Question

I'm quite confused about the references and transforms of XML Signature.

While doing same-document referencing, is there any legal URI except "" and "#objectid"?

and

While signing an enveloped signature, after dereferencing, should the C14N be applied first or the enveloped transform? (Although it seems to make no difference.)

Thank you


Solution

For same-document references, legal URIs are also defined by the XPointer framework, so it is possible that there are other URIs than the typical ones you mentioned.

The "Enveloped" transform is a transform whose input is a node set and which also produces a node set. The input node set is given implicitly by dereferencing the URI attribute and the result will be another node set where the signature element that contains the transform is removed.

In order to be able to compute the message digest needed for computing the signature value, the node set will have to be transformed to "octet-stream" first. This is what C14N does. You either apply an explicitly stated C14N transform or, if none was specified, you apply an implicit C14N 1.0 transform (see XML Signature Syntax and Processing Version 1.1):

If the result of the URI dereference and application of Transforms is an XPath node-set (or sufficiently functional replacement implemented by the application) then it must be converted as described in section 4.4.3.2 The Reference Processing Model.

and

If the data object is a node-set and the next transform requires octets, the signature application must attempt to convert the node-set to an octet stream using Canonical XML [XML-C14N].

It is also important to apply the transforms in the same order as they appear in the document; it may very well yield wrong results if you apply them in an arbitrary order.
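The reference processing the answer describes, as an added example that is not part of the original post: dereference a same-document URI ("" or "#Id"), apply the Transforms in document order (enveloped-signature removes the Signature element from the node set, C14N turns the node set into octets), fall back to implicit C14N when none was listed, then digest. The signed document is constructed; the code relies on Python's stdlib `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 and is assumed to match C14N 1.0 output for a simple document like this one.

```python
import base64
import hashlib
from xml.dom import minidom
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG + "enveloped-signature"
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Constructed sample: an enveloped signature over the whole document (URI="").
SIGNED_DOC = """<?xml version="1.0"?>
<Envelope xmlns="urn:example:envelope" Id="env">
  <Body>Pay 100 to Bob</Body>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
      </Reference>
    </SignedInfo>
  </Signature>
</Envelope>"""


def dereference(doc, uri):
    """Same-document dereference: "" is the whole document, "#id" the element with that Id."""
    if uri == "":
        return doc.documentElement
    if uri.startswith("#"):  # bare-name XPointer, the other typical form
        return [e for e in doc.getElementsByTagName("*") if e.getAttribute("Id") == uri[1:]][0]
    raise ValueError("only same-document URIs are handled: %r" % uri)


def c14n(node):
    # Node set -> octets. Stdlib canonicalize implements C14N 2.0; assumption: for a
    # simple document like this one its output equals C14N 1.0 without comments.
    return ET.canonicalize(node.toxml(), with_comments=False).encode("utf-8")


def process_reference(xml_text):
    """Reference Processing Model: dereference the URI, apply Transforms in document
    order, convert a remaining node set to octets with implicit C14N, then SHA-256."""
    doc = minidom.parseString(xml_text)
    signature = doc.getElementsByTagNameNS(DSIG, "Signature")[0]
    reference = signature.getElementsByTagNameNS(DSIG, "Reference")[0]
    data = dereference(doc, reference.getAttribute("URI"))  # a node set
    for t in reference.getElementsByTagNameNS(DSIG, "Transform"):
        algorithm = t.getAttribute("Algorithm")
        if algorithm == ENVELOPED:
            # Node set in, node set out: drop the Signature that contains this Transform.
            signature.parentNode.removeChild(signature)
        elif algorithm == C14N_10:
            data = c14n(data)  # now octets
        else:
            raise ValueError("unsupported transform: " + algorithm)
    if not isinstance(data, bytes):
        data = c14n(data)  # implicit C14N when no transform produced octets
    return data, base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
```
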

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow