NFE Digital Signature(Electronic Invoice)

Asked

Viewed 2,258 times

5

I am developing NFE in the Python language, I already Gero the XML, I can send it to Webservice and I get the answer, what I need now is the digital signature

The signature is an xml tag with some values, follows the model

 <NFe xmlns="http://www.portalfiscal.inf.br/nfe" >
     <infNFe Id="NFe31060243816719000108550000000010001234567897"     versao="1.01">
     ...
     </infNFe>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-  c14n-20010315"/>
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
           <Reference URI="#NFe31060243816719000108550000000010001234567897">
           <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped- signature"/>
              <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml- c14n-20010315"/>
           </Transforms>
           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <DigestValue>vFL68WETQ+mvj1aJAMDx+oVi928=</DigestValue>
          </Reference>
       </SignedInfo>
     <SignatureValue>IhXNhbdL1F9UGb2ydVc5v/gTB/y6r0KIFaf5evUi1i ...    </SignatureValue>
     <KeyInfo>
        <X509Data>
            <X509Certificate>MIIFazCCBFOgAwIBAgIQaHEfNaxSeOEvZGlVDANB ...     </X509Certificate>
        </X509Data>
    </KeyInfo>
    </Signature>
</NFe>

What I know is that I need to generate the values for the tags <DigestValue>, <SignatureValue> and <X509Certificate>.

I can already read the digital certificate A1 through the archive .pfx I can already extract the information:

  • Name of the certificate owner
  • Date of commencement and end of validity of the certificate
  • Private Key
  • Certificate Key

    According to the Nfe Integration Manual, says the following to fill in these fields. Page 17 and 18

Contributor signature on NF-e will be made on the TAG identified by the attribute Id, the content of which shall be a unique identifier (access key) preceded by the literal Nfe' for each NF-e as layout described in Annex I. The unique identifier preceded of the literal#Nfe' must be entered in the URI attribute of the TAG. For the other messages to be signed, the process is the same always keeping an identifier unique to the Id attribute in the TAG to be signed. Below is an example:

From what I understand, in the key NFe31060243816719000108550000000010001234567897(in that case) ta Tag <Reference URI="#NFe31060243816719000108550000000010001234567897">

To the tag <DigestValue> he says it has to be an algorithm SH-1 base 64, Okay, I can do that, but it doesn’t speak based on what I need to generate this key

What I want to know is, how are these field values actually generated?

<DigestValue>
<SignatureValue>
<X509Certificate>
  • 2

    Did you follow the links just below? If I had more experience with this, I would reply, but I can only give the following comment: 1) The DigestValue is a hash of what is being signed (probably a simple SHA-1 of the same encoded in Base64); 2) The X509Certificate is the identification of the certificate used to sign (the one whose private key you control, the way you read); 3) The SignatureValue is the signature of DigestValue with the private key of the certificate, according to the specified algorithms (signature and transformations).

  • This may not have helped much, I imagine, but my suggestion is to try to find some library for Python that does XML signing (because this is an international standard, what Nfe uses). Again, I have no experience, but a quick search has brought me that, that and that.

  • Very good your tips, the problem is that these libraries use the xmlsec and it doesn’t work at all in Python 3.4, I’ve tried everything, it might work but it doesn’t work so far, it would have to be in Python 3. DigestValue using SHA-1 however it is never the same that has these examples. in relation to SignatureValue what type of algorithm?

  • 1

    If the Digest is going wrong, maybe you are not hashing the right data. For example, here says that the element to be hashed is the Object, and in its text all \r\n of the text have to be replaced by a single \n, are you doing this? Maybe they have other details too, I don’t know... As for the SignatureValue, the type of algorithm is described in SignatureMethod: RSA-SHA-1. And also has the CanonicalizationMethod I’m not sure what it’s for, other than Transforms. If I had to do it by hand, I’d be lost rsrs.

  • As for the links, I entered the links but did not understand, I did not see how I can generate these values, it is a very great document rsrsrs. Yeah, I think this part I’ll see if I can make a script with Python2 just to sign, that’s the way. rsrs

  • If I make the blessed xmlsec work, then I’ll settle the matter

  • I believe you are doing everything in the arm. If yes, I think you could take a look at this lib, library project to interface with the web service of electronic Invoice for Python, which will already give you possibilities to do many things in a much simpler way.

Show 2 more comments

1 answer

2

To calculate the Digestvalue

   1 add the xmlns namespace with the value http://www.portalfiscal.inf.br/nfe in the tag infNFe

   2 canonize the tag infNFe

   3 Calculate Digest using SHA1 and convert the result to Base64

To sign the note

   1 add the xmlns namespace with the value http://www.w3.org/2000/09/xmldsig# on the Signedinfo tag

   2 canonize the tag Signedinfo

   3 Sign the Signedinfo tag, convert the result to Base64

Something was missing?

more details about the subscription https://dev.thiago.pro/assinatura-digital-nfe

Browser other questions tagged

You are not signed in. Login or sign up in order to post.