dclaar

Getting salesforce's crypt to match openssl

Anyone have any ideas on how to get the same results from apex and openssl?
Here's my apex code:

private Blob encrypt() {
    String algorithmName = 'RSA';
    // base64 PKCS#8 private key, abbreviated here
    String key = 'MIc' +
                 'key' +
                 'mouse=';
    Blob privateKey = EncodingUtil.base64Decode(key);
    Blob input = Blob.valueOf('Donald Duck');
    Blob signature = Crypto.sign(algorithmName, input, privateKey);
    return signature;
}

I generated the key as follows:

openssl genrsa -out key.pem
openssl pkcs8 -topk8 -nocrypt -in key.pem -outform PEM

and copied the private key into the "MIckeymouse=" key in my apex code.

And here's what I'm trying to do in openssl:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
char *base64(const unsigned char *buf, unsigned int len); /* poster's own helper, not shown in the post */
int main(void) {
    FILE *fp = fopen("key.pem", "rb");
    RSA *rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
    const char *license = "Donald Duck";
    unsigned int l_len = strlen(license);
    unsigned int s_len = RSA_size(rsa);
    unsigned char *signature = (unsigned char *)malloc(s_len);
    int nid = OBJ_txt2nid("rsa-sha1");
    RSA_sign(nid, (const unsigned char *)license, l_len, signature, &s_len, rsa);
    printf("signature: len=%u, value=%s\n", s_len, base64(signature, s_len));
    return 0;
}

I can't get them to match. I've also tried plain "rsa" as my nid. This gave different results, but they still didn't match.

Best Answer chosen by Admin (Salesforce Developers) 
dclaar

OK, so the deal is that salesforce is creating a digest and signing that:

openssl dgst -sha1 -sign key.private license.nonl | openssl enc -base64

The openssl dgst command gives me the same result. So, although the doc says that it is signing, it is really signing the digest. Sigh.