PeculiarVentures / xadesjs

A pure Typescript/Javascript implementation of XAdES based on XMLDSIGjs. (Keywords: WebCrypto, XMLDSIG, XADES, eIDAS, Trust List, X.509, CRL, OCSP)
https://xadesjs.com
MIT License
141 stars, 49 forks

XADES-EPES Signature Example #54

Closed oliveryepez closed 5 years ago

oliveryepez commented 6 years ago

Hi, I love this package!!! But I'm a newbie at this stuff of digital signatures... Can you guys give us an example of generating a XAdES-EPES signature with xadesjs?

Thanks in advance for your collaboration.

rmhrisk commented 6 years ago

Ah, sorry, I didn't see that.

avalohack commented 6 years ago

Thanks, everyone.

paulotovo commented 6 years ago

Hi, how can I compute the cert digest value from a certificate? e.g.

    <xades:Cert>
        <xades:CertDigest>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>HztSei8GFoIA5ErBVG+n6NvgnlzSSlaW3eEVgXlPvl8=</ds:DigestValue>
        </xades:CertDigest>
        <xades:IssuerSerial>
            <ds:X509IssuerName>xxxxxxxxxxxxx</ds:X509IssuerName>
            <ds:X509SerialNumber>8686902302304054064065050</ds:X509SerialNumber>
        </xades:IssuerSerial>
    </xades:Cert>

Can you help me?

Thanks

microshine commented 6 years ago

@paulotovo You can use this source code

XmlDSigJs.X509Certificate has a Thumbprint method.

danchije commented 6 years ago

@charlienux Did you happen to make it work? I'm getting "La firma del comprobante electrónico no es válida". Not sure what is going on.

variux commented 6 years ago

Hi @danchije, it is a common error related to various causes; you'll need to contact "Ministerio de Hacienda" to check your error specifically. I got this error some months ago with this library and I contacted support, and they told me that:

"The work team indicates that the signature that you generate is invalid, the reference to the data to be signed is incorrectly referenced. You should check how the signature is generated or contact your signature provider for guidance." [translated from Spanish]

The answer wasn't really descriptive so I was unable to fix the error

rmhrisk commented 6 years ago

Have you tried validating with one of the online XMLDSIG validation services? Maybe it will give a clearer error?

variux commented 6 years ago

@rmhrisk Yes, and the signature is correct; that's why I don't know what they were telling me.

I have some XML signed with other tools and validated by "Ministerio de Hacienda" with a "correct" signature. I see some differences, but not enough to determine what the problem actually is.

microshine commented 6 years ago

@variux Can you send me valid and invalid signature files to my email?

microshine@mail.ru

danchije commented 6 years ago

@microshine I just sent you a couple. The valid signature was signed with a Java tool and actually is working, and the one signed with xadesjs is "invalid"

variux commented 6 years ago

@microshine I sent you both; mine is also with a Java tool.

microshine commented 6 years ago

@danchije @variux Thank you, I'll verify and compare the files.

rmhrisk commented 6 years ago

Both files seem to validate ok with xmlsec1:

    $ xmlsec1 verify --insecure valid.xml
    OK
    SignedInfo References (ok/all): 2/2
    Manifests References (ok/all): 0/0

    $ xmlsec1 verify --insecure invalid.xml
    OK
    SignedInfo References (ok/all): 2/2
    Manifests References (ok/all): 0/0

variux commented 6 years ago

@rmhrisk Yeah, I verified them with xmlsec1 too and they work, but "Ministerio de Hacienda" told me the message I put above:

"The work team indicates that the signature that you generate is invalid, the reference to the data to be signed is incorrectly referenced. You should check how the signature is generated or contact your signature provider for guidance."

Inside the tags there are some differences, but I don't know which of those differences are causing the error.

rmhrisk commented 6 years ago

If we assume .NET and XMLSEC1 are correct XMLDSIG implementations (both seem to work), it sounds like they may have a bug in their C14N of the data.

Can you find out what implementation they are using? It may allow us to reproduce the issue and implement a hack to be compatible (if my assumption here is correct).

danchije commented 6 years ago

@rmhrisk So I found this, not sure if this is what you are asking for: The canonicalization algorithm should be version C14n-20010315

rmhrisk commented 6 years ago

Sorry, I should have been clearer. I think .NET, XMLSEC1 and XADESJS implement C14n-20010315 correctly.

The question is, what implementation for verification are they using, with that we may be able to debug further.

Ryan

microshine commented 6 years ago

valid.xml

    <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms>

invalid.xml

    <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </ds:Transforms>

rmhrisk commented 6 years ago

Interesting, it seems the invalid specifies two transforms, is that on purpose?

@microshine also noted the X509 RDN values are ordered differently between the two samples, but the ordering doesn't match the ASN.1 in the certificate, so that shouldn't be an issue.

microshine commented 6 years ago

valid.xml

    <ds:X509IssuerName>CN=CA PERSONA JURIDICA - SANDBOX,OU=DGT,O=MINISTERIO DE HACIENDA - SANDBOX,C=CR</ds:X509IssuerName>

invalid.xml

    <ds:X509IssuerName>C=CR, O=MINISTERIO DE HACIENDA - SANDBOX, OU=DGT, CN=CA PERSONA JURIDICA - SANDBOX</ds:X509IssuerName>


calvarezm70 commented 6 years ago

If I comment out the "c14n" transform, that line no longer appears in the XML; however, the file continues to be rejected.

    const signature = await xadesXml.Sign(   // Signing document
        alg,                                    // algorithm
        key,                                    // key
        xml,                                    // document
        {                                       // options
            keyValue: publicKey,
            references: [
                {
                    id: "Reference-"+referenceId,
                    uri: "",
                    hash: hash,
                    transforms: [  // "c14n",
                                  "enveloped"]
                }
            ],
            x509: [x509],
            signingCertificate: x509,
            policy: {
                hash: "SHA-1",
                identifier: {
                    value: "https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4/Resolucion%20Comprobantes%20Electronicos%20%20DGT-R-48-2016.pdf",
                }
            },
        });

rmhrisk commented 6 years ago

@variux can you try without specifying C14N and see if they like it? Also maybe try changing the order of the canonicalization choices.

microshine commented 6 years ago

@charlienux What app do you use to verify signature?

calvarezm70 commented 6 years ago

Like @variux, if I validate the file with xmlsec1, it indicates that the signature is valid. But when I send it to the Ministry of Finance, they reject it indicating that the signature is invalid.

rmhrisk commented 6 years ago

@charlienux did you also specify two transforms?

microshine commented 6 years ago

@charlienux is there any way I can get access to upload test signatures?

calvarezm70 commented 6 years ago

The Ministry of Finance has a testing environment to send the signed documents. I will write to your email with some details for the tests.

calvarezm70 commented 6 years ago

Thanks to your help, the documents signed with this library have been accepted by the Ministry of Finance.

variux commented 6 years ago

@charlienux could you post the example on how you do it?

TSISTEMAS commented 6 years ago

Good morning. I need to sign an XML document; I'm from Colombia, and in the signature element they refer to an identification. This is the fragment:

I would like to know where the identifiers of the references are obtained to perform the calculation, I really need it urgently, thank you for your attention.

rmhrisk commented 6 years ago

Id="xmldsig-79c270e3-50bb-4fcf-b9bc-3a95bcf2466d"?

TSISTEMAS commented 6 years ago

Exactly. I want to know where the different identifiers come from. I know they have 32 characters, but I have no idea where they can be obtained; a response would be a great help.

TSISTEMAS commented 6 years ago

Are they obtained from the digital certificate? May their value vary according to the XML document? Please, where do I get these values from? I have some notion of encryption and the canonicalization method, but that identifier is confusing to me right now.

rmhrisk commented 6 years ago

In XML each node can have a unique ID so you can reference it by that value. These values are commonly made GUIDs by the underlying XML library.

TSISTEMAS commented 6 years ago

Thank you very much! So the identifier is a random value which refers to the XML node (namespace). Another question arose: the value provided is a UUID of 32 digits separated by dashes in the form 8-4-4-4-12. Can I assign any number to this value, or is there a way to calculate it? Does this depend on the namespace? I mean, can I put any number I want? And, as far as I have been able to investigate, they are inherited in other XML nodes; the question is, how do I know which ones should be inherited? I am infinitely grateful for your help.

rmhrisk commented 6 years ago

They are not inherited, they identify the node.

XML does not require they be a GUID; they can be any unique value.

I do not recall how to set the value, @microshine will.

microshine commented 6 years ago

@TSISTEMAS You can use any unique value for Id. See the source code of the ApplySignOptions function for how the Id is set.

rafaelrglima commented 6 years ago

@charlienux @variux I created a Slack group so we can help each other with Hacienda problems. I really would like to talk to you guys if you could sign the document. I saw the code @charlienux shared and I think I built the function that was missing to get the PEMs from the .p12 file. Can you guys connect with me on Slack: https://join.slack.com/t/hacienda-api/shared_invite/enQtNDMyMDU3MjcxMDI0LWU2YTM4ZWEzM2QzZjhiMjRjM2U1MDA4MWVlNGY3ZGU3YTA0NDJjMDVjYTQ1NTNhZjBjMGJhNGI2OTdjYTUwMzk

microshine commented 6 years ago

@rafaelrgl this is example code https://drive.google.com/file/d/1dQzpLN-1xwCLGLQc-XJg860IjtGyhNN-/view?usp=sharing

1. Extract the files
2. Enter the package folder
3. Add the files cert.pem, key.pem, publickey.pem
4. Run the npm commands from the package dir:

        npm install
        npm run start

gponceleon commented 6 years ago

@microshine Good morning, I have a problem with the library. When I verified the signature with a tool, it said: "no file was associated with the signature". I use the method like this:

    xadesXml.Sign(
        algorithm,
        key,
        xmlForSign,
        {
            keyValue: key.private_key,
            x509: [x509Aux],
            signingCertificate: x509Aux,
            references: [
                { hash, transforms: ["c14n", "enveloped"] },
                { uri: 'KeyInfo', hash },
            ],
            signerRole: { claimed: ["supplier"] },
            policy: { hash, identifier: { value: process.env.IDENTIFIER } },
        });

microshine commented 6 years ago

@gponceleon I checked xml-core, xmldsigjs and xadesjs libraries for key words no file and associated. Can you open a new issue and share signed XML and code with xml verification?

Clemenshemmerling commented 5 years ago

Hi, I need to make an electronic signature with the xades-bes method, however I can only do it with a key already created as pfx. How can I embed the key to make the signature of the document?

the signature should look like this:

rmhrisk commented 5 years ago

This new question really isn't relevant to this closed bug; it seems you asked the same question in a new bug (good). I answered it there: https://github.com/PeculiarVentures/xadesjs/issues/78

aazcast commented 5 years ago

Hi, I created a package using the solution provided here: https://github.com/aazcast/haciendacostarica-signer

Checking the signature, it is approved, but it is not adding the X509SubjectName.

rmhrisk commented 5 years ago

Technically that is a new issue; it would be better if you created a separate issue that referenced this one and closed this.

rmhrisk commented 5 years ago

Since this thread is related to Costa Rica and signing maybe you guys can help with: https://github.com/PeculiarVentures/fortify/issues/173