Banco Central .p12 support (#47)

bryancalisto · t1000 · web-flow · commit a97480c1b827 · 2025-03-26T13:06:24.000-05:00
* Extract the banco central private key with its own method

* updates

---------

Co-authored-by: t1000 &lt;t1000@t1000s-MacBook-Pro.local&gt;
diff --git a/ec-sri-invoice-signer/src/utils/cryptography.ts b/ec-sri-invoice-signer/src/utils/cryptography.ts
@@ -9,6 +9,25 @@ const getHash = (data: string) => {
   return forge.util.encode64(forge.sha1.create().update(data, 'utf8').digest().bytes());
 }
 
+const getBancoCentralPkcs12PrivateKey = (pkcs8ShroudedKeyBags: forge.pkcs12.Bag[]) => {
+    const privateKeyBag = pkcs8ShroudedKeyBags.find((bag) => {
+      const name = bag?.attributes?.friendlyName?.[0];
+      return /signing key/i.test(name);
+    });
+
+    if (!privateKeyBag) {
+      throw new UnsuportedPkcs12Error("No key bag with friendly name 'Signing Key' found in the key bags of 'Banco Central del Ecuador' .p12");
+    }
+
+    const privateKey = privateKeyBag.key as forge.pki.rsa.PrivateKey;
+
+    if (!privateKey) {
+      throw new UnsuportedPkcs12Error("No valid key found in 'Banco Central del Ecuador' .p12");
+    }
+
+    return privateKey;
+}
+
 const extractPrivateKeyAndCertificateFromPkcs12 = (pkcs12RawData: string | Buffer, password: string = '') => {
   const pkcs12InBase64 = typeof pkcs12RawData === 'string' ? pkcs12RawData : pkcs12RawData.toString('base64');
   const pkcs12InDer = forge.util.decode64(pkcs12InBase64);
@@ -17,17 +36,31 @@ const extractPrivateKeyAndCertificateFromPkcs12 = (pkcs12RawData: string | Buffe
   const certBags = p12.getBags({ bagType: forge.pki.oids.certBag });
   const certBag = certBags[forge.pki.oids.certBag]?.[0];
   const pkcs8ShroudedKeyBags = p12.getBags({ bagType: forge.pki.oids.pkcs8ShroudedKeyBag });
-  const pkcs8ShroudedKeyBag = pkcs8ShroudedKeyBags[forge.pki.oids.pkcs8ShroudedKeyBag]?.[0];
 
-  if (!certBag || !pkcs8ShroudedKeyBag) {
+  if (!certBag || !pkcs8ShroudedKeyBags) {
     throw new UnsuportedPkcs12Error();
   }
 
-  const privateKey = pkcs8ShroudedKeyBag.key as forge.pki.rsa.PrivateKey;
+  const friendlyName = certBag?.attributes?.friendlyName?.[0];
+
   const certificate = certBag.cert;
 
-  if (!privateKey || !certificate) {
-    throw new UnsuportedPkcs12Error();
+  if (!certificate) {
+    throw new UnsuportedPkcs12Error("Couldn't find its certificate");
+  }
+
+  let privateKey: forge.pki.rsa.PrivateKey | null = null;
+
+  if (/banco central/i.test(friendlyName)) {
+    privateKey = getBancoCentralPkcs12PrivateKey(pkcs8ShroudedKeyBags[forge.pki.oids.pkcs8ShroudedKeyBag] ?? []);
+  }
+  else {
+    const firstPkcs8ShroudedKeyBag = pkcs8ShroudedKeyBags[forge.pki.oids.pkcs8ShroudedKeyBag]?.[0];
+    privateKey = firstPkcs8ShroudedKeyBag?.key ? firstPkcs8ShroudedKeyBag.key as forge.pki.rsa.PrivateKey : null;
+  }
+
+  if (!privateKey) {
+    throw new UnsuportedPkcs12Error("Couldn't find its private key");
   }
 
   return {
diff --git a/ec-sri-invoice-signer/src/utils/errors.ts b/ec-sri-invoice-signer/src/utils/errors.ts
@@ -10,8 +10,13 @@ class XmlFormatError extends Error {
 class UnsuportedPkcs12Error extends Error {
   name: string = 'UnsuportedPkcs12Error';
 
-  constructor() {
-    const message = "The used pkcs12 file is not supported";
+  constructor(extraMessage?: string) {
+    let message = "The used .p12 file is not supported";
+
+    if (extraMessage) {
+      message += `: ${extraMessage}`;
+    }
+
     super(message);
   }
 }
diff --git a/ec-sri-invoice-signer/test/test-utils/cryptography.ts b/ec-sri-invoice-signer/test/test-utils/cryptography.ts
@@ -4,3 +4,36 @@ export const verifySignature = (preSignData: string, publicKey: forge.pki.rsa.Pu
   const digest = forge.md.sha1.create().update(preSignData, 'utf8');
   return publicKey.verify(digest.digest().bytes(), forge.util.decode64(signature));
 }
+
+/**
+ * NOT WORKING as cannot set the 'Signing Key' friendly name in the pkcs12's cert bag
+ */
+export const createBancoCentralCertificateKeyAndP12 = () => {
+  const keys = forge.pki.rsa.generateKeyPair(4096);
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10);
+  const attrs = [{ name: 'friendlyName', value: 'Signing Key' }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  // Create a PKCS12 structure
+  let p12Asn1 = forge.pkcs12.toPkcs12Asn1(
+    keys.privateKey,
+    [cert],
+    '', // No password
+    { friendlyName: 'Banco Central Del Ecuador' }
+  );
+
+  const certPem = forge.pki.certificateToPem(cert);
+  const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
+  const p12Buffer = Buffer.from(forge.asn1.toDer(p12Asn1).getBytes(), 'binary');
+
+  return { certPem, keyPem, p12Buffer };
+}
+
diff --git a/ec-sri-invoice-signer/test/utils/cryptography.test.ts b/ec-sri-invoice-signer/test/utils/cryptography.test.ts
@@ -1,15 +1,15 @@
 import { expect } from 'chai';
 import { extractIssuerData, extractPrivateKeyAndCertificateFromPkcs12, getHash, sign } from '../../src/utils/cryptography';
-import { verifySignature } from '../test-utils/cryptography';
+import { createBancoCentralCertificateKeyAndP12, verifySignature } from '../test-utils/cryptography';
 import fs from 'fs';
 import path from 'path';
 import * as forge from 'node-forge';
-const signatureP12 = fs.readFileSync(path.resolve('test/test-data/pkcs12/signature.p12'));
 
 describe('Given the sign function', () => {
   it('should return the signature for the input data', () => {
     const data = 'something';
-    const { privateKey, certificate } = extractPrivateKeyAndCertificateFromPkcs12(signatureP12);
+    const p12 = fs.readFileSync(path.resolve('test/test-data/pkcs12/signature.p12'));
+    const { privateKey, certificate } = extractPrivateKeyAndCertificateFromPkcs12(p12);
 
     const resultSignature = sign(data, privateKey);
     const verifiedSuccessfully = verifySignature(data, certificate.publicKey as forge.pki.rsa.PublicKey, resultSignature);
@@ -29,15 +29,31 @@ describe('Given the extractPrivateKeyAndCertificateFromPkcs12 function', () => {
   it('should return an object with the private key and certificate contained in the pkcs12 file', () => {
     const privateKeyPem = fs.readFileSync(path.resolve('test/test-data/pkcs12/privateKey.pem')).toString('utf-8');
     const certificatePem = fs.readFileSync(path.resolve('test/test-data/pkcs12/certificate.pem')).toString('utf-8');
+    const p12 = fs.readFileSync(path.resolve('test/test-data/pkcs12/signature.p12'));
     const password = '';
 
-    const result = extractPrivateKeyAndCertificateFromPkcs12(signatureP12, password);
+    const result = extractPrivateKeyAndCertificateFromPkcs12(p12, password);
 
     // Here we convert from fromPem and toPem to overcome format inconsistencies due to new line encoding and pkcs8 shrouding of private key.
     // This way the comparison is delegated to node-forge functions only becoming abstracted and consistent.
     expect(forge.pki.privateKeyToPem(result.privateKey)).to.equal(forge.pki.privateKeyToPem(forge.pki.privateKeyFromPem(privateKeyPem)));
     expect(forge.pki.certificateToPem(result.certificate)).to.equal(forge.pki.certificateToPem(forge.pki.certificateFromPem(certificatePem)));
   });
+
+  /**
+   * Unskip when createBancoCentralCertificateKeyAndP12 is fixed
+   */
+  it.skip("should return the correct private key for a 'Banco Central del Ecuador' .p12", () => {
+    const { keyPem, certPem, p12Buffer } = createBancoCentralCertificateKeyAndP12();
+    const password = '';
+
+    const result = extractPrivateKeyAndCertificateFromPkcs12(p12Buffer, password);
+
+    // Here we convert from fromPem and toPem to overcome format inconsistencies due to new line encoding and pkcs8 shrouding of private key.
+    // This way the comparison is delegated to node-forge functions only becoming abstracted and consistent.
+    expect(forge.pki.privateKeyToPem(result.privateKey)).to.equal(forge.pki.privateKeyToPem(forge.pki.privateKeyFromPem(keyPem)));
+    expect(forge.pki.certificateToPem(result.certificate)).to.equal(forge.pki.certificateToPem(forge.pki.certificateFromPem(certPem)));
+  });
 });
 
 describe('Give the extractIssuerData function', () => {
diff --git a/ec-sri-invoice-signer/test/utils/errors.test.ts b/ec-sri-invoice-signer/test/utils/errors.test.ts
@@ -9,6 +9,10 @@ describe('XmlFormatError', () => {
 
 describe('UnsuportedPkcs12Error', () => {
   it('Show expected message when thrown', () => {
-    expect(() => { throw new UnsuportedPkcs12Error(); }).throws("The used pkcs12 file is not supported");
+    expect(() => { throw new UnsuportedPkcs12Error(); }).throws("The used .p12 file is not supported");
+  });
+
+  it('Show expected message with additional details if available when thrown', () => {
+    expect(() => { throw new UnsuportedPkcs12Error("Extra details"); }).throws("The used .p12 file is not supported: Extra details");
   });
 });
