oscerd opened a new pull request, #22495:
URL: https://github.com/apache/camel/pull/22495

## Summary

_Claude Code on behalf of Andrea Cosentino_

Backport of #22034 to `camel-4.18.x`.

Fixes CWE-502 (Deserialization of Untrusted Data) in `FileBasedKeyLifecycleManager`, which used `ObjectInputStream.readObject()` to deserialize key pairs and metadata from `.key` and `.metadata` files, enabling arbitrary code execution via gadget chains.

The fix replaces Java serialization with PKCS#8/X.509 (Base64 JSON) for keys and JSON for metadata.

## Test plan

- [ ] CI passes on `camel-4.18.x`
- [ ] Verify camel-pqc key lifecycle operations work with new serialization format

🤖 Generated with [Claude Code](https://claude.com/claude-code)
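The PR describes the fix only at the level of formats (Java serialization out, PKCS#8/X.509 in Base64-wrapped JSON in). The following is an added illustration of that change, written for this page and not taken from the Camel code base or from the PR: it shows the `readObject()` pattern the PR removes next to a hardened loader that round-trips a `KeyPair` through the standard encodings `PrivateKey.getEncoded()` (PKCS#8) and `PublicKey.getEncoded()` (X.509 SubjectPublicKeyInfo). The JSON field names, the algorithm allow-list and the tiny regex-based JSON reader are assumptions made for a self-contained example; the real `FileBasedKeyLifecycleManager` schema may differ.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeyFileFormatExample {

    // BEFORE (the CWE-502 pattern the PR removes): every class named in the
    // stream is instantiated inside readObject(), before the cast is checked,
    // so a crafted .key file can drive a gadget chain.
    static KeyPair loadKeyPairUnsafe(byte[] fileBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fileBytes))) {
            return (KeyPair) in.readObject();
        }
    }

    // AFTER: only standard key encodings are stored, Base64-wrapped in JSON.
    // Field names are an assumption of this example, not the PR's schema.
    static String saveKeyPair(KeyPair kp) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "{\"algorithm\":\"" + kp.getPublic().getAlgorithm() + "\","
             + "\"publicKey\":\"" + b64.encodeToString(kp.getPublic().getEncoded()) + "\","
             + "\"privateKey\":\"" + b64.encodeToString(kp.getPrivate().getEncoded()) + "\"}";
    }

    // Constructed allow-list: the loader only ever asks KeyFactory for these names,
    // so the file cannot steer provider selection.
    private static final Set<String> ALLOWED_ALGORITHMS = Set.of("EC", "RSA");

    // Minimal reader for the three fields above; values are Base64/ASCII only,
    // so no JSON escaping is needed. A real loader would use a JSON library.
    private static final Pattern FIELD =
            Pattern.compile("\"(algorithm|publicKey|privateKey)\"\\s*:\\s*\"([A-Za-z0-9+/=]*)\"");

    static KeyPair loadKeyPairSafe(String json) throws GeneralSecurityException {
        String algorithm = null, pub = null, priv = null;
        Matcher m = FIELD.matcher(json);
        while (m.find()) {
            switch (m.group(1)) {
                case "algorithm": algorithm = m.group(2); break;
                case "publicKey": pub = m.group(2); break;
                case "privateKey": priv = m.group(2); break;
                default: break;
            }
        }
        if (algorithm == null || pub == null || priv == null) {
            throw new GeneralSecurityException("key file is missing a required field");
        }
        if (!ALLOWED_ALGORITHMS.contains(algorithm)) {
            throw new GeneralSecurityException("unsupported key algorithm: " + algorithm);
        }
        Base64.Decoder b64 = Base64.getDecoder();
        KeyFactory kf = KeyFactory.getInstance(algorithm);
        // The KeyFactory parses DER structures; no arbitrary classes are resolved.
        PublicKey publicKey = kf.generatePublic(new X509EncodedKeySpec(b64.decode(pub)));
        PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(b64.decode(priv)));
        return new KeyPair(publicKey, privateKey);
    }

    public static void main(String[] args) throws Exception {
        KeyPair original = KeyPairGenerator.getInstance("EC").generateKeyPair();
        String stored = saveKeyPair(original);          // what would be written to the .key file
        KeyPair restored = loadKeyPairSafe(stored);
        boolean same = Arrays.equals(original.getPublic().getEncoded(), restored.getPublic().getEncoded())
                    && Arrays.equals(original.getPrivate().getEncoded(), restored.getPrivate().getEncoded());
        System.out.println("round-trip ok: " + same);

        // A file that is not in the new format (e.g. a leftover Java-serialized
        // .key) is rejected with an exception instead of being deserialized.
        try {
            loadKeyPairSafe("not a key file");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point worth carrying into a review of the real PR: with `KeyFactory` plus `X509EncodedKeySpec`/`PKCS8EncodedKeySpec`, the parser's attack surface is a DER decoder for a fixed structure, and the set of classes that can be instantiated is fixed by the allow-listed algorithm rather than by the file contents. The metadata side of the fix follows the same logic: a JSON document maps to plain fields, whereas `readObject()` maps to whatever classes are on the classpath.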


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
