BouncyCastle gets error 'public key presented not for certificate signature' for retrieved ECPublicKey

Question

I am trying to use BouncyCastle library for generating X509Certificate in a .Net application, meanwhile i want to use keys stored in HSM. My solution is generating EC key-pair in HSM, returning ECPoint and key lable to .Net application, and regenerate an elliptic key for signature generation.

After generating elliptic key, While checking its validity i got this error: UnManagedException: Public key presented not for certificate signature. This is the part of code from which Error raises:

X509Certificate rootCertificate = new X509Certificate (
            new X509CertificateStructure (
                 TBS_Structure, 
                 AlgorithmID, 
                 new BitDERString(signature));
rootCertificate.Verify(PublicKeyParam);

PublicKeyParam is RSAKeyParameter and rebuilt based on Exponent and Modolus extracted from the library which made key on HSM (and returned key parameters). rootCertificate's algorithm is SHA256WithRSAandMGF1.

Answer 1

The problem is that for X509 certificates, elliptic key-point with separated r and s parts are required. The key-point which PKCS11Interop returns from HSM is a concatenated byte[] of r and s. So you should break it into two byte[] and use following code instead of signature in new BitDERString(signature):

new DerSequence(
    new DerInteger(new BigInteger(1, signature.Take(len/2).ToArray())),
    new DerInteger(new BigInteger(1, signature.Skip(len/2).ToArray()))
         ).GetDerEncodded()

This issue was explained in this question unintentionally but i couldn't get the point.