@timbra-ec/sri 0.1.0

package/src/signing/xades-bes.ts

@@ -0,0 +1,188 @@
+import forge from 'node-forge'
+import { DOMParser, XMLSerializer } from '@xmldom/xmldom'
+import * as xmlCrypto from 'xml-crypto'
+import type { ParsedCertificate } from './certificate'
+import { SriSigningError } from '../errors'
+
+const DS_NS = 'http://www.w3.org/2000/09/xmldsig#'
+const ETSI_NS = 'http://uri.etsi.org/01903/v1.3.2#'
+const C14N_ALGO = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'
+const SHA1_ALGO = 'http://www.w3.org/2000/09/xmldsig#sha1'
+const RSA_SHA1_ALGO = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+const ENVELOPED_ALGO = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+
+/** Compute SHA-1 digest and return base64-encoded result */
+function sha1Base64(data: string): string {
+  const md = forge.md.sha1.create()
+  md.update(data, 'utf8')
+  return forge.util.encode64(md.digest().getBytes())
+}
+
+/** Canonicalize an XML node using C14N 1.0 */
+function canonicalize(node: Node): string {
+  const c14n = new xmlCrypto.C14nCanonicalization()
+  return c14n.process(node, { defaultNsForPrefix: {}, ancestorNamespaces: [] })
+}
+
+/** Get base64-encoded DER certificate */
+function certToBase64(cert: forge.pki.Certificate): string {
+  const asn1 = forge.pki.certificateToAsn1(cert)
+  const der = forge.asn1.toDer(asn1).getBytes()
+  return forge.util.encode64(der)
+}
+
+/** Get RSA modulus as base64 */
+function getModulus(key: forge.pki.rsa.PrivateKey): string {
+  const n = (key as unknown as { n: forge.jsbn.BigInteger }).n
+  return forge.util.encode64(forge.util.hexToBytes(n.toString(16)))
+}
+
+/** Get RSA public exponent as base64 */
+function getExponent(key: forge.pki.rsa.PrivateKey): string {
+  const e = (key as unknown as { e: forge.jsbn.BigInteger }).e
+  return forge.util.encode64(forge.util.hexToBytes(e.toString(16)))
+}
+
+/** RSA-SHA1 sign data and return base64 signature */
+function rsaSha1Sign(data: string, privateKey: forge.pki.rsa.PrivateKey): string {
+  const md = forge.md.sha1.create()
+  md.update(data, 'utf8')
+  const signature = privateKey.sign(md)
+  return forge.util.encode64(signature)
+}
+
+/** Format issuer DN in RFC 2253 format for XAdES */
+function issuerDN(cert: forge.pki.Certificate): string {
+  return cert.issuer.attributes
+    .reverse()
+    .map((a) => `${a.shortName ?? a.name}=${a.value}`)
+    .join(',')
+}
+
+/**
+ * Sign an XML document using XAdES-BES as required by Ecuador's SRI.
+ *
+ * The XML must have `id="comprobante"` on its root element.
+ * Uses SHA-1 digest and RSA-SHA1 signature (SRI requirement).
+ * The `<ds:Signature>` is inserted as the last child of the root element.
+ */
+export function signXml(xml: string, certificate: ParsedCertificate): string {
+  const { privateKey, certificate: cert } = certificate
+
+  const parser = new DOMParser()
+  const doc = parser.parseFromString(xml, 'text/xml')
+  const root = doc.documentElement
+  if (!root) {
+    throw new SriSigningError('Invalid XML: no root element')
+  }
+
+  const signingTime = new Date().toISOString().replace('Z', '-05:00')
+  const certBase64 = certToBase64(cert)
+  const certDigest = sha1Base64(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes())
+  const issuerName = issuerDN(cert)
+  const serialNumber = cert.serialNumber
+
+  // --- Build QualifyingProperties ---
+  const signedPropsXml = [
+    `<etsi:SignedProperties xmlns:etsi="${ETSI_NS}" xmlns:ds="${DS_NS}" Id="SignedProperties">`,
+    `<etsi:SignedSignatureProperties>`,
+    `<etsi:SigningTime>${signingTime}</etsi:SigningTime>`,
+    `<etsi:SigningCertificate>`,
+    `<etsi:Cert>`,
+    `<etsi:CertDigest>`,
+    `<ds:DigestMethod Algorithm="${SHA1_ALGO}"/>`,
+    `<ds:DigestValue>${certDigest}</ds:DigestValue>`,
+    `</etsi:CertDigest>`,
+    `<etsi:IssuerSerial>`,
+    `<ds:X509IssuerName>${issuerName}</ds:X509IssuerName>`,
+    `<ds:X509SerialNumber>${parseInt(serialNumber, 16)}</ds:X509SerialNumber>`,
+    `</etsi:IssuerSerial>`,
+    `</etsi:Cert>`,
+    `</etsi:SigningCertificate>`,
+    `</etsi:SignedSignatureProperties>`,
+    `<etsi:SignedDataObjectProperties>`,
+    `<etsi:DataObjectFormat ObjectReference="#Reference-ID">`,
+    `<etsi:Description>contenido comprobante</etsi:Description>`,
+    `<etsi:MimeType>text/xml</etsi:MimeType>`,
+    `</etsi:DataObjectFormat>`,
+    `</etsi:SignedDataObjectProperties>`,
+    `</etsi:SignedProperties>`,
+  ].join('')
+
+  // --- Build KeyInfo ---
+  const keyInfoXml = [
+    `<ds:KeyInfo xmlns:ds="${DS_NS}" Id="Certificate">`,
+    `<ds:X509Data>`,
+    `<ds:X509Certificate>${certBase64}</ds:X509Certificate>`,
+    `</ds:X509Data>`,
+    `<ds:KeyValue>`,
+    `<ds:RSAKeyValue>`,
+    `<ds:Modulus>${getModulus(privateKey)}</ds:Modulus>`,
+    `<ds:Exponent>${getExponent(privateKey)}</ds:Exponent>`,
+    `</ds:RSAKeyValue>`,
+    `</ds:KeyValue>`,
+    `</ds:KeyInfo>`,
+  ].join('')
+
+  // --- Compute digests ---
+
+  // 1. Document digest (with enveloped-signature transform — digest the doc as-is since signature isn't inserted yet)
+  const docDigest = sha1Base64(canonicalize(root))
+
+  // 2. SignedProperties digest
+  const signedPropsDoc = parser.parseFromString(signedPropsXml, 'text/xml')
+  const signedPropsDigest = sha1Base64(canonicalize(signedPropsDoc))
+
+  // 3. KeyInfo digest
+  const keyInfoDoc = parser.parseFromString(keyInfoXml, 'text/xml')
+  const keyInfoDigest = sha1Base64(canonicalize(keyInfoDoc))
+
+  // --- Build SignedInfo ---
+  const signedInfoXml = [
+    `<ds:SignedInfo xmlns:ds="${DS_NS}" Id="SignedInfo">`,
+    `<ds:CanonicalizationMethod Algorithm="${C14N_ALGO}"/>`,
+    `<ds:SignatureMethod Algorithm="${RSA_SHA1_ALGO}"/>`,
+    `<ds:Reference Id="Reference-ID" URI="#comprobante">`,
+    `<ds:Transforms>`,
+    `<ds:Transform Algorithm="${ENVELOPED_ALGO}"/>`,
+    `</ds:Transforms>`,
+    `<ds:DigestMethod Algorithm="${SHA1_ALGO}"/>`,
+    `<ds:DigestValue>${docDigest}</ds:DigestValue>`,
+    `</ds:Reference>`,
+    `<ds:Reference URI="#SignedProperties" Type="http://uri.etsi.org/01903#SignedProperties">`,
+    `<ds:DigestMethod Algorithm="${SHA1_ALGO}"/>`,
+    `<ds:DigestValue>${signedPropsDigest}</ds:DigestValue>`,
+    `</ds:Reference>`,
+    `<ds:Reference URI="#Certificate">`,
+    `<ds:DigestMethod Algorithm="${SHA1_ALGO}"/>`,
+    `<ds:DigestValue>${keyInfoDigest}</ds:DigestValue>`,
+    `</ds:Reference>`,
+    `</ds:SignedInfo>`,
+  ].join('')
+
+  // --- Sign ---
+  const signedInfoDoc = parser.parseFromString(signedInfoXml, 'text/xml')
+  const canonicalSignedInfo = canonicalize(signedInfoDoc)
+  const signatureValue = rsaSha1Sign(canonicalSignedInfo, privateKey)
+
+  // --- Assemble full Signature element ---
+  const signatureXml = [
+    `<ds:Signature xmlns:ds="${DS_NS}" xmlns:etsi="${ETSI_NS}" Id="Signature">`,
+    signedInfoXml,
+    `<ds:SignatureValue>${signatureValue}</ds:SignatureValue>`,
+    keyInfoXml,
+    `<ds:Object Id="XadesObjectId">`,
+    `<etsi:QualifyingProperties Target="#Signature">`,
+    signedPropsXml,
+    `</etsi:QualifyingProperties>`,
+    `</ds:Object>`,
+    `</ds:Signature>`,
+  ].join('')
+
+  // --- Insert signature into document ---
+  const sigDoc = parser.parseFromString(signatureXml, 'text/xml')
+  const imported = doc.importNode(sigDoc.documentElement!, true)
+  root.appendChild(imported)
+
+  return new XMLSerializer().serializeToString(doc)
+}

package/src/soap/autorizacion.ts

@@ -0,0 +1,139 @@
+import { DOMParser } from '@xmldom/xmldom'
+import type { SriEnvironment, SriAutorizacionResponse, SriMensaje } from '@timbra-ec/types'
+import { SRI_URLS } from '@timbra-ec/types'
+import { SriSoapError, SriTimeoutError } from '../errors'
+import { soapCall } from './client'
+
+export interface PollOptions {
+  /** Maximum number of authorization queries (default: 10) */
+  maxAttempts?: number
+  /** Milliseconds between retries (default: 2000) */
+  intervalMs?: number
+  /** AbortSignal for cancellation */
+  signal?: AbortSignal
+}
+
+/** Extract text content of a tag from a parent element */
+function getTagText(parent: Element | Document, tag: string): string {
+  const el = parent.getElementsByTagName(tag)[0]
+  return el?.textContent ?? ''
+}
+
+/** Parse SRI mensajes from an autorizacion element */
+function parseMensajes(parent: Element | Document): SriMensaje[] {
+  const mensajes: SriMensaje[] = []
+  const mensajeEls = parent.getElementsByTagName('mensaje')
+
+  for (let i = 0; i < mensajeEls.length; i++) {
+    const el = mensajeEls[i]!
+    mensajes.push({
+      identificador: getTagText(el, 'identificador'),
+      mensaje: getTagText(el, 'mensaje'),
+      informacionAdicional: getTagText(el, 'informacionAdicional') || undefined,
+      tipo: getTagText(el, 'tipo') as SriMensaje['tipo'],
+    })
+  }
+
+  return mensajes
+}
+
+function delay(ms: number, signal?: AbortSignal): Promise<void> {
+  return new Promise((resolve, reject) => {
+    if (signal?.aborted) {
+      reject(new SriTimeoutError('Authorization query aborted'))
+      return
+    }
+    const timer = setTimeout(resolve, ms)
+    signal?.addEventListener(
+      'abort',
+      () => {
+        clearTimeout(timer)
+        reject(new SriTimeoutError('Authorization query aborted'))
+      },
+      { once: true },
+    )
+  })
+}
+
+/**
+ * Query SRI for the authorization status of a document.
+ *
+ * Polls the autorizacionComprobante service using the clave de acceso.
+ * Retries when status is EN PROCESO, up to maxAttempts times.
+ *
+ * Returns the authorization response when AUTORIZADO.
+ * Throws SriSoapError when NO AUTORIZADO.
+ * Throws SriTimeoutError when max attempts exhausted.
+ */
+export async function queryAutorizacion(
+  claveAcceso: string,
+  environment: SriEnvironment,
+  options?: PollOptions,
+): Promise<SriAutorizacionResponse> {
+  const maxAttempts = options?.maxAttempts ?? 10
+  const intervalMs = options?.intervalMs ?? 2000
+  const signal = options?.signal
+
+  const url = environment === '1' ? SRI_URLS.TEST.AUTORIZACION : SRI_URLS.PRODUCTION.AUTORIZACION
+
+  const body = [
+    '<aut:autorizacionComprobante xmlns:aut="http://ec.gob.sri.ws.autorizacion">',
+    `<claveAccesoComprobante>${claveAcceso}</claveAccesoComprobante>`,
+    '</aut:autorizacionComprobante>',
+  ].join('')
+
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    if (signal?.aborted) {
+      throw new SriTimeoutError('Authorization query aborted')
+    }
+
+    const responseXml = await soapCall(url, body, signal)
+
+    const parser = new DOMParser()
+    const doc = parser.parseFromString(responseXml, 'text/xml')
+
+    // Find the autorizacion element
+    const autorizacionEls = doc.getElementsByTagName('autorizacion')
+    if (autorizacionEls.length === 0) {
+      // No authorization data yet, retry
+      if (attempt < maxAttempts) {
+        await delay(intervalMs, signal)
+        continue
+      }
+      throw new SriTimeoutError(`No authorization response after ${maxAttempts} attempts`)
+    }
+
+    const autorizacion = autorizacionEls[0]!
+    const estado = getTagText(autorizacion, 'estado')
+    const mensajes = parseMensajes(autorizacion)
+
+    if (estado === 'AUTORIZADO') {
+      return {
+        estado: 'AUTORIZADO',
+        numeroAutorizacion: getTagText(autorizacion, 'numeroAutorizacion'),
+        fechaAutorizacion: getTagText(autorizacion, 'fechaAutorizacion'),
+        ambiente: getTagText(autorizacion, 'ambiente'),
+        comprobante: getTagText(autorizacion, 'comprobante'),
+        mensajes,
+      }
+    }
+
+    if (estado === 'NO AUTORIZADO') {
+      const errorMsg = mensajes.map((m) => `[${m.identificador}] ${m.mensaje}`).join('; ')
+      throw new SriSoapError(
+        `SRI denied authorization: ${errorMsg}`,
+        mensajes[0]?.identificador,
+        mensajes,
+      )
+    }
+
+    // EN PROCESO — retry after interval
+    if (attempt < maxAttempts) {
+      await delay(intervalMs, signal)
+    }
+  }
+
+  throw new SriTimeoutError(
+    `Authorization still EN PROCESO after ${maxAttempts} attempts for clave ${claveAcceso}`,
+  )
+}

package/src/soap/client.ts

@@ -0,0 +1,45 @@
+import { SriSoapError } from '../errors'
+
+/**
+ * Make a SOAP call to SRI web services.
+ * Returns the raw XML response body.
+ */
+export async function soapCall(url: string, body: string, signal?: AbortSignal): Promise<string> {
+  // Strip ?wsdl from URL — we call the service endpoint directly
+  const serviceUrl = url.replace(/\?wsdl$/i, '')
+
+  const envelope = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">',
+    '<soapenv:Body>',
+    body,
+    '</soapenv:Body>',
+    '</soapenv:Envelope>',
+  ].join('')
+
+  let response: Response
+  try {
+    response = await fetch(serviceUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'text/xml; charset=utf-8',
+      },
+      body: envelope,
+      signal,
+    })
+  } catch (err) {
+    throw new SriSoapError(
+      `Network error connecting to SRI: ${err instanceof Error ? err.message : String(err)}`,
+    )
+  }
+
+  const responseText = await response.text()
+
+  if (!response.ok) {
+    throw new SriSoapError(
+      `SRI returned HTTP ${response.status}: ${responseText.substring(0, 500)}`,
+    )
+  }
+
+  return responseText
+}

package/src/soap/recepcion.ts

@@ -0,0 +1,83 @@
+import { DOMParser } from '@xmldom/xmldom'
+import type { SriEnvironment, SriRecepcionResponse, SriMensaje } from '@timbra-ec/types'
+import { SRI_URLS } from '@timbra-ec/types'
+import { SriSoapError } from '../errors'
+import { soapCall } from './client'
+
+/** Extract text content of a tag from a parent element */
+function getTagText(parent: Element, tag: string): string {
+  const el = parent.getElementsByTagName(tag)[0]
+  return el?.textContent ?? ''
+}
+
+/** Parse SRI mensajes from a comprobante element */
+function parseMensajes(comprobante: Element): SriMensaje[] {
+  const mensajes: SriMensaje[] = []
+  const mensajeEls = comprobante.getElementsByTagName('mensaje')
+
+  for (let i = 0; i < mensajeEls.length; i++) {
+    const el = mensajeEls[i]!
+    mensajes.push({
+      identificador: getTagText(el, 'identificador'),
+      mensaje: getTagText(el, 'mensaje'),
+      informacionAdicional: getTagText(el, 'informacionAdicional') || undefined,
+      tipo: getTagText(el, 'tipo') as SriMensaje['tipo'],
+    })
+  }
+
+  return mensajes
+}
+
+/**
+ * Submit a signed XML document to SRI's reception service (validarComprobante).
+ *
+ * The signed XML is base64-encoded and sent via SOAP.
+ * Returns RECIBIDA if accepted, throws SriSoapError if DEVUELTA.
+ */
+export async function submitComprobante(
+  signedXml: string,
+  environment: SriEnvironment,
+  signal?: AbortSignal,
+): Promise<SriRecepcionResponse> {
+  const url = environment === '1' ? SRI_URLS.TEST.RECEPCION : SRI_URLS.PRODUCTION.RECEPCION
+
+  const xmlBase64 = Buffer.from(signedXml, 'utf-8').toString('base64')
+
+  const body = [
+    '<ec:validarComprobante xmlns:ec="http://ec.gob.sri.ws.recepcion">',
+    `<xml>${xmlBase64}</xml>`,
+    '</ec:validarComprobante>',
+  ].join('')
+
+  const responseXml = await soapCall(url, body, signal)
+
+  const parser = new DOMParser()
+  const doc = parser.parseFromString(responseXml, 'text/xml')
+
+  const estado = getTagText(doc.documentElement!, 'estado')
+
+  const comprobantes: SriRecepcionResponse['comprobantes'] = []
+  const comprobanteEls = doc.getElementsByTagName('comprobante')
+
+  for (let i = 0; i < comprobanteEls.length; i++) {
+    const el = comprobanteEls[i]!
+    comprobantes.push({
+      claveAcceso: getTagText(el, 'claveAcceso'),
+      mensajes: parseMensajes(el),
+    })
+  }
+
+  const response: SriRecepcionResponse = { estado: estado as 'RECIBIDA' | 'DEVUELTA', comprobantes }
+
+  if (estado === 'DEVUELTA') {
+    const allMensajes = comprobantes.flatMap((c) => c.mensajes)
+    const errorMsg = allMensajes.map((m) => `[${m.identificador}] ${m.mensaje}`).join('; ')
+    throw new SriSoapError(
+      `SRI rejected document: ${errorMsg}`,
+      allMensajes[0]?.identificador,
+      allMensajes,
+    )
+  }
+
+  return response
+}