I'm searching for outside assistance in fixing an issue I have verifying an XML Signature while using the Apache Santuario Java library, version 1.4.6. I've got a client/server solution in which the client signs a DOM document before delivering the document to the server. I apply the signature to the document like so:

public static void applySignature(X509Certificate cert, PrivateKey privateKey, Document doc)
{
    try
    {
        XMLSignature sig = new XMLSignature(doc, 
                                            "", 
                                            XMLSignature.ALGO_ID_SIGNATURE_RSA);

        sig.addResourceResolver(new XmlSignatureResolver());
        doc.getDocumentElement().appendChild(sig.getElement());

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);

        sig.addDocument("", transforms, Constants.ALGO_ID_DIGEST_SHA1);

        sig.addKeyInfo(cert);
        sig.addKeyInfo(cert.getPublicKey());

        sig.sign(privateKey);
    }
    catch (XMLSecurityException e)
    {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}

I verify the signature as follows:

public static boolean verifySignature(X509Certificate cert, Document doc)
{
    boolean validSignature = false;

    try
    {
        Element nscontext = createDSctx(doc, "ds", Constants.SignatureSpecNS); 

        // Remove any attributes of Signed Info
        Node signInfoNode = XPathAPI.selectSingleNode(doc, "//ds:SignedInfo", nscontext);

        int numAttributes = signInfoNode.getAttributes().getLength();
        if (numAttributes > 0)
        {
            for (int i = 0; i < numAttributes; i++)
            {
                String attrName = signInfoNode.getAttributes().item(0).getNodeName();
                signInfoNode.getAttributes().removeNamedItem(attrName);
            }    
        }

        Element sigElement = 
            (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature", nscontext); 
        XMLSignature signature = new XMLSignature(sigElement, "");

        signature.setFollowNestedManifests(true); 
        signature.addResourceResolver(new XmlSignatureResolver());

        validSignature = signature.checkSignatureValue(cert);

        //  Remove the signature
        sigElement.getParentNode().removeChild(sigElement);            
    }
    catch (XMLSignatureException e)
    {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    catch (XMLSecurityException e)
    {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    catch (TransformerException e)
    {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

    return validSignature;
}

The issue I have is that when I verify the signature on the server (it creates the customer basically verify immediately after using the signature), I receive the following warning:

2011-11-12 18:30:27 Reference [WARN] Verification unsuccessful for URI ""
2011-11-12 18:30:27 Reference [WARN] Expected Digest: EEl+J/jsY8Im2rgjsozBXRxkQjQ=
2011-11-12 18:30:27 Reference [WARN] Actual Digest: Y7C0HCjugZbegkZT4E8A7Bd4qm0=

Just help,
Ernie Burlison

=============

The code I personally use to transmit the DOM from the client to the server is:

                // Use a Transformer for output
                TransformerFactory tFactory = TransformerFactory.newInstance();
                Transformer transformer = tFactory.newTransformer();
                transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
                transformer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
                transformer.setOutputProperty(OutputKeys.INDENT, "no");

                DOMSource source = new DOMSource(doc);
                StreamResult result = new StreamResult(m_SenderOutput);

                m_Logger.debug("Transforming...");
                transformer.transform(source, result);   
                m_SenderOutput.flush();
                m_Logger.debug("Transform complete...");
                m_ClientSocket.shutdownOutput();

The code that reads the DOM on the server side is:

                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                dbf.setNamespaceAware(true);
                DocumentBuilder db = dbf.newDocumentBuilder();

                m_Logger.debug("Parsing Document");
                Document doc = db.parse(m_SenderInput);
                m_Logger.debug("Received DOM");   

The DOM prior to applying the signature is similar to the following (information is encoded before the signature is applied):

<?xml version="1.0" encoding="UTF-8"?><SmMessageSet xmlns="urn:ccsds:recommendation:service_management:schema:sccs:R1.0" xmlns:ns2="urn:ccsds:recommendation:navigation:schema:ndmxml:R1.5"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>VosyFTcuAkzo6WPPLnnM2Nka+gpyD9r2cNy3fbSX8RjGg5dKktK9SGZAar5t3ci2mU6Nw9Ski2Td
g1WNei+kgns6vFET5Ff8m5/VIO24sBz30DPO5cAwfLax0slTjZWDRu7XXs/ORSK2PrB8B8qaO+me
W5iPLXjkkL4LnLwZfIvCSdG3JJoOTUhR6CstquTejRBLvTdvry8jB2RncjpV244eng7Bmk7HWcNd
Mz20DujfX14MTyKAQcVAgUhM9MpisveiDRdKYtXWCkma2NcUhpxqzjyPtyJtHVJQfaPZ2kla2NQV
DcMPUvmM+V0Y3kI5NBZq1vlIAg1i5JsZRniB+Q==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>8UCDr2ZzDvD5JczkPU7UnxRYBdxs6ZgL5s2ksHyn/FZvBVSwYh6o/Rnx41fnN6uygcylW++zoxSq...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></SmMessageSet>

The XML is similar after applySignature and after the SignedInfo is modified within the verifySignature method. The issue seems to be with the SignedInfo: after I send the document over the socket, somehow the transformation that happens during verification is adding 46 bytes, leading the check to fail.

I'm unsure where this is really originating from. Anybody have ideas?
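
A way to narrow down where the extra bytes described above come from, as an added example that is not part of the original post: it canonicalizes a document before and after the same Transformer/DocumentBuilder round trip the post uses and reports the first byte at which the two canonical forms differ. It assumes Santuario 1.4.x, where `Canonicalizer.canonicalizeSubtree(Node)` returns a `byte[]`; the class name, the in-memory buffer standing in for the socket, and the sample document are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.c14n.Canonicalizer;
import org.w3c.dom.Document;

public class C14nRoundTripCheck {
    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // same setting as the server-side parser in the post
        return dbf.newDocumentBuilder();
    }
    // Canonical octets of the document element, using the C14N variant the signing code requests.
    static byte[] c14n(Document doc) throws Exception {
        return Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS)
                            .canonicalizeSubtree(doc.getDocumentElement());
    }
    // Serialize and re-parse with the output properties shown in the post (byte buffer instead of socket).
    static Document roundTrip(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
        t.setOutputProperty(OutputKeys.ENCODING, "utf-8");
        t.setOutputProperty(OutputKeys.INDENT, "no");
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        t.transform(new DOMSource(doc), new StreamResult(wire));
        return builder().parse(new ByteArrayInputStream(wire.toByteArray()));
    }
    // Index of the first differing byte, or -1 when both arrays are identical.
    static int firstDifference(byte[] a, byte[] b) {
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) if (a[i] != b[i]) return i;
        return a.length == b.length ? -1 : n;
    }
    public static void main(String[] args) throws Exception {
        org.apache.xml.security.Init.init(); // Santuario must be initialised before use
        Document doc = builder().newDocument(); // constructed sample; substitute the signed client-side Document
        doc.appendChild(doc.createElementNS("urn:example:constructed", "Msg")).setTextContent("payload");
        byte[] before = c14n(doc), after = c14n(roundTrip(doc));
        int at = firstDifference(before, after);
        System.out.println("before=" + before.length + " after=" + after.length + " firstDiff=" + at);
        if (at >= 0) System.out.println("after, from diff: " + new String(after, at, Math.min(80, after.length - at), "UTF-8"));
    }
}
```

Run against the signed document just before it is written to the socket, the reported offset shows which part of the canonical form the serializer and parser changed.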