Programmatically Adding Digital Signature

Michael

Is there a VBE method or other way to programmatically update the digital
signature on a Visio drawing VBA project? I have several (>1000) files that
I want to programmatically change using VBE (not VBA--I want to change the VB
projects themselves). They were originally signed by me using a certificate
issued by a trusted root CA. However, the timestamp on that certificate has
now expired so I will lose the certificate when the VBE changes are
programmatically applied. I want to resign those files with a new digital
certificate during the process of making these changes. Can this be done
instead of having to use the Tools->Digital Signature... menu item?

Thanks,

Michael
 
Wei-Dong XU [MSFT]

Hi Michael,

Thanks for using Microsoft newsgroup!

Currently we are researching this issue for you. If we have any idea, we
will post one reply then.

Best Regards,
Wei-Dong XU (WD)
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Wei-Dong XU [MSFT]

Hi Michael,

Based on my research, Office does not provide a way to do this
programmatically, because it would constitute a security hole.

There would actually be two ways to exploit a hypothetical method or
property for digitally signing VBA macros.

1) Malicious code could make a change to VBA code that had been digitally
signed and then resign it with the same signature, so the user would never
know a change had been made. The danger in this should be obvious. (What
if the macro calculates exchange rates, or opens connections to a secure
server?)

2) Malicious code could inject a macro into an Office document using code
like in:

Q219905 - HOWTO: Dynamically Add and Run a VBA Macro from Visual Basic
http://support.microsoft.com/support/kb/articles/q219/9/05.asp
It could then digitally sign that code and distribute it. If the recipient
had trusted the signature, then the macros would run when opened in Office
without any warnings, even if macro security was set to High.

So this functionality is not available from Office products. For your
scenario, you will need to update the certificate manually.

Please feel free to let me know if you have any question.

Best Regards,
Wei-Dong XU (WD)
Microsoft Product Support Services
 
Michael

None of those would be problems if an API were available to perform the
signature that required the password to the private key of the certificate.

Michael
 
Wei-Dong XU [MSFT]

Hi Michael,

The reason why there is no one API for this scenario is due to the crypted
key design in the Office products. Office files contain their VBA macros in
a special structured storage stream within the file. When digitally
signing an Office document, this stream is the only part of the file that
is actually digitally signed. When the document is created, the Office
application creates a stream and gives it to VBA. VBA saves whatever
information it wishes in this stream, digitally signs the bits in the
stream, and then passes the stream back to the application to be saved with
the rest of the file. Whenever the document is opened, VBA checks the
digital signature on the stream against the bits.

In this scenario, the Office application doesn't care what VBA puts into
the structured storage stream, and VBA doesn't care where the application
saves the stream. This allows a great deal of flexibility in designing VBA
hosts, but it makes creating a generic tool that could sign the VBA
structured storage stream impossible. Any tool to do this would have to
know where the application stores the VBA stream within the file, as well
as where the digital signature for that stream is stored (they're not in
the same place). There's no way to do this generically, which is why
Microsoft didn't create a tool.

It would be very difficult for a third-party to create such a tool as well,
since the tool would have to understand the details of the VBA structured
storage stream format and how VBA digitally signs that stream. As
mentioned before, it would also need to know where in the host file to put
the digital signature and how to indicate to the host that the file had
been signed. As I know, Microsoft will not provide one utility for digital
signature in the future.

Greatly appreciate your understanding! Please feel free to let me know if
you have any question.

Best Regards,
Wei-Dong XU (WD)
Microsoft Product Support Services
 
Michael

I'm aware of those things. I am a VC++ developer, not a VB/VBA developer.

It would have to be a VBE object method to add the signature and I don't
really still see why that cannot be done. It would be nice to add that in
the future, especially since everything today must be signed to be of
practical use. Obviously the VBE is knowledgeable of the structured storage
otherwise it would not be able to update other portions when changed. Again,
you could protect that using a method that requires either the password to
the certificate's private key or any other standard technique present in the
Crypto API.

Michael
 
Wei-Dong XU [MSFT]

Hi Michael,

Thank you for the great suggestion! I have forwarded this to our product
feedback team.

Appreciate you once more!

Best Regards,
Wei-Dong XU (WD)
Microsoft Product Support Services
 
Dharmesh

How can I programmatically check if an Excel sheet has been digitally signed ?
 
Wei-Dong XU [MSFT]

Hi Dharmesh,

So far as I know, the validation feature is built in to Excel and hasn't
been exposed at the Automation object model. This limitation is due to the
security consideration that no code should be able to work around the Excel
security checking on the certificate.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.
This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page:
http://support.microsoft.com/default.aspx?scid=/international.aspx.
=====================================================
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
dharmesh

But one should be able to "read" some components of the signature

1. Has it been signed ? yes or No
2. Who signed it ?

This limits automation on signed documents...
 
Wei-Dong XU [MSFT]

Hi Dharmesh,

So far as I know, no such one utility is available. We should use Excel to
verify this.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
 
Jonathan West

dharmesh said:
But one should be able to "read" some components of the signature

1. Has it been signed ? yes or No

The VBASigned property of the WorkBook object will provide the answer to
this question
2. Who signed it ?

As far as I'm aware, that is not made available through the object model.


--
Regards
Jonathan West - Word MVP
www.intelligentdocuments.co.uk
Please reply to the newsgroup
Keep your VBA code safe, sign the ClassicVB petition www.classicvb.org
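As an added illustration of the one thing the thread says the object model does expose, here is a PowerShell script (not from any poster in this thread) that drives Excel through COM automation and reports the Workbook.VBASigned value for every workbook under a folder. The folder path is an assumption to be replaced; Excel must be installed on the machine running it. Macros are forcibly disabled for the automation session so that inspecting a file cannot run any code it contains, and each workbook is opened read-only so nothing is re-saved.

```powershell
# Added example, not code from the thread: list which workbooks carry a
# signed VBA project, using the Workbook.VBASigned property.
# $Root is an assumed path; change it to the folder you want to scan.
param([string]$Root = 'C:\Path\To\Workbooks')

$excel = New-Object -ComObject Excel.Application
$excel.Visible = $false
$excel.DisplayAlerts = $false
# msoAutomationSecurityForceDisable = 3: no macros run while we inspect files
$excel.AutomationSecurity = 3

$results = foreach ($file in Get-ChildItem -Path $Root -Include *.xls, *.xlsm -Recurse -File) {
    $wb = $null
    try {
        # Workbooks.Open(FileName, UpdateLinks, ReadOnly): open read-only, no link updates
        $wb = $excel.Workbooks.Open($file.FullName, 0, $true)
        [pscustomobject]@{
            File      = $file.FullName
            VBASigned = [bool]$wb.VBASigned   # True only if the VBA project is signed
            Error     = $null
        }
    } catch {
        # Password-protected or corrupt files end up here instead of aborting the scan
        [pscustomobject]@{ File = $file.FullName; VBASigned = $null; Error = $_.Exception.Message }
    } finally {
        if ($wb) { $wb.Close($false) }   # $false: discard, never save
    }
}

$excel.Quit()
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($excel)

# Unsigned or unreadable projects are the ones worth a closer look
$results | Sort-Object VBASigned | Format-Table -AutoSize
```

As Jonathan West notes, VBASigned only answers "is it signed"; it says nothing about who signed it or whether the certificate chain is still trusted, so a True result is an inventory fact rather than a trust decision.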
 
