Kompletan primjer fiskalizacije (Croatian fiscalization act/law).

fiskalizacija.php

<?php
/**
 * @author Branko Ajzele <ajzele@gmail.com, http://foggyline.net>
 */

$XMLRequestType = 'RacunZahtjev'; /* RacunZahtjev OR PoslovniProstorZahtjev */










/*************************************************************************************/
/********** STEP_1: Handle the FINA aplikativni certificate in .pfx format  **********/
/*************************************************************************************/
$certificate = null;
$certificatePass = 'MyCertPassHere';
$pfxCertificate = '/Users/branko/Downloads/fiskal1-demo-aplikativni.pfx';

openssl_pkcs12_read(file_get_contents($pfxCertificate), $certificate, $certificatePass);

$publicCertificate = $certificate['cert'];
$privateKey = $certificate['pkey'];

$privateKeyResource = openssl_pkey_get_private($privateKey, $certificatePass);
$publicCertificateData = openssl_x509_parse($publicCertificate);










/****************************************************************************/
/********** STEP_2: Handle the FINA CA certificate in .cer format  **********/
/****************************************************************************/
$certificateCAcer = '/Users/branko/Downloads/democacert.cer';
$certificateCAcerContent = file_get_contents($certificateCAcer);

/* Convert .cer to .pem, cURL uses .pem */
$certificateCApemContent =  '-----BEGIN CERTIFICATE-----'.PHP_EOL
    .chunk_split(base64_encode($certificateCAcerContent), 64, PHP_EOL)
    .'-----END CERTIFICATE-----'.PHP_EOL;

$certificateCApem = $certificateCAcer.'.pem';
file_put_contents($certificateCApem, $certificateCApemContent);










/*****************************************************/
/********** STEP_3: Calculate Zastitni Kod  **********/
/*****************************************************/
$oib = '11111111111';
$dt = new DateTime('now');
$datumVrijemeIzdavanjaRacuna = $dt->format('d.m.Y H:i:s'); /* use invoice created_at datetime here */
$brojcanaOznakaRacuna = '23'; /* 23/MAGE5/1 */
$oznakaPoslovnogProstora = 'MAGE5'; /* 23/MAGE5/1 */
$oznakaNaplatnogUredaja = '1'; /* 23/MAGE5/1 */
$ukupniIznosRacuna = '182.50';

$ZastKodUnsigned = '';

$ZastKodUnsigned .= $oib;
$ZastKodUnsigned .= $datumVrijemeIzdavanjaRacuna;
$ZastKodUnsigned .= $brojcanaOznakaRacuna;
$ZastKodUnsigned .= $oznakaPoslovnogProstora;
$ZastKodUnsigned .= $oznakaNaplatnogUredaja;
$ZastKodUnsigned .= $ukupniIznosRacuna;

$ZastKodSignature = null;

openssl_sign($ZastKodUnsigned, $ZastKodSignature, $privateKeyResource, OPENSSL_ALGO_SHA1);

$ZastKod = md5($ZastKodSignature);










/************************************************/
/********** STEP_4: Calculate UUID v4  **********/
/************************************************/
function UUIDv4() {
    return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff),
        mt_rand(0, 0x0fff) | 0x4000,
        mt_rand(0, 0x3fff) | 0x8000,
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );
}

$UUID = UUIDv4();










/*****************************************************************************************************/
/********** STEP_5: Prepare/Build pure request XML (RacunZahtjev OR PoslovniProstorZahtjev) **********/
/*****************************************************************************************************/
$UriId = uniqid();

if ($XMLRequestType == 'RacunZahtjev') {

    $ns = 'tns';

    $writer = new XMLWriter();
    $writer->openMemory();
//$writer->startDocument('1.0', 'UTF-8');

    $writer->setIndent(4);
    $writer->startElementNs($ns, 'RacunZahtjev', 'http://www.apis-it.hr/fin/2012/types/f73');
    $writer->writeAttribute('Id', $UriId);

    $writer->startElementNs($ns, 'Zaglavlje', null);
    $writer->writeElementNs($ns, 'IdPoruke', null, $UUID);
    $writer->writeElementNs($ns, 'DatumVrijeme', null, date('d.m.Y\TH:i:s'));
    $writer->endElement(); /* #Zaglavlje */


    $writer->startElementNs($ns, 'Racun', null);
    $writer->writeElementNs($ns, 'Oib', null, $oib);
    $writer->writeElementNs($ns, 'USustPdv', null, '1');
    $writer->writeElementNs($ns, 'DatVrijeme', null, $dt->format('d.m.Y\TH:i:s'));
    $writer->writeElementNs($ns, 'OznSlijed', null, 'P'); /* P ili N => P na nivou Poslovnog prostora, N na nivou naplatnog uredaja */


    $writer->startElementNs($ns, 'BrRac', null);
    $writer->writeElementNs($ns, 'BrOznRac', null, $brojcanaOznakaRacuna);
    $writer->writeElementNs($ns, 'OznPosPr', null, $oznakaPoslovnogProstora);
    $writer->writeElementNs($ns, 'OznNapUr', null, $oznakaNaplatnogUredaja);
    $writer->endElement(); /* #BrRac */

    $writer->startElementNs($ns, 'Pdv', null);
    $writer->startElementNs($ns, 'Porez', null);
    $writer->writeElementNs($ns, 'Stopa', null, '25.00');
    $writer->writeElementNs($ns, 'Osnovica', null, '100.00');
    $writer->writeElementNs($ns, 'Iznos', null, '25.00');
    $writer->endElement(); /* #Porez */

    $writer->startElementNs($ns, 'Porez', null);
    $writer->writeElementNs($ns, 'Stopa', null, '5.00');
    $writer->writeElementNs($ns, 'Osnovica', null, '50.00');
    $writer->writeElementNs($ns, 'Iznos', null, '7.50');
    $writer->endElement(); /* #Porez */
    $writer->endElement(); /* #Pdv */

    $writer->writeElementNs($ns, 'IznosUkupno', null, $ukupniIznosRacuna);

    $writer->writeElementNs($ns, 'NacinPlac', null, 'G');
    $writer->writeElementNs($ns, 'OibOper', null, $oib);

    $writer->writeElementNs($ns, 'ZastKod', null, $ZastKod);
    $writer->writeElementNs($ns, 'NakDost', null, '0');

    $writer->endElement(); /* #Racun */

    $writer->endElement(); /* #RacunZahtjev */

//$writer->endDocument();

    $XMLRequest = $writer->outputMemory();
}

if ($XMLRequestType == 'PoslovniProstorZahtjev') {
    $ns = 'tns';

    $writer = new XMLWriter();
    $writer->openMemory();
    //$writer->startDocument('1.0', 'UTF-8');

    $writer->setIndent(4);
    $writer->startElementNs($ns, 'PoslovniProstorZahtjev', 'http://www.apis-it.hr/fin/2012/types/f73');
    $writer->writeAttribute('Id', $UriId);

    $writer->startElementNs($ns, 'Zaglavlje', null);
    $writer->writeElementNs($ns, 'IdPoruke', null, UUIDv4());
    $writer->writeElementNs($ns, 'DatumVrijeme', null, date('d.m.Y\TH:i:s'));
    $writer->endElement(); /* #Zaglavlje */


    $writer->startElementNs($ns, 'PoslovniProstor', null);
    $writer->writeElementNs($ns, 'Oib', null, $oib);
    $writer->writeElementNs($ns, 'OznPoslProstora', null, $oznakaPoslovnogProstora);

    $writer->startElementNs($ns, 'AdresniPodatak', null);
    $writer->startElementNs($ns, 'Adresa', null);
    $writer->writeElementNs($ns, 'Ulica', null, 'Otokara Kersovanija 4');
    $writer->writeElementNs($ns, 'KucniBroj', null, '45');
    $writer->writeElementNs($ns, 'KucniBrojDodatak', null, 'B');
    $writer->writeElementNs($ns, 'BrojPoste', null, '31000');
    $writer->writeElementNs($ns, 'Naselje', null, 'Osijek');
    $writer->writeElementNs($ns, 'Opcina', null, 'Osijek');
    $writer->endElement(); /* #Adresa */
    $writer->endElement(); /* #AdresniPodatak */

    $writer->writeElementNs($ns, 'RadnoVrijeme', null, 'Pon-Sub: 08:00-21:00, Ned: 09:00-14:00');
    $writer->writeElementNs($ns, 'DatumPocetkaPrimjene', null, '04.01.2013');

    $writer->writeElementNs($ns, 'SpecNamj', null, '79343687407'); /* YOUR DEVELOPMENT COMPANY OIB ALWAYS */

    $writer->endElement(); /* #PoslovniProstor */


    $writer->endElement(); /* #PoslovniProstorZahtjev */

    //$writer->endDocument();

    $XMLRequest = $writer->outputMemory();
}










/*******************************************************************/
/********** STEP_6: Sign $XMLRequest XML via certificate **********/
/*******************************************************************/
$XMLRequestDOMDoc = new DOMDocument();
$XMLRequestDOMDoc->loadXML($XMLRequest);

$canonical = $XMLRequestDOMDoc->C14N();
$DigestValue = base64_encode(hash('sha1', $canonical, true));

$rootElem = $XMLRequestDOMDoc->documentElement;

$SignatureNode = $rootElem->appendChild(new DOMElement('Signature'));
$SignatureNode->setAttribute('xmlns','http://www.w3.org/2000/09/xmldsig#');

$SignedInfoNode = $SignatureNode->appendChild(new DOMElement('SignedInfo'));
$SignedInfoNode->setAttribute('xmlns','http://www.w3.org/2000/09/xmldsig#');

$CanonicalizationMethodNode = $SignedInfoNode->appendChild(new DOMElement('CanonicalizationMethod'));
$CanonicalizationMethodNode->setAttribute('Algorithm','http://www.w3.org/2001/10/xml-exc-c14n#');

$SignatureMethodNode = $SignedInfoNode->appendChild(new DOMElement('SignatureMethod'));
$SignatureMethodNode->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#rsa-sha1');

$ReferenceNode = $SignedInfoNode->appendChild(new DOMElement('Reference'));
$ReferenceNode->setAttribute('URI', sprintf('#%s', $UriId));

$TransformsNode = $ReferenceNode->appendChild(new DOMElement('Transforms'));

$Transform1Node = $TransformsNode->appendChild(new DOMElement('Transform'));
$Transform1Node->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#enveloped-signature');

$Transform2Node = $TransformsNode->appendChild(new DOMElement('Transform'));
$Transform2Node->setAttribute('Algorithm', 'http://www.w3.org/2001/10/xml-exc-c14n#');

$DigestMethodNode = $ReferenceNode->appendChild(new DOMElement('DigestMethod'));
$DigestMethodNode->setAttribute('Algorithm','http://www.w3.org/2000/09/xmldsig#sha1');

$ReferenceNode->appendChild(new DOMElement('DigestValue', $DigestValue));

$SignedInfoNode = $XMLRequestDOMDoc->getElementsByTagName('SignedInfo')->item(0);

$X509Issuer = $publicCertificateData['issuer'];
$X509IssuerName = sprintf('OU=%s,O=%s,C=%s', $X509Issuer['OU'], $X509Issuer['O'], $X509Issuer['C']);
$X509IssuerSerial = $publicCertificateData['serialNumber'];

$publicCertificatePureString = str_replace('-----BEGIN CERTIFICATE-----', '', $publicCertificate);
$publicCertificatePureString = str_replace('-----END CERTIFICATE-----', '', $publicCertificatePureString);

$SignedInfoSignature = null;

if (!openssl_sign($SignedInfoNode->C14N(true), $SignedInfoSignature, $privateKeyResource, OPENSSL_ALGO_SHA1)) {
    throw new Exception('Unable to sign the request');
}

$SignatureNode = $XMLRequestDOMDoc->getElementsByTagName('Signature')->item(0);
$SignatureValueNode = new DOMElement('SignatureValue', base64_encode($SignedInfoSignature));
$SignatureNode->appendChild($SignatureValueNode);

$KeyInfoNode = $SignatureNode->appendChild(new DOMElement('KeyInfo'));

$X509DataNode = $KeyInfoNode->appendChild(new DOMElement('X509Data'));
$X509CertificateNode = new DOMElement('X509Certificate', $publicCertificatePureString);
$X509DataNode->appendChild($X509CertificateNode);

$X509IssuerSerialNode = $X509DataNode->appendChild(new DOMElement('X509IssuerSerial'));

$X509IssuerNameNode = new DOMElement('X509IssuerName',$X509IssuerName);
$X509IssuerSerialNode->appendChild($X509IssuerNameNode);

$X509SerialNumberNode = new DOMElement('X509SerialNumber',$X509IssuerSerial);
$X509IssuerSerialNode->appendChild($X509SerialNumberNode);









/*************************************************************/
/********** STEP_7: Add SOAP envelope to signed XML **********/
/*************************************************************/
$envelope = new DOMDocument();

$envelope->loadXML('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body></soapenv:Body>
</soapenv:Envelope>');

$envelope->encoding = 'UTF-8';
$envelope->version = '1.0';

$XMLRequestTypeNode = $XMLRequestDOMDoc->getElementsByTagName($XMLRequestType)->item(0);
$XMLRequestTypeNode = $envelope->importNode($XMLRequestTypeNode, true);

$envelope->getElementsByTagName('Body')->item(0)->appendChild($XMLRequestTypeNode);

/* Final, signed XML request */
$payload = $envelope->saveXML();










/******************************************************************************/
/********** STEP_8: Execute POST request with signed XML towards CIS **********/
/******************************************************************************/
$ch = curl_init();

$options = array(
    CURLOPT_URL => 'https://cistest.apis-it.hr:8449/FiskalizacijaServiceTest',
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT => 5,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_CAINFO => $certificateCApem,
);

curl_setopt_array($ch, $options);

$response = curl_exec($ch);

if ($response) {
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    $DOMResponse = new DOMDocument();
    $DOMResponse->loadXML($response);

    if ($code === 200) {
        /* For RacunZahtjev */
        $Jir = $DOMResponse->getElementsByTagName('Jir')->item(0);
        if ($Jir) {
            echo $Jir->nodeValue;
        }
        /* For RacunZahtjev && PoslovniProstorZahtjev */
        echo $response;
    } else {
        $SifraGreske = $DOMResponse->getElementsByTagName('SifraGreske')->item(0);
        $PorukaGreske = $DOMResponse->getElementsByTagName('PorukaGreske')->item(0);

        if ($SifraGreske && $PorukaGreske) {
            throw new Exception(sprintf('%s: %s', $SifraGreske->nodeValue, $PorukaGreske->nodeValue));
        } else {
            throw new Exception(sprintf('HTTP response code %s not suited for further actions.', $code));
        }
    }
} else {
    throw new Exception(curl_error($ch));
}

curl_close($ch);

Note to all potential users.

You might temporarily set CURLOPT_SSL_VERIFYHOST 0 and CURLOPT_SSL_VERIFYPEER false, if you experience cURL issues like "Fatal error: Uncaught exception 'Exception' with message 'error setting certificate verify locations: CAfile".

But that type of setup is not to be used for production, as cURL communication must be secured.

Solution for cURL issues like "Fatal error: Uncaught exception 'Exception' with message 'error setting certificate verify locations: CAfile"
You need to merge two certificates in one and use that one in your requests, with this bundled certificate chain validation passes correctly.

For PRODUCTION merge FinaRootCA and FinaRDCCA2015 into new one, name is not important, both are available for download on FINA site http://www.fina.hr/Default.aspx?art=10758.
For DEMO merge demo2014_root_ca and demo2014_sub_ca.

Procedure is simple for .txt or .pem certificates, just copy the content of both certificates into new file, any text editor can be used. Read NOTE below for other formats.

Both certificates for production and demo mode can be downloaded in .txt format from FINA site, links are provided below.

Demo certificates
https://demo-pki.fina.hr/certifikati/demo2014_root_ca.txt
https://demo-pki.fina.hr/certifikati/demo2014_sub_ca.txt

Production certificates
http://rdc.fina.hr/Root/FinaRootCA.txt
http://rdc.fina.hr/RDC2015/FinaRDCCA2015.txt

If you are using .txt certificates provided above, after merge rename newly generated certificate extension from .txt to .cer and use that one in your requests.

NOTE: conversion between different certificate formats:

• For certificates in .pem or .txt simply rename to .crt
• For certificates in .cer (der) to convert to .crt you need to execute following for each certificate file:
  openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt

Solution found on: http://fiskalizacija.codeplex.com/
Authors: @rh_orpam, @josipj