Features Reference — sgcSign | eSeGeCe

sgcSign Features Reference

Complete feature catalog for the sgcSign digital signature suite — signature standards, key providers, country profiles, validation, EU Trust List integration and ETSI validation reports for Delphi 7 through Delphi 13 Florence, C++Builder and .NET.

Three Layers, One Engine

sgcSign separates key management, signing operations and output formats. Mix any key provider with any signer; switch between local PFX and cloud KMS by changing one component.

Key Providers (IsgcKeyProvider)

Abstract certificate and private-key access behind a single interface. Local files, Windows Certificate Store, PKCS#11 hardware tokens, Azure / AWS / Google Cloud KMS, HashiCorp Vault, Certum SimplySign and CSC v2 remote QTSPs.

Signers

Specialised signers for each ETSI format: TsgcXAdESSigner, TsgcPAdESSigner, TsgcCAdESSigner, TsgcAuthenticodeSigner. Plus TsgcDocumentSigner — a unified high-level API that selects and configures the right signer from a country profile. TsgcSAFTPTSigner produces Portugal's Portaria 363/2010 invoice signature.

Support Components

TsgcTSAClient (RFC 3161 timestamps), TsgcOCSPClient (revocation), TsgcSignatureVerifier (validation), TsgcX509Certificate (certificate decoder + issuer verification), TsgcEUTrustList (LOTL/EUTL), TsgcASiCContainer (ASiC-S/ASiC-E ZIP packaging).

XAdES, PAdES, CAdES, ASiC & Authenticode

Full ETSI signature-format coverage at all four AdES levels (B-B, B-T, B-LT, B-LTA), plus Microsoft Authenticode for code signing.

XAdES — ETSI EN 319 132

XML Advanced Electronic Signatures. Enveloped, detached and enveloping modes. B-B / B-T / B-LT / B-LTA levels. SignatureParentElement for envelope formats that pin signature placement (KSeF /v2/auth/xades-signature). Polish, Spanish and German diacritics via WideString overloads on Delphi 7+.

PAdES — ETSI EN 319 142

PDF Advanced Electronic Signatures. Embedded signatures inside PDF; visible signature appearance with signer name, reason, location, contact info and configurable rectangle. Compatible with Adobe Acrobat. PAdES-T, -LT levels via TSA + OCSP.

CAdES — ETSI EN 319 122

CMS/PKCS#7 binary signatures over any file or data stream. Detached and attached forms. CAdES-BES, CAdES-T (timestamped), CAdES-XL (long-term with revocation values).

ASiC-S / ASiC-E — ETSI EN 319 162

Associated Signature Containers. ZIP-format archive bundling one or more documents with a XAdES or CAdES signature. Simple (apASiCS, single document) or Extended (apASiCE, manifest + multiple documents). The first ZIP entry is an uncompressed mimetype marker so verifiers detect the container in the first ~50 bytes.

Authenticode — Code Signing

Microsoft Authenticode for Windows PE files (.exe, .dll, .sys, .ocx, .cpl, .scr). SHA-1, SHA-256 (default), SHA-384 and SHA-512 hash algorithms. RFC 3161 timestamp tokens. Nested (dual) signatures for legacy + modern verifier compatibility. Available in sgcSign Server.

AdES Levels — B-B / B-T / B-LT / B-LTA

All four ETSI conformance levels supported per format: B-B (basic), B-T (timestamp), B-LT (long-term, with revocation values), B-LTA (archival, with archive timestamp). Promote a signature from B-B to B-LT by adding a TSA client and OCSP responder.

Local, Hardware, Cloud & Remote QTSPs

Every provider implements IsgcKeyProvider. Switch between any of these key sources without changing your signing code.

Component Type Use Case
TsgcPFXKeyProvider Local file (PKCS#12) Password-protected PFX/.p12 files. Native Windows CNG support.
TsgcPEMKeyProvider Local file (PEM) PEM certificates with encrypted PKCS#8 keys. Native PBES2 / PBKDF2 / AES-CBC decryption — no OpenSSL DLL required.
TsgcWindowsCertStoreProvider Windows store Local-machine and current-user stores. Active Directory and Group Policy integration.
TsgcPKCS11Provider Hardware token Smart cards and HSMs via PKCS#11 driver — SafeNet, YubiKey, Nitrokey, Thales, Utimaco, etc.
TsgcAzureTrustedSigningProvider Cloud (Microsoft) Azure Trusted Signing — Microsoft's qualified signing service. OAuth2 client credentials. Distinct from Azure Key Vault.
TsgcAWSKMSKeyProvider Cloud (AWS) AWS Key Management Service. Keys stay in AWS; only document hashes leave the network.
TsgcGCloudKMSKeyProvider Cloud (Google) Google Cloud Key Management. Service-account authentication.
TsgcHashiCorpVaultKeyProvider Cloud (self-hosted) HashiCorp Vault transit signing engine. Keys never leave the Vault cluster.
TsgcCertumSimplySignProvider Remote QTSP Certum SimplySign — qualified Polish e-signature provider. KSeF, ZUS, PUE compatible.
TsgcCSCKeyProvider Remote QTSP (CSC v2) Generic Cloud Signature Consortium v2 client — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group and any QTSP exposing the CSC v2 API.

European E-Invoicing & Employment-Contract Signing

Each profile pre-tunes hash algorithm, canonicalization, signature level, RFC 3161 timestamp policy and OCSP-revocation expectations to satisfy the target country's regulator. Switch jurisdiction with one line.

E-Invoicing Profiles (12)

Profile Country System Format Level
spVeriFactuSpainVeriFactu (AEAT)XAdES-EPESB-B
spTicketBAISpain (Basque)TicketBAIXAdES-EPESB-B
spFacturaeB2BSpainFacturae 3.x / FACeXAdES-EPESB-T
spFatturaPAItalyFatturaPA (SDI)XAdES-BESB-B
spSAFTPTPortugalSAF-T PTRSA-SHA256B-B
spKSeFPolandKSeF (Krajowy System e-Faktur)XAdESB-T
spFacturXFrance / GermanyFactur-X / ZUGFeRDXAdESB-B
spEFacturaRomaniae-Factura (ANAF)XAdESB-T
spNAVOnlineHungaryNAV OnlineXML-DSigB-B
spFiskalizacijaCroatiaFiskalizacijaXML-DSigB-B
spPeppolBEBelgiumPeppol UBL 2.0XAdESB-T
spPeppolBGBulgariaPeppol UBL 2.1XAdESB-T
spMyDATAGreecemyDATA (AADE)XAdESB-B

Portugal: beyond signing the SAF-T (PT) file itself, the dedicated TsgcSAFTPTSigner component produces the Portaria 363/2010 per-invoice signature, the RSA-SHA1 signature whose four characters at positions 1, 11, 21 and 31 are printed on the invoice and carried in QR-code field Q.

TicketBAI: per-province variants spTicketBAIAraba, spTicketBAIBizkaia and spTicketBAIGipuzkoa each carry their provincial Hacienda's official signature-policy identifier and SHA-256 digest. spTicketBAI maps to the Bizkaia pair for backward compatibility.

EU Employment-Contract Profiles (9)

eIDAS-compliant signatures for member-state labour-law requirements (e.g. § 126a BGB in Germany, FEQ in Italy). Pre-tuned per jurisdiction; loaded into TsgcXAdESSigner via Profile.LoadProfile(spEmploymentXX).

Profile Country Level Hash Timestamp OCSP Notes
spEmploymentDEGermanyB-LTSHA-256YesYesQES required by § 126a BGB for written-form contracts.
spEmploymentITItalyB-LTSHA-256YesYesFEQ qualified signature; INPS portals consume both XAdES and CAdES.
spEmploymentESSpainB-TSHA-256YesNoAdES sufficient. SEPE / TGSS portals require FNMT or DNIe.
spEmploymentFRFranceB-TSHA-256YesNoAdES OK; QES preferred for remote-signing under DSP2 / RGS.
spEmploymentATAustriaB-LTSHA-256YesYesQES via Handy-Signatur / ID Austria common.
spEmploymentBEBelgiumB-LTSHA-256YesYesQES via eID card (BeID).
spEmploymentPTPortugalB-LTSHA-256YesYesQES via Cartão do Cidadão / Chave Móvel Digital.
spEmploymentNLNetherlandsB-TSHA-256YesNoAdES generally accepted; QES for some HR portals (UWV).
spEmploymentPLPolandB-TSHA-256YesNoQES via Profil Zaufany or qualified cert when contract goes to ZUS / PUE.

Verify the Way the EU Verifies

Full validation pipeline plus EU Trust List integration and the standardised ETSI TS 119 102-2 XML Validation Report — legal proof of signature validity accepted by EU labour courts and public-administration verifiers.

Signature Verification with LTV

TsgcSignatureVerifier covers the full pipeline: digest checks, RSA / ECDSA signature verification, certificate-chain validation, OCSP revocation checking, embedded RevocationValues for Long-Term Validation, and Id-based fragment lookup for SignedProperties.

EU Trust List (LOTL / EUTL)

TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and ~31 per-Member-State Trusted Lists. Classify any X.509 certificate as eIDAS-qualified by looking it up against the live EU registry. Offline-mode caching for air-gapped deployments.

ETSI TS 119 102-2 Validation Report

Standardised XML Validation Report (v1.2.1) produced for every verification — the format accepted by EU labour courts and public-administration verifiers as legal proof of signature validity.

RFC 3161 Timestamping

TsgcTSAClient connects to any RFC 3161 timestamp authority. Promotes signatures from B-B to B-T, B-LT and B-LTA — verifiable long after the signing certificate has expired.

OCSP Revocation

TsgcOCSPClient performs RFC 6960 Online Certificate Status Protocol checks. Real-time revocation, with the OCSP response embedded in B-LT signatures so the document remains verifiable when the responder is later offline.

X.509 Certificate Decoder & Issuer Check

TsgcX509Certificate exposes every field an online decoder shows: key size, algorithm names, serial (colon and decimal), RFC 2253 / LDAP distinguished names, certificate policies, key identifiers, SHA-1 / SHA-256 / MD5 thumbprints and the SubjectPublicKeyInfo SHA-256 pin. It verifies the issuer signature cryptographically (RSA and ECDSA), resolves the CA from the AIA caIssuers URL, and runs an automatic OCSP check via CheckCertificateAuto.

XML Canonicalization (C14N)

Inclusive C14N (xml-c14n11) and Exclusive C14N (xml-exc-c14n) for consistent XML signature processing. Each country profile selects the canonicalization expected by its regulator.

Native, Self-Contained, Cross-Version

Zero External DLLs

Windows CNG / BCrypt cryptography throughout — no OpenSSL DLL required. Native PBES2 / PBKDF2 / AES-CBC for encrypted PKCS#8 PEM. WinHTTP for network operations.

Delphi 7 through Delphi 13 Florence

Supports every Delphi compiler from Delphi 7 to RAD Studio 13, plus C++Builder. Modern units guarded for legacy compatibility (e.g. TsgcASiCContainer requires D2010+ generics; gracefully compiles as empty unit on D7).

.NET Implementation

Mirror C# port for .NET Framework 2.0–4.8, .NET Core, .NET 5–9 and .NET Standard. Same Tsgc* class names; same API surface as the Delphi library.

Full Source Code

Complete source included with every license. Inspect, customise, audit and extend. Component class names registered for design-time IDE integration.

UTC Timestamps Throughout

All X.509 / CRL / OCSP / TSA timestamps stored as UTC TDateTime values, matching RFC 5280, RFC 3161 and RFC 6960. Local-time conversion via *Local properties on each component.

Zero Runtime Royalties

Free binary redistribution. Sign as many documents as you like with no per-document fees and no per-deployment licenses.

Same API, Three Different Key Sources

Sign a VeriFactu Invoice with a Local PFX

  • Single high-level component (TsgcDocumentSigner)
  • Profile picks XAdES-EPES, B-B, SHA-256, exclusive C14N
  • Switch to spFatturaPA for Italy, spKSeF for Poland
SignVeriFactu.pas
// Sign Spanish VeriFactu invoice
var
  vKeyProvider: TsgcPFXKeyProvider;
  vSigner: TsgcDocumentSigner;
begin
  vKeyProvider := TsgcPFXKeyProvider.Create(nil);
  try
    vKeyProvider.FileName := 'certificate.pfx';
    vKeyProvider.Password := 'secret';
    vKeyProvider.LoadFromFile;

    vSigner := TsgcDocumentSigner.Create(nil);
    try
      vSigner.KeyProvider := vKeyProvider;
      vSigner.Profile := spVeriFactu;
      memoSigned.Text := vSigner.SignXML(memoXML.Text);
    finally
      vSigner.Free;
    end;
  finally
    vKeyProvider.Free;
  end;
end;

Authenticode-Sign an EXE with Azure Trusted Signing

  • Cloud key, no local PFX or USB token
  • OAuth2 client credentials authentication
  • Microsoft-issued public-trust certificate
SignWithAzure.pas
// Authenticode-sign with Azure Trusted Signing
var
  vKeyProvider: TsgcAzureTrustedSigningProvider;
  vSigner: TsgcAuthenticodeSigner;
begin
  vKeyProvider := TsgcAzureTrustedSigningProvider.Create(nil);
  vSigner := TsgcAuthenticodeSigner.Create(nil);
  try
    vKeyProvider.AccountName := 'my-trusted-signing-account';
    vKeyProvider.CertificateProfileName := 'public-trust';
    vKeyProvider.Endpoint := 'https://eus.codesigning.azure.net';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.SignFile('myapp.exe', 'myapp-signed.exe');
  finally
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

PAdES-T — PDF with Visible Signature & Timestamp

  • Certificate from Windows store by Subject Name
  • RFC 3161 timestamp embedded in signature
  • Visible appearance with reason and location
SignPDFVisible.pas
// PAdES-T with visible signature appearance
var
  vKeyProvider: TsgcWindowsCertStoreProvider;
  vSigner: TsgcPAdESSigner;
  vTSA: TsgcTSAClient;
begin
  vKeyProvider := TsgcWindowsCertStoreProvider.Create(nil);
  vSigner := TsgcPAdESSigner.Create(nil);
  vTSA := TsgcTSAClient.Create(nil);
  try
    vKeyProvider.SubjectName := 'CN=Acme Corp';
    vKeyProvider.LoadFromStore;

    vTSA.URL := 'https://freetsa.org/tsr';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.TSAClient := vTSA;
    vSigner.Reason := 'Approved';
    vSigner.Location := 'Madrid, Spain';
    vSigner.VisibleSignature.Enabled := True;
    vSigner.SignPDF('contract.pdf', 'contract-signed.pdf');
  finally
    vTSA.Free;
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

Ship eIDAS-Compliant Signatures Today

Add XAdES, PAdES, CAdES and ASiC signing to your Delphi, C++Builder or .NET application.