[CONF] Apache Camel XmlJson
Franz Forsthofer edited the page:
XmlJson
...
Just instantiate the XmlJsonDataFormat from package org.apache.camel.dataformat.xmljson. Make sure you have installed the camel-xmljson feature (if running on OSGi) or that you've included camel-xmljson-{version}.jar and its transitive dependencies in your classpath. Example initialization with a default configuration:
Code Block
lang
java
XmlJsonDataFormat xmlJsonFormat = new XmlJsonDataFormat();
To tune the behaviour of the data format as per the options above, use the appropriate setters:
Code Block
lang
java
XmlJsonDataFormat xmlJsonFormat = new XmlJsonDataFormat();
xmlJsonFormat.setEncoding(UTF-8);
xmlJsonFormat.setForceTopLevelObject(true);
xmlJsonFormat.setTrimSpaces(true);
[CONF] Apache Camel XML Security component
Franz Forsthofer edited the page:
XML Security component
...
Name
Type
Default
Description
uriDereferencer
javax.xml.crypto.URIDereferencer
null
URI dereferencer. You can specify here your own URI dereferencer, if you want to restrict the dereferencing or have special requirements for dereferencing.
baseUri
String
null
Base URI used in the URI dereferencer. Relative URIs are concatenated with the base URI.
cryptoContextProperties
MapString, ? extends Object
null
Crypto context properties. See javax.xml.crypto.XMLCryptoContext.setProperty(String, Object). The properties can depend on the provider. For example, the JDK provider XMLDSig has the property org.jcp.xml.dsig.validateManifests for enabling manifest validation. The following properties are set by default to the value Boolean.TRUE for the XML verifier: org.jcp.xml.dsig.validateManifests, javax.xml.crypto.dsig.cacheReference. If the option secureValidation} is {{true then additionally the properties org.apache.jcp.xml.dsig.secureValidation and org.jcp.xml.dsig.secureValidation are set to Boolean.TRUE for the XML verifier. If you want to switch these features off you must set the property values to Boolean.FALSE.
disallowDoctypeDecl
Boolean
Boolean.TRUE
Indicator whether DTD DOCTYPE declarations shall be disallowed in the incoming XML message.
omitXmlDeclaration
Boolean
Boolean.FALSE
[CONF] Apache Camel Crypto
Franz Forsthofer bearbeitete die Seite:
Crypto
...
Wiki-Markup
|| Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{keyUserids}} | {{ListString}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). |
| {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). |
| {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. |
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional User ID of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). During the signature verification process the specified User ID restricts the public keys from the public keyring which can be used for the verification. If no User ID is specified for the signature verficiation then any public key in the public keyring can be used for the verification. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the User ID. |
| {{signatureKeyUserids}} | {{ListString}} | {{null}} | *Since Camel 2.12.3*; optional list of User IDs of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). You can specify here the User IDs or parts of User IDs of several keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding keys will be used for the signing or signature verification. If the specified User IDs reference several keys then for each key a signature is added to the PGP result during the encryption-signing process. In the decryption-verifying process the list of User IDs restricts the list of public keys which can be used for signature verification. If the list of User IDs is empty then any public key in the public keyring can be used for the signature verification. |
| {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional password used when opening the private key used for signing (during encryption). |
| {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional filename of the keyring to use for signing (during encryption) or for
[CONF] Apache Camel Crypto
Franz Forsthofer bearbeitete die Seite:
Crypto
...
SinceCamel 2.12.3. An OpenPGP V4 key can have a primary key and sub-keys. The usage of the keys is indicated by the so called Key Flags. For example, you can have a primary key with two sub-keys; the primary key shall only be used for certifying other keys (Key Flag 0x01), the first sub-key shall only be used for signing (Key Flag 0x02), and the second sub-key shall only be used for encryption (Key Flag 0x04 or 0x08). The PGP Data Format marshaler takes into account these Key Flags of the primary key and sub-keys in order to determine the right key for signing and encryption. This is necessary because the primary key and its sub-keys have the same User IDs.
Support of Custom Key Accessors
Since Camel 2.13.0. There is the possibility to define your custom key accessors for encryption/signing. The above PGPDataFormat class selects in a certain predefined way the keys which should be used for signing/encryption or verifying/decryption. If you have special requirements how your keys should be selected you should use the PGPKeyAccessDataFormat class instead and implement the interfaces[PGPPublicKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPublicKeyAccessor.java] and [PGPSecretKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPSecretKeyAccessor.java]. There are default implementations[DefaultPGPPublicKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPPublicKeyAccessor.java] and[DefaultPGPSecretKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPSecretKeyAccessor.java] which cache the keys, so that not every time the keyring is parsed when the processor is called.
PGPKeyAccessDataFormat has the same options as PGPDataFormat except
{{password}}, {{keyFileName}}, {{encryptionKeyRing}},{{signaturePassword}}, {{signatureKeyFileName}}, and {{signatureKeyRing}}
Dependencies
To use the Crypto dataformat in your camel routes you need to add the following dependency to your pom.
...
Online anzeigen Gefllt mir nderungen anzeigen
berwachung des Bereichs beenden Benachrichtigungen verwalten
Diese Nachricht wurde von Atlassian Confluence 5.0.3, der Kollaborationssoftware fr Teams, gesendet
[CONF] Apache Camel Crypto
Franz Forsthofer bearbeitete die Seite: Crypto ... Support of Custom Key Accessors Since Camel 2.13.0. There is the possibility to define your You can implement custom key accessors for encryption/signing. The above PGPDataFormat class selects in a certain predefined way the keys which should be used for signing/encryption or verifying/decryption. If you have special requirements how your keys should be selected you should use the PGPKeyAccessDataFormat class instead and implement the interfaces[PGPPublicKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPublicKeyAccessor.java] and [PGPSecretKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPSecretKeyAccessor.java]. There are default implementations[DefaultPGPPublicKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPPublicKeyAccessor.java] and[DefaultPGPSecretKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/DefaultPGPSecretKeyAccessor.java] interfaces PGPPublicKeyAccessor and PGPSecretKeyAccessor as beans. There are default implementations DefaultPGPPublicKeyAccessor and DefaultPGPSecretKeyAccessor which cache the keys, so that not every time the keyring is parsed when the processor is called. PGPKeyAccessDataFormat has the same options as PGPDataFormat except ... password ... , ... keyFileName ... , ... encryptionKeyRing ... , ... signaturePassword ... , ... signatureKeyFileName ... , ... and ... signatureKeyRing ... . Dependencies To use the Crypto dataformat in your camel routes you need to add the following dependency to your pom. ...
[CONF] Apache Camel Crypto
Franz Forsthofer bearbeitete die Seite:
Crypto
...
Wiki-Markup
|| Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{keyUserids}} | {{ListString}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). |
| {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). |
| {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. |
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional User ID of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). During the signature verification process the specified User ID restricts the public keys from the public keyring which can be used for the verification. If no User ID is specified for the signature verficiation then any public key in the public keyring can be used for the verification. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the User ID. |
| {{signatureKeyUserids}} | {{ListString}} | {{null}} | *Since Camel 2.12.3*; optional list of User IDs of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). You can specify here the User IDs or parts of User IDs of several keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding keys will be used for the signing or signature verification. If the specified User IDs reference several keys then for each key a signature is added to the PGP result during the encryption-signing process. In the decryption-verifying process the list of User IDs restricts the list of public keys which can be used for signature verification. If the list of User IDs is empty then any public key in the public keyring can be used for the signature verification. |
| {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional password used when opening the private key used for signing (during encryption). |
| {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional filename of the keyring to use for signing (during encryption) or for
[CONF] Apache Camel Crypto
Franz Forsthofer bearbeitete die Seite: Crypto ... Name Type Description CamelPGPDataFormatKeyFileName String Since Camel 2.11.0; filename of the keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatEncryptionKeyRing byte[] Since Camel 2.12.1; the encryption keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyUserid String Since Camel 2.11.0; the User ID of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyUserids ListString Since camel 2.12.2: the User IDs of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyPassword String Since Camel 2.11.0; password used when opening the private key; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyFileName String Since Camel 2.11.0; filename of the signature keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyRing byte[]
[CONF] Apache Camel Crypto
Franz Forsthofer edited the page:
Crypto
...
Wiki Markup
{div:class=confluenceTableSmall}
|| Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{keyUserids}} | {{ListString}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). |
| {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). |
| {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. |
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional User ID of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). During the signature verification process the specified User ID restricts the public keys from the public keyring which can be used for the verification. If no User ID is specified for the signature verficiation then any public key in the public keyring can be used for the verification. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the User ID. |
| {{signatureKeyUserids}} | {{ListString}} | {{null}} | *Since Camel 2.12.3*; optional list of User IDs of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). You can specify here the User IDs or parts of User IDs of several keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding keys will be used for the signing or signature verification. If the specified User IDs reference several keys then for each key a signature is added to the PGP result during the encryption-signing process. In the decryption-verifying process the the list of User IDs restricts the list of public keys which can be used for signature verification. If the list of User IDs is empty then any public key in the public keyring can be used for the signature verification. |
| {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional password used when opening the private key used for signing (during encryption). |
| {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional filename of the keyring to use for
[CONF] Apache Camel Crypto
Franz Forsthofer edited the page: Crypto ... The functionality is especially useful to support the key exchange. If you want to exchange the private key for decrypting you can accept for a period of time messages which are either encrypted with the old or new corresponding public key. Or if the sender wants to exchange his signer private key, you can accept for a period of time, the old or new signer key. Technical background: The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling. Restricting the Signer Identities during PGP Signature Verification SinceCamel 2.12.3. If you verify a signature you not only want to verify the correctness of the signature but you also want check that the signature comes from a certain identity or a specific set of identities. Therefore it is possible to restrict the number of public keys from the public keyring which can be used for the verification of a signature. Code Block title Signature User IDs language java // specify the User IDs of the expected signer identities ListString expectedSigUserIds = new ArrayListString(); expectedSigUserIds.add(Trusted company1); expectedSigUserIds.add(Trusted company2); PGPDataFormat pgpVerifyWithSpecificKeysAndDecrypt = new PGPDataFormat(); pgpVerifyWithSpecificKeysAndDecrypt.setPassword(my password); // for decrypting with private key pgpVerifyWithSpecificKeysAndDecrypt.setKeyFileName(keyfileName); pgpVerifyWithSpecificKeysAndDecrypt.setSignatureKeyFileName(signatgureKeyfileName);
[CONF] Apache Camel Crypto
Franz Forsthofer edited the page: Crypto ... If the PGP content has several signatures the verification is successful as soon as one signature can be verified. If you do not want to restrict the signer identities for verification then do not specify the signature key User IDs. In this case all public keys in the public keyring are taken into account. Several Signatures in One PGP Data Format SinceCamel 2.12.3. The PGP specification allows that one PGP data format can contain several signatures from different keys. Since Camel 2.13.3 it is possible to create such kind of PGP content via specifying signature User IDs which relate to several private keys in the secret keyring. Code Block title Several Signatures language java PGPDataFormat pgpSignAndEncryptSeveralSignerKeys = new PGPDataFormat(); pgpSignAndEncryptSeveralSignerKeys.setKeyUserid(keyUserid); // for encrypting, you can also use setKeyUserids if you want to encrypt with several keys pgpSignAndEncryptSeveralSignerKeys.setKeyFileName(keyfileName); pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyFileName(signatgureKeyfileName); pgpSignAndEncryptSeveralSignerKeys.setSignaturePassword(sdude); // here we assume that all private keys have the same password, if this is not the case then you can use setPassphraseAccessor ListString signerUserIds = new ArrayListString(); signerUserIds.add(company old key); signerUserIds.add(company new key); pgpSignAndEncryptSeveralSignerKeys.setSignatureKeyUserids(signerUserIds); from(direct:start) ... .marshal(pgpSignAndEncryptSeveralSignerKeys) ...
[CONF] Apache Camel Crypto
Franz Forsthofer edited the page:
Crypto
...
In Spring the dataformat is configured first and then used in routes
Code Block
lang
xml
camelContext id=camel xmlns=http://camel.apache.org/schema/spring
dataFormats
crypto id=basic algorithm=DES keyRef=desKey /
/dataFormats
...
route
from uri=direct:basic-encryption /
marshal ref=basic /
to uri=mock:encrypted /
unmarshal ref=basic /
to uri=mock:unencrypted /
/route
/camelContext
...
Wiki Markup
{div:class=confluenceTableSmall}
|| Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{keyUserids}} | {{ListString}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). |
| {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file
[CONF] Apache Camel Crypto
Franz Forsthofer edited the page: Crypto ... Name Type Description CamelPGPDataFormatKeyFileName String Since Camel 2.11.0; filename of the keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatEncryptionKeyRing byte[] Since Camel 2.12.1; the encryption keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyUserid String Since Camel 2.11.0; the User ID of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyUserids ListString Since camel 2.12.2: the User IDs of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatKeyPassword String Since Camel 2.11.0; password used when opening the private key; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyFileName String Since Camel 2.11.0; filename of the signature keyring; will override existing setting directly on the PGPDataFormat. CamelPGPDataFormatSignatureKeyRing byte[]
[CONF] Apache Camel Crypto
Crypto Page edited by Franz Forsthofer Changes (4) ... MapString, String userId2Passphrase = new HashMapString, String(2); // add passphrases of several private keys whose corresponding public keys have been used to encrypt the messages userId2Passphrase.put(UserIdOfKey1,passphrase1); // you must specify the exact User ID! userId2Passphrase.put(key1,passphrase1); userId2Passphrase.put(UserIdOfKey2,passphrase2); userId2Passphrase.put(key2,passphrase2); PGPPassphraseAccessor passphraseAccessor = new PGPPassphraseAccessorDefault(userId2Passphrase); ... // the method getPublicKeyRing() provides the public keyring as byte array containing the public keys pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing()); // alternatively you can use setSignatureKeyFileName(signatgureKeyfileName) // it is not necessary to specify the encryption or signer User Id from(direct:start) ... Full Content Crypto Available as of Camel 2.3 PGP Available as of Camel 2.9 The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption. Options Name Type Default Description algorithm String DES/CBC/PKCS5Padding The JCE algorithm name indicating the cryptographic algorithm that will be used. algorithmParameterSpec java.security.spec.AlgorithmParameterSpec null A JCE AlgorithmParameterSpec used to initialize the Cipher. bufferSize Integer 2048 the size of the buffer used in the signature process. cryptoProvider String null The name of the JCE Security Provider that should be used. initializationVector byte[] null A byte array containing the Initialization Vector that will be used to initialize the Cipher. inline boolean false Flag indicating that the configured IV should be inlined into the encrypted data stream. macAlgorithm String null The JCE algorithm name indicating the Message Authentication algorithm. shouldAppendHMAC boolean null Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data. Basic Usage At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows: In Spring the dataformat is configured first and then used in routes camelContext id="camel" xmlns="http://camel.apache.org/schema/spring" dataFormats crypto id="basic" algorithm="DES" keyRef="desKey" / /dataFormats ... route from uri="direct:basic-encryption" / marshal ref="basic" / to uri="mock:encrypted" / unmarshal ref="basic" / to uri="mock:unencrypted" / /route /camelContext Specifying the Encryption Algorithm Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key. A list of the available algorithms in Java 7 is available via the Java Cryptography Architecture Standard Algorithm Name Documentation. Specifying an Initialization Vector Some crypto algorithms, particularly block algorithms, require configuration with an initial block of data known as an Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat you can configure it with a byte[] containing the required data e.g. or with spring, suppling a reference to a byte[] The same vector is required in both the encryption and decryption phases. As it is not necessary to keep the IV a secret, the DataFormat allows for it to be inlined into the encrypted data and subsequently read out in the decryption phase to initialize the Cipher. To inline the IV set the /oinline flag. or with spring. For more information of the use of Initialization Vectors, consult http://en.wikipedia.org/wiki/Initialization_vector http://www.herongyang.com/Cryptography/ http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation Hashed Message Authentication Codes (HMAC) To avoid attacks against the encrypted data while it is in transit the CryptoDataFormat can also calculate a Message
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (4)
...
{div:class=confluenceTableSmall} || Name || Type || Default || Description ||
| {{keyUserid}} | {{String}} | {{null}} | The userid user ID of the key in the PGP keyring used during encryption. See also option {{keyUserids}}. Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{keyUserids}} | {{ListString}} | {{null}} | *Since camel 2.12.2*: PGP allows to encrypt the symmetric key by several asymmetric public receiver keys. You can specify here the User IDs or parts of User IDs of several public keys contained in the PGP keyring. If you just have one User ID, then you can also use the option {{keyUserid}}. The User ID specified in {{keyUserid}} and the User IDs in {{keyUserids}} will be merged together and the corresponding public keys will be used for the encryption. |
| {{password}} | {{String}} | {{null}} | Password used when opening the private key (not used for encryption). | | {{keyFileName}} | {{String}} | {{null}} | Filename of the keyring; must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). | | {{encryptionKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1*; encryption keyring; you can not set the keyFileName and encryptionKeyRing at the same time. |
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional userid of the key in the PGP keyring to use for signing (during encryption) or signature verification (during decryption) .|
| {{signatureKeyUserid}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional userid of the key in the PGP keyring used for signing (during encryption) or signature verification (during decryption). Can also be only a part of a user ID. For example, if the user ID is Test User t...@camel.com then you can use the part Test User or t...@camel.com to address the user ID. |
| {{signaturePassword}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional password used when opening the private key used for signing (during encryption). | | {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0*; optional filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). |
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic"
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (12)
...
| {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. | | {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. |
| {{passphraseAccessor}} | [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java] | {{null}} | *Since Camel 2.12.2*; provides passphrases corresponding to user Ids. If no passpharase can be found from the option {{password}} or {{signaturePassword}} and from the headers {{CamelPGPDataFormatKeyPassword}} or {{CamelPGPDataFormatSignatureKeyPassword}} then the passphrase is feteched from the passphrase accessor. You provide a bean which implements the interface [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java]. A default implementation is given by [PGPPassphraseAccessorDefault|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java]. This The passphrase accessor is especially useful in the decrypt case, where the private decryption key is chosen by the key Id given in the encrypted data. See [example|Usage of Passphrase Accessor] below. |
{div}
...
{div:class=confluenceTableSmall} || Name || Type || Description ||
| {{CamelPGPDataFormatKeyFileName}} | {{String}} | *Since Camel 2.11.0* Filename 2.11.0*; filename of the keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatEncryptionKeyRing}} | {{byte\[\]}} | *Since Camel 2.12.1*; the encryption keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatKeyUserid}} | {{String}} | *Since Camel 2.11.0* The 2.11.0*; the userid of the key in the PGP keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatKeyPassword}} | {{String}} | *Since Camel 2.11.0* Password 2.11.0*; password used when opening the private key; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatSignatureKeyFileName}} | {{String}} | *Since Camel 2.11.0* Filename 2.11.0*; filename of the signature keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatSignatureKeyRing}} | {{byte\[\]}} | *Since Camel 2.12.1*; the signature keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatSignatureKeyUserid}} | {{String}} | *Since Camel 2.11.0* The 2.11.0*; the userid of the signature key in the PGP keyring; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatSignatureKeyPassword}} | {{String}} | *Since Camel 2.11.0* Password 2.11.0*; password used when opening the signature private key; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatEncryptionAlgorithm}} | {{int}} | *Since Camel 2.12.2*; symmetric key encryption algorithm; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatSignatureHashAlgorithm}} | {{int}} | *Since Camel 2.12.2*; signature hash algorithm; will override existing setting directly on the PGPDataFormat. |
h3. Encrypting with PGPDataFormat
...
{code}ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg{code}
h3. Usage of Passphrase Accessor The{snippet:id=pgp-format-signature-key-ring-byte-array|lang=java|url=""
h3. Dependencies
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (6)
...
| {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. | | {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. |
| {{passphraseAccessor}} | [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java] | {{null}} | *Since Camel 2.12.2*; provides passphrases corresponding to user Ids. If no passpharase can be found from the option {{password}} or {{signaturePassword}} and from the headers {{CamelPGPDataFormatKeyPassword}} or {{CamelPGPDataFormatSignatureKeyPassword}} then the passphrase is feteched from the passphrase accessor. You provide a bean which implements the interface [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java]. A default implementation is given by [PGPPassphraseAccessorDefault|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java]. The passphrase accessor is especially useful in the decrypt case, where the private decryption key is chosen by the key Id given in the encrypted data. See [example|Usage case; see chapter Usaage of Passphrase Accessor] Accessor below. |
{div}
...
h3. Usage of Passphrase Accessor
The
Since *Camel 2.12.2*.
A PGP Data Formater can decrypt messages which have been encrypted by different public keys. In this case you must provide the corresponding private keys in the secret keyring and the passphrases of the private keys in the passphrase accessor.
{snippet:id=pgp-format-signature-key-ring-byte-array|lang=java|url=""
*Remark* The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data.
h3. Dependencies
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic" /
to uri="mock:encrypted" /
unmarshal ref="basic" /
to uri="mock:unencrypted" /
/route
/camelContext
Specifying the Encryption Algorithm
Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key.
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (3)
...
{code}ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg{code}
h3. Usage of PGP Passphrase Accessor
Since *Camel 2.12.2*.
...
{code}
*Remark* The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling.
* The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling. * The functionality is especially useful to support the key exchange. If you want to exchange the private key for decrypting you can accept for a period of time messages which are either encrypted with the old or new corresponding public key.
h3. Dependencies
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic" /
to uri="mock:encrypted" /
unmarshal ref="basic" /
to uri="mock:unencrypted" /
/route
/camelContext
Specifying the Encryption Algorithm
Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key.
A list of the available algorithms in Java 7 is available via the Java Cryptography Architecture Standard Algorithm Name Documentation.
Specifying an Initialization Vector
Some crypto algorithms, particularly block algorithms, require configuration with an initial block of data known as an Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat you can configure it with a byte[] containing the required data e.g.
or with spring, suppling a reference to a byte[]
The same vector is required in both the encryption and decryption phases. As it is not necessary to keep the IV a secret, the DataFormat allows for it to be inlined into the encrypted data and subsequently read out in the decryption phase to initialize the Cipher. To inline the IV set the /oinline flag.
or with spring.
For more information of the use of Initialization Vectors, consult
http://en.wikipedia.org/wiki/Initialization_vector
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (3)
...
Since *Camel 2.12.2*.
A PGP Data Formater can decrypt messages which have been encrypted by different public keys. In this case you must Just, provide the corresponding private keys in the secret keyring and the passphrases of the private keys in the passphrase accessor.
{code}
...
PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat(); pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor);
pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing());
// the method getSecKeyRing() provides the secret keyring as byte array pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setkeyFileName(keyfileName)
// it is not necessary to specify the User Id
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic" /
to uri="mock:encrypted" /
unmarshal ref="basic" /
to uri="mock:unencrypted" /
/route
/camelContext
Specifying the Encryption Algorithm
Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key.
A list of the available algorithms in Java 7 is available via the Java Cryptography Architecture Standard Algorithm Name Documentation.
Specifying an Initialization Vector
Some crypto algorithms, particularly block algorithms, require configuration with an initial block of data known as an Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat you can configure it with a byte[] containing the required data e.g.
or with spring, suppling a reference to a byte[]
The same vector is required in both the encryption and decryption phases. As it is not necessary to keep the IV a secret, the DataFormat allows for it to be inlined into the encrypted data and subsequently read out in the decryption phase to initialize the Cipher. To inline the IV set the /oinline flag.
or with spring.
For more information of the use of Initialization Vectors, consult
http://en.wikipedia.org/wiki/Initialization_vector
http://www.herongyang.com/Cryptography/
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
Hashed Message Authentication Codes (HMAC)
To avoid attacks against the encrypted data while it is in transit the CryptoDataFormat can also calculate a Message Authentication Code for the encrypted exchange contents based on a configurable MAC algorithm. The calculated HMAC is appended to the stream
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (3)
...
pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor); // the method getSecKeyRing() provides the secret keyring as byte array
pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setkKeyFileName(keyfileName)
// it is not necessary to specify the User Id
...
{code}
* The functionality is especially useful to support the key exchange. If you want to exchange the private key for decrypting you can accept for a period of time messages which are either encrypted with the old or new corresponding public key. * Technical background: The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling.
* The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling. * The functionality is especially useful to support the key exchange. If you want to exchange the private key for decrypting you can accept for a period of time messages which are either encrypted with the old or new corresponding public key.
h3. Dependencies
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic" /
to uri="mock:encrypted" /
unmarshal ref="basic" /
to uri="mock:unencrypted" /
/route
/camelContext
Specifying the Encryption Algorithm
Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key.
A list of the available algorithms in Java 7 is available via the Java Cryptography Architecture Standard Algorithm Name Documentation.
Specifying an Initialization Vector
Some crypto algorithms, particularly block algorithms, require configuration with an initial block of data known as an Initialization Vector. In the JCE this is passed as an AlgorithmParameterSpec when the Cipher is initialized. To use such a vector with the CryptoDataFormat you can configure it with a byte[] containing the required data e.g.
or with spring, suppling a reference to a byte[]
The same vector is
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (8)
...
| {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. | | {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. |
| {{passphraseAccessor}} | [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java] | {{null}} | *Since Camel 2.12.2*; provides passphrases corresponding to user Ids. If no passpharase can be found from the option {{password}} or {{signaturePassword}} and from the headers {{CamelPGPDataFormatKeyPassword}} or {{CamelPGPDataFormatSignatureKeyPassword}} then the passphrase is feteched from the passphrase accessor. You provide a bean which implements the interface [PGPPassphraseAccessor|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessor.java]. A default implementation is given by [PGPPassphraseAccessorDefault|https://github.com/apache/camel/blob/master/components/camel-crypto/src/main/java/org/apache/camel/converter/crypto/PGPPassphraseAccessorDefault.java]. The passphrase accessor is especially useful in the decrypt case; see chapter Usaage PGP Decrypting/Verifying of Passphrase Accessor Messages Encrypted/Signed by Different Private/Public Keys below. |
{div}
...
{code}ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg{code}
h3. Usage of PGP Passphrase Accessor
h3. PGP Decrypting/Verifying of Messages Encrypted/Signed by Different Private/Public Keys
Since *Camel 2.12.2*.
A PGP Data Formater can decrypt messages which have been encrypted by different public keys. Just, provide the corresponding private keys in the secret keyring and the passphrases in the passphrase accessor.
A PGP Data Formater can decrypt/verify messages which have been encrypted by different public keys or signed by different private keys. Just, provide the corresponding private keys in the secret keyring, the corresponding public keys in the public keyring, and the passphrases in the passphrase accessor.
{code}
...
PGPDataFormat pgpVerifyAndDecrypt = new PGPDataFormat(); pgpVerifyAndDecrypt.setPassphraseAccessor(passphraseAccessor);
// the method getSecKeyRing() provides the secret keyring as byte array containing the private keys
pgpVerifyAndDecrypt.setEncryptionKeyRing(getSecKeyRing()); // alternatively you can use setKeyFileName(keyfileName)
// the method getPublicKeyRing() provides the public keyring as byte array containing the public keys pgpVerifyAndDecrypt.setSignatureKeyRing((getPublicKeyRing()); // alternatively you can use setSignatureKeyFileName(signatgureKeyfileName)
// it is not necessary to specify the User Id
...
{code}
* The functionality is especially useful to support the key exchange. If you want to exchange the private key for decrypting you can accept for a period of time messages which are either encrypted with the old or new corresponding public key. Or if the sender wants to exchange his signer private key, you can accept for a period of time, the old or new signer key.
* Technical background: The PGP encrypted data contains a Key ID of the public key which was used to encrypt the data. This Key ID can be used to locate the private key in the secret keyring to decrypt the data. The same mechanism is also used to locate the public key for verifying a signature. Therefore you no longer must specify User IDs for the unmarshaling.
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature
[CONF] Apache Camel Crypto
Crypto
Page edited by Franz Forsthofer
Changes (2)
...
| {{signatureKeyFileName}} | {{String}} | {{null}} | *Since Camel 2.11.0* Optional filename of the keyring to use for signing (during encryption) or for signature verification (during decryption); must be accessible as a classpath resource (but you can specify a location in the file system by using the file: prefix). | | {{signatureKeyRing}} | {{byte\[\]}} | {{null}} | *Since camel 2.12.1* signature keyring; you can not set the signatureKeyFileName and signatureKeyRing at the same time. |
| {{algorithm}} | {{int}} | {{SymmetricKeyAlgorithmTags.CAST5}} | *Since camel 2.12.2* symmetric key encryption algorithm; possible values are defined in {{org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags}}; for example 2 (= TRIPLE DES), 3 (= CAST5), 4 (= BLOWFISH), 6 (= DES), 7 (= AES_128) | | {{hashAlgorithm}} | {{int}} | {{HashAlgorithmTags.SHA1}} | *Since camel 2.12.2* signature hash algorithm; possible values are defined in {{org.bouncycastle.bcpg.HashAlgorithmTags}}; for example 2 (= SHA1), 8 (= SHA256), 9 (= SHA384), 10 (= SHA512), 11 (=SHA224) |
| {{armored}} | {{boolean}} | {{false}} | This option will cause PGP to base64 encode the encrypted text, making it available for copy/paste, etc. | | {{integrity}} | {{boolean}} | {{true}} | Adds an integrity check/sign into the encryption file. |
...
| {{CamelPGPDataFormatSignatureKeyUserid}} | {{String}} | *Since Camel 2.11.0* The userid of the signature key in the PGP keyring; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureKeyPassword}} | {{String}} | *Since Camel 2.11.0* Password used when opening the signature private key; will override existing setting directly on the PGPDataFormat. |
| {{CamelPGPDataFormatEncryptionAlgorithm}} | {{int}} | *Since Camel 2.12.2* symmetric key encryption algorithm; will override existing setting directly on the PGPDataFormat. | | {{CamelPGPDataFormatSignatureHashAlgorithm}} | {{int}} | *Since Camel 2.12.2* signature hash algorithm; will override existing setting directly on the PGPDataFormat. |
h3. Encrypting with PGPDataFormat
...
Full Content
Crypto
Available as of Camel 2.3
PGP Available as of Camel 2.9
The Crypto Data Format integrates the Java Cryptographic Extension into Camel, allowing simple and flexible encryption and decryption of messages using Camel's familiar marshall and unmarshal formatting mechanism. It assumes marshalling to mean encryption to cyphertext and unmarshalling to mean decryption back to the original plaintext. This data format implements only symmetric (shared-key) encryption and decyption.
Options
Name
Type
Default
Description
algorithm
String
DES/CBC/PKCS5Padding
The JCE algorithm name indicating the cryptographic algorithm that will be used.
algorithmParameterSpec
java.security.spec.AlgorithmParameterSpec
null
A JCE AlgorithmParameterSpec used to initialize the Cipher.
bufferSize
Integer
2048
the size of the buffer used in the signature process.
cryptoProvider
String
null
The name of the JCE Security Provider that should be used.
initializationVector
byte[]
null
A byte array containing the Initialization Vector that will be used to initialize the Cipher.
inline
boolean
false
Flag indicating that the configured IV should be inlined into the encrypted data stream.
macAlgorithm
String
null
The JCE algorithm name indicating the Message Authentication algorithm.
shouldAppendHMAC
boolean
null
Flag indicating that a Message Authentication Code should be calculated and appended to the encrypted data.
Basic Usage
At its most basic all that is required to encrypt/decrypt an exchange is a shared secret key. If one or more instances of the Crypto data format are configured with this key the format can be used to encrypt the payload in one route (or part of one) and decrypted in another. For example, using the Java DSL as follows:
In Spring the dataformat is configured first and then used in routes
camelContext id="camel" xmlns="http://camel.apache.org/schema/spring"
dataFormats
crypto id="basic" algorithm="DES" keyRef="desKey" /
/dataFormats
...
route
from uri="direct:basic-encryption" /
marshal ref="basic" /
to uri="mock:encrypted" /
unmarshal ref="basic" /
to uri="mock:unencrypted" /
/route
/camelContext
Specifying the Encryption Algorithm
Changing the algorithm is a matter of supplying the JCE algorithm name. If you change the algorithm you will need to use a compatible key.
A list of the available algorithms in Java 7 is available via the Java
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (12)
...
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard [XML Signature Syntax and Processing|http://www.w3.org/TR/xmldsig-core/] or as described in the successor [version 1.1|http://www.w3.org/TR/xmldsig-core1/]. For XML Encryption support, please refer to the XML Security [Data Format].
You can find an introduction to XML signature [here|http://www.oracle.com/technetwork/articles/javase/dig-signatures-141823.html/]. The implementation of the component is based on [JSR 105|http://docs.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/overview.html], the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their {{pom.xml}} for this component:
...
h3. XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. Detached XML signatures are not supported in the current implementation.
In the *enveloped XML signature* case, the supported generated XML signature has the following structure (Variables are surrounded by \[\]).
{code}
...
Reference URI=Transform Algorithm=http://www.w3.org/2000/09/xmldsig#enveloped-signature/
(Transform)* !-- By default http://www.w3.org/2006/12/xml-c14n11 is also added to the transforms --
DigestMethodDigestValue
...
{code}
In the *enveloping XML signature* case, the supported generated XML signature has the structure:
{code}
Signature Id=generated_unique_signature_id
SignedInfo
Reference URI=#generated_unique_object_id type=[optional_type_value] !-- the URI can also be set by the option contentReferenceUri; see below. --
(Transform)* !-- By default http://www.w3.org/2006/12/xml-c14n11 is added to the transforms --DigestMethod
...
* With the signer endpoint, you can generate a XML signature for the body of the in-message which can be either a XML document or a plain text. The enveloped or enveloping XML signature will be set to the body of the out-message.
* With the verifier endpoint, you can validate a an enveloped or enveloping XML signature contained in the body of the in-message; if the validation is successful, then the original content is extracted from the XML signature and set to the body of the out-message.
* The {{name}} part in the URI can be chosen by the user to distinguish between different signer/verifier endpoints within one camel context.
...
The key selector bean must implement the [javax.xml.crypto.KeySelector|http://docs.oracle.com/javase/6/docs/api/javax/xml/crypto/KeySelector.html] interface. The package {{org.apache.camel.component.xmlsecurity.api}} contains the default implementation class [DefaultKeySelector|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java] which reads the public key from a keystore.
In the example, the default signature algorithm {{[http://www.w3.org/2000/09/xmldsig#rsa-sha1]}} is used. You can set the signature algorithm of your choice by the option {{signatureAlgorithm}} (see below). The signer endpoint creates an *enveloping* XML signature. If you want to create an *enveloped* XML signature then you must specify the parent element of the Signature element; see option {{parentLocalName}} for more details.
h3. Common Signing and Verifying Options
...
|| Name || Type || Default || Description || | keyAccessor | [KeyAccessor|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java] | null | Provides the signing key and the KeyInfo instance. There
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (1)
...
| uriDereferencer | [javax.xml.crypto.URIDereferencer|http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/URIDereferencer.html] | null | URI dereferencer. You can specify here your own URI dereferencer, if you want to restrict the dereferencing or have special requirements for dereferencing. | | baseUri | String | null | Base URI used in the URI dereferencer. Relative URIs are concatenated with the base URI. |
| cryptoContextProperties | MapString, ? extends Object | null | Crypto context properties. See {{javax.xml.crypto.XMLCryptoContext.setProperty(String, Object)}}. The properties can depend on the provider. For example, the JDK provider XMLDSig has the property org.jcp.xml.dsig.validateManifests for enabling manifest validation. The following properties are set by default to the value {{Boolean.TRUE}} for the XML validation: verifier: org.jcp.xml.dsig.validateManifests, javax.xml.crypto.dsig.cacheReference. If the option {{secureValidation} is {{true}} then additionally the properties org.apache.jcp.xml.dsig.secureValidation and org.jcp.xml.dsig.secureValidation are set to {{Boolean.TRUE}} for the XML verifier. If you want to switch these features off you must set the property values to Boolean.FALSE. {{Boolean.FALSE}}. |
| disallowDoctypeDecl | Boolean | Boolean.TRUE | Indicator whether DTD DOCTYPE declarations shall be disallowed in the incoming XML message. | | omitXmlDeclaration | Boolean | Boolean.FALSE | Indicator whether the XML declaration header shall be omitted in the output XML message. |
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
groupIdorg.apache.camel/groupId
artifactIdcamel-xmlsecurity/artifactId
versionx.x.x/version
!-- use the same version as your Camel core version --
/dependency
XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. Detached XML signatures are not supported in the current implementation.
In the enveloped XML signature case, the supported generated XML signature has the following structure (Variables are surrounded by []).
[parent element]
... !-- Signature element is added as last child of the parent element--
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI=""
Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/
(Transform)* !-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --
DigestMethod
DigestValue
/Reference
(Reference URI="#[keyinfo_Id]"
Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/
DigestMethod
DigestValue
/Reference)?
!-- further references possible, see option 'properties' below --
/SignedInfo
SignatureValue
(KeyInfo Id="[keyinfo_id]")?
!-- Object elements possible, see option 'properties' below --
/Signature
/[parent element]
In the enveloping XML signature case, the supported generated XML signature has the structure:
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI="#generated_unique_object_id" type="[optional_type_value]" !-- the URI can also be set by the option 'contentReferenceUri'; see below. --
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (1)
...
| keySelector | [javax.xml.crypto.KeySelector|http://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/KeySelector.html] | null | Provides the key for validating the XML signature. There is an example implementation which uses a keystore, see [DefaultKeySelector|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeySelector.java]. | | xmlSignatureChecker | [XmlSignatureChecker|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureChecker.java] | null | This interface allows the application to check the XML signature before the validation is executed. This step is recommended in [http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed] |
| validationFailedHandler | [ValidationFailedHandler|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/ValidationFailedHandler.java] | [DefaultValidationFailedHandler|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultValidationFailedHandler.java] | Handles the different validation failed situations. The default implementation throws specific exceptions for the different situations (All exceptions have the package name {{org.apache.camel.component.xmlsecurity.api}} and are a sub-class of {{XmlSignatureInvalidException}}. If the signature value validation fails, a {{XmlSignatureInvalidValueException}} is thrown. If a reference validation fails, a {{XmlSignatureInvalidContentHashException}} is thrown. For more detailed information, see the JavaDoc. |
| xmlSignature2Message | [XmlSignature2Message|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignature2Message.java] | [DefaultXmlSignature2Message|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultXmlSignature2Message.java] | Bean which maps the XML signature to the ouput-message after the validation. How this mapping should be done can be configured by the options {{outputNodeSearchType}}, {{outputNodeSearch}}, and {{removeSignatureElements}}. The default implementation offers three possibilities which are related to the three output node search types Default, ElementName, and XPath. The default implementation determines a node which is then serialized and set to the body of the ouput message. If the search type is ElementName then the ouput node (which must be in this case an element) is determined by the local name and namespace defined in the search value (see option {{outputNodeSearch}}). If the search type is XPath then the output node is determined by the XPath specified in the search value (in this case the ouput node can be of type Element, TextNode or Document). If the output node search type is Default then the following rules apply: In the enveloped XML signature case (there is a reference with URI= and transform http://www.w3.org/2000/09/xmldsig#enveloped-signature), the incoming XML document without the Signature element is set to the output message body. In the non-enveloped XML signature case, the message body is determined from a referenced Object; this is explained in more detail in chapter Output Node Determination in Enveloping XML Signature Case. | | outputNodeSearchType | String | Default | Determines the type of the search of the output node. See option {{xmlSignature2Message}}. The default implementation {{DefaultXmlSignature2Message}} supports the three search types Default, ElementName, and XPath. |
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (1)
...
| plainTextEncoding | String | null | Only used when the option {{plainText}} is set to {{true}}. Then you can specify the encoding of the plain text. If {{null}} then UTF-8 is used. The value can be overwritten by the header CamelXmlSignatureMessageIsPlainTextEncoding. | | properties | [XmlSignatureProperties|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java] | null | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the [XmlSignatureProperties|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java] interface. |
|contentObjectId|String|null|Id value of the Object element. Only used in the enveloped XML signature case. If {{null}} then a unique value is generated. Available as of *2.12.2*|
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
groupIdorg.apache.camel/groupId
artifactIdcamel-xmlsecurity/artifactId
versionx.x.x/version
!-- use the same version as your Camel core version --
/dependency
XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. Detached XML signatures are not supported in the current implementation.
In the enveloped XML signature case, the supported generated XML signature has the following structure (Variables are surrounded by []).
[parent element]
... !-- Signature element is added as last child of the parent element--
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI=""
Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/
(Transform)* !-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --
DigestMethod
DigestValue
/Reference
(Reference URI="#[keyinfo_Id]"
Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/
DigestMethod
DigestValue
/Reference)?
!-- further references possible, see option 'properties' below --
/SignedInfo
SignatureValue
(KeyInfo Id="[keyinfo_id]")?
!-- Object elements possible, see option 'properties' below --
/Signature
/[parent element]
In the enveloping XML signature case, the supported generated XML signature has the structure:
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI="#generated_unique_object_id" type="[optional_type_value]" !-- the URI can also be set by the option 'contentReferenceUri'; see below. --
(Transform)* !-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --
DigestMethod
DigestValue
/Reference
(Reference URI="#[keyinfo_id]"
Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/
DigestMethod
DigestValue
/Reference)?
!-- further references possible, see option 'properties' below --
/SignedInfo
SignatureValue
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (5)
...
| keyAccessor | [KeyAccessor|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java] | null | Provides the signing key and the KeyInfo instance. There is an example implementation which uses a keystore, see [DefaultKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java] | | addKeyInfoReference | Boolean | Boolean.TRUE | Indicator whether a Reference element refering the KeyInfo element provided by the key accessor should be added to the XML signature. |
| signatureAlgorithm | String | [http://www.w3.org/2000/09/xmldsig#rsa-sha1] | signature algorithm consisting of a digest and encryption algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element and the encryption algorithm is used to sign this digest. Which algorithm are supported depends on the JSR 105 provider. | Possible values: http://www.w3.org/2000/09/xmldsig#dsa-sha1
, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 |
| digestAlgorithm | String | see description | Digest algorithm for calculating the digest of the in-message body. If not specified then the digest algorithm of the signature algorithm is used (e.g. [http://www.w3.org/2001/04/xmlenc#sha256]). Which digest algorithm can be used depends on the JSR 105 provider. | used. Possible values: http://www.w3.org/2000/09/xmldsig#sha1
, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512 |
| parentLocalName | String | null | Local name of the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option is null, then an enveloping XML signature is created. See also option {{parentNamespace}}. | | parentNamespace | String | null | Namespace of the parent of the Signature element. See option {{parentLocalName}} |
...
| plainTextEncoding | String | null | Only used when the option {{plainText}} is set to {{true}}. Then you can specify the encoding of the plain text. If {{null}} then UTF-8 is used. The value can be overwritten by the header CamelXmlSignatureMessageIsPlainTextEncoding. | | properties | [XmlSignatureProperties|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java] | null | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the [XmlSignatureProperties|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureProperties.java] interface. |
|contentObjectId|String|null|Id value |contentObjectId|String|null|Value of the Id attribute of the Object element. Only used in the enveloped XML signature case. If {{null}} then a unique value is generated. Available as of *2.12.2*|
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
groupIdorg.apache.camel/groupId
artifactIdcamel-xmlsecurity/artifactId
versionx.x.x/version
!-- use the same version as your Camel core version --
/dependency
XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (4)
...
| keyAccessor | [KeyAccessor|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/KeyAccessor.java] | null | Provides the signing key and the KeyInfo instance. There is an example implementation which uses a keystore, see [DefaultKeyAccessor|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/DefaultKeyAccessor.java] | | addKeyInfoReference | Boolean | Boolean.TRUE | Indicator whether a Reference element refering the KeyInfo element provided by the key accessor should be added to the XML signature. |
| signatureAlgorithm | String | [http://www.w3.org/2000/09/xmldsig#rsa-sha1] | signature algorithm consisting of a digest and encryption algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element and the encryption algorithm is used to sign this digest. Possible values: [http://www.w3.org/2000/09/xmldsig#dsa-sha1], [http://www.w3.org/2000/09/xmldsig#rsa-sha1], [http://www.w3.org/2001/04/xmldsig-more#rsa-sha256], [http://www.w3.org/2001/04/xmldsig-more#rsa-sha384], [http://www.w3.org/2001/04/xmldsig-more#rsa-sha512] |
, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 |
| digestAlgorithm | String | see description | Digest algorithm for calculating the digest of the in-message body. If not specified then the digest algorithm of the signature algorithm is used. Possible values: [http://www.w3.org/2000/09/xmldsig#sha1], [http://www.w3.org/2001/04/xmlenc#sha256], [http://www.w3.org/2001/04/xmldsig-more#sha384], [http://www.w3.org/2001/04/xmlenc#sha512] |
, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512 |
| parentLocalName | String | null | Local name of the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option is null, then an enveloping XML signature is created. See also option {{parentNamespace}}. | | parentNamespace | String | null | Namespace of the parent of the Signature element. See option {{parentLocalName}} |
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
groupIdorg.apache.camel/groupId
artifactIdcamel-xmlsecurity/artifactId
versionx.x.x/version
!-- use the same version as your Camel core version --
/dependency
XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. Detached XML signatures are not supported in the current implementation.
In the enveloped XML signature case, the supported generated XML signature has the following structure (Variables are surrounded by []).
[parent element]
... !-- Signature element is added as last child of the parent element--
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI=""
Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/
(Transform)* !-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --
DigestMethod
DigestValue
/Reference
[CONF] Apache Camel XML Security component
XML Security component
Page edited by Franz Forsthofer
Changes (1)
...
| transformMethods | Listjavax.xml.crypto.AlgorithmMethod | see description | Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option {{parentLocalName}}) also [http://www.w3.org/2000/09/xmldsig#enveloped-signature] is added at position 0 of the list. Use methods in [XmlSignatureHelper|https://github.com/apache/camel/blob/master/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java] to create the transform methods. | | prefixForXmlSignatureNamespace | String | {{ds}} | Prefix for the XML signature namespace. If {{null}} is specified or an empty string then no prefix is used for the signature namespace. |
| contentReferenceUri | String | see description | The URI of the reference to the signed content (in-message body). If {{null}} and we are in the enveloped XML signature case then the URI is set to . If {{null}} and we are in the enveloping XML signature case then the URI is set to generated_object_id which means that the reference points to the Object element containing the in-message body. You can use this option to reference a specific part in your in-message body if you do not want to sign the complete in-message body. This value can be overwritten by the header CamelXmlSignatureContentReferenceUri. Please be aware, if you want to use a value of an XML ID attribute (example: #ID_value), then you must provide the information about the ID attribute via a doctype definition contained in the input XML document. |
| contentReferenceType | String | null | Value of the type attribute of the content reference. This value can be overwritten by the header CamelXmlSignatureContentReferenceType | | plainText | Boolean | Boolean.FALSE | Indicator whether the in-message body contains plain text. Normally, the signature generator treats the incoming message body as XML. If the message body is plain text, then you must set this option to {{true}}. The value can be overwritten by the header CamelXmlSignatureMessageIsPlainText. |
...
Full Content
XML Security component
Available as of Camel 2.12.0
With this Apache Camel component, you can generate and validate XML signatures as described in the W3C standard XML Signature Syntax and Processing or as described in the successor version 1.1. For XML Encryption support, please refer to the XML Security Data Format.
You can find an introduction to XML signature here. The implementation of the component is based on JSR 105, the Java API corresponding to the W3C standard and supports the Apache Santuario and the JDK provider for JSR 105. The implementation will first try to use the Apache Santuario provider; if it does not find the Santuario provider, it will use the JDK provider. Further, the implementation is DOM based.
Maven users will need to add the following dependency to their pom.xml for this component:
dependency
groupIdorg.apache.camel/groupId
artifactIdcamel-xmlsecurity/artifactId
versionx.x.x/version
!-- use the same version as your Camel core version --
/dependency
XML Signature wrapping modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. Detached XML signatures are not supported in the current implementation.
In the enveloped XML signature case, the supported generated XML signature has the following structure (Variables are surrounded by []).
[parent element]
... !-- Signature element is added as last child of the parent element--
Signature Id="generated_unique_signature_id"
SignedInfo
Reference URI=""
Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/
(Transform)* !-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --
DigestMethod
DigestValue
/Reference
(Reference URI="#[keyinfo_Id]"
Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/
DigestMethod
DigestValue
/Reference)?
!-- further references possible, see
