Recently, we have detected an increase in errors during the validation of electronic invoices sent through the eFACT platform, in accordance with the signature policies defined in FACTURAe. Below, we detail the most common problems and offer some recommendations for their resolution:
- invalid:untrustedKey-Invalid signing certificate
- Solution: Check the validity of the certificate used to sign the invoice. Make sure the certificate is valid and issued by a recognized certificate authority.
- invalid: untrustedKey-X509IssuerName in signing certificate attribute from signature is not well formed.
- Problem: The X509IssuerName field is incorrectly encoded or uses non-standard prefixes. Examples:
- Bad coding:
<ds:X509IssuerName>CN=AC Representaci�n,OU=CERES,O=FNMT-RCM,C=ES</ds:X509IssuerName>
- Out of standard:
<ds:X509IssuerName>OrganizationID=VATES-A66*****, CN=UANATACA CA1 2016, OU=TSP-UANATACA, O=UANATACA S.A., L=Barcelona (see current address at www.uanataca.com/address), C=ES</ds:X509IssuerName>
- Solution: Verify that the prefixes and structure of the X509IssuerName field conform to X.509 encoding standards.
- XPathEvaluationError-Malformed request: the request has no signature to validate.
- Solution: You must ensure that the scheme corresponding to the signature (simple or advanced) complies with the XMLDSig and XAdES standard. Review the structure of the signature and its presence in the XML document.
- SignaturePolicyNotFound-Signature Policy null and SignPolicyImplied found but not supported.
- Problem: The SignaturePolicyIdentifier field is incorrect or blank.
<etsi:SignaturePolicyIdentifier>
<etsi:SignaturePolicyImplied/>
</etsi:SignaturePolicyIdentifier>
- Solution: The signature policy must be correctly specified in the field
SignaturePolicyIdentifier
instead of leaving it blank.
- SignaturePolicyNotFound-Given commitment cannot be found on the
requested signature policy
- Problem: The field has been added
<xades:CommitmentTypeId>
- Solution: Must not be incorporated.
- InternalServerError-Cannot recover the given signature policy and it's associated commitment.
- Problem: The SignaturePolicyIdentifier field is incorrect or blank.
<etsi:SignaturePolicyIdentifier>
<etsi:SignaturePolicyImplied/>
</etsi:SignaturePolicyIdentifier>
- Solution: The signature policy must be correctly specified in the field
SignaturePolicyIdentifier
instead of leaving it blank.
- invalid:incorrectSignature-Signature pdu is not valid
- Problem: A required attribute is missing,
SigningCertificate
, in advanced signatures.
- Solution: Include attribute
SigningCertificate
in advanced signatures according to FACTURAe requirements.
- Unknown:certificate:PathValidationFails-Certification path could not be validated.Read timed out
- Problem: A timeout error occurred.
- Solution: Retry validation. If the error persists, review the certificate chain and ensure that all intermediate certificates are accessible.
Signature Policy:
Remember that among the validations detailed in the annex of theOrder HAP/1650/2015, in Annex 2.a, it is indicated that it is necessary to verify the current signature policy associated with the "FACTURAe" format. The signature policy for invoices sent to eFACT should be reviewed, taking into account the technical document published in FACTURAe website.
In order to prevent such errors, we recommend thorough testing of electronic signatures before sending, to ensure their compliance with the signature policy standard defined in FACTURAe.