Skip to content

Instantly share code, notes, and snippets.

@brankoajzele

brankoajzele/fiskalizacija.php

Last active December 1, 2022 17:26
Show Gist options
  • Save brankoajzele/4594489 to your computer and use it in GitHub Desktop.
Save brankoajzele/4594489 to your computer and use it in GitHub Desktop.
Download ZIP
Kompletan primjer fiskalizacije (Croatian fiscalization act/law).
Raw
fiskalizacija.php
<?php
/**
* @author Branko Ajzele <[email protected], http://foggyline.net>
*/
$XMLRequestType = 'RacunZahtjev'; /* RacunZahtjev OR PoslovniProstorZahtjev */
/*************************************************************************************/
/********** STEP_1: Handle the FINA aplikativni certificate in .pfx format **********/
/*************************************************************************************/
$certificate = null;
$certificatePass = 'MyCertPassHere';
$pfxCertificate = '/Users/branko/Downloads/fiskal1-demo-aplikativni.pfx';
openssl_pkcs12_read(file_get_contents($pfxCertificate), $certificate, $certificatePass);
$publicCertificate = $certificate['cert'];
$privateKey = $certificate['pkey'];
$privateKeyResource = openssl_pkey_get_private($privateKey, $certificatePass);
$publicCertificateData = openssl_x509_parse($publicCertificate);
/****************************************************************************/
/********** STEP_2: Handle the FINA CA certificate in .cer format **********/
/****************************************************************************/
$certificateCAcer = '/Users/branko/Downloads/democacert.cer';
$certificateCAcerContent = file_get_contents($certificateCAcer);
/* Convert .cer to .pem, cURL uses .pem */
$certificateCApemContent = '-----BEGIN CERTIFICATE-----'.PHP_EOL
.chunk_split(base64_encode($certificateCAcerContent), 64, PHP_EOL)
.'-----END CERTIFICATE-----'.PHP_EOL;
$certificateCApem = $certificateCAcer.'.pem';
file_put_contents($certificateCApem, $certificateCApemContent);
/*****************************************************/
/********** STEP_3: Calculate Zastitni Kod **********/
/*****************************************************/
$oib = '11111111111';
$dt = new DateTime('now');
$datumVrijemeIzdavanjaRacuna = $dt->format('d.m.Y H:i:s'); /* use invoice created_at datetime here */
$brojcanaOznakaRacuna = '23'; /* 23/MAGE5/1 */
$oznakaPoslovnogProstora = 'MAGE5'; /* 23/MAGE5/1 */
$oznakaNaplatnogUredaja = '1'; /* 23/MAGE5/1 */
$ukupniIznosRacuna = '182.50';
$ZastKodUnsigned = '';
$ZastKodUnsigned .= $oib;
$ZastKodUnsigned .= $datumVrijemeIzdavanjaRacuna;
$ZastKodUnsigned .= $brojcanaOznakaRacuna;
$ZastKodUnsigned .= $oznakaPoslovnogProstora;
$ZastKodUnsigned .= $oznakaNaplatnogUredaja;
$ZastKodUnsigned .= $ukupniIznosRacuna;
$ZastKodSignature = null;
openssl_sign($ZastKodUnsigned, $ZastKodSignature, $privateKeyResource, OPENSSL_ALGO_SHA1);
$ZastKod = md5($ZastKodSignature);
/************************************************/
/********** STEP_4: Calculate UUID v4 **********/
/************************************************/
function UUIDv4() {
return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
mt_rand(0, 0xffff), mt_rand(0, 0xffff),
mt_rand(0, 0xffff),
mt_rand(0, 0x0fff) | 0x4000,
mt_rand(0, 0x3fff) | 0x8000,
mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
);
}
$UUID = UUIDv4();
/*****************************************************************************************************/
/********** STEP_5: Prepare/Build pure request XML (RacunZahtjev OR PoslovniProstorZahtjev) **********/
/*****************************************************************************************************/
$UriId = uniqid();
if ($XMLRequestType == 'RacunZahtjev') {
$ns = 'tns';
$writer = new XMLWriter();
$writer->openMemory();
//$writer->startDocument('1.0', 'UTF-8');
$writer->setIndent(4);
$writer->startElementNs($ns, 'RacunZahtjev', 'http://www.apis-it.hr/fin/2012/types/f73');
$writer->writeAttribute('Id', $UriId);
$writer->startElementNs($ns, 'Zaglavlje', null);
$writer->writeElementNs($ns, 'IdPoruke', null, $UUID);
$writer->writeElementNs($ns, 'DatumVrijeme', null, date('d.m.Y\TH:i:s'));
$writer->endElement(); /* #Zaglavlje */
$writer->startElementNs($ns, 'Racun', null);
$writer->writeElementNs($ns, 'Oib', null, $oib);
$writer->writeElementNs($ns, 'USustPdv', null, '1');
$writer->writeElementNs($ns, 'DatVrijeme', null, $dt->format('d.m.Y\TH:i:s'));
$writer->writeElementNs($ns, 'OznSlijed', null, 'P'); /* P ili N => P na nivou Poslovnog prostora, N na nivou naplatnog uredaja */
$writer->startElementNs($ns, 'BrRac', null);
$writer->writeElementNs($ns, 'BrOznRac', null, $brojcanaOznakaRacuna);
$writer->writeElementNs($ns, 'OznPosPr', null, $oznakaPoslovnogProstora);
$writer->writeElementNs($ns, 'OznNapUr', null, $oznakaNaplatnogUredaja);
$writer->endElement(); /* #BrRac */
$writer->startElementNs($ns, 'Pdv', null);
$writer->startElementNs($ns, 'Porez', null);
$writer->writeElementNs($ns, 'Stopa', null, '25.00');
$writer->writeElementNs($ns, 'Osnovica', null, '100.00');
$writer->writeElementNs($ns, 'Iznos', null, '25.00');
$writer->endElement(); /* #Porez */
$writer->startElementNs($ns, 'Porez', null);
$writer->writeElementNs($ns, 'Stopa', null, '5.00');
$writer->writeElementNs($ns, 'Osnovica', null, '50.00');
$writer->writeElementNs($ns, 'Iznos', null, '7.50');
$writer->endElement(); /* #Porez */
$writer->endElement(); /* #Pdv */
$writer->writeElementNs($ns, 'IznosUkupno', null, $ukupniIznosRacuna);
$writer->writeElementNs($ns, 'NacinPlac', null, 'G');
$writer->writeElementNs($ns, 'OibOper', null, $oib);
$writer->writeElementNs($ns, 'ZastKod', null, $ZastKod);
$writer->writeElementNs($ns, 'NakDost', null, '0');
$writer->endElement(); /* #Racun */
$writer->endElement(); /* #RacunZahtjev */
//$writer->endDocument();
$XMLRequest = $writer->outputMemory();
}
if ($XMLRequestType == 'PoslovniProstorZahtjev') {
$ns = 'tns';
$writer = new XMLWriter();
$writer->openMemory();
//$writer->startDocument('1.0', 'UTF-8');
$writer->setIndent(4);
$writer->startElementNs($ns, 'PoslovniProstorZahtjev', 'http://www.apis-it.hr/fin/2012/types/f73');
$writer->writeAttribute('Id', $UriId);
$writer->startElementNs($ns, 'Zaglavlje', null);
$writer->writeElementNs($ns, 'IdPoruke', null, UUIDv4());
$writer->writeElementNs($ns, 'DatumVrijeme', null, date('d.m.Y\TH:i:s'));
$writer->endElement(); /* #Zaglavlje */
$writer->startElementNs($ns, 'PoslovniProstor', null);
$writer->writeElementNs($ns, 'Oib', null, $oib);
$writer->writeElementNs($ns, 'OznPoslProstora', null, $oznakaPoslovnogProstora);
$writer->startElementNs($ns, 'AdresniPodatak', null);
$writer->startElementNs($ns, 'Adresa', null);
$writer->writeElementNs($ns, 'Ulica', null, 'Otokara Kersovanija 4');
$writer->writeElementNs($ns, 'KucniBroj', null, '45');
$writer->writeElementNs($ns, 'KucniBrojDodatak', null, 'B');
$writer->writeElementNs($ns, 'BrojPoste', null, '31000');
$writer->writeElementNs($ns, 'Naselje', null, 'Osijek');
$writer->writeElementNs($ns, 'Opcina', null, 'Osijek');
$writer->endElement(); /* #Adresa */
$writer->endElement(); /* #AdresniPodatak */
$writer->writeElementNs($ns, 'RadnoVrijeme', null, 'Pon-Sub: 08:00-21:00, Ned: 09:00-14:00');
$writer->writeElementNs($ns, 'DatumPocetkaPrimjene', null, '04.01.2013');
$writer->writeElementNs($ns, 'SpecNamj', null, '79343687407'); /* YOUR DEVELOPMENT COMPANY OIB ALWAYS */
$writer->endElement(); /* #PoslovniProstor */
$writer->endElement(); /* #PoslovniProstorZahtjev */
//$writer->endDocument();
$XMLRequest = $writer->outputMemory();
}
/*******************************************************************/
/********** STEP_6: Sign $XMLRequest XML via certificate **********/
/*******************************************************************/
$XMLRequestDOMDoc = new DOMDocument();
$XMLRequestDOMDoc->loadXML($XMLRequest);
$canonical = $XMLRequestDOMDoc->C14N();
$DigestValue = base64_encode(hash('sha1', $canonical, true));
$rootElem = $XMLRequestDOMDoc->documentElement;
$SignatureNode = $rootElem->appendChild(new DOMElement('Signature'));
$SignatureNode->setAttribute('xmlns','http://www.w3.org/2000/09/xmldsig#');
$SignedInfoNode = $SignatureNode->appendChild(new DOMElement('SignedInfo'));
$SignedInfoNode->setAttribute('xmlns','http://www.w3.org/2000/09/xmldsig#');
$CanonicalizationMethodNode = $SignedInfoNode->appendChild(new DOMElement('CanonicalizationMethod'));
$CanonicalizationMethodNode->setAttribute('Algorithm','http://www.w3.org/2001/10/xml-exc-c14n#');
$SignatureMethodNode = $SignedInfoNode->appendChild(new DOMElement('SignatureMethod'));
$SignatureMethodNode->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#rsa-sha1');
$ReferenceNode = $SignedInfoNode->appendChild(new DOMElement('Reference'));
$ReferenceNode->setAttribute('URI', sprintf('#%s', $UriId));
$TransformsNode = $ReferenceNode->appendChild(new DOMElement('Transforms'));
$Transform1Node = $TransformsNode->appendChild(new DOMElement('Transform'));
$Transform1Node->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#enveloped-signature');
$Transform2Node = $TransformsNode->appendChild(new DOMElement('Transform'));
$Transform2Node->setAttribute('Algorithm', 'http://www.w3.org/2001/10/xml-exc-c14n#');
$DigestMethodNode = $ReferenceNode->appendChild(new DOMElement('DigestMethod'));
$DigestMethodNode->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#sha1');
$ReferenceNode->appendChild(new DOMElement('DigestValue', $DigestValue));
$SignedInfoNode = $XMLRequestDOMDoc->getElementsByTagName('SignedInfo')->item(0);
$X509Issuer = $publicCertificateData['issuer'];
$X509IssuerName = sprintf('OU=%s,O=%s,C=%s', $X509Issuer['OU'], $X509Issuer['O'], $X509Issuer['C']);
$X509IssuerSerial = $publicCertificateData['serialNumber'];
$publicCertificatePureString = str_replace('-----BEGIN CERTIFICATE-----', '', $publicCertificate);
$publicCertificatePureString = str_replace('-----END CERTIFICATE-----', '', $publicCertificatePureString);
$SignedInfoSignature = null;
if (!openssl_sign($SignedInfoNode->C14N(true), $SignedInfoSignature, $privateKeyResource, OPENSSL_ALGO_SHA1)) {
throw new Exception('Unable to sign the request');
}
$SignatureNode = $XMLRequestDOMDoc->getElementsByTagName('Signature')->item(0);
$SignatureValueNode = new DOMElement('SignatureValue', base64_encode($SignedInfoSignature));
$SignatureNode->appendChild($SignatureValueNode);
$KeyInfoNode = $SignatureNode->appendChild(new DOMElement('KeyInfo'));
$X509DataNode = $KeyInfoNode->appendChild(new DOMElement('X509Data'));
$X509CertificateNode = new DOMElement('X509Certificate', $publicCertificatePureString);
$X509DataNode->appendChild($X509CertificateNode);
$X509IssuerSerialNode = $X509DataNode->appendChild(new DOMElement('X509IssuerSerial'));
$X509IssuerNameNode = new DOMElement('X509IssuerName',$X509IssuerName);
$X509IssuerSerialNode->appendChild($X509IssuerNameNode);
$X509SerialNumberNode = new DOMElement('X509SerialNumber',$X509IssuerSerial);
$X509IssuerSerialNode->appendChild($X509SerialNumberNode);
/*************************************************************/
/********** STEP_7: Add SOAP envelope to signed XML **********/
/*************************************************************/
$envelope = new DOMDocument();
$envelope->loadXML('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body></soapenv:Body>
</soapenv:Envelope>');
$envelope->encoding = 'UTF-8';
$envelope->version = '1.0';
$XMLRequestTypeNode = $XMLRequestDOMDoc->getElementsByTagName($XMLRequestType)->item(0);
$XMLRequestTypeNode = $envelope->importNode($XMLRequestTypeNode, true);
$envelope->getElementsByTagName('Body')->item(0)->appendChild($XMLRequestTypeNode);
/* Final, signed XML request */
$payload = $envelope->saveXML();
/******************************************************************************/
/********** STEP_8: Execute POST request with signed XML towards CIS **********/
/******************************************************************************/
$ch = curl_init();
$options = array(
CURLOPT_URL => 'https://cistest.apis-it.hr:8449/FiskalizacijaServiceTest',
CURLOPT_CONNECTTIMEOUT => 5,
CURLOPT_TIMEOUT => 5,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $payload,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_CAINFO => $certificateCApem,
);
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
if ($response) {
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$DOMResponse = new DOMDocument();
$DOMResponse->loadXML($response);
if ($code === 200) {
/* For RacunZahtjev */
$Jir = $DOMResponse->getElementsByTagName('Jir')->item(0);
if ($Jir) {
echo $Jir->nodeValue;
}
/* For RacunZahtjev && PoslovniProstorZahtjev */
echo $response;
} else {
$SifraGreske = $DOMResponse->getElementsByTagName('SifraGreske')->item(0);
$PorukaGreske = $DOMResponse->getElementsByTagName('PorukaGreske')->item(0);
if ($SifraGreske && $PorukaGreske) {
throw new Exception(sprintf('%s: %s', $SifraGreske->nodeValue, $PorukaGreske->nodeValue));
} else {
throw new Exception(sprintf('HTTP response code %s not suited for further actions.', $code));
}
}
} else {
throw new Exception(curl_error($ch));
}
curl_close($ch);
@Bharakuda
Copy link

Bharakuda commented Mar 22, 2017
edited
Loading

Solution for cURL issues like "Fatal error: Uncaught exception 'Exception' with message 'error setting certificate verify locations: CAfile"
You need to merge two certificates in one and use that one in your requests, with this bundled certificate chain validation passes correctly.

For PRODUCTION merge FinaRootCA and FinaRDCCA2015 into new one, name is not important, both are available for download on FINA site http://www.fina.hr/Default.aspx?art=10758.
For DEMO merge demo2014_root_ca and demo2014_sub_ca.

Procedure is simple for .txt or .pem certificates, just copy the content of both certificates into new file, any text editor can be used. Read NOTE below for other formats.

Both certificates for production and demo mode can be downloaded in .txt format from FINA site, links are provided below.

Demo certificates
https://demo-pki.fina.hr/certifikati/demo2014_root_ca.txt
https://demo-pki.fina.hr/certifikati/demo2014_sub_ca.txt

Production certificates
http://rdc.fina.hr/Root/FinaRootCA.txt
http://rdc.fina.hr/RDC2015/FinaRDCCA2015.txt

If you are using .txt certificates provided above, after merge rename newly generated certificate extension from .txt to .cer and use that one in your requests.

NOTE: conversion between different certificate formats:

  • For certificates in .pem or .txt simply rename to .crt
  • For certificates in .cer (der) to convert to .crt you need to execute following for each certificate file:
    openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt

Solution found on: http://fiskalizacija.codeplex.com/
Authors: @rh_orpam, @josipj

@rb3606
Copy link

rb3606 commented Jul 7, 2020

Where to find pfx key ?

@Substractive
Copy link

Not sure if it's the case here but watch out for serial number that goes into X509SerialNumber element, newer certs can throw s001 error.
Message example:

"Poruka nije u skladu s XML shemom : cvc-simple-type 1: element {http://www.w3.org/2000/09/xmldsig#}X509SerialNumber value '0x' is not a valid instance of type {http://www.w3.org/2001/XMLSchema}integer".

I solved it by using bcmath to get proper integer value (hex to dec conversion) and so far it looks good. As time passed IsssuerSerial num incremented quite a bit.
Encountered this with one cert, hope this can help someone in case this error pops.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment