losLab PDF Library gives Delphi and C++Builder teams a PDF engine that ships with source code. Across desktop, server, DLL, ActiveX, and Dylib workflows, it provides PDF/A and PDF/UA checks, PAdES signing support, and renderer selection without an external PDF service.
This article is for teams that need to create, inspect, and validate signed PDF workflows inside Delphi applications. It treats PAdES signing and validation as production document engineering rather than as a simple component call.
The real risk is that signature creation and signature validation are often implemented separately, causing mismatched trust decisions when timestamps, revocation data, or incremental updates change. That calls for clear contracts, observable diagnostics, and regression samples that reflect real customer files.
Architecture decisions
Use one trust policy for signing and validation. The policy covers:
- accepted certificate stores, chain policy, timestamp source, and revocation source
- PAdES profile, long-term validation requirements, and archive retention period
- whether warnings create a block, manual review, or documented waiver
- how later document changes are restricted after the trusted revision
Implementation flow
Validate the final signed revision, not the draft. The order below keeps the workflow reviewable for Delphi and C++Builder teams.
- prepare the document and collect validation prerequisites before signing
- apply the signature, timestamp, and revocation evidence according to policy
- validate the final signed file and classify every warning
- store trust evidence with the business record rather than only inside the PDF
- revalidate representative files when trust anchors or policy change
Validation evidence
Trust evidence for signed documents. Keep these fields with the output or support record.
- signature status, byte range, digest algorithm, signer certificate, and chain result
- timestamp token status, revocation source, DSS/VRI presence, and validation time
- policy version, warning classification, and waiver decision
- final signed file hash and validator result
Long-term validation needs supporting data
PAdES workflows need certificate-chain checks, timestamps, revocation data, DSS/VRI information, byte-range validation, and policy decisions for warnings. The final file must be validated after all signing bytes are written.
Customer-visible behavior
Users do not see internal call order. They see whether the file opens, validates, prints, edits, imports, or gets rejected. The workflow should translate PAdES signing and validation results into states users can act on.
- a signature can be cryptographically intact but untrusted by current policy
- revocation services may be unavailable when the document is signed
Engineering review notes for PAdES signing and validation
Use these review notes to confirm that the feature has moved past the demo stage and can be explained during release, support, and customer escalation.
- Decision: accepted certificate stores, chain policy, timestamp source, and revocation source. Key implementation point: apply the signature, timestamp, and revocation evidence according to policy. Acceptance evidence: policy version, warning classification, and waiver decision. Regression trigger: clock differences can make timestamp and certificate validity hard to explain
- Decision: PAdES profile, long-term validation requirements, and archive retention period. Key implementation point: validate the final signed file and classify every warning. Acceptance evidence: final signed file hash and validator result. Regression trigger: a signature can be cryptographically intact but untrusted by current policy
- Decision: whether warnings create a block, manual review, or documented waiver. Key implementation point: store trust evidence with the business record rather than only inside the PDF. Acceptance evidence: signature status, byte range, digest algorithm, signer certificate, and chain result. Regression trigger: revocation services may be unavailable when the document is signed
Edge cases
- a signature can be cryptographically intact but untrusted by current policy
- revocation services may be unavailable when the document is signed
- incremental updates after signing need a clear allowed-change policy
- clock differences can make timestamp and certificate validity hard to explain
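The warning-handling decision and the edge cases listed above, as an added Delphi example (not code from the original page or from losLab): one policy record, shared by the signing and validation paths, maps each finding to block, manual review, or documented waiver. The type names, the `TTrustPolicy` layout, and the policy values are assumptions made for illustration.

```delphi
program ClassifyFindings;
{$APPTYPE CONSOLE}
type
  // Findings named after the edge cases above (constructed enum, not a library type).
  TFinding = (fdChainUntrusted, fdRevocationUnavailable,
              fdUpdateAfterSignature, fdClockSkew);
  TFindings = set of TFinding;
  TDecision = (dcAccept, dcWaiver, dcManualReview, dcBlock); // ordered by severity
  // Hypothetical layout: one policy object for both signing and validation.
  TTrustPolicy = record
    Version: string;
    Action: array[TFinding] of TDecision;
  end;

// A broken digest always blocks; otherwise the most severe action
// configured for any reported finding wins.
function Classify(const Policy: TTrustPolicy; CryptoIntact: Boolean;
  Findings: TFindings): TDecision;
var
  F: TFinding;
begin
  if not CryptoIntact then
    Exit(dcBlock);
  Result := dcAccept;
  for F in Findings do
    if Policy.Action[F] > Result then
      Result := Policy.Action[F];
end;

const
  DecisionName: array[TDecision] of string =
    ('accept', 'documented waiver', 'manual review', 'block');
var
  Policy: TTrustPolicy;
begin
  Policy.Version := 'example-policy-1'; // constructed value
  Policy.Action[fdChainUntrusted] := dcBlock;
  Policy.Action[fdRevocationUnavailable] := dcManualReview;
  Policy.Action[fdUpdateAfterSignature] := dcBlock;
  Policy.Action[fdClockSkew] := dcWaiver;

  // Intact signature, but the chain is not trusted under the current policy.
  Writeln(Policy.Version, ': ', DecisionName[Classify(Policy, True, [fdChainUntrusted])]);
  // Revocation service unavailable at signing time, plus a clock difference.
  Writeln(Policy.Version, ': ',
    DecisionName[Classify(Policy, True, [fdRevocationUnavailable, fdClockSkew])]);
  // A digest mismatch overrides every configured action.
  Writeln(Policy.Version, ': ', DecisionName[Classify(Policy, False, [])]);
end.
```

Storing the policy version next to each decision is what lets representative files be revalidated and compared when trust anchors or the policy change.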
Delphi / C++Builder notes
PDFlibPas should sit behind a small service boundary that receives files, streams, profiles, and credentials, then returns output paths, warnings, metrics, and validation status. The key terms are PAdES, signature validation, timestamp, revocation, DSS, and byte range.
Delphi code example
The following Delphi sketch shows a practical service boundary for this topic. Keeping policy checks, logging, and validation outside the narrow product-call section makes the workflow easier to test.
procedure ValidatePadesPackage(const InputFile: string; const TrustPolicy: TTrustPolicy);
var
  Pdf: TPDFlib;
  ProcessId: Integer;
begin
  Pdf := TPDFlib.Create;
  try
    ProcessId := Pdf.NewSignProcessFromFile(InputFile, '');
    try
      // CheckByteRange and ValidateCertificatePath are application routines, not shown here
      CheckByteRange(Pdf, ProcessId);
      ValidateCertificatePath(Pdf, ProcessId, TrustPolicy);
    finally
      // release the sign process even when one of the checks raises
      Pdf.ReleaseSignProcess(ProcessId);
    end;
  finally
    Pdf.Free;
  end;
end;
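Operations checklist
- Run the workflow on an empty file, a typical customer file, and a worst-case file
- Open the generated PDF in the target viewer, validator, printer, or downstream application
- Record the product version, profile version, input hash, output path, elapsed time, and warning count
- Manage passwords, certificates, temporary files, and customer data under clear retention rules
- Add a regression document when a customer file reveals a new edge case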
Additional code examples
// uses System.SysUtils, System.Classes, System.IOUtils
// (procedure names below are illustrative wrappers around the original fragments)
procedure EmbedSignatureTimeStamp;
var
  Pdf: TPDFlib;
  StsId: Integer;
  HashHex, TstDer, TsAttr, AugmentedCms: AnsiString;
begin
  Pdf := TPDFlib.Create;
  try
    StsId := Pdf.NewPAdESSignatureTimeStampProcessFromFile('invoice-signed.pdf', '');
    try
      Pdf.SetPAdESSignatureTimeStampField(StsId, 'Sig1');
      Pdf.SetPAdESSignatureTimeStampDigestAlgorithm(StsId, 2);
      HashHex := Pdf.GetPAdESSignatureValueHashHex(StsId);
      // RequestTimeStampToken and AttachUnsignedAttribute are application code:
      // an HTTP POST to your TSA, and a CMS re-encode that attaches the token
      // as an unsigned attribute
      TstDer := RequestTimeStampToken(HashHex);
      TsAttr := Pdf.BuildPAdESSignatureTimeStampAttribute(TstDer);
      AugmentedCms := AttachUnsignedAttribute(Pdf.GetPAdESSignatureCMSBytes(StsId), TsAttr);
      Pdf.SetPAdESSignatureCMSBytes(StsId, AugmentedCms);
      Pdf.EndPAdESSignatureTimeStampProcessToFile(StsId, 'invoice-bt.pdf');
      if Pdf.GetPAdESSignatureTimeStampProcessResult(StsId) <> 1 then
        raise Exception.Create('timestamp embedding failed');
    finally
      // release the process even when embedding fails
      Pdf.ReleasePAdESSignatureTimeStampProcess(StsId);
    end;
  finally
    Pdf.Free;
  end;
end;

procedure AuditByteRanges;
var
  Doc: TPDFlibSignDoc;
  Names: TStringList;
  I: Integer;
  B0, B1, B2, B3, FileSize: Int64;
begin
  FileSize := TFile.GetSize('invoice-bt.pdf'); // before Open: SignDoc holds a share lock
  Doc := TPDFlibSignDoc.Create;
  try
    if not Doc.Open('invoice-bt.pdf', '', False) then
      raise Exception.Create('cannot open for audit');
    Names := TStringList.Create;
    try
      Doc.GetSignatureFieldNames(Names);
      for I := 0 to Names.Count - 1 do
        if Doc.GetSignatureValueObjNum(Names[I]) > 0 then // >0 means actually signed
        begin
          // the four ByteRange values: [B0 B1 B2 B3] = [offset1 length1 offset2 length2]
          B0 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 11)));
          B1 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 12)));
          B2 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 13)));
          B3 := StrToInt64(string(Doc.GetSignatureValueByName(Names[I], 14)));
          // the signature covers the whole file only if the second range ends at EOF
          if (B0 = 0) and (B2 + B3 = FileSize) then
            Writeln(Names[I], ': covers the file to EOF')
          else
            Writeln(Names[I], ': earlier revision, or unexpected ByteRange layout');
        end;
    finally
      Names.Free;
    end;
    Doc.Close;
  finally
    Doc.Free;
  end;
end;