Complyance, tax advisors, and industry leaders are jointly conducting a free e-invoicing webinar.

Digital Signature for e-invoicing in malaysia

Learn how digital signatures ensure compliance with Malaysia's e-Invoicing regulations. Discover the role of CAs, the signing process, and validation rules.

By
Ajith Kumar M
July 10, 2024
20 mins

Understanding Digital Signatures for e-Invoicing Compliance in Malaysia

As Malaysia's e-Invoice mandate swiftly approaches, understanding the digital signature process becomes crucial for businesses. The Inland Revenue Board of Malaysia (IRBM), also known as Lembaga Hasil Dalam Negeri Malaysia (LHDNM), requires every invoice submission to include a digital signature. This applies to both single invoices and batch submissions, ensuring each invoice is digitally signed to comply with regulations.

What is a Digital Signature?

A digital signature acts like a virtual seal, uniquely linking digital information to its creator. Similar to a handwritten signature or a stamped seal in the physical world, digital signatures provide enhanced security and reliability in the digital realm.

Core Components of Digital Signatures:

  • Private Key: Used to create the digital signature.
  • Public Key: Used to verify the digital signature.

These keys are connected through asymmetric encryption algorithms like RSA (Rivest-Shamir-Adleman) or ECC (Elliptic Curve Cryptography).

Importance and Applications of Digital Signatures

  • Authentication: Ensures the sender's identity is legitimate.
  • Integrity: Detects any alterations or tampering attempts.
  • Non-repudiation: Prevents the sender from denying their involvement.
  • Legal Validity: Legally equivalent to handwritten signatures in many jurisdictions.

The Role of Certificate Authorities (CAs)

Certificate Authorities (CAs) validate digital signatures by providing a trusted framework for verifying public keys associated with digital certificates.

Functions of CAs:

  1. Issuance of Digital Certificates: Bind an individual or entity's identity to a public key.
  2. Verification of Identity: Ensure the requester's identity is legitimate before issuing a certificate.
  3. Binding Public Keys to Identities: Digitally sign the certificate to verify the identity.
  4. Distribution of Certificates: Make certificates publicly available for verification.
  5. Validation of Digital Signatures: Use the CA’s public key to authenticate signatures.
  6. Trust Chain Verification: Validate the certificate chain to ensure each certificate is valid.

How Digital Signatures Work for e-Invoicing in Malaysia

The process of using digital signatures for e-invoicing in Malaysia involves several detailed steps to ensure compliance and security. Here's a comprehensive breakdown of the process:

  1. Generating e-Invoices:
    • The initial step involves creating e-invoices in a structured digital format, such as XML (Extensible Markup Language) or JSON (JavaScript Object Notation). These formats are chosen for their ability to organize data efficiently and facilitate seamless data exchange between systems.
  2. Hash Calculation:
    • Once the e-invoice is generated, a hash value of the document is calculated using the SHA-256 (Secure Hash Algorithm 256-bit) algorithm. This algorithm produces a fixed-size string of characters (hash) unique to the original content of the e-invoice. Any alteration in the invoice content would result in a different hash value, ensuring the document's integrity.
  3. Digital Signature:
    • After calculating the hash, the next step is to digitally sign this hash using a digital certificate. The digital certificate, issued by a trusted Certificate Authority (CA), contains the sender's private key, which is used to encrypt the hash. This encrypted hash, now a digital signature, is unique to both the document and the signer, ensuring authenticity.
  4. Invoice Submission:
    • Finally, the digitally signed e-invoice, including the signature value, is embedded within the XML or JSON document. This comprehensive e-invoice is then submitted to the IRBM/LHDNM (Inland Revenue Board of Malaysia/Lembaga Hasil Dalam Negeri Malaysia) through their designated APIs (Application Programming Interfaces). The submission ensures that the e-invoice is verified and processed in compliance with Malaysia’s regulatory requirements.

This multi-step process ensures that e-invoices are securely generated, signed, and submitted, maintaining the integrity and authenticity required for compliance with Malaysia's e-invoicing regulations.

Validating Digital Signatures by IRBM/LHDNM:

  • Decryption and Identification: IRBM decrypts the signature value using the taxpayer's public key.
  • Hash Comparison: IRBM calculates the hash of the e-Invoice XML and compares it with the decrypted hash. A match indicates a valid invoice.

Complyance’s e-Invoice Middleware

Complyance’s e-Invoice middleware is designed to adhere to IRBM/LHDNM guidelines, ensuring seamless e-Invoice compliance. With global experience in similar mandates, Complyance is a reliable partner for your compliance needs.

Soft Certificate

  • Location: Should be placed on the same server as your ERP or middleware.
  • Accessibility: Your ERP server/middleware should read the soft certificate file in .p12 format.
  • Integration: No integration needed, but the ERP server must locate the certificate.
  • Suitable for: Any organization.
  • Certificate validity: 1 year.

Roaming Certificate

  • Location: Stored securely at Pos Digicert's HSM.
  • Accessibility: Via API.
  • Integration: Required.
  • Suitable for: Appointed Tax Agents / Intermediaries.
  • Certificate validity: 1 year.

How to Purchase the Certificate?

  1. Email: Request a quotation from Certificate Authorities.
  2. Issue PO/Payment Advice: Complete the payment.
  3. Submission: Send documents to Certificate Authorities . Processing takes 3-5 working days.
  4. Verification: The administrative contact will be contacted for information verification.
  5. Certificate Issuance: The certificate will be issued and sent to the administrative contact.
  6. Configuration: Configure the certificate to your ERP solution with assistance from your ERP provider.

List of Certification Authorities and Recognition

License and Recognitions under the Digital Signature Act 1997

Note: Pursuant to Subsection 12(3) of the DSA 1997, a licensed certification authority whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Commission that the licensed certification authority has applied for a renewal of the licence and that such application is pending determination.

List of Licensed Certification Authorities

Pos Digicert Sdn Bhd (457608-K)

  1. Address: No 8-3A-02 Star Central, Lingkaran Cyberpoint Timur, 63000 Cyberjaya, Selangor Darul Ehsan
  2. Licence No: LPBP-1/2020 (4)
  3. Issuing date: 25 December 2020
  4. Expiry date: 24 December 2025
  5. Tel: +603 8800 6000
  6. Website: www.posdigicert.com.my

MSC Trustgate.Com Sdn Bhd (478231-X)

  1. Address: Suite 2-9, Level 2 Block 4801, CBD Perdana, Jalan Perdana, 63000 Cyberjaya, Selangor
  2. Licence No: LPBP-2/2020 (4)
  3. Issuing date: 25 July 2020
  4. Expiry date: 24 July 2025
  5. Tel: +603 8318 1800
  6. Fax: +603 8319 1800
  7. Website: www.msctrustgate.com

TM Technology Services Sdn Bhd (571389-H)

  1. Address: Level 51, North Wing, Menara TM, Jalan Pantai Baharu, 50672 Kuala Lumpur.
  2. Licence No: LPBP-3/2023(3)
  3. Issuing date: 14 April 2023
  4. Expiry date: 31 July 2024
  5. Tel: +6 03 2240 1221
  6. Website: https://www.tmca.com.my/

Raffcomm Technologies Sdn Bhd (1000449-W)

  1. Address: Lot 32.02 Level 32, Sunway Putra Tower, 100, Jalan Putra, 50350 Kuala Lumpur
  2. Licence No: LPBP-4/2021 (1)
  3. Issuing date: 1 May 2021
  4. Expiry date: 30 April 2024 (Renewal in progress)
  5. Tel: +603 4040 0091
  6. Fax: +603 4040 0095
  7. Website: www.rafftech.my

LHDN Guideline for Creating Signatures

This section provides a comprehensive guide on creating digital signatures for documents. It follows the standards set by UBL 2.1 (Universal Business Language Version 2.1) for XML and UBL 2.1 JSON Alternative Representation Version 2.0 for JSON. The methods outlined here are applicable only to documents submitted using the APIs described in this SDK, as detailed in the "Submit Documents" section.

To ensure compliance, the submitter must use a valid digital certificate issued by a recognized certificate authority (CA) in Malaysia. Detailed information about approved CAs can be found in the "List of Certification Authorities and Recognition."

Digital Signing Certificate Profile

The digital certificate used for signing submitted documents must be a valid X.509 certificate and should adhere to the profile specified below.

Certificate Distinguished Name

Certificate distinguished name must have elements listed in the table below:

Certificate Distinguished Name

Key Usage and Enhanced Key Usage

To ensure digital signature level, the following certificate extensions must be set:

  • Key Usage: “Non-Repudiation (40)”. Additional key usages can also be specified, but “Non-Repudiation (40)” must be present.
  • Enhanced Key Usage: “Document Signing (1.3.6.1.4.1.311.10.3.12)”. Additional enhanced key usages can also be specified, but “Document Signing (1.3.6.1.4.1.311.10.3.12)” must be present.

Digital Signature Creation Requirements and Considerations

Requirements:

  • Algorithm: XAdES (XML Advanced Electronic Signature).
  • Hashing Algorithm: SHA 256.
  • Signature Algorithm: RSA.
  • XML Standard: UBL 2.1 XML standard.
  • Profile: Enveloped digital signature profile.

Considerations:

  • Transformations: Exclude ds:Signature and its sub-elements in the calculation.
  • JSON Alternative: Supported using a foreign extension for UBL 2.1 JSON Alternative Representation.

Digital Signature Structure

Digital Signature Structure

Please note that the ExtensionURI should be set as per the value below:

<ext:ExtensionURI>urn:oasis:names:specification:ubl:dsig:enveloped:xades</ext:ExtensionURI>

Signature Element

Signature Element

Signed Information

Signed Information

Document Signed Data

Document Signed Data

XAdES Signed Properties

XAdES Signed Properties

Signed Properties

Signed Properties

Signature Creation

Signed content is the entire document structure except for the following sections:

  • UBLExtension: XPath: [local-name()='Invoice']//[local-name()='UBLExtensions'].
  • Signature: XPath: [local-name()='Invoice']//[local-name()='Signature']. SHA256 hashing used for creating the hash of the elements to sign.

PROPERTYDESCRIPTIONREFERENCESignature valueSignature value generated by signing the document digest.SigDocument digestDocument digest value created using HEX-to-Base64 Encoder.DocDigestSigned properties digestCertificate digest value created using HEX-to-Base64 Encoder.PropsDigestCertificate information digestHEX-SHA256 encoded certificate information.CertDigest

Signature Validation

The validation rules for signatures are:

  • Base64 encoded value: Must be a valid XAdES structure.
  • Signing certificate validity: Must be valid at the date of submission for validation.
  • Issuer: Taxpayer or authorized intermediary must match in certificate and document.
  • XAdES signature: Must be a valid RSA signature created using an approved CA(Certificate Authority) in Malaysia.

Signature Sample

  • UBL 2.1 Invoice Sample XML with Signature
  • UBL 2.1 Invoice Sample JSON with Signature

Disclaimer: The sample JSON file is for digital signature illustration purposes only. Taxpayers are advised to consult local laws and regulations for guidance on digital signature implementation.

Benefits of Using Digital Signature

Digital signatures offer numerous advantages over other forms of electronic signatures. Here are the major benefits:

  • Integrity: Ensures documents remain unchanged after signing, reducing tampering risks.
  • Authentication: Licensed Certification Authorities issue digital certificates, verifying the signer's identity and minimizing impersonation risks.
  • Non-repudiation: Signers cannot deny their signature, providing evidence of document origin and identity.
  • Time-Stamped: Documents are time-stamped, aiding in traceability and establishing when they were signed.
  • Legally Binding: Digital signatures carry the same legal weight as handwritten ones, offering enhanced evidential value.
  • Convenience: Simplifies processes, allowing signing from anywhere with an internet connection, boosting efficiency and reducing paperwork hassles.

Conclusion

Digital signatures are essential for e-Invoicing compliance in Malaysia. Understanding the process, importance, and applications of digital signatures helps businesses streamline operations, ensure legal validity, and maintain data integrity. Partnering with reliable providers like Taxilla and Pos Digicert simplifies this process, providing the necessary tools and support to meet IRBM/LHDNM guidelines effectively.

FAQs

.What is the difference between a soft certificate and a roaming certificate?**

  • A soft certificate is stored on the same server as your ERP or middleware, while a roaming certificate is securely stored at Pos Digicert's HSM and accessed via API.

How long does it take to process a digital certificate application?

  • It typically takes 3-5 working days to process a digital certificate application.

Can a digital signature be used for non-invoice documents?

  • Yes, digital signatures can be used for various types of documents, including contracts and agreements, providing authentication, integrity, non-repudiation, and legal validity.

What is XAdES?

  • XAdES (XML Advanced Electronic Signatures) is a digital signature format that allows for the use of advanced electronic signatures, providing additional security and validity features.

How does IRBM validate digital signatures?

  • IRBM validates digital signatures by decrypting the signature value using the taxpayer's public key, identifying the hash value, and comparing it with the calculated hash of the e-Invoice XML. If they match, the invoice is considered valid.

RECENTLY PUBLISHED