digital signature in xml files for e-social

0

Hello, I need to clear up some doubts regarding the signature when sending the XML to eSocial; here I am basing myself on the article #

$objXMLSecurityDSig->add509Cert(file_get_contents('/path_para_chave_PEM_publica'));

What exactly would that key be? Does it come from the chain of certificates that eSocial asks to be installed on the machine that will make the access?

The same question applies here

$objXMLSecurityKey->loadKey('/path_para_chave_PEM_privada', TRUE);

Whereas in another case I have the following:

'local_cert' => '/path_para_chaves_PEM_privada_e_publica_combinadas_em_um_unico_arquivo',

This left me with more doubts: is this a public and private key configured in a single file?

It uses the PHP library for digital signature of XML files.

asked by anonymous 08.03.2018 / 14:23

1 answer

3

I do not know PHP, and I've never seen RobRichards' XMLSecLibs library, but I'm also developing for eSocial (.NET) and know something about the procedure for signing the events and communicating with the service, so I will try to help.

You said that you are in doubt about these 3 passages regarding the certificate:

$objXMLSecurityDSig->add509Cert(file_get_contents('/path_para_chave_PEM_publica'));

$objXMLSecurityKey->loadKey('/path_para_chave_PEM_privada', TRUE);

'local_cert' => '/path_para_chaves_PEM_privada_e_publica_combinadas_em_um_unico_arquivo',

eSocial requires an A1 or A3 digital certificate, both to sign the events and to communicate with the service. In Windows, the A1 certificate usually comes in a .pfx file, which contains both the public key and the private key, and you can install this file in Windows and use it from the Windows certificate store, or open the file directly. In my case I always use the certificate installed in the Windows repository.

As I said, I do not know the XMLSecLibs library, so I cannot tell you if it accepts a .pfx file directly, or if it accepts only .pem, but I did a quick search and found that .pem files can also store the public key and the private key, just like the .pfx file, and you can convert a .pfx file to the .pem format.

Here are some links that explain this better:

Digital Certificate Summary - Knowledge Base link

SECURITY, What are the differences between the PEM, DER, P7B/PKCS#7, PFX/PKCS#12 certificates? link

Conversion of PFX CA certificate (TYPE A1) to PEM link

So I think you can get a valid A1 digital certificate in .pfx format and convert it to a .pem file, as in the linked examples (using some OpenSSL tool):

openssl pkcs12 -in certificado.pfx -out certificado.pem -nodes

Once you have done this, I imagine you can use this certificado.pem file on all 3 lines you were in doubt about, because it will contain the public key and the private key of your A1 certificate, and it is your A1 certificate that is required to sign the eSocial events and to open communication with the eSocial service (the first two lines of doubt refer to the signature, and the third refers to the transmission).

This certificate used for the signature must have the same CNPJ (or CPF) as the employer whose events are being signed, or it may be another CNPJ/CPF as long as you have registered a power of attorney on the e-CAC site of the Receita Federal.

09.03.2018 / 13:06
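Assuming the openssl CLI is on the PATH, here is an added example (not code from the question, the answer or XMLSecLibs) that builds a constructed self-signed stand-in for an A1 certificate, runs the .pfx to .pem conversion the answer describes, splits the combined file into the public part for add509Cert() and the private part for loadKey(), and checks that the two really belong together. All file names and the PFX password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes the openssl CLI is on PATH; names and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="senha-de-exemplo"   # constructed PFX password

# Stand-in for the A1 certificate you would buy from a CA (self-signed here).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=EMPRESA EXEMPLO" \
        -keyout "$WORK/orig-key.pem" -out "$WORK/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/orig-key.pem" -in "$WORK/orig-cert.pem" \
        -passout "pass:$PASS" -out "$WORK/certificado.pfx"
}

# The conversion from the answer. -nodes writes the private key unencrypted,
# so the output must be readable only by the process that signs the events.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/certificado.pfx" -passin "pass:$PASS" -nodes \
        -out "$WORK/certificado.pem"
    chmod 600 "$WORK/certificado.pem"
}

# certificado.pem is the 'local_cert' file (cert + key together). Split it into
# the public part for add509Cert() and the private part for loadKey().
split_pem() {
    openssl x509 -in "$WORK/certificado.pem" -out "$WORK/chave_publica.pem"
    openssl pkey -in "$WORK/certificado.pem" -out "$WORK/chave_privada.pem"
    chmod 600 "$WORK/chave_privada.pem"
}

# A signature made with the private key only validates against the certificate
# if both carry the same public key; compare them before configuring anything.
keys_match() {   # usage: keys_match CERT_PEM KEY_PEM
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

make_test_pfx
pfx_to_pem
split_pem
keys_match "$WORK/chave_publica.pem" "$WORK/chave_privada.pem" && echo "cert and key match"
```

With a real A1 certificate, replace make_test_pfx with your purchased certificado.pfx and keep the rest; the split files are the ones to point add509Cert() and loadKey() at.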