Closed oliveryepez closed 5 years ago
Ah, sorry, I didn't see that.
Thanks, everyone.
Hi, how can I compute the cert digest value from a certificate? e.g.
<xades:Cert>
  <xades:CertDigest>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>HztSei8GFoIA5ErBVG+n6NvgnlzSSlaW3eEVgXlPvl8=</ds:DigestValue>
  </xades:CertDigest>
  <xades:IssuerSerial>
    <ds:X509IssuerName>xxxxxxxxxxxxx</ds:X509IssuerName>
    <ds:X509SerialNumber>8686902302304054064065050</ds:X509SerialNumber>
  </xades:IssuerSerial>
</xades:Cert>
Can you help me?
Thanks
@paulotovo You can use this source code: XmlDSigJs.X509Certificate has a Thumbprint method.
@charlienux Did you happen to make it work? I'm getting "La firma del comprobante electrónico no es válida" ("The signature of the electronic voucher is not valid"). Not sure what is going on.
Hi @danchije, this is a common error with various causes; you'll need to contact the "Ministerio de Hacienda" to check your error specifically. I got this error some months ago with this library and I contacted their support, and they told me:
"The work team indicates that the signature you generate is invalid; the reference to the data to be signed is incorrectly referenced. You should check how you generate the signature or contact your signature provider for guidance." [translated from Spanish]
The answer wasn't really descriptive, so I was unable to fix the error.
Have you tried validating with one of the online XMLDSig validation services? Maybe it will give a clearer error.
@rmhrisk yes, and the signature is correct; that's why I don't know what they were telling me.
I have some XML signed with other tools and validated by "Ministerio de Hacienda" with a "correct" signature. I see some differences, but not enough to determine what the problem actually is.
@variux Can you send me valid and invalid signature files to my email?
microshine@mail.ru
@microshine I just sent you a couple. The valid signature was signed with a Java tool and actually works, and the one signed with xadesjs is "invalid".
@microshine I sent you both; it is also with a Java tool.
@danchije @variux thank you I'll verify and compare files
Both files seem to validate ok with xmlsec1:
$ xmlsec1 verify --insecure valid.xml
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
$ xmlsec1 verify --insecure invalid.xml
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
@rmhrisk yeah, I verified them with xmlsec1 too and they work, but "Ministerio de Hacienda" told me the message I put above:
"The work team indicates that the signature you generate is invalid; the reference to the data to be signed is incorrectly referenced. You should check how the signature is generated or contact your signature provider for guidance."
Inside the tags there are some differences, but I don't know which of those differences are causing the error.
If we assume .NET and XMLSEC1 are correct XMLDSIG implementations (both seem to work), it sounds like they may have a bug in their C14N of the data.
Can you find out what implementation they are using? It may allow us to reproduce the issue and implement a hack to be compatible (if my assumption here is correct).
@rmhrisk so I found this, not sure if this is you are asking for: The canonicalization algorithm should be version C14n-20010315
Sorry, I should have been clearer. I think .NET, XMLSEC1 and XADESJS implement C14n-20010315 correctly.
The question is, what implementation for verification are they using, with that we may be able to debug further.
Ryan
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>

<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
Interesting, it seems the invalid one specifies two transforms; is that on purpose?
@microshine also noted the X509 RDN values are ordered differently between the two samples, but the ordering doesn't match the ASN.1 in the certificate, so that shouldn't be an issue.
<ds:X509IssuerName>CN=CA PERSONA JURIDICA - SANDBOX,OU=DGT,O=MINISTERIO DE HACIENDA - SANDBOX,C=CR</ds:X509IssuerName>
<ds:X509IssuerName>C=CR, O=MINISTERIO DE HACIENDA - SANDBOX, OU=DGT, CN=CA PERSONA JURIDICA - SANDBOX</ds:X509IssuerName>
If I comment out the "c14n" transform, that line does not appear in the XML; however, the file continues to be rejected.
const signature = await xadesXml.Sign( // Signing document
  alg,  // algorithm
  key,  // key
  xml,  // document
  {     // options
    keyValue: publicKey,
    references: [
      {
        id: "Reference-" + referenceId,
        uri: "",
        hash: hash,
        transforms: [ // "c14n",
          "enveloped"],
      },
    ],
    x509: [x509],
    signingCertificate: x509,
    policy: {
      hash: "SHA-1",
      identifier: {
        value: "https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4/Resolucion%20Comprobantes%20Electronicos%20%20DGT-R-48-2016.pdf",
      },
    },
  });
@variux can you try without specifying C14N and see if they like it? Also maybe try changing the order of the canonicalization choices.
@charlienux What app do you use to verify signature?
Like @variux, if I validate the file with xmlsec1, it indicates that the signature is valid. But when I send it to the Ministry of Finance, they reject it indicating that the signature is invalid.
@charlienux did you also specify two transforms?
@charlienux is there any way I can get access to upload test signatures?
The Ministry of Finance has a testing environment to send the signed documents. I will write to your email with some details for the tests.
Thanks to your help, the documents signed with this library have been accepted by the Ministry of Finance.
@charlienux could you post the example on how you do it?
Good morning, I need to sign an XML document. I'm from Colombia, and in the signature element they refer to an identifier; this is the fragment:
Id="xmldsig-79c270e3-50bb-4fcf-b9bc-3a95bcf2466d"?
Exactly, I want to know where the different identifiers come from. I know they have 32 characters, but I have no idea where they can be obtained; a response would be a great help.
Are they obtained from the digital certificate? Can the value vary according to the XML document? Please, where do I get these values? I have some notion of encryption and the canonicalization method, but that identifier is confusing me right now.
In XML each node can have a unique ID so you can reference it by that value. These values are commonly made GUIDs by the underlying XML library.
Thank you very much! So the identifier is a random value which refers to the XML node (namespace). Another question arose: the value provided is a UUID of 32 digits separated by dashes in the form 8-4-4-4-12. Can I assign any number to this value, or is there a way to calculate it? Does this depend on the namespace? I mean, can I put any number I want? And, as far as I have been able to investigate, they are inherited in other XML nodes; the question is, how do I know which ones should be inherited? I am infinitely grateful for your help.
They are not inherited; they identify the node.
XML does not require them to be a GUID; they can be any unique value.
I do not recall how to set the value; @microshine will.
@TSISTEMAS You can use any unique value for Id.
Use the source code of the ApplySignOptions function for Id setting.
@charlienux @variux I created a Slack group so we can help each other with Hacienda problems. I would really like to talk to you guys if you could sign the document. I saw the code @charlienux shared and I think I built the function that was missing to get the PEMs from the .p12 file. Can you guys connect with me on Slack: https://join.slack.com/t/hacienda-api/shared_invite/enQtNDMyMDU3MjcxMDI0LWU2YTM4ZWEzM2QzZjhiMjRjM2U1MDA4MWVlNGY3ZGU3YTA0NDJjMDVjYTQ1NTNhZjBjMGJhNGI2OTdjYTUwMzk
@rafaelrgl this is example code https://drive.google.com/file/d/1dQzpLN-1xwCLGLQc-XJg860IjtGyhNN-/view?usp=sharing
package folder: cert.pem, key.pem, publickey.pem
package dir:
npm install
npm run start
@microshine Good morning, I have a problem with the library. When I verified the signature with a tool it said: "no file was associated with the signature". I use the method like this:
xadesXml.Sign(
  algorithm,
  key,
  xmlForSign,
  {
    keyValue: key.private_key,
    x509: [x509Aux],
    signingCertificate: x509Aux,
    references: [
      { hash, transforms: ["c14n", "enveloped"] },
      { uri: 'KeyInfo', hash },
    ],
    signerRole: {
      claimed: ["supplier"],
    },
    policy: {
      hash,
      identifier: {
        value: process.env.IDENTIFIER,
      },
    },
  });
@gponceleon I checked the xml-core, xmldsigjs and xadesjs libraries for the key words "no file" and "associated". Can you open a new issue and share the signed XML and the code you use for XML verification?
Hi, I need to make an electronic signature with the XAdES-BES method; however, I can only do it with a key already created as a PFX. How can I embed the key to make the signature of the document?
The signature should look like this:
This new question really isn't relevant to this closed bug; it seems you asked the same question in a new bug (good). I answered it there: https://github.com/PeculiarVentures/xadesjs/issues/78
Hi, I created a package using the solution provided here: https://github.com/aazcast/haciendacostarica-signer
Checking the signature, it is approved, but it is not adding the X509SubjectName.
Technically that is a new issue, would be better if you created a separate issue that referenced this one and closed this.
Since this thread is related to Costa Rica and signing maybe you guys can help with: https://github.com/PeculiarVentures/fortify/issues/173
Hi, I love this package!!! But I'm a newbie at this digital signature stuff... Can you guys give us an example of generating a XAdES-EPES signature with xadesjs?
Thanks in advance for your collaboration.