Invalid signed properties hashing

I’m currently facing an issue when attempting to submit B2C (Simplified Invoice) invoices to the compliance/invoice endpoint. While our B2B invoices are being successfully cleared, the B2C invoices encounter an error.
Below is the response I’m receiving from the API:
Response:

{
  "type": "ERROR",
  "code": "signed-properties-hashing",
  "category": "CERTIFICATE_ERRORS",
  "message": "Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'",
  "status": "ERROR"
}

import base64
import hashlib

# SuspiciousOperation is assumed to be Django's exception class
from django.core.exceptions import SuspiciousOperation


def generate_signed_properties_hash(self, signing_time, issuer_name, serial_number, encoded_certificate_hash):
    try:
        # XML template including certificate hash
        xml_string = '''<xades:SignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="xadesSignedProperties">
                            <xades:SignedSignatureProperties>
                                <xades:SigningTime>{signing_time}</xades:SigningTime>
                                <xades:SigningCertificate>
                                    <xades:Cert>
                                        <xades:CertDigest>
                                            <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                            <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{encoded_certificate_hash}</ds:DigestValue>
                                        </xades:CertDigest>
                                        <xades:IssuerSerial>
                                            <ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{issuer_name}</ds:X509IssuerName>
                                            <ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{serial_number}</ds:X509SerialNumber>
                                        </xades:IssuerSerial>
                                    </xades:Cert>
                                </xades:SigningCertificate>
                            </xades:SignedSignatureProperties>
                        </xades:SignedProperties>'''

        # Linearize the XML (removing unnecessary whitespace)
        xml_string = ''.join(xml_string.split())

        # Rendering the XML with the provided data
        xml_string_rendered = xml_string.format(
            signing_time=signing_time,
            encoded_certificate_hash=encoded_certificate_hash,
            issuer_name=issuer_name,
            serial_number=str(serial_number)
        )

        # Encode to UTF-8 and hash with SHA-256
        utf8_bytes = xml_string_rendered.encode('utf-8')
        hash_object = hashlib.sha256(utf8_bytes)
        hex_sha256 = hash_object.hexdigest()

        # Convert the hash to Base64
        signed_properties_base64 = base64.b64encode(hex_sha256.encode('utf-8')).decode('utf-8')

        return signed_properties_base64

    except Exception as e:
        raise SuspiciousOperation("Error in generating signed properties hash: " + str(e))

Generated XML:

<?xml version='1.0' encoding='UTF-8'?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2" xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2" xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2" xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2">
  <ext:UBLExtensions>
    <ext:UBLExtension>
      <ext:ExtensionURI>urn:oasis:names:specification:ubl:dsig:enveloped:xades</ext:ExtensionURI>
      <ext:ExtensionContent>
        <sig:UBLDocumentSignatures xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2" xmlns:sac="urn:oasis:names:specification:ubl:schema:xsd:SignatureAggregateComponents-2" xmlns:sbc="urn:oasis:names:specification:ubl:schema:xsd:SignatureBasicComponents-2">
          <sac:SignatureInformation>
            <cbc:ID>urn:oasis:names:specification:ubl:signature:1</cbc:ID>
            <sbc:ReferencedSignatureID>urn:oasis:names:specification:ubl:signature:Invoice</sbc:ReferencedSignatureID>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="signature">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
                <ds:Reference Id="invoiceSignedData" URI="">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                      <ds:XPath>not(//ancestor-or-self::ext:UBLExtensions)</ds:XPath>
                    </ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                      <ds:XPath>not(//ancestor-or-self::cac:Signature)</ds:XPath>
                    </ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
                      <ds:XPath>not(//ancestor-or-self::cac:AdditionalDocumentReference[cbc:ID='QR'])</ds:XPath>
                    </ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>vfOjaFqsBfUTY67fSxxt07DjPGgXmAqTdBXC1+0gscY=</ds:DigestValue></ds:Reference>
                <ds:Reference URI="#xadesSignedProperties" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>MTgyNWJlMTYyODE4MjA1MzRiYWJjYWI2ODJhOTRhYTlkNmFlM2I1NGJjOTQyNGJiZmI4NWJlMDFjNTRhOTU5MA==</ds:DigestValue></ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>MEQCIE8coUynUgvjQsi1BEq/0nMYIP+XKl8uyrk9LriLeazLAiBcb+21yXDYp2rahE4WACeq+G1444mVgP0k23IDJVUxGg==</ds:SignatureValue><ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate>...</ds:X509Certificate></ds:X509Data>
              </ds:KeyInfo>
              <ds:Object>
                <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="signature">
                  <xades:SignedProperties Id="xadesSignedProperties">
                    <xades:SignedSignatureProperties>
                      <xades:SigningTime>2024-10-05T18:47:33</xades:SigningTime><xades:SigningCertificate>
                        <xades:Cert>
                          <xades:CertDigest>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                            <ds:DigestValue>MzgxYWE1N2IyNzBiMmM0MGQyMzc5MDQ5ZWU4MjUyOTM5NWE3YjFhNmZmOTJmMDZiYjZiMTEwNDU2YzgzOTcwZQ==</ds:DigestValue></xades:CertDigest>
                          <xades:IssuerSerial>
                            <ds:X509IssuerName>CN=eInvoicing</ds:X509IssuerName><ds:X509SerialNumber>1727697397283</ds:X509SerialNumber></xades:IssuerSerial>
                        </xades:Cert>
                      </xades:SigningCertificate>
                    </xades:SignedSignatureProperties>
                  </xades:SignedProperties>
                </xades:QualifyingProperties>
              </ds:Object>
            </ds:Signature>
          </sac:SignatureInformation>
        </sig:UBLDocumentSignatures>
      </ext:ExtensionContent>
    </ext:UBLExtension>
  </ext:UBLExtensions>
...........

I have followed all the steps outlined in the “E-invoicing-Detailed-Technical-Guideline.PDF” and “SigningProcessUpdated.PDF” documents as instructed, but the issue persists.

Could anyone please assist in identifying the root cause and how to resolve this error?

1 Like
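
Added example, not part of the original post: it applies the post's `''.join(xml_string.split())` step to a shortened, constructed copy of the template to show which string actually gets hashed, and it classifies the two `ds:DigestValue` strings from the post by how the digest was encoded. `strip_between_tags` is a hypothetical alternative included only for comparison; which serialization and encoding the validator expects is not stated on this page.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed, shortened version of the SignedProperties template in the post.
TEMPLATE = '''<xades:SignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="xadesSignedProperties">
    <xades:SignedSignatureProperties>
        <xades:SigningTime>2024-10-05T18:47:33</xades:SigningTime>
    </xades:SignedSignatureProperties>
</xades:SignedProperties>'''

# The two ds:DigestValue strings from the ds:SignedInfo shown in the post.
INVOICE_DIGEST = "vfOjaFqsBfUTY67fSxxt07DjPGgXmAqTdBXC1+0gscY="
PROPS_DIGEST = ("MTgyNWJlMTYyODE4MjA1MzRiYWJjYWI2ODJhOTRhYTlkNmFlM2I1"
                "NGJjOTQyNGJiZmI4NWJlMDFjNTRhOTU5MA==")

def strip_all_whitespace(xml_text):
    """The post's linearization: split()/join drops every whitespace char."""
    return "".join(xml_text.split())

def strip_between_tags(xml_text):
    """Hypothetical alternative: drop only whitespace between '>' and '<'."""
    return re.sub(r">\s+<", "><", xml_text.strip())

def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def sha256_hex(xml_text):
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def digest_value_form(b64_value):
    """Report whether a DigestValue wraps raw SHA-256 bytes or their hex text."""
    decoded = base64.b64decode(b64_value)
    if len(decoded) == 32:
        return "raw"
    if re.fullmatch(rb"[0-9a-fA-F]{64}", decoded):
        return "hex"
    return "unknown"

if __name__ == "__main__":
    for fn in (strip_all_whitespace, strip_between_tags):
        text = fn(TEMPLATE)
        print(fn.__name__, is_well_formed(text), sha256_hex(text)[:16])
        print("   ", text[:70])
    print(digest_value_form(INVOICE_DIGEST), digest_value_form(PROPS_DIGEST))
```

A digest is computed over exact bytes, so the string that is hashed has to be the same serialization of `xades:SignedProperties` that the verifier derives from the submitted document.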

Dear @OssamaEltigani,
Thanks for reaching out.

You can follow the below steps:
1-After submitting the Certificate Signing Request (CSR) via the Compliance Request CSID API, you will receive a BinaryToken and a secret.
2-Decode the BinaryToken using a base64 decoder. The decoded value will be the X.509 certificate.
3-Navigate to the SDK directory: SDK/Data/Certificates/Cert.pem.
4-Replace the contents of the Cert.pem file with the X.509 certificate obtained from the decoded BinaryToken.
5-Insert the newly generated private key into the ec-secp256k1-priv-key.pem file.
6-If you use the Java SDK, run the following command: fatoora -sign -invoice "invoice.xml"
Otherwise, with the .NET SDK, run the following command: fatooranet sign -invoice "invoice.xml"
7-The invoice will now be signed and can be successfully submitted during the compliance checks phase via the Compliance Invoice API.
8-Repeat the above steps using the returned PCSID from the third API in the onboarding process, sign your simplified tax invoices, and submit them to the Reporting API. Ensure the returned Binary Token is decoded using a base64 decoder, and the certificate is updated at SDK/Data/Certificates/Cert.pem.
Thanks

@OssamaEltigani,

You can try my suggestion in this post

Thanks @halrashidy for your response.
Actually, I’m not using the SDK; my approach is manual signing.
Can you clarify the source of the error and what part is causing this error?

2 Likes

Dear @OssamaEltigani,

This error happens while doing the signing process. Please follow the steps below to solve your issue:
1-After submitting the Certificate Signing Request (CSR) via the Compliance Request CSID API, you will receive a BinaryToken and a secret.
2-Decode the BinaryToken using a base64 decoder. The decoded value will be the X.509 certificate.
3-Navigate to the SDK directory: SDK/Data/Certificates/Cert.pem.
4-Replace the contents of the Cert.pem file with the X.509 certificate obtained from the decoded BinaryToken.
5-Insert the newly generated private key into the ec-secp256k1-priv-key.pem file.
6-If you use the Java SDK, run the following command: fatoora -sign -invoice "invoice.xml"
Otherwise, with the .NET SDK, run the following command: fatooranet sign -invoice "invoice.xml"
7-The invoice will now be signed and can be successfully submitted during the compliance checks phase via the Compliance Invoice API.
8-Repeat the above steps using the returned PCSID from the third API in the onboarding process, sign your simplified tax invoices, and submit them to the Reporting API. Ensure the returned Binary Token is decoded using a base64 decoder, and the certificate is updated at SDK/Data/Certificates/Cert.pem.
Thanks