camel-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Franz Forsthofer (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache Camel > Crypto
Date Wed, 23 Oct 2013 09:44:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/de/2176/1/1/_/styles/combined.css?spaceKey=CAMEL&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CAMEL/Crypto">Crypto</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~forsthofer">Franz
Forsthofer</a>
    </h4>
        <br/>
                         <h4>Changes (8)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >| {{armored}} | {{boolean}} | {{false}}
| This option will cause PGP to base64 encode the encrypted text, making it available for
copy/paste, etc. | <br>| {{integrity}} | {{boolean}} | {{true}} | Adds an integrity
check/sign into the encryption file. | <br></td></tr>
            <tr><td class="diff-changed-lines" >| {{passphraseAccessor}} | [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java]
| {{null}} | *Since Camel 2.12.2*; provides passphrases corresponding to user Ids.  If no
passpharase can be found from the option {{password}} or {{signaturePassword}} and from the
headers {{CamelPGPDataFormatKeyPassword}} or {{CamelPGPDataFormatSignatureKeyPassword}} then
the passphrase is feteched from the passphrase accessor. You provide a bean which implements
the interface [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java].
A default implementation is given by [PGPPassphraseAccessorDefault|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java].
 The passphrase accessor is especially useful in the decrypt case; see chapter <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">&#39;Usaage</span>
<span class="diff-added-words"style="background-color: #dfd;">&#39;PGP Decrypting/Verifying</span>
of <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Passphrase
Accessor&#39;</span> <span class="diff-added-words"style="background-color: #dfd;">Messages
Encrypted/Signed by Different Private/Public Keys&#39;</span>  below. | <br></td></tr>
            <tr><td class="diff-unchanged" >{div} <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code}ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg{code}
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">h3.
Usage of PGP Passphrase Accessor <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
PGP Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public Keys <br></td></tr>
            <tr><td class="diff-unchanged" > <br>Since *Camel  2.12.2*.
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">A
PGP Data Formater can decrypt messages which have been encrypted by different public keys.
Just, provide the corresponding private keys in the secret keyring and the  passphrases in
the passphrase accessor. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">A
PGP Data Formater can decrypt/verify messages which have been encrypted by different public
keys or signed by different private keys. Just, provide the corresponding private keys in
the secret keyring, the corresponding public keys in the public keyring, and the  passphrases
in the passphrase accessor. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >PGPDataFormat pgpVerifyAndDecrypt
= new PGPDataFormat(); <br>pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor);
<br></td></tr>
            <tr><td class="diff-changed-lines" >// the method getSecKeyRing()
provides the secret keyring as byte array <span class="diff-added-words"style="background-color:
#dfd;">containing the private keys</span> <br></td></tr>
            <tr><td class="diff-unchanged" >pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing());
// alternatively you can use setKeyFileName(keyfileName) <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">//
the method getPublicKeyRing() provides the public keyring as byte array containing the public
keys <br>pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing());  // alternatively
you can use setSignatureKeyFileName(signatgureKeyfileName) <br></td></tr>
            <tr><td class="diff-unchanged" >// it is not necessary to specify
the User Id <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >* The functionality is especially
useful to support the key exchange. If you want to exchange the private key for decrypting
you can accept for a period of time messages which are either encrypted with the old or new
corresponding public key. <span class="diff-added-words"style="background-color: #dfd;">Or
if the sender wants to exchange his signer private key, you can accept for a period of time,
the old or new signer key.</span> <br></td></tr>
            <tr><td class="diff-unchanged" >* Technical background: The PGP encrypted
data contains a Key ID of the public key which was used to encrypt the data. This Key ID can
be used to locate the private key in the secret keyring to decrypt the data. The same mechanism
is also used to locate the public key for verifying a signature. Therefore you no longer must
specify User IDs for the unmarshaling.  <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h2><a name="Crypto-Crypto"></a>Crypto</h2>
<p><b>Available as of Camel 2.3</b><br/>
<b>PGP Available as of Camel 2.9</b></p>

<p>The Crypto <a href="/confluence/display/CAMEL/Data+Format" title="Data Format">Data
Format</a> integrates the Java Cryptographic Extension into Camel, allowing simple and
flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal
formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling
to mean decryption back to the original plaintext. This data format implements only symmetric
(shared-key) encryption and decyption.</p>

<h3><a name="Crypto-Options"></a>Options</h3>
<div class="confluenceTableSmall"><div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>algorithm</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>DES/CBC/PKCS5Padding</tt> </td>
<td class='confluenceTd'> The JCE algorithm name indicating the cryptographic algorithm
that will be used. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>algorithmParameterSpec</tt> </td>
<td class='confluenceTd'> <tt>java.security.spec.AlgorithmParameterSpec</tt>
</td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'>A JCE AlgorithmParameterSpec used to initialize the Cipher.
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>bufferSize</tt> </td>
<td class='confluenceTd'> <tt>Integer</tt> </td>
<td class='confluenceTd'> <tt>2048</tt> </td>
<td class='confluenceTd'> the size of the buffer used in the signature process. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>cryptoProvider</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> The name of the JCE Security Provider that should be used.
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>initializationVector</tt> </td>
<td class='confluenceTd'> <tt>byte[]</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> A byte array containing the Initialization Vector that will
be used to initialize the Cipher. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>inline</tt> </td>
<td class='confluenceTd'> <tt>boolean</tt> </td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> Flag indicating that the configured IV should be inlined into
the encrypted data stream. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>macAlgorithm</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> The JCE algorithm name indicating the Message Authentication
algorithm. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>shouldAppendHMAC</tt> </td>
<td class='confluenceTd'> <tt>boolean</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> Flag indicating that a Message Authentication Code should
be calculated and appended to the encrypted data.</td>
</tr>
</tbody></table>
</div>
</div>

<h3><a name="Crypto-BasicUsage"></a>Basic Usage</h3>
<p>At its most basic all that is required to encrypt/decrypt an exchange is a shared
secret key. If one or more instances of the Crypto data format are configured with this key
the format can be used to encrypt the payload in one route (or part of one) and decrypted
in another. For example, using the Java DSL as follows:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", generator.generateKey());

from("direct:basic-encryption")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(cryptoFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>In Spring the dataformat is configured first and then used in routes </p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"&gt;
  &lt;dataFormats&gt;
    &lt;crypto id="basic" algorithm="DES" keyRef="desKey" /&gt;
  &lt;/dataFormats&gt;
    ...
  &lt;route&gt;
    &lt;from uri="direct:basic-encryption" /&gt;
    &lt;marshal ref="basic" /&gt;
    &lt;to uri="mock:encrypted" /&gt;
    &lt;unmarshal ref="basic" /&gt;
    &lt;to uri="mock:unencrypted" /&gt;
  &lt;/route&gt;
&lt;/camelContext&gt;
</pre>
</div></div>

<h3><a name="Crypto-SpecifyingtheEncryptionAlgorithm"></a>Specifying the
Encryption Algorithm</h3>

<p>Changing the algorithm is a matter of supplying the JCE algorithm name. If you change
the algorithm you will need to use a compatible key.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", generator.generateKey());
cryptoFormat.setShouldAppendHMAC(true);
cryptoFormat.setMacAlgorithm("HmacMD5");

from("direct:hmac-algorithm")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(cryptoFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>A list of the available algorithms in Java 7 is available via the <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html"
class="external-link" rel="nofollow">Java Cryptography Architecture Standard Algorithm
Name Documentation</a>.</p>

<h3><a name="Crypto-SpecifyinganInitializationVector"></a>Specifying an
Initialization Vector</h3>

<p>Some crypto algorithms, particularly block algorithms, require configuration with
an initial block of data known as an Initialization Vector. In the JCE this is passed as an
AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat
you can configure it with a byte[] containing the required data e.g.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");
byte[] initializationVector = new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES/CBC/PKCS5Padding", generator.generateKey());
cryptoFormat.setInitializationVector(initializationVector);

from("direct:init-vector")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(cryptoFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>or with spring, suppling a reference to a byte[]</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;crypto id="initvector" algorithm="DES/CBC/PKCS5Padding" keyRef="desKey" initVectorRef="initializationVector"
/&gt;
]]></script>
</div></div>

<p>The same vector is required in both the encryption and decryption phases. As it is
not necessary to keep the IV a secret, the DataFormat allows for it to be inlined into the
encrypted data and subsequently read out in the decryption phase to initialize the Cipher.
To inline the IV set the /oinline flag.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");
byte[] initializationVector = new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
SecretKey key = generator.generateKey();

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES/CBC/PKCS5Padding", key);
cryptoFormat.setInitializationVector(initializationVector);
cryptoFormat.setShouldInlineInitializationVector(true);
CryptoDataFormat decryptFormat = new CryptoDataFormat("DES/CBC/PKCS5Padding", key);
decryptFormat.setShouldInlineInitializationVector(true);

from("direct:inline")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(decryptFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>or with spring.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;crypto id="inline" algorithm="DES/CBC/PKCS5Padding" keyRef="desKey" initVectorRef="initializationVector"
  inline="true" /&gt;
&lt;crypto id="inline-decrypt" algorithm="DES/CBC/PKCS5Padding" keyRef="desKey" inline="true"
/&gt;
]]></script>
</div></div>

<p>For more information of the use of Initialization Vectors, consult</p>

<ul>
	<li><a href="http://en.wikipedia.org/wiki/Initialization_vector" class="external-link"
rel="nofollow">http://en.wikipedia.org/wiki/Initialization_vector</a></li>
	<li><a href="http://www.herongyang.com/Cryptography/" class="external-link" rel="nofollow">http://www.herongyang.com/Cryptography/</a></li>
	<li><a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation" class="external-link"
rel="nofollow">http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation</a></li>
</ul>


<h3><a name="Crypto-HashedMessageAuthenticationCodes%28HMAC%29"></a>Hashed
Message Authentication Codes (HMAC)</h3>

<p>To avoid attacks against the encrypted data while it is in transit the CryptoDataFormat
can also calculate a Message Authentication Code for the encrypted exchange contents based
on a configurable MAC algorithm. The calculated HMAC is appended to the stream after encryption.
It is separated from the stream in the decryption phase. The MAC is recalculated and verified
against the transmitted version to insure nothing was tampered with in transit.For more information
on Message Authentication Codes see <a href="http://en.wikipedia.org/wiki/HMAC" class="external-link"
rel="nofollow">http://en.wikipedia.org/wiki/HMAC</a></p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", generator.generateKey());
cryptoFormat.setShouldAppendHMAC(true);

from("direct:hmac")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(cryptoFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>or with spring.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;crypto id="hmac" algorithm="DES" keyRef="desKey" shouldAppendHMAC="true" /&gt;
]]></script>
</div></div>

<p>By default the HMAC is calculated using the HmacSHA1 mac algorithm though this can
be easily changed by supplying a different algorithm name. See <a href="/confluence/pages/createpage.action?spaceKey=CAMEL&amp;title=here&amp;linkCreation=true&amp;fromPageId=17268915"
class="createlink">here</a> for how to check what algorithms are available through
the configured security providers</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
KeyGenerator generator = KeyGenerator.getInstance("DES");

CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", generator.generateKey());
cryptoFormat.setShouldAppendHMAC(true);
cryptoFormat.setMacAlgorithm("HmacMD5");

from("direct:hmac-algorithm")
    .marshal(cryptoFormat)
    .to("mock:encrypted")
    .unmarshal(cryptoFormat)
    .to("mock:unencrypted");
]]></script>
</div></div>

<p>or with spring.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;crypto id="hmac-algorithm" algorithm="DES" keyRef="desKey" macAlgorithm="HmacMD5"
shouldAppendHMAC="true" /&gt;
]]></script>
</div></div>

<h3><a name="Crypto-SupplyingKeysDynamically"></a>Supplying Keys Dynamically</h3>

<p>When using a Recipient list or similar EIP the recipient of an exchange can vary
dynamically. Using the same key across all recipients may neither be feasible or desirable.
It would be useful to be able to specify keys dynamically on a per exchange basis. The exchange
could then be dynamically enriched with the key of its target recipient before being processed
by the data format. To facilitate this the DataFormat allow for keys to be supplied dynamically
via the message headers below </p>

<ul>
	<li><tt>CryptoDataFormat.KEY</tt> <tt>"CamelCryptoKey"</tt></li>
</ul>


<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
CryptoDataFormat cryptoFormat = new CryptoDataFormat("DES", null);
/**
 * Note: the header containing the key should be cleared after
 * marshalling to stop it from leaking by accident and
 * potentially being compromised. The processor version below is
 * arguably better as the key is left in the header when you use
 * the DSL leaks the fact that camel encryption was used.
 */
from("direct:key-in-header-encrypt")
    .marshal(cryptoFormat)
    .removeHeader(CryptoDataFormat.KEY)
    .to("mock:encrypted");

from("direct:key-in-header-decrypt").unmarshal(cryptoFormat).process(new Processor() {
    public void process(Exchange exchange) throws Exception {
        exchange.getIn().getHeaders().remove(CryptoDataFormat.KEY);
        exchange.getOut().copyFrom(exchange.getIn());
    }
}).to("mock:unencrypted");
]]></script>
</div></div>

<p>or with spring.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;crypto id="nokey" algorithm="DES" /&gt;
]]></script>
</div></div>

<h3><a name="Crypto-PGPDataFormatOptions"></a>PGPDataFormat Options</h3>
<div class="confluenceTableSmall"><div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>keyUserid</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> The userid of the key in the PGP keyring. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>password</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> Password used when opening the private key (not used for encryption).
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>keyFileName</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> Filename of the keyring; must be accessible as a classpath
resource (but you can specify a location in the file system by using the "file:" prefix).
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>encryptionKeyRing</tt> </td>
<td class='confluenceTd'> <tt>byte[]</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since camel 2.12.1</b>; encryption keyring;
you can not set the keyFileName and encryptionKeyRing at the same time. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>signatureKeyUserid</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; optional userid of
the key in the PGP keyring to use for signing (during encryption) or signature verification
(during decryption) .</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>signaturePassword</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; optional password used
when opening the private key used for signing (during encryption). </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>signatureKeyFileName</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; optional filename of
the keyring to use for signing (during encryption) or for signature verification (during decryption);
must be accessible as a classpath resource (but you can specify a location in the file system
by using the "file:" prefix). </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>signatureKeyRing</tt> </td>
<td class='confluenceTd'> <tt>byte[]</tt> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since camel 2.12.1</b>; signature keyring;
you can not set the signatureKeyFileName and signatureKeyRing at the same time. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>algorithm</tt> </td>
<td class='confluenceTd'> <tt>int</tt> </td>
<td class='confluenceTd'> <tt>SymmetricKeyAlgorithmTags.CAST5</tt> </td>
<td class='confluenceTd'> <b>Since camel 2.12.2</b>; symmetric key encryption
algorithm; possible values are defined in <tt>org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags</tt>;
for example 2 (= TRIPLE DES), 3 (= CAST5), 4 (= BLOWFISH), 6 (= DES), 7 (= AES_128). Only
relevant for encrypting. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>hashAlgorithm</tt> </td>
<td class='confluenceTd'> <tt>int</tt> </td>
<td class='confluenceTd'> <tt>HashAlgorithmTags.SHA1</tt> </td>
<td class='confluenceTd'> <b>Since camel 2.12.2</b>: signature hash algorithm;
possible values are defined in <tt>org.bouncycastle.bcpg.HashAlgorithmTags</tt>;
for example 2 (= SHA1), 8 (= SHA256), 9 (= SHA384), 10 (= SHA512), 11 (=SHA224). Only relevant
for signing. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>armored</tt> </td>
<td class='confluenceTd'> <tt>boolean</tt> </td>
<td class='confluenceTd'> <tt>false</tt> </td>
<td class='confluenceTd'> This option will cause PGP to base64 encode the encrypted
text, making it available for copy/paste, etc. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>integrity</tt> </td>
<td class='confluenceTd'> <tt>boolean</tt> </td>
<td class='confluenceTd'> <tt>true</tt> </td>
<td class='confluenceTd'> Adds an integrity check/sign into the encryption file. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>passphraseAccessor</tt> </td>
<td class='confluenceTd'> <a href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java"
class="external-link" rel="nofollow">PGPPassphraseAccessor</a> </td>
<td class='confluenceTd'> <tt>null</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.12.2</b>; provides passphrases
corresponding to user Ids.  If no passpharase can be found from the option <tt>password</tt>
or <tt>signaturePassword</tt> and from the headers <tt>CamelPGPDataFormatKeyPassword</tt>
or <tt>CamelPGPDataFormatSignatureKeyPassword</tt> then the passphrase is feteched
from the passphrase accessor. You provide a bean which implements the interface <a href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java"
class="external-link" rel="nofollow">PGPPassphraseAccessor</a>. A default implementation
is given by <a href="https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java"
class="external-link" rel="nofollow">PGPPassphraseAccessorDefault</a>.  The passphrase
accessor is especially useful in the decrypt case; see chapter 'PGP Decrypting/Verifying of
Messages Encrypted/Signed by Different Private/Public Keys'  below. </td>
</tr>
</tbody></table>
</div>
</div>

<h3><a name="Crypto-PGPDataFormatMessageHeaders"></a>PGPDataFormat Message
Headers</h3>
<p>You can override the PGPDataFormat options by applying below headers into message
dynamically.</p>

<div class="confluenceTableSmall"></div>
<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Name </th>
<th class='confluenceTh'> Type </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatKeyFileName</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; filename of the keyring;
will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatEncryptionKeyRing</tt> </td>
<td class='confluenceTd'> <tt>byte[]</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.12.1</b>; the encryption keyring;
will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatKeyUserid</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; the userid of the key
in the PGP keyring; will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatKeyPassword</tt> </td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; password used when
opening the private key; will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatSignatureKeyFileName</tt>
</td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; filename of the signature
keyring; will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatSignatureKeyRing</tt> </td>
<td class='confluenceTd'> <tt>byte[]</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.12.1</b>; the signature keyring;
will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatSignatureKeyUserid</tt>
</td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; the userid of the signature
key in the PGP keyring; will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatSignatureKeyPassword</tt>
</td>
<td class='confluenceTd'> <tt>String</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.11.0</b>; password used when
opening the signature private key; will override existing setting directly on the PGPDataFormat.
</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatEncryptionAlgorithm</tt>
</td>
<td class='confluenceTd'> <tt>int</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.12.2</b>; symmetric key encryption
algorithm; will override existing setting directly on the PGPDataFormat. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>CamelPGPDataFormatSignatureHashAlgorithm</tt>
</td>
<td class='confluenceTd'> <tt>int</tt> </td>
<td class='confluenceTd'> <b>Since Camel 2.12.2</b>; signature hash algorithm;
will override existing setting directly on the PGPDataFormat. </td>
</tr>
</tbody></table>
</div>


<h3><a name="Crypto-EncryptingwithPGPDataFormat"></a>Encrypting with PGPDataFormat</h3>

<p>The following sample uses the popular PGP format for encrypting/decrypting files
using the <a href="http://www.bouncycastle.org/java.html" class="external-link" rel="nofollow">Bouncy
Castle Java libraries</a>:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
// Public Key FileName
String keyFileName = getKeyFileName();
// Private Key FileName
String keyFileNameSec = getKeyFileNameSec();
// Keyring Userid Used to Encrypt
String keyUserid = getKeyUserId();
// Private key password
String keyPassword = getKeyPassword();

from("direct:inline")
        .marshal().pgp(keyFileName, keyUserid)
        .to("mock:encrypted")
        .unmarshal().pgp(keyFileNameSec, keyUserid, keyPassword)
        .to("mock:unencrypted");
]]></script>
</div></div>

<p>The following sample performs signing + encryption, and then signature verification
+ decryption. It uses the same keyring for both signing and encryption, but you can obviously
use different keys:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: java; gutter: false"><![CDATA[
PGPDataFormat pgpSignAndEncrypt = new PGPDataFormat();
pgpSignAndEncrypt.setKeyFileName(keyFileName);
pgpSignAndEncrypt.setKeyUserid(keyUserid);
pgpSignAndEncrypt.setSignatureKeyFileName(keyFileNameSec);
pgpSignAndEncrypt.setSignatureKeyUserid(keyUserid);
pgpSignAndEncrypt.setSignaturePassword(keyPassword);

PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
pgpVerifyAndDecrypt.setKeyFileName(keyFileNameSec);
pgpVerifyAndDecrypt.setKeyUserid(keyUserid);
pgpVerifyAndDecrypt.setPassword(keyPassword);
pgpVerifyAndDecrypt.setSignatureKeyFileName(keyFileName);
pgpVerifyAndDecrypt.setSignatureKeyUserid(keyUserid);

from("direct:inline-sign")
        .marshal(pgpSignAndEncrypt)
        .to("mock:encrypted")
        .unmarshal(pgpVerifyAndDecrypt)
        .to("mock:unencrypted");
]]></script>
</div></div>

<p>Or using Spring:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<script type="syntaxhighlighter" class="theme: Default; brush: xml; gutter: false"><![CDATA[
&lt;dataFormats&gt;
  &lt;!-- will load the file from classpath by default, but you can prefix with file:
to load from file system --&gt;
  &lt;pgp id="encrypt" keyFileName="org/apache/camel/component/crypto/pubring.gpg"
       keyUserid="sdude@nowhere.net"/&gt;
  &lt;pgp id="decrypt" keyFileName="org/apache/camel/component/crypto/secring.gpg"
       keyUserid="sdude@nowhere.net" password="sdude"/&gt;
&lt;/dataFormats&gt;

&lt;route&gt;
  &lt;from uri="direct:inline"/&gt;
  &lt;marshal ref="encrypt"/&gt;
  &lt;to uri="mock:encrypted"/&gt;
  &lt;unmarshal ref="decrypt"/&gt;
  &lt;to uri="mock:unencrypted"/&gt;
&lt;/route&gt;
]]></script>
</div></div>

<h4><a name="Crypto-Toworkwiththepreviousexampleyouneedthefollowing"></a>To
work with the previous example you need the following</h4>
<ul>
	<li>A public keyring file which contains the public keys used to encrypt the data</li>
	<li>A private keyring file which contains the keys used to decrypt the data</li>
	<li>The keyring password</li>
</ul>


<h4><a name="Crypto-Managingyourkeyring"></a>Managing your keyring</h4>
<p>To manage the keyring, I use the command line tools, I find this to be the simplest
approach in managing the keys. There are also Java libraries available from <a href="http://www.bouncycastle.org/java.html"
class="external-link" rel="nofollow">http://www.bouncycastle.org/java.html</a> if
you would prefer to do it that way.</p>

<ol>
	<li>Install the command line utilities on linux
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">apt-get install gnupg</pre>
</div></div></li>
	<li>Create your keyring, entering a secure password
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">gpg --gen-key</pre>
</div></div></li>
	<li>If you need to import someone elses public key so that you can encrypt a file for
them.
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">gpg --import &lt;filename.key</pre>
</div></div></li>
	<li>The following files should now exist and can be used to run the example
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg</pre>
</div></div></li>
</ol>


<h3><a name="Crypto-PGPDecrypting%2FVerifyingofMessagesEncrypted%2FSignedbyDifferentPrivate%2FPublicKeys"></a>PGP
Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public Keys</h3>

<p>Since <b>Camel  2.12.2</b>.</p>

<p>A PGP Data Formater can decrypt/verify messages which have been encrypted by different
public keys or signed by different private keys. Just, provide the corresponding private keys
in the secret keyring, the corresponding public keys in the public keyring, and the  passphrases
in the passphrase accessor.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
Map&lt;String, String&gt; userId2Passphrase = new HashMap&lt;String, String&gt;(2);
// add passphrases of several private keys whose corresponding public keys have been used
to encrypt the messages
userId2Passphrase.put("key1","passphrase1");
userId2Passphrase.put("key2","passphrase2");
PGPPassphraseAccessor passphraseAccessor = new PGPPassphraseAccessorDefault(userId2Passphrase);

PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor);
// the method getSecKeyRing() provides the secret keyring as byte array containing the private
keys
pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setKeyFileName(keyfileName)
// the method getPublicKeyRing() provides the public keyring as byte array containing the
public keys
pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing());  // alternatively you can use
setSignatureKeyFileName(signatgureKeyfileName)
// it is not necessary to specify the User Id
 
from("direct:start")
         ...     
        .unmarshal(pgpVerifyAndDecrypt) // can decrypt/verify messages encrypted/signed by
different private/public keys
        ...            
</pre>
</div></div>

<ul>
	<li>The functionality is especially useful to support the key exchange. If you want
to exchange the private key for decrypting you can accept for a period of time messages which
are either encrypted with the old or new corresponding public key. Or if the sender wants
to exchange his signer private key, you can accept for a period of time, the old or new signer
key.</li>
	<li>Technical background: The PGP encrypted data contains a Key ID of the public key
which was used to encrypt the data. This Key ID can be used to locate the private key in the
secret keyring to decrypt the data. The same mechanism is also used to locate the public key
for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling.</li>
</ul>


<h3><a name="Crypto-Dependencies"></a>Dependencies</h3>

<p>To use the <a href="/confluence/display/CAMEL/Crypto" title="Crypto">Crypto</a>
dataformat in your camel routes you need to add the following dependency to your pom.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: xml; gutter: false" style="font-size:12px; font-family:
ConfluenceInstalledFont,monospace;">
&lt;dependency&gt;
  &lt;groupId&gt;org.apache.camel&lt;/groupId&gt;
  &lt;artifactId&gt;camel-crypto&lt;/artifactId&gt;
  &lt;version&gt;x.x.x&lt;/version&gt;
  &lt;!-- use the same version as your Camel core version --&gt;
&lt;/dependency&gt;
</pre>
</div></div>


<h3><a name="Crypto-SeeAlso"></a>See Also</h3>
<ul>
	<li><a href="/confluence/display/CAMEL/Data+Format" title="Data Format">Data
Format</a></li>
	<li><a href="/confluence/display/CAMEL/Crypto+%28Digital+Signatures%29" title="Crypto
(Digital Signatures)">Crypto &#40;Digital Signatures&#41;</a></li>
	<li><a href="http://www.bouncycastle.org/java.html" class="external-link" rel="nofollow">http://www.bouncycastle.org/java.html</a></li>
</ul>

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CAMEL">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action">Change
email notification preferences</a>
</div>
        <a href="https://cwiki.apache.org/confluence/display/CAMEL/Crypto">View Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=17268915&revisedVersion=36&originalVersion=35">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message