Closed polesapart closed 8 months ago
I think you will find that older xmlsec libraries likely don't work on the Ubuntu 23.03 either. Let me take a look; it seems like Ubuntu patched OpenSSL in some interesting way to break things.

The root cause of the problem is that the recent Ubuntu version removed access to the "raw" OpenSSL key. So you will need to remove `<ds:KeyValue>` and switch to using pkcs12 files instead so you can include the certificate in the output. For xmlsec 1.3.0 or greater you will also need to add the `--lax-key-search` option as well:
```
$ xmlsec1 --sign --output /tmp/test.out --pkcs12 tests/keys/largersakey.p12 --pwd secret123 --id-attr:id nfse --lax-key-search ./test.xml
Signature status: OK
$ cat ./test.xml
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?><nfse id="nota"><identificador>redacted</identificador><nf><valor_total>48,67</valor_total><valor_desconto>0,00</valor_desconto><valor_ir>0,00</valor_ir><valor_contribuicao_social>0,00</valor_contribuicao_social><valor_rps>0,00</valor_rps><valor_pis>0,00</valor_pis><valor_cofins>0,00</valor_cofins><observacao/></nf><prestador><cpfcnpj>39782877000117</cpfcnpj><cidade>8291</cidade></prestador><tomador><tipo>F</tipo><cpfcnpj>redacted</cpfcnpj><ie/><nome_razao_social>Fulano</nome_razao_social><sobrenome_nome_fantasia/><logradouro>Rs 239</logradouro><email>fulano@yahoo.com.bX</email><numero_residencia>13225</numero_residencia><complemento/><ponto_referencia/><bairro>Alto Rolante</bairro><cidade>7353</cidade><cep>95695000</cep><ddd_fone_comercial>51</ddd_fone_comercial><fone_comercial>redacted</fone_comercial><ddd_fone_residencial/><fone_residencial/></tomador><itens><lista><codigo_local_prestacao_servico>8291</codigo_local_prestacao_servico><codigo_item_lista_servico>802</codigo_item_lista_servico><descritivo>Example</descritivo><aliquota_item_lista_servico>2,00</aliquota_item_lista_servico><situacao_tributaria>0</situacao_tributaria><valor_tributavel>48,67</valor_tributavel><valor_deducao>0,00</valor_deducao><valor_issrf>0,00</valor_issrf><tributa_municipio_prestador>S</tributa_municipio_prestador><unidade_codigo/><unidade_quantidade/><unidade_valor_unitario/></lista></itens>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#nota">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</nfse>
```
Closing, please re-open if you still have problems
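The template change described in the reply above (drop `<ds:KeyValue>` and keep an `<ds:X509Data>` placeholder so the certificate from the PKCS#12 file ends up in the output), as an added Python example that is not part of the thread or of xmlsec. The function name `prepare_template` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)  # keep the ds: prefix when serializing

# Constructed sample: a signature template that still carries <ds:KeyValue/>.
SAMPLE = """<nfse id="nota"><nf><valor_total>48,67</valor_total></nf>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:Reference URI="#nota"><ds:DigestValue/></ds:Reference></ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo><ds:KeyValue/></ds:KeyInfo>
</ds:Signature>
</nfse>"""


def prepare_template(xml_doc, encoding="ISO-8859-1"):
    """Return (xml_bytes, changes): KeyValue removed, X509Data placeholder present.

    Accepts str or bytes. Output is re-encoded with an XML declaration, since
    the documents in this thread declare ISO-8859-1.
    """
    root = ET.fromstring(xml_doc)
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        raise ValueError("no ds:Signature template found")
    changes = []
    for sig in signatures:
        key_info = sig.find(f"{{{DS}}}KeyInfo")
        if key_info is None:
            key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
            changes.append("added KeyInfo")
        for key_value in key_info.findall(f"{{{DS}}}KeyValue"):
            key_info.remove(key_value)
            changes.append("removed KeyValue")
        x509 = key_info.find(f"{{{DS}}}X509Data")
        if x509 is None:
            x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
            changes.append("added X509Data")
        if x509.find(f"{{{DS}}}X509Certificate") is None:
            ET.SubElement(x509, f"{{{DS}}}X509Certificate")
            changes.append("added X509Certificate")
    return ET.tostring(root, encoding=encoding), changes


if __name__ == "__main__":
    fixed, log = prepare_template(SAMPLE)
    print(log)
    print(fixed.decode("ISO-8859-1"))
```

The function is idempotent: a template that already has the `X509Data` placeholder and no `KeyValue` comes back with an empty change list.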
When running:
`xmlsec1 --sign --output "signed/12853990.xml" --pwd 0000 --privkey-pem /x/p.pem,x/cert.pem --id-attr:id nfse "12853990.xml"`
I get the following error:
The xmlsec version:
xmlsec1 1.2.37 (openssl)
It used to work on older xmlsec (1.2.27 IIRC).
BTW, I compiled both 1.2.38 and 1.3.1 from source, using the same OpenSSL libs on Ubuntu (3.0.8-1ubuntu1.2), to no avail.
The example file content is below: