Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Java PUBLIC App Running into InvalidKeyException

Started by Victor Perepelitsky -   in API Authentication

Hi team.

We have created a PUBLIC app.
I have successfully run through the auth process and the server got token and secret (provided for 30 min).
Unfortunately when trying to get data the server got: java.security.InvalidKeyException: Key must not be null.

As I understood when using PUBLIC app there is no need to defined private-public key pair. So I didn't.

Am I missing something?

Thank you in advance.

The code snippet is:

XeroClient client = new XeroClient();
client.setOAuthToken(connectionDetails.getToken(), connectionDetails.getTokenSecret());
return client.getInvoices();

Exception stack trace

java.security.InvalidKeyException: Key must not be null
at sun.security.rsa.RSAKeyFactory.engineTranslateKey(RSAKeyFactory.java:182)
at sun.security.rsa.RSAKeyFactory.toRSAKey(RSAKeyFactory.java:111)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:106)
at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:99)
at java.security.Signature$Delegate.init(Signature.java:1155)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1115)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1179)
at java.security.Signature.initSign(Signature.java:530)
at com.google.api.client.util.SecurityUtils.sign(SecurityUtils.java:145)
at com.google.api.client.auth.oauth.OAuthRsaSigner.computeSignature(OAuthRsaSigner.java:50)
at com.xero.api.OAuthParameters.computeSignature(OAuthParameters.java:208)
at com.xero.api.OAuthParameters.intercept(OAuthParameters.java:289)
at com.xero.api.OAuthRequestResource.execute(OAuthRequestResource.java:261)
at com.xero.api.XeroClient.get(XeroClient.java:87)
at com.xero.api.XeroClient.get(XeroClient.java:73)
at com.xero.api.XeroClient.getInvoices(XeroClient.java:852)
at com.medwizer.xero.server.XeroAdapterServer.getAllInvoices(XeroAdapterServer.java:99)
Hi Victor,

I would checkyour config.json file and confirm that your file looks like this ...

"AppType" : "PUBLIC",
"UserAgent": "JavaDemo4-CDPB2R",
"ConsumerSecret" : "XXXXXXXXXXXXXX",
"CallbackBaseUrl" : "http://localhost:8080/foobar",
"CallbackPath" : "/CallbackServlet"

You should NOT include the following attributes

"PrivateKeyCert" : "/certs/public_privatekey.pfx",
"PrivateKeyPassword" : "1234"


Sidney Maestre (Community Manager)  

Thank you for the quick reply Sidney.

I have finally found the issue:
I load the config from custom location and assumed wherever an object requires config it will get it from outside.

The implementation of com.xero.api.client.AccountingApi constructor loads the default config:
public AccountingApi(ApiClient apiClient) {
this.xeroExceptionHandler = new XeroExceptionHandler();
this.apiClient = apiClient;

The default one assumes it is NOT a public app and thus AccountingApi tried to send the request encrypted.

I would suggest to deprecate this constructor since it contradicts the concept of Config interface as well as dependency injection.


Victor Perepelitsky  

Thanks for the feedback. I've updated the SDK to version 2.2.3 and testes the CustomJsonConfig class - sample code in README.


Sidney Maestre (Community Manager)