Modified: websites/production/camel/content/crypto.html
==============================================================================
--- websites/production/camel/content/crypto.html (original)
+++ websites/production/camel/content/crypto.html Fri Aug 25 09:20:43 2017
@@ -36,17 +36,6 @@
<![endif]-->
- <link href='//camel.apache.org/styles/highlighter/styles/shCoreCamel.css'
rel='stylesheet' type='text/css' />
- <link href='//camel.apache.org/styles/highlighter/styles/shThemeCamel.css'
rel='stylesheet' type='text/css' />
- <script src='//camel.apache.org/styles/highlighter/scripts/shCore.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushJava.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushXml.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushPlain.js'
type='text/javascript'></script>
-
- <script type="text/javascript">
- SyntaxHighlighter.defaults['toolbar'] = false;
- SyntaxHighlighter.all();
- </script>
<title>
Apache Camel: Crypto
@@ -86,219 +75,23 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2
id="Crypto-Crypto">Crypto</h2><p><strong>Available as of Camel 2.3</strong><br
clear="none"> <strong>PGP Available as of Camel 2.9</strong></p><p>The Crypto
<a shape="rect" href="data-format.html">Data Format</a> integrates the Java
Cryptographic Extension into Camel, allowing simple and flexible encryption and
decryption of messages using Camel's familiar marshall and unmarshal formatting
mechanism. It assumes marshalling to mean encryption to cyphertext and
unmarshalling to mean decryption back to the original plaintext. This data
format implements only symmetric (shared-key) encryption and decyption.</p><h3
id="Crypto-Options">Options</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1"
class="conflu
enceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>algorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>DES/CBC/PKCS5Padding</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The JCE algorithm name
indicating the cryptographic algorithm that will be used.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>algorithmParameterSpec</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>java.security.spec.AlgorithmParameterSpec</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A JCE AlgorithmParameterSpec
used to initialize the Cipher.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>bufferSize</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"
><p><code>Integer</code></p></td><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>4096</code></p></td><td colspan="1" rowspan="1"
>class="confluenceTd"><p>the size of the buffer used in the signature
>process.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>cryptoProvider</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p>The name of the JCE Security
>Provider that should be used.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>initializationVector</code></p></td><td
>colspan="1" rowspan="1"
>class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p>A byte array containing the
>Initialization Vector that will be used to initialize the
Cipher.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>inline</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>boolean</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Flag indicating that the configured IV
should be inlined into the encrypted data stream.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>macAlgorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The JCE algorithm name indicating the
Message Authentication algorithm.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>shouldAppendHMAC</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" r
owspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Flag indicating that a Message
Authentication Code should be calculated and appended to the encrypted
data.</p></td></tr></tbody></table></div><h3 id="Crypto-BasicUsage">Basic
Usage</h3><p>At its most basic all that is required to encrypt/decrypt an
exchange is a shared secret key. If one or more instances of the Crypto data
format are configured with this key the format can be used to encrypt the
payload in one route (or part of one) and decrypted in another. For example,
using the Java DSL as follows:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-
-CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES",
generator.generateKey());
-
-from("direct:basic-encryption")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(cryptoFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>In Spring the dataformat is configured first and then used in
routes<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[<camelContext id="camel"
xmlns="http://camel.apache.org/schema/spring">
+<div class="wiki-content maincontent"><h2
id="Crypto-Crypto">Crypto</h2><p><strong>Available as of Camel 2.3</strong><br
clear="none"> <strong>PGP Available as of Camel 2.9</strong></p><p>The Crypto
<a shape="rect" href="data-format.html">Data Format</a> integrates the Java
Cryptographic Extension into Camel, allowing simple and flexible encryption and
decryption of messages using Camel's familiar marshall and unmarshal formatting
mechanism. It assumes marshalling to mean encryption to cyphertext and
unmarshalling to mean decryption back to the original plaintext. This data
format implements only symmetric (shared-key) encryption and decyption.</p><h3
id="Crypto-Options">Options</h3><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1"
class="conflu
enceTh"><p>Description</p></th></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>algorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>DES/CBC/PKCS5Padding</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The JCE algorithm name
indicating the cryptographic algorithm that will be used.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>algorithmParameterSpec</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>java.security.spec.AlgorithmParameterSpec</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A JCE AlgorithmParameterSpec
used to initialize the Cipher.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>bufferSize</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"
><p><code>Integer</code></p></td><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>4096</code></p></td><td colspan="1" rowspan="1"
>class="confluenceTd"><p>the size of the buffer used in the signature
>process.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>cryptoProvider</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p>The name of the JCE Security
>Provider that should be used.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>initializationVector</code></p></td><td
>colspan="1" rowspan="1"
>class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p>A byte array containing the
>Initialization Vector that will be used to initialize the
Cipher.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>inline</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>boolean</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Flag indicating that the configured IV
should be inlined into the encrypted data stream.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>macAlgorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The JCE algorithm name indicating the
Message Authentication algorithm.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>shouldAppendHMAC</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" r
owspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Flag indicating that a Message
Authentication Code should be calculated and appended to the encrypted
data.</p></td></tr></tbody></table></div><h3 id="Crypto-BasicUsage">Basic
Usage</h3><p>At its most basic all that is required to encrypt/decrypt an
exchange is a shared secret key. If one or more instances of the Crypto data
format are configured with this key the format can be used to encrypt the
payload in one route (or part of one) and decrypted in another. For example,
using the Java DSL as
follows:<plain-text-body>{snippet:id=basic|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>In
Spring the dataformat is configured first and then used in
routes</p><parameter
ac:name="lang">xml</parameter><plain-text-body><camelContext id="camel"
xmlns="http://camel.apache.org/schema/spr
ing">
<dataFormats>
- <crypto id="basic" algorithm="DES"
keyRef="desKey" />
+ <crypto id="basic" algorithm="DES" keyRef="desKey" />
</dataFormats>
...
<route>
- <from uri="direct:basic-encryption" />
- <marshal ref="basic" />
- <to uri="mock:encrypted" />
- <unmarshal ref="basic" />
- <to uri="mock:unencrypted" />
+ <from uri="direct:basic-encryption" />
+ <marshal ref="basic" />
+ <to uri="mock:encrypted" />
+ <unmarshal ref="basic" />
+ <to uri="mock:unencrypted" />
</route>
</camelContext>
-]]></script>
-</div></div><h3 id="Crypto-SpecifyingtheEncryptionAlgorithm">Specifying the
Encryption Algorithm</h3><p>Changing the algorithm is a matter of supplying the
JCE algorithm name. If you change the algorithm you will need to use a
compatible key.</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-
-CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES",
generator.generateKey());
-cryptoFormat.setShouldAppendHMAC(true);
-cryptoFormat.setMacAlgorithm("HmacMD5");
-
-from("direct:hmac-algorithm")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(cryptoFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>A list of the available algorithms in Java 7 is available via the
<a shape="rect" class="external-link"
href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html";
rel="nofollow">Java Cryptography Architecture Standard Algorithm Name
Documentation</a>.<h3 id="Crypto-SpecifyinganInitializationVector">Specifying
an Initialization Vector</h3><p>Some crypto algorithms, particularly block
algorithms, require configuration with an initial block of data known as an
Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec
when the Cipher is initialized. To use such a vector with the CryptoDataFormat
you can configure it with a byte[] containing the required data e.g.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-byte[] initializationVector = new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07};
-
-CryptoDataFormat cryptoFormat = new
CryptoDataFormat("DES/CBC/PKCS5Padding", generator.generateKey());
-cryptoFormat.setInitializationVector(initializationVector);
-
-from("direct:init-vector")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(cryptoFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>or with spring, suppling a reference to a byte[]<div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<crypto id="initvector"
algorithm="DES/CBC/PKCS5Padding" keyRef="desKey"
initVectorRef="initializationVector" />
-]]></script>
-</div></div>The same vector is required in both the encryption and decryption
phases. As it is not necessary to keep the IV a secret, the DataFormat allows
for it to be inlined into the encrypted data and subsequently read out in the
decryption phase to initialize the Cipher. To inline the IV set the /oinline
flag.<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-byte[] initializationVector = new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07};
-SecretKey key = generator.generateKey();
-
-CryptoDataFormat cryptoFormat = new
CryptoDataFormat("DES/CBC/PKCS5Padding", key);
-cryptoFormat.setInitializationVector(initializationVector);
-cryptoFormat.setShouldInlineInitializationVector(true);
-CryptoDataFormat decryptFormat = new
CryptoDataFormat("DES/CBC/PKCS5Padding", key);
-decryptFormat.setShouldInlineInitializationVector(true);
-
-from("direct:inline")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(decryptFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>or with spring.<div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<crypto id="inline" algorithm="DES/CBC/PKCS5Padding"
keyRef="desKey" initVectorRef="initializationVector"
- inline="true" />
-<crypto id="inline-decrypt"
algorithm="DES/CBC/PKCS5Padding" keyRef="desKey"
inline="true" />
-]]></script>
-</div></div>For more information of the use of Initialization Vectors,
consult<ul><li><a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Initialization_vector";
rel="nofollow">http://en.wikipedia.org/wiki/Initialization_vector</a></li><li><a
shape="rect" class="external-link"
href="http://www.herongyang.com/Cryptography/";
rel="nofollow">http://www.herongyang.com/Cryptography/</a></li><li><a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation";
rel="nofollow">http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation</a></li></ul><h3
id="Crypto-HashedMessageAuthenticationCodes(HMAC)">Hashed Message
Authentication Codes (HMAC)</h3><p>To avoid attacks against the encrypted data
while it is in transit the CryptoDataFormat can also calculate a Message
Authentication Code for the encrypted exchange contents based on a configurable
MAC algorithm. The calculated HMAC is appended to the stream after encryption.
It is sep
arated from the stream in the decryption phase. The MAC is recalculated and
verified against the transmitted version to insure nothing was tampered with in
transit.For more information on Message Authentication Codes see <a
shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/HMAC";
rel="nofollow">http://en.wikipedia.org/wiki/HMAC</a></p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-
-CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES",
generator.generateKey());
-cryptoFormat.setShouldAppendHMAC(true);
-
-from("direct:hmac")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(cryptoFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>or with spring.<div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<crypto id="hmac" algorithm="DES"
keyRef="desKey" shouldAppendHMAC="true" />
-]]></script>
-</div></div>By default the HMAC is calculated using the HmacSHA1 mac algorithm
though this can be easily changed by supplying a different algorithm name. See
<a shape="rect" class="unresolved" href="#">here</a> for how to check what
algorithms are available through the configured security providers<div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-KeyGenerator generator = KeyGenerator.getInstance("DES");
-
-CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES",
generator.generateKey());
-cryptoFormat.setShouldAppendHMAC(true);
-cryptoFormat.setMacAlgorithm("HmacMD5");
-
-from("direct:hmac-algorithm")
- .marshal(cryptoFormat)
- .to("mock:encrypted")
- .unmarshal(cryptoFormat)
- .to("mock:unencrypted");
-]]></script>
-</div></div>or with spring.<div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<crypto id="hmac-algorithm" algorithm="DES"
keyRef="desKey" macAlgorithm="HmacMD5"
shouldAppendHMAC="true" />
-]]></script>
-</div></div><h3 id="Crypto-SupplyingKeysDynamically">Supplying Keys
Dynamically</h3><p>When using a Recipient list or similar EIP the recipient of
an exchange can vary dynamically. Using the same key across all recipients may
neither be feasible or desirable. It would be useful to be able to specify keys
dynamically on a per exchange basis. The exchange could then be dynamically
enriched with the key of its target recipient before being processed by the
data format. To facilitate this the DataFormat allow for keys to be supplied
dynamically via the message headers
below</p><ul><li><code>CryptoDataFormat.KEY</code>
<code>"CamelCryptoKey"</code></li></ul><p></p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", null);
-/**
- * Note: the header containing the key should be cleared after
- * marshalling to stop it from leaking by accident and
- * potentially being compromised. The processor version below is
- * arguably better as the key is left in the header when you use
- * the DSL leaks the fact that camel encryption was used.
- */
-from("direct:key-in-header-encrypt")
- .marshal(cryptoFormat)
- .removeHeader(CryptoDataFormat.KEY)
- .to("mock:encrypted");
-
-from("direct:key-in-header-decrypt").unmarshal(cryptoFormat).process(new
Processor() {
- public void process(Exchange exchange) throws Exception {
- exchange.getIn().getHeaders().remove(CryptoDataFormat.KEY);
- exchange.getOut().copyFrom(exchange.getIn());
- }
-}).to("mock:unencrypted");
-]]></script>
-</div></div>or with spring.<div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<crypto id="nokey" algorithm="DES" />
-]]></script>
-</div></div><h3 id="Crypto-PGPMessage">PGP Message</h3><p>The PGP Data
Formater can create and decrypt/verify PGP Messages of the following PGP packet
structure (entries in brackets are optional and ellipses indicate repetition,
comma represents  sequential composition, and vertical bar separates
alternatives):</p><p>    Public Key Encrypted Session Key ...,
Symmetrically Encrypted Data | Sym. Encrypted and Integrity Protected Data,
(Compressed Data,) (One Pass Signature ...,) Literal Data, (Signature
...,)</p><p><strong>Since Camel 2.16</strong>.<strong>0</strong> the Compressed
Data packet is optional, before it was mandatory.</p><p> </p><h3
id="Crypto-PGPDataFormatOptions">PGPDataFormat Options</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></
th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>keyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The user ID of the key in the
PGP keyring used during encryption. See also option <code>keyUserids</code>.
Can also be only a part of a user ID. For example, if the user ID is "Test User
<[email protected]>" then you can use the part "Test User" or
"<[email protected]>" to address the user ID.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>keyUserids</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>List<String></code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"
><p><strong>Since camel 2.12.2</strong>: PGP allows to encrypt the symmetric
>key by several asymmetric public receiver keys. You can specify here the User
>IDs or parts of User IDs of several public keys contained in the PGP keyring.
>If you just have one User ID, then you can also use the option
><code>keyUserid</code>. The User ID specified in <code>keyUserid</code> and
>the User IDs in <code>keyUserids</code> will be merged together and the
>corresponding public keys will be used for the
>encryption.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>password</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p>Password used when opening
>the private key (not used for encryption).</p></td></tr><tr><td colspan="1"
>rowspan="1" class="confluenceTd"><p><code>keyFileName</code></p></td><td
>colspan="
1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Filename of the keyring; must
be accessible as a classpath resource (but you can specify a location in the
file system by using the "file:" prefix).</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>encryptionKeyRing</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>byte[]</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.1</strong>: encryption keyring; you can not set the keyFileName and
encryptionKeyRing at the same time.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>signatureKeyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>;
optional User ID of the key in the PGP keyring used for signing (during
encryption) or signature verification (during decryption). During the signature
verification process the specified User ID restricts the public keys from the
public keyring which can be used for the verification. If no User ID is
specified for the signature verficiation then any public key in the public
keyring can be used for the verification. Can also be only a part of a user ID.
For example, if the user ID is "Test User <[email protected]>" then you can
use the part "Test User" or "<[email protected]>" to address the User
ID.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureKeyUserids</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>List<String></code></p></td><td colspan="1"
rowspan="1" cl
ass="confluenceTd"><p><code>null</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.3</strong>: optional list of
User IDs of the key in the PGP keyring used for signing (during encryption) or
signature verification (during decryption). You can specify here the User IDs
or parts of User IDs of several keys contained in the PGP keyring. If you just
have one User ID, then you can also use the option <code>keyUserid</code>. The
User ID specified in <code>keyUserid</code> and the User IDs in
<code>keyUserids</code> will be merged together and the corresponding keys will
be used for the signing or signature verification. If the specified User IDs
reference several keys then for each key a signature is added to the PGP result
during the encryption-signing process. In the decryption-verifying process the
list of User IDs restricts the list of public keys which can be used for
signature verification. If the list of User IDs is empty then any public ke
y in the public keyring can be used for the signature
verification.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signaturePassword</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>:
optional password used when opening the private key used for signing (during
encryption).</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureKeyFileName</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>: optional filename of the keyring to use for signing (during
encryption) or for signature verification (during decryption); mus
t be accessible as a classpath resource (but you can specify a location in the
file system by using the "file:" prefix).</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>signatureKeyRing</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>byte[]</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.1</strong>: signature keyring; you can not set the signatureKeyFileName
and signatureKeyRing at the same time.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>algorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>SymmetricKeyAlgorithmTags.CAST5</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: symmetric key encryption algorithm; possible values
are defined in <code>org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags</code>;
for example 2 (= TRIPLE DES), 3 (= CAST5), 4 (= BLOWFISH), 6 (= DES), 7 (=
AES_128). Only relevant for encrypting.</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>compressionAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>CompressionAlgorithmTags.ZIP</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: compression algorithm; possible values are defined in
<code>org.bouncycastle.bcpg.CompressionAlgorithmTags</code>; for example 0 (=
UNCOMPRESSED), 1 (= ZIP), 2 (= ZLIB), 3 (= BZIP2). Only relevant for
encrypting.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>hashAlgorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td colspan="1"
rowspan="1" clas
s="confluenceTd"><p><code>HashAlgorithmTags.SHA1</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: signature hash algorithm; possible values are defined in
<code>org.bouncycastle.bcpg.HashAlgorithmTags</code>; for example 2 (= SHA1), 8
(= SHA256), 9 (= SHA384), 10 (= SHA512), 11 (=SHA224). Only relevant for
signing.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>armored</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This option will cause PGP to
base64 encode the encrypted text, making it available for copy/paste,
etc.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>integrity</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" rowspan="1" c
lass="confluenceTd"><p><code>true</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Adds an integrity check/sign into the encryption
file.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>passphraseAccessor</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code><a shape="rect" class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java";
rel="nofollow">PGPPassphraseAccessor</a></code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.12.2</strong>:
provides passphrases corresponding to user Ids. If no passpharase can be found
from the option <code>password</code> or <code>signaturePassword</code> and
from the headers <code>CamelPGPDataFormatKeyPassword</code> or
<code>CamelPGPDataFormatSignatureKeyPassword<
/code> then the passphrase is fetched from the passphrase accessor. You
provide a bean which implements the interface <a shape="rect"
class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java";
rel="nofollow">PGPPassphraseAccessor</a>. A default implementation is given by
<a shape="rect" class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPPassphraseAccessor.java";
rel="nofollow">DefaultPGPPassphraseAccessor</a>. The passphrase accessor is
especially useful in the decrypt case; see chapter 'PGP Decrypting/Verifying of
Messages Encrypted/Signed by Different Private/Public Keys'
below.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureVerificationOption</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p><
/td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>"optional"</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.13.0</strong>:
controls the behavior for verifying the signature during unmarshaling. There
are three values possible:</p><ul><li><code>"optional"</code>: The PGP message
may or may not contain signatures; if it does contain signatures, then a
signature verification is executed. Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_OPTIONAL.</li><li><code>"required"</code>:
The PGP message must contain at least one signature; if this is not the case
an exception (PGPException) is thrown. A signature verification is executed.
Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_REQUIRED.</li><li><code>"ignore"</code>:
Contained signatures in the PGP message are ignored; no signature verification
is executed. Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_IGNORE.</li><li
><code>"no_signature_allowed"</code>: The PGP message must not contain a
>signature; otherwise an exception (PGPException) is thrown. Use the constant
>PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_NO_SIGNATURE_ALLOWED.</li></ul></td></tr><tr><td
> colspan="1" rowspan="1"
>class="confluenceTd"><p><code>FileName</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><code>String</code></td><td colspan="1"
>rowspan="1" class="confluenceTd"><code>"_CONSOLE"</code></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><strong>Since camel 2.15.0</strong>: Sets
>the file name for the literal data packet. Can be overwritten by the 
>header {@link Exchange#FILE_NAME}.</p><p>"<code>_CONSOLE</code>" indicates
>that the message is considered to be "for your eyes only". This advises that
>the message data is unusually sensitive, and the receiving program should
>process it more carefully, perhaps avoiding storing the received data to
>disk, for example.Only used for marshaling.</p></
td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>withCompressedDataPacket</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>boolean</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>true</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.16.0</strong>:
Indicator whether the PGP Message shall be created with or without a Compressed
Data packet. If the value is set to false, then no Compressed Data packet is
added and the compressionAlgorithm value is ignored. Only used for
marshaling.</p></td></tr></tbody></table></div><h3
id="Crypto-PGPDataFormatMessageHeaders">PGPDataFormat Message
Headers</h3><p>You can override the PGPDataFormat options by applying below
headers into message dynamically.</p><p> </p><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</
p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatKeyFileName</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>; filename of the keyring; will override existing setting
directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatEncryptionKeyRing</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.1</strong>; the encryption
keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatKeyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p
><code>String</code></p></td><td colspan="1" rowspan="1"
>class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>; the User ID of
>the key in the PGP keyring; will override existing setting directly on the
>PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
>class="confluenceTd"><p><code>CamelPGPDataFormatKeyUserids</code></p></td><td
>colspan="1" rowspan="1"
>class="confluenceTd"><p><code>List<String></code></p></td><td
>colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
>2.12.2</strong>: the User IDs of the key in the PGP keyring; will override
>existing setting directly on the PGPDataFormat.</p></td></tr><tr><td
>colspan="1" rowspan="1"
>class="confluenceTd"><p><code>CamelPGPDataFormatKeyPassword</code></p></td><td
> colspan="1" rowspan="1"
>class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
>rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>;
>password used when opening the private key; will override existing setting
>dire
ctly on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyFileName</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>; filename of the
signature keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyRing</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.1</strong>; the signature
keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</cod
e></p></td><td colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since
Camel 2.11.0</strong>; the User ID of the signature key in the PGP keyring;
will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><code>CamelPGPDataFormatSignatureKeyUserids</code></td><td
colspan="1" rowspan="1"
class="confluenceTd"><code>List<String></code></td><td colspan="1"
rowspan="1" class="confluenceTd"><strong>Since Camel 2.12.3</strong>; the User
IDs of the signature keys in the PGP keyring; will override existing setting
directly on the PGPDataFormat.</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyPassword</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>; password used when
opening the signature private key; will override existing se
tting directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatEncryptionAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.12.2</strong>; symmetric key encryption algorithm; will override existing
setting directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureHashAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.12.2</strong>; signature hash algorithm; will override existing setting
directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatCompressionAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><c
ode>int</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.2</strong>; compression
algorithm; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatNumberOfEncryptionKeys</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><code>Integer</code></td><td
colspan="1" rowspan="1"
class="confluenceTd"><strong>Since</strong> <strong>Camel 2.12.3; 
</strong>number of public keys used for encrypting the symmectric key, set by
PGPDataFormat during encryptiion process</td></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatNumberOfSigningKeys</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><code>Integer</code></td><td
colspan="1" rowspan="1"
class="confluenceTd"><strong>Since</strong> <strong>Camel 2.12.3; 
</strong>number of private keys used for creating signatures, set by
PGPDataFormat during signing process</td></tr></tbody></table></div><h3
id="Crypto-EncryptingwithPGPDataFormat">Encrypting with
PGPDataFormat</h3><p>The following sample uses the popular PGP format for
encrypting/decrypting files using the <a shape="rect" class="external-link"
href="http://www.bouncycastle.org/java.html"; rel="nofollow">Bouncy Castle Java
libraries</a>:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-// Public Key FileName
-String keyFileName = getKeyFileName();
-// Private Key FileName
-String keyFileNameSec = getKeyFileNameSec();
-// Keyring Userid Used to Encrypt
-String keyUserid = getKeyUserId();
-// Private key password
-String keyPassword = getKeyPassword();
-
-from("direct:inline").marshal().pgp(keyFileName,
keyUserid).to("mock:encrypted").unmarshal()
- .pgp(keyFileNameSec, null,
keyPassword).to("mock:unencrypted");
-]]></script>
-</div></div>The following sample performs signing + encryption, and then
signature verification + decryption. It uses the same keyring for both signing
and encryption, but you can obviously use different keys:<div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-PGPDataFormat pgpSignAndEncrypt = new PGPDataFormat();
-pgpSignAndEncrypt.setKeyFileName(keyFileName);
-pgpSignAndEncrypt.setKeyUserid(keyUserid);
-pgpSignAndEncrypt.setSignatureKeyFileName(keyFileNameSec);
-PGPPassphraseAccessor passphraseAccessor = getPassphraseAccessor();
-pgpSignAndEncrypt.setSignatureKeyUserid("Super
<[email protected]>"); // must be the exact user Id because
passphrase is searched in accessor
-pgpSignAndEncrypt.setPassphraseAccessor(passphraseAccessor);
-pgpSignAndEncrypt.setProvider(getProvider());
-pgpSignAndEncrypt.setAlgorithm(getAlgorithm());
-pgpSignAndEncrypt.setHashAlgorithm(getHashAlgorithm());
-pgpSignAndEncrypt.setCompressionAlgorithm(getCompressionAlgorithm());
-
-PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
-pgpVerifyAndDecrypt.setKeyFileName(keyFileNameSec);
-pgpVerifyAndDecrypt.setPassword(keyPassword);
-pgpVerifyAndDecrypt.setSignatureKeyFileName(keyFileName);
-pgpVerifyAndDecrypt.setProvider(getProvider());
-pgpVerifyAndDecrypt.setSignatureKeyUserid(keyUserid); // restrict verification
to public keys with certain User ID
-
-from("direct:inline-sign").marshal(pgpSignAndEncrypt).to("mock:encrypted").unmarshal(pgpVerifyAndDecrypt)
- .to("mock:unencrypted");
-]]></script>
-</div></div>Or using Spring:<div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<dataFormats>
- <!-- will load the file from classpath by default, but you can prefix
with file: to load from file system -->
- <pgp id="encrypt"
keyFileName="org/apache/camel/component/crypto/pubring.gpg"
- keyUserid="[email protected]"/>
- <pgp id="decrypt"
keyFileName="org/apache/camel/component/crypto/secring.gpg"
- password="sdude"/>
-</dataFormats>
-
-<route>
- <from uri="direct:inline"/>
- <marshal ref="encrypt"/>
- <to uri="mock:encrypted"/>
- <unmarshal ref="decrypt"/>
- <to uri="mock:unencrypted"/>
-</route>
-]]></script>
-</div></div><h4 id="Crypto-Toworkwiththepreviousexampleyouneedthefollowing">To
work with the previous example you need the following</h4><ul><li>A public
keyring file which contains the public keys used to encrypt the data</li><li>A
private keyring file which contains the keys used to decrypt the
data</li><li>The keyring password</li></ul><h4
id="Crypto-Managingyourkeyring">Managing your keyring</h4><p>To manage the
keyring, I use the command line tools, I find this to be the simplest approach
in managing the keys. There are also Java libraries available from <a
shape="rect" class="external-link" href="http://www.bouncycastle.org/java.html";
rel="nofollow">http://www.bouncycastle.org/java.html</a> if you would prefer to
do it that way.</p><ol><li><p>Install the command line utilities on
linux</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[apt-get install gnupg]]></script>
-</div></div></li><li><p>Create your keyring, entering a secure
password</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[gpg --gen-key]]></script>
-</div></div></li><li><p>If you need to import someone elses public key so that
you can encrypt a file for them.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[gpg --import <filename.key]]></script>
-</div></div></li><li><p>The following files should now exist and can be used
to run the example</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[ls -l ~/.gnupg/pubring.gpg
~/.gnupg/secring.gpg]]></script>
-</div></div></li></ol><h3
id="Crypto-PGPDecrypting/VerifyingofMessagesEncrypted/SignedbyDifferentPrivate/PublicKeys">PGP
Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public
Keys</h3><p>Since <strong>Camel 2.12.2</strong>.</p><p>A PGP Data Formater can
decrypt/verify messages which have been encrypted by different public keys or
signed by different private keys. Just, provide the corresponding private keys
in the secret keyring, the corresponding public keys in the public keyring, and
the passphrases in the passphrase accessor.</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[Map<String, String> userId2Passphrase =
new HashMap<String, String>(2);
+</plain-text-body><h3 id="Crypto-SpecifyingtheEncryptionAlgorithm">Specifying
the Encryption Algorithm</h3><p>Changing the algorithm is a matter of supplying
the JCE algorithm name. If you change the algorithm you will need to use a
compatible
key.<plain-text-body>{snippet:id=algorithm|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>A
list of the available algorithms in Java 7 is available via the <a
shape="rect" class="external-link"
href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html";
rel="nofollow">Java Cryptography Architecture Standard Algorithm Name
Documentation</a>.</p><h3
id="Crypto-SpecifyinganInitializationVector">Specifying an Initialization
Vector</h3><p>Some crypto algorithms, particularly block algorithms, require
configuration with an initial block of data known as an Initialization Vector.
In the JCE this is passed as an AlgorithmParamete
rSpec when the Cipher is initialized. To use such a vector with the
CryptoDataFormat you can configure it with a byte[] containing the required
data
e.g.<plain-text-body>{snippet:id=init-vector|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>or
with spring, suppling a reference to a
byte[]<plain-text-body>{snippet:id=init-vector|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringCryptoDataFormatTest.xml}</plain-text-body>The
same vector is required in both the encryption and decryption phases. As it is
not necessary to keep the IV a secret, the DataFormat allows for it to be
inlined into the encrypted data and subsequently read out in the decryption
phase to initialize the Cipher. To inline the IV set the /oinline
flag.<plain-text-body>{snippet:id=inline-init-vector|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/a
pache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>or
with
spring.<plain-text-body>{snippet:id=inline|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringCryptoDataFormatTest.xml}</plain-text-body>For
more information of the use of Initialization Vectors, consult</p><ul><li><a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Initialization_vector";
rel="nofollow">http://en.wikipedia.org/wiki/Initialization_vector</a></li><li><a
shape="rect" class="external-link"
href="http://www.herongyang.com/Cryptography/";
rel="nofollow">http://www.herongyang.com/Cryptography/</a></li><li><a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation";
rel="nofollow">http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation</a></li></ul><h3
id="Crypto-HashedMessageAuthenticationCodes(HMAC)">Hashed Message
Authentication Codes (HMAC)</h3><p>To avoid attacks a
gainst the encrypted data while it is in transit the CryptoDataFormat can also
calculate a Message Authentication Code for the encrypted exchange contents
based on a configurable MAC algorithm. The calculated HMAC is appended to the
stream after encryption. It is separated from the stream in the decryption
phase. The MAC is recalculated and verified against the transmitted version to
insure nothing was tampered with in transit.For more information on Message
Authentication Codes see <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/HMAC";
rel="nofollow">http://en.wikipedia.org/wiki/HMAC</a><plain-text-body>{snippet:id=hmac|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>or
with
spring.<plain-text-body>{snippet:id=hmac|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringCryptoDataFormatTest.xml}</plain-text-body>By
default the HMAC is calculated using the HmacSHA1 mac algorithm though this
can be easily changed by supplying a different algorithm name. See <a
shape="rect" class="unresolved" href="#">here</a> for how to check what
algorithms are available through the configured security
providers<plain-text-body>{snippet:id=hmac-algorithm|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>or
with
spring.<plain-text-body>{snippet:id=hmac-algorithm|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringCryptoDataFormatTest.xml}</plain-text-body></p><h3
id="Crypto-SupplyingKeysDynamically">Supplying Keys Dynamically</h3><p>When
using a Recipient list or similar EIP the recipient of an exchange can vary
dynamically. Using the same key across all recipients may neither be feasible
or desirable. It would be useful to be able to specify keys dynamically on a p
er exchange basis. The exchange could then be dynamically enriched with the
key of its target recipient before being processed by the data format. To
facilitate this the DataFormat allow for keys to be supplied dynamically via
the message headers below</p><ul><li><code>CryptoDataFormat.KEY</code>
<code>"CamelCryptoKey"</code></li></ul><p><plain-text-body>{snippet:id=key-in-header|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/CryptoDataFormatTest.java}</plain-text-body>or
with
spring.<plain-text-body>{snippet:id=header-key|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringCryptoDataFormatTest.xml}</plain-text-body></p><h3
id="Crypto-PGPMessage">PGP Message</h3><p>The PGP Data Formater can create and
decrypt/verify PGP Messages of the following PGP packet structure (entries in
brackets are optional and ellipses indicate repetition, comma represents
 sequential composition
, and vertical bar separates alternatives):</p><p>    Public Key
Encrypted Session Key ..., Symmetrically Encrypted Data | Sym. Encrypted and
Integrity Protected Data, (Compressed Data,) (One Pass Signature
...,) Literal Data, (Signature ...,)</p><p><strong>Since Camel
2.16</strong>.<strong>0</strong> the Compressed Data packet is optional, before
it was mandatory.</p><p> </p><h3
id="Crypto-PGPDataFormatOptions">PGPDataFormat Options</h3><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>keyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>null</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The user ID of the key in the PGP keyring used during
encryption. See also option <code>keyUserids</code>. Can also be only a part of
a user ID. For example, if the user ID is "Test User <[email protected]>"
then you can use the part "Test User" or "<[email protected]>" to address
the user ID.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>keyUserids</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>List<String></code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: PGP allows to encrypt the symmetric key by several asymmetric
public receiver keys. You can specify here the User IDs or parts of User IDs of
several public keys contained in the PGP keyring. If you just have one User ID,
then you ca
n also use the option <code>keyUserid</code>. The User ID specified in
<code>keyUserid</code> and the User IDs in <code>keyUserids</code> will be
merged together and the corresponding public keys will be used for the
encryption.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>password</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Password used when opening the private key
(not used for encryption).</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>keyFileName</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Filename of the keyring; must be accessible
as a classpath resource (but you
can specify a location in the file system by using the "file:"
prefix).</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>encryptionKeyRing</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since camel 2.12.1</strong>:
encryption keyring; you can not set the keyFileName and encryptionKeyRing at
the same time.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureKeyUserid</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>;
optional User ID of the key in the PGP keyring used for signing (during
encryption) or signature verification (during decr
yption). During the signature verification process the specified User ID
restricts the public keys from the public keyring which can be used for the
verification. If no User ID is specified for the signature verficiation then
any public key in the public keyring can be used for the verification. Can also
be only a part of a user ID. For example, if the user ID is "Test User
<[email protected]>" then you can use the part "Test User" or
"<[email protected]>" to address the User ID.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureKeyUserids</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>List<String></code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.12.3</strong>:
optional list of User IDs of the key in the PGP keyring used for signing
(during encryption) or signature verification (during decryption
). You can specify here the User IDs or parts of User IDs of several keys
contained in the PGP keyring. If you just have one User ID, then you can also
use the option <code>keyUserid</code>. The User ID specified in
<code>keyUserid</code> and the User IDs in <code>keyUserids</code> will be
merged together and the corresponding keys will be used for the signing or
signature verification. If the specified User IDs reference several keys then
for each key a signature is added to the PGP result during the
encryption-signing process. In the decryption-verifying process the list of
User IDs restricts the list of public keys which can be used for signature
verification. If the list of User IDs is empty then any public key in the
public keyring can be used for the signature verification.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>signaturePassword</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
ro
wspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>:
optional password used when opening the private key used for signing (during
encryption).</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureKeyFileName</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>: optional filename of the keyring to use for signing (during
encryption) or for signature verification (during decryption); must be
accessible as a classpath resource (but you can specify a location in the file
system by using the "file:" prefix).</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>signatureKeyRing</code></p></td><td
colspan="1" rowspan="1" class="confluenceT
d"><p><code>byte[]</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>null</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since camel 2.12.1</strong>: signature keyring;
you can not set the signatureKeyFileName and signatureKeyRing at the same
time.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>algorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>SymmetricKeyAlgorithmTags.CAST5</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: symmetric key encryption algorithm; possible values are
defined in <code>org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags</code>; for
example 2 (= TRIPLE DES), 3 (= CAST5), 4 (= BLOWFISH), 6 (= DES), 7 (=
AES_128). Only relevant for encrypting.</p></td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>compres
sionAlgorithm</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>int</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CompressionAlgorithmTags.ZIP</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: compression algorithm; possible values are defined in
<code>org.bouncycastle.bcpg.CompressionAlgorithmTags</code>; for example 0 (=
UNCOMPRESSED), 1 (= ZIP), 2 (= ZLIB), 3 (= BZIP2). Only relevant for
encrypting.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>hashAlgorithm</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>HashAlgorithmTags.SHA1</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since camel
2.12.2</strong>: signature hash algorithm; possible values are defined in
<code>org.bouncycastle.bcpg.HashAlgorithmTags</code>; for exampl
e 2 (= SHA1), 8 (= SHA256), 9 (= SHA384), 10 (= SHA512), 11 (=SHA224). Only
relevant for signing.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>armored</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>false</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>This option will cause PGP to
base64 encode the encrypted text, making it available for copy/paste,
etc.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>integrity</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>boolean</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>true</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>Adds an integrity check/sign
into the encryption file.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>passphraseAccessor</code></p></td><td colsp
an="1" rowspan="1" class="confluenceTd"><p><code><a shape="rect"
class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java";
rel="nofollow">PGPPassphraseAccessor</a></code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.12.2</strong>:
provides passphrases corresponding to user Ids. If no passpharase can be found
from the option <code>password</code> or <code>signaturePassword</code> and
from the headers <code>CamelPGPDataFormatKeyPassword</code> or
<code>CamelPGPDataFormatSignatureKeyPassword</code> then the passphrase is
fetched from the passphrase accessor. You provide a bean which implements the
interface <a shape="rect" class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/cry
pto/PGPPassphraseAccessor.java" rel="nofollow">PGPPassphraseAccessor</a>. A
default implementation is given by <a shape="rect" class="external-link"
href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPPassphraseAccessor.java";
rel="nofollow">DefaultPGPPassphraseAccessor</a>. The passphrase accessor is
especially useful in the decrypt case; see chapter 'PGP Decrypting/Verifying of
Messages Encrypted/Signed by Different Private/Public Keys'
below.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>signatureVerificationOption</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>"optional"</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since Camel 2.13.0</strong>:
controls the behavior for verifying the signature during unmarshaling. There
are three values pos
sible:</p><ul><li><code>"optional"</code>: The PGP message may or may not
contain signatures; if it does contain signatures, then a signature
verification is executed. Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_OPTIONAL.</li><li><code>"required"</code>:
The PGP message must contain at least one signature; if this is not the case
an exception (PGPException) is thrown. A signature verification is executed.
Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_REQUIRED.</li><li><code>"ignore"</code>:
Contained signatures in the PGP message are ignored; no signature verification
is executed. Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_IGNORE.</li><li><code>"no_signature_allowed"</code>:
The PGP message must not contain a signature; otherwise an exception
(PGPException) is thrown. Use the constant
PGPKeyAccessDataFormat.SIGNATURE_VERIFICATION_OPTION_NO_SIGNATURE_ALLOWED.</li></ul></td></tr><tr><td
colspan="1" rowspan="1
" class="confluenceTd"><p><code>FileName</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><code>String</code></td><td colspan="1"
rowspan="1" class="confluenceTd"><code>"_CONSOLE"</code></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since camel 2.15.0</strong>: Sets
the file name for the literal data packet. Can be overwritten by the 
header {@link Exchange#FILE_NAME}.</p><p>"<code>_CONSOLE</code>" indicates that
the message is considered to be "for your eyes only". This advises that the
message data is unusually sensitive, and the receiving program should process
it more carefully, perhaps avoiding storing the received data to disk, for
example.Only used for marshaling.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>withCompressedDataPacket</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>boolean</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>true</code></p></td><td colspan="1" ro
wspan="1" class="confluenceTd"><p><strong>Since Camel 2.16.0</strong>:
Indicator whether the PGP Message shall be created with or without a Compressed
Data packet. If the value is set to false, then no Compressed Data packet is
added and the compressionAlgorithm value is ignored. Only used for
marshaling.</p></td></tr></tbody></table></div><h3
id="Crypto-PGPDataFormatMessageHeaders">PGPDataFormat Message
Headers</h3><p>You can override the PGPDataFormat options by applying below
headers into message dynamically.</p><p> </p><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatKeyFileName</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>; filename of the keyring; will override existing setting
directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatEncryptionKeyRing</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.1</strong>; the encryption
keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatKeyUserid</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>; the User ID of the key in the PGP keyring; will override
existing setting directly on the PGPDataFormat.</p></td></tr><tr><td
colspan="1" rowspan="1" class=
"confluenceTd"><p><code>CamelPGPDataFormatKeyUserids</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>List<String></code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><strong>Since camel 2.12.2</strong>: the
User IDs of the key in the PGP keyring; will override existing setting directly
on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatKeyPassword</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.11.0</strong>; password used when opening the private key; will override
existing setting directly on the PGPDataFormat.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyFileName</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="con
fluenceTd"><p><strong>Since Camel 2.11.0</strong>; filename of the signature
keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyRing</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>byte[]</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.12.1</strong>; the signature
keyring; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyUserid</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>; the User ID of the
signature key in the PGP keyring; will override existing setting directly on
the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1" class="conflue
nceTd"><code>CamelPGPDataFormatSignatureKeyUserids</code></td><td colspan="1"
rowspan="1" class="confluenceTd"><code>List<String></code></td><td
colspan="1" rowspan="1" class="confluenceTd"><strong>Since Camel
2.12.3</strong>; the User IDs of the signature keys in the PGP keyring; will
override existing setting directly on the PGPDataFormat.</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureKeyPassword</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><strong>Since Camel 2.11.0</strong>; password used when
opening the signature private key; will override existing setting directly on
the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatEncryptionAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1" clas
s="confluenceTd"><p><strong>Since Camel 2.12.2</strong>; symmetric key
encryption algorithm; will override existing setting directly on the
PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatSignatureHashAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.12.2</strong>; signature hash algorithm; will override existing setting
directly on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatCompressionAlgorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>int</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><strong>Since Camel
2.12.2</strong>; compression algorithm; will override existing setting directly
on the PGPDataFormat.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>Ca
melPGPDataFormatNumberOfEncryptionKeys</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><code>Integer</code></td><td colspan="1"
rowspan="1" class="confluenceTd"><strong>Since</strong> <strong>Camel
2.12.3;  </strong>number of public keys used for encrypting the symmectric
key, set by PGPDataFormat during encryptiion process</td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>CamelPGPDataFormatNumberOfSigningKeys</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><code>Integer</code></td><td
colspan="1" rowspan="1"
class="confluenceTd"><strong>Since</strong> <strong>Camel 2.12.3; 
</strong>number of private keys used for creating signatures, set by
PGPDataFormat during signing process</td></tr></tbody></table></div><h3
id="Crypto-EncryptingwithPGPDataFormat">Encrypting with
PGPDataFormat</h3><p>The following sample uses the popular PGP format for
encrypting/decrypting files using the <a shape="rect" class="external-l
ink" href="http://www.bouncycastle.org/java.html"; rel="nofollow">Bouncy Castle
Java
libraries</a>:<plain-text-body>{snippet:id=pgp-format|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/PGPDataFormatTest.java}</plain-text-body>The
following sample performs signing + encryption, and then signature
verification + decryption. It uses the same keyring for both signing and
encryption, but you can obviously use different
keys:<plain-text-body>{snippet:id=pgp-format-signature|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/converter/crypto/PGPDataFormatTest.java}</plain-text-body>Or
using
Spring:<plain-text-body>{snippet:id=pgp-xml-basic|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringPGPDataFormatTest.xml}</plain-text-body></p><h4
id="Crypto-Toworkwiththepreviousexampleyouneedthefollowing">To work with the
previous example you need the following</h
4><ul><li>A public keyring file which contains the public keys used to encrypt
the data</li><li>A private keyring file which contains the keys used to decrypt
the data</li><li>The keyring password</li></ul><h4
id="Crypto-Managingyourkeyring">Managing your keyring</h4><p>To manage the
keyring, I use the command line tools, I find this to be the simplest approach
in managing the keys. There are also Java libraries available from <a
shape="rect" class="external-link" href="http://www.bouncycastle.org/java.html";
rel="nofollow">http://www.bouncycastle.org/java.html</a> if you would prefer to
do it that way.</p><ol><li><p>Install the command line utilities on
linux</p><plain-text-body>apt-get install
gnupg</plain-text-body></li><li><p>Create your keyring, entering a secure
password</p><plain-text-body>gpg --gen-key</plain-text-body></li><li><p>If you
need to import someone elses public key so that you can encrypt a file for
them.</p><plain-text-body>gpg --import <filename.key</plain-te
xt-body></li><li><p>The following files should now exist and can be used to
run the example</p><plain-text-body>ls -l ~/.gnupg/pubring.gpg
~/.gnupg/secring.gpg</plain-text-body></li></ol><h3
id="Crypto-PGPDecrypting/VerifyingofMessagesEncrypted/SignedbyDifferentPrivate/PublicKeys">PGP
Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public
Keys</h3><p>Since <strong>Camel 2.12.2</strong>.</p><p>A PGP Data Formater can
decrypt/verify messages which have been encrypted by different public keys or
signed by different private keys. Just, provide the corresponding private keys
in the secret keyring, the corresponding public keys in the public keyring, and
the passphrases in the passphrase accessor.</p><parameter
ac:name="language">java</parameter><plain-text-body>Map<String, String>
userId2Passphrase = new HashMap<String, String>(2);
// add passphrases of several private keys whose corresponding public keys
have been used to encrypt the messages
-userId2Passphrase.put("UserIdOfKey1","passphrase1"); //
you must specify the exact User ID!
-userId2Passphrase.put("UserIdOfKey2","passphrase2");
+userId2Passphrase.put("UserIdOfKey1","passphrase1"); // you must specify the
exact User ID!
+userId2Passphrase.put("UserIdOfKey2","passphrase2");
PGPPassphraseAccessor passphraseAccessor = new
PGPPassphraseAccessorDefault(userId2Passphrase);
PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
@@ -309,52 +102,45 @@ pgpVerifyAndDecrypt.setEncryptionKeyRing
pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing()); //
alternatively you can use setSignatureKeyFileName(signatgureKeyfileName)
// it is not necessary to specify the encryption or signer User Id
-from("direct:start")
+from("direct:start")
...
.unmarshal(pgpVerifyAndDecrypt) // can decrypt/verify messages
encrypted/signed by different private/public keys
...
-]]></script>
-</div></div><ul><li>The functionality is especially useful to support the key
exchange. If you want to exchange the private key for decrypting you can accept
for a period of time messages which are either encrypted with the old or new
corresponding public key. Or if the sender wants to exchange his signer private
key, you can accept for a period of time, the old or new signer
key.</li><li>Technical background: The PGP encrypted data contains a Key ID of
the public key which was used to encrypt the data. This Key ID can be used to
locate the private key in the secret keyring to decrypt the data. The same
mechanism is also used to locate the public key for verifying a signature.
Therefore you no longer must specify User IDs for the
unmarshaling.</li></ul><h3
id="Crypto-RestrictingtheSignerIdentitiesduringPGPSignatureVerification">Restricting
the Signer Identities during PGP Signature
Verification</h3><p>Since <strong>Camel 2.12.3.</strong></p><p>If you
verify a signature you not
only want to verify the correctness of the signature but you also want check
that the signature comes from a certain identity or a specific set of
identities. Therefore it is possible to restrict the number of public keys from
the public keyring which can be used for the verification of a signature.
 </p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>Signature User IDs</b></div><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[// specify the User IDs of the expected
signer identities
+</plain-text-body><ul><li>The functionality is especially useful to support
the key exchange. If you want to exchange the private key for decrypting you
can accept for a period of time messages which are either encrypted with the
old or new corresponding public key. Or if the sender wants to exchange his
signer private key, you can accept for a period of time, the old or new signer
key.</li><li>Technical background: The PGP encrypted data contains a Key ID of
the public key which was used to encrypt the data. This Key ID can be used to
locate the private key in the secret keyring to decrypt the data. The same
mechanism is also used to locate the public key for verifying a signature.
Therefore you no longer must specify User IDs for the
unmarshaling.</li></ul><h3
id="Crypto-RestrictingtheSignerIdentitiesduringPGPSignatureVerification">Restricting
the Signer Identities during PGP Signature
Verification</h3><p>Since <strong>Camel 2.12.3.</strong></p><p>If you
verify a signature yo
u not only want to verify the correctness of the signature but you also want
check that the signature comes from a certain identity or a specific set of
identities. Therefore it is possible to restrict the number of public keys from
the public keyring which can be used for the verification of a signature.
 </p><parameter ac:name="language">java</parameter><parameter
ac:name="title">Signature User IDs</parameter><plain-text-body>// specify the
User IDs of the expected signer identities
List<String> expectedSigUserIds = new ArrayList<String>();
- expectedSigUserIds.add("Trusted company1");
- expectedSigUserIds.add("Trusted company2");
-Â
+ expectedSigUserIds.add("Trusted company1");
+ expectedSigUserIds.add("Trusted company2");
+ 
PGPDataFormat pgpVerifyWithSpecificKeysAndDecrypt = new PGPDataFormat();
- pgpVerifyWithSpecificKeysAndDecrypt.setPassword("my password"); //
for decrypting with private key
+ pgpVerifyWithSpecificKeysAndDecrypt.setPassword("my password"); // for
decrypting with private key
pgpVerifyWithSpecificKeysAndDecrypt.setKeyFileName(keyfileName);
pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyFileName(signatgureKeyfileName);
-
pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyUserids(expectedSigUserIds);
// if you have only one signer identity then you can also use
setSignatureKeyUserid("expected Signer")
-Â
-from("direct:start")
+
pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyUserids(expectedSigUserIds);
// if you have only one signer identity then you can also use
setSignatureKeyUserid("expected Signer")
+ 
+from("direct:start")
...
.unmarshal(pgpVerifyWithSpecificKeysAndDecrypt)
- ... ]]></script>
-</div></div><ul><li>If the PGP content has several signatures the verification
is successful as soon as one signature can be verified.</li><li>If you do not
want to restrict the signer identities for verification then do not specify the
signature key User IDs. In this case all public keys in the public keyring are
taken into account.</li></ul><h3
id="Crypto-SeveralSignaturesinOnePGPDataFormat">Several Signatures in One PGP
Data Format</h3><p>Since <strong>Camel 2.12.3.</strong></p><p>The PGP
specification allows that one PGP data format can contain several signatures
from different keys. Since Camel 2.13.3 it is possible to create such kind of
PGP content via specifying signature User IDs which relate to several private
keys in the secret keyring.</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>Several Signatures</b></div><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[ PGPDataFormat
pgpSignAndEncryptSeveralSignerKeys = new PGPDataFormat();
+ ... </plain-text-body><ul><li>If the PGP content has several
signatures the verification is successful as soon as one signature can be
verified.</li><li>If you do not want to restrict the signer identities for
verification then do not specify the signature key User IDs. In this case all
public keys in the public keyring are taken into account.</li></ul><h3
id="Crypto-SeveralSignaturesinOnePGPDataFormat">Several Signatures in One PGP
Data Format</h3><p>Since <strong>Camel 2.12.3.</strong></p><p>The PGP
specification allows that one PGP data format can contain several signatures
from different keys. Since Camel 2.13.3 it is possible to create such kind of
PGP content via specifying signature User IDs which relate to several private
keys in the secret keyring.</p><parameter
ac:name="language">java</parameter><parameter ac:name="title">Several
Signatures</parameter><plain-text-body> PGPDataFormat
pgpSignAndEncryptSeveralSignerKeys = new PGPDataFormat();
pgpSignAndEncryptSeveralSignerKeys.setKeyUserid(keyUserid); // for
encrypting, you can also use setKeyUserids if you want to encrypt with several
keys
pgpSignAndEncryptSeveralSignerKeys.setKeyFileName(keyfileName);
pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyFileName(signatgureKeyfileName);
- pgpSignAndEncryptSeveralSignerKeys.setSignaturePassword("sdude");
// here we assume that all private keys have the same password, if this is not
the case then you can use setPassphraseAccessor
+ pgpSignAndEncryptSeveralSignerKeys.setSignaturePassword("sdude"); // here we
assume that all private keys have the same password, if this is not the case
then you can use setPassphraseAccessor
List<String> signerUserIds = new ArrayList<String>();
- signerUserIds.add("company old key");
- signerUserIds.add("company new key");
+ signerUserIds.add("company old key");
+ signerUserIds.add("company new key");
pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyUserids(signerUserIds);
-Â
-from("direct:start")
+ 
+from("direct:start")
...
.marshal(pgpSignAndEncryptSeveralSignerKeys)
- ... ]]></script>
[... 15 lines stripped ...]
