
XAdES EPES: facturae/CAOC requires legacy SigningCertificate with specific X509IssuerName format #281

@zipus

Description

Spanish Facturae XAdES signatures accepted by FACE are rejected by CAOC/VALid2 with:

invalid:untrustedKey-X509IssuerName in signing certificate attribute from signature is not well formed

Root cause: CAOC expects the legacy XAdES SigningCertificate (v1.3) element with:

  • SHA1 CertDigest
  • IssuerSerial containing ds:X509IssuerName and ds:X509SerialNumber
  • X509IssuerName serialized in a strict root-to-leaf order: C=...,O=...,OU=...,CN=... (uppercase attr names)

Current XAdESSigner only emits SigningCertificateV2 and the issuer string follows rfc4514_string() order (CN-first), so CAOC rejects the signature. FACE accepts both.

Proposed fix:

  • In XAdES signing, emit both SigningCertificate (legacy) and SigningCertificateV2.
  • For the legacy block, use SHA1 CertDigest and serialize X509IssuerName as C=...,O=...,OU=...,CN=....
  • Keep V2 as-is (digest per configured algorithm).

References:

Environment/Impact:

  • facturae 3.2.x XAdES EPES signatures
  • FNMT certificates
  • Validates on FACE; fails on CAOC without the legacy SigningCertificate in the expected issuer format.
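One way to build the legacy block the proposed fix describes, as an added example that is not code from the project or from the issue author. It uses only the standard library: the issuer is passed as (OID, value) pairs in DER order (the order `cert.issuer.rdns` from the cryptography package yields and that `rfc4514_string()` reverses), the attribute-name table and RFC 4514 escaping are assumptions, and the certificate bytes and issuer values are constructed samples. SHA-1 appears only because CAOC requires it for this element; the V2 block keeps the configured digest.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XADES_NS = "http://uri.etsi.org/01903/v1.3.2#"  # XAdES v1.3.2 namespace used by facturae
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
ET.register_namespace("xades", XADES_NS)
ET.register_namespace("ds", DS_NS)
# Assumed table of uppercase short names for the attribute OIDs usually found in issuer DNs.
ATTR_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
              "2.5.4.5": "SERIALNUMBER", "2.5.4.7": "L", "2.5.4.8": "ST"}
# Constructed sample issuer as (OID, value) pairs in DER (root-to-leaf) order, i.e. what
# [(a.oid.dotted_string, a.value) for rdn in cert.issuer.rdns for a in rdn] yields.
SAMPLE_ISSUER = [("2.5.4.6", "ES"), ("2.5.4.10", "Example CA, S.A."),
                 ("2.5.4.11", "Certificados"), ("2.5.4.3", "Example Root")]
SAMPLE_DER = b"abc"  # constructed stand-in for cert.public_bytes(Encoding.DER)

def _escape(value):
    """RFC 4514 escaping of characters that are special inside an attribute value."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def legacy_issuer_name(rdns):
    """Root-to-leaf string (C=...,O=...,OU=...,CN=...) in the form CAOC expects."""
    return ",".join(f"{ATTR_NAMES.get(oid, oid)}={_escape(v)}" for oid, v in rdns)

def cn_first_issuer_name(rdns):
    """Reversed (CN-first) order, as rfc4514_string() emits it; CAOC rejects this form."""
    return legacy_issuer_name(list(reversed(rdns)))

def sha1_b64(der):
    """Base64 SHA-1 of the DER certificate: the CertDigest value of the legacy element."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode()

def legacy_signing_certificate(cert_der, issuer_rdns, serial):
    """Build xades:SigningCertificate (v1.3.2) with SHA1 CertDigest and IssuerSerial."""
    sc = ET.Element(f"{{{XADES_NS}}}SigningCertificate")
    cert = ET.SubElement(sc, f"{{{XADES_NS}}}Cert")
    digest = ET.SubElement(cert, f"{{{XADES_NS}}}CertDigest")
    ET.SubElement(digest, f"{{{DS_NS}}}DigestMethod", Algorithm=SHA1_URI)
    ET.SubElement(digest, f"{{{DS_NS}}}DigestValue").text = sha1_b64(cert_der)
    issuer = ET.SubElement(cert, f"{{{XADES_NS}}}IssuerSerial")
    ET.SubElement(issuer, f"{{{DS_NS}}}X509IssuerName").text = legacy_issuer_name(issuer_rdns)
    ET.SubElement(issuer, f"{{{DS_NS}}}X509SerialNumber").text = str(serial)  # decimal
    return sc
```

`ET.tostring(legacy_signing_certificate(SAMPLE_DER, SAMPLE_ISSUER, 1), encoding="unicode")` renders the element with the `xades:`/`ds:` prefixes; the V2 element is emitted alongside it unchanged.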
