For the signing process, we have to hash the signed properties. In ZATCA’s samples the signed properties look like so:
<xades:SignedProperties Id="xadesSignedProperties">
  <xades:SignedSignatureProperties>
    <xades:SigningTime>2022-09-15T00:41:21Z</xades:SigningTime>
    <xades:SigningCertificate>
      <xades:Cert>
        <xades:CertDigest>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>YTJkM2JhYTcwZTBhZTAxOGYwODMyNzY3NTdkZDM3YzhjY2IxOTIyZDZhM2RlZGJiMGY0NDUzZWJhYWI4MDhmYg==</ds:DigestValue>
        </xades:CertDigest>
        <xades:IssuerSerial>
          <ds:X509IssuerName>CN=TSZEINVOICE-SubCA-1, DC=extgazt, DC=gov, DC=local</ds:X509IssuerName>
          <ds:X509SerialNumber>2475382886904809774818644480820936050208702411</ds:X509SerialNumber>
        </xades:IssuerSerial>
      </xades:Cert>
    </xades:SigningCertificate>
  </xades:SignedSignatureProperties>
</xades:SignedProperties>
However, in open source libraries like wes4m’s zatca-xml-js, they got it working by adding attributes to some of the elements during the signing step. These attributes are not present in ZATCA’s samples provided with the SDK.
Mainly:
<ds:X509IssuerName xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:X509IssuerName>
<ds:X509SerialNumber xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:X509SerialNumber>
Can we get an example of the whole signed properties block as it should look when it’s time for hashing?
We’re stuck at this step:
{
  "type" => "ERROR",
  "code" => "signed-properties-hashing",
  "category" => "CERTIFICATE_ERRORS",
  "message" => "Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'",
  "status" => "ERROR"
}
We made sure that the hashing steps are correct (compared with other SDKs that are passing), so it must be the content that has an issue.
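The hashing step this question is stuck on, as an added Python example that is not code from ZATCA's SDK or from zatca-xml-js: it assembles the SignedProperties block with the `xmlns:ds` declarations the libraries add (which is what exclusive canonicalization emits on this subtree, since every `ds:*` element sits under `xades:*` parents only) and digests its exact bytes. The sample values are the ones quoted above; the digest encoding (base64 over the lowercase hex SHA-256 string, not over the raw bytes) is inferred from the sample certificate `DigestValue`, which decodes to a 64-character hex string. It is an assumption that the signed-properties digest uses that same encoding; `raw_digest` is included for the plain XML-DSig form in case your reference SDK uses it instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
# Sample values copied from the SignedProperties block quoted in the question above.
SAMPLE_TIME = "2022-09-15T00:41:21Z"
SAMPLE_CERT_DIGEST = "YTJkM2JhYTcwZTBhZTAxOGYwODMyNzY3NTdkZDM3YzhjY2IxOTIyZDZhM2RlZGJiMGY0NDUzZWJhYWI4MDhmYg=="
SAMPLE_ISSUER = "CN=TSZEINVOICE-SubCA-1, DC=extgazt, DC=gov, DC=local"
SAMPLE_SERIAL = "2475382886904809774818644480820936050208702411"

def raw_digest(data: bytes) -> str:
    """Plain XML-DSig DigestValue: base64 of the 32 raw SHA-256 bytes (44 chars)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def zatca_digest(data: bytes) -> str:
    """ZATCA-style DigestValue: base64 of the lowercase hex SHA-256 string (88 chars)."""
    return base64.b64encode(hashlib.sha256(data).hexdigest().encode("ascii")).decode("ascii")

def decode_zatca_digest(value: str) -> str:
    """Strip the outer base64 layer; accept only a 64-char lowercase hex string inside."""
    inner = base64.b64decode(value, validate=True)
    if len(inner) != 64 or not set(inner) <= set(b"0123456789abcdef"):
        raise ValueError("not a base64-wrapped hex SHA-256 digest")
    return inner.decode("ascii")

def build_signed_properties(signing_time, cert_digest, issuer, serial):
    """Exclusive C14N declares a prefix on the element that visibly uses it when no emitted
    ancestor did; each ds:* element here has only xades:* ancestors, hence four xmlns:ds."""
    # No indentation is emitted: the validator hashes bytes, so hash exactly what you embed.
    return (
        '<xades:SignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="xadesSignedProperties">'
        f"<xades:SignedSignatureProperties><xades:SigningTime>{signing_time}</xades:SigningTime>"
        "<xades:SigningCertificate><xades:Cert><xades:CertDigest>"
        f'<ds:DigestMethod {DS_NS} Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<ds:DigestValue {DS_NS}>{cert_digest}</ds:DigestValue></xades:CertDigest>"
        f"<xades:IssuerSerial><ds:X509IssuerName {DS_NS}>{issuer}</ds:X509IssuerName>"
        f"<ds:X509SerialNumber {DS_NS}>{serial}</ds:X509SerialNumber></xades:IssuerSerial>"
        "</xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties>"
    )

def root_tag(xml_text: str) -> str:
    """Parse the block (raises on malformed XML) and return its namespaced root tag."""
    return ET.fromstring(xml_text).tag

def signed_properties_hash(signing_time, cert_digest, issuer, serial) -> str:
    # Assumption: the signed-properties digest uses the same hex-wrapped encoding as the cert digest.
    block = build_signed_properties(signing_time, cert_digest, issuer, serial)
    root_tag(block)  # fail fast if the assembled block is not well-formed
    return zatca_digest(block.encode("utf-8"))
```

Compare the value returned by `signed_properties_hash` with the DigestValue of the reference to `#xadesSignedProperties` in a sample that passes the SDK; if only the whitespace or the namespace declarations differ between the hashed block and the embedded one, this is the error the validator reports.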