Camel Component: Crypto (Digital Signatures) - 6.3

Talend ESB Mediation Developer Guide

EnrichVersion
6.3
EnrichProdName
Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Open Studio for ESB
Talend Real-Time Big Data Platform
task
Design and Development
EnrichPlatform
Talend ESB

With Camel cryptographic endpoints and Java's Cryptographic extension it is easy to create Digital Signatures for Exchanges. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange's workflow and then verify the signature in a later part of the workflow.

Maven users will need to add the following dependency to their pom.xml for this component:

<dependency>
   <groupId>org.apache.camel</groupId>
   <artifactId>camel-crypto</artifactId>
   <!-- use the same version as your Camel core version -->
   <version>x.x.x</version>
</dependency>

Introduction

Digital signatures make use of Asymmetric Cryptographic techniques to sign messages. From a (very) high level, the algorithms use pairs of complimentary keys with the special property that data encrypted with one key can only be decrypted with the other. One, the private key, is closely guarded and used to 'sign' the message while the other, public key, is shared around to anyone interested in verifying the signed messages. Messages are signed by using the private key to encrypting a digest of the message. This encrypted digest is transmitted along with the message. On the other side the verifier recalculates the message digest and uses the public key to decrypt the the digest in the signature. If both digests match the verifier knows only the holder of the private key could have created the signature.

Camel uses the Signature service from the Java Cryptographic Extension to do all the heavy cryptographic lifting required to create exchange signatures. The following are some excellent resources for explaining the mechanics of Cryptography, Message digests and Digital Signatures and how to leverage them with the JCE.

  • Bruce Schneier's Applied Cryptography

  • Beginning Cryptography with Java by David Hook

  • The ever insightful Wikipedia Digital_signatures

URI Format

As mentioned Camel provides a pair of crypto endpoints to create and verify signatures:

crypto:sign:name[?options]
crypto:verify:name[?options]
  • crypto:sign creates the signature and stores it in the Header keyed by the constant Exchange.SIGNATURE, i.e. "CamelDigitalSignature".

  • crypto:sign creates the signature and stores it in the Header keyed by the constant Exchange.SIGNATURE, i.e. "CamelDigitalSignature".

In order to correctly function, the sign and verify process needs a pair of keys to be shared, signing requiring a PrivateKey and verifying a PublicKey (or a Certificate containing one). Using the JCE it is very simple to generate these key pairs but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms.

The most basic way to way to sign an verify an exchange is with a KeyPair as follows:

from("direct:keypair").to("crypto:sign://basic?privateKey=#myPrivateKey", 
   "crypto:verify://basic?publicKey=#myPublicKey", "mock:result");

The same can be achieved with the Spring XML Extensions using references to keys:

<route>
   <from uri="direct:keypair"/>
   <to uri="crypto:sign://basic?privateKey=#myPrivateKey"/>
   <to uri="crypto:verify://basic?publicKey=#myPublicKey"/>
   <to uri="mock:result"/>
</route>

See the Camel Website for the most up-to-date examples of more advanced usages of this component.

Options

Name

Type

Default

Description

algorithmStringSHA1WithDSAThe name of the JCE Signature algorithm that will be used.
aliasStringnullAn alias name that will be used to select a key from the keystore.
bufferSizeInteger2048The size of the buffer used in the signature process.
certificateCertificatenullA Certificate used to verify the signature of the exchange's payload. Either this or a Public Key is required.
keystoreKeyStorenullA reference to a JCE Keystore that stores keys and certificates used to sign and verify.
providerStringnullThe name of the JCE Security Provider that should be used.
privateKeyPrivateKeynullThe private key used to sign the exchange's payload.
publicKeyPublicKeynullThe public key used to verify the signature of the exchange's payload.
secureRandomsecureRandomnullA reference to a SecureRandom object that will be used to initialize the Signature service.
passwordchar[]nullThe password for the keystore.
clearHeadersStringtrueRemove camel crypto headers from Message after a verify operation (value can be "true"/"false").