Kindly, if anyone can help with how to create the invoice hash, considering that we need to create the invoice hash two times: one time before signing, because the hash is required to sign the invoice and create the QR, and another invoice hash after signing.
The hash before signing has steps like preparing the XML file, then removing the UBL, signature, and QR tags, then canonicalizing the file, then creating SHA-256, then decode64 on the result. But how do we create the invoice hash after signing? Also, the new hash (after signing) will be different from the hash used in the QR creation, and we will get an error if we send the hash after signing.
Can anyone help with what the steps of signing and creating the hash are, and what hash to send to the API?
Hi @redametawee,
I am assuming that you are asking about the signing process and the hash generation process. Please note that you can sign the invoices and generate the hash using the SDK.
The hash generation process applies to standard invoices. You can generate the hash using this command:
Fatoora -generateHash -invoice "invoice.xml"
You will have to take the hash value from the CLI and replace the first digest value in the invoice with the newly generated hash.
Unlike standard tax invoices, simplified tax invoices and their associated notes must be signed with the taxpayer's X.509 certificate (CSID). There are 2 X.509 certificates returned in the taxpayer's EGS onboarding process.
First X.509 certificate: CCSID, which is returned after completing the first API (Compliance CSID). It is returned as a binary security token, which will be used as a username in the authorization. It is also used as a signing certificate (X.509) after we decode it using base64 (we decode the binarysecurityToken using a base64 decoder, and the output is the X.509 certificate). We use this certificate to sign the simplified tax invoices in the compliance invoice API (compliance checks phase).
Second X.509 certificate: PCSID, which is returned after completing the third API in the onboarding process (Production CSID). It is also returned as a binary security token, and will be used as the username in the authorization for both the reporting and clearance APIs. It is also used as a signing certificate (X.509) after we decode it using base64 (we decode the binarysecurityToken using a base64 decoder, and the output is the X.509 certificate). We use this certificate to sign the simplified tax invoices in the reporting API.
Please refer to the steps of manual signing using ZATCA’s Java SDK below:
- After sending the CSR in the Compliance request CSID API, a Binarytoken & secret will be returned
- Take the Binarytoken output and decode it using a base64 decoder; the decoded value is the X.509 certificate
- Go to the SDK file at the following path: SDK/Data/Certificates/Cert.pem
- Replace the value with your obtained X.509 certificate
- Go to the SDK and use the command: fatooranet -sign -invoice "invoice.xml"
- Now the invoice will be signed & can be submitted successfully in the compliance checks phase (Compliance invoice API)
- Redo the same steps above with the PCSID returned from the third API in the onboarding process, and sign your simplified tax invoices with it before sending them to the Reporting API
If you are implementing the signing process in your own code, please refer to this document:
SigningProcessUpdated.pdf (392.7 KB)
If you require any additional support other than the mentioned steps above, please do not hesitate to reach out.
Thank you so much for your kind support.
I am using my own code, using Node.js.
So I need the steps of signing the invoice.xml file and creating the QR. I expect that to sign and create the QR we need to generate the invoice hash before signing, then using the hash with the certificate details we sign and generate the QR, then we need to send the signed invoice to the API with the hash of the signed invoice, which will be different from the hash used in generating the QR code, and we will get an error that the hash is different from the one used in the QR.
So I will be very thankful if you send me the steps before signing and after signing for generating the hash, and what we need to send to the API.
Hi, are you talking about B2B or B2C? The hash is calculated on the clean XML, meaning the UBL and QR tags are removed and only the data part of the XML is there to hash. Now no matter how many times you calculate the hash with any changes in the XML, it will remain the same, and this is the purpose of the hash: to know if the XML was changed. Thanks
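Added example, not part of the thread and not ZATCA's or the SDK's code: a Node.js sketch of why the hash computed before signing still matches after signing, because signing only adds content to the elements that are stripped before hashing. The element names, the regex stripping used in place of an XML parser plus canonicalization, the Base64 encoding of the digest bytes, and the `simulateSigning` helper are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Elements left out of the invoice hash: the thread's "UBL, signature and QR tags"
// (UBL element names assumed).
const EXCLUDED = [
  /<ext:UBLExtensions>[\s\S]*?<\/ext:UBLExtensions>/g,
  /<cac:Signature>[\s\S]*?<\/cac:Signature>/g,
  /<cac:AdditionalDocumentReference>\s*<cbc:ID>QR<\/cbc:ID>[\s\S]*?<\/cac:AdditionalDocumentReference>/g,
];

// Illustration only: production code should remove these nodes with an XML
// parser and canonicalize the result before hashing.
function stripExcluded(xml) {
  return EXCLUDED.reduce((doc, re) => doc.replace(re, ""), xml);
}

// SHA-256 over the stripped document; digest bytes Base64-encoded (assumed encoding).
function invoiceHash(xml) {
  return crypto.createHash("sha256").update(stripExcluded(xml), "utf8").digest("base64");
}

// Hypothetical stand-in for signing: embeds the hash in the three excluded elements.
function simulateSigning(xml, hash) {
  const ext = "<ext:UBLExtensions><ext:UBLExtension><ds:DigestValue>" + hash +
    "</ds:DigestValue><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>" +
    "</ext:UBLExtension></ext:UBLExtensions>";
  const qr = "<cac:AdditionalDocumentReference><cbc:ID>QR</cbc:ID>" +
    "<cbc:EmbeddedDocumentBinaryObject>CONSTRUCTED-" + hash +
    "</cbc:EmbeddedDocumentBinaryObject></cac:AdditionalDocumentReference>";
  const sig = "<cac:Signature><cbc:ID>CONSTRUCTED</cbc:ID></cac:Signature>";
  return xml.replace("<Invoice>", () => "<Invoice>" + ext)
            .replace("<cac:LegalMonetaryTotal>", () => qr + sig + "<cac:LegalMonetaryTotal>");
}

// Constructed sample invoice (not a valid ZATCA document).
const unsigned = "<Invoice><cbc:ID>INV-001</cbc:ID>" +
  "<cac:AdditionalDocumentReference><cbc:ID>ICV</cbc:ID><cbc:UUID>1</cbc:UUID>" +
  "</cac:AdditionalDocumentReference><cac:LegalMonetaryTotal>" +
  "<cbc:PayableAmount currencyID=\"SAR\">115.00</cbc:PayableAmount>" +
  "</cac:LegalMonetaryTotal></Invoice>";

const hashBefore = invoiceHash(unsigned);          // computed first, used to sign and build the QR
const signed = simulateSigning(unsigned, hashBefore);
const hashAfter = invoiceHash(signed);             // same value: signing touched excluded elements only
const hashTampered = invoiceHash(signed.replace("115.00", "915.00"));

console.log({ hashBefore, hashAfter, unchanged: hashBefore === hashAfter,
              tamperDetected: hashTampered !== hashBefore });
```

If a signer inserts the new elements with extra line breaks or indentation, that whitespace stays behind after stripping and changes the hash, which is one reason the data part has to be serialized identically on both sides.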
Mr. Malik,
Thank you for your support.
We are able to send B2B without issues because it is the data part only, but we are not able to send B2C because it needs to be signed and to create the QR.
You are saying that the hash will be for the data part only, so it will not change, but as per the support team the hash that needs to be sent to the API should be the hash after signing, so definitely the value of the hash will change from the hash of the data only.
If you could help me with the steps after we prepare our invoice.xml file based on the template and fill it with the invoice data: what we need to do, starting from signing and creating the QR until we send to the API from invoice/compliance. Keep in mind that we are using Node.js, not the SDK.
Thanks
Hi,
You can just take one invoice and use the SDK manually to sign and check and verify with your hash. Thanks