E-Social. Invalid event signature

1

Hello, I'm having problems querying the event with the protocol; it returns the error (405 - Invalid Signature), event (1 - 142 - Invalid event signature). Suggested actions: check whether the event has changed after signing.

The submitted signature follows...

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <DigestValue>h2IWj/yBmVC1XM7qrc31hLPXDmECI45abGgzTbCpfb8=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

Has anyone had this problem?

    
asked by anonymous 02.10.2017 / 14:33

2 answers

3

I solved the problem.

In version 2.3 of the layouts it was mandatory to declare the event namespaces.

<eSocial xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <evtInfoEmpregador Id="ID1111111110000002017121316041098000">

As the error message is not very descriptive, I thought it might be the order in which I was signing, inside the batch or outside the batch.

But the solution was simply to remove these namespaces and leave only the event namespace:

<eSocial xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01">

The order I signed was:

1- Assemble event
2- Validate event
3- Sign event
4- Insert event in batch
5- Send

Once signed, the event cannot undergo any modification. I will put the example of the signed batch right below, so you can compare the structure.

I have only removed the certificate and signature details for security reasons. Here is a complete and signed batch; it was sent and returned successfully.

<eSocial xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.esocial.gov.br/schema/lote/eventos/envio/v1_1_1">
  <envioLoteEventos grupo="1">
    <ideEmpregador>
      <tpInsc>1</tpInsc>
      <nrInsc>12345678</nrInsc>
    </ideEmpregador>
    <ideTransmissor>
      <tpInsc>1</tpInsc>
      <nrInsc>87654321</nrInsc>
    </ideTransmissor>
    <eventos>
      <evento Id="ID1234567800000002017121415120771000">
        <eSocial xmlns="http://www.esocial.gov.br/schema/evt/evtInfoEmpregador/v02_04_01">
          <evtInfoEmpregador Id="ID1123456780000002017121415120771000">
            <ideEvento>
              <tpAmb>2</tpAmb>
              <procEmi>1</procEmi>
              <verProc>SDA.ABM 1.0</verProc>
            </ideEvento>
            <ideEmpregador>
              <tpInsc>1</tpInsc>
              <nrInsc>12345678</nrInsc>
            </ideEmpregador>
            <infoEmpregador>
              <inclusao>
                <idePeriodo>
                  <iniValid>2017-12</iniValid>
                </idePeriodo>
                <infoCadastro>
                  <nmRazao>Razao da Empresa</nmRazao>
                  <classTrib>99</classTrib>
                  <natJurid>3999</natJurid>
                  <indCoop>0</indCoop>
                  <indConstr>0</indConstr>
                  <indDesFolha>1</indDesFolha>
                  <indOptRegEletron>1</indOptRegEletron>
                  <indEntEd>N</indEntEd>
                  <indEtt>N</indEtt>
                  <contato>
                    <nmCtt>James Bond</nmCtt>
                    <cpfCtt>12345678910</cpfCtt>
                    <foneCel>1234707070</foneCel>
                    <email>[email protected]</email>
                  </contato>
                  <softwareHouse>
                    <cnpjSoftHouse>123456789</cnpjSoftHouse>
                    <nmRazao>Minha SoftwareHouse</nmRazao>
                    <nmCont>Cia</nmCont>
                    <telefone>1931117070</telefone>
                    <email>[email protected]</email>
                  </softwareHouse>
                  <infoComplementares>
                    <situacaoPJ>
                      <indSitPJ>0</indSitPJ>
                    </situacaoPJ>
                  </infoComplementares>
                </infoCadastro>
              </inclusao>
            </infoEmpregador>
          </evtInfoEmpregador>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
              <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
              <Reference URI="">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>............................................</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>...........................................</SignatureValue>
            <KeyInfo>
              <X509Data>
                <X509Certificate>..................................</X509Certificate>
              </X509Data>
            </KeyInfo>
          </Signature>
        </eSocial>
      </evento>
    </eventos>
  </envioLoteEventos>
</eSocial>

I'm developing with .NET and C#, in case I can help with anything else.

I hope I have helped,

Jean Guilherme

    
15.12.2017 / 12:35
1

Jean already listed most of the problems that normally cause this invalid signature error, but as it is a very common problem, I will repeat here the answer I gave in other posts, which adds some points and gives example code in C#.

Some basic tips to follow to sign successfully:

  • You must use only the event XML to generate the signature, and then the signed event XML is embedded in the batch XML. The batch XML must never be signed; only the events are individually signed.
  • The eSocial event root tag should not contain the xmlns:xsi and xmlns:xsd elements, which are typically added automatically by the serializer.
  • Once signed, the event XML must not be changed in any way, otherwise the signature becomes invalid. I've seen people who changed things manually in the XML after signing, and it happened to me that the event XML was written to disk using one encoding and the batch XML, with the signed event inside, was written using another encoding, which also invalidated the signature.

I made a page a while back with some tips on signing an eSocial event XML:

link

But, briefly, the code I am using for eSocial is as follows:

  using System.Security.Cryptography;
  using System.Security.Cryptography.X509Certificates;
  using System.Security.Cryptography.Xml;
  using System.Xml;

  //
  // SignedXml.CheckSignature Method (X509Certificate2, Boolean) -> Examples [SHA1]
  // https://msdn.microsoft.com/en-us/library/ms148731(v=vs.110).aspx
  //
  // Using SHA256 with the SignedXml Class
  // https://blogs.msdn.microsoft.com/winsdk/2015/11/14/using-sha256-with-the-signedxml-class/
  //
  private static void SignXmlDoc(XmlDocument xmlDoc, X509Certificate2 certificate)
  {
     //
     // https://docs.microsoft.com/en-us/dotnet/framework/whats-new/#Crypto462
     //
     // SignedXml support for SHA-2 hashing: the .NET Framework 4.6.2 adds support
     // to the SignedXml class for RSA-SHA256, RSA-SHA384, and RSA-SHA512 PKCS#1
     // signature methods, and SHA256, SHA384, and SHA512 reference digest algorithms.
     //
     // Any programs that have registered a custom SignatureDescription handler into CryptoConfig
     // to add support for these algorithms will continue to function as they did in the past, but
     // since there are now platform defaults, the CryptoConfig registration is no longer necessary.
     //
     //// Before 4.6.2, a SignatureDescription class defining the DigestAlgorithm as SHA256 had to be registered.
     //// You have to reference the System.Deployment assembly in your project.
     //CryptoConfig.AddAlgorithm(
     //   typeof(System.Deployment.Internal.CodeSigning.RSAPKCS1SHA256SignatureDescription),
     //   "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
     // RSAPKCS1SHA256SignatureDescription -> available since .NET Framework 4.5

     SignedXml signedXml = new SignedXml(xmlDoc);

     // Add the private key to the SignedXml document.
     signedXml.SigningKey = certificate.GetRSAPrivateKey();   // available since .NET Framework 4.6
     //signedXml.SigningKey = GetRSAPrivateKey(certificate);

     //
     // https://docs.microsoft.com/en-us/dotnet/framework/whats-new/#Crypto462
     //
     // SignedXml support for SHA-2 hashing: the .NET Framework 4.6.2 adds support
     // to the SignedXml class for RSA-SHA256, RSA-SHA384, and RSA-SHA512 PKCS#1
     // signature methods, and SHA256, SHA384, and SHA512 reference digest algorithms.
     signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

     // Create a reference to be signed. Pass "" to specify that
     // all of the current XML document should be signed.
     Reference reference = new Reference(string.Empty);

     // Enveloped-signature transform (exclude the Signature element itself), then C14N.
     reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
     reference.AddTransform(new XmlDsigC14NTransform());
     reference.DigestMethod = SignedXml.XmlDsigSHA256Url; // "http://www.w3.org/2001/04/xmlenc#sha256"

     // Add the reference to the SignedXml object.
     signedXml.AddReference(reference);

     signedXml.KeyInfo = new KeyInfo();
     // Load the certificate into a KeyInfoX509Data object
     // and add it to the KeyInfo object.
     signedXml.KeyInfo.AddClause(new KeyInfoX509Data(certificate));

     // Compute the signature.
     signedXml.ComputeSignature();

     // Get the XML representation of the signature and save
     // it to an XmlElement object.
     XmlElement xmlDigitalSignature = signedXml.GetXml();

     // Append the Signature element to the event root.
     xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

     // Drop the <?xml ...?> declaration, which the event must not carry.
     if (xmlDoc.FirstChild is XmlDeclaration)
        xmlDoc.RemoveChild(xmlDoc.FirstChild);
  }

If you also have to sign the EFD-Reinf events, the only difference is that there the Reference.URI element should contain the event ID, with the # character in front; in eSocial this element must be empty. So for EFD-Reinf the line that creates the Reference object, in the function I showed, should be changed to:

     Reference reference = new Reference("#" + idEvento);

I have a page with some examples of eSocial XML that, although they are outdated (all the examples on the page are in layout v2.2.02, and the current one is v2.4.01), are useful to see clearly what should be signed (only the event XML) and what should not be signed (the batch XML):

link

    
20.02.2018 / 04:55
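The following is an added example, not code from the question or from either answer. It strings together the steps Jean lists (assemble, validate, sign, insert in batch, send) and the tips in the second answer (sign only the event, strip xmlns:xsi/xmlns:xsd before signing, never touch the event after signing, use one encoding), and adds the check a practitioner wants before sending: verify the signature locally, first on the event and then again after the event has been extracted from the batch, so a "changed after signing" problem shows up on your side instead of as error 405/142 from the web service. The namespace URIs and element names are the ones on this page; the class and method names, the batch skeleton, and how the certificate is obtained are assumptions.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Added example; class/method names and the batch skeleton are assumptions,
// namespace URIs and element names come from the page.
public static class ESocialEventSigner
{
    const string BatchNs = "http://www.esocial.gov.br/schema/lote/eventos/envio/v1_1_1";

    // Steps 1-2: load the serialized (and already XSD-validated) event with whitespace
    // preserved and drop the xmlns:xsi / xmlns:xsd declarations the serializer adds.
    // This must happen before signing; removing them afterwards changes the digest.
    public static XmlDocument LoadEvent(string eventXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(eventXml);
        doc.DocumentElement.RemoveAttribute("xmlns:xsi");
        doc.DocumentElement.RemoveAttribute("xmlns:xsd");
        return doc;
    }

    // Step 3: enveloped RSA-SHA256 signature over the whole event (Reference URI "").
    public static void Sign(XmlDocument eventDoc, X509Certificate2 certificate)
    {
        var signedXml = new SignedXml(eventDoc) { SigningKey = certificate.GetRSAPrivateKey() };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;  // .NET 4.6.2+

        var reference = new Reference(string.Empty);   // EFD-Reinf would use "#" + idEvento
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigC14NTransform());
        reference.DigestMethod = SignedXml.XmlDsigSHA256Url;
        signedXml.AddReference(reference);

        signedXml.KeyInfo = new KeyInfo();
        signedXml.KeyInfo.AddClause(new KeyInfoX509Data(certificate));
        signedXml.ComputeSignature();

        eventDoc.DocumentElement.AppendChild(eventDoc.ImportNode(signedXml.GetXml(), true));
        if (eventDoc.FirstChild is XmlDeclaration)
            eventDoc.RemoveChild(eventDoc.FirstChild);
    }

    // Verify a signed event with the certificate carried in its own KeyInfo.
    // verifySignatureOnly = true checks digest and signature, not the certificate chain.
    public static bool Verify(XmlDocument eventDoc)
    {
        var nodes = eventDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;
        var signedXml = new SignedXml(eventDoc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
            if (clause is KeyInfoX509Data x509 && x509.Certificates.Count > 0)
                return signedXml.CheckSignature((X509Certificate2)x509.Certificates[0], true);
        return false;
    }

    // Step 4: embed the signed event in the batch. The batch itself is never signed.
    public static XmlDocument BuildBatch(XmlDocument signedEvent, string idEvento,
                                        string nrInscEmpregador, string nrInscTransmissor)
    {
        var batch = new XmlDocument { PreserveWhitespace = true };
        batch.LoadXml("<eSocial xmlns=\"" + BatchNs + "\"><envioLoteEventos grupo=\"1\">"
            + "<ideEmpregador><tpInsc>1</tpInsc><nrInsc>" + nrInscEmpregador + "</nrInsc></ideEmpregador>"
            + "<ideTransmissor><tpInsc>1</tpInsc><nrInsc>" + nrInscTransmissor + "</nrInsc></ideTransmissor>"
            + "<eventos/></envioLoteEventos></eSocial>");
        var evento = batch.CreateElement("evento", BatchNs);
        evento.SetAttribute("Id", idEvento);
        evento.AppendChild(batch.ImportNode(signedEvent.DocumentElement, true));
        batch.GetElementsByTagName("eventos", BatchNs)[0].AppendChild(evento);
        return batch;
    }

    // Pre-send check: pull each event back out of the batch as a stand-alone document and
    // verify it again. Anything that altered the event while the batch was assembled
    // (re-serialization with another encoding, namespace rewriting, manual edits) fails here.
    public static bool VerifyEmbeddedEvents(XmlDocument batch)
    {
        foreach (XmlElement evento in batch.GetElementsByTagName("evento", BatchNs))
        {
            var standalone = new XmlDocument { PreserveWhitespace = true };
            standalone.LoadXml(((XmlElement)evento.FirstChild).OuterXml);
            if (!Verify(standalone)) return false;
        }
        return true;
    }

    // Step 5: serialize for sending with one explicit encoding (BOM-less UTF-8); use the
    // same settings wherever the event or the batch is written to disk.
    public static byte[] ToUtf8Bytes(XmlDocument doc)
    {
        var settings = new XmlWriterSettings { Encoding = new UTF8Encoding(false), OmitXmlDeclaration = true };
        using (var ms = new MemoryStream())
        using (var writer = XmlWriter.Create(ms, settings))
        {
            doc.Save(writer);
            writer.Flush();
            return ms.ToArray();
        }
    }
}
```

Typical use: `var ev = ESocialEventSigner.LoadEvent(serializedEvent); ESocialEventSigner.Sign(ev, cert);` then `var batch = ESocialEventSigner.BuildBatch(ev, idEvento, "12345678", "87654321");` and only send `ESocialEventSigner.ToUtf8Bytes(batch)` if `ESocialEventSigner.VerifyEmbeddedEvents(batch)` returns true. The second verification deliberately re-parses the event from its OuterXml rather than verifying the element inside the batch document: with Reference URI "" the digest covers the whole containing document, so verifying in place would hash the batch instead of the event, which is exactly the mistake the answers warn about.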