XML-Security / signxml

Python XML Signature and XAdES library
https://xml-security.github.io/signxml/
Apache License 2.0

Unable to get local issuer certificate #15

Closed famoraes closed 4 years ago

famoraes commented 9 years ago

Hey,

I'm trying to use signxml to sign Brazilian tax documents (called NFSe). I'm signing these documents from a .pfx certificate, from which I extracted the private key and public cert. I sign with the following command:

xmldsig(xml, digest_algorithm="sha1").sign( algorithm="rsa-sha1", key=self.key, cert=self.cert, c14n_algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")

The webservice always returns a signature error, and the verify method returns "Unable to get local issuer certificate". I know I need the certificate chain. I have it, it is a .cer file, but I don't know which parameter to use to verify with the chain. I've tried ca_path and can_pem_file; neither of these worked. Another thing: the webservice says that I need the ID in the XML root; this is weird because the transformer is enveloped. I have the XSDs if it helps.

Thanks

kislyuk commented 9 years ago

Sorry about the delay in response to this. I'm not certain what went wrong here. As you correctly guessed, the "Unable to get local issuer certificate" error indicates that the validation function doesn't have the necessary CA certificate or chain loaded. To be honest, I'm also not sure if .cer files are supported by pyopenssl. Feel free to send me the files that you're passing (email in my profile) and I'll take a look, and update the docs regarding different kinds of files (.cer, etc.)
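An added example, not part of the original comment or of signxml: a `.cer` file may hold either binary DER or Base64 PEM, and "Unable to get local issuer certificate" typically means the verifier was not given the issuing CA certificates in a form it can load. The standard-library sketch below normalises either encoding to PEM and joins a chain into one bundle; the function names and the sample bytes are assumptions made for illustration.

```python
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def is_single_der_sequence(blob: bytes) -> bool:
    """Check the outer shape only: one ASN.1 SEQUENCE with no trailing bytes."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                       # short form: length fits in one byte
        header, body = 2, blob[1]
    else:                                    # long form: next n bytes hold the length
        n = blob[1] & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == header + body


def cer_to_pem_list(blob: bytes) -> list:
    """Return every certificate found in a .cer/.crt/.pem blob as PEM text."""
    blocks = PEM_BLOCK.findall(blob)
    if blocks:
        # Round-trip through DER so every entry gets the same line wrapping.
        return [ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(b.decode("ascii")))
                for b in blocks]
    if is_single_der_sequence(blob):
        return [ssl.DER_cert_to_PEM_cert(blob)]
    raise ValueError("input is neither PEM nor a single DER-encoded object")


def build_ca_bundle(cer_blobs) -> bytes:
    """Join intermediate and root CA certificates into one PEM bundle (bytes)."""
    pems = [pem for blob in cer_blobs for pem in cer_to_pem_list(blob)]
    return "".join(pems).encode("ascii")
```

The bundle is returned as bytes so it can be written to a file in binary mode and handed to an OpenSSL-based verifier as its CA file.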

rodrigorodriguescosta commented 9 years ago

I had the same problem! Using Python2 when I try to verify verified_data = xmldsig(singned).verify(). When I try with Python3.4 the error is:

  File "../virtualenv/lib/python3.4/site-packages/cffi/api.py", line 237, in new
    return self._backend.newp(cdecl, init)
TypeError: initializer for ctype 'char[]' must be a bytes or list or tuple, not str

Does it work with Python3.4? I need to use it for the same reason that @famoraes needs it; there isn't any lib available with Python3 support. Is there?

kislyuk commented 9 years ago

The error indicates that you passed a string object instead of bytes. Supply a byte string as input.

kislyuk commented 9 years ago

Also, I can't help you if you don't provide a complete example of what it is that you're trying to do, with code and inputs. If the inputs are confidential, you can send them over email.

rodrigorodriguescosta commented 9 years ago

I forgot to say, I passed bytes instead of string without success!

I need to sign an XML like this http://www.javac.com.br/downloads/XML/XML_Assinado-env-lot.xml

I created a function (https://github.com/bittecnologia/AssinaturaDigitalNFE/blob/master/assinatura.py) using signxml but I didn't make it work!

All I need is a function to sign an XML, for example:

myxml = '<enviNFe xmlns="http://www.portalfiscal.inf.br/nfe" versao="2.00"><idLote>33</idLote><NFe><infNFe Id="NFe99999999999999999999999999999999999999999999" versao="2.00"><ide><cUF>42</cUF><cNF>89424836</cNF><natOp>5405-VENDA PROD/SERV  D.ESTADO</natOp><indPag>1</indPag><mod>55</mod><serie>1</serie><nNF>3</nNF><dEmi>2010-12-07</dEmi><dSaiEnt>2010-12-07</dSaiEnt><tpNF>1</tpNF><cMunFG>4216602</cMunFG><tpImp>1</tpImp><tpEmis>1</tpEmis><cDV>1</cDV><tpAmb>2</tpAmb><finNFe>1</finNFe><procEmi>0</procEmi><verProc>1</verProc></ide><emit><CNPJ>99999999999999</CNPJ><xNome>AAAAAAA AAAAAAAAA A AAAAAAAA LTDA ME.</xNome><xFant>AAAAAAA AAAAAAAAA A AAAAAAAA LTDA ME.</xFant><enderEmit><xLgr>RUA AAAAAA AAAAAAA</xLgr><nro>99</nro><xBairro>AAAAAAAAA</xBairro><cMun>4216602</cMun><xMun>AAA AAAA</xMun><UF>SC</UF><CEP>88117370</CEP><cPais>1058</cPais><xPais>BRASIL</xPais><fone>9999999999</fone></enderEmit><IE>999999999</IE><CRT>1</CRT></emit><dest><CNPJ>99999999999999</CNPJ><xNome>AAAAAAAA AAAAAA A AAAAAAA LTDA</xNome><enderDest><xLgr>RUA AAA AAAAA - AAAAAA 99</xLgr><nro>999</nro><xBairro>AAAAAA AAA AAAAAAA</xBairro><cMun>4202008</cMun><xMun>AAAAAAAAA AAAAAAAA</xMun><UF>SC</UF><CEP>88330000</CEP><cPais>1058</cPais><xPais>BRASIL</xPais><fone>999999999</fone></enderDest><IE>999999999</IE></dest><det nItem="1"><prod><cProd>201</cProd><cEAN/><xProd>AAAAAAA AA AAAAA AA AAAAAAAA AA AAAAA</xProd><NCM>99</NCM><CFOP>5933</CFOP><uCom>Un</uCom><qCom>1.0000</qCom><vUnCom>10.0000</vUnCom><vProd>10.00</vProd><cEANTrib/><uTrib>Un</uTrib><qTrib>1.0000</qTrib><vUnTrib>10.0000</vUnTrib><indTot>1</indTot></prod><imposto><ICMS><ICMSSN102><orig>0</orig><CSOSN>400</CSOSN></ICMSSN102></ICMS><PIS><PISNT><CST>07</CST></PISNT></PIS><COFINS><COFINSNT><CST>07</CST></COFINSNT></COFINS></imposto></det><total><ICMSTot><vBC>0.00</vBC><vICMS>0.00</vICMS><vBCST>0.00</vBCST><vST>0.00</vST><vProd>10.00</vProd><vFrete>0.00</vFrete><vSeg>0.00</vSeg><vDesc>0.00</vDesc><vII>0.00</vII><vIPI>0.00</vIPI><vPIS>0.00</vPIS><vCOFINS>0.00</vCOFINS><vOutro>0.00</vOutro><vNF>10.00</vNF></ICMSTot></total><transp><modFrete>1</modFrete></transp><cobr/><infAdic><infCpl>Docto emitido por ME ou EPP optante pelo Simples Nacional Nao gera direito a Credito Fiscal de ICMS e de ISS. SEM VALOR FISCAL</infCpl></infAdic></infNFe></NFe></enviNFe>'

xml_signed = sign_xml(myxml,'certificate.pfx')

assert xml_signed == ''' 
<enviNFe xmlns="http://www.portalfiscal.inf.br/nfe" versao="2.00">
<idLote>33</idLote>
<NFe>
<infNFe Id="NFe99999999999999999999999999999999999999999999" versao="2.00">
<ide>
<cUF>42</cUF>
<cNF>89424836</cNF>
<natOp>5405-VENDA PROD/SERV D.ESTADO</natOp>
<indPag>1</indPag>
<mod>55</mod>
<serie>1</serie>
<nNF>3</nNF>
<dEmi>2010-12-07</dEmi>
<dSaiEnt>2010-12-07</dSaiEnt>
<tpNF>1</tpNF>
<cMunFG>4216602</cMunFG>
<tpImp>1</tpImp>
<tpEmis>1</tpEmis>
<cDV>1</cDV>
<tpAmb>2</tpAmb>
<finNFe>1</finNFe>
<procEmi>0</procEmi>
<verProc>1</verProc>
</ide>
<emit>
<CNPJ>99999999999999</CNPJ>
<xNome>AAAAAAA AAAAAAAAA A AAAAAAAA LTDA ME.</xNome>
<xFant>AAAAAAA AAAAAAAAA A AAAAAAAA LTDA ME.</xFant>
<enderEmit>
<xLgr>RUA AAAAAA AAAAAAA</xLgr>
<nro>99</nro>
<xBairro>AAAAAAAAA</xBairro>
<cMun>4216602</cMun>
<xMun>AAA AAAA</xMun>
<UF>SC</UF>
<CEP>88117370</CEP>
<cPais>1058</cPais>
<xPais>BRASIL</xPais>
<fone>9999999999</fone>
</enderEmit>
<IE>999999999</IE>
<CRT>1</CRT>
</emit>
<dest>
<CNPJ>99999999999999</CNPJ>
<xNome>AAAAAAAA AAAAAA A AAAAAAA LTDA</xNome>
<enderDest>
<xLgr>RUA AAA AAAAA - AAAAAA 99</xLgr>
<nro>999</nro>
<xBairro>AAAAAA AAA AAAAAAA</xBairro>
<cMun>4202008</cMun>
<xMun>AAAAAAAAA AAAAAAAA</xMun>
<UF>SC</UF>
<CEP>88330000</CEP>
<cPais>1058</cPais>
<xPais>BRASIL</xPais>
<fone>999999999</fone>
</enderDest>
<IE>999999999</IE>
</dest>
<det nItem="1">
<prod>
<cProd>201</cProd>
<cEAN/>
<xProd>AAAAAAA AA AAAAA AA AAAAAAAA AA AAAAA</xProd>
<NCM>99</NCM>
<CFOP>5933</CFOP>
<uCom>Un</uCom>
<qCom>1.0000</qCom>
<vUnCom>10.0000</vUnCom>
<vProd>10.00</vProd>
<cEANTrib/>
<uTrib>Un</uTrib>
<qTrib>1.0000</qTrib>
<vUnTrib>10.0000</vUnTrib>
<indTot>1</indTot>
</prod>
<imposto>
<ICMS>
<ICMSSN102>
<orig>0</orig>
<CSOSN>400</CSOSN>
</ICMSSN102>
</ICMS>
<PIS>
<PISNT>
<CST>07</CST>
</PISNT>
</PIS>
<COFINS>
<COFINSNT>
<CST>07</CST>
</COFINSNT>
</COFINS>
</imposto>
</det>
<total>
<ICMSTot>
<vBC>0.00</vBC>
<vICMS>0.00</vICMS>
<vBCST>0.00</vBCST>
<vST>0.00</vST>
<vProd>10.00</vProd>
<vFrete>0.00</vFrete>
<vSeg>0.00</vSeg>
<vDesc>0.00</vDesc>
<vII>0.00</vII>
<vIPI>0.00</vIPI>
<vPIS>0.00</vPIS>
<vCOFINS>0.00</vCOFINS>
<vOutro>0.00</vOutro>
<vNF>10.00</vNF>
</ICMSTot>
</total>
<transp>
<modFrete>1</modFrete>
</transp>
<cobr/>
<infAdic>
<infCpl>
Docto emitido por ME ou EPP optante pelo Simples Nacional Nao gera direito a Credito Fiscal de ICMS e de ISS. SEM VALOR FISCAL
</infCpl>
</infAdic>
</infNFe>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#NFe99999999999999999999999999999999999999999999">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>z1Mppa7VIFwWF2CPa8FTZh7uHHo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
S1jlsMtiO9D8sc1lR36UM+xfAy/T7xWWAuWokfmh8KeTibiRfCxk8ObVi7OmfX0N8vmtQhIUzeHgfBd4fyimVQGjLlJi8Rza/tziQT/ISIz99thSWpGDqWbPOlY/8cYB5oklVmlXv7lxNnH6UshvHrYOw38yEFEydcpbIhNR6dg=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</NFe>
</enviNFe>
'''

Not exactly with this certificate data but the xml file signed, can you help me? I already spent 4 days trying to make it work with Python!
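An added example, not part of the original comment or of signxml: a structural pre-check for the layout shown in the expected output above, where `Reference URI` points at the `Id` of `infNFe` and `Signature` sits beside it under `NFe`. It confirms that the referenced `Id` resolves to exactly one element and that the transforms and placement match; it does not validate the signature cryptographically, and the function name and shortened sample document are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample: same layout as the signed document above, values shortened.
SAMPLE = f"""<enviNFe xmlns="http://www.portalfiscal.inf.br/nfe"><NFe>
<infNFe Id="NFe1" versao="2.00"><ide/></infNFe>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="{C14N}"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#NFe1"><Transforms><Transform Algorithm="{ENVELOPED}"/>
<Transform Algorithm="{C14N}"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>AAAA</DigestValue></Reference></SignedInfo>
<SignatureValue>AAAA</SignatureValue></Signature></NFe></enviNFe>"""


def check_signature_layout(xml_text: str) -> list:
    """Return a list of layout problems; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    signatures = list(root.iter(DS + "Signature"))
    if not signatures:
        return ["no ds:Signature element"]
    problems = []
    for sig in signatures:
        for ref in sig.findall(f"{DS}SignedInfo/{DS}Reference"):
            uri = ref.get("URI", "")
            if len(uri) < 2 or not uri.startswith("#"):
                problems.append(f"Reference URI {uri!r} is not a same-document Id")
                continue
            # The Id must be unambiguous, or the digest may cover a different
            # element than the one the consumer later reads.
            targets = [e for e in root.iter() if e.get("Id") == uri[1:]]
            if len(targets) != 1:
                problems.append(
                    f"Id {uri[1:]!r} matches {len(targets)} elements, expected 1")
                continue
            transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
            if ENVELOPED not in transforms:
                problems.append("enveloped-signature transform is missing")
            # In the layout above, Signature is a sibling of the signed element.
            if parent_of.get(sig) is not parent_of.get(targets[0]):
                problems.append("Signature is not a sibling of the referenced element")
    return problems
```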

rodrigorodriguescosta commented 9 years ago

How can I sign the XML to insert the signature tag?

nagylzs commented 7 years ago

Can you please send a full traceback? Most probably you get this error because you are trying to sign a message with a test certificate that has untrusted/unknown CAs in its chain. Do you have all certificates in the chain bundled into your cert file? Or just a single certificate?

kislyuk commented 4 years ago

I'm going to close this because the original poster never provided a reproduction. If you still need help, please open a new issue.