Mule : PGP Security
This page last changed on May 31, 2006 by tcarlson.

PGP Security

This extension adds PGP security on endpoint communication.
With PGP you can achieve end-to-end security communication with signed and encrypted messages between parties.

Requirements

You need to add these libraries to Mule classpath:

Install Policy files

If you are running JDK 1.4+ that comes with the
Sun JCE by default, or JDK 1.2/1.3 if you have installed Sun JCE 1.2
manually, you have to install the Unlimited Strength Jurisdiction Policy files,
which can be downloaded from the following URL (note that they are listed
entirely at the bottom of the page, in the Other Dowloads section):

http://java.sun.com/j2se/1.4/download.html
http://java.sun.com/j2se/1.5.0/download.jsp

These files have to be installed in $JAVA_HOME$/jre/lib/security

The default distribution of the JCE allows as Sun calls it 'strong, but limited strength cryptography'. This basically means that you cannot use RSA keys bigger than 2048 bits, and no symmetric ciphers that use more than 128 bits. ElGamal is not allowed at all, thus DH/DSS cannot be used for encryption.

Useful PGP links

How PGP works (intro documentation)
GnuPG (freeware implementation)
enigmail (extension for Thunderbird)

Configuring PGP filter

Using a spring context, we have to define a manager for accessing public and private keys.

securityContext.xml
<beans>
    <bean id="pgpKeyManager" class="org.mule.extras.pgp.PGPKeyRingImpl" 
        init-method="initialise">
    <property name="publicKeyRingFileName">
        <value>pubring.gpg</value>
    </property>
    <property name="secretKeyRingFileName">
        <value>secring.gpg</value>			
    </property>
    <property name="secretAliasId">
        <value>0x6168F39C</value>
    </property>
    <property name="secretPassphrase">
        <value>TestingPassphrase</value>
    </property>
</bean>

<bean id="fakeCredentialAccessor"
    class="org.mule.extras.pgp.FakeCredentialAccessor" />

</beans>

Also we need to know who is the sender of a message.
For this example we simply fake the sender using the org.mule.extras.pgp.FakeCredentialAccessor class (from pgp test src, which returns a fixed user name)

PGP stores keys in files called keyrings
There is a public keyring storing public keys of your trusted parties and a private keyring storing your secret key.
In a keyring, keys are referenced by an alias ID (also named key Id).
Your secret keyring is encrypted on your disk using a passphrase.

Our goal is to define a sample echo application that reads signed (and encrypted) files from a directory (/temp/signedAndEncryptedFiles/in)
and write the decrypted content into /temp/decryptedFiles/out

Then comes Mule configuration...

<mule-configuration id="Test_Mule_Properties" version="1.0">

  <!-- Spring context -->
  <container-context 
    className="org.mule.extras.spring.SpringContainerContext">
    <properties>
      <property name="configFile" value="securityContext.xml"/>
    </properties>
  </container-context>

  <!-- Security manager -->
  <security-manager>
    <security-provider name="PgpProvider" 
      className="org.mule.extras.pgp.PGPSecurityProvider">
      <properties>
        <container-property name="keyManager" reference="pgpKeyManager"/>
      </properties>
    </security-provider>

    <encryption-strategy name="KBE"
      className="org.mule.extras.pgp.KeyBasedEncryptionStrategy">
      <properties>
        <container-property name="keyManager" reference="pgpKeyManager" />
      </properties>
    </encryption-strategy>
  </security-manager>

  <model name="echoTest">
    <mule-descriptor name="echo" containerManaged="false"
      implementation="org.mule.extras.pgp.EchoMsg">

      <inbound-router>

        <endpoint address="file:///temp/signedAndEncryptedFiles/in">
          <security-filter
            className="org.mule.extras.pgp.filters.PGPSecurityFilter">
	   <properties>
              <property name="strategyName" value="KBE"/>
              <property name="signRequired" value="true"/>
              <container-property name="credentialsAccessor" 
                reference="fakeCredentialAccessor"/>
              <container-property name="keyManager" 
                reference="pgpKeyManager" />
            </properties>
         </security-filter>
        </endpoint>

      </inbound-router>

      <outbound-router>
        <router 
          className="org.mule.routing.outbound.OutboundPassThroughRouter">
	
          <endpoint address="file:///temp/decryptedFiles/out" >
	  <security-filter 
             className="org.mule.extras.pgp.filters.PGPSecurityFilter">
	    <properties>
               <property name="strategyName" value="KBE"/>
               <property name="authenticate" value="false"/>
               <container-property name="credentialsAccessor" 
                 reference="fakeCredentialAccessor"/>
               <container-property name="keyManager" 
                 reference="pgpKeyManager" />
	    </properties>
           </security-filter>
         </endpoint>

       </router>
     </outbound-router>
    </mule-descriptor>
  </model>
</mule-configuration>

The property signRequired in the inbound security filter controls if we accept unsigned message or not.

the property authenticate in the outbound security filter controls if we want to encrypt messages for the receiver





..and they said "free email account"...but I read "free persistent message queue"...
– Alessandro Riva
Document generated by Confluence on Nov 27, 2006 10:27