CAMEL-4061: Add asymmetric encryption support to the XMLSecurity component

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.3, 2.8.0
    • Component/s: None
    • Labels: None
    • Patch Info: Patch Available

      Description

      Enhance the camel-xmlsecurity data format to support asymmetric key encryption algorithms.

      This enhancement provides the following capabilities:

      1. Expands the xmlsecurity data format API with a public method that accepts a key transport algorithm and recipient key alias
      2. Supports the RSA 1.5 and RSA OAEP asymmetric key encryption algorithms
      3. Alternatively allows the recipient public key alias to be defined within a message exchange or in camel context
      4. Allows key store and trust store information to be defined in the camel context

      Example configuration:

      import java.util.Map;

      import org.apache.camel.builder.RouteBuilder;
      import org.apache.camel.dataformat.xmlsecurity.XMLSecurityDataFormat;
      import org.apache.xml.security.encryption.XMLCipher;

      // contextProps is the CamelContext property map (assumed here; the original snippet left it undeclared)
      Map<String, String> contextProps = context.getProperties();

      // context properties for encryption: trust store holding the recipient's certificate (public key)
      contextProps.put(XMLSecurityDataFormat.XML_ENC_TRUST_STORE_URL, getClass().getClassLoader().getResource("sender.ts").toString());
      contextProps.put(XMLSecurityDataFormat.XML_ENC_TRUST_STORE_PASSWORD, "password");
      contextProps.put(XMLSecurityDataFormat.XML_ENC_RECIPIENT_ALIAS, "recipient");

      // context properties for decryption: key store holding the recipient's private key
      contextProps.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_URL, getClass().getClassLoader().getResource("recipient.ks").toString());
      contextProps.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_PASSWORD, "password");
      contextProps.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_ALIAS, "recipient");

      context.addRoutes(new RouteBuilder() {
        public void configure() {
          from("direct:start")
            // secureXML(secureTag, secureTagContents, recipientKeyAlias, xmlCipherAlgorithm, keyCipherAlgorithm)
            .marshal().secureXML("//privatenode", true, "some-pub-key-alias", XMLCipher.AES_256, XMLCipher.RSA_v1dot5).to("mock:encrypted")
            .unmarshal().secureXML("//privatenode", true, "some-pub-key-alias", XMLCipher.AES_256, XMLCipher.RSA_v1dot5).to("mock:decrypted");
        }
      });
      
      Attachments

      1. 2011.06.06-CAMEL-4061-camel-core-2.7.x.patch (4 kB, Rich Newcomb)
      2. 2011.06.06-CAMEL-4061-xmlsecurity-2.7.x.patch (39 kB, Rich Newcomb)
      3. recipient.ks (1 kB, Rich Newcomb)
      4. sender.ts (0.7 kB, Rich Newcomb)
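      As an added example (not code from this issue, its patches, or Camel itself), the following stand-alone program round-trips a document through the asymmetric key-transport mode that the description above configures, and makes the checks a practitioner would want on the result. It assumes the sender.ts and recipient.ks attachments of this issue are on the classpath with the store password "password" and the recipient alias "recipient". It picks AES-256 only when the JRE's jurisdiction policy allows it, which is the "Illegal key size or default parameters" failure discussed in the comments, and it uses RSA-OAEP rather than RSA 1.5 for key transport, because PKCS#1 v1.5 key transport is the classic padding-oracle target. The keytool commands in the header comment, which rebuild the two keystores once the attached ones expire (Johan Edstrom's point in the comments), are an assumption about how equivalent stores can be generated, not a description of how the attachments were made.

```java
import java.util.Map;
import javax.crypto.Cipher;

import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.dataformat.xmlsecurity.XMLSecurityDataFormat;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.xml.security.encryption.XMLCipher;

/**
 * Added example: encrypt-then-decrypt round trip through the asymmetric
 * (key transport) mode of the camel-xmlsecurity data format.
 *
 * Assumed keystores: the sender.ts / recipient.ks attachments of CAMEL-4061,
 * or equivalents regenerated with keytool (JKS, password "password"):
 *   keytool -genkeypair -alias recipient -keyalg RSA -keysize 2048 -validity 3650 \
 *       -dname "CN=recipient" -keystore recipient.ks -storepass password -keypass password
 *   keytool -exportcert -alias recipient -keystore recipient.ks -storepass password -file recipient.cer
 *   keytool -importcert -noprompt -alias recipient -file recipient.cer -keystore sender.ts -storepass password
 */
public class AsymmetricXmlEncryptionRoundTrip {

    static final String SECURE_TAG = "//privatenode";
    static final String RECIPIENT_ALIAS = "recipient";
    static final String STORE_PASSWORD = "password";

    /**
     * AES-256 needs the unlimited-strength jurisdiction policy on older JREs; without it the
     * data format fails with InvalidKeyException("Illegal key size or default parameters").
     * Check the limit up front instead of discovering it at runtime.
     */
    static String chooseContentCipher() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256 ? XMLCipher.AES_256 : XMLCipher.AES_128;
    }

    static String resource(String name) {
        return AsymmetricXmlEncryptionRoundTrip.class.getClassLoader().getResource(name).toString();
    }

    static CamelContext buildContext(final String contentCipher) throws Exception {
        CamelContext context = new DefaultCamelContext();
        Map<String, String> props = context.getProperties();

        // Sender side: trust store with the recipient's certificate (public key only).
        props.put(XMLSecurityDataFormat.XML_ENC_TRUST_STORE_URL, resource("sender.ts"));
        props.put(XMLSecurityDataFormat.XML_ENC_TRUST_STORE_PASSWORD, STORE_PASSWORD);
        props.put(XMLSecurityDataFormat.XML_ENC_RECIPIENT_ALIAS, RECIPIENT_ALIAS);

        // Recipient side: key store with the recipient's private key.
        props.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_URL, resource("recipient.ks"));
        props.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_PASSWORD, STORE_PASSWORD);
        props.put(XMLSecurityDataFormat.XML_ENC_KEY_STORE_ALIAS, RECIPIENT_ALIAS);

        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // RSA-OAEP key transport of a per-message AES content key; only the
                // contents of <privatenode> are encrypted (secureTagContents = true).
                from("direct:encrypt")
                    .marshal().secureXML(SECURE_TAG, true, RECIPIENT_ALIAS, contentCipher, XMLCipher.RSA_OAEP);
                from("direct:decrypt")
                    .unmarshal().secureXML(SECURE_TAG, true, RECIPIENT_ALIAS, contentCipher, XMLCipher.RSA_OAEP);
            }
        });
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document for the example.
        String secret = "card=4111111111111111";
        String plain = "<order><publicnode>visible</publicnode><privatenode>" + secret + "</privatenode></order>";

        CamelContext context = buildContext(chooseContentCipher());
        context.start();
        try {
            ProducerTemplate template = context.createProducerTemplate();

            String encrypted = template.requestBody("direct:encrypt", plain, String.class);
            // Checks on the wire format: the secret is gone, an EncryptedKey element is
            // present, and its EncryptionMethod names the expected key transport algorithm.
            if (encrypted.contains(secret)) {
                throw new IllegalStateException("plaintext leaked into the encrypted document");
            }
            if (!encrypted.contains("EncryptedKey") || !encrypted.contains(XMLCipher.RSA_OAEP)) {
                throw new IllegalStateException("no RSA-OAEP EncryptedKey in: " + encrypted);
            }

            String decrypted = template.requestBody("direct:decrypt", encrypted, String.class);
            if (!decrypted.contains(secret)) {
                throw new IllegalStateException("round trip lost the payload: " + decrypted);
            }
            System.out.println("round trip ok");
        } finally {
            context.stop();
        }
    }
}
```

      The two checks on the encrypted output are worth keeping in real tests: an XPath that matches nothing silently leaves the document in the clear, and a misconfigured key transport algorithm is only visible in the Algorithm attribute of the EncryptedKey element.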

        Activity

        Ashwin Karpe added a comment -

        Really nice patch, Rich...

        Wish I had done it myself ... Keep 'em coming.

        Cheers,

        Ashwin...

        Hadrian Zbarcea added a comment -

        Fixed.

        Hadrian Zbarcea added a comment -

        Looks like I forgot to also commit the fix. Done.

        Claus Ibsen added a comment -

        Hadrian can you get this fixed so we are starting to be ready to cut Camel 2.8?

        Rich Newcomb added a comment - (edited)

        Changing all of the AES_256 algorithms to AES_128 should fix that problem.

        Claus Ibsen added a comment -

        Back in the day, when using Java security you could hit issues when key lengths got too big. Well, there were some US export restrictions upon the JDK, so you had to install an add-on to your JDK/JRE so it could support keys with bigger lengths.

        And the JDK wasn't so informative when you had such a situation, so it could take a while to figure it out. So any time I see something with security and key length issues, I think about that.

        Hadrian Zbarcea added a comment -

        I applied the second patch, but there are 5 tests failing which I @Ignore. I will look into it tomorrow to figure out the cause of an InvalidKeyException("Illegal key size or default parameters").

        Claus Ibsen added a comment -

        Did the 2nd patch ever get committed?

        Hadrian Zbarcea added a comment -

        Rich, thanks for the patch. I applied the camel-core part, I am testing the second one now and will commit shortly. Thanks again, and keep them coming.

        Edstrom Johan added a comment -

        Rich, this is really nice!
        One comment, in the CXF/SMX codebase you have shell scripts to re-generate keystores as they will expire, that might be a good addition.

        Rich Newcomb added a comment -

        This patch fixes a few other issues. I will create new issues for those to provide searchable pointers.

        I will be happy to update the patch as necessary, and could integrate with appropriate elements from CAMEL-3750 on the trunk. Please provide tasks / direction as useful.


          People

          • Assignee: Hadrian Zbarcea
          • Reporter: Rich Newcomb
          • Votes: 2
          • Watchers: 2
