Different XML signature between Apache Santuario and Java XML Digital Signature API

Question

I did two implementations that should do the same thing: sign a XML file with a given X509 certificate.

• The first one I did with the native Java XML Digital Signature API (from javax.xml.crypto.dsi).
• The second one I have implemented in Kotlin (my objective is to run it in Android), using the Apache Santuario XML Security version 2.0.3.

What happened is that, for exactly the same XML file to be signed, it generates different values for SignatureValue. But all the other properties of the XML are exactly the same:

• The DigestValue are the same, which evidences that the files are identical.
• The KeyInfo/X509Data/X509Certificate are equals, so the certificate is for sure the same.
• The CanonicalizationMethod, SignatureMethod, DigestMethod and Transform algorithms are exactly the same.

I tried even for small XML (e.g. only a <x/> tag), but the SignatureValue never matches.

Is there any case that all the data from the <Signature> tag matches, except for the SignatureValue?

Answer 1

I've found the solution. It happened because Apache Santuario adds line break in the signature tag. So that the <SignedInfo> tag have different contents if comparing between the one generated by Apache and the one generated from Java XML signature.

To fix that, I have put the following line of code before signing.

System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true")