diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/PQCProducer.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/PQCProducer.java index baa64ffe401bf..646a502a85fbd 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/PQCProducer.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/PQCProducer.java @@ -42,6 +42,7 @@ import org.apache.camel.health.WritableHealthCheckRepository; import org.apache.camel.support.DefaultProducer; import org.apache.camel.util.ObjectHelper; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.SecretKeyWithEncapsulation; import org.bouncycastle.jcajce.spec.KEMExtractSpec; import org.bouncycastle.jcajce.spec.KEMGenerateSpec; @@ -457,7 +458,7 @@ private void generateEncapsulation(Exchange exchange) keyPair.getPublic(), getEndpoint().getConfiguration().getSymmetricKeyAlgorithm(), getEndpoint().getConfiguration().getSymmetricKeyLength()), - new SecureRandom()); + SecureRandomHelper.getSecureRandom()); // SecretKeyWithEncapsulation is the class to use as the secret key, it has additional // methods on it for recovering the encapsulation as well. SecretKeyWithEncapsulation secEnc1 = (SecretKeyWithEncapsulation) keyGenerator.generateKey(); @@ -480,7 +481,7 @@ private void extractEncapsulation(Exchange exchange) keyPair.getPrivate(), payload.getEncapsulation(), PQCSymmetricAlgorithms.valueOf(getConfiguration().getSymmetricKeyAlgorithm()).getAlgorithm(), getEndpoint().getConfiguration().getSymmetricKeyLength()), - new SecureRandom()); + SecureRandomHelper.getSecureRandom()); // initialise for extracting the shared secret from the encapsulation. SecretKeyWithEncapsulation secEnc2 = (SecretKeyWithEncapsulation) keyGenerator.generateKey(); diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultMLDSAMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultMLDSAMaterial.java index ec5f843b3e846..cad34f7e08ab1 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultMLDSAMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultMLDSAMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLDSAParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -49,7 +50,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance(PQCSignatureAlgorithms.MLDSA.getAlgorithm(), PQCSignatureAlgorithms.MLDSA.getBcProvider()); - kpGen.initialize(MLDSAParameterSpec.ml_dsa_65, new SecureRandom()); + kpGen.initialize(MLDSAParameterSpec.ml_dsa_65, SecureRandomHelper.getSecureRandom()); return kpGen; } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSLHDSAMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSLHDSAMaterial.java index bed39c949ab85..f102214912a59 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSLHDSAMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSLHDSAMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.SLHDSAParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -49,7 +50,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance(PQCSignatureAlgorithms.SLHDSA.getAlgorithm(), PQCSignatureAlgorithms.SLHDSA.getBcProvider()); - kpGen.initialize(SLHDSAParameterSpec.slh_dsa_sha2_128s, new SecureRandom()); + kpGen.initialize(SLHDSAParameterSpec.slh_dsa_sha2_128s, SecureRandomHelper.getSecureRandom()); return kpGen; } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSPHINCSPLUSMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSPHINCSPLUSMaterial.java index 01506ff5a8853..c39278c9c4f93 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSPHINCSPLUSMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultSPHINCSPLUSMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.SPHINCSPlusParameterSpec; @@ -49,7 +50,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance(PQCSignatureAlgorithms.SPHINCSPLUS.getAlgorithm(), PQCSignatureAlgorithms.SPHINCSPLUS.getBcProvider()); - kpGen.initialize(SPHINCSPlusParameterSpec.haraka_256s, new SecureRandom()); + kpGen.initialize(SPHINCSPlusParameterSpec.haraka_256s, SecureRandomHelper.getSecureRandom()); return kpGen; } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMTMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMTMaterial.java index ae3629cce3948..7180661c90130 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMTMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMTMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.XMSSMTParameterSpec; @@ -49,7 +50,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance(PQCSignatureAlgorithms.XMSSMT.getAlgorithm(), PQCSignatureAlgorithms.XMSSMT.getBcProvider()); - kpGen.initialize(XMSSMTParameterSpec.XMSSMT_SHA2_20d2_256, new SecureRandom()); + kpGen.initialize(XMSSMTParameterSpec.XMSSMT_SHA2_20d2_256, SecureRandomHelper.getSecureRandom()); return kpGen; } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMaterial.java index 00e424fd092d2..74fe1e882192a 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/PQCDefaultXMSSMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.XMSSParameterSpec; @@ -49,7 +50,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpGen = KeyPairGenerator.getInstance(PQCSignatureAlgorithms.XMSS.getAlgorithm(), PQCSignatureAlgorithms.XMSS.getBcProvider()); - kpGen.initialize(new XMSSParameterSpec(10, XMSSParameterSpec.SHA256), new SecureRandom()); + kpGen.initialize(new XMSSParameterSpec(10, XMSSParameterSpec.SHA256), SecureRandomHelper.getSecureRandom()); return kpGen; } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/HybridKEM.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/HybridKEM.java index a637abea3ac58..e2dc94b39caaa 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/HybridKEM.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/HybridKEM.java @@ -26,6 +26,7 @@ import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.crypto.digests.SHA256Digest; import org.bouncycastle.crypto.digests.SHA384Digest; import org.bouncycastle.crypto.digests.SHA512Digest; @@ -96,7 +97,7 @@ public static HybridEncapsulationResult encapsulate( // Perform PQC KEM encapsulation pqcKemGenerator.init( new KEMGenerateSpec(pqcPublicKey, symmetricAlgorithm, keyLength), - new SecureRandom()); + SecureRandomHelper.getSecureRandom()); SecretKeyWithEncapsulation pqcResult = (SecretKeyWithEncapsulation) pqcKemGenerator.generateKey(); byte[] pqcSharedSecret = pqcResult.getEncoded(); byte[] pqcEncapsulation = pqcResult.getEncapsulation(); @@ -167,7 +168,7 @@ public static SecretKey extract( // Perform PQC KEM extraction pqcKemGenerator.init( new KEMExtractSpec(pqcPrivateKey, components.pqcEncapsulation(), symmetricAlgorithm, keyLength), - new SecureRandom()); + SecureRandomHelper.getSecureRandom()); SecretKeyWithEncapsulation pqcResult = (SecretKeyWithEncapsulation) pqcKemGenerator.generateKey(); byte[] pqcSharedSecret = pqcResult.getEncoded(); @@ -275,7 +276,7 @@ private static KeyPair generateEphemeralKeyPair(String algorithm) throws Excepti if ("EC".equals(algorithm)) { kpg = KeyPairGenerator.getInstance("EC"); // Default to P-256 - kpg.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom()); + kpg.initialize(new ECGenParameterSpec("secp256r1"), SecureRandomHelper.getSecureRandom()); } else if ("X25519".equals(algorithm) || "XDH".equals(algorithm)) { kpg = KeyPairGenerator.getInstance("X25519"); } else if ("X448".equals(algorithm)) { diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDHMLKEMMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDHMLKEMMaterial.java index 2b61a66ac583a..bd6fb9dc41270 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDHMLKEMMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDHMLKEMMaterial.java @@ -23,6 +23,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLKEMParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -50,7 +51,7 @@ public class PQCDefaultECDHMLKEMMaterial { try { // Generate ECDH P-256 key pair KeyPairGenerator ecKpg = KeyPairGenerator.getInstance("EC", "BC"); - ecKpg.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom()); + ecKpg.initialize(new ECGenParameterSpec("secp256r1"), SecureRandomHelper.getSecureRandom()); classicalKeyPair = ecKpg.generateKeyPair(); classicalKeyAgreement = KeyAgreement.getInstance("ECDH", "BC"); @@ -58,7 +59,7 @@ public class PQCDefaultECDHMLKEMMaterial { KeyPairGenerator mlkemKpg = KeyPairGenerator.getInstance( PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), PQCKeyEncapsulationAlgorithms.MLKEM.getBcProvider()); - mlkemKpg.initialize(MLKEMParameterSpec.ml_kem_768, new SecureRandom()); + mlkemKpg.initialize(MLKEMParameterSpec.ml_kem_768, SecureRandomHelper.getSecureRandom()); pqcKeyPair = mlkemKpg.generateKeyPair(); pqcKeyGenerator = KeyGenerator.getInstance( PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDSAMLDSAMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDSAMLDSAMaterial.java index c70e60ac7769c..645c6f70e693d 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDSAMLDSAMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultECDSAMLDSAMaterial.java @@ -20,6 +20,7 @@ import java.security.spec.ECGenParameterSpec; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLDSAParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -49,7 +50,7 @@ public class PQCDefaultECDSAMLDSAMaterial { try { // Generate ECDSA P-256 key pair KeyPairGenerator ecKpg = KeyPairGenerator.getInstance("EC", "BC"); - ecKpg.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom()); + ecKpg.initialize(new ECGenParameterSpec("secp256r1"), SecureRandomHelper.getSecureRandom()); classicalKeyPair = ecKpg.generateKeyPair(); classicalSigner = Signature.getInstance("SHA256withECDSA", "BC"); @@ -57,7 +58,7 @@ public class PQCDefaultECDSAMLDSAMaterial { KeyPairGenerator mldsaKpg = KeyPairGenerator.getInstance( PQCSignatureAlgorithms.MLDSA.getAlgorithm(), PQCSignatureAlgorithms.MLDSA.getBcProvider()); - mldsaKpg.initialize(MLDSAParameterSpec.ml_dsa_65, new SecureRandom()); + mldsaKpg.initialize(MLDSAParameterSpec.ml_dsa_65, SecureRandomHelper.getSecureRandom()); pqcKeyPair = mldsaKpg.generateKeyPair(); pqcSigner = Signature.getInstance( PQCSignatureAlgorithms.MLDSA.getAlgorithm(), diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultEd25519MLDSAMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultEd25519MLDSAMaterial.java index a5497416fa50b..5399634803111 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultEd25519MLDSAMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultEd25519MLDSAMaterial.java @@ -19,6 +19,7 @@ import java.security.*; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLDSAParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -53,7 +54,7 @@ public class PQCDefaultEd25519MLDSAMaterial { KeyPairGenerator mldsaKpg = KeyPairGenerator.getInstance( PQCSignatureAlgorithms.MLDSA.getAlgorithm(), PQCSignatureAlgorithms.MLDSA.getBcProvider()); - mldsaKpg.initialize(MLDSAParameterSpec.ml_dsa_65, new SecureRandom()); + mldsaKpg.initialize(MLDSAParameterSpec.ml_dsa_65, SecureRandomHelper.getSecureRandom()); pqcKeyPair = mldsaKpg.generateKeyPair(); pqcSigner = Signature.getInstance( PQCSignatureAlgorithms.MLDSA.getAlgorithm(), diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultX25519MLKEMMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultX25519MLKEMMaterial.java index 8168352f56958..b9108fa2d8b7b 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultX25519MLKEMMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/hybrid/PQCDefaultX25519MLKEMMaterial.java @@ -22,6 +22,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLKEMParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -63,7 +64,7 @@ public class PQCDefaultX25519MLKEMMaterial { KeyPairGenerator mlkemKpg = KeyPairGenerator.getInstance( PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), PQCKeyEncapsulationAlgorithms.MLKEM.getBcProvider()); - mlkemKpg.initialize(MLKEMParameterSpec.ml_kem_768, new SecureRandom()); + mlkemKpg.initialize(MLKEMParameterSpec.ml_kem_768, SecureRandomHelper.getSecureRandom()); pqcKeyPair = mlkemKpg.generateKeyPair(); pqcKeyGenerator = KeyGenerator.getInstance( PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultBIKEMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultBIKEMaterial.java index 30f82ffb59a9f..23945382aa77f 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultBIKEMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultBIKEMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.BIKEParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.BIKE.getAlgorithm(), PQCKeyEncapsulationAlgorithms.BIKE.getBcProvider()); - kpg.initialize(BIKEParameterSpec.bike192, new SecureRandom()); + kpg.initialize(BIKEParameterSpec.bike192, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultCMCEMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultCMCEMaterial.java index 0ff1cf71c7026..ea6060a27c9d2 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultCMCEMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultCMCEMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.CMCEParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.CMCE.getAlgorithm(), PQCKeyEncapsulationAlgorithms.CMCE.getBcProvider()); - kpg.initialize(CMCEParameterSpec.mceliece8192128f, new SecureRandom()); + kpg.initialize(CMCEParameterSpec.mceliece8192128f, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultFRODOMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultFRODOMaterial.java index 0d940431e1d86..b8776ab33d40b 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultFRODOMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultFRODOMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.FrodoParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.FRODO.getAlgorithm(), PQCKeyEncapsulationAlgorithms.FRODO.getBcProvider()); - kpg.initialize(FrodoParameterSpec.frodokem976aes, new SecureRandom()); + kpg.initialize(FrodoParameterSpec.frodokem976aes, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultHQCMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultHQCMaterial.java index 7564f8d16b850..87a8d34efbaa5 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultHQCMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultHQCMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.HQCParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.HQC.getAlgorithm(), PQCKeyEncapsulationAlgorithms.HQC.getBcProvider()); - kpg.initialize(HQCParameterSpec.hqc192, new SecureRandom()); + kpg.initialize(HQCParameterSpec.hqc192, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultKYBERMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultKYBERMaterial.java index aabd580a30aaf..cfb7f8bf4e492 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultKYBERMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultKYBERMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.KyberParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.KYBER.getAlgorithm(), PQCKeyEncapsulationAlgorithms.KYBER.getBcProvider()); - kpg.initialize(KyberParameterSpec.kyber1024, new SecureRandom()); + kpg.initialize(KyberParameterSpec.kyber1024, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultMLKEMMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultMLKEMMaterial.java index 51eb6cdd814db..7a8680b2948d8 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultMLKEMMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultMLKEMMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.spec.MLKEMParameterSpec; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.MLKEM.getAlgorithm(), PQCKeyEncapsulationAlgorithms.MLKEM.getBcProvider()); - kpg.initialize(MLKEMParameterSpec.ml_kem_512, new SecureRandom()); + kpg.initialize(MLKEMParameterSpec.ml_kem_512, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRULPRimeMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRULPRimeMaterial.java index 57627562c1878..3ffdf191b39a8 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRULPRimeMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRULPRimeMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.NTRULPRimeParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.NTRULPRime.getAlgorithm(), PQCKeyEncapsulationAlgorithms.NTRULPRime.getBcProvider()); - kpg.initialize(NTRULPRimeParameterSpec.ntrulpr761, new SecureRandom()); + kpg.initialize(NTRULPRimeParameterSpec.ntrulpr761, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRUMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRUMaterial.java index 32bd4cd58f1be..1f96b3685bc78 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRUMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultNTRUMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.NTRUParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.NTRU.getAlgorithm(), PQCKeyEncapsulationAlgorithms.NTRU.getBcProvider()); - kpg.initialize(NTRUParameterSpec.ntruhps2048509, new SecureRandom()); + kpg.initialize(NTRUParameterSpec.ntruhps2048509, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSABERMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSABERMaterial.java index 0fb9d1d152369..c0355baebd556 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSABERMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSABERMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.SABERParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.SABER.getAlgorithm(), PQCKeyEncapsulationAlgorithms.SABER.getBcProvider()); - kpg.initialize(SABERParameterSpec.lightsaberkem256r3, new SecureRandom()); + kpg.initialize(SABERParameterSpec.lightsaberkem256r3, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSNTRUPrimeMaterial.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSNTRUPrimeMaterial.java index e15b324668535..276b1bae80232 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSNTRUPrimeMaterial.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/crypto/kem/PQCDefaultSNTRUPrimeMaterial.java @@ -21,6 +21,7 @@ import javax.crypto.KeyGenerator; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider; import org.bouncycastle.pqc.jcajce.spec.SNTRUPrimeParameterSpec; @@ -51,7 +52,7 @@ protected static KeyPairGenerator prepareKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException { KeyPairGenerator kpg = KeyPairGenerator.getInstance(PQCKeyEncapsulationAlgorithms.SNTRUPrime.getAlgorithm(), PQCKeyEncapsulationAlgorithms.SNTRUPrime.getBcProvider()); - kpg.initialize(SNTRUPrimeParameterSpec.sntrup761, new SecureRandom()); + kpg.initialize(SNTRUPrimeParameterSpec.sntrup761, SecureRandomHelper.getSecureRandom()); return kpg; } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/dataformat/PQCDataFormat.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/dataformat/PQCDataFormat.java index b12101dd9a611..f84c8da0c821d 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/dataformat/PQCDataFormat.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/dataformat/PQCDataFormat.java @@ -22,7 +22,6 @@ import java.io.InputStream; import java.io.OutputStream; import java.security.KeyPair; -import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.util.Set; @@ -42,6 +41,7 @@ import org.apache.camel.spi.annotations.Dataformat; import org.apache.camel.support.ExchangeHelper; import org.apache.camel.support.service.ServiceSupport; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.jcajce.SecretKeyWithEncapsulation; import org.bouncycastle.jcajce.spec.KEMExtractSpec; import org.bouncycastle.jcajce.spec.KEMGenerateSpec; @@ -161,17 +161,15 @@ public void marshal(Exchange exchange, Object graph, OutputStream outputStream) byte[] plaintext = ExchangeHelper.convertToMandatoryType(exchange, byte[].class, graph); try { - SecureRandom random = new SecureRandom(); - // Generate KEM encapsulation and the fresh shared secret KeyGenerator kg = getOrCreateKeyGenerator(kemAlg); - kg.init(new KEMGenerateSpec(kp.getPublic(), symAlg, symmetricKeyLength), random); + kg.init(new KEMGenerateSpec(kp.getPublic(), symAlg, symmetricKeyLength), SecureRandomHelper.getSecureRandom()); SecretKeyWithEncapsulation secretKey = (SecretKeyWithEncapsulation) kg.generateKey(); byte[] encapsulation = secretKey.getEncapsulation(); // Encrypt the payload with an authenticated cipher using a fresh random nonce byte[] nonce = new byte[NONCE_LENGTH_BYTES]; - random.nextBytes(nonce); + SecureRandomHelper.getSecureRandom().nextBytes(nonce); Cipher cipher = initAeadCipher(Cipher.ENCRYPT_MODE, symAlg, secretKey.getEncoded(), nonce); byte[] ciphertext = cipher.doFinal(plaintext); @@ -223,7 +221,8 @@ public Object unmarshal(Exchange exchange, InputStream encryptedStream) throws E // Extract the shared secret from the encapsulation KeyGenerator kg = getOrCreateKeyGenerator(kemAlg); - kg.init(new KEMExtractSpec(kp.getPrivate(), encapsulation, symAlg, symmetricKeyLength), new SecureRandom()); + kg.init(new KEMExtractSpec(kp.getPrivate(), encapsulation, symAlg, symmetricKeyLength), + SecureRandomHelper.getSecureRandom()); SecretKeyWithEncapsulation secretKey = (SecretKeyWithEncapsulation) kg.generateKey(); // Decrypt. doFinal() verifies the authentication tag and throws on tampering; this must not be done with diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/AwsSecretsManagerKeyLifecycleManager.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/AwsSecretsManagerKeyLifecycleManager.java index 267625497f128..dc5cf6d9baebf 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/AwsSecretsManagerKeyLifecycleManager.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/AwsSecretsManagerKeyLifecycleManager.java @@ -23,7 +23,6 @@ import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; -import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.time.Duration; import java.util.ArrayList; @@ -36,6 +35,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.pqc.crypto.lms.LMOtsParameters; import org.bouncycastle.pqc.crypto.lms.LMSigParameters; import org.bouncycastle.pqc.jcajce.spec.*; @@ -184,17 +184,17 @@ public KeyPair generateKeyPair(String algorithm, String keyId, Object parameterS // Initialize with parameter spec if provided if (parameterSpec != null) { if (parameterSpec instanceof AlgorithmParameterSpec algorithmParamSpec) { - generator.initialize(algorithmParamSpec, new SecureRandom()); + generator.initialize(algorithmParamSpec, SecureRandomHelper.getSecureRandom()); } else if (parameterSpec instanceof Integer keySize) { - generator.initialize(keySize, new SecureRandom()); + generator.initialize(keySize, SecureRandomHelper.getSecureRandom()); } } else { // Use default parameter spec for the algorithm AlgorithmParameterSpec defaultSpec = getDefaultParameterSpec(algorithm); if (defaultSpec != null) { - generator.initialize(defaultSpec, new SecureRandom()); + generator.initialize(defaultSpec, SecureRandomHelper.getSecureRandom()); } else { - generator.initialize(getDefaultKeySize(algorithm), new SecureRandom()); + generator.initialize(getDefaultKeySize(algorithm), SecureRandomHelper.getSecureRandom()); } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/FileBasedKeyLifecycleManager.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/FileBasedKeyLifecycleManager.java index 543b0088e37dd..b93bedf9f11af 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/FileBasedKeyLifecycleManager.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/FileBasedKeyLifecycleManager.java @@ -29,7 +29,6 @@ import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; -import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; @@ -48,6 +47,7 @@ import com.fasterxml.jackson.databind.SerializationFeature; import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.pqc.crypto.lms.LMOtsParameters; import org.bouncycastle.pqc.crypto.lms.LMSigParameters; import org.bouncycastle.pqc.jcajce.spec.*; @@ -101,17 +101,17 @@ public KeyPair generateKeyPair(String algorithm, String keyId, Object parameterS // Initialize with parameter spec if provided if (parameterSpec != null) { if (parameterSpec instanceof AlgorithmParameterSpec algorithmParamSpec) { - generator.initialize(algorithmParamSpec, new SecureRandom()); + generator.initialize(algorithmParamSpec, SecureRandomHelper.getSecureRandom()); } else if (parameterSpec instanceof Integer keySize) { - generator.initialize(keySize, new SecureRandom()); + generator.initialize(keySize, SecureRandomHelper.getSecureRandom()); } } else { // Use default parameter spec for the algorithm AlgorithmParameterSpec defaultSpec = getDefaultParameterSpec(algorithm); if (defaultSpec != null) { - generator.initialize(defaultSpec, new SecureRandom()); + generator.initialize(defaultSpec, SecureRandomHelper.getSecureRandom()); } else { - generator.initialize(getDefaultKeySize(algorithm), new SecureRandom()); + generator.initialize(getDefaultKeySize(algorithm), SecureRandomHelper.getSecureRandom()); } } diff --git a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/HashicorpVaultKeyLifecycleManager.java b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/HashicorpVaultKeyLifecycleManager.java index b9a3dade24304..060f6c44dc6f3 100644 --- a/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/HashicorpVaultKeyLifecycleManager.java +++ b/components/camel-pqc/src/main/java/org/apache/camel/component/pqc/lifecycle/HashicorpVaultKeyLifecycleManager.java @@ -22,7 +22,6 @@ import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; -import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.time.Duration; import java.util.ArrayList; @@ -35,6 +34,7 @@ import org.apache.camel.component.pqc.PQCKeyEncapsulationAlgorithms; import org.apache.camel.component.pqc.PQCSignatureAlgorithms; +import org.apache.camel.util.SecureRandomHelper; import org.bouncycastle.pqc.crypto.lms.LMOtsParameters; import org.bouncycastle.pqc.crypto.lms.LMSigParameters; import org.bouncycastle.pqc.jcajce.spec.*; @@ -198,17 +198,17 @@ public KeyPair generateKeyPair(String algorithm, String keyId, Object parameterS // Initialize with parameter spec if provided if (parameterSpec != null) { if (parameterSpec instanceof AlgorithmParameterSpec algorithmParamSpec) { - generator.initialize(algorithmParamSpec, new SecureRandom()); + generator.initialize(algorithmParamSpec, SecureRandomHelper.getSecureRandom()); } else if (parameterSpec instanceof Integer keySize) { - generator.initialize(keySize, new SecureRandom()); + generator.initialize(keySize, SecureRandomHelper.getSecureRandom()); } } else { // Use default parameter spec for the algorithm AlgorithmParameterSpec defaultSpec = getDefaultParameterSpec(algorithm); if (defaultSpec != null) { - generator.initialize(defaultSpec, new SecureRandom()); + generator.initialize(defaultSpec, SecureRandomHelper.getSecureRandom()); } else { - generator.initialize(getDefaultKeySize(algorithm), new SecureRandom()); + generator.initialize(getDefaultKeySize(algorithm), SecureRandomHelper.getSecureRandom()); } } diff --git a/core/camel-core-model/src/main/java/org/apache/camel/model/app/BeansDefinition.java b/core/camel-core-model/src/main/java/org/apache/camel/model/app/BeansDefinition.java index ad2cc3f95859f..6643d11f6eb34 100644 --- a/core/camel-core-model/src/main/java/org/apache/camel/model/app/BeansDefinition.java +++ b/core/camel-core-model/src/main/java/org/apache/camel/model/app/BeansDefinition.java @@ -143,8 +143,8 @@ public void setBeans(List beans) { } /** - * @deprecated use standard Camel XML DSL (camel-xml-io) instead of legacy Spring/Blueprint XML. - * This feature will be removed in a future release. + * @deprecated use standard Camel XML DSL (camel-xml-io) instead of legacy Spring/Blueprint XML. This feature will + * be removed in a future release. */ @Deprecated(since = "4.22") public List getSpringOrBlueprintBeans() { @@ -152,8 +152,8 @@ public List getSpringOrBlueprintBeans() { } /** - * @deprecated use standard Camel XML DSL (camel-xml-io) instead of legacy Spring/Blueprint XML. - * This feature will be removed in a future release. + * @deprecated use standard Camel XML DSL (camel-xml-io) instead of legacy Spring/Blueprint XML. This feature will + * be removed in a future release. */ @Deprecated(since = "4.22") public void setSpringOrBlueprintBeans(List springOrBlueprintBeans) { diff --git a/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java b/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java index 4764b39bbe50a..c453f67ceb341 100644 --- a/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java +++ b/core/camel-main/src/main/java/org/apache/camel/main/SelfSignedCertificateGenerator.java @@ -23,7 +23,6 @@ import java.security.KeyStore; import java.security.PrivateKey; import java.security.PublicKey; -import java.security.SecureRandom; import java.security.Signature; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -32,6 +31,8 @@ import java.time.ZonedDateTime; import java.util.Locale; +import org.apache.camel.util.SecureRandomHelper; + /** * Generates a self-signed certificate for development use. This allows enabling HTTPS with minimal configuration when * no keystore is provided. @@ -73,21 +74,20 @@ static KeyStore generateKeyStore(String password, String keyType) throws Excepti String type = keyType == null || keyType.isBlank() ? DEFAULT_KEY_TYPE : keyType.trim().toUpperCase(Locale.ROOT); - SecureRandom random = new SecureRandom(); KeyPairGenerator keyGen; if ("EC".equals(type)) { keyGen = KeyPairGenerator.getInstance("EC"); - keyGen.initialize(new ECGenParameterSpec("secp256r1"), random); + keyGen.initialize(new ECGenParameterSpec("secp256r1"), SecureRandomHelper.getSecureRandom()); } else if ("RSA".equals(type)) { keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(2048, random); + keyGen.initialize(2048, SecureRandomHelper.getSecureRandom()); } else { throw new IllegalArgumentException( "Unsupported self-signed certificate key type: " + keyType + " (supported: EC, RSA)"); } KeyPair keyPair = keyGen.generateKeyPair(); - X509Certificate cert = generateCertificate(keyPair, type, random); + X509Certificate cert = generateCertificate(keyPair, type); KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, password.toCharArray()); @@ -97,7 +97,7 @@ static KeyStore generateKeyStore(String password, String keyType) throws Excepti return ks; } - private static X509Certificate generateCertificate(KeyPair keyPair, String keyType, SecureRandom random) + private static X509Certificate generateCertificate(KeyPair keyPair, String keyType) throws Exception { PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); @@ -106,7 +106,7 @@ private static X509Certificate generateCertificate(KeyPair keyPair, String keyTy ZonedDateTime expiry = now.plusDays(365); // Build self-signed X.509 certificate using DER encoding - byte[] encoded = buildSelfSignedCertificateDer(publicKey, privateKey, keyType, now, expiry, random); + byte[] encoded = buildSelfSignedCertificateDer(publicKey, privateKey, keyType, now, expiry); CertificateFactory cf = CertificateFactory.getInstance("X.509"); return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded)); @@ -114,8 +114,7 @@ private static X509Certificate generateCertificate(KeyPair keyPair, String keyTy private static byte[] buildSelfSignedCertificateDer( PublicKey publicKey, PrivateKey privateKey, String keyType, - ZonedDateTime notBefore, ZonedDateTime notAfter, - SecureRandom random) + ZonedDateTime notBefore, ZonedDateTime notAfter) throws Exception { boolean ec = "EC".equals(keyType); @@ -127,7 +126,7 @@ private static byte[] buildSelfSignedCertificateDer( // TBS Certificate byte[] tbsCertificate - = buildTbsCertificate(publicKey, issuerDn, signatureAlgorithm, notBefore, notAfter, random); + = buildTbsCertificate(publicKey, issuerDn, signatureAlgorithm, notBefore, notAfter); // Sign the TBS certificate Signature sig = Signature.getInstance(signatureAlgorithmName); @@ -143,15 +142,14 @@ private static byte[] buildSelfSignedCertificateDer( private static byte[] buildTbsCertificate( PublicKey publicKey, byte[] dn, byte[] signatureAlgorithm, - ZonedDateTime notBefore, ZonedDateTime notAfter, - SecureRandom random) { + ZonedDateTime notBefore, ZonedDateTime notAfter) { // Version: v3 (2) byte[] version = wrapExplicitTag(0, wrapInteger(new byte[] { 2 })); // Serial number byte[] serialBytes = new byte[16]; - random.nextBytes(serialBytes); + SecureRandomHelper.getSecureRandom().nextBytes(serialBytes); serialBytes[0] &= 0x7F; // ensure positive byte[] serial = wrapInteger(serialBytes); diff --git a/core/camel-support/src/main/java/org/apache/camel/converter/stream/CipherPair.java b/core/camel-support/src/main/java/org/apache/camel/converter/stream/CipherPair.java index 4a8cf3197672c..c105cd7725039 100644 --- a/core/camel-support/src/main/java/org/apache/camel/converter/stream/CipherPair.java +++ b/core/camel-support/src/main/java/org/apache/camel/converter/stream/CipherPair.java @@ -18,12 +18,12 @@ import java.security.GeneralSecurityException; import java.security.Key; -import java.security.SecureRandom; import javax.crypto.Cipher; import javax.crypto.KeyGenerator; import javax.crypto.spec.IvParameterSpec; +import org.apache.camel.util.SecureRandomHelper; import org.apache.camel.util.StringHelper; /** @@ -41,7 +41,7 @@ public CipherPair(String transformation) throws GeneralSecurityException { String a = StringHelper.before(transformation, "/", transformation); KeyGenerator keygen = KeyGenerator.getInstance(a); - keygen.init(new SecureRandom()); + keygen.init(SecureRandomHelper.getSecureRandom()); key = keygen.generateKey(); enccipher = Cipher.getInstance(transformation); enccipher.init(Cipher.ENCRYPT_MODE, key); diff --git a/core/camel-util/src/main/java/org/apache/camel/util/SecureRandomHelper.java b/core/camel-util/src/main/java/org/apache/camel/util/SecureRandomHelper.java new file mode 100644 index 0000000000000..4328c4b573c7b --- /dev/null +++ b/core/camel-util/src/main/java/org/apache/camel/util/SecureRandomHelper.java @@ -0,0 +1,47 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.util; + +import java.security.SecureRandom; + +/** + * Provides a shared {@link SecureRandom} instance for use across Camel. + *

+ * {@code SecureRandom} is thread-safe but heavyweight to instantiate — each {@code new SecureRandom()} call gathers OS + * entropy. Reusing a single instance avoids repeated initialization overhead while maintaining cryptographic security + * guarantees. + *

+ * This is intended for internal Camel code that needs "give me some randomness" without caring about a specific + * algorithm or provider. For user-configurable secure random (algorithm, provider), see + * {@code org.apache.camel.support.jsse.SecureRandomParameters}. + */ +public final class SecureRandomHelper { + + private static final SecureRandom RANDOM = new SecureRandom(); + + private SecureRandomHelper() { + } + + /** + * Returns a shared, thread-safe {@link SecureRandom} instance using the platform default algorithm. + * + * @return a shared {@link SecureRandom} instance + */ + public static SecureRandom getSecureRandom() { + return RANDOM; + } +} diff --git a/design/security.adoc b/design/security.adoc index 5bf37f69b02b1..f1de140b5596b 100644 --- a/design/security.adoc +++ b/design/security.adoc @@ -237,6 +237,51 @@ Key files in the implementation: - `tooling/maven/camel-package-maven-plugin/.../UpdateSensitizeHelper.java` — code generation from component JSONs +== Shared SecureRandom + +=== Rationale + +`java.security.SecureRandom` is thread-safe but heavyweight to instantiate: each `new SecureRandom()` +call gathers OS entropy (reads from `/dev/urandom` on Linux, `CryptGenRandom` on Windows). Creating +a fresh instance per call is wasteful and measurably slows down startup when many components +initialize cryptographic material (e.g., `camel-pqc` had ~40 separate allocations). + +Since Java 9, the default `SecureRandom` implementation uses DRBG (Deterministic Random Bit +Generator) which handles concurrent access efficiently. A single shared instance is both safe and +performant. + +=== Usage + +`SecureRandomHelper` in `camel-util` provides a shared instance via a static getter: + +[source,java] +---- +import org.apache.camel.util.SecureRandomHelper; + +// Use the shared instance instead of new SecureRandom() +keygen.init(SecureRandomHelper.getSecureRandom()); +kpGen.initialize(paramSpec, SecureRandomHelper.getSecureRandom()); +SecureRandomHelper.getSecureRandom().nextBytes(nonce); +---- + +=== When to use + +- **Internal Camel code** that needs cryptographic randomness with the platform default algorithm: + key generation, nonce creation, certificate serial numbers, cipher initialization. +- **Component and data format implementations** that call JCA APIs (`KeyPairGenerator.initialize()`, + `KeyGenerator.init()`, `KEMGenerateSpec`, etc.). + +=== When NOT to use + +- **User-configurable secure random**: when the user needs to pick a specific algorithm or provider + (e.g., FIPS-certified PRNG), use `SecureRandomParameters` from the JSSE utility + (`org.apache.camel.support.jsse.SecureRandomParameters`) instead. +- **`SecureRandom.getInstanceStrong()`**: for cases requiring the strongest available entropy source + (may block on Linux), create a dedicated instance — the shared one uses the platform default, which + is non-blocking. +- **Test code**: if deterministic randomness is needed for reproducible tests, inject a seeded + `SecureRandom` directly rather than using the shared instance. + === Future Work - **Broader annotation audit**: Systematically audit all 300+ components for missing `secret=true` diff --git a/dsl/camel-xml-io-dsl/src/main/java/org/apache/camel/dsl/xml/io/XmlRoutesBuilderLoader.java b/dsl/camel-xml-io-dsl/src/main/java/org/apache/camel/dsl/xml/io/XmlRoutesBuilderLoader.java index 1c07e3b8a49fc..181aea18d486e 100644 --- a/dsl/camel-xml-io-dsl/src/main/java/org/apache/camel/dsl/xml/io/XmlRoutesBuilderLoader.java +++ b/dsl/camel-xml-io-dsl/src/main/java/org/apache/camel/dsl/xml/io/XmlRoutesBuilderLoader.java @@ -398,7 +398,7 @@ private void registerBeans(Resource resource, BeansDefinition app) { springBlueprintWarned = true; LOG.warn( "Detected legacy Spring or OSGi XML. This feature is deprecated and will be removed in a future release." - + " Migrate to standard Camel XML DSL (camel-xml-io)."); + + " Migrate to standard Camel XML DSL (camel-xml-io)."); } Document doc = app.getSpringOrBlueprintBeans().get(0).getOwnerDocument(); String ns = doc.getDocumentElement().getNamespaceURI();