digital signature in xml files for E-social


Hello, I need to clear up a doubt about the signature of the XML sent to eSocial. I am basing myself on the article "Problem with eSocial digital signature - Invalid signature", and I have the following doubts:

$objXMLSecurityDSig->add509Cert(file_get_contents('/path_para_chave_PEM_publica'));

What exactly would this key be? Does it come from the certificate chain that eSocial asks to be installed on the machine that will make the access?

The same doubt applies here:

$objXMLSecurityKey->loadKey('/path_para_chave_PEM_privada', TRUE);

In another case I have the following:

'local_cert' => '/path_para_chaves_PEM_privada_e_publica_combinadas_em_um_unico_arquivo',

This left me with more questions: is this configured with the public and private key in a single file?

Use the library: PHP library for digital signature of XML files

1 answer

I don't know PHP and had never seen the Xmlseclibs library by Robrichards, but I'm also developing for eSocial (.NET) and know something about the procedure for signing events and communicating with the service, so I'll try to help.

You said you had doubts about these three passages regarding the certificate:

$objXMLSecurityDSig->add509Cert(file_get_contents('/path_para_chave_PEM_publica'));

$objXMLSecurityKey->loadKey('/path_para_chave_PEM_privada', TRUE);

'local_cert' => '/path_para_chaves_PEM_privada_e_publica_combinadas_em_um_unico_arquivo',

eSocial requires an A1 or A3 digital certificate, both to sign events and to communicate with the service. On Windows, the A1 certificate usually comes as a .pfx file, which contains the public key and the private key; you can install that file on Windows and use it from the Windows certificate store, or open the file directly. In my case I always get the certificate installed in the Windows store.

Like I said, I don't know the Xmlseclibs library, so I can't tell whether it directly accepts a .pfx file or only accepts .pem files, but I did a quick search and found that .pem files can also store the public key and the private key, like a .pfx file, and that it is possible to convert a file from the .pfx format to the .pem format.

Here are some links that explain this better:

Summary of Digital Certificate - Knowledge Base
http://fantastsoft.com.br/basecon/base-conhecimento/resumo-sobre-certificado-digital/

SECURITY, What are the differences between PEM, DER, P7B / PKCS # 7, PFX / PKCS # 12 certificates?
https://discursa.rknet.top/t/seguranca-quais-sao-as-diferencas-entre-os-certificados-pem-der-p7b-pkcs-7-pfx-pkcs-12/258

Conversion of CA certificate (TYPE A1) from PFX to PEM
https://www.rafaeltheodoro.com.br/nfe/conversao-de-certificado-ca-tipo-a1-de-pfx-para-pem/

So I guess you can take a valid A1 digital certificate in .pfx format and convert it to a .pem file, as in the linked examples (using the OpenSSL application):

openssl pkcs12 -in certificado.pfx -out certificado.pem -nodes

Having done that, I imagine you can use that certificado.pem file in all 3 lines you were in doubt about, because it will contain the public key and the private key of your A1 certificate, and it is your A1 certificate that is required to sign eSocial events and to open communication with the eSocial service (the first two lines refer to the signature, and the third to the transmission).

The certificate used for the signature must have the same root CNPJ (or CPF) as the employer whose events are being signed, or it may be another CNPJ/CPF provided that an electronic power of attorney has been registered on the e-CAC site of the Receita Federal.
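The answer above says that a single PEM converted from the .pfx can serve all three lines from the question. The following is an added example (not code from the question, the answer, or the xmlseclibs project) that puts that together in PHP: it first checks that the converted file really contains a matching certificate and private key (a mismatched or incomplete file is a common cause of an "invalid signature" error), then uses the same file for `loadKey`, `add509Cert` and the SOAP `local_cert`. The file paths, the event file name and the signature parameters (enveloped signature, C14N, SHA-256, RSA-SHA256, signature appended to the root element) are assumptions; check them against the eSocial developer manual for the version you target.

```php
<?php
// Added example, not from the question, the answer or the xmlseclibs project.
// Assumes the combined PEM was produced with:
//   openssl pkcs12 -in certificado.pfx -out certificado.pem -nodes -clcerts
// (-clcerts keeps only the holder's certificate so that no CA certificates
// from the .pfx end up inside <KeyInfo>). Paths below are assumed.
require 'vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

const PEM_COMBINADO = '/caminho/seguro/certificado.pem'; // assumed path

// Sanity check on the converted file: both halves present, they belong to each
// other, and the certificate is still valid. Fail early instead of sending an
// event that eSocial will reject.
function verificarPem(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    $cert = openssl_x509_read($pem);        // first CERTIFICATE block in the file
    $key  = openssl_pkey_get_private($pem); // PRIVATE KEY block in the same file
    if ($cert === false || $key === false) {
        throw new RuntimeException('PEM must contain both a certificate and a private key');
    }
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('private key does not match the certificate');
    }
    $info = openssl_x509_parse($cert);
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException('certificate has expired');
    }
    return $info; // subject/issuer/validity, useful for logging which certificate signed
}

// Lines 1 and 2 of the question: sign the event with the private key and embed
// only the certificate block of the same PEM in the signature's KeyInfo.
function assinarEvento(string $xmlPath, string $pemPath): string
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    $doc->formatOutput = false;
    $doc->load($xmlPath);

    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::C14N);
    // Enveloped signature over the whole document (URI=""), SHA-256 digest.
    // Assumed to match the eSocial signature profile; confirm in the manual.
    $dsig->addReference(
        $doc,
        XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::C14N],
        ['force_uri' => true]
    );

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($pemPath, true);                   // private key read from the combined file
    $dsig->sign($key);
    $dsig->add509Cert(file_get_contents($pemPath));  // xmlseclibs copies only the CERTIFICATE block
    $dsig->appendSignature($doc->documentElement);   // signature as last child of the root

    return $doc->saveXML();
}

// Line 3 of the question: the same PEM authenticates the TLS connection to
// the web service. $wsdl is an assumed placeholder for the eSocial endpoint.
function clienteSoap(string $wsdl, string $pemPath): SoapClient
{
    return new SoapClient($wsdl, [
        'local_cert' => $pemPath, // -nodes left the key unencrypted, so no 'passphrase'
        'trace'      => true,
    ]);
}

verificarPem(PEM_COMBINADO);
$xmlAssinado = assinarEvento('/caminho/evento.xml', PEM_COMBINADO); // assumed event file
$cliente     = clienteSoap('https://exemplo.invalid/servico?wsdl', PEM_COMBINADO);
```

Because `-nodes` writes the private key to disk without a passphrase, the resulting file is as sensitive as the original .pfx: keep it outside the web root, owned by the PHP user with mode 0600, and out of version control. The check in `verificarPem` also tells you which certificate actually signed the event, which is what you need when following the answer's point about the signer's CNPJ/CPF matching the employer or a registered power of attorney.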

  • Pedro Gaspar, my friend, on top of that this raised other doubts for me; for example, does only the A1 generate the .pfx file? In the system that will access eSocial I will send data from various companies; in that case, would I have to have an A1 for each company whose data I send to eSocial?

  • So Edson, if you need to sign the events of other companies, that is, you will sign on their behalf, either you need to have those companies' certificates in hand or, as I said at the end of the reply, you need those companies to register an electronic power of attorney with the Receita Federal, which will allow you to sign eSocial events on their behalf. On the eSocial website there is a step-by-step guide on electronic power of attorney: http://portal.esocial.gov.br/manuais/orientacoes-assinatura-digital-e-procuracao-electronic

  • Edson, did you manage to use the Xmlseclibs library to sign XML files in PHP? If so, did you also test whether it directly accepts the digital certificate with the .pfx extension? If you can, post that information here, because it can help others with the same problem!

  • No Pedro, I couldn't yet; I'm still trying to do this, but I'm having serious problems understanding it, hence my delay in returning.

  • But are you getting an error? If so, post a new question with the details, if it's a problem other than what you asked here.

  • It's kind of complicated to understand this; I'm going to do a general overview so that I can put the doubts here.
