// first check signature value, see
// https://www.isecpartners.com/media/12012/XMLDSIG_Command_Injection.pdf
SignatureValue sigValue = signature.getSignatureValue();
boolean sv = sigValue.validate(valContext);
if (!sv) {
handler.signatureValueValidationFailed(sigValue);
}
// then the references!
// check the validation status of each Reference
for (Reference ref : (List<Reference>) signature.getSignedInfo().getReferences()) {