FirmaSAT changes 2011


The only versión 3.0 CFDI sample file is wrong!

The only versión 3.0 CFDI sample file we've been able to find on the SAT website is ejemplo1 cfdv3.xml [text], last modifed 21 September 2010. It is full of errors.

The certificado is wrong

The certificado string in the example is wrong. It does not represent a valid X.509 certificate. Someone has missed the letter "j" off the end!

The signatures are wrong

  1. We can extract the SHA-1 message digest from the signature (`sello`) in the sample SAT version 3.0 XML file. We have
    sello="tOSe+Ex/wvn33YlGwtfmrJwQ31Crd7lI9VcH63TGjHfxk5vfb3q9uSbDUGk9TXvo70ydOpikRVw+9B2Six0mbu3PjoPpO909oAYITrRyomdeUGJ4vmA2/12L86EJLWpU7vIt4cL8HpkEw7TOFhSdpzb/890+jP+C1adBsHU1VHc="
    noCertificado="30001000000100000800"
    
    and we used this VB6 code to obtain
    Extracted SHA-1 digest=F5CCE4D1CB527D912FEC725EC51B7EA9A6BE0B10
    

    The fact that we can extract any valid digest from the signature means we have decrypted it correctly. Now to verify this signature we need to reproduce exactly the piped string (cadena original) from the XML file and obtain the same SHA-1 message digest. But we think the piped string for that document according to the specifications should be the following 527 bytes [zipped|hexdump]

    ||3.0|2010-03-06T20:38:12|ingreso|PAGO EN UNA SOLA EXHIBICION|488.50|488.50|PPL961114GZ1|PHARMA PLUS SA DE CV|AV. RIO MIXCOAC|No. 140|ACACIAS|BENITO JUAREZ|MEXICO, D.F.|Mexico|03240|AV. UNIVERSIDAD|1858|OXTOPULCO|DISTRITO FEDERAL|Mexico|03910|PEPJ8001019Q8|JUAN PEREZ PEREZ|AV UNIVERSIDAD|16 EDF 3|DPTO 101|COPILCO UNIVERSIDAD|COYOACAN|DISTRITO FEDERAL|Mexico|04360|1.0|CAPSULAS|VIBRAMICINA 100MG 10|244.00|244.00|1.0|BOTELLA|CLORUTO 500M|137.93|137.93|1.0|TABLETAS|SEDEPRON 250MG 10|84.50|84.50|IVA|0.00|0.00|IVA|16.00|22.07||	
    
    and this has SHA-1 digest
    CEC1B8FCC73C121AC59DF2DD1307476D9A7D4D67
    
    These two digest values should be the same.
  2. Likewise, we can do the same with the TimbreFiscalDigital signature (`selloSAT`).
    selloSAT="j5bSpqM3w0+shGtImqOwqqy6+d659O78ckfstu5vTSFa+2CVMj6Awfr18x4yMLGBwk6ruYbjBlVURodEIl6nJIhTTUtYQV1cbRDG9kvvhaNAakxqaSOnOx79nHxqFPRVoqh10CsjocS9PZkSM2jz1uwLgaF0knf1g8pjDkLYwlk="
    noCertificadoSAT="30001000000100000801"
    
    Extracted SHA-1 digest=2EC741B98A5E1EDE6062957F5E21C36EF279F5FC
    
    But we think the piped string should be the following 258 bytes [zipped|hexdump]
    ||1.0|ad662d33-6934-459c-a128-bdf0393e0f44|2010-03-06T20:40:10|tOSe+Ex/wvn33YlGwtfmrJwQ31Crd7lI9VcH63TGjHfxk5vfb3q9uSbDUGk9TXvo70ydOpikRVw+9B2Six0mbu3PjoPpO909oAYITrRyomdeUGJ4vmA2/12L86EJLWpU7vIt4cL8HpkEw7TOFhSdpzb/890+jP+C1adBsHU1VHc=|30001000000100000801||
    
    and this has SHA-1 digest
    8A012F880C1DB74C22553336F78BAFC2FA975CC7
    
    Again, the two digest values do not match. There are no accented characters in the input to mess up the UTF-8/Latin-1 encodings, and no extra white space requiring normalize-space operations, so we can't see any obvious problems there. (Mind you, if we were creating a test file, we'd include accented characters and superfluous white space to test things a bit more thoroughly.)

So we cannot reproduce two message digests in the only sample XML document provided. We believe we're following the rules as published.

The Correct Version

2010-12-20: Here is what we think the correct version should be: ejemplo1cfdv3-new.xml [text]. Now this validates on the new SAT v3 validador site with the same digest we computed above, but, er..., the original example file from the SAT site does not.

2011-06-01: And here is the same XML document with the correct selloSAT signature in the TimbreFiscalDigital field: ejemplo1cfdv3-signed-tfd.xml [text]. This also validates on the SAT v3 validador site as shown here. (Note that you must replace the incorrect selloCFD field before creating the selloSAT, so the digest computed in step 2 above is still not the correct one.)

Here are the original XML document and the two new ones in zipped format (8 kB).

2011-06-05: There is a problem on the SAT validator site with missing, optional nodes in a detallista element. See Errors on the SAT validator site.

References: recent SAT publications

Contact

To send us information or ask questions, please send us a message (use the form and we'll send you a proper email address to forward documents to).

This page first published by DI Management 19 November 2010. Last updated 5 June 2011.