기능 참조 — sgcSign

아키텍처

세 가지 레이어, 하나의 엔진

sgcSign은 키 관리, 서명 작업, 출력 형식을 분리해요. 모든 키 공급자와 서명자를 혼합하고; 하나의 컴포넌트만 변경하여 로컬 PFX와 Cloud KMS 사이를 전환해요.

키 공급자 (IsgcKeyProvider)

단일 인터페이스 뒤에 인증서 및 개인 키 액세스를 추상화해요. 로컬 파일, Windows 인증서 저장소, PKCS#11 하드웨어 토큰, Azure / AWS / Google Cloud KMS, HashiCorp Vault, Certum SimplySign, CSC v2 원격 QTSP예요.

서명자

각 ETSI 형식을 위한 특화된 서명자: TsgcXAdESSigner, TsgcPAdESSigner, TsgcCAdESSigner, TsgcAuthenticodeSigner. 또한 국가 프로파일에서 적절한 서명자를 선택하고 구성하는 통합 고수준 API인 TsgcDocumentSigner가 있어요.

지원 컴포넌트

TsgcTSAClient (RFC 3161 타임스탬프), TsgcOCSPClient (폐지), TsgcSignatureVerifier (검증), TsgcEUTrustList (LOTL/EUTL), TsgcASiCContainer (ASiC-S/ASiC-E ZIP 패키징)이에요.

서명 표준

XAdES, PAdES, CAdES, ASiC & Authenticode

모든 4가지 AdES 레벨(B-B, B-T, B-LT, B-LTA)에서 완전한 ETSI 서명 형식 지원, 코드 서명을 위한 Microsoft Authenticode 포함이에요.

XAdES — ETSI EN 319 132

XML 고급 전자 서명이에요. 봉투형, 분리형, 래핑형 모드예요. B-B / B-T / B-LT / B-LTA 레벨이에요. 서명 위치를 고정하는 봉투 형식을 위한 SignatureParentElement(KSeF /v2/auth/xades-signature). Delphi 7 이상에서 WideString 오버로드를 통한 폴란드어, 스페인어, 독일어 발음 기호 지원이에요.

PAdES — ETSI EN 319 142

PDF Advanced Electronic Signatures. Embedded signatures inside PDF; visible signature appearance with signer name, reason, location, contact info and configurable rectangle. Compatible with Adobe Acrobat. PAdES-T, -LT levels via TSA + OCSP.

CAdES — ETSI EN 319 122

CMS/PKCS#7 바이너리 서명 over any file or data stream. Detached and attached forms. CAdES-BES, CAdES-T (timestamped), CAdES-XL (long-term with revocation values).

ASiC-S / ASiC-E — ETSI EN 319 162

연관 서명 컨테이너. ZIP-format archive bundling one or more documents with a XAdES or CAdES signature. Simple (apASiCS, single document) or Extended (apASiCE, manifest + multiple documents). The first ZIP entry is an uncompressed mimetype marker so verifiers detect the container in the first ~50 bytes.

Authenticode — Code Signing

Microsoft Authenticode for Windows PE files (.exe, .dll, .sys, .ocx, .cpl, .scr). SHA-1, SHA-256 (default), SHA-384 and SHA-512 hash algorithms. RFC 3161 timestamp tokens. Nested (dual) signatures for legacy + modern verifier compatibility. Available in sgcSign Server.

AdES Levels — B-B / B-T / B-LT / B-LTA

All four ETSI conformance levels supported per format: B-B (basic), B-T (timestamp), B-LT (long-term, with revocation values), B-LTA (archival, with archive timestamp). Promote a signature from B-B to B-LT by adding a TSA client and OCSP responder.

10 KEY PROVIDERS

Local, Hardware, Cloud & Remote QTSPs

Every provider implements IsgcKeyProvider. Switch between any of these key sources without changing your signing code.

Component	Type	Use Case
`TsgcPFXKeyProvider`	Local file (PKCS#12)	Password-protected PFX/.p12 files. Native Windows CNG support.
`TsgcPEMKeyProvider`	Local file (PEM)	PEM certificates with encrypted PKCS#8 keys. Native PBES2 / PBKDF2 / AES-CBC decryption — no OpenSSL DLL required.
`TsgcWindowsCertStoreProvider`	Windows store	Local-machine and current-user stores. Active Directory and Group Policy integration.
`TsgcPKCS11Provider`	Hardware token	Smart cards and HSMs via PKCS#11 driver — SafeNet, YubiKey, Nitrokey, Thales, Utimaco, etc.
`TsgcAzureTrustedSigningProvider`	Cloud (Microsoft)	Azure Trusted Signing — Microsoft's qualified signing service. OAuth2 client credentials. Distinct from Azure Key Vault.
`TsgcAWSKMSKeyProvider`	Cloud (AWS)	AWS Key Management Service. Keys stay in AWS; only document hashes leave the network.
`TsgcGCloudKMSKeyProvider`	Cloud (Google)	Google Cloud Key Management. Service-account authentication.
`TsgcHashiCorpVaultKeyProvider`	Cloud (self-hosted)	HashiCorp Vault transit signing engine. Keys never leave the Vault cluster.
`TsgcCertumSimplySignProvider`	Remote QTSP	Certum SimplySign — qualified Polish e-signature provider. KSeF, ZUS, PUE compatible.
`TsgcCSCKeyProvider`	Remote QTSP (CSC v2)	Generic Cloud Signature Consortium v2 client — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group and any QTSP exposing the CSC v2 API.

21 PRE-CONFIGURED COUNTRY PROFILES

European E-Invoicing & Employment-Contract Signing

Each profile pre-tunes hash algorithm, canonicalization, signature level, RFC 3161 timestamp policy and OCSP-revocation expectations to satisfy the target country's regulator. Switch jurisdiction with one line.

E-Invoicing Profiles (12)

Profile	Country	System	Format	Level
`spVeriFactu`	Spain	VeriFactu (AEAT)	XAdES-EPES	B-B
`spTicketBAI`	Spain (Basque)	TicketBAI	XAdES-EPES	B-B
`spFacturaeB2B`	Spain	Facturae 3.x / FACe	XAdES-EPES	B-T
`spFatturaPA`	Italy	FatturaPA (SDI)	XAdES-BES	B-B
`spSAFTPT`	Portugal	SAF-T PT	RSA-SHA256	B-B
`spKSeF`	Poland	KSeF (Krajowy System e-Faktur)	XAdES	B-T
`spFacturX`	France / Germany	Factur-X / ZUGFeRD	XAdES	B-B
`spEFactura`	Romania	e-Factura (ANAF)	XAdES	B-T
`spNAVOnline`	Hungary	NAV Online	XML-DSig	B-B
`spFiskalizacija`	Croatia	Fiskalizacija	XML-DSig	B-B
`spPeppolBE`	Belgium	Peppol UBL 2.0	XAdES	B-T
`spPeppolBG`	Bulgaria	Peppol UBL 2.1	XAdES	B-T
`spMyDATA`	Greece	myDATA (AADE)	XAdES	B-B

EU Employment-Contract Profiles (9)

eIDAS-compliant signatures for member-state labour-law requirements (e.g. § 126a BGB in Germany, FEQ in Italy). Pre-tuned per jurisdiction; loaded into TsgcXAdESSigner via Profile.LoadProfile(spEmploymentXX).

Profile	Country	Level	Hash	Timestamp	OCSP	Notes
`spEmploymentDE`	Germany	B-LT	SHA-256	Yes	Yes	QES required by § 126a BGB for written-form contracts.
`spEmploymentIT`	Italy	B-LT	SHA-256	Yes	Yes	FEQ qualified signature; INPS portals consume both XAdES and CAdES.
`spEmploymentES`	Spain	B-T	SHA-256	Yes	No	AdES sufficient. SEPE / TGSS portals require FNMT or DNIe.
`spEmploymentFR`	France	B-T	SHA-256	Yes	No	AdES OK; QES preferred for remote-signing under DSP2 / RGS.
`spEmploymentAT`	Austria	B-LT	SHA-256	Yes	Yes	QES via Handy-Signatur / ID Austria common.
`spEmploymentBE`	Belgium	B-LT	SHA-256	Yes	Yes	QES via eID card (BeID).
`spEmploymentPT`	Portugal	B-LT	SHA-256	Yes	Yes	QES via Cartão do Cidadão / Chave Móvel Digital.
`spEmploymentNL`	Netherlands	B-T	SHA-256	Yes	No	AdES generally accepted; QES for some HR portals (UWV).
`spEmploymentPL`	Poland	B-T	SHA-256	Yes	No	QES via Profil Zaufany or qualified cert when contract goes to ZUS / PUE.

VALIDATION & TRUST

Verify the Way the EU Verifies

Full validation pipeline plus EU Trust List integration and the standardised ETSI TS 119 102-2 XML Validation Report — legal proof of signature validity accepted by EU labour courts and public-administration verifiers.

Signature Verification with LTV

TsgcSignatureVerifier covers the full pipeline: digest checks, RSA / ECDSA signature verification, certificate-chain validation, OCSP revocation checking, embedded RevocationValues for Long-Term Validation, and Id-based fragment lookup for SignedProperties.

EU Trust List (LOTL / EUTL)

TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and ~31 per-Member-State Trusted Lists. Classify any X.509 certificate as eIDAS-qualified by looking it up against the live EU registry. Offline-mode caching for air-gapped deployments.

ETSI TS 119 102-2 Validation Report

Standardised XML Validation Report (v1.2.1) produced for every verification — the format accepted by EU labour courts and public-administration verifiers as legal proof of signature validity.

RFC 3161 Timestamping

TsgcTSAClient connects to any RFC 3161 timestamp authority. Promotes signatures from B-B to B-T, B-LT and B-LTA — verifiable long after the signing certificate has expired.

OCSP Revocation

TsgcOCSPClient performs RFC 6960 Online Certificate Status Protocol checks. Real-time revocation, with the OCSP response embedded in B-LT signatures so the document remains verifiable when the responder is later offline.

XML Canonicalization (C14N)

Inclusive C14N (xml-c14n11) and Exclusive C14N (xml-exc-c14n) for consistent XML signature processing. Each country profile selects the canonicalization expected by its regulator.

FOUNDATION

Native, Self-Contained, Cross-Version

Zero External DLLs

Windows CNG / BCrypt cryptography throughout — no OpenSSL DLL required. Native PBES2 / PBKDF2 / AES-CBC for encrypted PKCS#8 PEM. WinHTTP for network operations.

Delphi 7 through Delphi 13

Supports every Delphi compiler from Delphi 7 to RAD Studio 13, plus C++Builder. Modern units guarded for legacy compatibility (e.g. TsgcASiCContainer requires D2010+ generics; gracefully compiles as empty unit on D7).

.NET Implementation

Mirror C# port for .NET Framework 2.0–4.8, .NET Core, .NET 5–9 and .NET Standard. Same Tsgc* class names; same API surface as the Delphi library.

Full Source Code

Complete source included with every license. Inspect, customise, audit and extend. Component class names registered for design-time IDE integration.

UTC Timestamps Throughout

All X.509 / CRL / OCSP / TSA timestamps stored as UTC TDateTime values, matching RFC 5280, RFC 3161 and RFC 6960. Local-time conversion via *Local properties on each component.

Zero Runtime Royalties

Free binary redistribution. Sign as many documents as you like with no per-document fees and no per-deployment licenses.

CODE EXAMPLES

Same API, Three Different Key Sources

Sign a VeriFactu Invoice with a Local PFX

Single high-level component (TsgcDocumentSigner)
Profile picks XAdES-EPES, B-B, SHA-256, exclusive C14N
Switch to spFatturaPA for Italy, spKSeF for Poland

SignVeriFactu.pas

// Sign Spanish VeriFactu invoice
var
  vKeyProvider: TsgcPFXKeyProvider;
  vSigner: TsgcDocumentSigner;
begin
  vKeyProvider := TsgcPFXKeyProvider.Create(nil);
  try
    vKeyProvider.FileName := 'certificate.pfx';
    vKeyProvider.Password := 'secret';
    vKeyProvider.LoadFromFile;

    vSigner := TsgcDocumentSigner.Create(nil);
    try
      vSigner.KeyProvider := vKeyProvider;
      vSigner.Profile := spVeriFactu;
      memoSigned.Text := vSigner.SignXML(memoXML.Text);
    finally
      vSigner.Free;
    end;
  finally
    vKeyProvider.Free;
  end;
end;

Authenticode-Sign an EXE with Azure Trusted Signing

Cloud key, no local PFX or USB token
OAuth2 client credentials authentication
Microsoft-issued public-trust certificate

SignWithAzure.pas

// Authenticode-sign with Azure Trusted Signing
var
  vKeyProvider: TsgcAzureTrustedSigningProvider;
  vSigner: TsgcAuthenticodeSigner;
begin
  vKeyProvider := TsgcAzureTrustedSigningProvider.Create(nil);
  vSigner := TsgcAuthenticodeSigner.Create(nil);
  try
    vKeyProvider.AccountName := 'my-trusted-signing-account';
    vKeyProvider.CertificateProfileName := 'public-trust';
    vKeyProvider.Endpoint := 'https://eus.codesigning.azure.net';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.SignFile('myapp.exe', 'myapp-signed.exe');
  finally
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

PAdES-T — PDF with Visible Signature & Timestamp

Certificate from Windows store by Subject Name
RFC 3161 timestamp embedded in signature
Visible appearance with reason and location

SignPDFVisible.pas

// PAdES-T with visible signature appearance
var
  vKeyProvider: TsgcWindowsCertStoreProvider;
  vSigner: TsgcPAdESSigner;
  vTSA: TsgcTSAClient;
begin
  vKeyProvider := TsgcWindowsCertStoreProvider.Create(nil);
  vSigner := TsgcPAdESSigner.Create(nil);
  vTSA := TsgcTSAClient.Create(nil);
  try
    vKeyProvider.SubjectName := 'CN=Acme Corp';
    vKeyProvider.LoadFromStore;

    vTSA.URL := 'https://freetsa.org/tsr';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.TSAClient := vTSA;
    vSigner.Reason := 'Approved';
    vSigner.Location := 'Madrid, Spain';
    vSigner.VisibleSignature.Enabled := True;
    vSigner.SignPDF('contract.pdf', 'contract-signed.pdf');
  finally
    vTSA.Free;
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

sgcSign 기능 참조