dian-gov-co / e-invoice

Important: If a new schema version is released, please prepare a PR (sources at time of writing: https://micrositios.dian.gov.co/sistema-de-facturacion-electronica/)

Examples and doc use deprecated `xades:SigningCertificate` instead of `xades:SigningCertificateV2` #2

Open blaggacao opened 8 months ago

blaggacao commented 8 months ago

xades:SigningCertificate has been deprecated via ETSI-319132-1(v1.2.1) Annex D.

The qualifying properties, specified in ETSI TS 101 903 (V1.4.2) [i.2] and listed below, are deprecated. XAdES signatures shall not include any of these qualifying properties. 1) The SigningCertificate qualifying property defined in the namespace whose URI is http://uri.etsi.org/01903/v1.3.2#, and specified in ETSI TS 101 903 (V1.4.2) [i.2]. Instead the SigningCertificateV2 qualifying property defined in the namespace whose URI is http://uri.etsi.org/01903/v1.3.2#, specified in clause 5.2.2 of the present document, shall be used.

BSI DSig v2 p 90 has some more context:

The signing-certificate is defined in RFC2634, Clause 5.4 and statically uses SHA-1, while signing-certificate-2 is defined in RFC5035, Clause 4 and allows using other hash algorithms. Against the background of recent research results such as SBK+17, GaPe20, for example, it is more than advisable to use signing-certificate-2 with a suitable hash algorithm for the generation of new signatures.

ETSI TS 101 903 V1.4.2 (2010-12) p 35:

```xml
<xsd:element name="SigningCertificate" type="CertIDListType"/>
<xsd:complexType name="CertIDListType">
  <xsd:sequence>
    <xsd:element name="Cert" type="CertIDType"
                 maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CertIDType">
  <xsd:sequence>
    <xsd:element name="CertDigest" type="DigestAlgAndValueType"/>
    <xsd:element name="IssuerSerial" type="ds:X509IssuerSerialType"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>
<xsd:complexType name="DigestAlgAndValueType">
  <xsd:sequence>
    <xsd:element ref="ds:DigestMethod"/>
    <xsd:element ref="ds:DigestValue"/>
  </xsd:sequence>
</xsd:complexType>
```

ETSI EN 319 132-1 V1.2.1 (2022-02) p 27:

```xml
<!-- targetNamespace="http://uri.etsi.org/01903/v1.3.2#" -->
<xsd:element name="SigningCertificateV2" type="CertIDListV2Type"/>
<xsd:complexType name="CertIDListV2Type">
  <xsd:sequence>
    <xsd:element name="Cert" type="CertIDTypeV2" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CertIDTypeV2">
  <xsd:sequence>
    <xsd:element name="CertDigest" type="DigestAlgAndValueType"/>
    <xsd:element name="IssuerSerialV2" type="xsd:base64Binary" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI" use="optional"/>
</xsd:complexType>
<xsd:complexType name="DigestAlgAndValueType">
  <xsd:sequence>
    <xsd:element ref="ds:DigestMethod"/>
    <xsd:element ref="ds:DigestValue"/>
  </xsd:sequence>
</xsd:complexType>
```
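
A check for the deprecated property described in this issue, as an added example that is not part of the original issue or of the DIAN documentation: it scans a XAdES `SignedSignatureProperties` fragment for `xades:SigningCertificate` versus `xades:SigningCertificateV2` and reports SHA-1 certificate digests. The function name, the sample documents and their placeholder values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XADES = "http://uri.etsi.org/01903/v1.3.2#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = DS + "sha1"  # XML-DSig algorithm identifier for SHA-1


def audit_signing_certificate(xml_text):
    """Return a list of findings about the signing-certificate reference."""
    # ElementTree is fine for this constructed input; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    findings = []
    legacy = list(root.iter(f"{{{XADES}}}SigningCertificate"))
    v2 = list(root.iter(f"{{{XADES}}}SigningCertificateV2"))
    if legacy:
        findings.append("deprecated xades:SigningCertificate present")
    if not legacy and not v2:
        findings.append("no signing-certificate reference found")
    for prop in legacy + v2:
        for cert in prop.findall(f"{{{XADES}}}Cert"):
            method = cert.find(f"{{{XADES}}}CertDigest/{{{DS}}}DigestMethod")
            if method is None:
                findings.append("Cert without CertDigest/DigestMethod")
            elif method.get("Algorithm") == SHA1:
                findings.append("CertDigest uses SHA-1")
    return findings


def _sample(element, issuer_child, digest_alg):
    # Constructed sample: digest and issuer values are placeholders, not real data.
    return f"""<xades:SignedSignatureProperties xmlns:xades="{XADES}" xmlns:ds="{DS}">
  <xades:{element}><xades:Cert>
    <xades:CertDigest>
      <ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </xades:CertDigest>
    {issuer_child}
  </xades:Cert></xades:{element}>
</xades:SignedSignatureProperties>"""


LEGACY = _sample("SigningCertificate",
    "<xades:IssuerSerial><ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>"
    "<ds:X509SerialNumber>1</ds:X509SerialNumber></xades:IssuerSerial>", SHA1)
CURRENT = _sample("SigningCertificateV2",
    "<xades:IssuerSerialV2>cGxhY2Vob2xkZXI=</xades:IssuerSerialV2>",
    "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("current", CURRENT)):
        print(name, audit_signing_certificate(doc) or "ok")
```
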

blaggacao commented 8 months ago

PQR

Request no.: 2024DP000022580
Authentication code: N5S8F8

blaggacao commented 8 months ago

An example of a popular Python library which, at the time of writing, only supports SigningCertificateV2: https://github.com/XML-Security/signxml/blob/72256dca6dc7250aa5c5a265ac752cf6adc1b6dd/signxml/xades/xades.py#L195C53-L195C73

blaggacao commented 7 months ago

PQR: (the previous one was closed without a serious answer)

Request no.: 2024DP000039160
Authentication code: Y3M6D3