Crypto component for Digital Signatures

最新推荐文章于 2023-12-05 18:33:19 发布
最新推荐文章于 2023-12-05 18:33:19 发布
阅读量671 收藏
点赞数
文章标签: exchange algorithm cryptography header null extension
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xgbjmxn/article/details/6165372
版权

Crypto component for Digital Signatures

Available as of Camel 2.3

Using Camel cryptographic endpoints and Java's Cryptographic extension it is easy to create Digital Signatures for Exchange s. Camel provides a pair of flexible endpoints which get used in concert to create a signature for an exchange in one part of the exchange's workflow and then verify the signature in a later part of the workflow.

Maven users will need to add the following dependency to their pom.xml for this component:

<dependency>


    <groupId>
org.apache.camel</groupId>


    <artifactId>
camel-crypto</artifactId>


    <version>
x.x.x</version>


    <!-- use the same version as your Camel core version -->



</dependency>

Introduction

Digital signatures make use Asymmetric Cryptographic techniques to sign messages. From a (very) high level, the algorithms use pairs of complimentary keys with the special property that data encrypted with one key can only be decrypted with the other. One, the private key, is closely guarded and used to 'sign' the message while the other, public key, is shared around to anyone interested in verifying your messages. Messages are signed by encrypting a digest of the message with the private key. This encrypted digest is transmitted along with the message. On the other side the verifier recalculates the message digest and uses the public key to decrypt the the digest in the signature. If both digest match the verifier knows only the holder of the private key could have created the signature.

Camel uses the Signature service from the Java Cryptographic Extension to do all the heavy cryptographic lifting required to create exchange signatures. The following are some excellent sources for explaining the mechanics of Cryptography, Message digests and Digital Signatures and how to leverage them with the JCE.

  • Bruce Schneier's Applied Cryptography
  • Beginning Cryptography with Java by David Hook
  • The ever insightful, Wikipedia Digital_signatures

URI format

As mentioned Camel provides a pair of crypto endpoints to create and verify signatures

crypto:sign:name[?options]

crypto:verify:name[?options]
  • crypto:sign creates the signature and stores it in the Header keyed by the constant Exchange.SIGNATURE , i.e. "CamelDigitalSignature" .
  • crypto:verify will read in the contents of this header and do the verification calculation.

In order to correctly function, sign and verify need to share a pair of keys, sign requiring a PrivateKey and verify a PublicKey (or a Certificate containing one). Using the JCE is is very simple to generate these key pairs but it is usually most secure to use a KeyStore to house and share your keys. The DSL is very flexible about how keys are supplied and provides a number of mechanisms.

Note a crypto:sign endpoint is typically defined in one route and the complimentary crypto:verify in another, though for simplicity in the examples they appear one after the other. It goes without saying that both sign and verify should be configured identically.

Options

Name Type Default Description
algorithm String DSA The name of the JCE Signature algorithm that will be used.
alias String null An alias name that will be used to select a key from the keystore.
bufferSize Integer 2048 the size of the buffer used in the signature process.
certificate Certificate null A Certificate used to verify the signature of the exchange's payload. Either this or a Public Key is required.
keystore KeyStore null A reference to a JCE Keystore that stores keys and certificates used to sign and verify.
provider String null The name of the JCE Security Provider that should be used.
privateKey PrivatKey null The private key used to sign the exchange's payload.
publicKey PublicKey null The public key used to verify the signature of the exchange's payload.
secureRandom secureRandom null A reference to a SecureRandom object that wil lbe used to initialize the Signature service.
password char[] null The password for the keystore.

Using

1) Raw keys

The most basic way to way to sign an verify an exchange is with a KeyPair as follows. 

from("direct:keypair"
).to("crypto:sign://basic?privateKey=#myPrivateKey"
, "crypto:verify://basic?publicKey=#myPublicKey"
, "mock:result"
);

The same can be achieved with the Spring XML Extensions using references to keys 

<route>


    <from uri="direct:keypair"
/>


    <to uri="crypto:sign://basic?privateKey=#myPrivateKey"
 />


    <to uri="crypto:verify://basic?publicKey=#myPublicKey"
 />


    <to uri="mock:result"
/>


</route>
2) KeyStores and Aliases.

The JCE provides a very versatile KeyStore for housing pairs of PrivateKeys and Certificates keeping them encrypted and password protected. They can be retrieved from it by applying an alias to the retrieval apis. There are a number of ways to get keys and Certificates into a keystore most often this is done with the external 'keytool' application. This is a good example of using keytool to create a KeyStore with a self signed Cert and Private key.

The examples use a Keystore with a key and cert aliased by 'bob'. The password for the keystore and the key is 'letmein'

The following shows how to use a Keystore via the Fluent builders, it also shows how to load and initialize the keystore.

from("direct:keystore"
).to("crypto:sign://keystore?keystore=#keystore&alias=bob&password=letmein"
, "crypto:verify://keystore?keystore=#keystore&alias=bob"
, "mock:result"
);

Again in Spring a ref is used to lookup an actual keystore instance. 

<route>


    <from uri="direct:keystore"
/>


    <to uri="crypto:sign://keystore?keystore=#keystore&amp;alias=bob&amp;password=letmein"
 />


    <to uri="crypto:verify://keystore?keystore=#keystore&amp;alias=bob"
 />


    <to uri="mock:result"
/>


</route>
3) Changing JCE Provider and Algorithm

Changing the Signature algorithm or the Security provider is a simple matter of specifying their names. You will need to also use Keys that are compatible with the algorithm you choose.

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"
);

keyGen.initialize(512, new
 SecureRandom());

keyPair = keyGen.generateKeyPair();

PrivateKey privateKey = keyPair.getPrivate();

PublicKey publicKey = keyPair.getPublic();



// we can set the keys explicitly on the endpoint instances.


context.getEndpoint("crypto:sign://rsa?algorithm=MD5withRSA"
, DigitalSignatureEndpoint.class).setPrivateKey(privateKey);


context.getEndpoint("crypto:verify://rsa?algorithm=MD5withRSA"
, DigitalSignatureEndpoint.class).setPublicKey(publicKey);


from("direct:algorithm"
).to("crypto:sign://rsa?algorithm=MD5withRSA"
, "crypto:verify://rsa?algorithm=MD5withRSA"
, "mock:result"
);



from("direct:provider"
).to("crypto:sign://provider?privateKey=#myPrivateKey&provider=SUN"
, "crypto:verify://provider?publicKey=#myPublicKey&provider=SUN"
, "mock:result"
);

or

<route>


    <from uri="direct:algorithm"
/>


    <to uri="crypto:sign://rsa?algorithm=MD5withRSA&amp;privateKey=#rsaPrivateKey"
 />


    <to uri="crypto:verify://rsa?algorithm=MD5withRSA&amp;publicKey=#rsaPublicKey"
 />


    <to uri="mock:result"
/>


</route>
        


<route>


    <from uri="direct:provider"
/>


    <to uri="crypto:sign://provider?privateKey=#myPrivateKey&amp;provider=SUN"
 />


    <to uri="crypto:verify://provider?publicKey=#myPublicKey&amp;provider=SUN"
 />


    <to uri="mock:result"
/>


</route>
4) Changing the Signature Mesasge Header

It may be desirable to change the message header used to store the signature. A different header name can be specified in the route definition as follows

from("direct:signature-header"
).to("crypto:sign://another?privateKey=#myPrivateKey&signatureHeader=AnotherDigitalSignature"
,


                                   "crypto:verify://another?publicKey=#myPublicKey&signatureHeader=AnotherDigitalSignature"
, "mock:result"
);

or

<route>


    <from uri="direct:signature-header"
/>


    <to uri="crypto:sign://another?privateKey=#myPrivateKey&amp;signatureHeader=AnotherDigitalSignature"
 />


    <to uri="crypto:verify://another?publicKey=#myPublicKey&amp;signatureHeader=AnotherDigitalSignature"
 />


    <to uri="mock:result"
/>


</route>
5) Changing the buffersize

In case you need to update the size of the buffer...

from("direct:buffersize"
).to("crypto:sign://buffer?privateKey=#myPrivateKey&buffersize=1024"
, "crypto:verify://buffer?publicKey=#myPublicKey&buffersize=1024"
, "mock:result"
);

or

<route>


    <from uri="direct:buffersize"
 />


    <to uri="crypto:sign://buffer?privateKey=#myPrivateKey&amp;buffersize=1024"
 />


    <to uri="crypto:verify://buffer?publicKey=#myPublicKey&amp;buffersize=1024"
 />


    <to uri="mock:result"
/>


</route>
6) Supplying Keys dynamically.

When using a Recipient list or similar EIP the recipient of an exchange can vary dynamically. Using the same key across all recipients may neither be feasible or desirable. It would be useful to be able to specify the signature keys dynamically on a per exchange basis. The exchange could then be dynamically enriched with the key of its target recipient prior to signing. To facilitate this the signature mechanisms allow for keys to be supplied dynamically via the message headers below

  • Exchange.SIGNATURE_PRIVATE_KEY , "CamelSignaturePrivateKey"
  • Exchange.SIGNATURE_PUBLIC_KEY_OR_CERT , "CamelSignaturePublicKeyOrCert" 
from("direct:headerkey-sign"
).to("crypto:sign://alias"
);


from("direct:headerkey-verify"
).to("crypto:verify://alias"
, "mock:result"
);

or

<route>


    <from uri="direct:headerkey-sign"
/>


    <to uri="crypto:sign://headerkey"
 />


</route>
       

<route>


    <from uri="direct:headerkey-verify"
/>


    <to uri="crypto:verify://headerkey"
 />


    <to uri="mock:result"
/>


</route>

Better again would be to dynamically supply a keystore alias. Again the alias can be supplied in a message header

  • Exchange.KEYSTORE_ALIAS , "CamelSignatureKeyStoreAlias" 
from("direct:alias-sign"
).to("crypto:sign://alias?keystore=#keystore"
);


from("direct:alias-verify"
).to("crypto:verify://alias?keystore=#keystore"
, "mock:result"
);

or

<route>


    <from uri="direct:alias-sign"
/>


    <to uri="crypto:sign://alias?keystore=#keystore"
 />


</route>
       

<route>


    <from uri="direct:alias-verify"
/>


    <to uri="crypto:verify://alias?keystore=#keystore"
 />


    <to uri="mock:result"
/>


</route>

The header would be set as follows

Exchange unsigned = getMandatoryEndpoint("direct:alias-sign"
).createExchange();

unsigned.getIn().setBody(payload);

unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_ALIAS, "bob"
);

unsigned.getIn().setHeader(DigitalSignatureConstants.KEYSTORE_PASSWORD, "letmein"
.toCharArray());

template.send("direct:alias-sign"
, unsigned);

Exchange signed = getMandatoryEndpoint("direct:alias-sign"
).createExchange();

signed.getIn().copyFrom(unsigned.getOut());

signed.getIn().setHeader(KEYSTORE_ALIAS, "bob"
);

template.send("direct:alias-verify"
, signed);
xgbjmxn
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
LogicNP Crypto Obfuscator For .Net Version 2015 Build 170126
09-07
LogicNP Crypto Obfuscator For .Net Version 2015 Build 170126 Powerful Obfuscation & Code Protection For .Net That Actually Works! .Net Assembly Code Protection & Obfuscation Automatic Exception ...
LogicNP Crypto Obfuscator For .Net Version 2015 Build 160701
08-16
LogicNP Crypto Obfuscator For .Net Version 2015 Build 160701。 .NET应用混淆,合并工具. 最新版本. 此版本可使用co.exe进行命令行编译,也可集成进.csproj项目中,编译的同时进行混淆。(以前的所有版本均不支持...
Node.js v12.16.2 Documentation Crypto
BLOG域名:programb.blog.csdn.net
04-16 775
Node.js v12.16.2 Documentation Index View on single page View as JSON View another version ▼ Edit on GitHub Table of Contents Crypto Determining if crypto support is unavailable Class: Ce...
How regulated financial institutions drive adoption of digital assets
just2gooo的博客
12-05 147
All right. Hello everyone. Let's get started. Welcome on a Monday morning. Very happy to see you here in this breakout session.Uh let's wait until the, the background music. It's a very rousing music. I think I'd like to talk to some songs, but here we're
zkLedger: Privacy-Preserving Auditing for Distributed Ledgers zkLedger:保护分布式分类帐的隐私审计
跨链技术践行者
10-08 1万+
zkLedger: Privacy-Preserving Auditing for Distributed Ledgers zkLedger:保护分布式分类帐的隐私审计 论文:https://www.usenix.org/system/files/conference/nsdi18/nsdi18-narula.pdf Abstract 摘要 Distributed ledgers ...
Go 语言学习资源合集(推荐)
静静是我女朋友
02-22 4504
Awesome Go    A curated list of awesome Go frameworks, libraries and software. Inspired by awesome-python. Contributing Please take a quick gander at the contribution guidelines first. Thanks t
Java Secure Socket Extension (JSSE) Reference Guide
太阳火神的美丽人生
03-03 3756
Java Secure Socket Extension (JSSE) Reference Guide
“为物联网提供分散的隐私保护医疗区块链”外文翻译——2019年5月份
charlottehe的博客
05-31 6139
原文链接:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6359727/ 翻译人:FJTCM区块链开发学习小组 时间:2019/05/31 为物联网提供分散的隐私保护医疗区块链 原文链接:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6359727/ Abstract Medi...
X509 证书详解
热门推荐
blue0bird的专栏
12-01 2万+
X509 证书详解 1 Certificates 1-1 Structure of a Certificate 1-2 Extensions informing a specific usage of a certficate 1-3 Certificate filename extensions 2 Certificate chains and cross-certifica
【学习笔记】Big Data Analytics
noobiee的博客
09-17 2738
Big data can be described in terms of data management challenges that – due to increasing volume, velocity and variety of data – cannot be solved with traditional databases. While there are plenty of definitions for big data, most of them include the conce
IPSec无法建立?注意第一阶段hash sha !
剪刀石头布
10-18 2338
该篇注意记录一下,有些情况下,我们配置了IPSec ,但是就是无法建立,发现连第一阶段都无法建立起来。 1、检查配置无问题 2、开启debug crypto isakmp发现有IKE的重传 3、show crypto session、show crypto isakmp sa等会话肯定是没有建立起来的 如果遇到这样的情况,请检查IKE第一阶段是否配置了hash sha256 / sh...
vH Crypto API for Java-开源
05-13
Java的vH Crypto API是一个专为解决Sun的Java密码学扩展(JCE)文档不足和学习难度高的问题而设计的开源项目。这个API的目标是提供一个更易理解和使用的接口,来处理加密和解密等密码学中的常见任务,使得开发者能够...
A Cryptographic File System for Unix_CRYPTO_
09-30
《Unix下的加密文件系统》(A Cryptographic File System for Unix)是关于在Unix操作系统中实现安全数据存储的技术性文档。该文件系统的核心理念是通过密码学技术为用户提供对文件的透明加密,确保数据的隐私性和完整...
IIS Crypto 3.2 下载
07-26
IIS Crypto 是一个免费工具,让管理员能够在 Windows Server 2008、2012、2016 和 2019 上启用或禁用协议、密码、哈希和密钥交换算法。一键禁用不安全的 SSL 3、TLS 1.0,开启TLS 1.2、TLS 1.3 非常方便
ASP基于BS结构的学生在线选课系统的实现(源代码+论文).rar
08-10
资源包主要包含以下内容: ASP项目源码:每个资源包中都包含完整的ASP项目源码,这些源码采用了经典的ASP技术开发,结构清晰、注释详细,帮助用户轻松理解整个项目的逻辑和实现方式。通过这些源码,用户可以学习到ASP的基本语法、服务器端脚本编写方法、数据库操作、用户权限管理等关键技术。 数据库设计文件:为了方便用户更好地理解系统的后台逻辑,每个项目中都附带了完整的数据库设计文件。这些文件通常包括数据库结构图、数据表设计文档,以及示例数据SQL脚本。用户可以通过这些文件快速搭建项目所需的数据库环境,并了解各个数据表之间的关系和作用。 详细的开发文档:每个资源包都附有详细的开发文档,文档内容包括项目背景介绍、功能模块说明、系统流程图、用户界面设计以及关键代码解析等。这些文档为用户提供了深入的学习材料,使得即便是从零开始的开发者也能逐步掌握项目开发的全过程。 项目演示与使用指南:为帮助用户更好地理解和使用这些ASP项目,每个资源包中都包含项目的演示文件和使用指南。演示文件通常以视频或图文形式展示项目的主要功能和操作流程,使用指南则详细说明了如何配置开发环境、部署项目以及常见问题的解决方法。 毕业设计参考:对于正在准备毕业设计的学生来说,这些资源包是绝佳的参考材料。每个项目不仅功能完善、结构清晰,还符合常见的毕业设计要求和标准。通过这些项目,学生可以学习到如何从零开始构建一个完整的Web系统,并积累丰富的项目经验。
基于SSM的高校实验室预约管理系统的设计与实现源码
08-10
本系统结合当前实验室预约、使用和管理中存在的问题和现状进行分析,设计一套可以解决实验室使用冲突、预约流程简单的实验室预约管理系统,满足实验室的在线预约申请与审核的基本需求,可以方便对实验室和实验室设备进行信息化管理。本系统中的教师可以查看当前实验室以及设备的基本信息,在线进行实验室的预约。管理员可以对实验室和实验室的设备进行管理,以及实验室的预约申请进行审核。
毕业设计javajsp超市会员管理系统ssm源码含文档工具包
08-10
毕业设计javajsp超市会员管理系统ssm源码含文档工具包 后台是ssm框架,页面是jsp,数据库mysql,jdk1.8,开发工具用ecplise、myecplise、sts、idea都可以 会员管理 公告育理 评论管理 前台 邮箱管理 积分管理 帮动 修改密码 退出系统 会员管理 公告管理 评论管理 工具管理 包含:源码、数据库脚本、论文、答辩ppt、开题报告、环境工具包、相同框架项目的安装教程(在说明文档中)
STM32F103C8T6 CAN通讯HAL库代码,采用中断接收,含Stm32CubeMX工程
最新发布
08-10
STM32F103C8T6 CAN通讯HAL库例程代码,采用中断接收,含Stm32CubeMX工程
Crypto Toolbox for MATLAB如何安装
04-17
您可以按照以下步骤安装Crypto Toolbox for MATLAB: 1. 在Matlab的命令窗口中执行"ver"命令,确保您使用的Matlab版本是7.0或更高版本; 2. 下载Crypto Toolbox for MATLAB的安装文件; 3. 运行安装文件,并按照...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值