SignDoc SDK

This topic lists issues that are resolved in SignDoc SDK.

Improved handling of invalid text field attributes

SignDoc SDK now uses Helvetica if the font in the DA entry of an annotation is unusable. For instance, this happens if the resource name passed to the Tf operator in DA does not exist in the Font dictionary in the DR dictionary in the interactive form dictionary.

Windows Server: do not persist private keys from PKCS #12 blobs on disk

On Windows Server, PFXImportCertStore() persists the extracted private key on disk. As a consequence, Windows created a new file in the directory C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 (or similar) for each invocation of SignDocDocument.addSignature() with a private key coming from a PKCS #12 blob. SignDoc SDK no longer uses PFXImportCertStore(). CleanPKCS12.exe, which is available from CleanPKCS12.txt, has been added for deleting those files.

Set the M entry for CAdES signatures even if a time-stamp server is used

The M entry of the signature dictionary is mandatory for PAdES-LTA even if the CMS signature contains a timestamp token as an unsigned signatureTimeStampToken attribute.

Improved handling of invalid number trees and name trees

Ignore any Limits entry in the root node of number trees and name trees. Remove that entry when modifying a number tree or a name tree.

Improved handling of invalid documents

flattenAnnotations(), flattenField(), and flattenFields() now support improved handling for invalid documents. If the annotation dictionary doesn't have a P entry, the page is found by traversing the page tree, looking for an Annots entry that has an element pointing to the annotation dictionary.
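The fallback lookup described above, sketched as an added example (not SignDoc SDK code). It assumes a toy object model in which indirect objects live in a dict keyed by object number and references are plain integers; the function name and the sample document are constructed for illustration.

```python
# Added example: a toy model of PDF indirect objects, not SignDoc SDK code.
# Objects live in a dict keyed by object number; references are plain ints.

def find_page_for_annotation(objects, pages_root, annot_ref):
    """Return the object number of the page owning annot_ref, or None."""
    annot = objects.get(annot_ref, {})
    if "P" in annot:                      # P present: no fallback needed
        return annot["P"]
    visited = set()                       # guards against cyclic Kids arrays
    stack = [pages_root]
    while stack:
        ref = stack.pop()
        if ref in visited:
            continue
        visited.add(ref)
        node = objects.get(ref)
        if not isinstance(node, dict):    # dangling or non-dictionary reference
            continue
        if node.get("Type") == "Pages":
            kids = node.get("Kids", [])
            if isinstance(kids, list):
                stack.extend(reversed(kids))   # visit kids in document order
        elif node.get("Type") == "Page":
            annots = node.get("Annots", [])
            if isinstance(annots, list) and annot_ref in annots:
                return ref
    return None

# Constructed sample document with the defects an invalid file may carry.
SAMPLE = {
    1: {"Type": "Pages", "Kids": [2, 3, 99]},   # 99 is a dangling reference
    2: {"Type": "Page", "Annots": [10]},
    3: {"Type": "Pages", "Kids": [4, 1]},       # 1 points back up: a cycle
    4: {"Type": "Page", "Annots": [11, 12]},
    10: {"Subtype": "Widget", "P": 2},
    11: {"Subtype": "Widget"},                  # no P entry
    12: {"Subtype": "Widget"},                  # no P entry
    13: {"Subtype": "Widget"},                  # no P entry, listed on no page
}

if __name__ == "__main__":
    for ref in (10, 11, 13):
        print(ref, "->", find_page_for_annotation(SAMPLE, 1, ref))
```

The visited set is what keeps the traversal finite on a page tree whose Kids arrays form a loop, which is the kind of input this fallback exists for.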

Use DSS for verifying time stamps

SignDocDocument.verifySignature() did not use the Document Security Store (DSS), if present, of the PDF document for verifying time stamps, causing offline verification of time stamps to fail. The DSS was used only for verifying the signature itself.

getSignatureCount() and getSignature() always use backing store

SignDocDocument.getSignatureCount() and SignDocDocument.getSignature() now always use the file or blob the document was most recently loaded from or saved to, ignoring unsaved changes in memory. Please do not save the document between calling SignDocDocument.getSignatureCount() and calling SignDocDocument.getSignature().

Issue with parsing SignerInfo

1599536: Parsing SignerInfo failed if both SigningCertificate and SigningCertificatev2 attributes were present.

Fixed HTTP to HTTPS redirection

1560464: Redirection from an http:// URL to an https:// URL for OCSP, CRL download, and RFC 3161 time stamps now works correctly.

Avoid abend for invalid number tree

1586530: Avoid dereferencing a null pointer when trying to construct an error message for an invalid number tree.

Use sanitized document size for rendering

1511462: Ensure that SignDocDocument.renderPageAsImage() uses the same data as the signature verification does, preventing attackers from making the document look different from how it looked when it was signed.

Succeed in more situations if f_fail_for_broken_target_structure is not set

1587423: If the new structure element for the new text, image, or annotation cannot be inserted into the structure tree because the structure tree is not valid, SignDoc SDK will leave the structure tree as it is, without inserting the new structure element. However, if the flag SignDocDocument.f_fail_for_broken_target_structure is set, the operation will fail without modifying the document.

Issue with matchImage match parameter null

1496377: When comparing two signatures using SignDoc SDK, it is allowed to set the match parameter to null. The null value will prevent a successful completion of the comparison.