"Invalid Crypto Key" error when signing the token in Salesforce

Hello, I am working on a custom integration between Salesforce and Zoom. I’ve set up a marketplace account and installed the Zoom app from AppExchange on my developer edition.

I am able to connect to Zoom via Apex and Postman using the token generated in the “App Credentials” tab. Next, I would like to create the token programmatically using Apex in order to create/update/delete meetings on Zoom via the REST API.

However, running the Apex code below results in “System.SecurityException: Invalid Crypto Key”.

string headerJson = '{"alg": "HS256","typ": "JWT"}';
string payloadJson = '{"iss": "jGim2wjTQROu6r6O_-KbJA", "exp": 1562594400}'; // 07/08/2019 @ 2:00pm (UTC)
string token = EncodingUtil.base64Encode(Blob.valueOf(headerJson)) + '.' + EncodingUtil.base64Encode(Blob.valueOf(payloadJson));
Blob key = EncodingUtil.base64Decode('[API Secret]');
Blob signature = Crypto.sign('RSA-SHA256', Blob.valueOf(token), key); 

The documentation for the Crypto.sign method states that “The value of privateKey must be decoded using the EncodingUtil base64Decode method, and should be in RSA’s PKCS #8 (1.2) Private-Key Information Syntax Standard form. The value cannot exceed 4 KB.”

Therefore, I tried using openssl to generate a PKCS #8 package.

I first created a file called server.key that had the contents below:
-----BEGIN RSA PRIVATE KEY-----
[API Secret]
-----END RSA PRIVATE KEY-----

And then ran the command to generate the PKCS #8 package but the command failed:

openssl pkcs8 -topk8 -in server.key -out server-pkcs8.key -nocrypt
unable to load key
4294956672:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
4294956672:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1208:
4294956672:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=RSA
4294956672:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:121:
4294956672:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
4294956672:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1208:
4294956672:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS8_PRIV_KEY_INFO
4294956672:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:

I am unable to sign the token or to convert the API Secret to the PKCS #8 form.

Please let me know if there is a different key apart from “API Secret” field shown on the App Credentials tab that I must use.

Thank you.

Hi Zgunay,

Thank you for using our SDK.
Regarding the token creation issue, I checked the code you posted. It’s a little different from our sample.

#import <CommonCrypto/CommonHMAC.h>

/*
 * Hmac AlgSHA256 Encryption.
 */
- (NSString *)hmac:(NSString *)plaintext withKey:(NSString *)key
{
    // Key and message are used as raw ASCII bytes
    const char *cKey = [key cStringUsingEncoding:NSASCIIStringEncoding];
    const char *cData = [plaintext cStringUsingEncoding:NSASCIIStringEncoding];
    unsigned char cHMAC[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, cKey, strlen(cKey), cData, strlen(cData), cHMAC);
    NSData *HMAC = [[NSData alloc] initWithBytes:cHMAC length:sizeof(cHMAC)];
    // Base64-encode the 32-byte MAC
    NSString *hash = [HMAC base64Encoding];
    return hash;
}

Would you try to create your “key” with this method?
And you can get the sample file here.

Thanks,
Jackie

Hi Jackie.Chen,

Thanks for your reply. I believe your code is in Objective-C. I am using Apex on Salesforce.

Do you happen to have an example of working Apex code that creates the token?

Thanks.

Hi Zgunay,

Sorry, we don’t have an Apex code sample. After comparing the code you listed with our sample:
Blob key = EncodingUtil.base64Decode('[API Secret]');
This step needs more action. Would you please check our sample file and write the same action as that code? Here. Sorry again, I don’t understand the Apex code.

Jackie
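
The HMAC-SHA256 step from the Objective-C sample above, written in Apex as an added example (not part of the original thread and not Zoom's or Salesforce's sample code). The class name Hs256JwtExample, its method names and parameters are hypothetical, and it assumes, as the Objective-C sample does, that the API Secret is used as raw string bytes rather than base64-decoded:

```apex
// Added example: build an HS256-signed JWT in Apex.
public class Hs256JwtExample {

    // JWTs use base64url (RFC 7515): '+' -> '-', '/' -> '_', no '=' padding.
    // EncodingUtil.base64Encode alone emits standard base64.
    private static String base64Url(Blob data) {
        return EncodingUtil.base64Encode(data)
            .replace('+', '-')
            .replace('/', '_')
            .replace('=', '');
    }

    // apiKey / apiSecret: the values from the App Credentials tab (placeholders here).
    // expEpochSeconds: expiry as seconds since the Unix epoch.
    public static String buildToken(String apiKey, String apiSecret, Long expEpochSeconds) {
        String headerJson = JSON.serialize(new Map<String, Object>{
            'alg' => 'HS256', 'typ' => 'JWT'
        });
        String payloadJson = JSON.serialize(new Map<String, Object>{
            'iss' => apiKey, 'exp' => expEpochSeconds
        });
        String signingInput = base64Url(Blob.valueOf(headerJson)) + '.'
            + base64Url(Blob.valueOf(payloadJson));

        // HS256 is HMAC-SHA256 over a shared secret, so the MAC API applies.
        // Crypto.sign('RSA-SHA256', ...) expects an RSA private key in PKCS #8
        // form; a shared secret is not one, hence "Invalid Crypto Key".
        Blob mac = Crypto.generateMac(
            'hmacSHA256',
            Blob.valueOf(signingInput),
            Blob.valueOf(apiSecret)   // assumption: secret used as raw bytes
        );
        return signingInput + '.' + base64Url(mac);
    }

    // Usage (anonymous Apex), with a short expiry of five minutes:
    //   Long exp = DateTime.now().addMinutes(5).getTime() / 1000;
    //   String jwt = Hs256JwtExample.buildToken('[API Key]', '[API Secret]', exp);
}
```

Keep the API Secret out of source code, for example in a protected custom setting or custom metadata, and keep the expiry short so a leaked token has limited lifetime.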