iText Core/Community 8.0.0

It’s time for our second quarterly release of the iText Suite; yet as we promised last time, this release of the open-source iText Core PDF library and the add-ons which make up the iText Suite is a little bit different. And not just because this is the first release of the iText Suite under the Apryse banner!

Seven years after the first release of version 7 of the iText library, we’re proud to announce the release of iText Core version 8 – aka iText 8.

What's new?

Just as with the 2016 release of the iText library, iText version 8 has been rewritten and refined to meet the meet the needs of modern document processing. While version 7 was designed around the then upcoming PDF 2.0 specification, iText Core 8.0.0 introduces a number of new features and support for the latest cryptographic related extensions to PDF 2.0. In particular, support has been added for SHA-3 hash functions as specified in ISO/TS 32001, and from ISO/TS 32002 modern elliptical curves for digital signatures are also supported. While these extensions are very new, we believe that it's important for open-source projects such as iText to support and popularize such standards early - especially as we are involved with both the PDF Association and the ISO committees responsible for their publication.

On a related note, direct support for Bouncy Castle FIPS APIs has been added to iText Core, for compliance with the Federal Information Processing Standard (FIPS 140-2) – the benchmark for evaluating cryptographic products. While FIPS 140-2 is a U.S./Canadian Federal standard, it is widely adopted by both governmental and non-governmental sectors worldwide for practical security and realistic best practice.

Bouncy Castle FIPS implementation
For ease of use, we've introduced a new dependency for the sign module: bouncy-castle-connector. After loading the new bouncy-castle-connector module, developers can simply specify whether to load our standard bouncy-castle-adapter or the bouncy-castle-fips-adapter module, depending on their requirements. This is because the FIPS version of Bouncy Castle is more restrictive, and so may not have all the functionality in the vanilla version.

It is important to not add them both as a dependency since they are not compatible. Also, users must explicitly depend on either the standard bouncy-castle-adapter or the bouncy-castle-fips-adapter module. Otherwise the encryption/signing features will fail with an exception, however, this exception will give you a hint to add one of the bc-adapter dependencies.

In addition, Bouncy Castle FIPS has a FIPS approved mode which makes it possible to deliver one application that can be configured to work in FIPS mode or in regular mode. However, those users requiring FIPS compliance will likely only use the FIPS approved mode.

See the Bouncy Castle changes page for more details on using our FIPS implementation.

Other changes to the sign module
For digital signing, we’ve made significant improvements to the sign module in order to both support new features (such as the RSASSA-PSS padding scheme specified by ETSI as the preferred method for PAdES), and to make the process of digital signing easier. Huge thanks to MatthiasValvekens for submitting the pull requests for this, and the ISO/TS 32001 and ISO/TS 32002 extensions mentioned earlier!

Improved forms creation
Big improvements have also been made to the forms module. When creating forms, you can now benefit from a more logical layout-based approach which will greatly aid forms creation and maintenance.

What else is there?
We also have a really nice improvement for text extraction from PDFs containing non-identity CMaps (Character to Glyph Index Mapping Tables) (such as UniJIS-UCS2-H) that contain double mappings. This change enables reliable Unicode extraction regardless of the source encoding of the CMap in the document.

Special mention should be made to the new and improved layout module documentation which can be found in our GitHub repository.

Together with a bunch of API improvements and refinements and improved documentation, we believe iText Core version 8 represents a big leap over previous iText versions. Our aim was to create a great platform for future development, and to maintain iText's reputation as the most performant and most developer friendly Java library for PDF creation (including PDF/A and PDF/UA), digitally signing PDFs, and much more besides!

New features

RSASSA-PSS support
Add support for recently published ISO extensions to digital signing
Add support for FIPS 140-2 compliant Bouncy Castle module

Improvements

Improve Checkbox behavior on Adobe Acrobat for PDF/A documents
Support for TIF images with CCITT T.4 compression

Bugs

Text extraction with non-identity CMaps occasionally produces wrongly decoded output

iText Core/Community 7.2.5

Happy 2023 everyone! Thanks to our regular quarterly release schedule, the start of a new year also means you can expect a new release of your favorite open-source PDF library: iText Core 7.2.5!

That's not all though, since if you read our blog you'll know that a brand-new version of iText is in the works. iText 8 is coming, and our development team are hard at work adding new features and revising the API to make it even more intuitive for developers. You can learn about some of the things we have planned in our release blog, but customers can get a sneak-peak by checking out the 8.0 snapshots from our Artifactory. Things could still break or change in the API before release though, so be warned!

As for iText Core 7.2.5 though we've still got plenty of neat stuff to talk about, so let's get right into it.

A change in the way documents are opened means you should see a significant performance increase when opening or processing PDFs. In addition, we’ve improved Core’s resilience when dealing with PDFs with incorrect or malformed cross reference (xref) tables. Previous versions would already do a pretty good job of rebuilding invalid xrefs when opening a document. However, issues could still be encountered when a trailer containing references to an object was located before the actual object’s location, for example in linearized PDFs with corrupted xrefs. Cases like these should now be resolved.

The wrapping of text elements inside Paragraph objects has been improved to fix problems with spaces at the beginning or end of lines. See the example linked below for more information.

Support for TIFF images has been updated and extended to include more CCITT compression types. Images using the T.4 compression standard are now supported in Core.

Finally, a bug relating to merging documents has been resolved. In previous versions, layers with identical names would be discarded when merging with useSmartMode(), even when the layers were assigned to different pages in the document.

iText Core/Community 7.1.18

The iText 7 Core 7.1.18 release is a maintenance release for iText 7.1.x which includes some recent CVE mitigations and backports from 7.2.x releases.

It addresses two CVE issues (CVE-2022-24196, CVE-2022-24197) which were fixed in the release of iText 7 Core 7.2.2. In addition, we've also backported a fix from our 7.2.1 release which fixes improper nesting of canvas operators when converting SVG to PDF by supporting q/Q Operators inside BT/ET text blocks and objects.

iText Core/Community 7.2.4

As the last quarter of 2022 rolls around, it’s time for our final release of the year for iText 7 Core. While there’s nothing quite as big to announce as the Android reference implementation from last time, we do have a few cool new things in iText 7.2.4 to tell you about. There’s a nice convenience method improvement for creating tagged PDFs, plus a couple of changes relating to default color spaces for PDF/A documents, and for PDF/A detection in the sign module.

Let’s talk about the changes to PDF tagging first. We noticed that when you apply iText's tagging defaults to somewhat advanced layouts, it could result in rather convoluted tag structures. You could remedy such issues by calling getAccessibilityProperties().setRole(null) on the layout element(s) that don't have semantic value, which attaches all children of the layout element to the element's parent for tagging purposes. However, this was a little inconvenient since invoking setRole(...) is not chainable with regards to the underlying layout element, since it operates on AccessibilityProperties instead of on the layout node itself. This meant that to use this feature, you would need to create an intermediate variable to hold the layout element you wish to be "tag-neutral". To improve things, we’ve added a chainable setNeutralRole() method which can be implemented at the layout element level instead, which is a much more elegant solution.

As for the change to PDF/A default color spaces, ISO 19005-2 6.2.4.3 states that when rendering colors specified in DeviceRGB or DeviceCMYK, and where no matching device independent default color space has been set, conforming readers should use the profile in the file’s PDF/A OutputIntent dictionary as the source color space. Previous versions of iText were not aware when some content was drawn using the color space set by default, and so we’ve now added a check for the Default Color Space in our PdfAChecker mechanism.

In addition, we’ve made an improvement to the sign module relating to the detection and initialization of PDF/A documents. In previous versions of iText 7 Core, we did not check if the given document was a PDF or a PDF/A document. This prevented the PdfSigner from initializing the document as a PdfADocument if it was required. Now the PdfSigner class will check to see if a document claims PDF/A conformance, and treat it accordingly. Note that this does count as a breaking change, so see the example linked below to learn more.

We have also fixed a bug where BBox values for table cells would be inaccurate, leading to text clipping issues. See the example linked below for more information about this fix.

In other news, we have upgraded our Java BouncyCastle dependency from version 1.69 to 1.70.

Improvements

• Updated jackson-databind dependency to 2.13.4
• PDF/A: Add check for Default Color Space
• Implement chainable API to neutralize tagging on specific layout elements
• Implement PDF Type 0 (Sampled) Functions (chapter 7.10.2 of 32000-1_2008)
• In the method ImagePdfBytesInfo.decodeTiffAndPngBytes when the colorspace is a separation color space don't throw an exception but recalculate the image pixels to the alternate colorspace of the separation color
• Update CMap files in font-asian package

Bugs

• Smart mode copying merges GoTo actions with different explicit destinations into a single PDF object
• PdfDocument.copyPagesTo was creating corrupt PDFs when there was a button widget whose action is to jump to another page within the same document
• When merging using UseSmartMode() layers with identical names were discarded
• Result of text extraction differs from the original document text for CJK fonts (Identity-H/V encoding)
• table.createRendererSubTree() is producing an incorrect height calculation for the occupied area BBox. If we set the cell height to the calculated value, then text is being clipped on the final output

iText Core/Community 7.2.3

Q3 is upon us, and so is the release of iText 7 Core 7.2.3! The big news this time round is naturally the official release of our reference implementation of iText 7 for Android, though there’s plenty more that’s new in Core. We have a fix relating to XMP metadata in PDF/A documents, improved support for SVG image dimensions using exponent notation, and revised the way PDF streams with indirect references are flushed.

Plus, we have the usual round of bugfixes and miscellaneous improvements as always.

Let’s talk about Android first though. By using iText 7.2 as a base, we’ve done some legwork to eliminate the main sticking points for incompatibility between Java and Android, and to showcase this we’ve developed a reference implementation. This includes some UI components to build an app which demonstrates the currently available functionality.

This SDK depends on forked versions of PdfiumAndroid and the AndroidPdfViewer project developed by @barteksc, and requires API version 27 or above.

A pull request inspired us to make some improvements to the way PDF streams with indirect references are flushed. Thank you @LingMan!

In other news for Core, we’ve made some more SVG improvements by adding support for exponent notation using the capital E to specify image dimensions. We’ve prepared a code example to demonstrate this which you can find linked below.

There’s also a nice change for our AGPL users. If a license file is not provided for Core, it assumes AGPL usage and so occasionally a message is printed to stdout as a reminder. However, if you’re happy that you’re in compliance with the AGPL requirements then seeing this message might become a little annoying after a while. If this is the case, you’ll be pleased to learn that you can disable it, see the example linked below to learn more.

Improvements

• Android Support
• Save XMP metadata in canonical format for PDF/A documents
• Implement Pdf Type 2 function (Exponential Interpolation) Functions
• Implement Pdf Type 3 (Stitching) Functions
• Indirect ref in PdfStream issues: implement the first solution mentioned during the refinement
• Update several 3rd party dependencies to their most recent version

Bugs

• SVG: support exponent notation for numbers with capital E
• Fix NPE on CopyPagesTo
• Issue with flushing PDF stream with indirect reference in /Filter
• Fix infinite loop when reading a PdfDocument
• Fix the NPE which is thrown when table cell content is clipped

iText Core/Community 7.2.2

It's already Q2 of 2022, and so we're pleased to announce the release of iText Core 7.2.2. Your favorite PDF library for Java and .NET (and more!)

We've updated some dependencies such as Bouncy Castle to 1.70, Log4j to 1.7.33, and Logback to 1.2.10.

We've made some improvements to iText's parsing logic for PDF cross-reference structures. This was to prevent the potential for a PDF's structure to be maliciously created to cause infinite loops or other issues.

We've also fixed a bug relating to CFF font parsing. As noted in the specification, CFF is a font format which was developed by Adobe to act as a compact container for one or more fonts by using lossless compression. In cases when a font's CID does not correspond to its GID, iText could incorrectly read its cmap values resulting in incorrect glyphs being displayed in PDF viewers. To address this, the font parsing logic has been rewritten to account for fonts where the glyph IDs do not match the CIDs, and will now handle them in the correct and expected manner.

This release also addresses two CVE issues (CVE-2022-24196, and CVE-2022-24197) which were disclosed. See the Changelog or the linked issues for more details.

Improvements

• Updated some Java dependencies (Bouncy Castle 1.70, Logback 1.2.10, slf4j 1.7.33)

Bugs

• Fixed CFF font-parsing logic
• CVE fixes
  CVE-2022-24196 - out-of-memory error via the component readStreamBytesRaw
  CVE-2022-24197 - stack-based buffer overflow via the component ByteBuffer.append

iText Core/Community 7.2.1

iText Core 7.2.1 is the latest release of your favorite PDF library for Java and .NET (and more!), and the first scheduled maintenance release for iText 7.2. It brings further improvements for SVG conversion, supporting default values for the d attribute of the path tag and improving PDF output, which in previous versions could be rendered incorrectly by some PDF viewers, such as Safari and View (macOS), and Documents (iOS). As usual, pdfHTML also benefits from any SVG handling changes.

As for PDF merging functionality, we should note more intelligent outline handling, which is no longer as strict and can fix some syntax mistakes in the Outlines hierarchy. For instance, absence of the parent attribute which is mandatory in the PDF specification is not an issue anymore.

We'd also like to thank the iText community for its contributions, specifically; realityone, with a really important and impactful fix for incompatibility with PDF standards in our codebase and kohler, whose PR helped us a lot in our efforts to process PDF outlines better. We are happy to see that after 21 years there is still so much interest in improving the iText library.

You can also expect other changes such as a number of bug fixes, plus some significant improvements to the codebase.

Improvements

• SVG: Support default value for 'd" attribute
• Process Outlines using explicit hierarchy
• Support of copying empty tags

Bugs

• Outlines structure parsing: infinite loop while merging with outlines
• SVG. Support of q/Q Operators inside BT/ET text block/object
• Set PubKeySecurityHandler output stream with DER encoding format
• OcgPropertiesCopier: StackOverflowError when merging documents with OCGs if a resource has cycle reference

iText Core/Community 7.1.17

The iText 7.1.17 release is a maintenance release with a security bug fix for a vulnerability that allowed the use of GhostScript in an unpredictable manner.
At the same time, we are also releasing iText 7.2.0, the next major version of iText. In addition to this bug fix, 7.2.0 contains a great deal of other improvements.

Bugs

• Security bugfix for vulnerability in GhostScript

iText Core/Community 7.2.0

We are pleased to announce the next major version of iText 7; iText 7.2.0.

The most important change in this release of iText 7 is the new Unified License Mechanism, where we can have independent licenses for iText 7 Core, iText 7 add-ons and other products, send statistics to the server, allow users to easily check used volume, and more. As you might guess from the name, the Unified License Mechanism affects the entire iText 7 Suite, so please also check out the iText add-ons which have received updates along with this release.

As this is a major release, please note that we have removed deprecated and redundant methods from the API. This will allow us to better maintain the code and more easily add new functionality in the future.

As a next step for wider SVG support in future releases, we have upgraded to a newer version of the jsoup HTML parser, which iText 7 uses for SVG processing. This version of jsoup (1.14.1), brings a number of security and stability fixes, in addition to its improved SVG support. Probably the most immediate expected improvement resulting from this upgrade is that SVG tags will now be correctly processed in a case-sensitive manner, as per the specification.

Separately, it should be noted that this release contains a security bug fix for a vulnerability that allowed the use of GhostScript in an unpredictable manner.

As for the rest of the changes, 7.2 brings a number of bugfixes, plus some significant improvements to the codebase. Some of these may not yet be visible but will have an important effect on the further development of the iText 7 Suite, its security, and performance.

Breaking Changes

• Removed deprecated methods from API

New Features

• Unified License Mechanism
• Introduce interface of typography logic and stub implementation at the layout level

Improvements

• Case insensitive SVG tags
• Jsoup 1.14.1
• Throw specific errors when Outline Dictionary breaks PDF specs rules

Bugs

• Streams remain open in case of exception in PdfDocument/PdfReader constructors
• PdfPageFormCopier. multiple widget source field can`t be added to AcroForm when there is a name conflict.
• Infinity loop in ParagraphRenderer
• Prevent empty producer line logic
• No list symbol indention for "Right to left" text
• Layout: Cell with big rowspan causes infinite loop

iText Core/Community 7.1.16

The iText Core 7.1.16 release is already our third release for 2021 and it brings a few important improvements, making our SDK even more flexible, customizable and productive.
We continue to improve the SVG support in iText. For this release we made the TextLeafSvgNodeRenderer class easily extendable, so you can implement your own conversion logic. This can be beneficial for processing complicated SVG images and make code clearer.
Another important improvement in this release is refactoring the PdfSigner class responsible for digital signatures. Specifically, the customization of a signature's appearance has been significantly simplified. This is implicitly related to SVG support, as from now on using SVG images for a signature's appearance will not require so much effort on the part of developers.
As for performance improvements, we should note the parsing of Metadata has been optimized, and the fixing of a couple of bugs that could cause deadlocks and memory leaks.
Besides that, support of non-encrypted PDF files with encrypted attachments, and ICCBased colorspaces has been added.

Features

• SVG. Customizable TextLeafSvgNodeRenderer
• Support for encryption embedded files only

Improvements

• Improve Bezier curve approximation for rounded borders
• Improve performance of Metadata parsing
• Support ICCBased color space
• Refactor preClose() in PdfSigner

Bugs

• Streams remain open when Exception thrown
• Support Type3 fonts extraction, when glyphs have non-standard names