Versions Compared

Old Version 1

changes.mady.by.user Stephen Gargan

Saved on

compared with

New Version 2

changes.mady.by.user Claus Ibsen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Crypto component for Digital Signatures

Available as of Camel 2.3

Using Camel cryptographic endpoints and Java's Cryptographic extension it is easy to create Digital Signatures for Exchanges Exchanges. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange's workflow and then verify the signature in a later part of the workflow.

...

Code Block
crypto:sign:name[?options]
crypto:verify:name[?options]
  • 'crypto:sign' creates the signature and stores it in the Header keyed by the constant Exchange.SIGNATURE, i.e. "CamelDigitalSignature".
  • 'crypto:verify' will read in the contents of this header and do the verification calculation.

In order to correctly function, sign and verify need to share a pair of keys, sign requiring a PrivateKey and verify a PublicKey (or a Certificate containing one). Using the JCE is is very simple to generate these key pairs but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms.

Note a 'crypto:sign' endpoint is typically defined in one route and the complimentary 'crypto:verify' in another, though for simplicity in the examples they appear one after the other. It goes without saying that both sign and verify should be configured identically.

...

Name

Type

Default

Description

algorithm

String

DSA

The name of the JCE Signature algorithm that will be used.

alias

String

null

An alias name that will be used to select a key from the keystore.

bufferSize

Integer

2048

the size of the buffer used in the signature process.

certificate

Certificate

null

A Certificate used to verify the signature of the exchange's payload. Either this or a Public Key is required.

keystore

KeyStore

null

A reference to a JCE Keystore that stores keys and certificates used to sign and verify.

provider

String

null

The name of the JCE Security Provider that should be used.

privateKey

PrivatKey

null

The private key used to sign the exchange's payload.

publicKey

PublicKey

null

The public key used to verify the signature of the exchange's payload.

secureRandom

secureRandom

null

A reference to a SecureRandom object that wil lbe used to initialize the Signature service.

password

char[]

null

The password for the keystore.

...

The JCE provides a very versatile KeyStore for housing pairs of PrivateKeys and Certificates keeping them encrypted and password protected. They can be retireved retrieved from it by applying an alias to the retrieval apis. There are a number of ways to get keys and Certificates into a keystore most often this is done with the external 'keytool' application. This is a good example of using keytool to create a KeyStore with a self signed Cert and Private key.

...

When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may neither be feasible or desirable. It would be useful to be able to specify the signature keys dynamically on a per exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this the signature mechanisms allow for keys to be supplied dynamically via the message headers below

  • Exchange.SIGNATURE_PRIVATE_KEY, "CamelSignaturePrivateKey"
  • Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT, "CamelSignaturePublicKeyOrCert"
Wiki Markup
{snippet:id=headerkey|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}

...

Better again would be to dynamically supply a keystore alias. Again the alias can be supplied in a message header

  • Exchange.KEYSTORE_ALIAS, "CamelSignatureKeyStoreAlias"
Wiki Markup
{snippet:id=alias|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}

...

The header would be set as follows

lang
Code Block
java
Exchange unsigned = getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setBody(payload);
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein".toCharArray());
template.send("direct:alias-sign", unsigned);
Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().copyFrom(unsigned.getOut());
signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
template.send("direct:alias-verify", signed);
Include Page
CAMEL:Endpoint See Also
CAMEL:Endpoint See Also