[CryptoAPI] Invalid syntax on line 9
Forge component by João Barata

Hello everyone, 

I'm having this error message when trying to encrypt a text using a public key generated on an authentication server here in the company. As you can see in the OML file, I created a server action with RSA_Encrypt and put the public key in the PublicKey parameter and a text 123456 in the PlainText parameter. When running WebScreen the error "Invalid syntax on line 9" is displayed on the screen. Can you help me with this?

If you need it, the public key I am using is:

----- BEGIN PUBLIC KEY -----


HCQbbfNMjoB8BDOcGi63R / wlxl4SAQZp5J5BTPtAI5h6Ym9j7 + IJYC8qZyZzq7Z6

mhOAlDWztPT + Eidn4tF2NzIXLaQRNJMxpvIArZs8Oigh7s3WqDPH2ENPKxECbiQ0

sbzDMZ0Cy98BCsHadmGY8sszQjT63dSwAgOhmvQdxABwDtC / w955XDWOAjKYX + Xd

yyr / aNVKEuM / E8Vn / 0JyiDow4EgDgBpR4hyXELUiyZFBHT3AyNvik / qHrlwGbAwn



----- END PUBLIC KEY -----

The OML file is attached.


Hi Thiago,

CryptoAPI actions don't directly support PEM encoded RSA keys. You'll need to convert them to XML notation using RSA_PrivateKeyFromPEM (yes, I'm aware the name doesn't make it obvious you should use it for a public key).

I don't remember if I tried it with a public key directly, but think it should work.

Please give it a go and let me know if you're having issues so I can look further into it.

Hi Ricardo,

I tried to use RSA_PrivateKeyFromPEM, but I did not succeed.

However, since you said that I needed to convert my PEM file to XML I made this conversion through https://superdry.apphb.com/tools/online-rsa-key-converter

With a public key generated for testing it worked. But with my public key generated by the authentication platform it did not work. I'm not sure if the error could be in the PKCS format or in another detail that I have not seen.

I keep trying here.
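
A local alternative to the online converter mentioned above, as an added example that is not part of the original thread or of the CryptoAPI component: it turns an RSA public key PEM (either `PUBLIC KEY` or `RSA PUBLIC KEY`) into .NET's `<RSAKeyValue>` XML without the key leaving the machine. It assumes that this .NET format is the "XML notation" the component expects; the function names and the toy sample key are constructed for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def public_pem_to_xml(pem):
    """Convert an RSA public key PEM to .NET RSAKeyValue XML (hypothetical helper)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, b64 = m.group(1), "".join(m.group(2).split())
    if "PRIVATE" in label:
        raise ValueError("private key PEM: this sketch converts public keys only")
    items = children(read_tlv(base64.b64decode(b64, validate=True))[1])
    if label == "PUBLIC KEY":              # X.509 SubjectPublicKeyInfo wrapper
        alg, bits = items[0][1], items[1][1]
        if children(alg)[0][1] != RSA_OID:
            raise ValueError("not an RSA key")
        items = children(read_tlv(bits[1:])[1])   # skip the unused-bits byte
    elif label != "RSA PUBLIC KEY":        # PKCS#1 has no wrapper to remove
        raise ValueError("unsupported PEM label: " + label)
    # Drop the DER sign byte: .NET expects unsigned big-endian values.
    n, e = (base64.b64encode(v.lstrip(b"\x00")).decode() for _, v in items[:2])
    return f"<RSAKeyValue><Modulus>{n}</Modulus><Exponent>{e}</Exponent></RSAKeyValue>"

# Constructed sample: SPKI for toy modulus 3233, exponent 65537 (not a usable key).
SAMPLE_DER = bytes.fromhex("301d300d06092a864886f70d0101010500030c00300902020ca10203010001")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(public_pem_to_xml(SAMPLE_PEM))
```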


What exactly didn't work with the key generated by the application?

Was it the online tool for converting that failed? Or was CryptoAPI which then failed to use the converted XML key?

Hi Ricardo,

Sorry for the delay in coming back here.

So I had some evolution from yesterday to today.

I was able to use the RSA_PrivateKeyFromPEM.

I believe that the manipulation of private and public keys is already ok.

But I believe I'm having trouble with the encryption type.

I believe that the error reported in the topic has already been remedied. I'll open another post, because I think the error is already related to something else.

Thank you so far Ricardo.

Not working please advise.

Error detail

Length cannot be less than zero.
Parameter name: length

Environment Information

eSpaceVer: Id=311, PubId=0, CompiledWith=
RequestUrl: https://hkust-dev.jku3mkvfan.getoutsystems.com/calvinust02_SFO_SOAP/moduleservices/log?clientTimeInMillis=1630898510720 (Method: POST)
AppDomain: /LM/W3SVC/1/ROOT/calvinust02_SFO_SOAP-321-132753720728033366
FilePath: D:\OutSystems\Platform Server\running\calvinust02_SFO_SOAP.01577510155\
ClientIp: X-Forwarded-For:
Locale: en-US
DateFormat: yyyy-MM-dd
PID: 3504 ('w3wp', Started='8/17/2021 10:21:51 PM', Priv=965Mb, Virt=2109827Mb)
TID: 154
Thread Name:
.NET: 4.0.30319.42000
Client Runtime Packages: client-runtime-core= 3.0.7;client-runtime-view-framework-react= 1.5.6;client-runtime-widgets= 1.5.6;
Client-Side Log


System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length
at Object.s [as getException] (https://hkust-dev.jku3mkvfan.getoutsystems.com/calvinust02_SFO_SOAP/scripts/OutSystems.js?LTlhHECPOUxqT4vuxlhDGg:2:6362)
at c.onSuccess (https://hkust-dev.jku3mkvfan.getoutsystems.com/calvinust02_SFO_SOAP/scripts/OutSystems.js?LTlhHECPOUxqT4vuxlhDGg:3:709)
    at XMLHttpRequest.<anonymous> (https://hkust-dev.jku3mkvfan.getoutsystems.com/calvinust02_SFO_SOAP/scripts/OutSystems.js?LTlhHECPOUxqT4vuxlhDGg:2:28299)

I cannot use the RSA_PrivateKeyFromPEM.

My private key is RSA Encrypted 2048 Bytes PKCS-1 Padding required.

My Private Key is 


base 64 encoded string here


I copy the string as shown above exactly.

I tried to remove the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines and place the string into the private Key input parameters, but it does not work.

Only XML notation of the key worked.  To get the XML notation key, I need to do manual calculation of the RSA algorithm which is quite time consuming.  The C# .NET 4.0 supports ImportParameters or FromXMLString.

If I need to use an online XML converter, my Private key is submitted via the internet, which is undesirable.

If I need to convert my PEM to XML String, I do not need this extension, I can write my own C# Extension because the specification required to Sign the Data with custom parameters; furthermore, I have to create an Extension to Call the SOAP Request, Parse the Response and decrypt the message to get the security token.

These are the Actions I have been using


The PEM I input is the private key I copied directly and the following error occurred.

System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length

Development platform: Reactive

Outsystems Service Studio Versions:11.11.13, Build 47944

Could you provide me an example of a Private key that causes this error so I can try to replicate it?

In the meantime, could you also check if the private key that you have is valid by using openssl

openssl rsa -in privateKey.key -check



Sorry I had missed it before, you mentioned that your private key is "RSA Encrypted 2048 Bytes".

That means that it looks like:


Proc-Type: 4,ENCRYPTED

DEK-Info: <encryption algorithm info here>

<base 64 encoded string here >


Unfortunately, that is not supported at the moment but I'll make sure I'll add it to my backlog for a future version.

Currently, only unencrypted private keys are supported.
They look like this:


<base 64 encoded string here >


Try it with 


Did you try my suggestion? 

Thanks freek, but it does not work

Keep in mind only a private key can be transformed.

Try the private key generated on this site:


I tried it myself and the RSA_PrivateKeyFromPEM function works.

Hi Nick,

I just found an issue on the Demo application where the input text area was being limited to 500 characters. This was clearly not enough characters to receive a 2048bit RSA key in PEM format.

I've just uploaded the version of the fix to the component as well as to the "Try Now" example.
Using the private key from the example link you provided, it is working fine now.

Alternatively, you could use OpenSSL to generate a Private key.

Please be aware that the current version only supports unencrypted private keys, so in order to generate one you will need to run the following commands:

openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM


Then use the contents of the private_unencrypted.pem on the demo application and check that it was able to parse it.
