Skip to content

CAMEL-23843: Camel-PQC - sign and verify String payloads as UTF-8#24716

Merged
oscerd merged 2 commits into
apache:mainfrom
oscerd:fix/CAMEL-23843
Jul 16, 2026
Merged

CAMEL-23843: Camel-PQC - sign and verify String payloads as UTF-8#24716
oscerd merged 2 commits into
apache:mainfrom
oscerd:fix/CAMEL-23843

Conversation

@oscerd

@oscerd oscerd commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

CAMEL-23843: Camel-PQC — sign and verify String payloads as UTF-8

The bug

PQCProducer sign/verify (and the hybrid variants) read the body and, when it is not already binary,
encode it with String.getBytes() — i.e. the JVM default charset. The default charset is platform
dependent, so signing on one JVM and verifying on another with a different default disagrees on the
bytes of a non-ASCII payload and verification fails.

The issue also called out that binary payloads were forced through a String conversion. That half is
already fixed on main
by CAMEL-23847 (#24644, merged): byte[] and InputStream bodies are now fed
to the signature byte-for-byte. What remained is the charset.

The fix

Pin StandardCharsets.UTF_8 in both body-to-bytes fallbacks (updateSignatureFromBody, used by
sign/verify, and bodyToByteArray, used by the hybrid variants), so sign and verify always agree on
the encoding. Binary bodies are untouched.

Scope / honesty about impact

On Java 18+ the default charset is already UTF-8 (JEP 400), so this is a no-op there — the value
of the change is that the encoding becomes explicit and deterministic rather than
environment-dependent. On Java 17 with a non-UTF-8 default (which Camel still supports) the bug is
live, and this fixes it.

Because it can change the signature of a non-ASCII String payload on such a JVM, it is documented in
the 4.22 upgrade guide.

Testing

New PQCSignatureCharsetTest (2 tests):

  • a String body and its UTF-8 bytes are interchangeable — signing the String verifies against the
    UTF-8 bytes and vice versa;
  • a negative check: a signature over the String must not verify against the same text encoded as
    ISO-8859-1.

The existing PQCStreamingSignatureTest (5) still passes. Module build green, no generated drift.

Backport

4.18.x (4.18.4) and 4.14.x (4.14.9)charset only. Those branches never received the
streaming/binary-payload work (CAMEL-23847, an improvement kept to main), so the backport pins UTF-8
for String bodies but does not add native byte[]/InputStream handling: that remains the
main-only improvement. The determinism bug for String payloads is fixed on all three lines.


Claude Code on behalf of Andrea Cosentino.

sign/verify (and the hybrid variants) encoded a String message body with
String.getBytes(), which uses the JVM default charset. The default charset is
platform dependent, so signing on one JVM and verifying on another with a different
default could disagree on the bytes of a non-ASCII payload and fail verification.

Pin StandardCharsets.UTF_8 in both body-to-bytes fallbacks, so signing and verifying
always agree. Binary bodies (byte[], InputStream) are unaffected: they are already
signed byte-for-byte (CAMEL-23847).

On Java 18 and newer the default charset is already UTF-8 (JEP 400), so this is a
no-op there; on Java 17 with a non-UTF-8 default it changes the signature of a
non-ASCII String payload, which is documented in the 4.22 upgrade guide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@davsclaus davsclaus left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minimal, well-scoped fix for the last remaining piece after CAMEL-23847 handled binary bodies. Both String-to-bytes conversion points (updateSignatureFromBody and bodyToByteArray) are pinned to UTF-8, so sign and verify always agree regardless of the JVM default charset.

The test covers both directions (String ↔ UTF-8 bytes interchangeable, String ↛ ISO-8859-1 bytes) with non-ASCII text where the encodings genuinely differ. Upgrade guide entry is honest about impact (no-op on Java 18+, live fix on Java 17 with non-UTF-8 default). Component docs updated.

LGTM.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean fix that pins UTF-8 encoding in both String-to-bytes fallback paths for PQC sign/verify operations. Correct, well-tested, and thoroughly documented.

Key observations:

  • The fix is applied consistently to both conversion points: updateSignatureFromBody (used by sign/verify) and bodyToByteArray (used by hybridSign/hybridVerify). This symmetry prevents encoding mismatches between standard and hybrid code paths.

  • Good use of StandardCharsets.UTF_8 (compile-time constant) rather than Charset.forName("UTF-8"). The inline comments explaining the platform-dependent charset rationale are helpful for future maintainers.

  • The test uses non-ASCII characters (accented Latin, em-dash) which is the right choice for detecting encoding mismatches — these are multi-byte in UTF-8 but single-byte in ISO-8859-1. The explicit cross-check at line 87 that ISO-8859-1 produces different bytes confirms the test's discriminating power.

  • The upgrade guide entry correctly notes this is a no-op on Java 18+ (where UTF-8 is the default charset) and only a live fix on Java 17 with a non-UTF-8 default. This is exactly the kind of precision users need.

  • The PR description's honesty about scope and impact ("no-op on Java 18+, live fix on Java 17 with non-UTF-8 default") is a model for security-sensitive changes.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

Claude Code review on behalf of @gnodet

@apupier

apupier commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

conflict to resolve

@oscerd oscerd closed this Jul 16, 2026
@oscerd oscerd reopened this Jul 16, 2026
@oscerd oscerd merged commit 3b3f581 into apache:main Jul 16, 2026
6 checks passed
oscerd added a commit that referenced this pull request Jul 16, 2026
…ng payloads as UTF-8 (#24723)

[backport camel-4.18.x] CAMEL-23843: Camel-PQC sign and verify String payloads as UTF-8

sign/verify encoded a String message body with String.getBytes(), which uses the JVM
default charset. The default charset is platform dependent, so signing on one JVM and
verifying on another with a different default could disagree on the bytes of a
non-ASCII payload and fail verification. Pin StandardCharsets.UTF_8.

Charset-only backport of #24716. The native byte[]/InputStream handling from
CAMEL-23847 is an improvement that stays on main only, so it is intentionally not
part of this backport.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

oscerd added a commit that referenced this pull request Jul 16, 2026
…ng payloads as UTF-8 (#24725)

[backport camel-4.14.x] CAMEL-23843: Camel-PQC sign and verify String payloads as UTF-8

sign/verify encoded a String message body with String.getBytes(), which uses the JVM
default charset. The default charset is platform dependent, so signing on one JVM and
verifying on another with a different default could disagree on the bytes of a
non-ASCII payload and fail verification. Pin StandardCharsets.UTF_8.

Charset-only backport of #24716. The native byte[]/InputStream handling from
CAMEL-23847 is an improvement that stays on main only, so it is intentionally not
part of this backport.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

🧪 CI tested the following changed modules:

  • components/camel-pqc
  • docs

🔬 Scalpel shadow comparison — Scalpel: 10 tested, 28 compile-only — current: 9 all tested

Maveniverse Scalpel detected 38 affected modules (current approach: 9).

⚠️ Modules only in Scalpel (29)
  • apache-camel
  • camel-allcomponents
  • camel-catalog
  • camel-catalog-console
  • camel-catalog-lucene
  • camel-catalog-maven
  • camel-catalog-suggest
  • camel-componentdsl
  • camel-csimple-maven-plugin
  • camel-endpointdsl
  • camel-endpointdsl-support
  • camel-itest
  • camel-jbang-core
  • camel-jbang-it
  • camel-jbang-main
  • camel-jbang-plugin-edit
  • camel-jbang-plugin-generate
  • camel-jbang-plugin-kubernetes
  • camel-jbang-plugin-test
  • camel-kamelet-main
  • camel-launcher
  • camel-report-maven-plugin
  • camel-route-parser
  • camel-yaml-dsl
  • camel-yaml-dsl-deserializers
  • camel-yaml-dsl-maven-plugin
  • coverage
  • docs
  • dummy-component

Skip-tests mode would test 10 modules (2 direct + 8 downstream), skip tests for 28 (generated code, meta-modules)

Modules Scalpel would test (10)
  • camel-jbang-mcp
  • camel-jbang-plugin-mcp
  • camel-jbang-plugin-route-parser
  • camel-jbang-plugin-tui
  • camel-jbang-plugin-validate
  • camel-launcher-container
  • camel-pqc
  • camel-yaml-dsl-validator
  • camel-yaml-dsl-validator-maven-plugin
  • docs
Modules with tests skipped (28)
  • apache-camel
  • camel-allcomponents
  • camel-catalog
  • camel-catalog-console
  • camel-catalog-lucene
  • camel-catalog-maven
  • camel-catalog-suggest
  • camel-componentdsl
  • camel-csimple-maven-plugin
  • camel-endpointdsl
  • camel-endpointdsl-support
  • camel-itest
  • camel-jbang-core
  • camel-jbang-it
  • camel-jbang-main
  • camel-jbang-plugin-edit
  • camel-jbang-plugin-generate
  • camel-jbang-plugin-kubernetes
  • camel-jbang-plugin-test
  • camel-kamelet-main
  • camel-launcher
  • camel-report-maven-plugin
  • camel-route-parser
  • camel-yaml-dsl
  • camel-yaml-dsl-deserializers
  • camel-yaml-dsl-maven-plugin
  • coverage
  • dummy-component

ℹ️ Shadow mode — Scalpel observes but does not affect test execution. Learn more

All tested modules (38 modules)
  • Camel :: All Components Sync point
  • Camel :: Assembly
  • Camel :: Catalog :: CSimple Maven Plugin (deprecated)
  • Camel :: Catalog :: Camel Catalog
  • Camel :: Catalog :: Camel Report Maven Plugin
  • Camel :: Catalog :: Camel Route Parser
  • Camel :: Catalog :: Console
  • Camel :: Catalog :: Dummy Component
  • Camel :: Catalog :: Lucene (deprecated)
  • Camel :: Catalog :: Maven
  • Camel :: Catalog :: Suggest
  • Camel :: Component DSL
  • Camel :: Coverage
  • Camel :: Docs
  • Camel :: Endpoint DSL
  • Camel :: Endpoint DSL :: Support
  • Camel :: Integration Tests
  • Camel :: JBang :: Core
  • Camel :: JBang :: Integration tests
  • Camel :: JBang :: MCP
  • Camel :: JBang :: Main
  • Camel :: JBang :: Plugin :: Edit
  • Camel :: JBang :: Plugin :: Generate
  • Camel :: JBang :: Plugin :: Kubernetes
  • Camel :: JBang :: Plugin :: MCP
  • Camel :: JBang :: Plugin :: Route Parser
  • Camel :: JBang :: Plugin :: TUI
  • Camel :: JBang :: Plugin :: Testing
  • Camel :: JBang :: Plugin :: Validate
  • Camel :: Kamelet Main
  • Camel :: Launcher
  • Camel :: Launcher :: Container
  • Camel :: PQC
  • Camel :: YAML DSL
  • Camel :: YAML DSL :: Deserializers
  • Camel :: YAML DSL :: Maven Plugins
  • Camel :: YAML DSL :: Validator
  • Camel :: YAML DSL :: Validator Maven Plugin

⚙️ View full build and test results

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants