iText Core/Community 8.0.2

Just in time for Halloween, here's a new release of your favorite open-source PDF library for Java and .NET. There's nothing spooky about: iText Core version 8.0.2 and the updated iText Suite add-ons in this release though! Let's take a closer look.

PDF/A-4 support

First and foremost, we've extended iText Core's support for the creation and validation of PDF/A compliant documents to include the latest PDF/A-4 standard. PDF/A-4 is based on the PDF 2.0 specification, unlike the previous PDF/A-3 standard which was based on PDF 1.7. This means it allows some of the new features of PDF 2.0, such as page-level output intents for accurate color interpretation, an updated Unicode version, and improvements to Tagged PDF.

The a ("Accessibility"), u ("Unicode") and b ("Basic") conformance levels in earlier variants of PDF/A have been replaced by two new profiles: e and f. The PDF/UA format now exists for Universal Accessibility, and Unicode is now a requirement in PDF/A-4 for text encoding rather than a specific conformance level. Therefore, the base PDF/A-4 specification replaces the b and u conformance levels.

PDF/A-4e (Engineering) replaces the old PDF/E standard for technical documents, and supports Rich Media and 3D annotations, PDF/A4f allows any type of file to be embedded, similar to PDF/A-3, and builds upon PDFs existing container format capabilities.

In addition, PDF/A-4 has better support for the archiving of fillable forms than PDF/A3, since non-static content is now allowed in the form of JavaScript. Therefore, information about interactive forms can be both stored and archived.

Plus, it simplifies the handling of digital signatures. Which leads us nicely into:

Digital signing

We continue the digital signature revolution we introduced with iText Core version 8.0 with a significant improvement which allows signing to be performed in several steps, rather than as a single operation. This can be especially useful to facilitate concurrency and manage resources efficiently in batch operations. The new deferred signing API already allowed this to some degree, although it required users to manually implement IExternalSignatureContainer themselves -- which is no longer necessary.

There's also a nice improvement for the appearance of digital signatures. Now, the generation of the appearance of signature form fields is delegated to the layout module rather than being manually implemented in the PdfSignatureAppearance class, enabling completely customizable appearances. This means the old layer-based approach is outdated, and has been deprecated.

In relation to a pull request, we added support for signing with the SM2/SM3 algorithms which are becoming more commonplace in China. This didn't quite make it into the 8.0.2 release, however it is available in the latest SNAPSHOT release. You can find an example in the above pull request which is a neat demonstration of how you can take advantage of the algorithm-agnostic signing and validation from the 8.0.1 release.

In addition, with this release we're introducing a new higher level API for signing with PAdES. We're still working on the finer details so it's not quite ready for prime-time yet. However, it's fully-functional so you use it for testing, and get a sneak peak at how it simplifies the digital signing process. Stay tuned for future releases to see further strides in digital signing.

Annotation flattening

There are some nice changes to annotation flattening, where we've implemented a high-level API to simplify and enable easy customization of annotation flattening. You can either tell iText to flatten all annotations with just two lines of code, or if you prefer you can define specific types of annotation to be flattened. The power is now at your fingertips.

Bug fixes and miscellaneous

There's also some miscellaneous improvements and fixes for the layout module relating to table row and cell properties, as well as fixes for a potential infinite loop with tables. We've also fixed an issue where a maliciously crafted PDF with a huge number of pages and empty data structures could cause an out of memory error. Now iText will avoid such issues by more intelligently allocating memory for documents like this.

New Features

PDF/A-4 family support

• Introduced higher level signing API
• High-level API for annotation flattening

Improvements

• Create default implementation for IExternalSignatureContainer
• Signature appearance improvements

Bug Fixes

• KeepTogether property set on table might lead to infinite loop
• PDF with Missing Dict Causes Exception
• Incorrect processing of table cells with large rowspan occupying more than one page
• Row span doesn't carry the Cell color to next page

iText Core/Community 8.0.1

Q3 of 2023 is here, and so is a new release of your favorite open-source PDF library for Java and .NET: iText Core 8.0.1! Following the release of iText Suite version 8.0.0 in Q2, you might not be expecting much from a simple patch release. However, we do have a few nice things to talk about.

There’s also a neat feature for the sign module, to follow on from the improvements introduced in 8.0.0. We’ve introduced algorithm agnostic signing/validation so if you wish you can now make use of algorithms not directly supported by iText, but supported by the underlying Bouncy Castle cryptographic library. This is also supported for the Java bc-fips library, but not currently by the .NET version. Note that if you use algorithms not specifically supported by the PDF specification, iText will output a warning to let you know.

There’s some additions in the layout module for CSS flex-wrap and flex-direction for pdfHTML to use, and for the forms module there’s an improvement to optimize PdfFormField regeneration handling.

We’ve also made a number of improvements to the font-asian module, such as improved Unicode support for fonts "HeiseiMin-W3" and "UniJIS-UCS2-H" and other text encoding improvements.

New Features

Algorithm agnostic signing/validation
Support for flex-wrap: wrap property and value
Add ability to customize form related implementations

Improvements

Improved PdfFormField regeneration handling
Several improvements to font-asian module

Bug Fixes

Fixes for incorrect checkbox handling
Flex item with nested floating element processed incorrectly
PdfPageFormCopier improvements tagging issue

iText Core/Community 8.0.0

It’s time for our second quarterly release of the iText Suite; yet as we promised last time, this release of the open-source iText Core PDF library and the add-ons which make up the iText Suite is a little bit different. And not just because this is the first release of the iText Suite under the Apryse banner!

Seven years after the first release of version 7 of the iText library, we’re proud to announce the release of iText Core version 8 – aka iText 8.

What's new?

Just as with the 2016 release of the iText library, iText version 8 has been rewritten and refined to meet the meet the needs of modern document processing. While version 7 was designed around the then upcoming PDF 2.0 specification, iText Core 8.0.0 introduces a number of new features and support for the latest cryptographic related extensions to PDF 2.0. In particular, support has been added for SHA-3 hash functions as specified in ISO/TS 32001, and from ISO/TS 32002 modern elliptical curves for digital signatures are also supported. While these extensions are very new, we believe that it's important for open-source projects such as iText to support and popularize such standards early - especially as we are involved with both the PDF Association and the ISO committees responsible for their publication.

On a related note, direct support for the .NET Bouncy Castle FIPS APIs has been added to iText Core, for compliance with the Federal Information Processing Standard (FIPS 140-2) – the benchmark for evaluating cryptographic products. While FIPS 140-2 is a U.S./Canadian Federal standard, it is widely adopted by both governmental and non-governmental sectors worldwide for practical security and realistic best practice.

Bouncy Castle FIPS implementation
For ease of use, we've introduced a new dependency for the sign module: bouncy-castle-connector. After loading the new bouncy-castle-connector module, developers can simply specify whether to load our standard bouncy-castle-adapter or the bouncy-castle-fips-adapter module, depending on their requirements. This is because the FIPS version of Bouncy Castle is more restrictive, and so may not have all the functionality in the vanilla version.

It is important to not add them both as a dependency since they are not compatible. Also, users must explicitly depend on either the standard bouncy-castle-adapter or the bouncy-castle-fips-adapter module. Otherwise the encryption/signing features will fail with an exception, however, this exception will give you a hint to add one of the bc-adapter dependencies.

In addition, Bouncy Castle FIPS has a FIPS approved mode which makes it possible to deliver one application that can be configured to work in FIPS mode or in regular mode. However, those users requiring FIPS compliance will likely only use the FIPS approved mode.

Please note that FIPS support works in .NET Core, but due to a limitation, .NET Framework is not currently supported.

See the Bouncy Castle changes page for more details on using our FIPS implementation.

Other changes to the sign module
For digital signing, we’ve made significant improvements to the sign module in order to both support new features (such as the RSASSA-PSS padding scheme specified by ETSI as the preferred method for PAdES), and to make the process of digital signing easier. Huge thanks to MatthiasValvekens for submitting the pull requests for this, and the ISO/TS 32001 and ISO/TS 32002 extensions mentioned earlier!

Improved forms creation
Big improvements have also been made to the forms module. When creating forms, you can now benefit from a more logical layout-based approach which will greatly aid forms creation and maintenance.

What else is there?
We also have a really nice improvement for text extraction from PDFs containing non-identity CMaps (Character to Glyph Index Mapping Tables) (such as UniJIS-UCS2-H) that contain double mappings. This change enables reliable Unicode extraction regardless of the source encoding of the CMap in the document.

Special mention should be made to the new and improved layout module documentation which can be found in our GitHub repository.

Together with a bunch of API improvements and refinements and improved documentation, we believe iText Core version 8 represents a big leap over previous iText versions. Our aim was to create a great platform for future development, and to maintain iText's reputation as the most performant and most developer friendly .NET library for PDF creation (including PDF/A and PDF/UA), digitally signing PDFs, and much more besides!

New features

RSASSA-PSS support
Add support for recently published ISO extensions to digital signing
Add support for FIPS 140-2 compliant Bouncy Castle module

Improvements

Improve Checkbox behavior on Adobe Acrobat for PDF/A documents
Support for TIF images with CCITT T.4 compression

Bugs

Text extraction with non-identity CMaps occasionally produces wrongly decoded output

iText Core/Community 7.2.5

Happy 2023 everyone! Thanks to our regular quarterly release schedule, the start of a new year also means you can expect a new release of your favorite open-source PDF library: iText Core 7.2.5!

That's not all though, since if you read our blog you'll know that a brand-new version of iText is in the works. iText 8 is coming, and our development team are hard at work adding new features and revising the API to make it even more intuitive for developers. You can learn about some of the things we have planned in our release blog, but customers can get a sneak-peak by checking out the 8.0 snapshots from our Artifactory. Things could still break or change in the API before release though, so be warned!

As for iText Core 7.2.5 though we've still got plenty of neat stuff to talk about, so let's get right into it.

A change in the way documents are opened means you should see a significant performance increase when opening or processing PDFs. In addition, we’ve improved Core’s resilience when dealing with PDFs with incorrect or malformed cross reference (xref) tables. Previous versions would already do a pretty good job of rebuilding invalid xrefs when opening a document. However, issues could still be encountered when a trailer containing references to an object was located before the actual object’s location, for example in linearized PDFs with corrupted xrefs. Cases like these should now be resolved.

The wrapping of text elements inside Paragraph objects has been improved to fix problems with spaces at the beginning or end of lines. See the example linked below for more information.

Support for TIFF images has been updated and extended to include more CCITT compression types. Images using the T.4 compression standard are now supported in Core.

Finally, a bug relating to merging documents has been resolved. In previous versions, layers with identical names would be discarded when merging with UseSmartMode(), even when the layers were assigned to different pages in the document.

iText Core/Community 7.1.18

The iText 7 Core 7.1.18 release is a maintenance release for iText 7.1.x which includes some recent CVE mitigations and backports from 7.2.x releases.

It addresses two CVE issues (CVE-2022-24196, CVE-2022-24197) which were fixed in the release of iText 7 Core 7.2.2. In addition, we've also backported a fix from our 7.2.1 release which fixes improper nesting of canvas operators when converting SVG to PDF by supporting q/Q Operators inside BT/ET text blocks and objects.

iText Core/Community 7.2.4

As the last quarter of 2022 rolls around, it’s time for our final release of the year for iText 7 Core. While there’s nothing quite as big to announce as the Android reference implementation from last time, we do have a few cool new things in iText 7.2.4 to tell you about. There’s a nice convenience method improvement for creating tagged PDFs, plus a couple of changes relating to default color spaces for PDF/A documents, and for PDF/A detection in the sign module.

Let’s talk about the changes to PDF tagging first. We noticed that when you apply iText's tagging defaults to somewhat advanced layouts, it could result in rather convoluted tag structures. You could remedy such issues by calling getAccessibilityProperties().setRole(null) on the layout element(s) that don't have semantic value, which attaches all children of the layout element to the element's parent for tagging purposes. However, this was a little inconvenient since invoking setRole(...) is not chainable with regards to the underlying layout element, since it operates on AccessibilityProperties instead of on the layout node itself. This meant that to use this feature, you would need to create an intermediate variable to hold the layout element you wish to be "tag-neutral". To improve things, we’ve added a chainable setNeutralRole() method which can be implemented at the layout element level instead, which is a much more elegant solution.

As for the change to PDF/A default color spaces, ISO 19005-2 6.2.4.3 states that when rendering colors specified in DeviceRGB or DeviceCMYK, and where no matching device independent default color space has been set, conforming readers should use the profile in the file’s PDF/A OutputIntent dictionary as the source color space. Previous versions of iText were not aware when some content was drawn using the color space set by default, and so we’ve now added a check for the Default Color Space in our PdfAChecker mechanism.

In addition, we’ve made an improvement to the sign module relating to the detection and initialization of PDF/A documents. In previous versions of iText 7 Core, we did not check if the given document was a PDF or a PDF/A document. This prevented the PdfSigner from initializing the document as a PdfADocument if it was required. Now the PdfSigner class will check to see if a document claims PDF/A conformance, and treat it accordingly. Note that this does count as a breaking change, so see the example linked below to learn more.

We have also fixed a bug where BBox values for table cells would be inaccurate, leading to text clipping issues. See the example linked below for more information about this fix.

Improvements

• PDF/A: Add check for Default Color Space
• Implement chainable API to neutralize tagging on specific layout elements
• Implement PDF Type 0 (Sampled) Functions (chapter 7.10.2 of 32000-1_2008)
• In the method ImagePdfBytesInfo.decodeTiffAndPngBytes when the colorspace is a separation color space don't throw an exception but recalculate the image pixels to the alternate colorspace of the separation color
• Update CMap files in font-asian package

Bugs

• Smart mode copying merges GoTo actions with different explicit destinations into a single PDF object
• PdfDocument.copyPagesTo was creating corrupt PDFs when there was a button widget whose action is to jump to another page within the same document
• When merging using UseSmartMode() layers with identical names were discarded
• Result of text extraction differs from the original document text for CJK fonts (Identity-H/V encoding)
• table.createRendererSubTree() is producing an incorrect height calculation for the occupied area BBox. If we set the cell height to the calculated value, then text is being clipped on the final output

iText Core/Community 7.2.3

Q3 is upon us, and so is the release of iText 7 Core 7.2.3! The big news this time round is naturally the official release of our reference implementation of iText 7 for Android, though there’s plenty more that’s new in Core. We have a fix relating to XMP metadata in PDF/A documents, improved support for SVG image dimensions using exponent notation, and revised the way PDF streams with indirect references are flushed.

Plus, we have the usual round of bugfixes and miscellaneous improvements as always.

In other news, a big thank you to @carl-di-ortus for submitting a fix for XMP metadata in canonical format causing issues, and thus generating invalid namespace attributes in PDF/A documents. We determined the reported issue was caused by the XML library used by the .NET version of iText 7 not supporting the 0x1F char, however the fix should prevent such XMP metadata causing similar compliance issues when generating PDF/A documents.

In addition, another pull request inspired us to make some improvements to the way PDF streams with indirect references are flushed. Thank you @LingMan!

In other news for Core, we’ve made some more SVG improvements by adding support for exponent notation using the capital E to specify image dimensions. We’ve prepared a code example to demonstrate this which you can find linked below.

There’s also a nice change for our AGPL users. If a license file is not provided for Core, it assumes AGPL usage and so occasionally a message is printed to stdout as a reminder. However, if you’re happy that you’re in compliance with the AGPL requirements then seeing this message might become a little annoying after a while. If this is the case, you’ll be pleased to learn that you can disable it, see the example linked below to learn more.

Improvements

• Android Support
• Save XMP metadata in canonical format for PDF/A documents
• Implement Pdf Type 2 function (Exponential Interpolation) Functions
• Implement Pdf Type 3 (Stitching) Functions
• Indirect ref in PdfStream issues: implement the first solution mentioned during the refinement
• Update several 3rd party dependencies to their most recent version

Bugs

• SVG: support exponent notation for numbers with capital E
• Fix NPE on CopyPagesTo
• Issue with flushing PDF stream with indirect reference in /Filter
• Fix infinite loop when reading a PdfDocument
• Fix the NPE which is thrown when table cell content is clipped

iText Core/Community 7.2.2

It's already Q2 of 2022, and so we're pleased to announce the release of iText Core 7.2.2. Your favorite PDF library for Java and .NET (and more!)

The System.Text.RegularExpressions dependency is now explicit rather than implicit, and uses version 4.3.1.

We've made some improvements to iText's parsing logic for PDF cross-reference structures. This was to prevent the potential for a PDF's structure to be maliciously created to cause infinite loops or other issues.

We've also fixed a bug relating to CFF font parsing. As noted in the specification, CFF is a font format which was developed by Adobe to act as a compact container for one or more fonts by using lossless compression. In cases when a font's CID does not correspond to its GID, iText could incorrectly read its cmap values resulting in incorrect glyphs being displayed in PDF viewers. To address this, the font parsing logic has been rewritten to account for fonts where the glyph IDs do not match the CIDs, and will now handle them in the correct and expected manner.

This release also addresses two CVE issues (CVE-2022-24196, and CVE-2022-24197) which were disclosed. See the Changelog or the linked issues for more details.

Improvements

• Updated (or rather make it explicit) a .NET dependency (System.Text.RegularExpressions 4.3.1)

Bugs

• Fixed CFF font-parsing logic
• CVE fixes
  CVE-2022-24196 - out-of-memory error via the component readStreamBytesRaw
  CVE-2022-24197 - stack-based buffer overflow via the component ByteBuffer.append

iText Core/Community 7.2.1

iText Core 7.2.1 is the latest release of your favorite PDF library for Java and .NET (and more!), and the first scheduled maintenance release for iText 7.2. It brings further improvements for SVG conversion, supporting default values for the d attribute of the path tag and improving PDF output, which in previous versions could be rendered incorrectly by some PDF viewers, such as Safari and View (macOS), and Documents (iOS). As usual, pdfHTML also benefits from any SVG handling changes.

As for PDF merging functionality, we should note more intelligent outline handling, which is no longer as strict and can fix some syntax mistakes in the Outlines hierarchy. For instance, absence of the parent attribute which is mandatory in the PDF specification is not an issue anymore.

We'd also like to thank the iText community for its contributions, specifically; realityone, with a really important and impactful fix for incompatibility with PDF standards in our codebase and kohler, whose PR helped us a lot in our efforts to process PDF outlines better. We are happy to see that after 21 years there is still so much interest in improving the iText library.

You can also expect other changes such as a number of bug fixes, plus some significant improvements to the codebase.

Improvements

• SVG: Support default value for 'd" attribute
• Process Outlines using explicit hierarchy
• Support of copying empty tags

Bugs

• Outlines structure parsing: infinite loop while merging with outlines
• SVG. Support of q/Q Operators inside BT/ET text block/object
• Set PubKeySecurityHandler output stream with DER encoding format
• OcgPropertiesCopier: StackOverflowError when merging documents with OCGs if a resource has cycle reference

iText Core/Community 7.1.17

The iText 7.1.17 release is a maintenance release with a security bug fix for a vulnerability that allowed the use of GhostScript in an unpredictable manner.
At the same time, we are also releasing iText 7.2.0, the next major version of iText. In addition to this bug fix, 7.2.0 contains a great deal of other improvements.

Bugs

• Security bugfix for vulnerability in GhostScript