Clearance Invoice Error

Dear All,
I am reaching out to seek assistance with an issue I encountered while making a cURL POST request to the ZATCA API for invoice clearance. Below is the cURL command I used:

curl -X 'POST' \
  'https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/invoices/clearance/single' \
  -H 'accept: application/json' \
  -H 'accept-language: en' \
  -H 'Clearance-Status: 1' \
  -H 'Accept-Version: V2' \
  -H 'Authorization: Basic ' \
  -H 'Content-Type: application/json' \
  -d '{
  "invoiceHash": "ITVi7felrvAP5CslNnBQmZJzSL0X2UgKVTdrfiBQVCg=",
  "uuid": "f165cd5f-780b-4455-bc73-2de0adb9cc19",
  "invoice": "…"
}'

However, I’m encountering an error when attempting to make this request. The specific error message returned is as follows:

{
  "validationResults": {
    "infoMessages": [
      {
        "type": "INFO",
        "code": "XSD_ZATCA_VALID",
        "category": "XSD validation",
        "message": "Complied with UBL 2.1 standards in line with ZATCA specifications",
        "status": "PASS"
      }
    ],
    "errorMessages": [
      {
        "type": "ERROR",
        "code": "certificate-permissions",
        "category": "CERTIFICATE_ERRORS",
        "message": "User only allowed to use the vat number that exists in the authentication certificate",
        "status": "ERROR"
      }
    ],
    "status": "ERROR"
  },
  "clearanceStatus": "NOT_CLEARED",
  "clearedInvoice": null
}

@Madleen
Try using the default VAT number 399999999900003 for Clearance and Reporting on Sandbox.
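A pre-flight check for the `certificate-permissions` error above, as an added example that is not part of the original posts: it compares the seller VAT in the invoice XML with the VAT the certificate was requested for. It assumes the certificate VAT comes from the `csr.organization.identifier` key of the CSR properties file and that the seller VAT sits at the UBL path shown; the invoice fragment and the VAT 311111111100003 are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2",
    "cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
}
# Assumed location of the seller VAT number inside the UBL invoice.
SELLER_VAT_PATH = "cac:AccountingSupplierParty/cac:Party/cac:PartyTaxScheme/cbc:CompanyID"

# Constructed sample inputs (the serial number line is the one quoted in the thread).
SAMPLE_CSR = """csr.serial.number=1-TST|2-TST|3-ed22f1d8-e6a2-1118-9b58-d9a8f11e445f
csr.organization.identifier=399999999900003
csr.invoice.type=1100
"""
SAMPLE_INVOICE = f"""<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
    xmlns:cac="{NS['cac']}" xmlns:cbc="{NS['cbc']}">
  <cac:AccountingSupplierParty><cac:Party><cac:PartyTaxScheme>
    <cbc:CompanyID>311111111100003</cbc:CompanyID>
  </cac:PartyTaxScheme></cac:Party></cac:AccountingSupplierParty>
</Invoice>"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def seller_vat(invoice_xml):
    """Return the seller VAT number from the invoice, or None if absent."""
    node = ET.fromstring(invoice_xml).find(SELLER_VAT_PATH, NS)
    return node.text.strip() if node is not None and node.text else None

def vat_mismatch(invoice_xml, csr_properties):
    """Return None when both VAT numbers agree, else a description of the problem."""
    cert_vat = parse_properties(csr_properties).get("csr.organization.identifier")
    inv_vat = seller_vat(invoice_xml)
    if cert_vat is None or inv_vat is None:
        return f"cannot compare: certificate VAT={cert_vat!r}, invoice VAT={inv_vat!r}"
    if cert_vat != inv_vat:
        return f"invoice seller VAT {inv_vat} != certificate VAT {cert_vat}"
    return None

if __name__ == "__main__":
    print(vat_mismatch(SAMPLE_INVOICE, SAMPLE_CSR))
```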

Dear @eCloud ,
Thank you for your help! Could you please explain that more clearly?
In step 4 I’m doing that.

in step 5:

should use tag like that :

<xades:SignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="xadesSignedProperties">
<xades:SignedSignatureProperties>
<xades:SigningTime></xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:X509IssuerName>
<ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>

OR THAT:

<ext:UBLExtension>
    <ext:ExtensionURI>urn:oasis:names:specification:ubl:dsig:enveloped:xades</ext:ExtensionURI>
    <ext:ExtensionContent>
        <sig:UBLDocumentSignatures xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2" xmlns:sac="urn:oasis:names:specification:ubl:schema:xsd:SignatureAggregateComponents-2" xmlns:sbc="urn:oasis:names:specification:ubl:schema:xsd:SignatureBasicComponents-2">
            <sac:SignatureInformation>
                <cbc:ID>urn:oasis:names:specification:ubl:signature:1</cbc:ID>
                <sbc:ReferencedSignatureID>urn:oasis:names:specification:ubl:signature:Invoice</sbc:ReferencedSignatureID>
                <ds:Signature Id="signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:Object>
                        <xades:QualifyingProperties Target="signature" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
                            <xades:SignedProperties Id="xadesSignedProperties">
                                <xades:SignedSignatureProperties>
                                    <xades:SigningTime>2024-10-02T10:14:33</xades:SigningTime>
                                    <xades:SigningCertificate>
                                        <xades:Cert>
                                            <xades:CertDigest>
                                                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                                                <ds:DigestValue>ZDNjOGEzNGY5N2NhMmY0MTJlMWViYWYzM2I3ZGQ4MDQyZmMyNWE2NzY1Nzk3ZWJhYzAwMTQzNWRhNzMzNDczOQ==</ds:DigestValue>
                                            </xades:CertDigest>
                                            <xades:IssuerSerial>
                                                <ds:X509IssuerName>CN=eInvoicing</ds:X509IssuerName>
                                                <ds:X509SerialNumber>1727681943615</ds:X509SerialNumber>
                                            </xades:IssuerSerial>
                                        </xades:Cert>
                                    </xades:SigningCertificate>
                                </xades:SignedSignatureProperties>
                            </xades:SignedProperties>
                        </xades:QualifyingProperties>
                    </ds:Object>
                </ds:Signature>
            </sac:SignatureInformation>
        </sig:UBLDocumentSignatures>
    </ext:ExtensionContent>
</ext:UBLExtension>

</ext:UBLExtensions>
as I want to sign a simplified invoice.

@Madleen

It looks like you want to sign the Invoice using your own code.

Yes, to get the SignedProperties hash you can use the tag as in the guide. Make sure we have 36 spaces before the <xades:SignedSignatureProperties> tag, and the other tags must be formatted with 4 spaces.

using System;
using System.Security.Cryptography;
using System.Text;

// Member of a static helper class. The hash covers the exact text below, whitespace included:
// 36 spaces before <xades:SignedSignatureProperties>, 4 more per nesting level, LF line endings.
internal static string GetSignedPropertiesHash(string signingTime, string digestValue, string x509IssuerName, string x509SerialNumber)
{
    string xmlString = $@"<xades:SignedProperties xmlns:xades=""http://uri.etsi.org/01903/v1.3.2#"" Id=""xadesSignedProperties"">
                                    <xades:SignedSignatureProperties>
                                        <xades:SigningTime>{signingTime}</xades:SigningTime>
                                        <xades:SigningCertificate>
                                            <xades:Cert>
                                                <xades:CertDigest>
                                                    <ds:DigestMethod xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"" Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256""/>
                                                    <ds:DigestValue xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">{digestValue}</ds:DigestValue>
                                                </xades:CertDigest>
                                                <xades:IssuerSerial>
                                                    <ds:X509IssuerName xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">{x509IssuerName}</ds:X509IssuerName>
                                                    <ds:X509SerialNumber xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"">{x509SerialNumber}</ds:X509SerialNumber>
                                                </xades:IssuerSerial>
                                            </xades:Cert>
                                        </xades:SigningCertificate>
                                    </xades:SignedSignatureProperties>
                                </xades:SignedProperties>".Replace("\r\n", "\n");  // Normalize line endings to LF only

    // SHA-256 over the UTF-8 bytes, rendered as lowercase hex
    byte[] hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(xmlString.Trim()));
    string hashHex = BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
    // The digest value is the Base64 encoding of the hex text, not of the raw hash bytes
    return Convert.ToBase64String(Encoding.UTF8.GetBytes(hashHex));
}

For the complete code you can see my Zatca.eInvoice library in my GitHub repository.

Hope this helps…
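Why the 36-space rule and the LF normalization in the reply above matter, as an added example that is not from the thread or from the Zatca.eInvoice library: the same field values are hashed with the stated layout, with a dedented layout and with CRLF line endings, and each gives a different digest. The 28-space and CRLF variants are constructed deviations; the field values are the ones in the XML posted earlier.

```python
import base64
import hashlib

XADES = "http://uri.etsi.org/01903/v1.3.2#"
DS = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

# Values copied from the signed XML posted earlier in the thread.
SAMPLE = ("2024-10-02T10:14:33",
          "ZDNjOGEzNGY5N2NhMmY0MTJlMWViYWYzM2I3ZGQ4MDQyZmMyNWE2NzY1Nzk3ZWJhYzAwMTQzNWRhNzMzNDczOQ==",
          "CN=eInvoicing", "1727681943615")

def signed_properties_block(signing_time, cert_digest, issuer, serial,
                            base_indent=36, eol="\n"):
    """Render the block; base_indent is the indent of SignedSignatureProperties."""
    rows = [  # (nesting level relative to base_indent, text)
        (0, "<xades:SignedSignatureProperties>"),
        (1, f"<xades:SigningTime>{signing_time}</xades:SigningTime>"),
        (1, "<xades:SigningCertificate>"),
        (2, "<xades:Cert>"),
        (3, "<xades:CertDigest>"),
        (4, f'<ds:DigestMethod {DS} Algorithm="{SHA256_URI}"/>'),
        (4, f"<ds:DigestValue {DS}>{cert_digest}</ds:DigestValue>"),
        (3, "</xades:CertDigest>"),
        (3, "<xades:IssuerSerial>"),
        (4, f"<ds:X509IssuerName {DS}>{issuer}</ds:X509IssuerName>"),
        (4, f"<ds:X509SerialNumber {DS}>{serial}</ds:X509SerialNumber>"),
        (3, "</xades:IssuerSerial>"),
        (2, "</xades:Cert>"),
        (1, "</xades:SigningCertificate>"),
        (0, "</xades:SignedSignatureProperties>"),
        (-1, "</xades:SignedProperties>"),
    ]
    head = f'<xades:SignedProperties xmlns:xades="{XADES}" Id="xadesSignedProperties">'
    return eol.join([head] + [" " * (base_indent + 4 * lvl) + txt for lvl, txt in rows])

def signed_properties_hash(block):
    """SHA-256, lowercase hex, then Base64 of the hex text (same order as the C# above)."""
    hex_digest = hashlib.sha256(block.strip().encode("utf-8")).hexdigest()
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")

def compare_variants():
    """Hash the same values with the stated layout and two constructed deviations."""
    return {
        "36 spaces, LF": signed_properties_hash(signed_properties_block(*SAMPLE)),
        "28 spaces, LF": signed_properties_hash(signed_properties_block(*SAMPLE, base_indent=28)),
        "36 spaces, CRLF": signed_properties_hash(signed_properties_block(*SAMPLE, eol="\r\n")),
    }
```

Printing `compare_variants()` shows three distinct 88-character values, so an editor or templating step that re-indents the block or converts line endings changes the SignedProperties digest.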

Dear @eCloud ,
How do I fix it?

on what Environment type?

Check your x509Certificate there

are issuer name and serial number same as in your XML?

or you can just try your invoice on Compliance Check Api to find out if there is a problem with your Signed Invoice.

Dear @eCloud ,
For that’s my “csr.serial.number=1-TST|2-TST|3-ed22f1d8-e6a2-1118-9b58-d9a8f11e445f”

1-Manufacturer or Solution Provider Name|2-Model or Version|3-SerialNumber

It’s the same as I entered in the XML invoice, but it shows this error.

I don’t understand what you are asking,
for the first post issue, I suggest you use the default VAT Number for Certificate and eInvoice XML.

For the Serial Number and Issuer Name error, since you are using your own code to sign the invoice, you must ensure your code generates the IssuerName and SerialNumber as shown in the Certificate Decoder.

Additionally, for Clearance, you do not need to sign your XML eInvoice, just make sure the eInvoice is correct, and send it to the server. The server will sign it for you.

Dear,
To clarify further, by

“csr.serial.number=1-TST|2-TST|3-ed22f1d8-e6a2-1118-9b58-d9a8f11e445f”

I mean that this is not an integer as required here.

Another question: After creating the standard/simplified invoices and ensuring their validation, what is the next step in the simulation process?

@Madleen
Did you follow my suggestion?

When you have passed Clearance and reporting in the Simulation Environment, it means that your application is ready to be implemented in the Production or Core Environment.

Dear,
That’s shown in csrdecoder

That means you sign the document using CSR,

Make sure you sign the document with the correct certificate.

For Compliance Check, sign the document using Certificate from Compliance CSID,
and for Clearance, sign the document with Certificate from Production CSID.

Dear @eCloud ,
I’m doing these steps in simulation portal:
1- generate csr, private key.
2- used Certificate from Compliance CSID for Compliance check.
I know we need a certificate from production CSID to Clearance (Standard invoices) and reporting (Simplified Invoices).
But when try to generate Production CSID, the response

400 Bad Request
{
  "code": "Missing-ComplianceSteps",
  "message": "The compliance certificate is not done with the following compliance steps yet [standard-credit-note-compliant,standard-debit-note-compliant,simplified-compliant,simplified-credit-note-compliant,simplified-debit-note-compliant]"
}

I want to know what I am doing wrong

Seems you have done Compliance Steps for Standard Invoice only.
These 5 compliance checks are pending:

standard-credit-note-compliant
standard-debit-note-compliant
simplified-compliant
simplified-credit-note-compliant
simplified-debit-note-compliant

If you are generating only Standard Invoices, you need to define that in the CSR information.

1000 = Generating Standard Tax Documents only
0100 = Generating Simplified Tax Documents only
1100 = Generate Both Standard and Simplified Tax Documents
1111 = Generate All

Dear Author,
I defined invoice-Type=1100 in the CSR.
My question: should I do the Compliance Check for (standard-credit-note-compliant, standard-debit-note-compliant, simplified-compliant, simplified-credit-note-compliant, simplified-debit-note-compliant)
and then do Clearance (Standard invoices) / Reporting (Simplified Invoices), or what should I do?


You need to submit each type of document in any sequence. Total 6 documents.

Standard Invoice
Simplified Invoice
Standard Credit note
Standard Debit note
Simplified Credit note
Simplified Debit note

Once you do these, then you will be able to generate PCSID

The server response is clear: you are missing compliance steps. You need to send 6 sample invoices, and all invoices must be accepted by the Compliance Check API.
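A small tracker for the situation discussed above, as an added example that is not part of the original posts: it maps the CSR invoice-type flag to the compliance steps it implies and marks which ones the `Missing-ComplianceSteps` response still lists. The step name `standard-compliant` is inferred from the naming pattern in the error message, and the rule that `1000` / `0100` require only their own three steps is an assumption.

```python
import re

# Step names as listed in the error message quoted in the thread;
# "standard-compliant" is inferred from the same pattern (assumption).
STEPS = {
    "standard": ["standard-compliant", "standard-credit-note-compliant",
                 "standard-debit-note-compliant"],
    "simplified": ["simplified-compliant", "simplified-credit-note-compliant",
                   "simplified-debit-note-compliant"],
}

# Response body copied from the thread.
SAMPLE_RESPONSE = {
    "code": "Missing-ComplianceSteps",
    "message": "The compliance certificate is not done with the following compliance "
               "steps yet [standard-credit-note-compliant,standard-debit-note-compliant,"
               "simplified-compliant,simplified-credit-note-compliant,"
               "simplified-debit-note-compliant]",
}

def required_steps(invoice_type):
    """First digit of the flag enables standard documents, second simplified ones."""
    if not re.fullmatch(r"[01]{4}", invoice_type):
        raise ValueError(f"invoice type must be four binary digits, got {invoice_type!r}")
    steps = []
    if invoice_type[0] == "1":
        steps += STEPS["standard"]
    if invoice_type[1] == "1":
        steps += STEPS["simplified"]
    return steps

def pending_steps(error_body):
    """Extract the bracketed step list from a Missing-ComplianceSteps response."""
    if error_body.get("code") != "Missing-ComplianceSteps":
        return []
    match = re.search(r"\[([^\]]*)\]", error_body.get("message", ""))
    return [s.strip() for s in match.group(1).split(",") if s.strip()] if match else []

def progress(invoice_type, error_body):
    """Return {step: 'done' | 'pending'} for every step the CSR flag implies."""
    pending = set(pending_steps(error_body))
    return {s: "pending" if s in pending else "done" for s in required_steps(invoice_type)}

if __name__ == "__main__":
    for step, state in progress("1100", SAMPLE_RESPONSE).items():
        print(f"{state:8} {step}")
```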

Thanks, I was getting the same error. Now it’s resolved.

User only allowed to use the vat number that exists in the authentication certificate


Hi sir, I have one question: how do I run the Fatoora SDK? I searched many websites but it is not working. Currently I use Postman for testing purposes, but it is not working. Please help me, sir: how do I run it?