[CONF] Apache Camel > Crypto

[willem jiang (Confluence)]

Crypto Page edited by willem jiang Comment: CAMEL-6742 Changes (4) ... | {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). | | {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). | | {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1* encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. | | {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0* Optional userid of the key in the PGP keyring to use for signing (during encryption) or signature verification (during decryption) .| | {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0* Optional password used when opening the private key used for signing (during encryption). | | {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0* Optional filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). | | {{signatureKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1* signature keyring; you can not set the signatureKeyFileName and signatureKeyRing at the same time. | | {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. | | {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. | ... || Name || Type || Description || | {{CamelPGPDataFormatKeyFileName}} | {{String}} | *Since Camel 2.11.0* Filename of the keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatEncryptionKeyRing}} | {{byte\[\]}} | *Since Camel 2.12.1* the encryption keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatKeyUserid}} | {{String}} | *Since Camel 2.11.0* The userid of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatKeyPassword}} | {{String}} | *Since Camel 2.11.0* Password used when opening the private key; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureKeyFileName}} | {{String}} | *Since Camel 2.11.0* Filename of the signature keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureKeyRing}} | {{byte\[\]}} | *Since Camel 2.12.1* the signature keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureKeyUserid}} | {{String}} | *Since Camel 2.11.0* The userid of the signature key in the PGP keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureKeyPassword}} | {{String}} | *Since Camel 2.11.0* Password used when opening the signature private key; will override existing setting directly on the PGPDataFormat. | ... Full Content Crypto Available as of Camel 2.3 PGP Available as of Camel 2.9 The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. Options Name Type Default Description algorithm String DES/CBC/PKCS5Padding The JCE algorithm name indicating the cryptographic algorithm that will be used. algorithmParamterSpec AlgorithmParameterSpec null A JCE AlgorithmParameterSpec used to initialize the Cipher. bufferSize Integer 2048 the size of the buffer used in the signature process. cryptoProvider String null The name of the JCE Security Provider that should be used. initializationVector byte[] null A byte array containing the Initialization Vector that will be used to initialize the Cipher. inline boolean false Flag indicating that the configured IV should be inlined into the encrypted data stream. macAlgorithm String null The JCE algorithm name indicating the Message Authentication algorithm. shouldAppendHMAC boolean null Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data. Basic Usage At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows: In Spring the dataformat is configured first and then used in routes <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"> <dataFormats> <crypto id="basic" algorithm="DES" keyRef="desKey" /> </dataFormats> ... <route> <from uri="direct:basic-encryption" /> <marshal ref="basic" /> <to uri="mock:encrypted" /> <unmarshal ref="basic" /> <to uri="mock:unencrypted" /> </route> </camelContext> Specifying the Encryption Algorithm Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key. A list of the available algorithms in Java 7 is available via the Java Cryptography Architecture Standard Algorithm Name Documentation. Specifying an Initialization Vector Some crypto algorithms, particularly block algorithms, require configuration with an initial block of data known as an Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat you can configure it with a byte[] containing the required data e.g. or with spring, suppling a reference to a byte[] The same vector is required in both the encryption and decryption phases. As it is not necessary to keep the IV a secret, the DataFormat allows for it to be inlined into the encrypted data and subsequently read out in the decryption phase to initialize the Cipher. To inline the IV set the /oinline flag. or with spring. For more information of the use of Initialization Vectors, consult http://en.wikipedia.org/wiki/Initialization_vector http://www.herongyang.com/Cryptography/ http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Hashed Message Authentication Codes (HMAC) To avoid attacks against the encrypted data while it is in transit the CryptoDataFormat can also calculate a Message Authentication Code for the encrypted exchange contents based on a configurable MAC algorithm. The calculated HMAC is appended to the stream after encryption. It is separated from the stream in the decryption phase. The MAC is recalculated and verified against the transmitted version to insure nothing was tampered with in transit.For more information on Message Authentication Codes see http://en.wikipedia.org/wiki/HMAC or with spring. By default the HMAC is calculated using the HmacSHA1 mac algorithm though this can be easily changed by supplying a different algorithm name. See here for how to check what algorithms are available through the configured security providers or with spring. Supplying Keys Dynamically When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may neither be feasible or desirable. It would be useful to be able to specify keys dynamically on a per exchange basis. The exchange could then be dynamically enriched with the key of its target recipient before being processed by the data format. To facilitate this the DataFormat allow for keys to be supplied dynamically via the message headers below CryptoDataFormat.KEY "CamelCryptoKey" or with spring. PGPDataFormat Options Name Type Default Description keyUserid String null The userid of the key in the PGP keyring. password String null Password used when opening the private key (not used for encryption). keyFileName String null Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). encryptionKeyRing byte[] null Since camel 2.12.1 encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. signatureKeyUserid String null Since Camel 2.11.0 Optional userid of the key in the PGP keyring to use for signing (during encryption) or signature verification (during decryption) . signaturePassword String null Since Camel 2.11.0 Optional password used when opening the private key used for signing (during encryption). signatureKeyFileName String null Since Camel 2.11.0 Optional filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). signatureKeyRing byte[] null Since camel 2.12.1 signature keyring; you can not set the signatureKeyFileName and signatureKeyRing at the same time. armored boolean false This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. integrity boolean true Adds an integrity check/sign into the encryption file. PGPDataFormat Message Headers You can override the PGPDataFormat options by applying below headers into message dynamically. Name Type Description CamelPGPDataFormatKeyFileName String Since Camel 2.11.0 Filename of the keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatEncryptionKeyRing byte[] Since Camel 2.12.1 the encryption keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyUserid String Since Camel 2.11.0 The userid of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyPassword String Since Camel 2.11.0 Password used when opening the private key; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyFileName String Since Camel 2.11.0 Filename of the signature keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyRing byte[] Since Camel 2.12.1 the signature keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyUserid String Since Camel 2.11.0 The userid of the signature key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyPassword String Since Camel 2.11.0 Password used when opening the signature private key; will override existing setting directly on the PGPDataFormat. Encrypting with PGPDataFormat The following sample uses the popular PGP format for encrypting/decrypting files using the Bouncy Castle Java libraries: The following sample performs signing + encryption, and then signature verification + decryption. It uses the same keyring for both signing and encryption, but you can obviously use different keys: Or using Spring: To work with the previous example you need the following A public keyring file which contains the public keys used to encrypt the data A private keyring file which contains the keys used to decrypt the data The keyring password Managing your keyring To manage the keyring, I use the command line tools, I find this to be the simplest approach in managing the keys. There are also Java libraries available from http://www.bouncycastle.org/java.html if you would prefer to do it that way. Install the command line utilities on linux apt-get install gnupg Create your keyring, entering a secure password gpg --gen-key If you need to import someone elses public key so that you can encrypt a file for them. gpg --import <filename.key The following files should now exist and can be used to run the example ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg Dependencies To use the Crypto dataformat in your camel routes you need to add the following dependency to your pom. <dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-crypto</artifactId> <version>2.9.0</version> </dependency> See Also Data Format Crypto (Digital Signatures) http://www.bouncycastle.org/java.html Stop watching space | Change email notification preferences View Online | View Changes | Add Comment