Java Security

Hi,

I have some problems verifying an XMLSignature. The main problem is that IMHO the signature verifier hashes the wrong data. I get this data by registering my own SHA-1 wrapper-implementation which prints all hashed data to System.out. The result is shown below.
Please take a look onto the hashed data. The expected hash is "nyG5t9UJP4gBVWgmQd8JA0gz+Uc=" but the expected hash is part of the data being hashed (see line starting with "<Signature>")!
This would only be possible if we had a hash collision - really strange...
Is there anbody who can explain me that?

*********SHA engineUpdate: BEGIN
<test>
	<elementx a="b">
		<subelement attr="??"></subelement>
	</elementx>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""></InclusiveNamespaces></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>nyG5t9UJP4gBVWgmQd8JA0gz+Uc=</DigestValue></Reference></SignedInfo><SignatureValue>WJj1hsyI1elHNRpAuFbXNZFETJL4HHhOe+VTv/RXQJUnk5w8zIGYITAfpjRBWXBoEXLH0Jfyhiql
VPtQGQI3gK1a4rMwX3tziDkRUknl4jbAymsq+54qF3yOU+XP5bKIDtHucD4KDZtVghApUWZx1p2B
qDO3vBRgYQRTF0BwUEg=</SignatureValue><KeyInfo><X509Data><X509SubjectName>C=DE,ST=Test,L=Test,O=Test,OU=Test,CN=Test</X509SubjectName><X509Certificate>MIICIjCCAYsCBGaf3EowDQYJKoZIhvcNAQEFBQAwWDENMAsGA1UEAxMEVGVzdDENMAsGA1UECxME
VGVzdDENMAsGA1UEChMEVGVzdDENMAsGA1UEBxMEVGVzdDENMAsGA1UECBMEVGVzdDELMAkGA1UE
BhMCREUwHhcNMTAwMjAzMjMwMDAwWhcNMTUwMjAzMjMwMDAwWjBYMQ0wCwYDVQQDEwRUZXN0MQ0w
CwYDVQQLEwRUZXN0MQ0wCwYDVQQKEwRUZXN0MQ0wCwYDVQQHEwRUZXN0MQ0wCwYDVQQIEwRUZXN0
MQswCQYDVQQGEwJERTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApbnKytkrzRR/rbnKqb7t
hV6lXxl3xLCAAWtCGwYC+TONxYKUGEnYeKS2+fa+7AC2CzTPfT4O6Xf1zuV6qZsdrjGM1EcAwVLk
BN53lJcMMavxmWMbNN75pwEKK7+5JWfwV4TAsZ8PwBSZ00ckysLbbPuWrlhfox+KmRampfPzaDcC
AwEAATANBgkqhkiG9w0BAQUFAAOBgQBhvfxRdgKkHRdZDsew/illknlez5z0CzGolRwJRbEjg8Nv
om2YbmwJxsvHiDA02YPL5Se9RmVe9K3jlOTm8lT3SkwX6da26bB7c8pUQ/KI5Hrf4yAaWDypxhj1
xorky/Yv+MnwSZG6+h4p7IGGV+HVoFkkk/FaXE/2tYARygQcMg==</X509Certificate></X509Data></KeyInfo></Signature></test>
*********END
digest: F9M1BR5Vlv1RtNnwvKVD4X99Hj8=
05.02.2010 11:08:10 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Expected digest: nyG5t9UJP4gBVWgmQd8JA0gz+Uc=
05.02.2010 11:08:10 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Actual digest: F9M1BR5Vlv1RtNnwvKVD4X99Hj8=
05.02.2010 11:08:10 org.jcp.xml.dsig.internal.dom.DOMXMLSignature validate
FEIN: Reference[] is valid: false

And this is the Java code for verifying the signature:

Handler handler = new ConsoleHandler();
handler.setLevel(Level.FINEST);
Logger l = Logger.getLogger("org.jcp.xml.dsig.internal.dom");
l.setLevel(Level.FINE);
l.addHandler(handler);

XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
dbf.setXIncludeAware(true);
Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("signed.xml"));

NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,"Signature");
if (nl.getLength() == 0)
  throw new Exception("Cannot find Signature element");

DOMValidateContext valContext = new DOMValidateContext(new X509KeySelector(), nl.item(0));

XMLSignature signature = fac.unmarshalXMLSignature(valContext);
valContext.setProperty("javax.xml.crypto.dsig.cacheReference",Boolean.TRUE);
boolean coreValidity = signature.validate(valContext);
if (coreValidity) {
  System.out.println("Signature passed core validation");
  return;
}
System.out.println("Signature failed core validation");