LlosLab Software Development BlogEngineering notes for PDF, Delphi, and document software developers.

技術記事

PDFlibPas: Delphi での PAdES signing and validation

Delphi PDF Library

losLab PDF Library は、Delphi/C++Builder チーム向けにソース提供の PDF エンジンを提供します。デスクトップ、サーバー、DLL、ActiveX、Dylib ワークフローで使え、PDF/A・PDF/UA チェック、PAdES 署名、複数レンダラーを外部 PDF サービスなしで利用できます。

この記事は teams that need to create, inspect, and validate signed PDF workflows inside Delphi applications 向けです。PAdES signing and validation を単なるコンポーネント呼び出しではなく、本番向けのドキュメントエンジニアリングとして扱います。

実務上のリスクは signature creation and signature validation are often implemented separately, causing mismatched trust decisions when timestamps, revocation data, or incremental updates change です。そのため、明確な契約、観測可能な診断、実際の顧客ファイルに近い回帰サンプルが必要です。

アーキテクチャ上の判断

Use one trust policy for signing and validation. accepted certificate stores, chain policy, timestamp source, and revocation source / PAdES profile, long-term validation requirements, and archive retention period

  • accepted certificate stores, chain policy, timestamp source, and revocation source
  • PAdES profile, long-term validation requirements, and archive retention period
  • whether warnings create a block, manual review, or documented waiver
  • how later document changes are restricted after the trusted revision

実装フロー

Validate the final signed revision, not the draft. The order below keeps the workflow reviewable for Delphi and C++Builder teams.

  1. prepare the document and collect validation prerequisites before signing
  2. apply the signature, timestamp, and revocation evidence according to policy
  3. validate the final signed file and classify every warning
  4. store trust evidence with the business record rather than only inside the PDF
  5. revalidate representative files when trust anchors or policy change

検証エビデンス

Trust evidence for signed documents. Keep these fields with the output or support record.

  • signature status, byte range, digest algorithm, signer certificate, and chain result
  • timestamp token status, revocation source, DSS/VRI presence, and validation time
  • policy version, warning classification, and waiver decision
  • final signed file hash and validator result

Long-term validation needs supporting data

PAdES workflows need certificate-chain checks, timestamps, revocation data, DSS/VRI information, byte-range validation, and policy decisions for warnings. The final file must be validated after all signing bytes are written.

Customer-visible behavior

Users do not see internal call order. They see whether the file opens, validates, prints, edits, imports, or gets rejected. The workflow should translate PAdES signing and validation results into states users can act on.

  • prepare the document and collect validation prerequisites before signing
  • apply the signature, timestamp, and revocation evidence according to policy
  • validate the final signed file and classify every warning
  • a signature can be cryptographically intact but untrusted by current policy
  • revocation services may be unavailable when the document is signed

PAdES signing and validation に関する技術レビューの注意点

これらのレビュー項目を使って、機能がデモ段階を超え、リリース、サポート、顧客エスカレーションの場で説明できることを確認します

  • 判断: accepted certificate stores, chain policy, timestamp source, and revocation source. 実装上の焦点: apply the signature, timestamp, and revocation evidence according to policy. 受け入れ証拠: policy version, warning classification, and waiver decision. 回帰の引き金: clock differences can make timestamp and certificate validity hard to explain
  • 判断: PAdES profile, long-term validation requirements, and archive retention period. 実装上の焦点: validate the final signed file and classify every warning. 受け入れ証拠: final signed file hash and validator result. 回帰の引き金: a signature can be cryptographically intact but untrusted by current policy
  • 判断: whether warnings create a block, manual review, or documented waiver. 実装上の焦点: store trust evidence with the business record rather than only inside the PDF. 受け入れ証拠: signature status, byte range, digest algorithm, signer certificate, and chain result. 回帰の引き金: revocation services may be unavailable when the document is signed

境界ケース

  • a signature can be cryptographically intact but untrusted by current policy
  • revocation services may be unavailable when the document is signed
  • incremental updates after signing need a clear allowed-change policy
  • clock differences can make timestamp and certificate validity hard to explain

Delphi / C++Builder の補足

PDFlibPas should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. 重要な用語には PAdES, signature validation, timestamp, revocation, DSS, byte range.

Delphi コード例

次の Delphi スケッチは、このテーマに対する実用的なサービス境界を示します。ポリシー確認、ログ記録、検証を製品呼び出しの狭い部分の外側に置くと、ワークフローをテストしやすくなります。

procedure ValidatePadesPackage(const InputFile: string; const TrustPolicy: TTrustPolicy);
var
  Pdf: TPDFlib;
  ProcessId: Integer;
begin
  Pdf := TPDFlib.Create;
  try
    ProcessId := Pdf.NewSignProcessFromFile(InputFile, '');
    CheckByteRange(Pdf, ProcessId);
    ValidateCertificatePath(Pdf, ProcessId, TrustPolicy);
    Pdf.ReleaseSignProcess(ProcessId);
  finally
    Pdf.Free;
  end;
end;

本番チェックリスト

  • ワークフローは、空のファイル、通常の顧客ファイル、最悪ケースのファイルで実行します
  • 生成された PDF は、対象のビューアー、検証ツール、プリンター、または downstream アプリケーションで開きます
  • 製品バージョン、プロファイルバージョン、入力ハッシュ、出力パス、経過時間、警告数を記録します
  • パスワード、証明書、一時ファイル、顧客データは明確な保持ルールの下で管理します
  • 顧客ファイルが新しい境界ケースを示したら、回帰用ドキュメントを追加します

製品ドキュメント

PDFlibPas

追加のコード例

var
  Pdf: TPDFlib;
  StsId: Integer;
  HashHex, TstDer, TsAttr, AugmentedCms: AnsiString;
begin
  Pdf := TPDFlib.Create;
  try
    StsId := Pdf.NewPAdESSignatureTimeStampProcessFromFile('invoice-signed.pdf', '');
    Pdf.SetPAdESSignatureTimeStampField(StsId, 'Sig1');
    Pdf.SetPAdESSignatureTimeStampDigestAlgorithm(StsId, 2);
    HashHex := Pdf.GetPAdESSignatureValueHashHex(StsId);
    // both calls below are application code: an HTTP POST to your TSA,
    // and a CMS re-encode that attaches the token as an unsigned attribute
    TstDer := RequestTimeStampToken(HashHex);
    TsAttr := Pdf.BuildPAdESSignatureTimeStampAttribute(TstDer);
    AugmentedCms := AttachUnsignedAttribute(Pdf.GetPAdESSignatureCMSBytes(StsId), TsAttr);
    Pdf.SetPAdESSignatureCMSBytes(StsId, AugmentedCms);
    Pdf.EndPAdESSignatureTimeStampProcessToFile(StsId, 'invoice-bt.pdf');
    if Pdf.GetPAdESSignatureTimeStampProcessResult(StsId) <> 1 then
      raise Exception.Create('timestamp embedding failed');
    Pdf.ReleasePAdESSignatureTimeStampProcess(StsId);
  finally
    Pdf.Free;
  end;
end;
var
  Doc: TPDFlibSignDoc;
  Names: TStringList;
  I: Integer;
  B0, B1, B2, B3, FileSize: Int64;
begin
  FileSize := TFile.GetSize('invoice-bt.pdf');  // before Open: SignDoc holds a share lock
  Doc := TPDFlibSignDoc.Create;
  try
    if not Doc.Open('invoice-bt.pdf', '', False) then
      raise Exception.Create('cannot open for audit');
    Names := TStringList.Create;
    try
      Doc.GetSignatureFieldNames(Names);
      for I := 0 to Names.Count - 1 do
        if Doc.GetSignatureValueObjNum(Names[I]) > 0 then   // >0 means actually signed
        begin
          B0 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 11)));
          B1 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 12)));
          B2 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 13)));
          B3 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 14)));
          if (B0 = 0) and (B2 + B3 = FileSize) then
            Writeln(Names[I], ': covers the file to EOF')
          else
            Writeln(Names[I], ': earlier revision, or unexpected ByteRange layout');
        end;
    finally
      Names.Free;
    end;
    Doc.Close;
  finally
    Doc.Free;
  end;
end;