From c52548a2bba726f9dd5982d3204c19663ee374fc Mon Sep 17 00:00:00 2001
From: Consultoria AS <desarrollo@consultoria-as.com>
Date: Sun, 25 Jan 2026 01:51:57 +0000
Subject: [PATCH] fix: remove double base64 encoding of certificate in SAT auth

The PEM certificate content is already base64 encoded after removing
headers and newlines. We should not re-encode it.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 apps/api/src/services/sat/sat-auth.service.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/services/sat/sat-auth.service.ts b/apps/api/src/services/sat/sat-auth.service.ts
index 02a7ced..b015bf7 100644
--- a/apps/api/src/services/sat/sat-auth.service.ts
+++ b/apps/api/src/services/sat/sat-auth.service.ts
@@ -27,7 +27,8 @@ function buildAuthRequest(credential: Credential): string {
   const uuid = randomUUID();
 
   const certificate = credential.certificate();
-  const cerB64 = Buffer.from(certificate.pem().replace(/-----.*-----/g, '').replace(/\n/g, '')).toString('base64');
+  // El PEM ya contiene el certificado en base64, solo quitamos headers y newlines
+  const cerB64 = certificate.pem().replace(/-----.*-----/g, '').replace(/\s/g, '');
 
   // Canonicalizar y firmar
   const toDigestXml = `<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">` +