Repository: camel Updated Branches: refs/heads/master 22371f5a4 -> 4c4f24c0f
Automatic docs generations for camel-crypto and pgp-dataformat added to Gitbook Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/4c4f24c0 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/4c4f24c0 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/4c4f24c0 Branch: refs/heads/master Commit: 4c4f24c0f7803162c4cb0df2f20b6d5d111af736 Parents: 22371f5 Author: Andrea Cosentino <[email protected]> Authored: Tue Aug 23 14:18:22 2016 +0200 Committer: Andrea Cosentino <[email protected]> Committed: Tue Aug 23 14:18:22 2016 +0200 ---------------------------------------------------------------------- .../src/main/docs/crypto-component.adoc | 79 ++++- .../src/main/docs/pgp-dataformat.adoc | 351 +++++++++++++++++++ 2 files changed, 411 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/4c4f24c0/components/camel-crypto/src/main/docs/crypto-component.adoc ---------------------------------------------------------------------- diff --git a/components/camel-crypto/src/main/docs/crypto-component.adoc b/components/camel-crypto/src/main/docs/crypto-component.adoc index b1c60f9..0f913d5 100644 --- a/components/camel-crypto/src/main/docs/crypto-component.adoc +++ b/components/camel-crypto/src/main/docs/crypto-component.adoc @@ -16,32 +16,73 @@ the original plaintext. This data format implements only symmetric [[Crypto-Options]] Options ^^^^^^^ -[width="70%",cols="10%,10%,10%,70%",options="header",] -|======================================================================= -|Name |Type |Default |Description - -|`algorithm` |`String` |`DES/CBC/PKCS5Padding` |The JCE algorithm name indicating the cryptographic algorithm that will -be used. - -|`algorithmParameterSpec` |`java.security.spec.AlgorithmParameterSpec` |`null` |A JCE AlgorithmParameterSpec used to initialize the Cipher. -|`bufferSize` |`Integer` |`4096` |the size of the buffer used in the signature process. +// component options: START +The Crypto (JCE) component supports 21 options which are listed below. -|`cryptoProvider` |`String` |`null` |The name of the JCE Security Provider that should be used. -|`initializationVector` |`byte[]` |`null` |A byte array containing the Initialization Vector that will be used to -initialize the Cipher. -|`inline` |`boolean` |`false` |Flag indicating that the configured IV should be inlined into the -encrypted data stream. +{% raw %} +[width="100%",cols="2,1m,7",options="header"] +|======================================================================= +| Name | Java Type | Description +| configuration | DigitalSignatureConfiguration | To use the shared DigitalSignatureConfiguration as configuration. Properties of the shared configuration can also be set individually. +| name | String | The logical name of this operation. +| algorithm | String | Sets the JCE name of the Algorithm that should be used for the signer. +| alias | String | Sets the alias used to query the KeyStore for keys and link Certificate Certificates to be used in signing and verifying exchanges. This value can be provided at runtime via the message header link DigitalSignatureConstantsKEYSTORE_ALIAS +| privateKey | PrivateKey | Set the PrivateKey that should be used to sign the exchange +| privateKeyName | String | Sets the reference name for a PrivateKey that can be fond in the registry. +| publicKey | PublicKey | Set the PublicKey that should be used to verify the signature in the exchange. +| publicKeyName | String | Sets the reference name for a publicKey that can be fond in the registry. +| certificate | Certificate | Set the Certificate that should be used to verify the signature in the exchange based on its payload. +| certificateName | String | Sets the reference name for a PrivateKey that can be fond in the registry. +| keystore | KeyStore | Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore then this single entry will be used. +| keystoreName | String | Sets the reference name for a Keystore that can be fond in the registry. +| password | char[] | Sets the password used to access an aliased PrivateKey in the KeyStore. +| keyStoreParameters | KeyStoreParameters | Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore then this single entry will be used. +| secureRandomName | String | Sets the reference name for a SecureRandom that can be fond in the registry. +| secureRandom | SecureRandom | Set the SecureRandom used to initialize the Signature service +| bufferSize | Integer | Set the size of the buffer used to read in the Exchange payload data. +| provider | String | Set the id of the security provider that provides the configured Signature algorithm. +| signatureHeaderName | String | Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature' +| clearHeaders | boolean | Determines if the Signature specific headers be cleared after signing and verification. Defaults to true and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset. +| cryptoOperation | String | Set the Crypto operation from that supplied after the crypto scheme in the endpoint uri e.g. crypto:sign sets sign as the operation. +|======================================================================= +{% endraw %} +// component options: END -|`macAlgorithm` |`String` |`null` |The JCE algorithm name indicating the Message Authentication algorithm. +// endpoint options: START +The Crypto (JCE) component supports 22 endpoint options which are listed below: -|`shouldAppendHMAC` |`boolean` |`null` +{% raw %} +[width="100%",cols="2,1,1m,1m,5",options="header"] |======================================================================= - -Flag indicating that a Message Authentication Code should be calculated -and appended to the encrypted data. +| Name | Group | Default | Java Type | Description +| cryptoOperation | producer | | CryptoOperation | *Required* Set the Crypto operation from that supplied after the crypto scheme in the endpoint uri e.g. crypto:sign sets sign as the operation. +| name | producer | | String | *Required* The logical name of this operation. +| algorithm | producer | SHA1WithDSA | String | Sets the JCE name of the Algorithm that should be used for the signer. +| alias | producer | | String | Sets the alias used to query the KeyStore for keys and link java.security.cert.Certificate Certificates to be used in signing and verifying exchanges. This value can be provided at runtime via the message header link org.apache.camel.component.crypto.DigitalSignatureConstantsKEYSTORE_ALIAS +| bufferSize | producer | 2048 | Integer | Set the size of the buffer used to read in the Exchange payload data. +| certificate | producer | | Certificate | Set the Certificate that should be used to verify the signature in the exchange based on its payload. +| certificateName | producer | | String | Sets the reference name for a PrivateKey that can be fond in the registry. +| clearHeaders | producer | true | boolean | Determines if the Signature specific headers be cleared after signing and verification. Defaults to true and should only be made otherwise at your extreme peril as vital private information such as Keys and passwords may escape if unset. +| keystore | producer | | KeyStore | Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges. A KeyStore is typically used with an alias either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore then this single entry will be used. +| keystoreName | producer | | String | Sets the reference name for a Keystore that can be fond in the registry. +| keyStoreParameters | producer | | KeyStoreParameters | Sets the KeyStore that can contain keys and Certficates for use in signing and verifying exchanges based on the given KeyStoreParameters. A KeyStore is typically used with an alias either one supplied in the Route definition or dynamically via the message header CamelSignatureKeyStoreAlias. If no alias is supplied and there is only a single entry in the Keystore then this single entry will be used. +| password | producer | | String | Sets the password used to access an aliased PrivateKey in the KeyStore. +| privateKey | producer | | PrivateKey | Set the PrivateKey that should be used to sign the exchange +| privateKeyName | producer | | String | Sets the reference name for a PrivateKey that can be fond in the registry. +| provider | producer | | String | Set the id of the security provider that provides the configured Signature algorithm. +| publicKey | producer | | PublicKey | Set the PublicKey that should be used to verify the signature in the exchange. +| publicKeyName | producer | | String | references that should be resolved when the context changes +| secureRandom | producer | | SecureRandom | Set the SecureRandom used to initialize the Signature service +| secureRandomName | producer | | String | Sets the reference name for a SecureRandom that can be fond in the registry. +| signatureHeaderName | producer | | String | Set the name of the message header that should be used to store the base64 encoded signature. This defaults to 'CamelDigitalSignature' +| exchangePattern | advanced | InOnly | ExchangePattern | Sets the default exchange pattern when creating an exchange +| synchronous | advanced | false | boolean | Sets whether synchronous processing should be strictly used or Camel is allowed to use asynchronous processing (if supported). +|======================================================================= +{% endraw %} +// endpoint options: END [[Crypto-BasicUsage]] Basic Usage http://git-wip-us.apache.org/repos/asf/camel/blob/4c4f24c0/components/camel-crypto/src/main/docs/pgp-dataformat.adoc ---------------------------------------------------------------------- diff --git a/components/camel-crypto/src/main/docs/pgp-dataformat.adoc b/components/camel-crypto/src/main/docs/pgp-dataformat.adoc new file mode 100644 index 0000000..5918dfe --- /dev/null +++ b/components/camel-crypto/src/main/docs/pgp-dataformat.adoc @@ -0,0 +1,351 @@ +[[Crypto-Crypto]] +Crypto +~~~~~~ + +*Available as of Camel 2.3* +*PGP Available as of Camel 2.9* + +The Crypto link:data-format.html[Data Format] integrates the Java +Cryptographic Extension into Camel, allowing simple and flexible +encryption and decryption of messages using Camel's familiar marshall +and unmarshal formatting mechanism. It assumes marshalling to mean +encryption to cyphertext and unmarshalling to mean decryption back to +the original plaintext. This data format implements only symmetric +(shared-key) encryption and decyption. + +[[Crypto-PGPDataFormatOptions]] +PGPDataFormat Options +^^^^^^^^^^^^^^^^^^^^^ + +// dataformat options: START +The PGP dataformat supports 14 options which are listed below. + + + +{% raw %} +[width="100%",cols="2s,1m,1m,6",options="header"] +|======================================================================= +| Name | Default | Java Type | Description +| keyUserid | | String | The user ID of the key in the PGP keyring used during encryption. Can also be only a part of a user ID. For example if the user ID is Test User then you can use the part Test User or to address the user ID. +| signatureKeyUserid | | String | User ID of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). During the signature verification process the specified User ID restricts the public keys from the public keyring which can be used for the verification. If no User ID is specified for the signature verficiation then any public key in the public keyring can be used for the verification. Can also be only a part of a user ID. For example if the user ID is Test User then you can use the part Test User or to address the User ID. +| password | | String | Password used when opening the private key (not used for encryption). +| signaturePassword | | String | Password used when opening the private key used for signing (during encryption). +| keyFileName | | String | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). +| signatureKeyFileName | | String | Filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). +| signatureKeyRing | | String | Keyring used for signing/verifying as byte array. You can not set the signatureKeyFileName and signatureKeyRing at the same time. +| armored | false | Boolean | This option will cause PGP to base64 encode the encrypted text making it available for copy/paste etc. +| integrity | true | Boolean | Adds an integrity check/sign into the encryption file. The default value is true. +| provider | | String | Java Cryptography Extension (JCE) provider default is Bouncy Castle (BC). Alternatively you can use for example the IAIK JCE provider; in this case the provider must be registered beforehand and the Bouncy Castle provider must not be registered beforehand. The Sun JCE provider does not work. +| algorithm | | Integer | Symmetric key encryption algorithm; possible values are defined in org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags; for example 2 (= TRIPLE DES) 3 (= CAST5) 4 (= BLOWFISH) 6 (= DES) 7 (= AES_128). Only relevant for encrypting. +| compressionAlgorithm | | Integer | Compression algorithm; possible values are defined in org.bouncycastle.bcpg.CompressionAlgorithmTags; for example 0 (= UNCOMPRESSED) 1 (= ZIP) 2 (= ZLIB) 3 (= BZIP2). Only relevant for encrypting. +| hashAlgorithm | | Integer | Signature hash algorithm; possible values are defined in org.bouncycastle.bcpg.HashAlgorithmTags; for example 2 (= SHA1) 8 (= SHA256) 9 (= SHA384) 10 (= SHA512) 11 (=SHA224). Only relevant for signing. +| signatureVerificationOption | | String | Controls the behavior for verifying the signature during unmarshaling. There are 4 values possible: optional: The PGP message may or may not contain signatures; if it does contain signatures then a signature verification is executed. required: The PGP message must contain at least one signature; if this is not the case an exception (PGPException) is thrown. A signature verification is executed. ignore: Contained signatures in the PGP message are ignored; no signature verification is executed. no_signature_allowed: The PGP message must not contain a signature; otherwise an exception (PGPException) is thrown. +|======================================================================= +{% endraw %} +// dataformat options: END + +[[Crypto-PGPDataFormatMessageHeaders]] +PGPDataFormat Message Headers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can override the PGPDataFormat options by applying below headers +into message dynamically. + +[width="70%",cols="10%,10%,80%",options="header",] +|======================================================================= +|Name |Type |Description + +|`CamelPGPDataFormatKeyFileName` |`String` |*Since Camel 2.11.0*; filename of the keyring; will override existing +setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatEncryptionKeyRing` |`byte[]` |*Since Camel 2.12.1*; the encryption keyring; will override existing +setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatKeyUserid` |`String` |*Since Camel 2.11.0*; the User ID of the key in the PGP keyring; will +override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatKeyUserids` |`List<String>` |*Since camel 2.12.2*: the User IDs of the key in the PGP keyring; will +override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatKeyPassword` |`String` |*Since Camel 2.11.0*; password used when opening the private key; will +override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureKeyFileName` |`String` |*Since Camel 2.11.0*; filename of the signature keyring; will override +existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureKeyRing` |`byte[]` |*Since Camel 2.12.1*; the signature keyring; will override existing +setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureKeyUserid` |`String` |*Since Camel 2.11.0*; the User ID of the signature key in the PGP +keyring; will override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureKeyUserids` |`List<String>` |*Since Camel 2.12.3*; the User IDs of the signature keys in the PGP +keyring; will override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureKeyPassword` |`String` |*Since Camel 2.11.0*; password used when opening the signature private +key; will override existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatEncryptionAlgorithm` |`int` |*Since Camel 2.12.2*; symmetric key encryption algorithm; will override +existing setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatSignatureHashAlgorithm` |`int` |*Since Camel 2.12.2*; signature hash algorithm; will override existing +setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatCompressionAlgorithm` |`int` |*Since Camel 2.12.2*; compression algorithm; will override existing +setting directly on the PGPDataFormat. + +|`CamelPGPDataFormatNumberOfEncryptionKeys` |`Integer` |*Since* *Camel 2.12.3; *number of public keys used for encrypting the +symmectric key, set by PGPDataFormat during encryptiion process + +|`CamelPGPDataFormatNumberOfSigningKeys` |`Integer` |*Since* *Camel 2.12.3; *number of private keys used for creating +signatures, set by PGPDataFormat during signing process +|======================================================================= + +[[Crypto-EncryptingwithPGPDataFormat]] +Encrypting with PGPDataFormat +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following sample uses the popular PGP format for +encrypting/decrypting files using the +http://www.bouncycastle.org/java.html[Bouncy Castle Java libraries]: + +The following sample performs signing + encryption, and then signature +verification + decryption. It uses the same keyring for both signing and +encryption, but you can obviously use different keys: + +Or using Spring: + +[[Crypto-Toworkwiththepreviousexampleyouneedthefollowing]] +To work with the previous example you need the following +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +* A public keyring file which contains the public keys used to encrypt +the data +* A private keyring file which contains the keys used to decrypt the +data +* The keyring password + +[[Crypto-Managingyourkeyring]] +Managing your keyring ++++++++++++++++++++++ + +To manage the keyring, I use the command line tools, I find this to be +the simplest approach in managing the keys. There are also Java +libraries available from +http://www.bouncycastle.org/java.html[http://www.bouncycastle.org/java.html] +if you would prefer to do it that way. + +1. Install the command line utilities on linux + +[source,java] +--------------------- +apt-get install gnupg +--------------------- +2. Create your keyring, entering a secure password + +[source,java] +------------- +gpg --gen-key +------------- +3. If you need to import someone elses public key so that you can +encrypt a file for them. + +[source,java] +-------------------------- +gpg --import <filename.key +-------------------------- +4. The following files should now exist and can be used to run the +example + +[source,java] +----------------------------------------------- +ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg +----------------------------------------------- + +[[Crypto-PGPDecrypting/VerifyingofMessagesEncrypted/SignedbyDifferentPrivate/PublicKeys]] +PGP Decrypting/Verifying of Messages Encrypted/Signed by Different +Private/Public Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since *Camel 2.12.2*. + +A PGP Data Formater can decrypt/verify messages which have been +encrypted by different public keys or signed by different private keys. +Just, provide the corresponding private keys in the secret keyring, the +corresponding public keys in the public keyring, and the passphrases in +the passphrase accessor. + +[source,java] +------------------------------------------------------------------------------------------------------------------------------------------ +Map<String, String> userId2Passphrase = new HashMap<String, String>(2); +// add passphrases of several private keys whose corresponding public keys have been used to encrypt the messages +userId2Passphrase.put("UserIdOfKey1","passphrase1"); // you must specify the exact User ID! +userId2Passphrase.put("UserIdOfKey2","passphrase2"); +PGPPassphraseAccessor passphraseAccessor = new PGPPassphraseAccessorDefault(userId2Passphrase); + +PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat(); +pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor); +// the method getSecKeyRing() provides the secret keyring as byte array containing the private keys +pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setKeyFileName(keyfileName) +// the method getPublicKeyRing() provides the public keyring as byte array containing the public keys +pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing()); // alternatively you can use setSignatureKeyFileName(signatgureKeyfileName) +// it is not necessary to specify the encryption or signer User Id + +from("direct:start") + ... + .unmarshal(pgpVerifyAndDecrypt) // can decrypt/verify messages encrypted/signed by different private/public keys + ... +------------------------------------------------------------------------------------------------------------------------------------------ + +* The functionality is especially useful to support the key exchange. If +you want to exchange the private key for decrypting you can accept for a +period of time messages which are either encrypted with the old or new +corresponding public key. Or if the sender wants to exchange his signer +private key, you can accept for a period of time, the old or new signer +key. +* Technical background: The PGP encrypted data contains a Key ID of the +public key which was used to encrypt the data. This Key ID can be used +to locate the private key in the secret keyring to decrypt the data. The +same mechanism is also used to locate the public key for verifying a +signature. Therefore you no longer must specify User IDs for the +unmarshaling. + +[[Crypto-RestrictingtheSignerIdentitiesduringPGPSignatureVerification]] +Restricting the Signer Identities during PGP Signature Verification +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since *Camel 2.12.3.* + +If you verify a signature you not only want to verify the correctness of +the signature but you also want check that the signature comes from a +certain identity or a specific set of identities. Therefore it is +possible to restrict the number of public keys from the public keyring +which can be used for the verification of a signature.  + +*Signature User IDs* + +[source,java] +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +// specify the User IDs of the expected signer identities + List<String> expectedSigUserIds = new ArrayList<String>(); + expectedSigUserIds.add("Trusted company1"); + expectedSigUserIds.add("Trusted company2"); + + PGPDataFormat pgpVerifyWithSpecificKeysAndDecrypt = new PGPDataFormat(); + pgpVerifyWithSpecificKeysAndDecrypt.setPassword("my password"); // for decrypting with private key + pgpVerifyWithSpecificKeysAndDecrypt.setKeyFileName(keyfileName); + pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyFileName(signatgureKeyfileName); + pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyUserids(expectedSigUserIds); // if you have only one signer identity then you can also use setSignatureKeyUserid("expected Signer") + +from("direct:start") + ... + .unmarshal(pgpVerifyWithSpecificKeysAndDecrypt) + ... +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +* If the PGP content has several signatures the verification is +successful as soon as one signature can be verified. +* If you do not want to restrict the signer identities for verification +then do not specify the signature key User IDs. In this case all public +keys in the public keyring are taken into account. + +[[Crypto-SeveralSignaturesinOnePGPDataFormat]] +Several Signatures in One PGP Data Format +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since *Camel 2.12.3.* + +The PGP specification allows that one PGP data format can contain +several signatures from different keys. Since Camel 2.13.3 it is +possible to create such kind of PGP content via specifying signature +User IDs which relate to several private keys in the secret keyring. + +*Several Signatures* + +[source,java] +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + PGPDataFormat pgpSignAndEncryptSeveralSignerKeys = new PGPDataFormat(); + pgpSignAndEncryptSeveralSignerKeys.setKeyUserid(keyUserid); // for encrypting, you can also use setKeyUserids if you want to encrypt with several keys + pgpSignAndEncryptSeveralSignerKeys.setKeyFileName(keyfileName); + pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyFileName(signatgureKeyfileName); + pgpSignAndEncryptSeveralSignerKeys.setSignaturePassword("sdude"); // here we assume that all private keys have the same password, if this is not the case then you can use setPassphraseAccessor + + List<String> signerUserIds = new ArrayList<String>(); + signerUserIds.add("company old key"); + signerUserIds.add("company new key"); + pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyUserids(signerUserIds); + +from("direct:start") + ... + .marshal(pgpSignAndEncryptSeveralSignerKeys) + ... +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +[[Crypto-SupportofSub-KeysandKeyFlagsinPGPDataFormatMarshaler]] +Support of Sub-Keys and Key Flags in PGP Data Format Marshaler +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since *Camel 2.12.3. + +*An https://tools.ietf.org/html/rfc4880#section-12.1[OpenPGP V4 key] can +have a primary key and sub-keys. The usage of the keys is indicated by +the so called https://tools.ietf.org/html/rfc4880#section-5.2.3.21[Key +Flags]. For example, you can have a primary key with two sub-keys; the +primary key shall only be used for certifying other keys (Key Flag +0x01), the first sub-key shall only be used for signing (Key Flag +0x02), and the second sub-key shall only be used for encryption (Key +Flag 0x04 or 0x08). The PGP Data Format marshaler takes into account +these Key Flags of the primary key and sub-keys in order to determine +the right key for signing and encryption. This is necessary because the +primary key and its sub-keys have the same User IDs. + +[[Crypto-SupportofCustomKeyAccessors]] +Support of Custom Key Accessors +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Since *Camel 2.13.0. + +*You can implement custom key accessors for encryption/signing. The +above PGPDataFormat class selects in a certain predefined way the keys +which should be used for signing/encryption or verifying/decryption. If +you have special requirements how your keys should be selected you +should use the +https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPKeyAccessDataFormat.java[PGPKeyAccessDataFormat] +class instead and implement the interfaces +https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPublicKeyAccessor.java[PGPPublicKeyAccessor] +and +https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPSecretKeyAccessor.java[PGPSecretKeyAccessor] +as beans. There are default implementations +https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPPublicKeyAccessor.java[DefaultPGPPublicKeyAccessor] +and +https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPSecretKeyAccessor.java[DefaultPGPSecretKeyAccessor] +which cache the keys, so that not every time the keyring is parsed when +the processor is called. + +PGPKeyAccessDataFormat has the same options as PGPDataFormat except +password, keyFileName, encryptionKeyRing, signaturePassword, +signatureKeyFileName, and signatureKeyRing. + +[[Crypto-Dependencies]] +Dependencies +^^^^^^^^^^^^ + +To use the link:crypto.html[Crypto] dataformat in your camel routes you +need to add the following dependency to your pom. + +[source,xml] +---------------------------------------------------------- +<dependency> + <groupId>org.apache.camel</groupId> + <artifactId>camel-crypto</artifactId> + <version>x.x.x</version> + <!-- use the same version as your Camel core version --> +</dependency> +---------------------------------------------------------- + +[[Crypto-SeeAlso]] +See Also +^^^^^^^^ + +* link:data-format.html[Data Format] +* link:crypto-digital-signatures.html[Crypto (Digital Signatures)] +* http://www.bouncycastle.org/java.html[http://www.bouncycastle.org/java.html] +
