This is a shell implementation of sending registered sale to testing endpoint (for now). The main intention is to bring possibility to register sale using the most basic tools to help other developers implementing usable products for tax payers obliged to register sales.

There are two implementations now. Template based implementation is meant as a proof of concept for later Java development. xmlsec1 implementation was used as preparation step for templates.

Prerequisites Follwoing command need to be available

• xmlsec1
• xsltproc
• php (command line - php-cli)
• openssl
• xxd
• tr
• sed

Edit SOAP template message data/template.xml (business data) according to your needs. Put placehoders in the form of ${placeholdername} at places, where needed them. Edit business data in data/uctenka-data.json. The data will be used to replace placeholders. Every attribute value in JSON is used to replace placeholder in the template having the same name as attribute. There are several reserved placeholders: ${digest}, ${signature}, ${pkp}, ${bkp} - these are used internally to compute security attributes of the message.

After data/template.xml is changed you need to run ./prepare-templates.sh.

Signed message can be generated by running php ./create-signed-message.php. If all goes well signed message is generated in work/signed-message and you can send it to EET API by using ./send-req.sh work/signed-message.

1. Edit create-signed-message.php. At the beginning, set the $p12File variable to the path of your certificate, e.g.: $p12File="cert/001.p12";.
2. Create a .pwd file for your certificate (e.g. cert/001.p12.pwd) and put there the certificate's password.
3. Edit send-req.sh and choose production URL instead of the playground.
4. Run php ./create-signed-message.php
5. Run ./send-req.sh work/signed-message

To prepare message for signing take data/template.xml and change anything inside element save it to sale-to-register-soap.xml.

To sign prefabricated SOAP message use script:

sign.sh sale-to-register-soap.xml signed-soap.xml

To send signed message to testing API:

send-req.sh signed-soap.xml

After sending you shoul see API response on the output containing FIK.

Every request sent to API must be signed according to WS-Security. WS-Security standard does not use stright XMLDSig implementation. It brings in a level of indirection. This tweak complicates development on restricted platforms withouth full fledged WS-Security implementation. Shell implementation uses combines templating to create SOAP message with open source XMLDSign implementation comming in XMLSEC1 package.

The xmlsec1 functionality is available in the form of library and command line tool xmlsec1. Command line tool is used in this case.

The API accepts (for now) only signatures which uses #id reference to soap:Body. Unfortunately when xmlsec1 tool is used directly on prefabricated SOAP message as provided by GFR, signing fails due to XML lacking standard definition of ID attribute. xmlsec1 documentation suggests several workarounds. Current implementation uses xml:id extension to XML standard. Adding xml:id attribute with the same value as wsu:Id solves the issue. During signing/validation using xmlsec1 xml:id is used. API internaly (presumably) uses wsu:Id but the result is (fortunately) the same.

The scripts hard code certificates/keys used for signing for now. The original message and keys/certificate are published on http://etrzby.cz