5.2. Signing Offline Receipts

 
 
When making an online transaction, sales transactions are submitted to the Malawi Revenue Authority (MRA) in real-time. In response, the MRA returns a ValidationURL. The POS uses this ValidationURL to generate a QR code.
 
For offline transactions, the POS generates the ValidationURL offline. This is done by creating a HMAC (Hash-based Message Authentication Code) of the invoice request, which includes the invoice number, line items count, and transaction date. The HMAC is created using a secret key received during terminal activation.
 
Below is the sample method used to generate the Offline Signature and Validation Url:
 
 
 private (string OfflineDataSignature, string ValidationURL) GenerateInvoiceResponse(long taxpayerId,
            int position,
            InvoiceGenerationRequest request, string secretKey)
{
    var julianDate = ToJulianDate(Convert.ToDateTime(request.transactiondate));
    var julianDateTo64 = Base10ToBase64(julianDate);
    var combinedString = GenerateCombinedString(taxpayerId, position, julianDate, request.transactionCount);
 
    var offlineBaseURL = "https://dev-eis-portal.mra.mw/ReceiptValidation/Validate/";
    string param = $"TI={combinedString}&N={request.NumItems}&I={request.InvoiceTotal}&V={request.VATAmount}&T={julianDateTo64}";
 
    string offlineDataSignature = ComputeHMACWithSHA256(param, secretKey);
    offlineDataSignature = HttpUtility.UrlEncode(offlineDataSignature);
    string validationURL = $"{offlineBaseURL}?{param}&S={offlineDataSignature}";
 
    return (offlineDataSignature, validationURL);
 
}
 
ComputeHMACWithSHA256 helper method:
 
 private static string ComputeHMACWithSHA256(string plainText, string secretKey)
 {
     using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey)))
     {
         byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(plainText));
         return Convert.ToBase64String(hash)
             .Replace("+", "-")
             .Replace("/", "_")
             .TrimEnd('=');
     }
 }
The function that computes the HMAC takes two parameters: a plainText string—constructed by concatenating the invoice number, line item count, invoice total, VAT amount, and transaction date—and a secretKey. The resulting HMAC is stored in the database as the offlineSignature
 
When the POS regains the ability to connect to the MRA server, it sends the offline transactions to the server. The `offlineSignature` must not be null for these transactions. If `offlineSignature` is null, it indicates the transaction was made online. If it is not null, it indicates the transaction was made offline.