LibraryToggle FramesPrintFeedback

Using Apache Camel cryptographic endpoints and Java's Cryptographic extension it is easy to create Digital Signatures for Exchanges. Apache Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange's workflow and then verify the signature in a later part of the workflow.

Maven users will need to add the following dependency to their pom.xml for this component:

    <!-- use the same version as your Camel core version -->

Name Type Default Description
algorithm String DSA The name of the JCE Signature algorithm that will be used.
alias String null An alias name that will be used to select a key from the keystore.
bufferSize Integer 2048 the size of the buffer used in the signature process.
certificate Certificate null A Certificate used to verify the signature of the exchange's payload. Either this or a Public Key is required.
keystore KeyStore null A reference to a JCE Keystore that stores keys and certificates used to sign and verify.
provider String null The name of the JCE Security Provider that should be used.
privateKey PrivatKey null The private key used to sign the exchange's payload.
publicKey PublicKey null The public key used to verify the signature of the exchange's payload.
secureRandom secureRandom null A reference to a SecureRandom object that wil lbe used to initialize the Signature service.
password char[] null The password for the keystore.

The most basic way to way to sign an verify an exchange is with a KeyPair as follows.

from("direct:keypair").to("crypto:sign://basic?privateKey=#myPrivateKey", "crypto:verify://basic?publicKey=#myPublicKey", "mock:result");

The same can be achieved with the Spring XML Extensions using references to keys

    <from uri="direct:keypair"/>
    <to uri="crypto:sign://basic?privateKey=#myPrivateKey" />
    <to uri="crypto:verify://basic?publicKey=#myPublicKey" />
    <to uri="mock:result"/>

The JCE provides a very versatile KeyStore for housing pairs of PrivateKeys and Certificates keeping them encrypted and password protected. They can be retrieved from it by applying an alias to the retrieval apis. There are a number of ways to get keys and Certificates into a keystore most often this is done with the external 'keytool' application. This is a good example of using keytool to create a KeyStore with a self signed Cert and Private key.

The examples use a Keystore with a key and cert aliased by 'bob'. The password for the keystore and the key is 'letmein'

The following shows how to use a Keystore via the Fluent builders, it also shows how to load and initialize the keystore.

from("direct:keystore").to("crypto:sign://keystore?keystore=#keystore&alias=bob&password=letmein", "crypto:verify://keystore?keystore=#keystore&alias=bob", "mock:result");

Again in Spring a ref is used to lookup an actual keystore instance.

    <from uri="direct:keystore"/>
    <to uri="crypto:sign://keystore?keystore=#keystore&lias=bob&assword=letmein" />
    <to uri="crypto:verify://keystore?keystore=#keystore&lias=bob" />
    <to uri="mock:result"/>

Changing the Signature algorithm or the Security provider is a simple matter of specifying their names. You will need to also use Keys that are compatible with the algorithm you choose.

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512, new SecureRandom());
keyPair = keyGen.generateKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();

// we can set the keys explicitly on the endpoint instances.
context.getEndpoint("crypto:sign://rsa?algorithm=MD5withRSA", DigitalSignatureEndpoint.class).setPrivateKey(privateKey);
context.getEndpoint("crypto:verify://rsa?algorithm=MD5withRSA", DigitalSignatureEndpoint.class).setPublicKey(publicKey);
from("direct:algorithm").to("crypto:sign://rsa?algorithm=MD5withRSA", "crypto:verify://rsa?algorithm=MD5withRSA", "mock:result");
from("direct:provider").to("crypto:sign://provider?privateKey=#myPrivateKey&provider=SUN", "crypto:verify://provider?publicKey=#myPublicKey&provider=SUN", "mock:result");


    <from uri="direct:algorithm"/>
    <to uri="crypto:sign://rsa?algorithm=MD5withRSA&rivateKey=#rsaPrivateKey" />
    <to uri="crypto:verify://rsa?algorithm=MD5withRSA&ublicKey=#rsaPublicKey" />
    <to uri="mock:result"/>
    <from uri="direct:provider"/>
    <to uri="crypto:sign://provider?privateKey=#myPrivateKey&rovider=SUN" />
    <to uri="crypto:verify://provider?publicKey=#myPublicKey&rovider=SUN" />
    <to uri="mock:result"/>

When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may neither be feasible or desirable. It would be useful to be able to specify the signature keys dynamically on a per exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this the signature mechanisms allow for keys to be supplied dynamically via the message headers below

from("direct:headerkey-verify").to("crypto:verify://alias", "mock:result");


    <from uri="direct:headerkey-sign"/>
    <to uri="crypto:sign://headerkey" />
    <from uri="direct:headerkey-verify"/>
    <to uri="crypto:verify://headerkey" />
    <to uri="mock:result"/>

Better again would be to dynamically supply a keystore alias. Again the alias can be supplied in a message header

from("direct:alias-verify").to("crypto:verify://alias?keystore=#keystore", "mock:result");


    <from uri="direct:alias-sign"/>
    <to uri="crypto:sign://alias?keystore=#keystore" />
    <from uri="direct:alias-verify"/>
    <to uri="crypto:verify://alias?keystore=#keystore" />
    <to uri="mock:result"/>

The header would be set as follows

Exchange unsigned = getMandatoryEndpoint("direct:alias-sign").createExchange();
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob");
unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein".toCharArray());
template.send("direct:alias-sign", unsigned);
Exchange signed = getMandatoryEndpoint("direct:alias-sign").createExchange();
signed.getIn().setHeader(KEYSTORE_ALIAS, "bob");
template.send("direct:alias-verify", signed);

See also:

Comments powered by Disqus