Gigitally sign e-invoices using digital certificates in Node.js and .NET Core

ylwong

To digitally sign e-invoices using digital certificates in Node.js and .NET Core, you can use libraries and APIs to handle the cryptographic operations required. Below are detailed examples for both environments.

1. Node.js Solution for Digital Signing Using a Digital Certificate

In Node.js, you can use the crypto module or libraries like NodeForge or OpenSSL. Here's an example using the native crypto module to sign data using a digital certificate.

Steps:

Install Dependencies:

npm install crypto

Generate or Obtain a Digital Certificate:
You need a .pfx, .pem, or .crt file from a trusted Certificate Authority (CA). The private key used for signing must be available in .pfx format, as it contains both the certificate and the private key.
Sign the Invoice in Node.js:

Here’s an example code to sign an e-invoice:

const crypto = require('crypto');
const fs = require('fs');

// Load your PFX certificate
const pfx = fs.readFileSync('path_to_your_certificate.pfx');
const passphrase = 'your_pfx_passphrase'; // Optional, if your certificate has a passphrase

// Sample data (the invoice in JSON format or any string)
const invoiceData = JSON.stringify({
    invoiceNumber: 'INV-12345',
    date: '2024-10-18',
    totalAmount: '5000',
    currency: 'MYR'
});

// Sign the data using the private key from the certificate
const sign = crypto.createSign('SHA256');
sign.write(invoiceData);
sign.end();

const signature = sign.sign({
    key: pfx,
    passphrase: passphrase
}, 'base64'); // Use base64 for output signature

console.log('Digital Signature:', signature);

// Optionally verify the signature
const verify = crypto.createVerify('SHA256');
verify.write(invoiceData);
verify.end();

const isVerified = verify.verify(pfx, signature, 'base64');
console.log('Signature Valid:', isVerified);

In this example:

invoiceData is the invoice payload you want to sign.
The digital signature is generated using the private key from the .pfx file.
The signature can be attached to the e-invoice and transmitted securely.

2. .NET Core Solution for Digital Signing Using a Digital Certificate

For .NET Core, you can use the System.Security.Cryptography namespace for signing. The example below demonstrates how to sign an e-invoice using a digital certificate stored in a .pfx file.

Steps:

Install NuGet Packages:

dotnet add package System.Security.Cryptography.Pkcs

Sign the Invoice in .NET Core:

Here’s an example code to sign an invoice using the digital certificate:

using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        // Load your PFX certificate
        string certPath = "path_to_your_certificate.pfx";
        string certPassword = "your_pfx_password";

        X509Certificate2 cert = new X509Certificate2(certPath, certPassword);

        // Invoice data (sample JSON string)
        string invoiceData = "{ \"invoiceNumber\": \"INV-12345\", \"date\": \"2024-10-18\", \"totalAmount\": \"5000\", \"currency\": \"MYR\" }";

        // Convert the invoice data to bytes
        byte[] dataBytes = System.Text.Encoding.UTF8.GetBytes(invoiceData);

        // Create a digital signature using the private key
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            byte[] signedData = rsa.SignData(dataBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            string signature = Convert.ToBase64String(signedData);

            Console.WriteLine("Digital Signature: " + signature);

            // Optional: Verify the signature
            bool isVerified = rsa.VerifyData(dataBytes, signedData, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("Signature Valid: " + isVerified);
        }
    }
}

In this example:

X509Certificate2 is used to load the .pfx certificate and access the private key.
The invoice data is serialized as a string, converted to bytes, and signed using RSA with SHA-256.
The rsa.SignData() method creates the digital signature, which can be attached to the invoice.

Key Points to Consider:

Certificate Format:
- Make sure you have a .pfx file (with the private key included) for signing.
- You may use a .pem file but you’ll need both the certificate and the private key in PEM format.
Security of Private Key:
- Never expose or hardcode your private key directly in the code.
- Ensure the certificate is stored securely, such as in a hardware security module (HSM) or protected key vault.
Signature Algorithm:
- Use SHA-256 as the preferred hash algorithm, as it is widely accepted and secure.
- You can choose other algorithms if required by your system.
Verification:
- The recipient of the invoice must be able to verify the digital signature using your public certificate (typically provided with the invoice).

These examples demonstrate how to integrate digital signing of e-invoices using a digital certificate for both Node.js and .NET Core environments.

ylwong

In an X.509 version 3 (X509v3) digital certificate, the "Key Usage" extension defines the purpose of the public key contained in the certificate. It restricts the types of cryptographic operations the key is authorized to perform. Each purpose is represented by a bit in the extension, and the certificate can be used only for the purposes specified by these bits.

The term "90" here is likely a reference to a numeric value representing the combination of key usage purposes in binary. The value 90 (in decimal) corresponds to a binary value of 1011010, which represents a specific combination of the allowed key usages.

Here’s how the bits (and corresponding key usages) in X.509v3 Key Usage map to that value:

Bit 0: digitalSignature (1) – The key is used for verifying digital signatures, such as for certificate signing or email/message signing.
Bit 1: nonRepudiation (2) – The key can be used to provide non-repudiation, ensuring that the signer cannot deny the act of signing.
Bit 2: keyEncipherment (4) – The key can be used to encrypt keys, typically in protocols like SSL/TLS.
Bit 3: dataEncipherment (8) – The key can be used to encrypt data directly (less common in practice).
Bit 4: keyAgreement (16) – The key can be used for key agreement protocols (like Diffie-Hellman).
Bit 5: keyCertSign (32) – The key can be used to sign certificates (used by Certificate Authorities to sign other certificates).
Bit 6: cRLSign (64) – The key can be used to sign Certificate Revocation Lists (CRLs).
Bit 7: encipherOnly (128) – The key can be used only for enciphering.
Bit 8: decipherOnly (256) – The key can be used only for deciphering.

For a value of 90 (binary 1011010), the corresponding key usages are:

Bit 1 (nonRepudiation)
Bit 3 (dataEncipherment)
Bit 5 (keyCertSign)
Bit 6 (cRLSign)

This means the key in the certificate is allowed to perform these operations:

Non-repudiation
Data encipherment
Signing certificates
Signing Certificate Revocation Lists (CRLs)

This is a typical setup for a certificate that could be used by a Certificate Authority (CA) or a similar entity responsible for managing keys and issuing certificates.