Sample code for 30+ languages & platforms
Tcl

Sign XML for Zakat, Tax and Customs Authority (ZATCA)

See more ZATCA Examples

Demonstrates how to sign XML for Zakat, Tax and Customs Authority (ZATCA).

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set success 1

# Load XML to be signed...
set sbXml [new_CkStringBuilder]

set success [CkStringBuilder_LoadFile $sbXml "qa_data/xml_dsig_valid_samples/UBL_Saudi_ZATCA_Zakat_Tax_and_Customs_Authority_toBeSigned.xml" "utf-8"]
if {$success == 0} then {
    puts "Failed to load XML file to be signed."
    delete_CkStringBuilder $sbXml
    exit
}

# Loads XML containing the following (with data modified from the original sample).

# <?xml version="1.0" encoding="UTF-8"?>
# <Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2" xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2" xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2" xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2"><ext:UBLExtensions>
#     <ext:UBLExtension>
#         <ext:ExtensionURI>urn:oasis:names:specification:ubl:dsig:enveloped:xades</ext:ExtensionURI>
#         <ext:ExtensionContent>
#             <sig:UBLDocumentSignatures xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2" xmlns:sac="urn:oasis:names:specification:ubl:schema:xsd:SignatureAggregateComponents-2" xmlns:sbc="urn:oasis:names:specification:ubl:schema:xsd:SignatureBasicComponents-2">
#                 <sac:SignatureInformation>
#                     <cbc:ID>urn:oasis:names:specification:ubl:signature:1</cbc:ID>
#                     <sbc:ReferencedSignatureID>urn:oasis:names:specification:ubl:signature:Invoice</sbc:ReferencedSignatureID>
#                     
#                 </sac:SignatureInformation>
#             </sig:UBLDocumentSignatures>
#         </ext:ExtensionContent>
#     </ext:UBLExtension>
# </ext:UBLExtensions>
#    
#    <cbc:ProfileID>reporting:1.0</cbc:ProfileID>
#    <cbc:ID>100</cbc:ID>
#    <cbc:UUID>3cf5ee18-ee25-44ea-a444-2c37ba7f28be</cbc:UUID>
#    <cbc:IssueDate>2021-04-25</cbc:IssueDate>
#    <cbc:IssueTime>15:30:00</cbc:IssueTime>
#    <cbc:InvoiceTypeCode name="0100000">388</cbc:InvoiceTypeCode>
#    <cbc:DocumentCurrencyCode>SAR</cbc:DocumentCurrencyCode>
#    <cbc:TaxCurrencyCode>SAR</cbc:TaxCurrencyCode>
#    <cbc:LineCountNumeric>2</cbc:LineCountNumeric>
#    <cac:AdditionalDocumentReference>
#       <cbc:ID>ICV</cbc:ID>
#       <cbc:UUID>46531</cbc:UUID>
#    </cac:AdditionalDocumentReference>
#    <cac:AdditionalDocumentReference>
#       <cbc:ID>PIH</cbc:ID>
#       <cac:Attachment>
#          <cbc:EmbeddedDocumentBinaryObject mimeCode="text/plain">NWZl......NTdlOQ==</cbc:EmbeddedDocumentBinaryObject>
#       </cac:Attachment>
#    </cac:AdditionalDocumentReference>
#    
#   
#    <cac:AdditionalDocumentReference>
#         <cbc:ID>QR</cbc:ID>
#         <cac:Attachment>
#             <cbc:EmbeddedDocumentBinaryObject mimeCode="text/plain">ARlBbC........FAau5g</cbc:EmbeddedDocumentBinaryObject>
#         </cac:Attachment>
# </cac:AdditionalDocumentReference><cac:Signature>
#       <cbc:ID>urn:oasis:names:specification:ubl:signature:Invoice</cbc:ID>
#       <cbc:SignatureMethod>urn:oasis:names:specification:ubl:dsig:enveloped:xades</cbc:SignatureMethod>
# </cac:Signature><cac:AccountingSupplierParty>
#       <cac:Party>
#          <cac:PartyIdentification>
#             <cbc:ID schemeID="MLS">123457890</cbc:ID>
#          </cac:PartyIdentification>
#          <cac:PostalAddress>
#             <cbc:StreetName>King Abdulaziz Road</cbc:StreetName>
#             <cbc:BuildingNumber>9999</cbc:BuildingNumber>
#             <cbc:PlotIdentification>9999</cbc:PlotIdentification>
#             <cbc:CitySubdivisionName>Al Amal</cbc:CitySubdivisionName>
#             <cbc:CityName>Riyadh</cbc:CityName>
#             <cbc:PostalZone>12643</cbc:PostalZone>
#             <cbc:CountrySubentity>Riyadh Region</cbc:CountrySubentity>
#             <cac:Country>
#                <cbc:IdentificationCode>SA</cbc:IdentificationCode>
#             </cac:Country>
#          </cac:PostalAddress>
#          <cac:PartyTaxScheme>
#             <cbc:CompanyID>300099999900003</cbc:CompanyID>
#             <cac:TaxScheme>
#                <cbc:ID>VAT</cbc:ID>
#             </cac:TaxScheme>
#          </cac:PartyTaxScheme>
#          <cac:PartyLegalEntity>
#             <cbc:RegistrationName>Example Co. LTD</cbc:RegistrationName>
#          </cac:PartyLegalEntity>
#       </cac:Party>
#    </cac:AccountingSupplierParty>
#    <cac:AccountingCustomerParty>
#       <cac:Party>
#          <cac:PartyIdentification>
#             <cbc:ID schemeID="SAG">123C12345678</cbc:ID>
#          </cac:PartyIdentification>
#          <cac:PostalAddress>
#             <cbc:StreetName>King Abdullah Road</cbc:StreetName>
#             <cbc:BuildingNumber>9999</cbc:BuildingNumber>
#             <cbc:PlotIdentification>9999</cbc:PlotIdentification>
#             <cbc:CitySubdivisionName>Al Mursalat</cbc:CitySubdivisionName>
#             <cbc:CityName>Riyadh</cbc:CityName>
#             <cbc:PostalZone>11564</cbc:PostalZone>
#             <cbc:CountrySubentity>Riyadh Region</cbc:CountrySubentity>
#             <cac:Country>
#                <cbc:IdentificationCode>SA</cbc:IdentificationCode>
#             </cac:Country>
#          </cac:PostalAddress>
#          <cac:PartyTaxScheme>
#             <cac:TaxScheme>
#                <cbc:ID>VAT</cbc:ID>
#             </cac:TaxScheme>
#          </cac:PartyTaxScheme>
#          <cac:PartyLegalEntity>
#             <cbc:RegistrationName>EXAMPLE MARKETS</cbc:RegistrationName>
#          </cac:PartyLegalEntity>
#       </cac:Party>
#    </cac:AccountingCustomerParty>
#    <cac:Delivery>
#       <cbc:ActualDeliveryDate>2022-04-25</cbc:ActualDeliveryDate>
#    </cac:Delivery>
#    <cac:PaymentMeans>
#       <cbc:PaymentMeansCode>42</cbc:PaymentMeansCode>
#    </cac:PaymentMeans>
#    <cac:TaxTotal>
#       <cbc:TaxAmount currencyID="SAR">135.00</cbc:TaxAmount>
#       <cac:TaxSubtotal>
#          <cbc:TaxableAmount currencyID="SAR">900.00</cbc:TaxableAmount>
#          <cbc:TaxAmount currencyID="SAR">135.00</cbc:TaxAmount>
#          <cac:TaxCategory>
#             <cbc:ID>S</cbc:ID>
#             <cbc:Percent>15</cbc:Percent>
#             <cac:TaxScheme>
#                <cbc:ID>VAT</cbc:ID>
#             </cac:TaxScheme>
#          </cac:TaxCategory>
#       </cac:TaxSubtotal>
#    </cac:TaxTotal>
#    <cac:TaxTotal>
#       <cbc:TaxAmount currencyID="SAR">135.00</cbc:TaxAmount>
#    </cac:TaxTotal>
#    <cac:LegalMonetaryTotal>
#       <cbc:LineExtensionAmount currencyID="SAR">900.00</cbc:LineExtensionAmount>
#       <cbc:TaxExclusiveAmount currencyID="SAR">900.00</cbc:TaxExclusiveAmount>
#       <cbc:TaxInclusiveAmount currencyID="SAR">1035.00</cbc:TaxInclusiveAmount>
#       <cbc:AllowanceTotalAmount currencyID="SAR">0.00</cbc:AllowanceTotalAmount>
#       <cbc:PayableAmount currencyID="SAR">1035.00</cbc:PayableAmount>
#    </cac:LegalMonetaryTotal>
#    <cac:InvoiceLine>
#       <cbc:ID>1</cbc:ID>
#       <cbc:InvoicedQuantity unitCode="PCE">1</cbc:InvoicedQuantity>
#       <cbc:LineExtensionAmount currencyID="SAR">200.00</cbc:LineExtensionAmount>
#       <cac:TaxTotal>
#          <cbc:TaxAmount currencyID="SAR">30.00</cbc:TaxAmount>
#          <cbc:RoundingAmount currencyID="SAR">230.00</cbc:RoundingAmount>
#       </cac:TaxTotal>
#       <cac:Item>
#          <cbc:Name>Item A</cbc:Name>
#          <cac:ClassifiedTaxCategory>
#             <cbc:ID>S</cbc:ID>
#             <cbc:Percent>15</cbc:Percent>
#             <cac:TaxScheme>
#                <cbc:ID>VAT</cbc:ID>
#             </cac:TaxScheme>
#          </cac:ClassifiedTaxCategory>
#       </cac:Item>
#       <cac:Price>
#          <cbc:PriceAmount currencyID="SAR">200.00</cbc:PriceAmount>
#       </cac:Price>
#    </cac:InvoiceLine>
#    <cac:InvoiceLine>
#       <cbc:ID>2</cbc:ID>
#       <cbc:InvoicedQuantity unitCode="PCE">2</cbc:InvoicedQuantity>
#       <cbc:LineExtensionAmount currencyID="SAR">700.00</cbc:LineExtensionAmount>
#       <cac:TaxTotal>
#          <cbc:TaxAmount currencyID="SAR">105.00</cbc:TaxAmount>
#          <cbc:RoundingAmount currencyID="SAR">805.00</cbc:RoundingAmount>
#       </cac:TaxTotal>
#       <cac:Item>
#          <cbc:Name>Item B</cbc:Name>
#          <cac:ClassifiedTaxCategory>
#             <cbc:ID>S</cbc:ID>
#             <cbc:Percent>15</cbc:Percent>
#             <cac:TaxScheme>
#                <cbc:ID>VAT</cbc:ID>
#             </cac:TaxScheme>
#          </cac:ClassifiedTaxCategory>
#       </cac:Item>
#       <cac:Price>
#          <cbc:PriceAmount currencyID="SAR">350.00</cbc:PriceAmount>
#       </cac:Price>
#    </cac:InvoiceLine>
# </Invoice>

set gen [new_CkXmlDSigGen]

CkXmlDSigGen_put_SigLocation $gen "Invoice|ext:UBLExtensions|ext:UBLExtension|ext:ExtensionContent|sig:UBLDocumentSignatures|sac:SignatureInformation"
CkXmlDSigGen_put_SigLocationMod $gen 0
CkXmlDSigGen_put_SigId $gen "signature"
CkXmlDSigGen_put_SigNamespacePrefix $gen "ds"
CkXmlDSigGen_put_SigNamespaceUri $gen "http://www.w3.org/2000/09/xmldsig#"
CkXmlDSigGen_put_SignedInfoCanonAlg $gen "C14N_11"
CkXmlDSigGen_put_SignedInfoDigestMethod $gen "sha256"

# Create an Object to be added to the Signature.
set object1 [new_CkXml]

CkXml_put_Tag $object1 "xades:QualifyingProperties"
CkXml_AddAttribute $object1 "xmlns:xades" "http://uri.etsi.org/01903/v1.3.2#"
CkXml_AddAttribute $object1 "Target" "signature"
CkXml_UpdateAttrAt $object1 "xades:SignedProperties" 1 "Id" "xadesSignedProperties"
CkXml_UpdateChildContent $object1 "xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime" "TO BE GENERATED BY CHILKAT"
CkXml_UpdateAttrAt $object1 "xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod" 1 "Algorithm" "http://www.w3.org/2001/04/xmlenc#sha256"
CkXml_UpdateChildContent $object1 "xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue" "TO BE GENERATED BY CHILKAT"
CkXml_UpdateChildContent $object1 "xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName" "TO BE GENERATED BY CHILKAT"
CkXml_UpdateChildContent $object1 "xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber" "TO BE GENERATED BY CHILKAT"

CkXmlDSigGen_AddObject $gen "" [CkXml_getXml $object1] "" ""

# -------- Reference 1 --------
set xml1 [new_CkXml]

CkXml_put_Tag $xml1 "ds:Transforms"
CkXml_UpdateAttrAt $xml1 "ds:Transform" 1 "Algorithm" "http://www.w3.org/TR/1999/REC-xpath-19991116"
CkXml_UpdateChildContent $xml1 "ds:Transform|ds:XPath" "not(//ancestor-or-self::ext:UBLExtensions)"
CkXml_UpdateAttrAt $xml1 "ds:Transform[1]" 1 "Algorithm" "http://www.w3.org/TR/1999/REC-xpath-19991116"
CkXml_UpdateChildContent $xml1 "ds:Transform[1]|ds:XPath" "not(//ancestor-or-self::cac:Signature)"
CkXml_UpdateAttrAt $xml1 "ds:Transform[2]" 1 "Algorithm" "http://www.w3.org/TR/1999/REC-xpath-19991116"
CkXml_UpdateChildContent $xml1 "ds:Transform[2]|ds:XPath" "not(//ancestor-or-self::cac:AdditionalDocumentReference[cbc:ID='QR'])"
CkXml_UpdateAttrAt $xml1 "ds:Transform[3]" 1 "Algorithm" "http://www.w3.org/2006/12/xml-c14n11"

CkXmlDSigGen_AddSameDocRef2 $gen "" "sha256" $xml1 ""

CkXmlDSigGen_SetRefIdAttr $gen "" "invoiceSignedData"

# -------- Reference 2 --------
CkXmlDSigGen_AddObjectRef $gen "xadesSignedProperties" "sha256" "" "" "http://www.w3.org/2000/09/xmldsig#SignatureProperties"

# Provide a certificate + private key. (PFX password is test123)
set certFromPfx [new_CkCert]

set success [CkCert_LoadPfxFile $certFromPfx "qa_data/pfx/cert_test123.pfx" "test123"]
if {$success != 1} then {
    puts [CkCert_lastErrorText $certFromPfx]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    exit
}

# Alternatively, if your certificate and private key are in separate PEM files, do this:
set cert [new_CkCert]

set success [CkCert_LoadFromFile $cert "qa_data/zatca/cert.pem"]
if {$success != 1} then {
    puts [CkCert_lastErrorText $cert]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    exit
}

puts [CkCert_subjectCN $cert]

# Load the private key.
set privKey [new_CkPrivateKey]

set success [CkPrivateKey_LoadPemFile $privKey "qa_data/zatca/ec-secp256k1-priv-key.pem"]
if {$success != 1} then {
    puts [CkPrivateKey_lastErrorText $privKey]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    delete_CkPrivateKey $privKey
    exit
}

puts "Key Type: [CkPrivateKey_keyType $privKey]"

# Associate the private key with the certificate.
set success [CkCert_SetPrivateKey $cert $privKey]
if {$success != 1} then {
    puts [CkCert_lastErrorText $cert]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    delete_CkPrivateKey $privKey
    exit
}

# The certificate passed to SetX509Cert must have an associated private key.
# If the cert was loaded from a PFX, then it should automatically has an associated private key.
# If the cert was loaded from PEM, then the private key was explicitly associated as shown above.
set success [CkXmlDSigGen_SetX509Cert $gen $cert 1]
if {$success != 1} then {
    puts [CkXmlDSigGen_lastErrorText $gen]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    delete_CkPrivateKey $privKey
    exit
}

CkXmlDSigGen_put_KeyInfoType $gen "X509Data"
CkXmlDSigGen_put_X509Type $gen "Certificate"

# ---------------- This is important -----------------------------------------
# Starting in Chilkat v9.5.0.92, add the "ZATCA" behavior to produce the format required by ZATCA.
CkXmlDSigGen_put_Behaviors $gen "IndentedSignature,TransformSignatureXPath,ZATCA"
# ----------------------------------------------------------------------------

# Sign the XML...
set success [CkXmlDSigGen_CreateXmlDSigSb $gen $sbXml]
if {$success != 1} then {
    puts [CkXmlDSigGen_lastErrorText $gen]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    delete_CkPrivateKey $privKey
    exit
}

# -----------------------------------------------

# Save the signed XML to a file.
set success [CkStringBuilder_WriteFile $sbXml "qa_output/signedXml.xml" "utf-8" 0]

puts [CkStringBuilder_getAsString $sbXml]

# ----------------------------------------
# Verify the signatures we just produced...
set verifier [new_CkXmlDSig]

set success [CkXmlDSig_LoadSignatureSb $verifier $sbXml]
if {$success != 1} then {
    puts [CkXmlDSig_lastErrorText $verifier]
    delete_CkStringBuilder $sbXml
    delete_CkXmlDSigGen $gen
    delete_CkXml $object1
    delete_CkXml $xml1
    delete_CkCert $certFromPfx
    delete_CkCert $cert
    delete_CkPrivateKey $privKey
    delete_CkXmlDSig $verifier
    exit
}

# ---------------- This is important -----------------------------------------
# Starting in Chilkat v9.5.0.92, specify "ZATCA" in uncommon options 
# to validate signed XML according to ZATCA needs.
# ----------------------------------------------------------------------------
CkXmlDSig_put_UncommonOptions $verifier "ZATCA"

set numSigs [CkXmlDSig_get_NumSignatures $verifier]
set verifyIdx 0
while {$verifyIdx < $numSigs} {
    CkXmlDSig_put_Selector $verifier $verifyIdx
    set verified [CkXmlDSig_VerifySignature $verifier 1]
    if {$verified != 1} then {
        puts [CkXmlDSig_lastErrorText $verifier]
        delete_CkStringBuilder $sbXml
        delete_CkXmlDSigGen $gen
        delete_CkXml $object1
        delete_CkXml $xml1
        delete_CkCert $certFromPfx
        delete_CkCert $cert
        delete_CkPrivateKey $privKey
        delete_CkXmlDSig $verifier
        exit
    }

    set verifyIdx [expr $verifyIdx + 1]
}
puts "All signatures were successfully verified."

delete_CkStringBuilder $sbXml
delete_CkXmlDSigGen $gen
delete_CkXml $object1
delete_CkXml $xml1
delete_CkCert $certFromPfx
delete_CkCert $cert
delete_CkPrivateKey $privKey
delete_CkXmlDSig $verifier