LlosLab Software Development BlogEngineering notes for PDF, Delphi, and document software developers.

Article technique

HotXLS Component: XLSX AES-protected output in Delphi

HotXLS Component

Cet article français présente HotXLS Component: XLSX AES-protected output in Delphi pour les équipes qui construisent des solutions avec Delphi, C++Builder, Lazarus/FPC et les composants losLab

L'accent est mis sur les choix pratiques, les pièges et les points de contrôle afin que la solution reste fiable en production

Décisions d'architecture

Separate workbook protection from file encryption. password generation, delivery, rotation, escrow, and retry policy / difference between workbook structure protection, sheet protection, and file encryption

  • password generation, delivery, rotation, escrow, and retry policy
  • difference between workbook structure protection, sheet protection, and file encryption
  • supported target applications and whether encrypted input reading is part of scope
  • temporary file and support-bundle handling for protected workbooks

Parcours d'implémentation

Create protected output from a named security profile. The order below keeps the workflow reviewable for Delphi and C++Builder teams.

  1. generate the workbook content and validate it before applying file encryption
  2. select the AES protection profile and obtain the password through approved code paths
  3. save the protected XLSX to a controlled temporary destination
  4. test open behavior with target Excel versions or downstream consumers
  5. log security profile identifiers without logging secrets

Preuves de validation

Protection evidence for delivery and support. Keep these fields with the output or support record.

  • security profile, output format, protection mode, target viewer test, and output hash
  • password delivery channel identifier without password value
  • temporary path, cleanup result, and retention rule
  • viewer compatibility result and operator-facing failure reason

Password-protected XLSX still needs workflow policy

AES-protected output is a delivery decision. The application should know how passwords are generated, transmitted, rotated, and never logged; it should also verify that target viewers can open the result.

Notes d'implémentation en production

Traitez HotXLS Component: XLSX AES-protected output in Delphi comme un contrat de service explicite autour des appels HotXLS, en séparant validation d'entrée, écriture du classeur, contrôle de sortie et preuves de support

  • Définir la source de données, les plages de cellules et le format de sortie avant de créer le classeur
  • Consigner le nombre de lignes, les feuilles, les avertissements et le chemin de sortie dans une trace relisible
  • Encapsuler les détails applicatifs dans des helpers testables plutôt que dans des événements UI
  • Rouvrir ou inspecter le fichier enregistré avant livraison à un autre système ou au client

Défaillances à répéter en test

  • Un SaveAs réussi ne prouve pas que le contrat métier est respecté
  • Polices, droits et paramètres régionaux peuvent différer entre serveur et poste de développement
  • Les journaux ne doivent exposer ni mots de passe, ni données client, ni liens internes

Exemple Delphi détaillé

L'exemple Delphi suivant montre une frontière de service pratique pour ce sujet, avec politiques, journalisation et validation dans une couche testable

procedure SaveProtectedXlsxReport(const OutputFile, Password: string; const Rows: TArray<TSecureRow>);
var
  Wb: TXLSXWorkbook;
  Sh: IXLSWorksheet;
  RowIndex: Integer;
  Row: TSecureRow;
  Policy: TEncryptionPolicy;
begin
  RequireStrongWorkbookPassword(Password);
  Policy := BuildEncryptionPolicy('customer-delivery', 256);
  Wb := TXLSXWorkbook.Create;
  try
    Sh := Wb.Sheets[0];
    Sh.Name := 'Secure Export';
    WriteHeaderRow(Sh, ['RecordId', 'Owner', 'Amount', 'Status']);

    RowIndex := 2;
    for Row in Rows do
    begin
      Sh.Range['A' + IntToStr(RowIndex)].Value := Row.RecordId;
      Sh.Range['B' + IntToStr(RowIndex)].Value := Row.Owner;
      Sh.Range['C' + IntToStr(RowIndex)].Value := Row.Amount;
      Sh.Range['D' + IntToStr(RowIndex)].Value := Row.Status;
      Inc(RowIndex);
    end;

    WriteEncryptionAuditSheet(Wb, Policy, RowIndex - 2);
    SaveAsEncryptedWorkbook(Wb, OutputFile, Password, Policy);
    VerifyEncryptedWorkbookCanOpen(OutputFile, Password);
    RegisterSecureDelivery(OutputFile, Policy);
  finally
    Wb.Free;
  end;
end;

Liste de mise en production

  • Run the workflow on an empty workbook, a normal customer workbook, and a worst-case workbook
  • Open the output with the target spreadsheet application or downstream importer
  • Log product version, template version, profile, row count, output path, elapsed time, and warning count
  • Keep passwords, temporary files, customer data, and support bundles under explicit retention rules
  • Add regression workbooks when a customer file exposes a new edge case

Product documentation

HotXLS Component

Exemples de code supplémentaires

var
  Book: TXLSXWorkbook;
begin
  Book := TXLSXWorkbook.Create;
  try
    if Book.CanReadEncrypted(FileName) then
    begin
      // Encrypted container: HotXLS cannot decrypt it.
      Writeln(FileName + ': needs manual decryption in Excel first');
      Exit;
    end;
    try
      Book.OpenEncrypted(FileName, '');   // plain files fall through to Open
      Writeln(FileName + ': opened, ' + IntToStr(Book.Sheets.Count) + ' sheet(s)');
    except
      on EXlsxEncryptionNotImplemented do
        Writeln(FileName + ': encrypted - routed to manual queue');
    end;
  finally
    Book.Free;
  end;
end;
var
  Writer, Reader: IXLSWorkbook;   // interface refs: no manual Free
begin
  Writer := TXLSWorkbook.Create;
  Writer.Sheets.Add.Cells.Item[1, 1].Value := 'Confidential';
  Writer.EncryptionPassword := 'S3cret!';
  Writer.SaveAs('confidential.xls');

  Reader := TXLSWorkbook.Create;
  if Reader.Open('confidential.xls', 'S3cret!') > 0 then
    Writeln(Reader.Sheets[1].Cells.Item[1, 1].Value);  // Entries are 1-based
end;