How to connect PDF annotations with signatures while validation?

Question

I'm trying to validate a pades signature, but with warnings, like in adobe reader (There have been subsequent changes...). I can validate integrity of signature, but how to check if annotation has been added after signing the document? I can list Annotations from pdf, like:

/Annots[8 0 R 27 0 R 41 0 R]

It shows: Signature (8 0 R), Annotation (27 0 R), and another Signature (41 0 R).

If I understand it right, sequence of first numbers (8, 27, 41) represents the order in which they were placed in pdf. Or maybe I'm wrong? If it is true, how to get annotations values and their properties?

Answer 1

Please check my book on digital signatures in PDF. Figure 2.20 shows what a PDF looks like when it's signed multiple times:

Taking your example, it could very well be that revision 1 contains the following annotation:

/Annots[8 0 R]

Whereas revision 2 contains:

/Annots[8 0 R 27 0 R]

And revision 3 contains:

/Annots[8 0 R 27 0 R 41 0 R]

In answer to your question: is that the order in which they were placed in the PDF: that probably won't always be the case (PDF is a rather special format), but your guess is a safe assumption.

You want to detect which annotations were added before or after which signature. To achieve this, you have to extract the different revisions of each PDF.

A PDF always ends with %%EOF and each new signature adds data after that %%EOF. Going back to the previous revision means taking away the bytes at the end of the file until you reach the next %%EOF.

If you want to do this using iText, you'll find some examples in my book.