XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Since Camel 2.15.0 we also provide support for XAdES-BES/EPES for the signer endpoint; see subsection "XAdES-BES/EPES for the Signer Endpoint".
Maven users will need to add the following dependency to their
pom.xml for this component:
XML Signature Wrapping Modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. A certain form of detached XML signature is supported since 2.14.0.
In the enveloped XML signature case, the supported generated XML signature has the following structure (Variables are surrounded by ).
In the enveloping XML signature case, the supported generated XML signature has the structure:
As of 2.14.0 detached XML signatures with the following structure are supported (see also sub-chapter XML Signatures as Siblings of Signed Elements):
The camel component consists of two endpoints which have the following URI format.
- With the signer endpoint, you can generate a XML signature for the body of the in-message which can be either a XML document or a plain text. The enveloped, enveloping, or detached (as of 12.14) XML signature(s) will be set to the body of the out-message.
- With the verifier endpoint, you can validate an enveloped or enveloping XML signature or even several detached (as of 2.14.0) XML signatures contained in the body of the in-message; if the validation is successful, then the original content is extracted from the XML signature and set to the body of the out-message.
namepart in the URI can be chosen by the user to distinguish between different signer/verifier endpoints within the camel context.
The following example shows the basic usage of the component.
In Spring XML:
For the signing process, a private key is necessary. You specify a key accessor bean which provides this private key. For the validation, the corresponding public key is necessary; you specify a key selector bean which provides this public key.
The key accessor bean must implement the KeyAccessor interface. The package
org.apache.camel.component.xmlsecurity.api contains the default implementation class DefaultKeyAccessor which reads the private key from a Java keystore.
The key selector bean must implement the javax.xml.crypto.KeySelector interface. The package
org.apache.camel.component.xmlsecurity.api contains the default implementation class DefaultKeySelector which reads the public key from a keystore.
In the example, the default signature algorithm
http://www.w3.org/2000/09/xmldsig#rsa-sha1 is used. You can set the signature algorithm of your choice by the option
signatureAlgorithm (see below). The signer endpoint creates an enveloping XML signature. If you want to create an enveloped XML signature then you must specify the parent element of the Signature element; see option
parentLocalName for more details.
For creating detached XML signatures, see sub-chapter "Detached XML Signatures as Siblings of the Signed Elements".
Common Signing and Verifying Options
There are options which can be used for both endpoints, signer and verifier.
URI dereferencer. You can specify here your own URI dereferencer, if you want to restrict the dereferencing or have special requirements for dereferencing.
Base URI used in the URI dereferencer. Relative URIs are concatenated with the base URI.
Map<String, ? extends Object>
Crypto context properties. See
Indicator whether DTD DOCTYPE declarations shall be disallowed in the incoming XML message.
Indicator whether the XML declaration header shall be omitted in the output XML message.
Indicator whether the XML signature message headers defined in XmlSignatureConstants shall be deleted at the end of the signer or verifier processing.
|schemaResourceUri||String||null||Since 2.14.0. Classpath to the XML Schema file. If set then the XML document is validated against the XML schema. Must be set in the case of detached signatures in order to determine the attributes of type ID. This value can be overwritten by the header "|
|outputXmlEncoding||String||null||Since 2.15.0. Character encoding of the output XML document. If |
The signer endpoint has the following options.
Provides the signing key and the KeyInfo instance. There is an example implementation which uses a keystore, see DefaultKeyAccessor
Indicator whether a Reference element refering the KeyInfo element provided by the key accessor should be added to the XML signature.
signature algorithm consisting of a digest and encryption algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element and the encryption algorithm is used to sign this digest. Possible values: http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Digest algorithm for calculating the digest of the in-message body. If not specified then the digest algorithm of the signature algorithm is used. Possible values: http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512
Local name of the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option
Namespace of the parent of the Signature element. See option
|parentXpath||XPathFilterParameterSpec||null||Since 2.15.0. XPath to the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option |
Canonicalization method used to canonicalize the SignedInfo element before the digest is calculated. You can use the helper methods XmlSignatureHelper.getCanonicalizationMethod(String algorithm) or getCanonicalizationMethod(String algorithm, List<String> inclusiveNamespacePrefixes) to create a canonicalization method.
Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option
The Camel header "CamelXmlSignatureTransformMethods" overwrites this option (since Camel 2.17.0). The header value must be of type string; you specify in a comma separated list the transform algorithms, for example "http://www.w3.org/2000/09/xmldsig#enveloped-signature,http://www.w3.org/TR/2001/REC-xml-c14n-20010315". In the header you cannot specify transform algorithms which need parameters, like http://www.w3.org/TR/1999/REC-xslt-19991116, http://www.w3.org/2002/06/xmldsig-filter2, or http://www.w3.org/TR/1999/REC-xpath-19991116.
Prefix for the XML signature namespace. If
The URI of the reference to the signed content (in-message body). If
Value of the type attribute of the content reference. This value can be overwritten by the header "
Indicator whether the in-message body contains plain text. Normally, the signature generator treats the incoming message body as XML. If the message body is plain text, then you must set this option to
Only used when the option
For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface.
Value of the Id attribute of the Object element. Only used in the enveloping XML signature case. If
|xpathsToIdAttributes||List<XPathFilterParameterSpec>||empty list||Since 2.14.0. List of XPATH expressions to ID attributes of elements to be signed. Used for the detached XML Signatures. Can only be used in combination with the option |
|signatureId||String||null||Since 2.14.0. Value of the Id attribute of the Signature element. If |
The verifier endpoint has the following options.
Provides the key for validating the XML signature. There is an example implementation which uses a keystore, see DefaultKeySelector.
This interface allows the application to check the XML signature before the validation is executed. This step is recommended in http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed
Handles the different validation failed situations. The default implementation throws specific exceptions for the different situations (All exceptions have the package name
Bean which maps the XML signature to the ouput-message after the validation. How this mapping should be done can be configured by the options
Determines the type of the search of the output node. See option
Search value of the output node search. The type depends on the search type. For the default search implementation
Indicator for removing Signature elements in the output message in the enveloped XML signature case. Used in the
Enables secure validation. If true then secure validation is enabled - see here for more information.
Output Node Determination in Enveloping XML Signature Case
After the validation the node is extracted from the XML signature document which is finally returned to the output-message body. In the enveloping XML signature case, the default implementation DefaultXmlSignature2Message of XmlSignature2Message does this for the node search type "Default" in the following way (see option
First an Object reference is determined:
- Only same document references are taken into account (URI must start with '#')
- Also indirect same document references to an object via manifest are taken into account.
- The resulting number of Object references must be 1.
Then, the Object is dereferenced and the Object must only contain one XML element. This element is returned as output node.
This does mean that the enveloping XML signature must have either the structure
or the structure
Detached XML Signatures as Siblings of the Signed Elements
You can create detached signatures where the signature is a sibling of the signed element. The following example contains two detached signatures. The first signature is for the element "C" and the second signature is for element "A". The signatures are nested; the second signature is for the element A which also contains the first signature.
The example shows that you can sign several elements and that for each element a signature is created as sibling. The elements to be signed must have an attribute of type ID. The ID type of the attribute must be defined in the XML schema (see option schemaResourceUri). You specify a list of XPATH expressions pointing to attributes of type ID (see option xpathsToIdAttributes). These attributes determine the elements to be signed. The elements are signed by the same key given by the keyAccessor bean. Ements with higher (=deeper) hierarachy level are signed first. In the example, the element "C" is signed before the element "A".
XAdES-BES/EPES for the Signer Endpoint
Available as of Camel 2.15.0
The properties of the XAdES-BES form are the same except that the
SignaturePolicyIdentifier property is not part of XAdES-BES.
You can configure the XAdES-BES/EPES properties via the bean
org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties does support all properties mentioned above except the
SigningCertificate property. To get the
SigningCertificate property, you must overwrite either the method
XAdESSignatureProperties.getSigningCertificateChain(). The class
DefaultXAdESSignatureProperties overwrites the method
getSigningCertificate() and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters you can specify. If you do not need certain parameters you can just omit them.
|String||for the 'Id' attribute value of QualifyingProperties element|
|String||for the 'Id' attribute value of SignedDataObjectProperties element|
|String||for the 'Id' attribute value of SignedSignatureProperties element|
|String||for the value of the Encoding element of the DataObjectFormat element|
|String||overwrites the XAdES namespace parameter value|
|String||overwrites the XAdES prefix parameter value|
Limitations with regard to XAdES version 1.4.2
- No support for signature form XAdES-T and XAdES-C
- Only signer part implemented. Verifier part currently not available.
- No support for the '
QualifyingPropertiesReference' element (see section 6.3.2 of spec).
- No support for the
Transformselement contained in the
SignaturePolicyIdelement contained in the
- No support of the
CounterSignatureelement --> no support for the
- At most one
DataObjectFormatelement. More than one
DataObjectFormatelement makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint).
- At most one
CommitmentTypeIndicationelement. More than one
CommitmentTypeIndicationelement makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint).
CommitmentTypeIndicationelement contains always the
CommitmentTypeIndicationelement is not supported.
AllDataObjectsTimeStampelement is not supported
IndividualDataObjectsTimeStampelement is not supported