From 54303c0452f342394dc3ed4bb27d744b66882080 Mon Sep 17 00:00:00 2001
From: svillegas-cdd <svillegas@cordada.com>
Date: Tue, 1 Oct 2024 17:19:46 -0300
Subject: [PATCH] fix: Update cleaning regex to match RUTs with non-numeric
 digits

- The regular expression in `get_subject_rut_from_certificate_pfx` caused the removal of all letters,
including the letter K, from the RUTs.
- It has been updated to a regex that includes the letter K in certain RUTs.
- Added tests for RUTs that end with a `K`.
- Added a guide named `howto.md`, which explains how to create a valid `.der` certificate.
  Based on the guide in `FD-CL-Data`
  [See](https://github.com/cordada/fd-cl-data/blob/ba85835e81c857acbcc0498751c21335591b17b5/test_data/apps/sii_auth/certificate_pfx/howto.md).

Ref: https://github.com/cordada/lib-cl-sii-python/issues/700
Ref: https://app.shortcut.com/cordada/story/9821
---
 src/cl_sii/rut/crypto_utils.py                |  10 ++-
 .../sii-crypto/TEST-DTE-13185095-K.der        | Bin 0 -> 1092 bytes
 .../sii-crypto/TEST-DTE-13185095-K.pem        |  28 +++++++
 .../TEST-DTE-WITH-ID-BUT-NO-RUT.der           | Bin 0 -> 866 bytes
 .../TEST-DTE-WITH-ID-BUT-NO-RUT.pem           |  28 +++++++
 src/tests/test_data/sii-crypto/howto.md       |  71 ++++++++++++++++++
 src/tests/test_rut_crypto_utils.py            |  40 ++++++++++
 7 files changed, 176 insertions(+), 1 deletion(-)
 create mode 100644 src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.der
 create mode 100644 src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.pem
 create mode 100644 src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.der
 create mode 100644 src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.pem
 create mode 100644 src/tests/test_data/sii-crypto/howto.md

diff --git a/src/cl_sii/rut/crypto_utils.py b/src/cl_sii/rut/crypto_utils.py
index df98a9c7..1f22efcc 100644
--- a/src/cl_sii/rut/crypto_utils.py
+++ b/src/cl_sii/rut/crypto_utils.py
@@ -51,6 +51,14 @@ def get_subject_rut_from_certificate_pfx(pfx_file_bytes: bytes, password: Option
         raise Exception(f'len(results) == {len(results)}')
 
     subject_rut_raw: bytes = results[0]
-    subject_rut = re.sub(r'[^0-9-]', '', subject_rut_raw.decode('utf-8'))
+    subject_rut_str = subject_rut_raw.decode('utf-8')
+
+    # Regex to extract Chilean RUT formatted string
+    rut_match = re.search(r'\b\d{1,8}-[0-9Kk]\b', subject_rut_str)
+
+    if not rut_match:
+        raise Exception('RUT format not found in certificate')
+
+    subject_rut = rut_match.group(0)
 
     return Rut(subject_rut)
diff --git a/src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.der b/src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.der
new file mode 100644
index 0000000000000000000000000000000000000000..b279fc34ae577fafb46e94d2821039974ef760cb
GIT binary patch
literal 1092
zcmXqLVsS8NV%Au|%*4pVBw}$drp;7FncYC}|3L|<sJX(gUuhWdvT<s)d9;1!Wn|=L
zWiV*mYRGNC$;KSY!Y0h*>|-cvAPwSh@Q4JZrf25oDfp(A6y+D>=VX>7<|P^m8t{Xp
z*?BmE6Z1+k6VvkzB@M(uLR>roj>);H3eNdO1^GpZB|yD~Dh5g*DQ+HVu#{^>K~8>g
zW?8C2NNQeQX0d`(Vopvm%uHq;4zK)-JO!8hR6_*=Ik+=98N~#%fD(Es`Kb<xKr8f;
z^K%X4#CeTO3=Iqn4J}R03{0bdTvH_Oko8v+qY`oyF|sl+H!<=v7&I|*F*PwVGMp@J
zZb_>sX-cSUbw7Mo|L3Chc^6b~{uazQJ7>f1yo(oqeVFR8qWbEmQ!*c~{F$<8?m6A-
z9@o!&)cyPB;^e=Yw*<<2&wqFRw=imnlZ(Rk>xVM8PI;^7mEw9chGYAyXIJ+<ZuoP8
zOKZFO>G=g!(R0k2zi@5{6$(1TBcxmsH*aChl9WE~4do$EkJxw^Hr-pf*4DCmk*4IU
zz{zW_o~z>GvH$h?<-WczhpIR)Jk!zOxNq~$FHF|+==)p6#sB7+J&KrUTD|)4zm#v?
z-Ev}I`tv*-;}@6PP7nLjtEqgGrMa-uU!&jZ+W#|qe&6)9*vj1Z!R+~tviofkzjq#)
zVY5s1IlC^?QYL0b2FAs11}+B5z@#NB$RcAPwLpT6Lz|6}h4COG;{qNYE<<BO3sVD2
zQ(bQZS&$+=7BLo){mUY+@67(I_@sK-RN0`ConcITyOBd0m>GZ}&B(y*a%|r(`;8CI
z?6i$=P(AkS%eE^0{D?Jr@*%SXN~442?@P_#I<Znzr<q&t?@3Rtcqh$XvxT!a{fiCe
ze##pdy?E*F)8a2??z7lc`<nHg$Q2uX>qM!!F%sODeI9Q2i`%3n+|n>fCQ^Dw)vv!*
z4{8_Ohz~lS@xJx3<xv>{QTw}p6`YMH>}#p<xO2Jrfp4Sb3dh+qcf34%{{Bbf!*`h%
z9QS?|b1S$_>qg>*yX{liGW^9E|9|A@JQa7flkX4L-+xa&UVqzH9m+EG%aVABXp^~9
zzC7)fFsa|QU3vE`F^yTWAJ6&nU1<J(#;%rgdgt~Xn*M9{vH#lhe!<^dbGDz)Uq9H+
GEDZp~ah!z!

literal 0
HcmV?d00001

diff --git a/src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.pem b/src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.pem
new file mode 100644
index 00000000..cc0ebece
--- /dev/null
+++ b/src/tests/test_data/sii-crypto/TEST-DTE-13185095-K.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJdYOEZnh0gmB5
+hUfDzS/5oq9u0CXZ+xFozZyw+27R0frwlUioe9Xyyhzx1PyUsp3OLddI18zxLf3s
+0ZP9KdoQd43P90P+oVqkQkQgt9fCabWU7SFKZEXZXAi36ubVvuOA/MgKKrcny59w
+elucNoP0CbBVElLMDBIjdF6eoXykZI4LsHdU5cQ8SDGC3qmtPTl7oikZ6lGTrNXO
+egoMP/rz6b6O9MJ6CdDmLCgI3zzuTlYdScXv2nNz/p424liRNXurw/5k9ouLHhb0
+j25IQV+jdz2XVvyNKSPZBINxeU8ojzrW/8y8+9lNOLUDjvA257h234YY+7nEmDy6
+JecHLQKlAgMBAAECggEABne3WTDQ/SySXFRjEW4s9B688xnLnUvqKysutJ/d1u6e
+18pzIrWXEMxcUYc89KknV88w8i27bqLDXC7+SUpmrdCoxNxzWmFjv5JBDavZSWyL
+X9SdFP5TH79MqFrqPkJ6m1GCOpFUf/qRi9LhzgoSAmutNY35CoP4sRqzTvRwQ/bH
+4JR2mO1GD3mDvPwUpsONucujuQCpNhalgLCf2OQIG6nfHU1koJawSps8dHvqjf/g
+K8x37MtE/vF+ubdyFVRkx6wv3YCaieP4lac9sOrPu7X9dtYDli8yCjJ6waILRilI
+4KXL/bu+hNIw3entuB8V5V5uPP4PrQwZ43VwuabrAQKBgQDZ9Buo5B739GpL468O
+ORKrHOPT1j1BOQ2Wz0V3+SbgM1CnRJ19QWIAxqLv8jRWd2o9QWm0UaEr4MpyIo2C
+ZMYsIL0ALz9i39WXumwWziIiCpC5ABYt882YZX4nzhJDgt01MnVvLJzCb8J/oJdO
+/un3/8maq1nVHNtdhsM9BbeNDQKBgQDsoEzgR2xlf2bA0NnAGKSoACi74NS0COAG
+nxF2oq/bhPsQk8UHK5ka6otHsl0lgFRCRG+tNLWnq7jWB+ZhwoVxHeQB5ddGil6V
+atQXNuW7V/Xy+CsZCe5/mekKWNdcacOo76cAqbYtLyPAkVl/381S53jEE47Us+6k
+2eptxC3V+QKBgEJp0eva51zjC2jojjUlSvz9JqcsRyoSuoNT0XVHZIM438C4dczv
+GW/nF0tKYIxgguz7e7xIi3YVX1r8EGbFUmWr7CucOhJk5m7/jWQ9l8ULtyHIVvnV
+qrZfZtu2PXZ47/L/1yzzSSkuaPP++VxG7QB23vXUdOEtk+Kh5+g2T8IZAoGAAPij
+eCQy6LO+KzpwOl6fhmUBxculc9u5d619d9wxFpiUIzxICcB/D2I5EiFESpwdPGxl
+fPODb13AE3jS1EHlJFK4Fd3opUx6GOjoV/QMu1kgFFA6dQ7aYMGz+CvnLmTsvavG
+JrWLnuHbprWyBVlY0WdL0po18t+OMjUGxk6Q1ZkCgYEAznH4XiQo/MHfcSkvUunm
+8Hn5LI+aP+kbIg/NExrOQR3mbQaXhpAJzb4+VRX/l5XNvJ2AHv64lSKTgirvK+p7
+jmB8+pPC3XZ9nyfWYBj4+GMudVytlbDb0Sxrr9AZK3GQaVW26WBffWALAmClWFFm
+bkGfTLjxBHBG6vqhFBGF/Ak=
+-----END PRIVATE KEY-----
diff --git a/src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.der b/src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.der
new file mode 100644
index 0000000000000000000000000000000000000000..608546996327ca82fa6d483ff8e4690f7445bb2c
GIT binary patch
literal 866
zcmXqLVvaLtVscx+%*4pVBw|`IB|$XgKyHKQrJ5;*XYM_kbNsdeFB_*;n@8JsUPeZ4
zRt5uCLv903Hs(+kHen{mP(xt@K@f+7hbuTgH&r*dB(WsbP|-jhB*?`h;h9&GT9lVs
zq7a^$lAc*otPoIAso+zRVjw5ZYh+?*U|?uuU}|Y<8U^H<B5|o@O%tOMvIiJh8JL?G
z`56qF7`d357#SJnZ1}?WXHD?O<m7)-pL{c0Io<ok35z20va_qWrZy&h>*skoRW`^`
z#=3W{@S|6(t?A#biz82DJ=cx9rQMQzp-tOZhv$VA%Z}3h?j9Sg51-dQlqqn-_I96J
z#)XP!o0y7n(^&-DA1_OEUEdjc+wsss?|sWY=V-8QeE9X^>-z;)zB#7kFD<w`QR80E
z?I6Cw(AZ~FOj)8n+}+qz;JPg%G|O3h)3W_8Yqam@%3Sm2yY-Ue{F&OL%x{IIGCf|o
z<!M!ztq9L?usXpOuwUn0K$^Lffcd*E_rJMqm+h{IwfS?bQ#3p`vj31wRi|4}oPKW5
zLylmR%-$_4++Y4~UZ~P-Kfk1viJ6gsaj~0$i-9sQ#$*LqWDKMhNU(8evoW$T9%N)(
zz{A6pm{+M=TvC*omu?^nQpCq1#v(G2o9WrUzC``J2{jjAXiNX=f4N8-Ii!I}1sKwd
z3{j=YRsR=%5S;V+*6!64<~Kc=Jnh-G2El|Qubn3}2<bDw>QG(XJKyHxn$oRpuP)x0
za^=v1%oWV_$1W&u>fCwn;^SRaiybQs9yojUUg+)NyQfm)xOc;r*6QEo@9r;YaF@Gw
z?%IOz(r=oaQjHgW<sY?sI`!D}V}&bHKWdl#QBFVG_E3J`S)aL^%ZxRqM{<4HcbB=m
zE9d!o1z(kyIn}IEyN$%!Z)Wexm>Vmtvw!xFH(%{1sYopPb|ZzokokrBKC{^@Q`0hK
z;+E*$eKuuU1ACr-TvFbuZGX+4b?Tc>Kjj~nxAJhg-<qSrDk=(jR$`B?KKcIt$P_P0
RiB~<w6Pgwseby<+4**}jTE74Q

literal 0
HcmV?d00001

diff --git a/src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.pem b/src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.pem
new file mode 100644
index 00000000..84fec6cc
--- /dev/null
+++ b/src/tests/test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCcsPQO/KxT8WNj
+/pXk9japl0voyDhyN3bNqgqVgWL2jwzllR1SQRw7ja0T4uoFhWf3O3NZyGrnLV7a
+K4Rj0IYrMywM6DoEuHW/R0iwO8PPK8JpENg9245GaNB45rICcm1nBBGH46ZhRa+J
+VdtBwqFLvqbzbCgFseH10evfcNT2QWRvpXDdkSjejNtSDnFVXeaUNQRa8N2xgnBF
+tmhVakMXsqa/RKwr320c1ksO2ukIz8x9xQPtExppSOpGbip4NqhXbEA6yAZQvyzu
+UGY3GhA37rTf9ka3HYt4XTz8xokVV21Zj8IceolGUl4vbVLhCFM0aY20qEfp+4Oh
+JIs/n3SFAgMBAAECggEAAoNvIsdoTz9lv/6fMmlFprJD2DPP/fsIR5PE8DF/YCOa
+yhr6ea2MMaNb5aAD73s8l/Fm8AeAOX2XkinVCZHYeRxsxjc6aQV5dAxFbPhEc5AI
+4g0QXuuk7Fm1kF7o95OU0Cx3SIX9Dv3iazJKnlMsKa4g+PIg8ThxfrMzlKW3cMzE
+zfWdgGe65I0cOS8kLi7C+nd23y2EMn/Zfq55pguSYq0E49A+J30KzRFmZZWiXsfB
+U0Q1mOHEl4Lbl0WLeJnjp+adDTgRwUMoAsuQ87SGr+8BRwZCJX2wLmdBS4NKvZFH
+Xsxu4OQxxx8SySxeGKqmyE4cUAL2iCy18vS1wL/5OQKBgQDGjpoe9aU8eEt0vDbe
+/SyJITMchnqOUNGEBAyRmPqViGolHd+htnrj3hJ1O44vTjUTxj3NWxon2pFYMrtj
+LHBN9CBzt3/1KMjUQmQL1BmIMRlvXS8HsRQl4Nt9lP4GqtX0tbi64JydCENiavL9
+zVE0mCV4HzNSqSiTfqEVBZ/NvQKBgQDKBbalPtzQQ+sgvslMQPNpNFCpow4Nn6Eo
+CHGQ9nZFFyEpdMxcpqhYwgiy8eosBXTEhbhQyYcbxB77EDH1WLcho1ZII8rX6LrM
+153B/8XuIdEkJDkcYhEGmM0CAO+X8Nztkksk3T3jpG8TFdZBlk2giegBV4ko2Ina
+HdkRqah6aQKBgEM6mXiOF+qHmJTn/XQ3KNMtiI7KAckaGDao4FCUCZSD4dy7ZrLs
+hGOPF5TWG2htBI+zec2EYTDJUpkYZFZJ/6SFWk+T/CFYM9eauyE+KX7xkPkiBgCG
+tpm0rtywi+paAaOfu/Kahqys1ZQHPkstL6etNFKdzdTZLcHzCDuD8f3JAoGATDaj
+lOuGOjulNJFFN7M5IPNPiu+smY8jKQsmbN3N+HqlVBJwFnP5BqMMzRVeloTobEtW
+IYQlqF/woB6X+kshq1sHbeey2ok+D5E4PrvTW+b+E3hm40JL0gVLMfpQaS3A6w9J
+sfqVIpAiJz0Ru2SMnIfqMrdnUzV9q/+eqH8sxCECgYBxIN/8r/H1lmJBa8vaAO5P
+Nb6j6yRgWkIIS8lN9uGjs5O3qfT0MDvkiyp6vDetHelKF+ayJ+SeNpuj978g2lhy
+KgUtUYeo1qXLHHpEpmf/Dc597v+v8aI9uUD3RFdOtR2yup3JUlDVJFf/VtF27a5X
+aC5sPUAoOReOMN6lLnxKrg==
+-----END PRIVATE KEY-----
diff --git a/src/tests/test_data/sii-crypto/howto.md b/src/tests/test_data/sii-crypto/howto.md
new file mode 100644
index 00000000..219ffd63
--- /dev/null
+++ b/src/tests/test_data/sii-crypto/howto.md
@@ -0,0 +1,71 @@
+# Generating a self-signed certificate in DER format using OpenSSL
+
+## Documentation
+
+- <https://www.openssl.org/docs/manmaster/man1/req.html>
+
+## Parameters
+
+- File to send the key to (`key_file_name`)
+- Output file (`certificate_file_name`)
+- Number of days cert is valid for (`number_of_days`)
+
+```sh
+key_file_name='key.pem'
+certificate_file_name='certificate.der'
+number_of_days=365
+subject_rut_oid='1.3.6.1.4.1.8321.1'
+subject_rut='13185095-K'
+```
+
+## Steps
+
+### Generate the private key and public certificate
+
+```sh
+openssl req \
+    -newkey rsa:2048 \
+    -nodes \
+    -keyout "$key_file_name" \
+    -x509 \
+    -days "$number_of_days" \
+    -outform DER \
+    -out "$certificate_file_name" \
+    -extensions san -config <(cat /etc/ssl/openssl.cnf \
+        <(printf "\n[san]\nsubjectAltName=otherName:$subject_rut_oid;UTF8:$subject_rut"))
+```
+
+```text
+Generating a RSA private key
+....................................................................................+++++
+....................................................+++++
+writing new private key to 'key.pem'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:CL
+State or Province Name (full name) [Some-State]:Region Metropolitana
+Locality Name (eg, city) []:Santiago
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Corporation
+Organizational Unit Name (eg, section) []:Acme Explosive Tennis Balls
+Common Name (e.g. server FQDN or YOUR name) []:John Doe
+Email Address []:john.doe@acme.com
+```
+
+### Output
+
+#### Review the created certificate
+
+```sh
+openssl x509 \
+    -inform DER \
+    -in "$certificate_file_name" \
+    -text -noout
+```
+
+This will generate a self-signed certificate in DER format and allow you to review its contents
diff --git a/src/tests/test_rut_crypto_utils.py b/src/tests/test_rut_crypto_utils.py
index c485d53b..ab16eafd 100644
--- a/src/tests/test_rut_crypto_utils.py
+++ b/src/tests/test_rut_crypto_utils.py
@@ -32,6 +32,46 @@ def test_get_subject_rut_from_certificate_pfx_ok(self) -> None:
             self.assertIsInstance(subject_rut, rut.Rut)
             self.assertEqual(subject_rut, rut.Rut('13185095-6'))
 
+    def test_get_subject_rut_from_certificate_pfx_ok_with_rut_that_ends_with_K(self) -> None:
+        cert_der_bytes = utils.read_test_file_bytes('test_data/sii-crypto/TEST-DTE-13185095-K.der')
+
+        x509_cert = load_der_x509_cert(cert_der_bytes)
+
+        with patch.object(
+            pkcs12,
+            'load_key_and_certificates',
+            Mock(return_value=(None, x509_cert, None)),
+        ):
+            pfx_file_bytes = b'hello'
+            password = 'fake_password'
+            subject_rut = get_subject_rut_from_certificate_pfx(
+                pfx_file_bytes=pfx_file_bytes,
+                password=password,
+            )
+            self.assertIsInstance(subject_rut, rut.Rut)
+            self.assertEqual(subject_rut, rut.Rut('13185095-K'))
+
+    def test_get_subject_rut_from_certificate_pfx_not_matching_rut_format(self) -> None:
+        cert_der_bytes = utils.read_test_file_bytes(
+            'test_data/sii-crypto/TEST-DTE-WITH-ID-BUT-NO-RUT.der',
+        )
+
+        x509_cert = load_der_x509_cert(cert_der_bytes)
+
+        with patch.object(
+            pkcs12,
+            'load_key_and_certificates',
+            Mock(return_value=(None, x509_cert, None)),
+        ):
+            pfx_file_bytes = b'hello'
+            password = 'fake_password'
+            with self.assertRaises(Exception) as cm:
+                get_subject_rut_from_certificate_pfx(
+                    pfx_file_bytes=pfx_file_bytes,
+                    password=password,
+                )
+            self.assertEqual(cm.exception.args, ('RUT format not found in certificate',))
+
     def test_get_subject_rut_from_certificate_pfx_fails_if_rut_info_is_missing(self) -> None:
         cert_der_bytes = utils.read_test_file_bytes(
             'test_data/crypto/wildcard-google-com-cert.der',