There are also signature exploits that leverage this sort of thing if the caller doesn't realize that nothing came back and was added to the digest. That's more of an issue with c14n, but...

This seems to be the same issue we have been wondering about in our project. We are also using WSS4J for signing attachments and see the warning in logs. We have org.apache.santuario:xmlsec:4.0.4 and org.apache.wss4j:wss4j-ws-security-dom:4.0.1.

Let me elaborate a bit on what is happening: org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform does the transformation, writes to output stream and returns null. Then org.apache.jcp.xml.dsig.internal.dom.DOMReference#transform logs the warning because the transformation returned null. I find that behaviour strange because the javadoc of javax.xml.crypto.dsig.Transform#transform(javax.xml.crypto.Data, javax.xml.crypto.XMLCryptoContext, java.io.OutputStream) says:

Returns: the transformed data (or null if the data was written to the OutputStream parameter)

Is there anything we can do differently to avoid the warning or is it, as coheigea suggests, a valid use-case where the WARNING logged by santuario is inappropriate?

This log message was added by me in e58c7e6.

I think it was possibly misplaced. I'm fine with changing it to debug for now, and when I have more time I can figure out if it is necessary or should be moved to a different place.