VBA project signature: Sig vs SigAgile

  • Question

  • Hi,

    I'm writing a utility which will validate the VBA project signature of DOC/DOT files.

    And now I'm stuck.

    According to [MS-DOC], rgxchValues of StwUser may contain Sign and/or SigAgile. What I noticed is that the hash function in Sign is MD5, in SigAgile SHA1.

    My questions are:

    1. Am I right that all combinations are possible: only Sign present, only SigAgile present, both present? If not, what does it depend on?
    2. If both Sign and SigAgile are present, does it mean that I need to check/verify the VBA project signature from both fields?
    3. I need information about SpcIndirectDataContentV2 used in SigAgile. SpcIndirectDataContent (in Sign) simply contains the MD5 hash of the VBA project in the messageDigest field. But SpcIndirectDataContentV2 contains compiledHash and sourceHash fields (see [MS-OSHARED] 2.3.2.4.3.2 SpcIndirectDataContentV2). What are the meanings of compiledHash and sourceHash?

    Thanks, Oleksii

    Monday, November 30, 2015 3:15 PM

Answers

  • Hello Oleksii :

    Kindly find my analysis below for queries #1 and #2 :

    #1 : The ‘SignAgile’ name string was recently introduced in Word 2016 and will be added in files created by Word 2016. We are still adding the ‘Sign’ name string to files created by Word 2016 for backward compatibility. Only the following 2 combinations of ‘SignAgile’ and ‘Sign’ are possible:

    • SignAgile + Sign : In case of Word 2016
    • Sign : In case of Word prior to Word 2016

    #2 : We recommend checking both Signatures (if present) to validate the Integrity of the Project.

    If you observe different behavior from above analysis during your implementation; kindly feel free to let us know.

    PS: I'm still researching your outstanding 3.1 query and will get back at the earliest.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, December 8, 2015 12:29 AM
  • Hello Oleksii :

    Regarding your 3.1 query - We are making a change in the specification to document that compiledHashSize and compiledHashOffset should be set to 0. As a result, in your project you can simply ignore this field as it shouldn't influence any security decisions.

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, December 10, 2015 11:58 PM
  • Hello Oleksii -

    I apologize for the confusion. Your latter understanding is correct. compiledHash will be omitted and is not required to be validated. If present, it just gives us a hint whether to invalidate the internal cache or not. It does not add any value to the security of the VBA project.

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Monday, December 14, 2015 8:00 PM

All replies

  • Hi Oleksii,

    Thank you for your question.  An engineer from the Protocols team will contact you soon.


    [MSFT] Jeff McCashland

    Monday, November 30, 2015 5:46 PM
    Moderator
  • Hello Oleksii :

    I'm researching this for you and will update the thread as I make progress.

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Monday, November 30, 2015 6:10 PM
  • Hello Oleksii :

    Regarding your #3 query, i.e. 'What are the meanings of compiledHash and sourceHash' - Per code review, compiledHash equates to the hash of the compiled VBA project and sourceHash equates to the hash of the source of the VBA project.

    Please let me know if this resolves your #3 query. I'm still researching on #1 and #2.

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, December 2, 2015 5:20 PM
  • Hi, Tarun Chopra.

    Thank you for the answer to my 3rd question. So, sourceHash is calculated according to [MS-OVBA] 2.4.2 Contents Hash. In order to calculate compiledHash I need to get the compiled VBA project from the Office file.

    3.1 Where is the compiled VBA project kept? Is it just one of the streams in the legacy file?

    Thanks, Oleksii

    Thursday, December 3, 2015 10:29 AM
  • Researching and will get back on your 3.1 query as well.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, December 3, 2015 8:02 PM
  • First of all, thank you for your research and detailed answers.

    One little question left.

    Previously you wrote:

    > Per code review, compiledHash equates to the hash of the compiled VBA project
    > ‘SignAgile’ name string is recently introduced in Word 2016 and will be added in files created by Word 2016

    Now you said:

    > We are making a change in the specification to document that compiledHashSize and compiledHashOffset should be set to 0.

    So, in Office 2016 a new feature was introduced: signing the compiled VBA project (compiledHash). And now it is going to be removed?

    Or by saying "We are making a change in the specification to document that compiledHashSize and compiledHashOffset should be set to 0." you actually meant that:

    • while generating signature compiledHash may be omitted;
    • while validating signature I do not need to worry about compiledHash and must check only sourceHash.

    Saturday, December 12, 2015 3:38 PM
  • Hi there,

    I am also working on a project to add agile digital signatures to office documents.
    Is there a way to get the compiled hash for the signature?

    Regards


    Tuesday, September 27, 2016 8:17 PM
  • Hi AlexNbg:

    I have alerted the Open Specifications Team regarding your inquiry. A member of the team will be in touch soon.


    Regards, Obaid Farooqi

    Wednesday, September 28, 2016 5:56 AM
    Owner
  • Hello AlexNbg:

    I believe that you are inquiring about compiledHashOffset and compiledHashSize fields of SigDataV1Serialized specified in MS-OSHARED specification (https://msdn.microsoft.com/en-us/library/office/cc313156(v=office.12).aspx). If so, then we have already updated MS-OSHARED specification that these fields are neither generated by office documents nor required for any computation. As a result, there is no way to get this information.

    Hope this answers your query, if not, please let me know.

    Thanks.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, September 28, 2016 6:42 AM
  • Hello Tarun,

    I think the description of SigDataV1Serialized in the new version of MS-OSHARED is wrong.
    If I set compiledHashOffset and compiledHashSize to 0 and omit the compiledHash, the signature is tampered.

    I have to provide all those values, though I can set the compiledHash to the value of sourceHash (it has to be a valid hash! just setting it to a byte array of zeros yields an invalid signature!).

    So the description in the old version was better. It just lacked an "ignore these fields during the signature check" hint.

    There are also other errors in MS-OSHARED and MS-DOC! The user variable in a binary Word document is called SigAgile, not SignAgile!

    Regards
    Alex



    Wednesday, September 28, 2016 10:53 AM
  • Hello Alex:

    Thank you for bringing this to our attention. Can you please send the file wherein the signature is tampered when compiledHash is set to the empty string, for further analysis? Please send the file to my attention at dochelp@microsoft.com.

    Regarding the Uservariable issue, I'll review and file a documentation issue to get it fixed.

    PS: If you have any additional feedback, apart from these issues, please let us know as it will help in improving our specifications.

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, September 28, 2016 4:15 PM
  • Hello Alex:

    We had a discussion internally and believe that we are wrong in documenting that compiledHashOffset should be 0. compiledHashOffset has to point to a valid location, hence it has to be a non-zero value; however, compiledHashSize and compiledHash can be 0. Can you try that out and let us know if it works, and accordingly we will get the specification updated?

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, September 28, 2016 10:14 PM
  • Hello,

    I've made several tests.

    • compiledHashSize can be 0
    • compiledHash can be omitted
    • compiledHashOffset has to be greater than algorithmIdSize + algorithmIdOffset, so compiledHashOffset = sourceHashOffset works. Values < algorithmIdSize + algorithmIdOffset produce invalid signatures

    Office does not include the compiledHash in a verification.

    Do You still need the files?

    Btw. I wonder why You as MS cannot do all those tests on your own. You have all the original sources (so I hope ;-))

    I could use some help with other issues. I am trying to build the correct hash for an Access db. My problem is: Access does not use the algorithm described in MS-OVBA. It adds something to this hash if there are Access macros within the db. Can you tell me how the right hash is built for an Access mdb?

    Regards
    Alex


    Thursday, September 29, 2016 9:01 AM
  • Hello Alex:

    As compiledHash is null and compiledHashSize is 0, we expect compiledHashOffset to coincide with sourceHashOffset, as there is no data to read between compiledHash and sourceHash due to the serial nature of the structure. I believe that your test validates our understanding and earlier response. If not, please let me know.

    @SigAgile - I've verified and filed a documentation issue to get specification updated with the information you shared.

    @Access - Microsoft Access is not covered by our specifications, hence I'd request you to please post your query here: https://social.msdn.microsoft.com/Forums/office/en-US/home?forum=accessdev to get further assistance.

    For any other query related to open specification, please feel free to reach us by opening a new thread/post on our forum and we will be happy to assist !!

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Friday, September 30, 2016 12:12 AM
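    An added defender-side example, not code from the thread, from Microsoft or from the specifications, that applies what the thread concluded: compare only sourceHash, parse but never trust compiledHash, reject a compiledHashOffset that falls before algorithmIdOffset + algorithmIdSize (Alex's test result, confirmed above), and flag Sign/SigAgile combinations the accepted answer says Office never produces. The 6 x uint32 header followed by algorithmId, compiledHash and sourceHash is an assumed simplified model, not the normative layout of [MS-OSHARED] 2.3.2.4.3.1, and the [MS-OVBA] 2.4.2 Contents Hash is taken as a precomputed input.

```python
import hashlib
import hmac
import struct

# Assumed simplified layout: three uint32 sizes, three uint32 offsets, then the three payloads.
HEADER = struct.Struct("<6I")

def build_sigdata(algorithm_id: bytes, source_hash: bytes, compiled_hash: bytes = b"") -> bytes:
    """Serialise fields back to back; with compiled_hash empty, compiledHashOffset
    coincides with sourceHashOffset, the shape Alex's tests found acceptable."""
    alg_off = HEADER.size
    comp_off = alg_off + len(algorithm_id)
    src_off = comp_off + len(compiled_hash)
    header = HEADER.pack(len(algorithm_id), len(compiled_hash), len(source_hash),
                         alg_off, comp_off, src_off)
    return header + algorithm_id + compiled_hash + source_hash

def parse_sigdata(blob: bytes) -> dict:
    """Check offset consistency before trusting any hash field."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    alg_sz, comp_sz, src_sz, alg_off, comp_off, src_off = HEADER.unpack_from(blob)
    if alg_off < HEADER.size or alg_off + alg_sz > len(blob):
        raise ValueError("algorithmId out of bounds")
    # Alex's result: compiledHashOffset below algorithmIdOffset + algorithmIdSize is invalid.
    if comp_off < alg_off + alg_sz:
        raise ValueError("compiledHashOffset overlaps algorithmId")
    if src_off < comp_off + comp_sz or src_off + src_sz > len(blob):
        raise ValueError("sourceHash out of bounds")
    return {"algorithm_id": blob[alg_off:alg_off + alg_sz],
            "compiled_hash": blob[comp_off:comp_off + comp_sz],  # parsed, never compared
            "source_hash": blob[src_off:src_off + src_sz]}

def verify_source_hash(blob: bytes, contents_hash: bytes) -> bool:
    """Only sourceHash carries security weight; compiledHash is a cache hint and is ignored."""
    return hmac.compare_digest(parse_sigdata(blob)["source_hash"], contents_hash)

def classify_sign_fields(present: set) -> str:
    """Thread's rule: 'Sign' alone is pre-2016 Word, 'Sign' + 'SigAgile' is Word 2016."""
    if present == {"Sign"}:
        return "pre-2016"
    if present == {"Sign", "SigAgile"}:
        return "word-2016"
    return "anomalous"  # e.g. SigAgile without Sign: not a combination Office produces

# Constructed sample: stand-in for the [MS-OVBA] 2.4.2 Contents Hash of a VBA project,
# and the SHA-1 OID as a constructed algorithmId payload.
SAMPLE_CONTENTS_HASH = hashlib.sha1(b"constructed VBA project bytes").digest()
SAMPLE_BLOB = build_sigdata(b"1.3.14.3.2.26", SAMPLE_CONTENTS_HASH)
```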
  • Hello!

    Is there a documentation of the Visio-Format (vsd File) and/or of the Publisher-Format (pub File) available?

    As for the Publisher files: I can read the VBA code and I see the digital certificates in the Contents stream, but I just need to know how the Contents stream is built.

    Regards

    Alex

    Wednesday, October 5, 2016 1:36 PM
  • Hello Alex

    The Visio/Publisher file format is not covered by the Open Specifications documentation set. Visio format is packaged in the same way, using the OPC format, as the other Office Open XML file formats (.docx, .xlsx, and .pptx) which is described in ISO/IEC 29500-2. However, documentation for the .vsdx file format is provided under the Office Development -> Office Clients -> Visio node of MSDN.

    I believe that your best bet for receiving support for that would be one of the Office Developer forums.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, October 5, 2016 5:27 PM