...
In Spring the dataformat is configured first and then used in routes
Code Block |
|
<camelContext id="camel" xmlns="http://camel.apache.org/schema/spring">
<dataFormats>
<crypto id="basic" algorithm="DES" keyRef="desKey" />
</dataFormats>
...
<route>
<from uri="direct:basic-encryption" />
<marshal ref="basic" />
<to uri="mock:encrypted" />
<unmarshal ref="basic" />
<to uri="mock:unencrypted" />
</route>
</camelContext>
|
...
Wiki Markup |
{div:class=confluenceTableSmall}
|| Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is "Test User <t...@camel.com>" then you can use the part "Test User" or "<t...@camel.com>" to address the user ID. |
| {{keyUserids}} | {{List<String>}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). |
| {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). |
| {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. |
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional useridUser ID of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). Can also be only a part of a user ID. For example, if the user ID is "Test User <t...@camel.com>" then you can use the part "Test User" or "<t...@camel.com>" to address the userUser ID. |
| {{signatureKeyUserids}} | {{List<String>}} | {{null}} | *Since Camel 2.12.3*; optional list of User IDs of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). You can specify here the User IDs or parts of User IDs of several keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding keys will be used for the signing or signature verification. If the specified User IDs reference several keys then for each key a signature is added to the PGP result during the encryption-signing process. In the decryption-verifying process the the list of User IDs restricts the list of keys which can be used for signature verification. |
| {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional password used when opening the private key used for signing (during encryption). |
| {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the "file:" prefix). |
| {{signatureKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; signature keyring; you can not set the signatureKeyFileName and signatureKeyRing at the same time. |
| {{algorithm}} | {{int}} | {{SymmetricKeyAlgorithmTags.CAST5}} | *Since camel 2.12.2*; symmetric key encryption algorithm; possible values are defined in {{org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags}}; for example 2 (= TRIPLE DES), 3 (= CAST5), 4 (= BLOWFISH), 6 (= DES), 7 (= AES_128). Only relevant for encrypting. |
| {{compressionAlgorithm}} | {{int}} | {{CompressionAlgorithmTags.ZIP}} | *Since camel 2.12.2*; compression algorithm; possible values are defined in {{org.bouncycastle.bcpg.CompressionAlgorithmTags}}; for example 0 (= UNCOMPRESSED), 1 (= ZIP), 2 (= ZLIB), 3 (= BZIP2). Only relevant for encrypting. |
| {{hashAlgorithm}} | {{int}} | {{HashAlgorithmTags.SHA1}} | *Since camel 2.12.2*: signature hash algorithm; possible values are defined in {{org.bouncycastle.bcpg.HashAlgorithmTags}}; for example 2 (= SHA1), 8 (= SHA256), 9 (= SHA384), 10 (= SHA512), 11 (=SHA224). Only relevant for signing. |
| {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. |
| {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. |
| {{passphraseAccessor}} | [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java] | {{null}} | *Since Camel 2.12.2*; provides passphrases corresponding to user Ids. If no passpharase can be found from the option {{password}} or {{signaturePassword}} and from the headers {{CamelPGPDataFormatKeyPassword}} or {{CamelPGPDataFormatSignatureKeyPassword}} then the passphrase is feteched from the passphrase accessor. You provide a bean which implements the interface [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java]. A default implementation is given by [PGPPassphraseAccessorDefault|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java]. The passphrase accessor is especially useful in the decrypt case; see chapter 'PGP Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public Keys' below. |
{div} |
...
To manage the keyring, I use the command line tools, I find this to be the simplest approach in managing the keys. There are also Java libraries available from http://www.bouncycastle.org/java.html if you would prefer to do it that way.
-
Install the command line utilities on linux
Code Block |
apt-get install gnupg |
-
Create your keyring, entering a secure password
Code Block |
gpg --gen-key |
-
If you need to import someone elses public key so that you can encrypt a file for them.
Code Block |
gpg --import <filename.key |
-
The following files should now exist and can be used to run the example
Code Block |
ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg |
...
A PGP Data Formater can decrypt/verify messages which have been encrypted by different public keys or signed by different private keys. Just, provide the corresponding private keys in the secret keyring, the corresponding public keys in the public keyring, and the passphrases in the passphrase accessor.
Code Block |
Map<String, String> userId2Passphrase = new HashMap<String, String>(2);
// add passphrases of several private keys whose corresponding public keys have been used to encrypt the messages
userId2Passphrase.put("UserIdOfKey1","passphrase1"); // you must specify the exact User ID!
userId2Passphrase.put("UserIdOfKey2","passphrase2");
PGPPassphraseAccessor passphraseAccessor = new PGPPassphraseAccessorDefault(userId2Passphrase);
PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat();
pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor);
// the method getSecKeyRing() provides the secret keyring as byte array containing the private keys
pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setKeyFileName(keyfileName)
// the method getPublicKeyRing() provides the public keyring as byte array containing the public keys
pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing()); // alternatively you can use setSignatureKeyFileName(signatgureKeyfileName)
// it is not necessary to specify the encryption or signer User Id
from("direct:start")
...
.unmarshal(pgpVerifyAndDecrypt) // can decrypt/verify messages encrypted/signed by different private/public keys
...
|
...
To use the Crypto dataformat in your camel routes you need to add the following dependency to your pom.
Code Block |
|
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-crypto</artifactId>
<version>x.x.x</version>
<!-- use the same version as your Camel core version -->
</dependency>
|
...