_ [source,java] -------------------------------------------------------------------------------- PQCDataFormat pqcFormat = new PQCDataFormat(); @@ -2557,6 +3193,7 @@ pqcFormat.setBufferSize(8192); // Larger buffer for big files Configure a KeyGenerator once to avoid repeated initialization: +._Java-only: caching a KeyGenerator to avoid repeated initialization_ [source,java] -------------------------------------------------------------------------------- @BindToRegistry("kemKeyGenerator") @@ -2572,6 +3209,7 @@ pqcFormat.setKeyGenerator(kemKeyGenerator); The DataFormat supports streaming for large payloads, avoiding memory issues: +._Java-only: streaming large files with PQCDataFormat_ [source,java] -------------------------------------------------------------------------------- from("file:large-files?noop=true") @@ -2584,6 +3222,7 @@ from("file:large-files?noop=true") Example test demonstrating round-trip encryption/decryption: +._Java-only: JUnit 5 test for PQC DataFormat round-trip encryption_ [source,java] -------------------------------------------------------------------------------- @Test @@ -2641,6 +3280,7 @@ void testPQCDataFormatRoundTrip() throws Exception { * **Solution**: Add Bouncy Castle providers: + +._Java-only: adding Bouncy Castle security providers_ [source,java] -------------------------------------------------------------------------------- Security.addProvider(new BouncyCastleProvider()); @@ -2656,6 +3296,7 @@ Security.addProvider(new BouncyCastlePQCProvider()); * **Solution**: Increase buffer size or enable stream caching: + +._Java-only: increasing buffer size or enabling stream caching_ [source,java] -------------------------------------------------------------------------------- pqcFormat.setBufferSize(16384);
