The only versión 3.0 CFDI sample file we've been able to find on the SAT website is ejemplo1 cfdv3.xml [text], last modifed 21 September 2010. It is full of errors.
The certificado string in the example is wrong. It does not represent a valid X.509 certificate. Someone has missed the letter "j" off the end!
sello="tOSe+Ex/wvn33YlGwtfmrJwQ31Crd7lI9VcH63TGjHfxk5vfb3q9uSbDUGk9TXvo70ydOpikRVw+9B2Six0mbu3PjoPpO909oAYITrRyomdeUGJ4vmA2/12L86EJLWpU7vIt4cL8HpkEw7TOFhSdpzb/890+jP+C1adBsHU1VHc=" noCertificado="30001000000100000800"and we used this VB6 code to obtain
Extracted SHA-1 digest=F5CCE4D1CB527D912FEC725EC51B7EA9A6BE0B10
The fact that we can extract any valid digest from the signature means we have decrypted it correctly. Now to verify this signature we need to reproduce exactly the piped string (cadena original) from the XML file and obtain the same SHA-1 message digest. But we think the piped string for that document according to the specifications should be the following 527 bytes [zipped|hexdump]
||3.0|2010-03-06T20:38:12|ingreso|PAGO EN UNA SOLA EXHIBICION|488.50|488.50|PPL961114GZ1|PHARMA PLUS SA DE CV|AV. RIO MIXCOAC|No. 140|ACACIAS|BENITO JUAREZ|MEXICO, D.F.|Mexico|03240|AV. UNIVERSIDAD|1858|OXTOPULCO|DISTRITO FEDERAL|Mexico|03910|PEPJ8001019Q8|JUAN PEREZ PEREZ|AV UNIVERSIDAD|16 EDF 3|DPTO 101|COPILCO UNIVERSIDAD|COYOACAN|DISTRITO FEDERAL|Mexico|04360|1.0|CAPSULAS|VIBRAMICINA 100MG 10|244.00|244.00|1.0|BOTELLA|CLORUTO 500M|137.93|137.93|1.0|TABLETAS|SEDEPRON 250MG 10|84.50|84.50|IVA|0.00|0.00|IVA|16.00|22.07||and this has SHA-1 digest
CEC1B8FCC73C121AC59DF2DD1307476D9A7D4D67These two digest values should be the same.
Extracted SHA-1 digest=2EC741B98A5E1EDE6062957F5E21C36EF279F5FCBut we think the piped string should be the following 258 bytes [zipped|hexdump]
||1.0|ad662d33-6934-459c-a128-bdf0393e0f44|2010-03-06T20:40:10|tOSe+Ex/wvn33YlGwtfmrJwQ31Crd7lI9VcH63TGjHfxk5vfb3q9uSbDUGk9TXvo70ydOpikRVw+9B2Six0mbu3PjoPpO909oAYITrRyomdeUGJ4vmA2/12L86EJLWpU7vIt4cL8HpkEw7TOFhSdpzb/890+jP+C1adBsHU1VHc=|30001000000100000801||and this has SHA-1 digest
8A012F880C1DB74C22553336F78BAFC2FA975CC7Again, the two digest values do not match. There are no accented characters in the input to mess up the UTF-8/Latin-1 encodings, and no extra white space requiring normalize-space operations, so we can't see any obvious problems there. (Mind you, if we were creating a test file, we'd include accented characters and superfluous white space to test things a bit more thoroughly.)
So we cannot reproduce two message digests in the only sample XML document provided. We believe we're following the rules as published.
2010-12-20: Here is what we think the correct version should be: ejemplo1cfdv3-new.xml [text]. Now this validates on the new SAT v3 validador site with the same digest we computed above, but, er..., the original example file from the SAT site does not.
2011-06-01: And here is the same XML document with the correct selloSAT signature in the TimbreFiscalDigital field: ejemplo1cfdv3-signed-tfd.xml [text]. This also validates on the SAT v3 validador site as shown here. (Note that you must replace the incorrect selloCFD field before creating the selloSAT, so the digest computed in step 2 above is still not the correct one.)
Here are the original XML document and the two new ones in zipped format (8 kB).
To send us information or ask questions, please send us a message (use the form and we'll send you a proper email address to forward documents to).
This page first published by DI Management 19 November 2010. Last updated 5 June 2011.