Disable signing_certificate by default

kislyuk · kislyuk · commit 2370e49950c8 · 2026-01-18T20:46:32.000-08:00
diff --git a/signxml/xades/xades.py b/signxml/xades/xades.py
@@ -98,6 +98,8 @@ class XAdESSigner(XAdESProcessor, XMLSigner):
         Parameters to pass to the :class:`signxml.XMLSigner` constructor.
     """
 
+    use_deprecated_legacy_signing_certificate: bool = False
+
     def __init__(
         self,
         signature_policy: Optional[XAdESSignaturePolicy] = None,
@@ -191,9 +193,6 @@ def add_signing_time(self, signed_signature_properties, sig_root, signing_settin
 
     def add_signing_certificate(self, signed_signature_properties, sig_root, signing_settings: SigningSettings):
         # Emit both legacy SigningCertificate (SHA1 + IssuerSerial) and SigningCertificateV2
-        signing_cert = SubElement(
-            signed_signature_properties, xades_tag("SigningCertificate"), nsmap=self.namespaces
-        )
         signing_cert_v2 = SubElement(
             signed_signature_properties, xades_tag("SigningCertificateV2"), nsmap=self.namespaces
         )
@@ -208,21 +207,28 @@ def add_signing_certificate(self, signed_signature_properties, sig_root, signing
             cert_digest_sha1_bytes = self._get_digest(der_encoded_cert, algorithm=DigestAlgorithm.SHA1)
 
             # Legacy SigningCertificate
-            cert_node_legacy = SubElement(signing_cert, xades_tag("Cert"), nsmap=self.namespaces)
-            cert_digest = SubElement(cert_node_legacy, xades_tag("CertDigest"), nsmap=self.namespaces)
-            SubElement(cert_digest, ds_tag("DigestMethod"), nsmap=self.namespaces, Algorithm=DigestAlgorithm.SHA1.value)
-            digest_value_node = SubElement(cert_digest, ds_tag("DigestValue"), nsmap=self.namespaces)
-            digest_value_node.text = b64encode(cert_digest_sha1_bytes).decode()
-            issuer_serial = SubElement(cert_node_legacy, xades_tag("IssuerSerial"), nsmap=self.namespaces)
-            issuer_name = SubElement(issuer_serial, ds_tag("X509IssuerName"), nsmap=self.namespaces)
-            issuer_name.text = "C={C},O={O},OU={OU},CN={CN}".format(
-                C=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.COUNTRY_NAME)[0].value,
-                O=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value,
-                OU=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value,
-                CN=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value,
-            )
-            serial_number = SubElement(issuer_serial, ds_tag("X509SerialNumber"), nsmap=self.namespaces)
-            serial_number.text = str(loaded_cert.serial_number)
+            if self.use_deprecated_legacy_signing_certificate:
+                signing_cert = SubElement(
+                    signed_signature_properties, xades_tag("SigningCertificate"), nsmap=self.namespaces
+                )
+
+                cert_node_legacy = SubElement(signing_cert, xades_tag("Cert"), nsmap=self.namespaces)
+                cert_digest = SubElement(cert_node_legacy, xades_tag("CertDigest"), nsmap=self.namespaces)
+                SubElement(
+                    cert_digest, ds_tag("DigestMethod"), nsmap=self.namespaces, Algorithm=DigestAlgorithm.SHA1.value
+                )
+                digest_value_node = SubElement(cert_digest, ds_tag("DigestValue"), nsmap=self.namespaces)
+                digest_value_node.text = b64encode(cert_digest_sha1_bytes).decode()
+                issuer_serial = SubElement(cert_node_legacy, xades_tag("IssuerSerial"), nsmap=self.namespaces)
+                issuer_name = SubElement(issuer_serial, ds_tag("X509IssuerName"), nsmap=self.namespaces)
+                issuer_name.text = "C={C},O={O},OU={OU},CN={CN}".format(
+                    C=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.COUNTRY_NAME)[0].value,
+                    O=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value,
+                    OU=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value,
+                    CN=loaded_cert.issuer.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value,
+                )
+                serial_number = SubElement(issuer_serial, ds_tag("X509SerialNumber"), nsmap=self.namespaces)
+                serial_number.text = str(loaded_cert.serial_number)
 
             # SigningCertificateV2 (current default)
             cert_node = SubElement(signing_cert_v2, xades_tag("Cert"), nsmap=self.namespaces)
