Dear ZATCA Support Team,
I am currently working on integrating Phase 2 of the e-invoicing (Simplified Invoice) process using your developer sandbox environment, and I’m encountering issues while decoding the binarySecurityToken received from your onboarding API.
The response containing the binarySecurityToken is obtained from the following endpoint:
POST https://gw-fatoora.zatca.gov.sa/e-invoicing/devices/identity
This token is required to extract the signing certificate details for use in the XAdES signature SignedProperties, specifically:
- ds:X509IssuerName
- ds:X509SerialNumber
- SHA-256 hash of the certificate (DER encoded)
However, I’ve attempted the following decoding methods, all of which result in errors or unparseable data:
- Base64 decode to DER > parse as X.509 certificate — throws errors such as “Unparsed DER bytes remain after ASN.1 parsing”.
- Parse as PKCS#7 (CMS SignedData) — results in a valid structure, but the certificates field is empty or missing.
- Converting to PEM format and using tools like node-forge or OpenSSL also fails to recognize it as a valid certificate.
Could you please clarify:
- What is the expected format of the binarySecurityToken returned from this endpoint?
- Does the token contain an embedded X.509 certificate, and if so, how should it be decoded?
- What is the correct way to extract the issuer name, serial number, and hash from this response for use in the XAdES SignedProperties section?
Any guidance, specification reference, or example token structure would be very helpful in proceeding.
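
A diagnostic for the decoding attempts listed in the post above, added here as an example (not part of the original message and not ZATCA code): it peels base64 layers from a token until the bytes form a DER SEQUENCE, then reports how many layers were removed and whether bytes remain after the structure, which is the condition behind an "Unparsed DER bytes remain" error. That the token may carry more than one base64 layer is an assumption to test, not something this page documents; `inspectToken` and its helpers are hypothetical names.

```javascript
const crypto = require('crypto');

// Total encoded length (header + content) of a definite-length DER SEQUENCE
// at offset 0, or null if the bytes do not start with one.
function derSequenceLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return null;
  let len = buf[1];
  let header = 2;
  if (len & 0x80) {                 // long form: low 7 bits = count of length octets
    const n = len & 0x7f;
    if (n === 0 || n > 4 || buf.length < 2 + n) return null;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
    header = 2 + n;
  }
  return header + len;
}

// Strict check: base64 alphabet only, length a multiple of 4 once whitespace is removed.
function looksLikeBase64(text) {
  const s = text.replace(/\s+/g, '');
  return s.length > 0 && s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// Decode while the bytes are still base64 text (assumption: at most maxLayers
// layers), then require a DER SEQUENCE and hash exactly its bytes.
function inspectToken(token, maxLayers = 3) {
  let bytes = Buffer.from(token, 'latin1');
  for (let layers = 0; layers <= maxLayers; layers++) {
    const text = bytes.toString('latin1');
    if (looksLikeBase64(text)) {
      bytes = Buffer.from(text, 'base64');
      continue;
    }
    const total = derSequenceLength(bytes);
    if (total === null || total > bytes.length) return null;   // not DER, or truncated
    const der = bytes.subarray(0, total);
    return {
      layers,                                  // base64 layers removed before DER appeared
      trailingBytes: bytes.length - total,     // > 0 explains "unparsed bytes remain"
      der,
      sha256: crypto.createHash('sha256').update(der).digest('hex'),
    };
  }
  return null;
}
```

If the result is non-null with `trailingBytes` equal to 0, `der` can be passed to Node's built-in `new crypto.X509Certificate(der)`, whose `issuer` and `serialNumber` properties give the other two values.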