Agile encryption with certificates

  • Question

  • Hi,

    I have successfully implemented a password-based agile encryption for Apache POI (#55818 [1]) and now try to find out how the certificate-based encryption works. Based on the MS-OFFCRYPTO [2] entry, I've created the necessary x509/encryptedKey/verifier entries with a self-signed certificate. I thought that if I import the self-signed certificate into the private key and CA area of the Windows certificate store it might be possible to open the file without password input ... but of course it didn't work ...

    So now I basically try to find a way to somehow validate my implementation, either by opening my generated file in Office or by creating a file via Office and checking my file against it ... and on my way, I have a few things to check:

    1. On my private PC, I have only a MS Word/Excel/... Viewer installation available:

    • is it possible to open certificate-based encrypted files with them, i.e. without entering the password?

    2. On my project PC, I have an Office 2010 enterprise installation - when I try to create a file (e.g. a Word doc) with a restricted user list [3] - it says something about an unsupported environment. The error message seems to be connected with the absence of an RMS client:

    • is the "restrict permission" option the right way to add certificates?
    • is certificate encryption supported out of the box? or ...
    • ... do I need something like an RMS client/infrastructure? (... I would prefer not to install something which seems to be a DRM environment on a laptop I don't own ...)
    • are there any Office GPOs [4], which might limit the usage of certificates?

    3. In a different question [5] you state that the ms-offcrypto docs are not accompanied by sample files, but maybe you have some in a different "folder"? ;) ...

    4. is it possible to provide you with a sample file (like in yet another question [6]) to see, if it is according to the specs? (in this case, either we use my self-signed cert. or you provide a public cert)

    Thank you for your support.

    Best wishes,

    Sorry, HTML links don't work for unverified users ...:

    [3] (look at Figure M)

    Wednesday, December 18, 2013 1:42 AM


All replies

  • Hi Kiwi-Wings, thank you for your question. A member of the protocol documentation team will respond to you soon.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Wednesday, December 18, 2013 4:08 PM
  • Hi Josh,

    Are there any updates on this issue?

    An encrypted test file + a test certificate (private & public key) + a test password would be really good to start with.


    Tuesday, March 4, 2014 11:57 PM
  • Hi Kiwi-Wings, I apologize for the lack of response until now. I will try to address each of your issues.


    Questions 1 and 2:

    These questions would be better asked in a forum that supports the Office products and developer issues such as General Office Development or Office 2010 - IT Pro General Discussions.


    Question 3:

    We do not provide sample files. However, the MS-OFFCRYPTO Examples project on CodePlex could have something that might be able to help you.


    Question 4:

    We do not provide file or implementation validation. However, tools such as BFF Validator or OffVis can be used for basic binary file format validation, though I don't know what level of support they have for encrypted files.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Wednesday, March 5, 2014 8:50 PM