How do you timestamp a sha256 certificate with a sha256 signature to secure Excel VBA Macro code in Excel 2013?
Problem description

This quote was taken from an answer to another question about Excel Security settings. The answer proposed using a digital certificate to sign macros to resolve the security issue. Towards the end of the answer, it was noted that: "When you digitally sign macros, it is important to obtain a time stamp. . ."

This is tricky in Office 2013, for a variety of reasons. First, there are two different ways to attach a signature to a spreadsheet. They are known as visible and invisible signatures. The visible signatures can be applied to the whole document using the File > Protect Workbook > Add a digital signature commands. To apply an invisible one to the VBA code alone, from the VBA editor, use the Tools > Digital Signature commands, then choose a certificate to sign with.

It would be preferable to simply protect the VBA code and not the entire spreadsheet, because as soon as you run the macro, the code writes its output into the spreadsheet, and since it's a protected workbook, the code errors out and comes to a halt. This workbook was designed as a demonstration and was saved with a read-only recommendation and requires a password to modify it. We want the user to be able to have the macro write to the spreadsheet, but not to save the file with changes under the same name. Since applying a digital signature to the VBA only protects the VBA, when it writes to the spreadsheet, there is no error.

The problem is obtaining a timestamp on the certificate protecting the VBA.

There is a bewildering array of registry and group policy settings that affect timestamping, and it's quite unclear which settings are required to obtain a sha256 timestamp on my sha256 certificate when used to only protect the VBA. I've tried everything available that looks as though it could affect timestamping, without joy.

While I've been able to sign spreadsheets and get that signature timestamped using the newer Office XAdES counter signature, the certificate used to sign the VBA project is not timestamped itself.

Entries in the following registry key are required:
HKCU\Software\Microsoft\Office\15.0\Common\Signatures

I believe the following values in the key only affect timestamping the whole workbook XAdES signature.

MinXAdESLevel DWORD 2
TSALocation http://timestamp.comodoca.com/rfc3161
XAdESLevel DWORD 5

From experimenting, I have found that it was possible to get the cert protecting the VBA countersigned with a timestamp by using the following registry entries:

HKCU\Software\Microsoft\VBA\Security:
TimeStampURL http://timestamp.comodoca.com/rfc3161
TimeStampRetryCount DWORD 2
TimeStampRetryDelay DWORD 5

Unfortunately, I was only able to obtain a SHA1 timestamp when doing it this way. Soon, that will be like having no timestamp at all on Windows 10.

Does anyone know how to get a SHA256 timestamp in this situation?

Solution

By default, Office does not use a timestamping service when signing or validating code. Using a timestamping service usually takes more time than the default digital signing process. To use a timestamping service, Office needs to communicate with a certificate authority's timestamp server over the Internet to complete the action. You cannot timestamp a digital signature unless you are connected to the Internet.

There is no built-in Office user interface to use this option. To have Office use a timestamping service with all future digital signatures, you need to set these registry keys. The values should be entered under ONE key. Please use the following instructions:

Create a Security key at the VBA level: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
Add a String value item to the Security key named TimeStampURL with the value set to the time stamp URL below.

The SHA-1 timestamping URL is timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

Add a DWORD value item to the Security key named TimeStampRetryCount with the value data set to '3' (in my case I used 3, but you can pick a different number).
Add a DWORD value item to the Security key named TimeStampRetryDelay with the value data set to '3' (in my case I used 3, but you can pick a different number).

To reduce the likelihood that a malicious user can derive a digital certificate's private key from its public key, a commercially obtained digital certificate expires after one year. Office will not allow you to use an expired certificate to sign macros, and will also warn the end user when a digital signature for a file has expired. The end user will see a warning in the usual Digital Signature security warning, which indicates that the certificate is no longer trustworthy. The user can determine if the certificate has expired by looking in the Details dialog box for the certificate.

To prevent you from having to resign your software and Visual Basic for Applications projects every time your certificate expires, some commercial certificate authorities provide a timestamping service. If you use a timestamping service when signing code, a hash of your code is sent to a server to record a timestamp for your code. When using a timestamping service, a user's software can distinguish between code signed with an expired certificate that should not be trusted, and code that was signed with a certificate that was valid at the time the code was signed, but which has subsequently expired.
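The registry entries that the question tried and that the answer prescribes (a TimeStampURL string plus the TimeStampRetryCount and TimeStampRetryDelay DWORDs, all under the same VBA\Security key) are easy to get subtly wrong by hand, for example the stray space in "http:/ /" that appears in the question's transcription. The following PowerShell script is an added example, not code from the question, the answer, or Microsoft: it creates the key if needed, writes the three values with the correct types, and reads them back so a typo is caught before you sign. The default URL is the SHA-256 RFC 3161 endpoint the answer lists; substitute your CA's current RFC 3161 endpoint if that one has moved. Run it as the user who will be signing, since the key lives under HKCU.

```powershell
# Added example (not from the original Q&A): configure the per-user registry
# values so that the VBA editor's Tools > Digital Signature requests an
# RFC 3161 timestamp when signing a VBA project.
# Assumption: the default URL is the SHA-256 RFC 3161 endpoint named in the
# answer; pass -TimeStampUrl to use your CA's current endpoint instead.
param(
    [string]$TimeStampUrl = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
    [int]$RetryCount = 3,
    [int]$RetryDelay = 3
)

$keyPath = 'HKCU:\Software\Microsoft\VBA\Security'

# Reject a malformed URL up front (whitespace, wrong scheme) rather than
# discovering it as a silent "no timestamp" after signing.
$uri = $null
if (-not [uri]::TryCreate($TimeStampUrl, [UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -notin @('http', 'https') -or
    $TimeStampUrl -match '\s') {
    throw "TimeStampURL is not a well-formed http(s) URL: '$TimeStampUrl'"
}

# The Security key is not present by default; create it if missing.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_SZ for the URL, REG_DWORD for the retry values, all under ONE key
# as the answer stresses. -Force overwrites values left from earlier attempts.
New-ItemProperty -Path $keyPath -Name 'TimeStampURL'        -PropertyType String -Value $TimeStampUrl -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'TimeStampRetryCount' -PropertyType DWord  -Value $RetryCount   -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'TimeStampRetryDelay' -PropertyType DWord  -Value $RetryDelay   -Force | Out-Null

# Read everything back and fail loudly if what was written differs from what
# was requested (for example if a Group Policy is rewriting the key).
$props = Get-ItemProperty -Path $keyPath
if ($props.TimeStampURL -ne $TimeStampUrl -or
    [int]$props.TimeStampRetryCount -ne $RetryCount -or
    [int]$props.TimeStampRetryDelay -ne $RetryDelay) {
    throw "Values under $keyPath do not match the requested settings; check for policy overrides."
}

# Summary of the effective configuration for the signing user.
[pscustomobject]@{
    Key                 = $keyPath
    TimeStampURL        = $props.TimeStampURL
    TimeStampRetryCount = [int]$props.TimeStampRetryCount
    TimeStampRetryDelay = [int]$props.TimeStampRetryDelay
}
```

After running it, close and reopen Excel before signing the VBA project, then re-sign and inspect the signature details to confirm a countersignature timestamp is present; the script only configures the request, it cannot verify which hash algorithm the TSA actually used in its response.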
