e-social. Invalid event signature


Viewed 4,348 times

1

Hello, I am having problems querying events with the protocol; it returns the XML error (405 - Invalid Signature), occurrence (1 - 142 - Invalid event signature. Suggested actions: Check for event changes after signing. Check for signature validity.)

The signature that was sent follows...

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>h2IWj/yBmVC1XM7qrc31hLPXDmECI45abGgzTbCpfb8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>...</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

Has anyone had this problem?

2 answers

3

I managed to solve the problem.

In version 2.3 of the layouts it was mandatory to declare the event namespaces.

<eSocial  xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01"
	  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<evtInfoEmpregador Id="ID1111111110000002017121316041098000">

As the error message is not very suggestive, I thought it might be the order in which I was signing, inside the batch or outside the batch.

But the solution was simply to remove these namespaces and leave only the event identification namespace:

<eSocial xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01">

The order I signed was:

1- Build the event; 2- Validate the event; 3- Sign the event; 4- Insert the event into the batch; 5- Send.

Once signed, the event cannot undergo any kind of modification. Below is an example of the signed batch, so you can compare the structure.

I have only removed the certificate and signature details for security reasons. The complete signed batch follows; it was sent and returned success.

<eSocial xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.esocial.gov.br/schema/lote/eventos/envio/v1_1_1">
  <envioLoteEventos grupo="1">
    <ideEmpregador>
      <tpInsc>1</tpInsc>
      <nrInsc>12345678</nrInsc>
    </ideEmpregador>
    <ideTransmissor>
      <tpInsc>1</tpInsc>
      <nrInsc>87654321</nrInsc>
    </ideTransmissor>
    <eventos>
      <evento Id="ID1234567800000002017121415120771000">
        <eSocial xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01">
          <evtInfoEmpregador Id="ID1123456780000002017121415120771000">
            <ideEvento>
              <tpAmb>2</tpAmb>
              <procEmi>1</procEmi>
              <verProc>SDA.ABM 1.0</verProc>
            </ideEvento>
            <ideEmpregador>
              <tpInsc>1</tpInsc>
              <nrInsc>12345678</nrInsc>
            </ideEmpregador>
            <infoEmpregador>
              <inclusao>
                <idePeriodo>
                  <iniValid>2017-12</iniValid>
                </idePeriodo>
                <infoCadastro>
                  <nmRazao>Razao da Empresa</nmRazao>
                  <classTrib>99</classTrib>
                  <natJurid>3999</natJurid>
                  <indCoop>0</indCoop>
                  <indConstr>0</indConstr>
                  <indDesFolha>1</indDesFolha>
                  <indOptRegEletron>1</indOptRegEletron>
                  <indEntEd>N</indEntEd>
                  <indEtt>N</indEtt>
                  <contato>
                    <nmCtt>James Bond</nmCtt>
                    <cpfCtt>12345678910</cpfCtt>
                    <foneCel>1234707070</foneCel>
                    <email>[email protected]</email>
                  </contato>
                  <softwareHouse>
                    <cnpjSoftHouse>123456789</cnpjSoftHouse>
                    <nmRazao>Minha SoftwareHouse</nmRazao>
                    <nmCont>Cia</nmCont>
                    <telefone>1931117070</telefone>
                    <email>[email protected]</email>
                  </softwareHouse>
                  <infoComplementares>
                    <situacaoPJ>
                      <indSitPJ>0</indSitPJ>
                    </situacaoPJ>
                  </infoComplementares>
                </infoCadastro>
              </inclusao>
            </infoEmpregador>
          </evtInfoEmpregador>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
              <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
              <Reference URI="">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>............................................</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>...........................................</SignatureValue>
            <KeyInfo>
              <X509Data>
                <X509Certificate>..................................</X509Certificate>
              </X509Data>
            </KeyInfo>
          </Signature>
        </eSocial>
      </evento>
    </eventos>
  </envioLoteEventos>
</eSocial>

I am developing with .NET and C#. Let me know if there is anything else I can do.

I hope I’ve helped,

Jean Guilherme

1

Jean already listed most of the problems that normally cause this invalid signature error, but, as it is a very common problem, I will replicate here the answer I gave in other posts, which adds some points and gives a C# code example.

Some basic tips that should be followed to sign successfully:

  • You must use only the event XML to generate the signature, and then the signed event XML is embedded in the batch XML. The batch XML should never be signed; only the events are signed, individually.
  • The root tag of the event, eSocial, must not contain the xmlns:xsi and xmlns:xsd declarations, which are normally added automatically by the serializer.
  • Once signed, the event XML must not undergo any change, because otherwise the signature becomes invalid. I have seen people manually change things in the XML after signing, and it has happened to me that the event XML was written to disk using one encoding and the batch XML, with the signed event inside it, was written using another encoding, which also invalidated the signature.

I made a page a while back with some tips on signing an eSocial event XML:

http://suporte.quarta.com.br/eSocial/AssinaturaXml.htm

But in short, the code I am using for eSocial is as follows:

  using System.Security.Cryptography.X509Certificates;
  using System.Security.Cryptography.Xml;
  using System.Xml;

  //
  // SignedXml.CheckSignature Method (X509Certificate2, Boolean) -> Examples [SHA1]
  // https://msdn.microsoft.com/en-us/library/ms148731(v=vs.110).aspx
  //
  // Using SHA256 with the SignedXml Class
  // https://blogs.msdn.microsoft.com/winsdk/2015/11/14/using-sha256-with-the-signedxml-class/
  //
  private static void SignXmlDoc(XmlDocument xmlDoc, X509Certificate2 certificate)
  {
     //
     // https://docs.microsoft.com/en-us/dotnet/framework/whats-new/#Crypto462
     //
     // SignedXml support for SHA-2 hashing: the .NET Framework 4.6.2 adds support
     // to the SignedXml class for RSA-SHA256, RSA-SHA384, and RSA-SHA512 PKCS#1
     // signature methods, and SHA256, SHA384, and SHA512 reference digest algorithms.
     //
     // Any programs that have registered a custom SignatureDescription handler into CryptoConfig
     // to add support for these algorithms will continue to function as they did in the past, but
     // since there are now platform defaults, the CryptoConfig registration is no longer necessary.
     //
     //// Before 4.6.2 you had to register a SignatureDescription class that defines the DigestAlgorithm as SHA256.
     //// You have to reference the System.Deployment assembly in your project.
     //CryptoConfig.AddAlgorithm(
     //   typeof(System.Deployment.Internal.CodeSigning.RSAPKCS1SHA256SignatureDescription),
     //   "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
     // RSAPKCS1SHA256SignatureDescription -> available since .NET Framework 4.5

     SignedXml signedXml = new SignedXml(xmlDoc);

     // Add the private key to the SignedXml document.
     signedXml.SigningKey = certificate.GetRSAPrivateKey();   // available since .NET Framework 4.6
     //signedXml.SigningKey = GetRSAPrivateKey(certificate);  // alternative helper for older frameworks

     // RSA-SHA256 signature method (platform default since .NET Framework 4.6.2, see above).
     signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

     // Create a reference to be signed. Pass "" to specify that
     // all of the current XML document should be signed.
     Reference reference = new Reference(string.Empty);

     reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
     reference.AddTransform(new XmlDsigC14NTransform());
     reference.DigestMethod = SignedXml.XmlDsigSHA256Url; // "http://www.w3.org/2001/04/xmlenc#sha256"

     // Add the reference to the SignedXml object.
     signedXml.AddReference(reference);

     signedXml.KeyInfo = new KeyInfo();
     // Load the certificate into a KeyInfoX509Data object
     // and add it to the KeyInfo object.
     signedXml.KeyInfo.AddClause(new KeyInfoX509Data(certificate));

     // Compute the signature.
     signedXml.ComputeSignature();

     // Get the XML representation of the signature and save
     // it to an XmlElement object.
     XmlElement xmlDigitalSignature = signedXml.GetXml();

     // Append the Signature element as the last child of the event root.
     xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

     // Drop the XML declaration so the event can be embedded in the batch as-is.
     if (xmlDoc.FirstChild is XmlDeclaration)
        xmlDoc.RemoveChild(xmlDoc.FirstChild);
  }

If you also have to sign EFD-Reinf events, the only difference is that there the Reference.URI element must contain the event ID, prefixed with the # character, whereas in eSocial that element must be empty. So for EFD-Reinf, the line that creates the Reference object in the function I have shown should be changed to:

     Reference reference = new Reference("#" + idEvento);

I have a page with some eSocial XML examples which, although outdated (all the examples on the page use layout v2.2.02, and the current one is v2.4.01), are useful for seeing clearly what should be signed (only the event XML) and what should not be signed (the batch XML):

http://suporte.quarta.com.br/eSocial/ExemplosEventosXml.htm
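The error text in the question suggests two checks ("event changes after signing" and "signature validity"), and both answers say the same thing in different words: strip the serializer's xmlns:xsi/xmlns:xsd declarations from the event root, sign only the event, verify, then embed the signed event in the batch untouched. The following C# helpers are an added example, not code from either answer or from eSocial; they turn those tips into a pre-send check that verifies the event locally with SignedXml.CheckSignature before and after it is placed in the batch, so a digest mismatch is caught on the developer's machine rather than reported as occurrence 142 by the server. It assumes the SignXmlDoc method from the answer above is available in the same class; the class and method names ESocialEventSigner, RemoveSerializerNamespaces, VerifyEventSignature, EmbedInBatch and VerifyEmbeddedEvent are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper class (added example). SignXmlDoc is the method from the answer above.
public static class ESocialEventSigner
{
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";
    const string LoteNs = "http://www.esocial.gov.br/schema/lote/eventos/envio/v1_1_1";

    // Step 1: remove the declarations the XmlSerializer adds to the root before signing.
    // Only safe because eSocial events never use the xsi: or xsd: prefixes in their content.
    // Returns the names removed so the caller can log what was changed pre-signature.
    public static string[] RemoveSerializerNamespaces(XmlDocument eventDoc)
    {
        var removed = new List<string>();
        XmlElement root = eventDoc.DocumentElement;
        foreach (string name in new[] { "xmlns:xsi", "xmlns:xsd" })
        {
            if (root.HasAttribute(name))
            {
                root.RemoveAttribute(name);
                removed.Add(name);
            }
        }
        return removed.ToArray();
    }

    // Step 2: verify the enveloped signature the way a relying party would.
    // The XML is re-parsed from its serialized form with PreserveWhitespace = true, so the
    // check runs over exactly the bytes that will be transmitted; loading with the default
    // (whitespace dropped) would itself change the canonical form and break the digest.
    public static bool VerifyEventSignature(string signedEventXml, X509Certificate2 certificate)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedEventXml);

        XmlNodeList sigs = doc.GetElementsByTagName("Signature", DsigNs);
        if (sigs.Count != 1)
            return false; // exactly one enveloped Signature is expected on an eSocial event

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // verifySignatureOnly = true: check DigestValue and SignatureValue against the
        // certificate's public key; certificate chain validation is a separate concern.
        return signedXml.CheckSignature(certificate, true);
    }

    // Step 3: place the signed event inside <evento> by importing the DOM node.
    // Never rebuild it from a string written with a different encoding (see the answer above).
    public static void EmbedInBatch(XmlDocument batchDoc, XmlElement eventoElement, XmlDocument signedEventDoc)
    {
        eventoElement.AppendChild(batchDoc.ImportNode(signedEventDoc.DocumentElement, true));
    }

    // Step 4: re-verify the event as it sits inside the batch, to detect any modification
    // introduced while assembling or serializing the batch (the batch itself is never signed).
    public static bool VerifyEmbeddedEvent(XmlDocument batchDoc, X509Certificate2 certificate)
    {
        var nsmgr = new XmlNamespaceManager(batchDoc.NameTable);
        nsmgr.AddNamespace("lote", LoteNs);
        XmlNode innerESocial = batchDoc.SelectSingleNode("//lote:evento/*", nsmgr);
        if (innerESocial == null)
            return false;
        // OuterXml carries the event's own xmlns declaration, so it parses stand-alone.
        return VerifyEventSignature(innerESocial.OuterXml, certificate);
    }

    // Usage: build -> strip namespaces -> sign -> verify -> embed -> verify again.
    public static string SignAndVerify(string eventXml, X509Certificate2 certificate)
    {
        var eventDoc = new XmlDocument { PreserveWhitespace = true };
        eventDoc.LoadXml(eventXml);
        RemoveSerializerNamespaces(eventDoc);
        SignXmlDoc(eventDoc, certificate); // method from the answer above
        string signedXml = eventDoc.OuterXml;
        if (!VerifyEventSignature(signedXml, certificate))
            throw new InvalidOperationException("Event signature does not verify locally; do not send it.");
        return signedXml;
    }
}
```

If VerifyEventSignature passes on the event but VerifyEmbeddedEvent fails on the batch, the event was altered between signing and batching, which is exactly the encoding and post-signing edit pitfall the answer describes; if both pass locally and the server still reports occurrence 142, the difference lies in how the file is written or transmitted rather than in the signing code.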
