We tried an interop test (against our product) with a length of 91 and it failed. The bug seems to be that xmlsec rounds down to the nearest bytecount? if(content != NULL) { res = atoi((char*)content) / 8; The fix looks a little tricky, since changing "digestSize" from bytes to bits would be pretty pervasive. Perhaps adding a "outputBits" field which, if non-zero, is used as a mask? /r$