Not sure if others have encountered this but I thought I’d report this since I 
ran into this issue and spent quite a while trying to figure out what’s going 
on. The issue:

The signUsingStax and verifyUsingStax methods from the Example Code (see 
https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L162
 and 
https://github.com/coheigea/testcases/blob/master/apache/santuario/santuario-xml-signature/src/test/java/org/apache/coheigea/santuario/xmlsignature/SignatureUtils.java#L203)
 seem to produce invalid XML signatures by default. Used as is you will get XML 
Signatures that do not include the EnvelopedSignature Transform 
(http://www.w3.org/2000/09/xmldsig#enveloped-signature). 

The code will sign documents but when you verify the signed documents you’ll 
get invalid digest errors like:

org.apache.xml.security.exceptions.XMLSecurityException: Invalid digest of reference #Ge7a73177-7aad-4fe8-bed8-d26ef9cfaeed

To make the code work you’ll need to add the EnvelopedSignature Transform like:

        // Enveloped-signature transform first, then exclusive canonicalization.
        private static final String[] ENVELOPED_SIGNATURE_TRANSFORMS = {
                "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                "http://www.w3.org/2001/10/xml-exc-c14n#"
        };

        // Attach the transforms to every element that is to be signed.
        signatureSpec.getElementsToSign().forEach(qname -> {
                final SecurePart securePart = new SecurePart(qname, SecurePart.Modifier.Content);
                securePart.setTransforms(ENVELOPED_SIGNATURE_TRANSFORMS);
                securityProperties.addSignaturePart(securePart);
        });


Perhaps it would be helpful to include two separate examples, one using stax 
signature verification with an enveloped signature and another one with an 
enveloping signature? 
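
A check for the condition described in this message, as an added example that is not part of the original post or of the Santuario test code: using only the JDK DOM parser, it lists every ds:Reference whose target element contains its own ds:Signature but which lacks the enveloped-signature transform. The class name, the sample document and the assumption that ID attributes are named "Id" are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
public class EnvelopedTransformCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String ENVELOPED = DS + "enveloped-signature";
    // URIs of References that cover their own Signature but lack the enveloped transform.
    static List<String> missingEnvelopedTransform(Document doc) {
        List<String> bad = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            if (coversOwnSignature(ref) && !hasEnveloped(ref)) bad.add(ref.getAttribute("URI"));
        }
        return bad;
    }

    static boolean coversOwnSignature(Element ref) {
        String uri = ref.getAttribute("URI");
        if (!uri.startsWith("#")) return uri.isEmpty(); // "" = whole document; others are external
        boolean aboveSignature = false;
        for (Node n = ref.getParentNode(); n instanceof Element; n = n.getParentNode()) {
            Element e = (Element) n;
            // Assumption: ID attributes are named "Id"; no schema is loaded to type them.
            if (aboveSignature && uri.substring(1).equals(e.getAttribute("Id"))) return true;
            aboveSignature |= DS.equals(e.getNamespaceURI()) && "Signature".equals(e.getLocalName());
        }
        return false;
    }

    static boolean hasEnveloped(Element ref) {
        NodeList ts = ref.getElementsByTagNameNS(DS, "Transform");
        for (int i = 0; i < ts.getLength(); i++)
            if (ENVELOPED.equals(((Element) ts.item(i)).getAttribute("Algorithm"))) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the Signature sits inside the element its Reference points at.
        String xml = "<Order Id='G1'><ds:Signature xmlns:ds='" + DS + "'><ds:SignedInfo>"
            + "<ds:Reference URI='#G1'><ds:Transforms><ds:Transform "
            + "Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/></ds:Transforms>"
            + "</ds:Reference></ds:SignedInfo></ds:Signature></Order>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("Missing enveloped-signature: " + missingEnvelopedTransform(doc));
    }
}
```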
