Crypto (JCE)
Since Camel 2.3
Only producer is supported
With Camel cryptographic endpoints and Java’s Cryptographic extension, it is possible to create Digital Signatures for Exchanges. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange’s workflow and then verify the signature in a later part of the workflow.
Maven users will need to add the following dependency to their pom.xml
for this component:
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-crypto</artifactId>
<version>x.x.x</version>
<!-- use the same version as your Camel core version -->
</dependency>
Introduction
Digital signatures make use of Asymmetric Cryptographic techniques to sign messages. From a (very) high level, the algorithms use pairs of complimentary keys with the special property that data encrypted with one key can only be decrypted with the other. One, the private key, is closely guarded and used to 'sign' the message while the other, public key, is shared around to anyone interested in verifying the signed messages. Messages are signed by using the private key to encrypting a digest of the message. This encrypted digest is transmitted along with the message. On the other side, the verifier recalculates the message digest and uses the public key to decrypt the digest in the signature. If both digests match, the verifier knows only the holder of the private key could have created the signature.
Camel uses the Signature service from the Java Cryptographic Extension to do all the heavy cryptographic lifting required to create exchange signatures. The following are some excellent resources for explaining the mechanics of Cryptography, Message digests and Digital Signatures and how to leverage them with the JCE.
-
Bruce Schneier’s Applied Cryptography
-
Beginning Cryptography with Java by David Hook
-
The ever insightful Wikipedia Digital_signatures
URI format
As mentioned, Camel provides a pair of crypto endpoints to create and verify signatures
crypto:sign:name[?options] crypto:verify:name[?options]
-
crypto:sign
creates the signature and stores it in the Header keyed by the constantorg.apache.camel.component.crypto.DigitalSignatureConstants.SIGNATURE
, i.e.,"CamelDigitalSignature"
. -
crypto:verify
will read in the contents of this header and do the verification calculation.
To correctly function, the sign and verify process needs a pair of keys to be shared, signing requiring a PrivateKey
and verifying a PublicKey
(or a Certificate
containing one). Using the JCE it is very simple to generate these key pairs, but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms.
Note a crypto:sign
endpoint is typically defined in one route and the complimentary crypto:verify
in another, though for simplicity in the examples they appear one after the other. It goes without saying that both signing and verifying should be configured identically.
Configuring Options
Camel components are configured on two separate levels:
-
component level
-
endpoint level
Configuring Component Options
At the component level, you set general and shared configurations that are, then, inherited by the endpoints. It is the highest configuration level.
For example, a component may have security settings, credentials for authentication, urls for network connection and so forth.
Some components only have a few options, and others may have many. Because components typically have pre-configured defaults that are commonly used, then you may often only need to configure a few options on a component; or none at all.
You can configure components using:
-
the Component DSL.
-
in a configuration file (
application.properties
,*.yaml
files, etc). -
directly in the Java code.
Configuring Endpoint Options
You usually spend more time setting up endpoints because they have many options. These options help you customize what you want the endpoint to do. The options are also categorized into whether the endpoint is used as a consumer (from), as a producer (to), or both.
Configuring endpoints is most often done directly in the endpoint URI as path and query parameters. You can also use the Endpoint DSL and DataFormat DSL as a type safe way of configuring endpoints and data formats in Java.
A good practice when configuring options is to use Property Placeholders.
Property placeholders provide a few benefits:
-
They help prevent using hardcoded urls, port numbers, sensitive information, and other settings.
-
They allow externalizing the configuration from the code.
-
They help the code to become more flexible and reusable.
The following two sections list all the options, firstly for the component followed by the endpoint.
Component Options
The Crypto (JCE) component supports 21 options, which are listed below.
Name | Description | Default | Type |
---|---|---|---|
Sets the JCE name of the Algorithm that should be used for the signer. | SHA256withRSA | String | |
Sets the alias used to query the KeyStore for keys and \{link java.security.cert.Certificate Certificates} to be used in signing and verifying exchanges. This value can be provided at runtime via the message header org.apache.camel.component.crypto.DigitalSignatureConstants#KEYSTORE_ALIAS. | String | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. | KeyStore | ||
Sets the reference name for a Keystore that can be found in the registry. | String | ||
Whether the producer should be started lazy (on the first message). By starting lazy you can use this to allow CamelContext and routes to startup in situations where a producer may otherwise fail during starting and cause the route to fail being started. By deferring this startup to be lazy then the startup failure can be handled during routing messages via Camel’s routing error handlers. Beware that when the first message is processed then creating and starting the producer may take a little time and prolong the total processing time of the processing. | false | boolean | |
Set the PrivateKey that should be used to sign the exchange. | PrivateKey | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Set the id of the security provider that provides the configured Signature algorithm. | String | ||
references that should be resolved when the context changes. | String | ||
Sets the reference name for a SecureRandom that can be found in the registry. | String | ||
Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature'. | String | ||
Whether autowiring is enabled. This is used for automatic autowiring options (the option must be marked as autowired) by looking up in the registry to find if there is a single instance of matching type, which then gets configured on the component. This can be used for automatic configuring JDBC data sources, JMS connection factories, AWS Clients, etc. | true | boolean | |
Set the size of the buffer used to read in the Exchange payload data. | 2048 | Integer | |
Set the Certificate that should be used to verify the signature in the exchange based on its payload. | Certificate | ||
Determines if the Signature specific headers be cleared after signing and verification. Defaults to true, and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset. | true | boolean | |
To use the shared DigitalSignatureConfiguration as configuration. | DigitalSignatureConfiguration | ||
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. | KeyStoreParameters | ||
Set the PublicKey that should be used to verify the signature in the exchange. | PublicKey | ||
Set the SecureRandom used to initialize the Signature service. | SecureRandom | ||
Sets the password used to access an aliased PrivateKey in the KeyStore. | String |
Endpoint Options
The Crypto (JCE) endpoint is configured using URI syntax:
crypto:cryptoOperation:name
With the following path and query parameters:
Path Parameters (2 parameters)
Name | Description | Default | Type |
---|---|---|---|
Required Set the Crypto operation from that supplied after the crypto scheme in the endpoint uri e.g. crypto:sign sets sign as the operation. Enum values:
| CryptoOperation | ||
Required The logical name of this operation. | String |
Query Parameters (19 parameters)
Name | Description | Default | Type |
---|---|---|---|
Sets the JCE name of the Algorithm that should be used for the signer. | SHA256withRSA | String | |
Sets the alias used to query the KeyStore for keys and \{link java.security.cert.Certificate Certificates} to be used in signing and verifying exchanges. This value can be provided at runtime via the message header org.apache.camel.component.crypto.DigitalSignatureConstants#KEYSTORE_ALIAS. | String | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. | KeyStore | ||
Sets the reference name for a Keystore that can be found in the registry. | String | ||
Set the PrivateKey that should be used to sign the exchange. | PrivateKey | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Set the id of the security provider that provides the configured Signature algorithm. | String | ||
references that should be resolved when the context changes. | String | ||
Sets the reference name for a SecureRandom that can be found in the registry. | String | ||
Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature'. | String | ||
Whether the producer should be started lazy (on the first message). By starting lazy you can use this to allow CamelContext and routes to startup in situations where a producer may otherwise fail during starting and cause the route to fail being started. By deferring this startup to be lazy then the startup failure can be handled during routing messages via Camel’s routing error handlers. Beware that when the first message is processed then creating and starting the producer may take a little time and prolong the total processing time of the processing. | false | boolean | |
Set the size of the buffer used to read in the Exchange payload data. | 2048 | Integer | |
Set the Certificate that should be used to verify the signature in the exchange based on its payload. | Certificate | ||
Determines if the Signature specific headers be cleared after signing and verification. Defaults to true, and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset. | true | boolean | |
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. | KeyStoreParameters | ||
Set the PublicKey that should be used to verify the signature in the exchange. | PublicKey | ||
Set the SecureRandom used to initialize the Signature service. | SecureRandom | ||
Sets the password used to access an aliased PrivateKey in the KeyStore. | String |
Message Headers
The Crypto (JCE) component supports 4 message header(s), which is/are listed below:
Name | Description | Default | Type |
---|---|---|---|
CamelSignaturePrivateKey (producer) Constant: | The PrivateKey that should be used to sign the message. | PrivateKey | |
CamelSignaturePublicKeyOrCert (producer) Constant: | The Certificate or PublicKey that should be used to verify the signature. | Certificate or PublicKey | |
CamelSignatureKeyStoreAlias (producer) Constant: | The alias used to query the KeyStore for keys and Certificates to be used in signing and verifying exchanges. | String | |
CamelSignatureKeyStorePassword (producer) Constant: | The password used to access an aliased PrivateKey in the KeyStore. | char[] |
Usage
Raw keys
The most basic way to sign and verify an exchange is with a KeyPair as follows.
KeyPair keyPair = KeyGenerator.getInstance("RSA").generateKeyPair();
from("direct:sign")
.setHeader(DigitalSignatureConstants.SIGNATURE_PRIVATE_KEY, constant(keys.getPrivate()))
.to("crypto:sign:message")
.to("direct:verify");
from("direct:verify")
.setHeader(DigitalSignatureConstants.SIGNATURE_PUBLIC_KEY_OR_CERT, constant(keys.getPublic()))
.to("crypto:verify:check");
The same can be achieved with the Spring XML Extensions using references to keys
KeyStores and Aliases.
The JCE provides a very versatile keystore concept for housing pairs of private keys and certificates, keeping them encrypted and password protected. They can be retrieved by applying an alias to the retrieval APIs. There are a number of ways to get keys and Certificates into a keystore, most often this is done with the external 'keytool' application.
The following command will create a keystore containing a key and certificate aliased by bob
, which can be used in the following examples. The password for the keystore and the key is letmein
.
keytool -genkey -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass letmein -alias bob -dname "CN=Bob,OU=IT,O=Camel" -noprompt
The following route first signs an exchange using Bob’s alias from the KeyStore bound into the Camel Registry, and then verifies it using the same alias.
from("direct:sign")
.to("crypto:sign:keystoreSign?alias=bob&keystoreName=myKeystore&password=letmein")
.log("Signature: ${header.CamelDigitalSignature}")
.to("crypto:verify:keystoreVerify?alias=bob&keystoreName=myKeystore&password=letmein")
.log("Verified: ${body}");
The following code shows how to load the keystore created using the above keytool
command and bind it into the registry with the name myKeystore
for use in the above route. The example makes use of the @Configuration
and @BindToRegistry
annotations introduced in Camel 3 to instantiate the KeyStore and register it with the name myKeyStore
.
@Configuration
public class KeystoreConfig {
@BindToRegistry
public KeyStore myKeystore() throws Exception {
KeyStore store = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream("keystore.jks")) {
store.load(fis, "letmein".toCharArray());
}
return store;
}
}
Again in Spring, a ref is used to look up an actual keystore instance.
Changing JCE Provider and Algorithm
Changing the Signature algorithm or the Security provider is a simple matter of specifying their names. You will need to also use Keys that are compatible with the algorithm you choose.
Changing the Signature Message Header
It may be desirable to change the message header used to store the signature. A different header name can be specified in the route definition as follows
from("direct:sign")
.to("crypto:sign:keystoreSign?alias=bob&keystoreName=myKeystore&password=letmein&signatureHeaderName=mySignature")
.log("Signature: ${header.mySignature}")
.to("crypto:verify:keystoreVerify?alias=bob&keystoreName=myKeystore&password=letmein&signatureHeaderName=mySignature");
Supplying Keys dynamically.
When using a Recipient list or similar EIP, the recipient of an exchange can vary dynamically. Using the same key across all recipients may be neither feasible nor desirable. It would be useful to be able to specify signature keys dynamically on a per-exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this, the signature mechanisms allow for keys to be supplied dynamically via the message headers below
-
DigitalSignatureConstants.SIGNATURE_PRIVATE_KEY
,"CamelSignaturePrivateKey"
-
DigitalSignatureConstants.SIGNATURE_PUBLIC_KEY_OR_CERT
,"CamelSignaturePublicKeyOrCert"
Even better would be to dynamically supply a keystore alias. Again, the alias can be supplied in a message header
-
DigitalSignatureConstants.KEYSTORE_ALIAS
,"CamelSignatureKeyStoreAlias"
The header would be set as follows:
Exchange unsigned = getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setBody(payload);
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein".toCharArray());
template.send("direct:alias-sign", unsigned);
Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().copyFrom(unsigned.getMessage());
signed.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
template.send("direct:alias-verify", signed);
Spring Boot Auto-Configuration
When using crypto with Spring Boot make sure to use the following Maven dependency to have support for auto configuration:
<dependency>
<groupId>org.apache.camel.springboot</groupId>
<artifactId>camel-crypto-starter</artifactId>
<version>x.x.x</version>
<!-- use the same version as your Camel core version -->
</dependency>
The component supports 32 options, which are listed below.
Name | Description | Default | Type |
---|---|---|---|
Sets the JCE name of the Algorithm that should be used for the signer. | SHA256withRSA | String | |
Sets the alias used to query the KeyStore for keys and \{link java.security.cert.Certificate Certificates} to be used in signing and verifying exchanges. This value can be provided at runtime via the message header org.apache.camel.component.crypto.DigitalSignatureConstants#KEYSTORE_ALIAS. | String | ||
Whether autowiring is enabled. This is used for automatic autowiring options (the option must be marked as autowired) by looking up in the registry to find if there is a single instance of matching type, which then gets configured on the component. This can be used for automatic configuring JDBC data sources, JMS connection factories, AWS Clients, etc. | true | Boolean | |
Set the size of the buffer used to read in the Exchange payload data. | 2048 | Integer | |
Set the Certificate that should be used to verify the signature in the exchange based on its payload. The option is a java.security.cert.Certificate type. | Certificate | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Determines if the Signature specific headers be cleared after signing and verification. Defaults to true, and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset. | true | Boolean | |
To use the shared DigitalSignatureConfiguration as configuration. The option is a org.apache.camel.component.crypto.DigitalSignatureConfiguration type. | DigitalSignatureConfiguration | ||
Whether to enable auto configuration of the crypto component. This is enabled by default. | Boolean | ||
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. The option is a org.apache.camel.support.jsse.KeyStoreParameters type. | KeyStoreParameters | ||
Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias, either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore, then this single entry will be used. The option is a java.security.KeyStore type. | KeyStore | ||
Sets the reference name for a Keystore that can be found in the registry. | String | ||
Whether the producer should be started lazy (on the first message). By starting lazy you can use this to allow CamelContext and routes to startup in situations where a producer may otherwise fail during starting and cause the route to fail being started. By deferring this startup to be lazy then the startup failure can be handled during routing messages via Camel’s routing error handlers. Beware that when the first message is processed then creating and starting the producer may take a little time and prolong the total processing time of the processing. | false | Boolean | |
Sets the password used to access an aliased PrivateKey in the KeyStore. | String | ||
Set the PrivateKey that should be used to sign the exchange. The option is a java.security.PrivateKey type. | PrivateKey | ||
Sets the reference name for a PrivateKey that can be found in the registry. | String | ||
Set the id of the security provider that provides the configured Signature algorithm. | String | ||
Set the PublicKey that should be used to verify the signature in the exchange. The option is a java.security.PublicKey type. | PublicKey | ||
references that should be resolved when the context changes. | String | ||
Set the SecureRandom used to initialize the Signature service. The option is a java.security.SecureRandom type. | SecureRandom | ||
Sets the reference name for a SecureRandom that can be found in the registry. | String | ||
Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature'. | String | ||
The JCE algorithm name indicating the cryptographic algorithm that will be used. | String | ||
A JCE AlgorithmParameterSpec used to initialize the Cipher. Will lookup the type using the given name as a java.security.spec.AlgorithmParameterSpec type. | String | ||
The size of the buffer used in the signature process. | 4096 | Integer | |
The name of the JCE Security Provider that should be used. | String | ||
Whether to enable auto configuration of the crypto data format. This is enabled by default. | Boolean | ||
Refers to a byte array containing the Initialization Vector that will be used to initialize the Cipher. | String | ||
Flag indicating that the configured IV should be inlined into the encrypted data stream. Is by default false. | false | Boolean | |
Refers to the secret key to lookup from the register to use. | String | ||
The JCE algorithm name indicating the Message Authentication algorithm. | HmacSHA1 | String | |
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data. | true | Boolean |