Chapter 71. Crypto (JCE) Component

Available as of Camel version 2.3

With Camel cryptographic endpoints and Java’s Cryptographic extension it is easy to create Digital Signatures for Exchanges. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange’s workflow and then verify the signature in a later part of the workflow.

Maven users will need to add the following dependency to their pom.xml for this component:

<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-crypto</artifactId>
    <version>x.x.x</version>
    <!-- use the same version as your Camel core version -->
</dependency>

71.1. Introduction

Digital signatures make use of Asymmetric Cryptographic techniques to sign messages. From a (very) high level, the algorithms use pairs of complimentary keys with the special property that data encrypted with one key can only be decrypted with the other. One, the private key, is closely guarded and used to 'sign' the message while the other, public key, is shared around to anyone interested in verifying the signed messages. Messages are signed by using the private key to encrypting a digest of the message. This encrypted digest is transmitted along with the message. On the other side the verifier recalculates the message digest and uses the public key to decrypt the the digest in the signature. If both digests match the verifier knows only the holder of the private key could have created the signature.

Camel uses the Signature service from the Java Cryptographic Extension to do all the heavy cryptographic lifting required to create exchange signatures. The following are some excellent resources for explaining the mechanics of Cryptography, Message digests and Digital Signatures and how to leverage them with the JCE.

  • Bruce Schneier’s Applied Cryptography
  • Beginning Cryptography with Java by David Hook
  • The ever insightful Wikipedia Digital_signatures

71.2. URI format

As mentioned Camel provides a pair of crypto endpoints to create and verify signatures

crypto:sign:name[?options]
crypto:verify:name[?options]
  • crypto:sign creates the signature and stores it in the Header keyed by the constant org.apache.camel.component.crypto.DigitalSignatureConstants.SIGNATURE, i.e. "CamelDigitalSignature".
  • crypto:verify will read in the contents of this header and do the verification calculation.

In order to correctly function, the sign and verify process needs a pair of keys to be shared, signing requiring a PrivateKey and verifying a PublicKey (or a Certificate containing one). Using the JCE it is very simple to generate these key pairs but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms.

Note a crypto:sign endpoint is typically defined in one route and the complimentary crypto:verify in another, though for simplicity in the examples they appear one after the other. It goes without saying that both signing and verifying should be configured identically.

71.3. Options

The Crypto (JCE) component supports 2 options which are listed below.

NameDescriptionDefaultType

configuration (advanced)

To use the shared DigitalSignatureConfiguration as configuration

 

DigitalSignature Configuration

resolveProperty Placeholders (advanced)

Whether the component should resolve property placeholders on itself when starting. Only properties which are of String type can use property placeholders.

true

boolean

The Crypto (JCE) endpoint is configured using URI syntax:

crypto:cryptoOperation:name

with the following path and query parameters:

71.3.1. Path Parameters (2 parameters):

NameDescriptionDefaultType

cryptoOperation

Required Set the Crypto operation from that supplied after the crypto scheme in the endpoint uri e.g. crypto:sign sets sign as the operation.

 

CryptoOperation

name

Required The logical name of this operation.

 

String

71.3.2. Query Parameters (19 parameters):

NameDescriptionDefaultType

algorithm (producer)

Sets the JCE name of the Algorithm that should be used for the signer.

SHA1WithDSA

String

alias (producer)

Sets the alias used to query the KeyStore for keys and link java.security.cert.Certificate Certificates to be used in signing and verifying exchanges. This value can be provided at runtime via the message header link org.apache.camel.component.crypto.DigitalSignatureConstantsKEYSTORE_ALIAS

 

String

certificateName (producer)

Sets the reference name for a PrivateKey that can be fond in the registry.

 

String

keystore (producer)

Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used.

 

KeyStore

keystoreName (producer)

Sets the reference name for a Keystore that can be fond in the registry.

 

String

privateKey (producer)

Set the PrivateKey that should be used to sign the exchange

 

PrivateKey

privateKeyName (producer)

Sets the reference name for a PrivateKey that can be fond in the registry.

 

String

provider (producer)

Set the id of the security provider that provides the configured Signature algorithm.

 

String

publicKeyName (producer)

references that should be resolved when the context changes

 

String

secureRandomName (producer)

Sets the reference name for a SecureRandom that can be fond in the registry.

 

String

signatureHeaderName (producer)

Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature'

 

String

bufferSize (advanced)

Set the size of the buffer used to read in the Exchange payload data.

2048

Integer

certificate (advanced)

Set the Certificate that should be used to verify the signature in the exchange based on its payload.

 

Certificate

clearHeaders (advanced)

Determines if the Signature specific headers be cleared after signing and verification. Defaults to true, and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset.

true

boolean

keyStoreParameters (advanced)

Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used.

 

KeyStoreParameters

publicKey (advanced)

Set the PublicKey that should be used to verify the signature in the exchange.

 

PublicKey

secureRandom (advanced)

Set the SecureRandom used to initialize the Signature service

 

SecureRandom

synchronous (advanced)

Sets whether synchronous processing should be strictly used, or Camel is allowed to use asynchronous processing (if supported).

false

boolean

password (security)

Sets the password used to access an aliased PrivateKey in the KeyStore.

 

String

71.4. Using

71.4.1. Raw keys

The most basic way to way to sign and verify an exchange is with a KeyPair as follows.

The same can be achieved with the Spring XML Extensions using references to keys

71.4.2. KeyStores and Aliases.

The JCE provides a very versatile keystore concept for housing pairs of private keys and certificates, keeping them encrypted and password protected. They can be retrieved by applying an alias to the retrieval APIs. There are a number of ways to get keys and Certificates into a keystore, most often this is done with the external 'keytool' application. This is a good example of using keytool to create a KeyStore with a self signed Cert and Private key.

The examples use a Keystore with a key and cert aliased by 'bob'. The password for the keystore and the key is 'letmein'

The following shows how to use a Keystore via the Fluent builders, it also shows how to load and initialize the keystore.

Again in Spring a ref is used to lookup an actual keystore instance.

71.4.3. Changing JCE Provider and Algorithm

Changing the Signature algorithm or the Security provider is a simple matter of specifying their names. You will need to also use Keys that are compatible with the algorithm you choose.

or

71.4.4. Changing the Signature Message Header

It may be desirable to change the message header used to store the signature. A different header name can be specified in the route definition as follows

or

71.4.5. Changing the buffersize

In case you need to update the size of the buffer…​

or

71.4.6. Supplying Keys dynamically.

When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may be neither feasible nor desirable. It would be useful to be able to specify signature keys dynamically on a per-exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this the signature mechanisms allow for keys to be supplied dynamically via the message headers below

  • Exchange.SIGNATURE_PRIVATE_KEY, "CamelSignaturePrivateKey"
  • Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT, "CamelSignaturePublicKeyOrCert"

or

Even better would be to dynamically supply a keystore alias. Again the alias can be supplied in a message header

  • Exchange.KEYSTORE_ALIAS, "CamelSignatureKeyStoreAlias"

or

The header would be set as follows

Exchange unsigned = getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setBody(payload);
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein".toCharArray());
template.send("direct:alias-sign", unsigned);
Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().copyFrom(unsigned.getOut());
signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
template.send("direct:alias-verify", signed);

71.5. See Also

  • Configuring Camel
  • Component
  • Endpoint
  • Getting Started