Invoice Hash not match Calculated Hash

I am trying to send compliance invoice, for B2B it is working fine and I am getting cleared response but for B2C I got some issues solved one by one but still Not able to solve this issue The invoice hash API body does not match the (calculated) Hash of the XML
can you advise please

Dear @redametawee ,

Please install the last version of the SDk 3.3.4

The hash should be calculated on the final version of the XML document after it has been signed. If you’re generating the hash before signing, the XML will change when signed, leading to a mismatch.

Kindly ensure you are correctly using the hash from the signed XML, not the unsigned version, The order should be:

  1. Generate the XML document.
  2. Sign the XML.
  3. Calculate the hash from the signed XML.
  4. Send the signed XML and the corresponding hash to the API.

Please Confirm that you’re signing the XML before generating the hash and that the hash is from the final, signed XML document.
It’s likely not a bug but rather an issue with the order of operations or a mismatch between the hash and the XML content. Ensuring the correct sequence first, then hashing should resolve this issue. If the error still occurs, please don’t hesitate to reach out with our support team via email:

Thanks,

thank you so much for your support

still I have the same problem

The invoice hash API body does not match the (calculated) Hash of the XML

and I want to mention the following points

1- I am not using .Net so I dont have to use SDK
2- I am using Nodejs
3- first I am preparing the invoice.xml file and populating the data from the database to create the same file

  1. Remove the ext:UBLExtensions/ block
  2. Remove the cac:AdditionalDocumentReference/block where cbc:ID/ =QR
  3. Remove thecac:Signature/block
  4. Canonicalize the Invoice using the C14N11 standard
  5. Hash the resulting string using SHA256 to a binary object
  6. Base64 encode the binary object to generate the digest value (so at this point we created the Invoice Hash)

7- we use the invoice hash created in point 6 to sign the invoice and to create the QR

8- we pouplate the signed data into the invoice.xml file to include the UBLExtensions and Qr again (so at this point we created the signed xml file)
9- we encode the xml file created in point number 8 to base 64 (so here we created the invoice body by just encoding the xml file)
10 - we pass the invoice hash created in point number 6, and invoice body created in number 9 to the compliance/invoice API

after all mentioned points we got the same error The invoice hash API body does not match the (calculated) Hash of the XML

please note that,

1- we passed the invoice hash created on point number 6 becuase if we created another invoice hash after signing the invoice we will get error that the invoice hash passed wo the API is different from the invoice hash used in the Qr creation and also the main error which the mentioned in the begning still
2- as per many topics in the groups it was mentioned that we have to add namespaces to the signedPoperties tags when preparing the file only but when finalizing the invoice we should remove those namespaces but if we did this we got an error Invalid signed properties hashing, SignedProperties with id=‘xadesSignedProperties’ so we are keeping those name spaces in the file also before sending to the API ( example for what I mean by the namespace in the signedProperites is like <ds:X509SerialNumber xmlns:ds=“XML-Signature Syntax and Processing”>{SET_CERTIFICATE_SERIAL_NUMBER}</ds:X509SerialNumber> as we have to add xmlns:ds=“XML-Signature Syntax and Processing” always and in the invoice itself before sending othewise will got error
3- we are able to send the B2B invoices and getting cleared status, and our problem is in the B2C because it require signing

Kidly advise how can we solve this problem

Can you please elaborate more, what do you mean by:
The invoice hash API body does not match the (calculated) Hash of the XML

Dear @halrashidy
For signing of XML invoice latest SDk 3.3.4 is used, but the certificates are generated using the CSR generated by OpenSSL . Whether it creates this issue in invoice hashing specified by @redametawee ?

this is the error message I am getting as a response from compliance/invoice API
{
type: ‘ERROR’,
code: ‘invalid-invoice-hash’,
category: ‘INVOICE_HASHING_ERRORS’,
message: ‘The invoice hash API body does not match the (calculated) Hash of the XML’,
status: ‘ERROR’
}

Please We need you support as we are posting the issue in the group but still not solved the issue,

as per your advise we tried to hash the invoice after signing but got one more issue that the hash is not same as the hash in the QR which is correct because in order to sign the xml invoice and generate the QR we need to get the hash before singing first,
if you send us more details about the process I think it might help, details like prepare the invoice file then remove the tags not required in first stage then generate the hash for the unsigned then sign and create the qr then get the hash again… etc

below is the details for last post in the group but did not get response from your side

still I have the same problem

The invoice hash API body does not match the (calculated) Hash of the XML

and I want to mention the following points

1- I am not using .Net so I dont have to use SDK
2- I am using Nodejs
3- first I am preparing the invoice.xml file and populating the data from the database to create the same file

  1. Remove the ext:UBLExtensions/ block
  2. Remove the cac:AdditionalDocumentReference/block where cbc:ID/ =QR
  3. Remove thecac:Signature/block
  4. Canonicalize the Invoice using the C14N11 standard
  5. Hash the resulting string using SHA256 to a binary object
  6. Base64 encode the binary object to generate the digest value (so at this point we created the Invoice Hash)

7- we use the invoice hash created in point 6 to sign the invoice and to create the QR

8- we pouplate the signed data into the invoice.xml file to include the UBLExtensions and Qr again (so at this point we created the signed xml file)
9- we encode the xml file created in point number 8 to base 64 (so here we created the invoice body by just encoding the xml file)
10 - we pass the invoice hash created in point number 6, and invoice body created in number 9 to the compliance/invoice API

after all mentioned points we got the same error The invoice hash API body does not match the (calculated) Hash of the XML

please note that,

1- we passed the invoice hash created on point number 6 becuase if we created another invoice hash after signing the invoice we will get error that the invoice hash passed wo the API is different from the invoice hash used in the Qr creation and also the main error which the mentioned in the begning still
2- as per many topics in the groups it was mentioned that we have to add namespaces to the signedPoperties tags when preparing the file only but when finalizing the invoice we should remove those namespaces but if we did this we got an error Invalid signed properties hashing, SignedProperties with id=‘xadesSignedProperties’ so we are keeping those name spaces in the file also before sending to the API ( example for what I mean by the namespace in the signedProperites is like <ds:X509SerialNumber xmlns:ds=“XML-Signature Syntax and Processing”>{SET_CERTIFICATE_SERIAL_NUMBER}</ds:X509SerialNumber> as we have to add xmlns:ds=“XML-Signature Syntax and Processing” always and in the invoice itself before sending othewise will got error
3- we are able to send the B2B invoices and getting cleared status, and our problem is in the B2C because it require signing

Kidly advise how can we solve this problem

| halrashidy
August 28 |

  • | - |

Dear @redametawee ,

Please install the last version of the SDk 3.3.4

The hash should be calculated on the final version of the XML document after it has been signed. If you’re generating the hash before signing, the XML will change when signed, leading to a mismatch.

Kindly ensure you are correctly using the hash from the signed XML, not the unsigned version, The order should be:

  1. Generate the XML document.
  2. Sign the XML.
  3. Calculate the hash from the signed XML.
  4. Send the signed XML and the corresponding hash to the API.

Please Confirm that you’re signing the XML before generating the hash and that the hash is from the final, signed XML document.
It’s likely not a bug but rather an issue with the order of operations or a mismatch between the hash and the XML content. Ensuring the correct sequence first, then hashing should resolve this issue. If the error still occurs, please don’t hesitate to reach out with our support team via email:

Thanks,

What are the steps you’re following to generate the invoice hash?

1- I am not using .Net so I dont have to use SDK
2- I am using Nodejs
3- first I am preparing the invoice.xml file and populating the data from the database to create the same file

  1. Remove the ext:UBLExtensions/ block
  2. Remove the cac:AdditionalDocumentReference/block where cbc:ID/ =QR
  3. Remove thecac:Signature/block
  4. Canonicalize the Invoice using the C14N11 standard
  5. Hash the resulting string using SHA256 to a binary object
  6. Base64 encode the binary object to generate the digest value (so at this point we created the Invoice Hash)

7- we use the invoice hash created in point 6 to sign the invoice and to create the QR

8- we pouplate the signed data into the invoice.xml file to include the UBLExtensions and Qr again (so at this point we created the signed xml file)
9- we encode the xml file created in point number 8 to base 64 (so here we created the invoice body by just encoding the xml file)
10 - we pass the invoice hash created in point number 6, and invoice body created in number 9 to the compliance/invoice API

after all mentioned points we got the same error The invoice hash API body does not match the (calculated) Hash of the XML

please note that,

1- we passed the invoice hash created on point number 6 becuase if we created another invoice hash after signing the invoice we will get error that the invoice hash passed wo the API is different from the invoice hash used in the Qr creation and also the main error which the mentioned in the begning still
2- as per many topics in the groups it was mentioned that we have to add namespaces to the signedPoperties tags when preparing the file only but when finalizing the invoice we should remove those namespaces but if we did this we got an error Invalid signed properties hashing, SignedProperties with id=‘xadesSignedProperties’ so we are keeping those name spaces in the file also before sending to the API ( example for what I mean by the namespace in the signedProperites is like <ds:X509SerialNumber xmlns:ds=“XML-Signature Syntax and Processing”>{SET_CERTIFICATE_SERIAL_NUMBER}</ds:X509SerialNumber> as we have to add xmlns:ds=“XML-Signature Syntax and Processing” always and in the invoice itself before sending othewise will got error
3- we are able to send the B2B invoices and getting cleared status, and our problem is in the B2C because it require signing

Kidly advise how can we solve this problem

Dear @redametawee

Thanks for reaching out,

Can I kindly ask you to share your full concerns via email to SP support team, to ensure comprehensive support as usual, and schedule a meeting if needed.

SP email: sp_support@zatca.gov.sa

Thanks,
Ibrahem Daoud.

Hi,

Steps are mentioned in the following document starting from page 52:
E-invoicing Detailed Technical Guidelines Version 2

I’m putting them below for your reference (I think you missed step 3 below):

  1. Open the invoice XML file
  2. Remove the tags (UBLExtension, QR, Signature)
  3. Remove the XML version
  4. Canonicalize the Invoice using the C14N11 standard
  5. Hash the new invoice body using SHA-256
  6. Encode the hashed invoice using base64 Using HEX-to Base64 Encoder
  7. Sign the generated invoice hash with ECDSA using the private key

Regards,

what is the steps of Calculate the hash from the signed XML ?

I am not using SDK, I am using custom software so I need the details steps (just the steps like what you mentioned before) but steps of singing the invoice and creating the QR (I think qr is mandatory for the invoice file to be ready) and after that steps of preparing the invoice and creating the hash to the API, keeping in mind that we need to create invoice hash two times one before singing which will be used in singing and creating the qr and one after signing which will be send along with the decoded64 invoice file to API and also keeping in mind that the hash used in the qr will be different of the one send to the API which will give error