Modified: websites/production/camel/content/crypto-digital-signatures.html
==============================================================================
--- websites/production/camel/content/crypto-digital-signatures.html (original)
+++ websites/production/camel/content/crypto-digital-signatures.html Fri Aug 25
09:20:43 2017
@@ -36,17 +36,6 @@
<![endif]-->
- <link href='//camel.apache.org/styles/highlighter/styles/shCoreCamel.css'
rel='stylesheet' type='text/css' />
- <link href='//camel.apache.org/styles/highlighter/styles/shThemeCamel.css'
rel='stylesheet' type='text/css' />
- <script src='//camel.apache.org/styles/highlighter/scripts/shCore.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushJava.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushXml.js'
type='text/javascript'></script>
- <script src='//camel.apache.org/styles/highlighter/scripts/shBrushPlain.js'
type='text/javascript'></script>
-
- <script type="text/javascript">
- SyntaxHighlighter.defaults['toolbar'] = false;
- SyntaxHighlighter.all();
- </script>
<title>
Apache Camel: Crypto (Digital Signatures)
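Review bot: dropping `shCore.js`, the three `shBrush*.js` files and the `SyntaxHighlighter.all()` call is only safe if the generated page no longer contains `<script type="syntaxhighlighter">` blocks; a browser renders nothing for a script element with an unknown type, so any code panel still using that markup disappears rather than merely losing its styling. The second hunk of this same commit does not replace those panels with static `<pre>` or `<div class="code panel pdl">` markup but with `<plain-text-body>` elements and unexpanded `{snippet:...}` macros, so nothing on the page is left to render code either way. Either keep these includes until the export emits rendered HTML for the code panels, or fix the export first and commit this removal together with it.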
@@ -86,154 +75,24 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h2
id="Crypto(DigitalSignatures)-CryptocomponentforDigitalSignatures">Crypto
component for Digital Signatures</h2><p><strong>Available as of Camel
2.3</strong></p><p>With Camel cryptographic endpoints and Java's Cryptographic
extension it is easy to create Digital Signatures for <a shape="rect"
href="exchange.html">Exchange</a>s. Camel provides a pair of flexible endpoints
which get used in concert to create a signature for an exchange in one part of
the exchange's workflow and then verify the signature in a later part of the
workflow.</p><p>Maven users will need to add the following dependency to their
<code>pom.xml</code> for this component:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[<dependency>
+<div class="wiki-content maincontent"><h2
id="Crypto(DigitalSignatures)-CryptocomponentforDigitalSignatures">Crypto
component for Digital Signatures</h2><p><strong>Available as of Camel
2.3</strong></p><p>With Camel cryptographic endpoints and Java's Cryptographic
extension it is easy to create Digital Signatures for <a shape="rect"
href="exchange.html">Exchange</a>s. Camel provides a pair of flexible endpoints
which get used in concert to create a signature for an exchange in one part of
the exchange's workflow and then verify the signature in a later part of the
workflow.</p><p>Maven users will need to add the following dependency to their
<code>pom.xml</code> for this component:</p><parameter
ac:name="">xml</parameter><plain-text-body><dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-crypto</artifactId>
<version>x.x.x</version>
<!-- use the same version as your Camel core version -->
</dependency>
-]]></script>
-</div></div><h3
id="Crypto(DigitalSignatures)-Introduction">Introduction</h3><p>Digital
signatures make use of Asymmetric Cryptographic techniques to sign messages.
From a (very) high level, the algorithms use pairs of complimentary keys with
the special property that data encrypted with one key can only be decrypted
with the other. One, the private key, is closely guarded and used to 'sign' the
message while the other, public key, is shared around to anyone interested in
verifying the signed messages. Messages are signed by using the private key to
encrypting a digest of the message. This encrypted digest is transmitted along
with the message. On the other side the verifier recalculates the message
digest and uses the public key to decrypt the the digest in the signature. If
both digests match the verifier knows only the holder of the private key could
have created the signature.</p><p>Camel uses the Signature service from the
Java Cryptographic Extension to do all the heavy crypto
graphic lifting required to create exchange signatures. The following are some
excellent resources for explaining the mechanics of Cryptography, Message
digests and Digital Signatures and how to leverage them with the JCE.</p><ul
class="alternate"><li>Bruce Schneier's Applied Cryptography</li><li>Beginning
Cryptography with Java by David Hook</li><li>The ever insightful Wikipedia <a
shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Digital_signature"
rel="nofollow">Digital_signatures</a></li></ul><h3
id="Crypto(DigitalSignatures)-URIformat">URI format</h3><p>As mentioned Camel
provides a pair of crypto endpoints to create and verify signatures</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[crypto:sign:name[?options]
+</plain-text-body><h3
id="Crypto(DigitalSignatures)-Introduction">Introduction</h3><p>Digital
signatures make use of Asymmetric Cryptographic techniques to sign messages.
From a (very) high level, the algorithms use pairs of complimentary keys with
the special property that data encrypted with one key can only be decrypted
with the other. One, the private key, is closely guarded and used to 'sign' the
message while the other, public key, is shared around to anyone interested in
verifying the signed messages. Messages are signed by using the private key to
encrypting a digest of the message. This encrypted digest is transmitted along
with the message. On the other side the verifier recalculates the message
digest and uses the public key to decrypt the the digest in the signature. If
both digests match the verifier knows only the holder of the private key could
have created the signature.</p><p>Camel uses the Signature service from the
Java Cryptographic Extension to do all the heavy
cryptographic lifting required to create exchange signatures. The following
are some excellent resources for explaining the mechanics of Cryptography,
Message digests and Digital Signatures and how to leverage them with the
JCE.</p><ul class="alternate"><li>Bruce Schneier's Applied
Cryptography</li><li>Beginning Cryptography with Java by David Hook</li><li>The
ever insightful Wikipedia <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Digital_signature"
rel="nofollow">Digital_signatures</a></li></ul><h3
id="Crypto(DigitalSignatures)-URIformat">URI format</h3><p>As mentioned Camel
provides a pair of crypto endpoints to create and verify
signatures</p><plain-text-body>crypto:sign:name[?options]
crypto:verify:name[?options]
-]]></script>
-</div></div><ul><li><code>crypto:sign</code> creates the signature and stores
it in the Header keyed by the constant
<code>org.apache.camel.component.crypto.DigitalSignatureConstants.SIGNATURE</code>,
i.e. <code>"CamelDigitalSignature"</code>.</li><li><code>crypto:verify</code>
will read in the contents of this header and do the verification
calculation.</li></ul><p>In order to correctly function, the sign and verify
process needs a pair of keys to be shared, signing requiring a
<code>PrivateKey</code> and verifying a <code>PublicKey</code> (or a
<code>Certificate</code> containing one). Using the JCE it is very simple to
generate these key pairs but it is usually most secure to use a KeyStore to
house and share your keys. The DSL is very flexible about how keys are supplied
and provides a number of mechanisms.</p><p>Note a <code>crypto:sign</code>
endpoint is typically defined in one route and the complimentary
<code>crypto:verify</code> in another, though for simplicity in the exa
mples they appear one after the other. It goes without saying that both
signing and verifying should be configured identically.</p><h3
id="Crypto(DigitalSignatures)-Options">Options</h3><div
class="confluenceTableSmall"><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>algorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>SHA1WithDSA</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The name of the JCE Signature algorithm
that will be used.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><cod
e>alias</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>null</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>An alias name that will be used to select a key from
the keystore.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>bufferSize</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>Integer</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>2048</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>the size of the buffer used in
the signature process.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>certificate</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>Certificate</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A Certificate
used to verify the signature of the exchange's payload. Either this or a
Public Key is required.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>keystore</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>KeyStore</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a JCE Keystore
that stores keys and certificates used to sign and verify.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">keyStoreParameters <strong>Camel
2.14.1</strong></td><td colspan="1" rowspan="1"
class="confluenceTd">KeyStoreParameters</td><td colspan="1" rowspan="1"
class="confluenceTd">null</td><td colspan="1" rowspan="1"
class="confluenceTd">A reference to a Camel KeyStoreParameters Object which
wraps a Java KeyStore Object</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>provider</code></p></td><td colspan="1" rowspan
="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The name of the JCE Security Provider that
should be used.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>privateKey</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>PrivateKey</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The private key used to sign
the exchange's payload.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>publicKey</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>PublicKey</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The public key used to verify
the signature of the exchange's payload.
</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>secureRandom</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>secureRandom</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
<code>SecureRandom</code> object that will be used to initialize the Signature
service.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>password</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>char[]</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The password to access the private key from
the keystore</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>clearHeaders</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td colspan="1"
rowspan
="1" class="confluenceTd"><p><code>true</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>Remove camel crypto headers from Message
after a verify operation (value can be
<code>"true"</code>/<code>"false"</code>).</p></td></tr></tbody></table></div></div>
-
-
-<h3 id="Crypto(DigitalSignatures)-Using">Using</h3><h4
id="Crypto(DigitalSignatures)-1)Rawkeys">1) Raw keys</h4><p>The most basic way
to way to sign and verify an exchange is with a KeyPair as follows.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:keypair").to("crypto:sign:basic?privateKey=#myPrivateKey",
"crypto:verify:basic?publicKey=#myPublicKey",
"mock:result");
-]]></script>
-</div></div>The same can be achieved with the <a shape="rect"
href="spring-xml-extensions.html">Spring XML Extensions</a> using references to
keys<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:keypair"/>
- <to uri="crypto:sign:basic?privateKey=#myPrivateKey" />
- <to uri="crypto:verify:basic?publicKey=#myPublicKey" />
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><h4 id="Crypto(DigitalSignatures)-2)KeyStoresandAliases.">2)
KeyStores and Aliases.</h4><p>The JCE provides a very versatile keystore
concept for housing pairs of private keys and certificates, keeping them
encrypted and password protected. They can be retrieved by applying an alias to
the retrieval APIs. There are a number of ways to get keys and Certificates
into a keystore, most often this is done with the external 'keytool'
application. <a shape="rect" class="external-link"
href="http://www.exampledepot.com/egs/java.security.cert/CreateCert.html"
rel="nofollow">This</a> is a good example of using keytool to create a KeyStore
with a self signed Cert and Private key.</p><p>The examples use a Keystore with
a key and cert aliased by 'bob'. The password for the keystore and the key is
'letmein'</p><p>The following shows how to use a Keystore via the Fluent
builders, it also shows how to load and initialize the keystore.</p><div
class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:keystore").to("crypto:sign:keystore?keystore=#keystore&alias=bob&password=letmein",
"crypto:verify:keystore?keystore=#keystore&alias=bob",
"mock:result");
-]]></script>
-</div></div>Again in Spring a ref is used to lookup an actual keystore
instance.<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:keystore"/>
- <to
uri="crypto:sign:keystore?keystore=#keystore&amp;alias=bob&amp;password=letmein"
/>
- <to
uri="crypto:verify:keystore?keystore=#keystore&amp;alias=bob"
/>
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><h4
id="Crypto(DigitalSignatures)-3)ChangingJCEProviderandAlgorithm">3) Changing
JCE Provider and Algorithm</h4><p>Changing the Signature algorithm or the
Security provider is a simple matter of specifying their names. You will need
to also use Keys that are compatible with the algorithm you choose.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-keyPair = getKeyPair("RSA");
-PrivateKey privateKey = keyPair.getPrivate();
-PublicKey publicKey = keyPair.getPublic();
-
-// we can set the keys explicitly on the endpoint instances.
-context.getEndpoint("crypto:sign:rsa?algorithm=MD5withRSA",
DigitalSignatureEndpoint.class).setPrivateKey(privateKey);
-context.getEndpoint("crypto:verify:rsa?algorithm=MD5withRSA",
DigitalSignatureEndpoint.class).setPublicKey(publicKey);
-from("direct:algorithm").to("crypto:sign:rsa?algorithm=MD5withRSA",
"crypto:verify:rsa?algorithm=MD5withRSA", "mock:result");
-]]></script>
-</div></div><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:provider").to("crypto:sign:provider?privateKey=#myPrivateKey&provider=SUN",
"crypto:verify:provider?publicKey=#myPublicKey&provider=SUN",
"mock:result");
-]]></script>
-</div></div>or<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:algorithm"/>
- <to
uri="crypto:sign:rsa?algorithm=MD5withRSA&amp;privateKey=#rsaPrivateKey"
/>
- <to
uri="crypto:verify:rsa?algorithm=MD5withRSA&amp;publicKey=#rsaPublicKey"
/>
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:provider"/>
- <to
uri="crypto:sign:provider?privateKey=#myPrivateKey&amp;provider=SUN"
/>
- <to
uri="crypto:verify:provider?publicKey=#myPublicKey&amp;provider=SUN"
/>
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><h4
id="Crypto(DigitalSignatures)-4)ChangingtheSignatureMessageHeader">4) Changing
the Signature Message Header</h4><p>It may be desirable to change the message
header used to store the signature. A different header name can be specified in
the route definition as follows</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:signature-header").to("crypto:sign:another?privateKey=#myPrivateKey&signatureHeader=AnotherDigitalSignature",
-
"crypto:verify:another?publicKey=#myPublicKey&signatureHeader=AnotherDigitalSignature",
"mock:result");
-]]></script>
-</div></div>or<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:signature-header"/>
- <to
uri="crypto:sign:another?privateKey=#myPrivateKey&amp;signatureHeaderName=AnotherDigitalSignature"
/>
- <to
uri="crypto:verify:another?publicKey=#myPublicKey&amp;signatureHeaderName=AnotherDigitalSignature"
/>
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><h4 id="Crypto(DigitalSignatures)-5)Changingthebuffersize">5)
Changing the buffersize</h4><p>In case you need to update the size of the
buffer...</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:buffersize").to("crypto:sign:buffer?privateKey=#myPrivateKey&buffersize=1024",
"crypto:verify:buffer?publicKey=#myPublicKey&buffersize=1024",
"mock:result");
-]]></script>
-</div></div>or<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:buffersize" />
- <to
uri="crypto:sign:buffer?privateKey=#myPrivateKey&amp;bufferSize=1024"
/>
- <to
uri="crypto:verify:buffer?publicKey=#myPublicKey&amp;bufferSize=1024"
/>
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div><h4 id="Crypto(DigitalSignatures)-6)SupplyingKeysdynamically.">6)
Supplying Keys dynamically.</h4><p>When using a Recipient list or similar EIP
the recipient of an exchange can vary dynamically. Using the same key across
all recipients may be neither feasible nor desirable. It would be useful to be
able to specify signature keys dynamically on a per-exchange basis. The
exchange could then be dynamically enriched with the key of its target
recipient prior to signing. To facilitate this the signature mechanisms allow
for keys to be supplied dynamically via the message headers
below</p><ul><li><code>Exchange.SIGNATURE_PRIVATE_KEY</code>,
<code>"CamelSignaturePrivateKey"</code></li><li><code>Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT</code>,
<code>"CamelSignaturePublicKeyOrCert"</code></li></ul><p></p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:headerkey-sign").to("crypto:sign:alias");
-from("direct:headerkey-verify").to("crypto:verify:alias",
"mock:result");
-]]></script>
-</div></div>or<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:headerkey-sign"/>
- <to uri="crypto:sign:headerkey" />
-</route>
-<route>
- <from uri="direct:headerkey-verify"/>
- <to uri="crypto:verify:headerkey" />
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div>Even better would be to dynamically supply a keystore alias. Again
the alias can be supplied in a message
header<ul><li><code>Exchange.KEYSTORE_ALIAS</code>,
<code>"CamelSignatureKeyStoreAlias"</code></li></ul><p></p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-from("direct:alias-sign").to("crypto:sign:alias?keystore=#keystore");
-from("direct:alias-verify").to("crypto:verify:alias?keystore=#keystore",
"mock:result");
-]]></script>
-</div></div>or<div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
-<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
-<route>
- <from uri="direct:alias-sign"/>
- <to uri="crypto:sign:alias?keystore=#keystore" />
-</route>
-<route>
- <from uri="direct:alias-verify"/>
- <to uri="crypto:verify:alias?keystore=#keystore" />
- <to uri="mock:result"/>
-</route>
-]]></script>
-</div></div>The header would be set as follows<div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="brush: java; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[Exchange unsigned =
getMandatoryEndpoint("direct:alias-sign").createExchange();
+</plain-text-body><ul><li><code>crypto:sign</code> creates the signature and
stores it in the Header keyed by the constant
<code>org.apache.camel.component.crypto.DigitalSignatureConstants.SIGNATURE</code>,
i.e. <code>"CamelDigitalSignature"</code>.</li><li><code>crypto:verify</code>
will read in the contents of this header and do the verification
calculation.</li></ul><p>In order to correctly function, the sign and verify
process needs a pair of keys to be shared, signing requiring a
<code>PrivateKey</code> and verifying a <code>PublicKey</code> (or a
<code>Certificate</code> containing one). Using the JCE it is very simple to
generate these key pairs but it is usually most secure to use a KeyStore to
house and share your keys. The DSL is very flexible about how keys are supplied
and provides a number of mechanisms.</p><p>Note a <code>crypto:sign</code>
endpoint is typically defined in one route and the complimentary
<code>crypto:verify</code> in another, though for simplicity in t
he examples they appear one after the other. It goes without saying that both
signing and verifying should be configured identically.</p><h3
id="Crypto(DigitalSignatures)-Options">Options</h3><parameter
ac:name="class">confluenceTableSmall</parameter><rich-text-body><div
class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Name</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Type</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Default</p></th><th colspan="1" rowspan="1"
class="confluenceTh"><p>Description</p></th></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>algorithm</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>SHA1WithDSA</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The name of the JCE Signature algorithm
that will be used.</p></td></tr><tr><td colsp
an="1" rowspan="1" class="confluenceTd"><p><code>alias</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>String</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>An alias name that will be used
to select a key from the keystore.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>bufferSize</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>Integer</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>2048</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>the size of the buffer used in
the signature process.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>certificate</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>Certificate</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" row
span="1" class="confluenceTd"><p>A Certificate used to verify the signature of
the exchange's payload. Either this or a Public Key is
required.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>keystore</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>KeyStore</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a JCE Keystore
that stores keys and certificates used to sign and verify.</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd">keyStoreParameters <strong>Camel
2.14.1</strong></td><td colspan="1" rowspan="1"
class="confluenceTd">KeyStoreParameters</td><td colspan="1" rowspan="1"
class="confluenceTd">null</td><td colspan="1" rowspan="1"
class="confluenceTd">A reference to a Camel KeyStoreParameters Object which
wraps a Java KeyStore Object</td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>
provider</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>null</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>The name of the JCE Security Provider that should be
used.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>privateKey</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>PrivateKey</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The private key used to sign
the exchange's payload.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>publicKey</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>PublicKey</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>The public key used to
verify the signature of the exchange's payload.</p></td></tr><tr><td
colspan="1" rowspan="1"
class="confluenceTd"><p><code>secureRandom</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>secureRandom</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>A reference to a
<code>SecureRandom</code> object that will be used to initialize the Signature
service.</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>password</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>char[]</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><code>null</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>The password to access the private key from
the keystore</p></td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>clearHeaders</code></p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p><cod
e>String</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p><code>true</code></p></td><td colspan="1" rowspan="1"
class="confluenceTd"><p>Remove camel crypto headers from Message after a verify
operation (value can be
<code>"true"</code>/<code>"false"</code>).</p></td></tr></tbody></table></div></rich-text-body><h3
id="Crypto(DigitalSignatures)-Using">Using</h3><h4
id="Crypto(DigitalSignatures)-1)Rawkeys">1) Raw keys</h4><p>The most basic way
to way to sign and verify an exchange is with a KeyPair as
follows.<plain-text-body>{snippet:id=basic|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>The
same can be achieved with the <a shape="rect"
href="spring-xml-extensions.html">Spring XML Extensions</a> using references to
keys<plain-text-body>{snippet:id=basic|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}
</plain-text-body></p><h4
id="Crypto(DigitalSignatures)-2)KeyStoresandAliases.">2) KeyStores and
Aliases.</h4><p>The JCE provides a very versatile keystore concept for housing
pairs of private keys and certificates, keeping them encrypted and password
protected. They can be retrieved by applying an alias to the retrieval APIs.
There are a number of ways to get keys and Certificates into a keystore, most
often this is done with the external 'keytool' application. <a shape="rect"
class="external-link"
href="http://www.exampledepot.com/egs/java.security.cert/CreateCert.html"
rel="nofollow">This</a> is a good example of using keytool to create a KeyStore
with a self signed Cert and Private key.</p><p>The examples use a Keystore with
a key and cert aliased by 'bob'. The password for the keystore and the key is
'letmein'</p><p>The following shows how to use a Keystore via the Fluent
builders, it also shows how to load and initialize the
keystore.<plain-text-body>{snippet:id=keystore|lang=
java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>Again
in Spring a ref is used to lookup an actual keystore
instance.<plain-text-body>{snippet:id=keystore|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body></p><h4
id="Crypto(DigitalSignatures)-3)ChangingJCEProviderandAlgorithm">3) Changing
JCE Provider and Algorithm</h4><p>Changing the Signature algorithm or the
Security provider is a simple matter of specifying their names. You will need
to also use Keys that are compatible with the algorithm you
choose.<plain-text-body>{snippet:id=algorithm|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body><plain-text-body>{snippet:id=provider|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/
SignatureTests.java}</plain-text-body>or<plain-text-body>{snippet:id=algorithm|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body><plain-text-body>{snippet:id=provider|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body></p><h4
id="Crypto(DigitalSignatures)-4)ChangingtheSignatureMessageHeader">4) Changing
the Signature Message Header</h4><p>It may be desirable to change the message
header used to store the signature. A different header name can be specified in
the route definition as
follows<plain-text-body>{snippet:id=signature-header|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>or<plain-text-body>{snippet:id=signature-header|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel
/component/crypto/SpringSignatureTests.xml}</plain-text-body></p><h4
id="Crypto(DigitalSignatures)-5)Changingthebuffersize">5) Changing the
buffersize</h4><p>In case you need to update the size of the
buffer...<plain-text-body>{snippet:id=buffersize|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>or<plain-text-body>{snippet:id=buffersize|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body></p><h4
id="Crypto(DigitalSignatures)-6)SupplyingKeysdynamically.">6) Supplying Keys
dynamically.</h4><p>When using a Recipient list or similar EIP the recipient of
an exchange can vary dynamically. Using the same key across all recipients may
be neither feasible nor desirable. It would be useful to be able to specify
signature keys dynamically on a per-exchange basis. The exchange could then be
dynamically enriched with
the key of its target recipient prior to signing. To facilitate this the
signature mechanisms allow for keys to be supplied dynamically via the message
headers below</p><ul><li><code>Exchange.SIGNATURE_PRIVATE_KEY</code>,
<code>"CamelSignaturePrivateKey"</code></li><li><code>Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT</code>,
<code>"CamelSignaturePublicKeyOrCert"</code></li></ul><p><plain-text-body>{snippet:id=headerkey|lang=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>or<plain-text-body>{snippet:id=headerkey|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body>Even
better would be to dynamically supply a keystore alias. Again the alias can be
supplied in a message header</p><ul><li><code>Exchange.KEYSTORE_ALIAS</code>,
<code>"CamelSignatureKeyStoreAlias"</code></li></ul><p><plain-text-body>{snippet:id=alias|lang
=java|url=camel/trunk/components/camel-crypto/src/test/java/org/apache/camel/component/crypto/SignatureTests.java}</plain-text-body>or<plain-text-body>{snippet:id=alias|lang=xml|url=camel/trunk/components/camel-crypto/src/test/resources/org/apache/camel/component/crypto/SpringSignatureTests.xml}</plain-text-body>The
header would be set as follows</p><plain-text-body>Exchange unsigned =
getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setBody(payload);
-unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS,
"bob");
-unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD,
"letmein".toCharArray());
-template.send("direct:alias-sign", unsigned);
-Exchange signed =
getMandatoryEndpoint("direct:alias-sign").createExchange();
+unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
+unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD,
"letmein".toCharArray());
+template.send("direct:alias-sign", unsigned);
+Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().copyFrom(unsigned.getOut());
-signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
-template.send("direct:alias-verify", signed);
-]]></script>
-</div></div><p></p><h3 id="Crypto(DigitalSignatures)-SeeAlso">See Also</h3>
-<ul><li><a shape="rect" href="configuring-camel.html">Configuring
Camel</a></li><li><a shape="rect"
href="component.html">Component</a></li><li><a shape="rect"
href="endpoint.html">Endpoint</a></li><li><a shape="rect"
href="getting-started.html">Getting Started</a></li></ul><ul><li><a
shape="rect" href="crypto.html">Crypto</a> Crypto is also available as a <a
shape="rect" href="data-format.html">Data Format</a></li></ul></div>
+signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
+template.send("direct:alias-verify", signed);
+</plain-text-body><p><parameter ac:name=""><a shape="rect"
href="endpoint-see-also.html">Endpoint See Also</a></parameter></p><ul><li><a
shape="rect" href="crypto.html">Crypto</a> Crypto is also available as a <a
shape="rect" href="data-format.html">Data Format</a></li></ul></div>
</td>
<td valign="top">
<div class="navigation">
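Review bot: the replacement lines swap rendered HTML for Confluence storage-format elements that a browser does not understand, so the generated page will regress. The removed `]]></script>` closed a syntax-highlighter block, but the added lines end the code sample with `</plain-text-body>`, which (together with the highlighter CSS/JS removed earlier in this diff) leaves the `Exchange unsigned = ...` sample rendered as unformatted inline text; the surrounding unprefixed lines likewise carry unexpanded `{snippet:id=...|lang=...|url=...}` macros. The removed `<h3 id="Crypto(DigitalSignatures)-SeeAlso">See Also</h3>` and its `<ul>` of links (Configuring Camel, Component, Endpoint, Getting Started) are replaced by `<parameter ac:name=""><a href="endpoint-see-also.html">Endpoint See Also</a></parameter>`, which will not render as that list; keep the heading and the rendered `<ul>` in the published HTML. Two smaller points on the sample itself: `+signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");` uses the unqualified constant while the sign side uses `DigitalSignatureConstants.KEYSTORE_ALIAS`, so either qualify both or show the static import; and the prose above lists only `Exchange.KEYSTORE_ALIAS` / `"CamelSignatureKeyStoreAlias"` as the header to set, while the sample also sets `DigitalSignatureConstants.KEYSTORE_PASSWORD`, so that header should be documented next to the alias one.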