LlosLab Software Development BlogEngineering notes for PDF, Delphi, and document software developers.

技術記事

PDFlibPas: Delphi での compliance and signing workbench

Delphi PDF Library

losLab PDF Library は、Delphi/C++Builder チーム向けにソース提供の PDF エンジンを提供します。デスクトップ、サーバー、DLL、ActiveX、Dylib ワークフローで使え、PDF/A・PDF/UA チェック、PAdES 署名、複数レンダラーを外部 PDF サービスなしで利用できます。

この記事は teams combining validation, remediation, signature preparation, and evidence review in one Delphi workflow 向けです。compliance and signing workbench を単なるコンポーネント呼び出しではなく、本番向けのドキュメントエンジニアリングとして扱います。

実務上のリスクは separate validation and signing tools can disagree about the document state, leaving operators unsure which revision was checked and which revision was signed です。そのため、明確な契約、観測可能な診断、実際の顧客ファイルに近い回帰サンプルが必要です。

アーキテクチャ上の判断

Use one workbench record for the document lifecycle. validation profiles required before signing and after signing / remediation actions allowed inside the workbench versus upstream templates

  • validation profiles required before signing and after signing
  • remediation actions allowed inside the workbench versus upstream templates
  • certificate source, timestamp authority, revocation source, and operator roles
  • waiver workflow for compliance warnings that do not block signing

実装フロー

Validate before the signing revision is created. The order below keeps the workflow reviewable for Delphi and C++Builder teams.

  1. create a workbench record and hash the source file before analysis
  2. run compliance validation and classify findings into fix, waive, or block
  3. apply approved remediation before the signature field is reserved
  4. sign the validated revision and immediately run post-sign validation
  5. package reports, hashes, certificate data, and operator decisions together

検証エビデンス

Workbench evidence that survives audit. Keep these fields with the output or support record.

  • source hash, validation profile, issue summary, remediation list, and waiver list
  • certificate fingerprint, timestamp result, revocation status, and signer identity
  • pre-sign and post-sign validation reports with matching document references
  • final file hash and workbench decision trail

Validation and signing must agree on bytes

A compliance and signing workbench should tie the input hash, validation profile, remediation decisions, signing certificate, timestamp, and final validation result together. Without that chain, a signed file can be difficult to explain later.

Operational metrics to watch

The first release should expose enough metrics to prove the workflow is healthy under real files, not only under curated samples.

  • count and rate for source hash, validation profile, issue summary, remediation list, and waiver list
  • warning trend for fixing compliance issues after signing changes the revision that was trusted
  • latency of the stage that must create a workbench record and hash the source file before analysis
  • profile usage for validation profiles required before signing and after signing

compliance and signing workbench に関する技術レビューの注意点

これらのレビュー項目を使って、機能がデモ段階を超え、リリース、サポート、顧客エスカレーションの場で説明できることを確認します

  • 判断: validation profiles required before signing and after signing. 実装上の焦点: run compliance validation and classify findings into fix, waive, or block. 受け入れ証拠: pre-sign and post-sign validation reports with matching document references. 回帰の引き金: operators need a clear blocked state when the source cannot be trusted
  • 判断: remediation actions allowed inside the workbench versus upstream templates. 実装上の焦点: apply approved remediation before the signature field is reserved. 受け入れ証拠: final file hash and workbench decision trail. 回帰の引き金: fixing compliance issues after signing changes the revision that was trusted
  • 判断: certificate source, timestamp authority, revocation source, and operator roles. 実装上の焦点: sign the validated revision and immediately run post-sign validation. 受け入れ証拠: source hash, validation profile, issue summary, remediation list, and waiver list. 回帰の引き金: waivers should identify an owner and expiry rather than becoming permanent silence
  • 判断: waiver workflow for compliance warnings that do not block signing. 実装上の焦点: package reports, hashes, certificate data, and operator decisions together. 受け入れ証拠: certificate fingerprint, timestamp result, revocation status, and signer identity. 回帰の引き金: timestamp services and validators may fail independently of PDF generation

境界ケース

  • fixing compliance issues after signing changes the revision that was trusted
  • waivers should identify an owner and expiry rather than becoming permanent silence
  • timestamp services and validators may fail independently of PDF generation
  • operators need a clear blocked state when the source cannot be trusted

Delphi / C++Builder の補足

PDFlibPas should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. 重要な用語には compliance, PAdES, preflight, timestamp, waiver, validation report.

Delphi コード例

次の Delphi スケッチは、このテーマに対する実用的なサービス境界を示します。ポリシー確認、ログ記録、検証を製品呼び出しの狭い部分の外側に置くと、ワークフローをテストしやすくなります。

procedure RunComplianceSigningJob(const InputFile, OutputFile: string; const Policy: TSigningPolicy);
var
  Pdf: TPDFlib;
begin
  Pdf := TPDFlib.Create;
  try
    Pdf.LoadFromFile(InputFile, Policy.OpenPassword);
    PrepareComplianceEvidence(Pdf, Policy);
    CompleteSigningWorkflow(Pdf, OutputFile, Policy);
    ValidateSignedOutput(OutputFile, Policy.ProfileName);
  finally
    Pdf.Free;
  end;
end;

本番チェックリスト

  • ワークフローは、空のファイル、通常の顧客ファイル、最悪ケースのファイルで実行します
  • 生成された PDF は、対象のビューアー、検証ツール、プリンター、または downstream アプリケーションで開きます
  • 製品バージョン、プロファイルバージョン、入力ハッシュ、出力パス、経過時間、警告数を記録します
  • パスワード、証明書、一時ファイル、顧客データは明確な保持ルールの下で管理します
  • 顧客ファイルが新しい境界ケースを示したら、回帰用ドキュメントを追加します

製品ドキュメント

PDFlibPas

追加のコード例

ProcessID := PDF.NewSignProcessFromFile('invoice-fixed.pdf', '');
if ProcessID = 0 then
  raise Exception.Create('Cannot open source for signing');
PDF.SetSignProcessField(ProcessID, 'ApprovalSig');
PDF.SetSignProcessPFXFromFile(ProcessID, 'company.pfx', PfxPassword);
PDF.SetSignProcessInfo(ProcessID, 'Invoice approval', 'Berlin', 'billing@example.com');
PDF.SetSignProcessCustomSubFilter(ProcessID, 'ETSI.CAdES.detached');  // PAdES baseline
PDF.SetSignProcessDigestAlgorithm(ProcessID, 2);                      // SHA-256
PDF.SetSignProcessReserveContentsBytes(ProcessID, 8192);              // room for a later timestamp
PDF.EndSignProcessToFile(ProcessID, 'invoice-signed.pdf');
if PDF.GetSignProcessResult(ProcessID) <> 1 then
  Writeln('Sign failed, code ', PDF.GetSignProcessResult(ProcessID));
PDF.ReleaseSignProcess(ProcessID);
var
  Doc: TPDFlibSignDoc;
  Names: TStringList;
  FS: TFileStream;
  I: Integer;
  SourceSize, RangeStart, GapStart, TailStart, TailLen: Int64;
begin
  // Capture the size before Open: the audit object holds a share lock on the file
  FS := TFileStream.Create('invoice-signed.pdf', fmOpenRead or fmShareDenyNone);
  SourceSize := FS.Size;
  FS.Free;
  Doc := TPDFlibSignDoc.Create;
  Names := TStringList.Create;
  try
    if not Doc.Open('invoice-signed.pdf', '', False) then Exit;
    Doc.GetSignatureFieldNames(Names);
    for I := 0 to Names.Count - 1 do
      if Doc.GetSignatureValueObjNum(Names[I]) > 0 then  // > 0 means the field is signed
      begin
        RangeStart := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 11)));
        GapStart   := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 12)));
        TailStart  := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 13)));
        TailLen    := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 14)));
        if (RangeStart = 0) and (TailStart + TailLen = SourceSize) then
          Writeln(Names[I], ': signature covers the file to EOF')
        else
          Writeln(Names[I], ': earlier revision, or unusual ByteRange layout');
      end;
    Doc.Close;
  finally
    Names.Free;
    Doc.Free;
  end;
end;