I have a similar problem:
Client sent "demo" XML files... certificate OK, Public Key OK, Verified to Digest with 3021300906052b0e03021a05000414 and 20 bytes which MUST BE WHAT WAS SIGNED
BUT the digest value is NOT equal to the "Verified" digest, and I can't make a digest equal to either - some fiddle-de-dee has been going on
I also use org.apache.xml.security.c14n.Canonicalizer .... Now I can only hope the client can provide me with the exact byte array he used to get the digest.
Unfortunately we are in an adversarial situation, the client has an interest in seeing us fail (it's a long story!) so I'm not holding my breath.
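One way to run the comparison the post describes, as an added example that is not the poster's code: it strips the SHA-1 DigestInfo header quoted above from the block recovered with the public key and reports which candidate byte arrays hash to the remaining 20 bytes. The SignedInfo serializations, the recovered block and all function names are constructed for illustration.

```python
import hashlib

# DER DigestInfo header for SHA-1: the 15 bytes quoted in the post.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def signed_hash(recovered: bytes) -> bytes:
    """Return the 20-byte SHA-1 value from a bare DigestInfo or a full
    EMSA-PKCS1-v1_5 block (00 01 FF.. 00 DigestInfo); the leading 00 may be absent."""
    block = recovered.lstrip(b"\x00")
    if block[:1] == b"\x01":
        pad_end = block.find(b"\x00", 1)
        if pad_end < 9 or block[1:pad_end] != b"\xff" * (pad_end - 1):
            raise ValueError("malformed PKCS#1 v1.5 padding")
        block = block[pad_end + 1:]
    if len(block) != len(SHA1_PREFIX) + 20 or not block.startswith(SHA1_PREFIX):
        raise ValueError("not a SHA-1 DigestInfo")
    return block[len(SHA1_PREFIX):]

def matching_candidates(recovered: bytes, candidates: dict) -> list:
    """Names of the candidate byte arrays whose SHA-1 equals the signed hash."""
    target = signed_hash(recovered)
    return [n for n, data in candidates.items() if hashlib.sha1(data).digest() == target]

# Constructed sample: one SignedInfo serialized three ways (not data from the post).
NS = b' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
INNER = b'\n<ds:Reference URI=""><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>\n'
CANONICAL = b"<ds:SignedInfo" + NS + b">" + INNER + b"</ds:SignedInfo>"
CANDIDATES = {
    # Bytes cut straight from the file, namespace declared on an ancestor element.
    "as written in file": b"<ds:SignedInfo>" + INNER + b"</ds:SignedInfo>",
    # Inclusive C14N emits the in-scope xmlns:ds on the apex element.
    "canonical": CANONICAL,
    # Same text with CRLF line ends, which an XML parser would have normalized to LF.
    "canonical with CRLF": CANONICAL.replace(b"\n", b"\r\n"),
}

def demo_block() -> bytes:
    """Constructed 128-byte block, as an RSA-1024 public-key operation would return it."""
    digest = hashlib.sha1(CANDIDATES["canonical"]).digest()
    return b"\x00\x01" + b"\xff" * 90 + b"\x00" + SHA1_PREFIX + digest

if __name__ == "__main__":
    print("signed hash:", signed_hash(demo_block()).hex())
    print("matches:", matching_candidates(demo_block(), CANDIDATES))
```
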