Crypto component for Digital Signatures

Available as of Camel 2.3

Using Camel cryptographic endpoints and Java's Cryptographic extension it is easy to create Digital Signatures for Exchanges. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange's workflow and then verify the signature in a later part of the workflow.

Maven users will need to add the following dependency to their pom.xml for this component:

<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-crypto</artifactId>
    <version>x.x.x</version>
    <!-- use the same version as your Camel core version -->
</dependency>


Introduction

Digital signatures make use Asymmetric Cryptographic techniques to sign messages. From a (very) high level, the algorithms use pairs of complimentary keys with the special property that data encrypted with one key can only be decrypted with the other. One, the private key, is closely guarded and used to 'sign' the message while the other, public key, is shared around to anyone interested in verifying your messages. Messages are signed by encrypting a digest of the message with the private key. This encrypted digest is transmitted along with the message. On the other side the verifier recalculates the message digest and uses the public key to decrypt the the digest in the signature. If both digest match the verifier knows only the holder of the private key could have created the signature. 

Camel uses the Signature service from the Java Cryptographic Extension to do all the heavy cryptographic lifting required to create exchange signatures. The following are some excellent sources for explaining the mechanics of Cryptography, Message digests and Digital Signatures and how to leverage them with the JCE.


	Bruce Schneier's Applied Cryptography
	Beginning Cryptography with Java by David Hook
	The ever insightful, Wikipedia Digital_signatures



URI format

As mentioned Camel provides a pair of crypto endpoints to create and verify signatures


crypto:sign:name[?options]
crypto:verify:name[?options]




	crypto:sign creates the signature and stores it in the Header keyed by the constant Exchange.SIGNATURE, i.e. "CamelDigitalSignature".
	crypto:verify will read in the contents of this header and do the verification calculation.



In order to correctly function, sign and verify need to share a pair of keys, sign requiring a PrivateKey and verify a PublicKey (or a Certificate containing one). Using the JCE is is very simple to generate these key pairs but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms. 

Note a crypto:sign endpoint is typically defined in one route and the complimentary crypto:verify in another, though for simplicity in the examples they appear one after the other. It goes without saying that both sign and verify should be configured identically.

Options



 Name 
 Type 
 Default 
 Description 


 algorithm 
 String 
 DSA 
 The name of the JCE Signature algorithm that will be used. 


 alias 
 String 
 null 
 An alias name that will be used to select a key from the keystore. 


 bufferSize 
 Integer 
 2048 
 the size of the buffer used in the signature process. 


 certificate 
 Certificate 
 null 
 A Certificate used to verify the signature of the exchange's payload. Either this or a Public Key is required. 


 keystore 
 KeyStore 
 null 
 A reference to a JCE Keystore that stores keys and certificates used to sign and verify. 


 provider 
 String 
 null 
 The name of the JCE Security Provider that should be used. 


 privateKey 
 PrivatKey 
 null 
 The private key used to sign the exchange's payload. 


 publicKey 
 PublicKey 
 null 
 The public key used to verify the signature of the exchange's payload. 


 secureRandom 
 secureRandom 
 null 
 A reference to a SecureRandom object that wil lbe used to initialize the Signature service. 


 password 
 char[] 
 null 
 The password for the keystore. 


 clearHeaders 
 {{"true"
"false"}} 
 true 
 Remove camel crypto headers from Message after a verify operation. 





Using

1) Raw keys
The most basic way to way to sign an verify an exchange is with a KeyPair as follows. 

from("direct:keypair").to("crypto:sign://basic?privateKey=#myPrivateKey", "crypto:verify://basic?publicKey=#myPublicKey", "mock:result");



The same can be achieved with the Spring XML Extensions using references to keys 

<route>
    <from uri="direct:keypair"/>
    <to uri="crypto:sign://basic?privateKey=#myPrivateKey" />
    <to uri="crypto:verify://basic?publicKey=#myPublicKey" />
    <to uri="mock:result"/>
</route>



2) KeyStores and Aliases.
The JCE provides a very versatile KeyStore for housing pairs of PrivateKeys and Certificates keeping them encrypted and password protected. They can be retrieved from it by applying an alias to the retrieval apis. There are a number of ways to get keys and Certificates into a keystore most often this is done with the external 'keytool' application. This is a good example of using keytool to create a KeyStore with a self signed Cert and Private key.

The examples use a Keystore with a key and cert aliased by 'bob'. The password for the keystore and the key is 'letmein'

The following shows how to use a Keystore via the Fluent builders, it also shows how to load and initialize the keystore.

from("direct:keystore").to("crypto:sign://keystore?keystore=#keystore&alias=bob&password=letmein", "crypto:verify://keystore?keystore=#keystore&alias=bob", "mock:result");



Again in Spring a ref is used to lookup an actual keystore instance. 

<route>
    <from uri="direct:keystore"/>
    <to uri="crypto:sign://keystore?keystore=#keystore&amp;alias=bob&amp;password=letmein" />
    <to uri="crypto:verify://keystore?keystore=#keystore&amp;alias=bob" />
    <to uri="mock:result"/>
</route>        



3) Changing JCE Provider and Algorithm
Changing the Signature algorithm or the Security provider is a simple matter of specifying their names. You will need to also use Keys that are compatible with the algorithm you choose.


KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512, new SecureRandom());
keyPair = keyGen.generateKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();

// we can set the keys explicitly on the endpoint instances.
context.getEndpoint("crypto:sign://rsa?algorithm=MD5withRSA", DigitalSignatureEndpoint.class).setPrivateKey(privateKey);
context.getEndpoint("crypto:verify://rsa?algorithm=MD5withRSA", DigitalSignatureEndpoint.class).setPublicKey(publicKey);
from("direct:algorithm").to("crypto:sign://rsa?algorithm=MD5withRSA", "crypto:verify://rsa?algorithm=MD5withRSA", "mock:result");



from("direct:provider").to("crypto:sign://provider?privateKey=#myPrivateKey&provider=SUN", "crypto:verify://provider?publicKey=#myPublicKey&provider=SUN", "mock:result");



or


<route>
    <from uri="direct:algorithm"/>
    <to uri="crypto:sign://rsa?algorithm=MD5withRSA&amp;privateKey=#rsaPrivateKey" />
    <to uri="crypto:verify://rsa?algorithm=MD5withRSA&amp;publicKey=#rsaPublicKey" />
    <to uri="mock:result"/>
</route>        



<route>
    <from uri="direct:provider"/>
    <to uri="crypto:sign://provider?privateKey=#myPrivateKey&amp;provider=SUN" />
    <to uri="crypto:verify://provider?publicKey=#myPublicKey&amp;provider=SUN" />
    <to uri="mock:result"/>
</route>        



4) Changing the Signature Mesasge Header
It may be desirable to change the message header used to store the signature. A different header name can be specified in the route definition as follows

from("direct:signature-header").to("crypto:sign://another?privateKey=#myPrivateKey&signatureHeader=AnotherDigitalSignature",
                                   "crypto:verify://another?publicKey=#myPublicKey&signatureHeader=AnotherDigitalSignature", "mock:result");



or


<route>
    <from uri="direct:signature-header"/>
    <to uri="crypto:sign://another?privateKey=#myPrivateKey&amp;signatureHeader=AnotherDigitalSignature" />
    <to uri="crypto:verify://another?publicKey=#myPublicKey&amp;signatureHeader=AnotherDigitalSignature" />
    <to uri="mock:result"/>
</route>        



5) Changing the buffersize
In case you need to update the size of the buffer...

from("direct:buffersize").to("crypto:sign://buffer?privateKey=#myPrivateKey&buffersize=1024", "crypto:verify://buffer?publicKey=#myPublicKey&buffersize=1024", "mock:result");



or


<route>
    <from uri="direct:buffersize" />
    <to uri="crypto:sign://buffer?privateKey=#myPrivateKey&amp;buffersize=1024" />
    <to uri="crypto:verify://buffer?publicKey=#myPublicKey&amp;buffersize=1024" />
    <to uri="mock:result"/>
</route>        



6) Supplying Keys dynamically.
When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may neither be feasible or desirable. It would be useful to be able to specify the signature keys dynamically on a per exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this the signature mechanisms allow for keys to be supplied dynamically via the message headers below 


	Exchange.SIGNATURE_PRIVATE_KEY, "CamelSignaturePrivateKey"
	Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT, "CamelSignaturePublicKeyOrCert"




from("direct:headerkey-sign").to("crypto:sign://alias");
from("direct:headerkey-verify").to("crypto:verify://alias", "mock:result");



or


<route>
    <from uri="direct:headerkey-sign"/>
    <to uri="crypto:sign://headerkey" />
</route>       
<route>
    <from uri="direct:headerkey-verify"/>
    <to uri="crypto:verify://headerkey" />
    <to uri="mock:result"/>
</route>    



Better again would be to dynamically supply a keystore alias. Again the alias can be supplied in a message header

	Exchange.KEYSTORE_ALIAS, "CamelSignatureKeyStoreAlias"




from("direct:alias-sign").to("crypto:sign://alias?keystore=#keystore");
from("direct:alias-verify").to("crypto:verify://alias?keystore=#keystore", "mock:result");



or


<route>
    <from uri="direct:alias-sign"/>
    <to uri="crypto:sign://alias?keystore=#keystore" />
</route>       
<route>
    <from uri="direct:alias-verify"/>
    <to uri="crypto:verify://alias?keystore=#keystore" />
    <to uri="mock:result"/>
</route>    



The header would be set as follows

Exchange unsigned = getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setBody(payload);
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein".toCharArray());
template.send("direct:alias-sign", unsigned);
Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().copyFrom(unsigned.getOut());
signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
template.send("direct:alias-verify", signed);



See Also

	Configuring Camel
	Component
	Endpoint
	Getting Started



	Crypto Crypto is also available as a Data Format

Change Notification Preferences

View Online | View Changes | Add Comment

[CONF] Apache Camel > Crypto (Digital Signatures)

Crypto (Digital Signatures)

Page edited by Hadrian Zbarcea

Changes (1)

Full Content

Crypto component for Digital Signatures

Introduction

URI format

Options

Using

1) Raw keys

2) KeyStores and Aliases.

3) Changing JCE Provider and Algorithm

4) Changing the Signature Mesasge Header

5) Changing the buffersize

6) Supplying Keys dynamically.

See Also

Reply via email to