PeculiarVentures/xadesjs

Adjust the xades-bes signature to the SRI Ecuador requirement

almacenero opened this issue · 32 comments

Hello, I am trying to use the Xadesjs library to sign a document that will be validated by the entity that manages the payment of Ecuadorian taxpayers, but there are some properties and fields that it would be good to adjust to comply with its regulations. Below I present a valid signature for this condition:

image

Also, self-closing tags are not allowed by the validating entity; for example:

     <tag /> should be put <tag> </tag>. 

Is there an option to change this type of closure?

We are using the standard XMLSerializer class to serialize the DOM XML document to a string:

https://developer.mozilla.org/en-US/docs/Web/API/XMLSerializer

It seems then that to make this work we would need to write a function that walks the serialized form and rewrites it into this less efficient representation? For example, a sed replacing all such tags with the expanded equivalent?
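One way to do the post-serialization rewrite described in the previous sentence, as an added example that is not part of xadesjs: it expands every self-closing tag in the string XMLSerializer returns into an explicit start/end pair, leaving comments, CDATA sections, processing instructions and quoted attribute values alone. Canonical XML (the C14N algorithm the signatures in this thread reference) always writes empty elements as start/end tag pairs, so `<a/>` and `<a></a>` canonicalize identically and the rewrite can run after `Sign()` without changing any digest or the signature value.

```typescript
// Added example, not part of xadesjs. Rewrites self-closing tags in an already
// serialized XML string as start/end tag pairs: <a b="1"/> becomes <a b="1"></a>.
// Comments, CDATA sections, processing instructions/declarations and quoted
// attribute values are copied verbatim so a literal "/>" inside them is untouched.
function expandSelfClosingTags(xml: string): string {
  const n = xml.length;
  let out = "";
  let i = 0;
  while (i < n) {
    const lt = xml.indexOf("<", i);
    if (lt < 0) {
      out += xml.slice(i);
      break;
    }
    out += xml.slice(i, lt);

    // Markup that is not an element tag: copy it through to its own terminator.
    const skip = (open: string, close: string): boolean => {
      if (!xml.startsWith(open, lt)) return false;
      const end = xml.indexOf(close, lt + open.length);
      const stop = end < 0 ? n : end + close.length;
      out += xml.slice(lt, stop);
      i = stop;
      return true;
    };
    if (skip("<!--", "-->") || skip("<![CDATA[", "]]>") || skip("<?", "?>") || skip("<!", ">")) {
      continue;
    }

    // Element tag: find the closing ">" while honouring quoted attribute values.
    let j = lt + 1;
    let quote = "";
    while (j < n) {
      const c = xml[j];
      if (quote) {
        if (c === quote) quote = "";
      } else if (c === '"' || c === "'") {
        quote = c;
      } else if (c === ">") {
        break;
      }
      j++;
    }
    if (j >= n) {
      out += xml.slice(lt); // unterminated tag: leave the tail as it is
      break;
    }
    const tag = xml.slice(lt, j + 1);
    const name = /^<([^\s\/>]+)/.exec(tag); // element name, prefix included (ds:Transform)
    if (tag.endsWith("/>") && name) {
      const body = tag.slice(1, -2).replace(/\s+$/, ""); // "<name attrs/>" -> "name attrs"
      out += `<${body}></${name[1]}>`;
    } else {
      out += tag; // start tag, end tag, or something we do not recognise
    }
    i = j + 1;
  }
  return out;
}

// The example from the thread (constructed input): xadesjs' serializer output and its rewritten form.
const XADESJS_OUTPUT =
  '<root><child attr="val"/><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></root>';
const rewritten = expandSelfClosingTags(XADESJS_OUTPUT);
```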

edw19 commented

Hello, thanks for the excellent library. I need to know if this improvement is implemented. I am working on an electronic signature solution for Ecuador.

No work on this feature request has been done. Depending on the proposed solution we might accept a PR.

Hi
I am Valeria from Russia.
I am also developing an e-signature solution in Ecuador.
I am having difficulties using the API, and I would like help (https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl).
Currently I am developing on Dolibarr (a PHP framework).
I will help you as far as I know
It should be an opportunity to help each other.

Hello, thanks for the excellent library. I need to know if this improvement is implemented. I am working on an electronic signature solution for Ecuador.

edw19 commented

Hi
I am Valeria from Russia.
I am also developing an e-signature solution in Ecuador.
I am having difficulties using the API, and I would like help (https://celcer.sri.gob.ec/comprobantes-electronicos-ws/RecepcionComprobantesOffline?wsdl).
Currently I am developing on Dolibarr (a PHP framework).
I will help you as far as I know
It should be an opportunity to help each other.

Hello, thanks for the excellent library. I need to know if this improvement is implemented. I am working on an electronic signature solution for Ecuador.

Hi, of course, this is my email: edwinpatricionarvaezm@gmail.com

Please do update this issue with any findings that allow your case to work with the library, or notify us of what changes the library needs (with possible PR) so others can benefit also.

edw19 commented

I couldn't make xadesjs work for this requirement, so I made the decision to do it manually, but if in the future I get it to work successfully, of course I will contribute.

@microshine please ask for additional details so we can update the library as needed.

I could try to sign the XML file and create a XAdES signature with the same fields as in the image's red boxes.

@edw19 Is it what you need?

<tag /> should be put <tag> </tag>.

It depends on the XML serializer. We are using a standard serializer and I'm not sure it supports it.

@edw19 I think the easiest way for us to understand is if you could give us a "valid" document and the same document produced with xadesjs, so we can easily diff them.

@edw19 Please review this example. It's very close to the one in the image.

TypeScript

import * as XAdES from "../../src";
import * as XMLdSIG from "xmldsigjs";
import { Crypto } from "@peculiar/webcrypto";
import * as x509 from "@peculiar/x509";

const crypto = new Crypto();
x509.cryptoProvider.set(crypto);

context.only("test", () => {

  it("Ecuador", async () => {
    const alg: RsaHashedKeyGenParams = {
      name: "RSASSA-PKCS1-v1_5",
      hash: "SHA-1",
      publicExponent: new Uint8Array([1, 0, 1]),
      modulusLength: 2048,
    };
    const keys = await crypto.subtle.generateKey(alg, false, ["sign", "verify"]);
    const cert = await x509.X509CertificateGenerator.createSelfSigned({
      name: "CN=Test",
      keys,
      notBefore: new Date("2021-07-29"),
      notAfter: new Date("2022-07-29"),
      serialNumber: "010203",
      signingAlgorithm: alg,
    });

    const xml = `<root><child attr="val"/></root>`;
    const signature = new XAdES.SignedXml();

    const id = "12345";
    signature.XmlSignature.Id = `Signature-${id}`;
    // TODO Move xades namespace to Signature node
    signature.XmlSignature.SignedInfo.Id = `Signature-SignedInfo${id}`;
    // TODO Set ID for SignedProperties Reference node
    // TODO Set SignatureValue Id

    const x509Cert = new XMLdSIG.X509Certificate(cert.rawData);
    signature.XmlSignature.KeyInfo.Id = `CertificateID-${id}`;
    signature.XmlSignature.KeyInfo.Add(new XMLdSIG.KeyInfoX509Data(x509Cert));

    // Add Data Object Format
    const dataObjectFormat = new XAdES.xml.DataObjectFormat();
    dataObjectFormat.ObjectReference = `#ReferenceID-${id}`;
    dataObjectFormat.Description = "Some description";
    dataObjectFormat.MimeType = "text/xml";
    signature.SignedProperties.SignedDataObjectProperties.DataObjectFormats.Add(dataObjectFormat);

    await signature.Sign(                        // Signing document
      alg,                                    // algorithm
      keys.privateKey,                        // key
      XAdES.Parse(xml),                       // document
      {                                       // options
        keyValue: keys.publicKey,
        references: [
          { hash: "SHA-1", transforms: ["enveloped"], id: `ReferenceID-${id}` },
          { hash: "SHA-1", uri: `#${signature.XmlSignature.KeyInfo.Id}` },
        ],
        signingCertificate: cert.toString("base64"),
      });

    console.log(signature.toString());
  });

});

XML (formatted)

<root>
  <child attr="val"/>
  <ds:Signature Id="Signature-12345"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo Id="Signature-SignedInfo12345">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference Id="ReferenceID-12345">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Xy6Dnk/HWIQhIcsszKjG3WQWL14=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#CertificateID-12345">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>vyShbW/i5l7DC8MMOk/s8A9D6YE=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#xades-id-257f6bd2925c" Type="http://uri.etsi.org/01903#SignedProperties">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>z15Xr2tdPk/m+C45RdJUoQi/0ts=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cVtXbbUa2NKmYkXZADX6zmTY3ND5tpbCmJtZlz0AkNQuw7Bs+V9tryWiWQJcPsFOPSiFzTDwnndO35DdU2CG7FeZfvOLdr/xnXYl8mCXVPklTKEoKMBJxG4dolmr+UgI65ReLTq/RfRv5qrLMVBuL93dJ5Rc3YX5M0hD42M/e6CVww0b4B0bw1Nex3Q77eBYHjklw/9aVVOkjOxVdDdIjbsdllYj/qovjMVkbeYjZ53wr7xPLKsWZ5yIxAAocL1O58XxgYq58iIQdWLHHgghIxBQV6JwfYaIayu+HiRUhRB3PoUYX5d67JbL/sZzARgeVEkQmCqR05sqF6FwoJAOgQ==</ds:SignatureValue>
    <ds:KeyInfo Id="CertificateID-12345">
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>rCe0pV3RPS7P1aN9SmhX85sNPEO62/kWLWntTNh+B9MnAqXU7Sdq4c+gxEIvBfMCu1cODApJyE58dgipkcChlgKoiuuiWr/oWZz9jnWwmqyKX+gwAVhsqB227qg1w2Oxo3oUesoJ07HxD+3y2sNCmOGVWi+aBo+dmUHTPn48tWcy6c+u979BUgiODC+xIHWRDh+Z6PAxNygIKsZ9khxnFas13MFUTJpfIrIbiqqRK08XRO32z5m88hP6F0pc0TLrFifPQjCJx0ZqGiBOloYCtK59Bkjb1pA1AZ3ZZD/XUL3QrZbzM3f3vCzRqQns6K+R6/fcIExYT9Rf0YVqiqQyrQ==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
    <ds:Object>
      <xades:QualifyingProperties Target="#id-257f6bd2925c"
        xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
        <xades:SignedProperties Id="xades-id-257f6bd2925c">
          <xades:SignedSignatureProperties>
            <xades:SigningTime>2021-07-29T12:14:02.978Z</xades:SigningTime>
            <xades:SigningCertificate>
              <xades:Cert>
                <xades:CertDigest>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>0hoBmbCH6Bfqpf2nE60AJohROwZWrCzoptPCJ0HXk1U=</ds:DigestValue>
                </xades:CertDigest>
                <xades:IssuerSerial>
                  <ds:X509IssuerName>CN=Test</ds:X509IssuerName>
                  <ds:X509SerialNumber>66051</ds:X509SerialNumber>
                </xades:IssuerSerial>
              </xades:Cert>
            </xades:SigningCertificate>
          </xades:SignedSignatureProperties>
          <xades:SignedDataObjectProperties>
            <xades:DataObjectFormat ObjectReference="#ReferenceID-12345">
              <xades:Description>Some description</xades:Description>
              <xades:MimeType>text/xml</xades:MimeType>
            </xades:DataObjectFormat>
          </xades:SignedDataObjectProperties>
        </xades:SignedProperties>
      </xades:QualifyingProperties>
    </ds:Object>
  </ds:Signature>
</root>

@Valeria-Konovalova I sent the request via Skype
Skype: microshine82

Hello
Thanks for all the help.
I made a signature XML with PHP, but when I check it at https://tools.chilkat.io/xmlDsigVerify.cshtml, it is displayed as below:
Signature Verified
Number of Reference Digests = 3
Reference 1 digest is valid.
Reference 2 digest is valid.
Reference 3 digest is valid.
However, on the WSDL site it is displayed like this
[identificador] => 39
[mensaje] => FIRMA INVALIDA
[informacionAdicional] => La firma es invalida [Firma inválida (firma y/o certificados alterados)]
[tipo] => ERROR
Please help me find the cause.
thank you for your time

Valeria,

The signature you are having problems with was not produced with our library?

The error suggests that the validating application did not trust the signing certificate; this could be because the signature did not include the entire chain, or maybe it included the wrong certificates?

The first site could just be doing a signature verify rather than a signature verify followed by certificate verification.

Hi, Mr. Rmhrisk.
Thanks for the reply.
Do you mean there is a problem with the P12 file?
If so, please let me know if there is a way to check the P12 file.
Thanks for your efforts.

Without the sample file it's hard to say. My guess is that the signature does not include all of the certificates needed to validate the signer's identity.

Hi
Please tell me your e-mail and skype id
I will send you a sample file.
My skypeid is live:.cid.4ca65b97978e6c5f, e-mail is valeria.kon93@gmail.com
Thank you.

Hi.
I'm currently struggling with this library too
I am going to attach a valid signed XML generated by a tool provided by the SRI, hopefully it becomes clear what is wrong
Greetings

XML (signed)

<?xml version="1.0" encoding="UTF-8"?>
<factura id="comprobante" version="2.1.0"><infoTributaria><ambiente>1</ambiente><tipoEmision>1</tipoEmision><razonSocial>ServiContabC</razonSocial><nombreComercial>Servicios contables profesionales</nombreComercial><ruc>1710744424001</ruc><claveAcceso>0702202201171074442400110020020000000018765432111</claveAcceso><codDoc>01</codDoc><estab>002</estab><ptoEmi>002</ptoEmi><secuencial>000000001</secuencial><dirMatriz>De los jazmines N54-31 y de los Pinos</dirMatriz><contribuyenteRimpe>CONTRIBUYENTE RÉGIMEN RIMPE</contribuyenteRimpe></infoTributaria><infoFactura><fechaEmision>07/02/2022</fechaEmision><dirEstablecimiento>asasdad</dirEstablecimiento><obligadoContabilidad>NO</obligadoContabilidad><tipoIdentificacionComprador>05</tipoIdentificacionComprador><razonSocialComprador>Nicolas Cisneros</razonSocialComprador><identificacionComprador>1716430390</identificacionComprador><direccionComprador>Manuel Tamayo E15-53 y Victor Martillo</direccionComprador><totalSinImpuestos>0</totalSinImpuestos><totalDescuento>0</totalDescuento><totalConImpuestos><totalImpuesto><codigo>2</codigo><codigoPorcentaje>2</codigoPorcentaje><baseImponible>0</baseImponible><valor>0</valor></totalImpuesto></totalConImpuestos><propina>0</propina><importeTotal>0</importeTotal><moneda>DOLAR</moneda><pagos><pago><formaPago>20</formaPago><total>0</total></pago></pagos></infoFactura><detalles><detalle><codigoPrincipal>asd</codigoPrincipal><descripcion>asdasd</descripcion><cantidad>1</cantidad><precioUnitario>0</precioUnitario><descuento>0</descuento><precioTotalSinImpuesto>0</precioTotalSinImpuesto><impuestos><impuesto><codigo>2</codigo><codigoPorcentaje>2</codigoPorcentaje><tarifa>12</tarifa><baseImponible>0</baseImponible><valor>0</valor></impuesto></impuestos></detalle></detalles><infoAdicional><campoAdicional nombre="DIRECCION">LOS JAZMINES N54-31 Y DE LO9S PINOS</campoAdicional><campoAdicional nombre="DIRECCION">LOS JAZMINES N54-31 Y DE LO9S PINOS</campoAdicional></infoAdicional><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#" Id="Signature707259">
<ds:SignedInfo Id="Signature-SignedInfo87415">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference Id="SignedPropertiesID977637" Type="http://uri.etsi.org/01903#SignedProperties" URI="#Signature707259-SignedProperties323141">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>I8ukG4vimFuUJ4HZK4l2XzlqxLQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Certificate1294821">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>iIG/3Kjw6Eg4lpHzcSk0wbNBoBg=</ds:DigestValue>
</ds:Reference>
<ds:Reference Id="Reference-ID-480222" URI="#comprobante">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>tLph97u5AUvDgDMvYtAK4oS81D8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="SignatureValue339308">
QIjzni1R9jwcGNqT/1ZhbIILMHnFtf0DnxotMg2HJr0xxPUTV+bzkhqt1eCyyoBjn7Qrs0bauzwC
1Rd+vLbKwA+bMy0Euo71OBFPdox05ei05EGp1Gpcb/wdlQeUm3NZgWFvDFO9kmdlFn8pDuPRxyrJ
j3bLMh9l12vQSbsiFHjWQghCYkaaDyzrN+HNcUFbVPw13puoFQX+cS7arVSaWx3wYJNrQ1Ml0htR
G9lmdHdtrsLZd6Ph04hwC0nRdH/HtXicjWrlmF26OQbk7Z2mnlOrKKkfSkcVgX0W9eQKcPAJjT2g
jXRCqhYzsa2lRW5/iHpKExlTvsq2JX2WMPuW7A==
</ds:SignatureValue>
<ds:KeyInfo Id="Certificate1294821">
<ds:X509Data>
<ds:X509Certificate>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=
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
nly8JZd8SNpLaLOyZoTos+yxMPED/bWWA0UJ2mXJX9AQm9FM0YlgeR1yrrX9QRRTZp3XuE3wlaV5
pWrXv5PQpqq/mw5BmYXCMDVuXqxOnmvsMIzCDD/xcQzSSna/7m1lyhF1ICPjaFYDUC6u0k4BWrjJ
XNNg58mteHgAr2WBFYRk4bpIcOlHZo5u6I5glLCuDv9a1GC6ThzqGph2ibQ3CbzpnNtrs7q5UxoM
haIwnzhwwsTyfcUxI9+Nt/bPiC5jYjiBLlbQyQPlPQsXPbmPbpMPoJFd4iN/vownMf0e4Cz5fxtq
MOZAOVjrZuloUKg7icQuWrpm+szcV1SYCRX/8w==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
<ds:Object Id="Signature707259-Object606921"><etsi:QualifyingProperties Target="#Signature707259"><etsi:SignedProperties Id="Signature707259-SignedProperties323141"><etsi:SignedSignatureProperties><etsi:SigningTime>2022-02-08T10:45:15-05:00</etsi:SigningTime><etsi:SigningCertificate><etsi:Cert><etsi:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>148lsm4WTHtY+1FkYn2kXaP3+10=</ds:DigestValue></etsi:CertDigest><etsi:IssuerSerial><ds:X509IssuerName>CN=ANF High Assurance Ecuador Intermediate CA,OU=ANF Autoridad intermedia  EC,O=ANFAC AUTORIDAD DE CERTIFICACION ECUADOR C.A.,C=EC,2.5.4.5=#130d31373932363031323135303031</ds:X509IssuerName><ds:X509SerialNumber>9969475784598174070319684639</ds:X509SerialNumber></etsi:IssuerSerial></etsi:Cert></etsi:SigningCertificate></etsi:SignedSignatureProperties><etsi:SignedDataObjectProperties><etsi:DataObjectFormat ObjectReference="#Reference-ID-480222"><etsi:Description>contenido comprobante</etsi:Description><etsi:MimeType>text/xml</etsi:MimeType></etsi:DataObjectFormat></etsi:SignedDataObjectProperties></etsi:SignedProperties></etsi:QualifyingProperties></ds:Object></ds:Signature></factura>

@SmartByt3r Thank you. I'll try to reproduce the same signed XML

Hello, I came across this very interesting conversation. Wondering what's the status? Cheers!

Hi, is there any update to this issue?

Here is an updated function that I shared before.

// Package imports needed to run this function outside the repo's test tree
// (the repo tests import xadesjs from ../../src instead).
import * as XAdES from "xadesjs";
import * as XMLdSIG from "xmldsigjs";
import { Convert } from "pvtsutils"; // Convert.FromBase64 decodes the base64 certificate

async function signXml({ certBase64: cert, alg, keys, xml, id }: { certBase64: string; alg: RsaHashedKeyGenParams; keys: CryptoKeyPair; xml: string; id: string }) {
    const signature = new XAdES.SignedXml();

    signature.XmlSignature.SignedInfo.Id = `Signature-SignedInfo-${id}`;
    signature.SignedProperties.Id = `Signature-SignedInfo-SignedProperties-${id}`;

    const x509Cert = new XMLdSIG.X509Certificate(Convert.FromBase64(cert));
    signature.XmlSignature.KeyInfo.Id = `Signature-KeyInfo-${id}`;
    signature.XmlSignature.KeyInfo.Add(new XMLdSIG.KeyInfoX509Data(x509Cert));

    // Add Data Object Format
    const dataObjectFormat = new XAdES.xml.DataObjectFormat();
    const referenceID = `Reference-ID-${id}`;
    dataObjectFormat.ObjectReference = `#${referenceID}`;
    dataObjectFormat.Description = "contenido comprobante";
    dataObjectFormat.MimeType = "text/xml";
    signature.SignedProperties.SignedDataObjectProperties.DataObjectFormats.Add(dataObjectFormat);

    await signature.Sign(
        alg,
        keys.privateKey,
        XAdES.Parse(xml),
        {
            id: `Signature-${id}`,
            keyValue: keys.publicKey,
            references: [
                { hash: "SHA-1", transforms: ["enveloped"], id: referenceID, uri: "#comprobante" },
                { hash: "SHA-1", uri: `#${signature.XmlSignature.KeyInfo.Id}` },
            ],
            signingCertificate: {
                certificate: cert,
                digestAlgorithm: "SHA-1",
            },
        });

    return signature.toString();
}

It generates the correct signature. Use Chilkat Online Tools to verify the XML signature.

Here is the enveloped XML signature generated by this function:

<factura id="comprobante" version="2.1.0"><infoTributaria><ambiente>1</ambiente><tipoEmision>1</tipoEmision><razonSocial>ServiContabC</razonSocial><nombreComercial>Servicios contables profesionales</nombreComercial><ruc>1710744424001</ruc><claveAcceso>0702202201171074442400110020020000000018765432111</claveAcceso><codDoc>01</codDoc><estab>002</estab><ptoEmi>002</ptoEmi><secuencial>000000001</secuencial><dirMatriz>De los jazmines N54-31 y de los Pinos</dirMatriz><contribuyenteRimpe>CONTRIBUYENTE RÉGIMEN RIMPE</contribuyenteRimpe></infoTributaria><infoFactura><fechaEmision>07/02/2022</fechaEmision><dirEstablecimiento>asasdad</dirEstablecimiento><obligadoContabilidad>NO</obligadoContabilidad><tipoIdentificacionComprador>05</tipoIdentificacionComprador><razonSocialComprador>Nicolas Cisneros</razonSocialComprador><identificacionComprador>1716430390</identificacionComprador><direccionComprador>Manuel Tamayo E15-53 y Victor Martillo</direccionComprador><totalSinImpuestos>0</totalSinImpuestos><totalDescuento>0</totalDescuento><totalConImpuestos><totalImpuesto><codigo>2</codigo><codigoPorcentaje>2</codigoPorcentaje><baseImponible>0</baseImponible><valor>0</valor></totalImpuesto></totalConImpuestos><propina>0</propina><importeTotal>0</importeTotal><moneda>DOLAR</moneda><pagos><pago><formaPago>20</formaPago><total>0</total></pago></pagos></infoFactura><detalles><detalle><codigoPrincipal>asd</codigoPrincipal><descripcion>asdasd</descripcion><cantidad>1</cantidad><precioUnitario>0</precioUnitario><descuento>0</descuento><precioTotalSinImpuesto>0</precioTotalSinImpuesto><impuestos><impuesto><codigo>2</codigo><codigoPorcentaje>2</codigoPorcentaje><tarifa>12</tarifa><baseImponible>0</baseImponible><valor>0</valor></impuesto></impuestos></detalle></detalles><infoAdicional><campoAdicional nombre="DIRECCION">LOS JAZMINES N54-31 Y DE LO9S PINOS</campoAdicional><campoAdicional nombre="DIRECCION">LOS JAZMINES N54-31 Y DE LO9S PINOS</campoAdicional></infoAdicional><ds:Signature 
Id="Signature-1294821" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo Id="Signature-SignedInfo-1294821"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference Id="Reference-ID-1294821" URI="#comprobante"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>tLph97u5AUvDgDMvYtAK4oS81D8=</ds:DigestValue></ds:Reference><ds:Reference URI="#Signature-KeyInfo-1294821"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Y9CFQ2ZXj24XcBOfBI/WDomBDus=</ds:DigestValue></ds:Reference><ds:Reference URI="#Signature-SignedInfo-SignedProperties-1294821" Type="http://uri.etsi.org/01903#SignedProperties"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>qTSXFUfBDLL3FBm7LtDzk6Kq7js=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Vv0j7TTTsODVBC342drb66JuoXkD39yuWgwXYTheokqO//ea2KHQABw7i2FiOHJf0pzoAz9D74Xc/9xrgHwF0IL6ngLPGrGYZV4OtK45FCeaDD/ajTOxlYoOcvLpZWy58vT6FtomMz5+pJjJqBJoDm6AamSLuzMRaf3PQOgI6jTjKVorujZ+yWjbiZmXNaBpuLwNgP526YWfJ7Byf5Z1d9Si9AdoTCDyTCyPzJ8EnuR2jIrPEtut4CKVfJaQLvcoWZehX/WdQC2GOSWZUJ1sQcONer0cEGGEsvahlBpTJGMlMNTMXFXru7mYpHPwTtwOlXHR6+a0ztvcDbIJ/leeRQ==</ds:SignatureValue><ds:KeyInfo 
Id="Signature-KeyInfo-1294821"><ds:X509Data><ds:X509Certificate>MIICnTCCAYWgAwIBAgIDAQIDMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMTBFRlc3QwHhcNMjEwNzI5MDAwMDAwWhcNMjIwNzI5MDAwMDAwWjAPMQ0wCwYDVQQDEwRUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzJ5wQPICktA6gXERP7J8mwr7kBa/Lf45dLeLf2CVUVd/pup3NIUlo5u4brPFKWmdyb3hV+nxyc1jTQwvkaCXtL/GJ17jorOREzXNYtZn+LPOSATXH4EWVJ4BXDj7q8Magv66Ah8nk4FhCSaC3zOFySNgO44KV57POrwCl+7ZRLGmejBwgwuK0tgLHkpSitneyinc3oN6eebzBlRle7VdvDg74/y8ult43FD+Lqevwf/UJGpo54jv7oi2M1o65kEOM90p4P+TNaYfM1ofhi7whlWFvF+pfxQPG88xLX0Vh80WHWTVnCSeHcww9wX+yy8cEPnxmSI+QDjXNvsMWVBapQIDAQABowIwADANBgkqhkiG9w0BAQUFAAOCAQEAc1Z7fGJykn/qRKnUGY6tPTd7wSfno9mguEtBsexXOU86R9jVPduYKsiikR+J6jUimA3zuReOwU8WdqnE9MHfoSwPC5kuYrXzni+3kFj5xLgYWWIOSWcN7yly/xOUToLhwwdqx26GUI3/88w5b7xyYtB0CydxU3bnyntwp6pRlHRVsJplMM9gT42RnNpoT3VOKQbVF5XtEscunic23W3YlrlNxsh+4nb4dn0RcVmtld1dBU7q/8xyUPJZhIxS9sHBqSkSc6ByG1GuitpTaJ8IsprunqqI0d/+0KpLU07TAN8Ex0xvKqD6rMWvNbroklFiefpqbLDq3N/OcPwNLq4nbg==</ds:X509Certificate></ds:X509Data><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>zJ5wQPICktA6gXERP7J8mwr7kBa/Lf45dLeLf2CVUVd/pup3NIUlo5u4brPFKWmdyb3hV+nxyc1jTQwvkaCXtL/GJ17jorOREzXNYtZn+LPOSATXH4EWVJ4BXDj7q8Magv66Ah8nk4FhCSaC3zOFySNgO44KV57POrwCl+7ZRLGmejBwgwuK0tgLHkpSitneyinc3oN6eebzBlRle7VdvDg74/y8ult43FD+Lqevwf/UJGpo54jv7oi2M1o65kEOM90p4P+TNaYfM1ofhi7whlWFvF+pfxQPG88xLX0Vh80WHWTVnCSeHcww9wX+yy8cEPnxmSI+QDjXNvsMWVBapQ==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo><ds:Object><xades:QualifyingProperties Target="#id-dbcd0dd697ac" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"><xades:SignedProperties Id="Signature-SignedInfo-SignedProperties-1294821"><xades:SignedSignatureProperties><xades:SigningTime>2022-05-27T10:44:09.601Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>A1zeUhFcDQw5r3LIxdBGADCD/7s=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>CN=Test</ds:X509IssuerName><ds:X509SerialNumber>66051</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties><xades:SignedDataObjectProperties><xades:DataObjectFormat ObjectReference="#Reference-ID-1294821"><xades:Description>contenido comprobante</xades:Description><xades:MimeType>text/xml</xades:MimeType></xades:DataObjectFormat></xades:SignedDataObjectProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object></ds:Signature></factura>

Here are some differences between my XML signature and the XML which @SmartByt3r sent (see comment).

- - my XML
+ - @SmartByt3r's XML

  1. XML elements in serialized string are not self-closed
- <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
+ <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  2. Signature element doesn't include xades namespace
- <ds:Signature Id="Signature-1294821"
-   xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+   xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#" Id="Signature707259">

There is no way to do it with the existing API; it requires an API update.

  3. XML uses xades prefix instead of etsi
+ <xades:SignedSignatureProperties>
- <etsi:SignedSignatureProperties>
  4. Time format for SigningTime element
- <xades:SigningTime>2022-05-27T10:10:52.576Z</xades:SigningTime>
+ <etsi:SigningTime>2022-02-08T10:45:15-05:00</etsi:SigningTime>
  5. Reference for SignedProperties includes Id attribute
- <ds:Reference URI="#Signature-SignedInfo-SignedProperties-1294821" Type="http://uri.etsi.org/01903#SignedProperties">
+ <ds:Reference Id="SignedPropertiesID977637" Type="http://uri.etsi.org/01903#SignedProperties" URI="#Signature707259-SignedProperties323141">

There is no way to do it with the existing API; it requires an API update.

  6. Id attribute for SignatureValue
- <ds:SignatureValue>Vv0j7TTTsODVBC342drb66JuoXkD39yuWgwXYTheokqO//ea2KHQABw7i2FiOHJf0pzoAz9D74Xc/9xrgHwF0IL6ngLPGrGYZV4OtK45FCeaDD/ajTOxlYoOcvLpZWy58vT6FtomMz5+pJjJqBJoDm6AamSLuzMRaf3PQOgI6jTjKVorujZ+yWjbiZmXNaBpuLwNgP526YWfJ7Byf5Z1d9Si9AdoTCDyTCyPzJ8EnuR2jIrPEtut4CKVfJaQLvcoWZehX/WdQC2GOSWZUJ1sQcONer0cEGGEsvahlBpTJGMlMNTMXFXru7mYpHPwTtwOlXHR6+a0ztvcDbIJ/leeRQ==</ds:SignatureValue>
+ <ds:SignatureValue Id="SignatureValue339308">QIjzni1R9jwcGNqT/1ZhbIILMHnFtf0DnxotMg2HJr0xxPUTV+bzkhqt1eCyyoBjn7Qrs0bauzwC 1Rd+vLbKwA+bMy0Euo71OBFPdox05ei05EGp1Gpcb/wdlQeUm3NZgWFvDFO9kmdlFn8pDuPRxyrJ j3bLMh9l12vQSbsiFHjWQghCYkaaDyzrN+HNcUFbVPw13puoFQX+cS7arVSaWx3wYJNrQ1Ml0htR G9lmdHdtrsLZd6Ph04hwC0nRdH/HtXicjWrlmF26OQbk7Z2mnlOrKKkfSkcVgX0W9eQKcPAJjT2g jXRCqhYzsa2lRW5/iHpKExlTvsq2JX2WMPuW7A==</ds:SignatureValue>

There is no way to do it with the existing API; it requires an API update.

Does anybody have the possibility to point out which differences are critical to make this XML signature applicable for SRI Ecuador?
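As an added example (not part of xadesjs, and written against the serialized output rather than the library's object model): a checker that reports which of the six differences above are present in a signature string, and which of them cannot be patched in after signing because they change the signed content. The report field names and both sample fragments are constructed for this example.

```typescript
// Added example, not part of xadesjs. Textual checks for the six differences listed
// in the comment above, run on a serialized ds:Signature. The report field names
// and the two sample fragments below are constructed for this example.
interface SriShapeReport {
  selfClosingTags: boolean;          // 1. <x/> present instead of <x></x>
  etsiNamespaceOnSignature: boolean; // 2. xmlns:etsi declared on ds:Signature
  etsiPrefix: boolean;               // 3. etsi: prefix used rather than xades:
  signingTimeHasOffset: boolean;     // 4. SigningTime ends in a numeric UTC offset
  signedPropertiesRefHasId: boolean; // 5. Id on the SignedProperties ds:Reference
  signatureValueHasId: boolean;      // 6. Id on ds:SignatureValue
}

// A self-closing tag, stepping over quoted attribute values so that a "/>" inside
// an attribute value does not count as a tag end.
const SELF_CLOSING = /<[^<>"']*(?:"[^"]*"[^<>"']*|'[^']*'[^<>"']*)*\/>/;

function firstMatch(xml: string, re: RegExp): string {
  const m = re.exec(xml);
  return m ? m[0] : "";
}

function sriShapeReport(xml: string): SriShapeReport {
  const signatureTag = firstMatch(xml, /<ds:Signature\b[^>]*>/);
  const signatureValueTag = firstMatch(xml, /<ds:SignatureValue\b[^>]*>/);
  const signedPropsRef = firstMatch(
    xml,
    /<ds:Reference\b[^>]*Type="http:\/\/uri\.etsi\.org\/01903#SignedProperties"[^>]*>/,
  );
  const signingTime = /<(?:etsi|xades):SigningTime>([^<]*)<\//.exec(xml);
  return {
    selfClosingTags: SELF_CLOSING.test(xml),
    etsiNamespaceOnSignature: /\sxmlns:etsi="http:\/\/uri\.etsi\.org\/01903\/v1\.3\.2#"/.test(signatureTag),
    etsiPrefix: /<etsi:SignedProperties\b/.test(xml),
    signingTimeHasOffset: signingTime !== null && /[+-]\d{2}:\d{2}$/.test(signingTime[1]),
    signedPropertiesRefHasId: /\sId="/.test(signedPropsRef),
    signatureValueHasId: /\sId="/.test(signatureValueTag),
  };
}

// Differences 2 to 5 change the canonical form of SignedInfo or SignedProperties,
// both of which the signature covers, so they must be in place before Sign() runs.
// Differences 1 and 6 can be applied to the serialized output afterwards: C14N writes
// empty elements as start/end pairs anyway, and attributes of ds:SignatureValue are
// not part of the signed data.
function mustBeFixedBeforeSigning(r: SriShapeReport): string[] {
  const missing: string[] = [];
  if (!r.etsiNamespaceOnSignature) missing.push("etsiNamespaceOnSignature");
  if (!r.etsiPrefix) missing.push("etsiPrefix");
  if (!r.signingTimeHasOffset) missing.push("signingTimeHasOffset");
  if (!r.signedPropertiesRefHasId) missing.push("signedPropertiesRefHasId");
  return missing;
}

// Constructed fragments mirroring the two shapes compared above (digests omitted).
const SRI_SHAPED =
  '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#" Id="Signature1">' +
  '<ds:SignedInfo><ds:Reference Id="SignedPropertiesID1" Type="http://uri.etsi.org/01903#SignedProperties" URI="#Signature1-SignedProperties1">' +
  '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod></ds:Reference></ds:SignedInfo>' +
  '<ds:SignatureValue Id="SignatureValue1">AAAA</ds:SignatureValue>' +
  '<ds:Object><etsi:QualifyingProperties Target="#Signature1"><etsi:SignedProperties Id="Signature1-SignedProperties1">' +
  '<etsi:SignedSignatureProperties><etsi:SigningTime>2022-02-08T10:45:15-05:00</etsi:SigningTime>' +
  '</etsi:SignedSignatureProperties></etsi:SignedProperties></etsi:QualifyingProperties></ds:Object></ds:Signature>';

const XADESJS_SHAPED =
  '<ds:Signature Id="Signature-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
  '<ds:SignedInfo><ds:Reference URI="#Signature-SignedInfo-SignedProperties-1" Type="http://uri.etsi.org/01903#SignedProperties">' +
  '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference></ds:SignedInfo>' +
  '<ds:SignatureValue>AAAA</ds:SignatureValue>' +
  '<ds:Object><xades:QualifyingProperties Target="#id-1" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">' +
  '<xades:SignedProperties Id="Signature-SignedInfo-SignedProperties-1"><xades:SignedSignatureProperties>' +
  '<xades:SigningTime>2022-05-27T10:44:09.601Z</xades:SigningTime></xades:SignedSignatureProperties>' +
  '</xades:SignedProperties></xades:QualifyingProperties></ds:Object></ds:Signature>';
```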

I've published the new version xadesjs@2.4.4. It extends options for signingCertificate

Well, the SRI documentation says that they use XAdES-BES version 1.3.2, with UTF-8 encoding.
For the signing algorithm: RSA-SHA1, with a 2048-bit key length.
For the signature validation they use this set of Java libraries:

  • MITyCLibXADES
  • MITyCLibTSA
  • MITyCLibAPI
  • MITyCLibOCSP
  • MITyCLibTrust

Any update?

Hello, has anyone already used this library for electronic signatures in Ecuador, or do you recommend another one?

to sign a document that will be validated by the entity to manage the payment of Ecuadorian taxpayers

Hello thanks for the excellent library, I've been trying to load the keys from .p12 file to sign a document. Any suggestions on how can I do it?

LChumi commented

Hi, I am trying to sign with XAdES-BES in Spring, but after validating in XolidoSign it tells me that it does not fit with the integrity of the structure of the signature. What should I do?