Java Crypto - Sign and Verify Failure

I am attempting to sign and then verify a message using a secp256r1 key pair, but I am getting an exception during the verify operation.  I have a feeling that it may be related to the particular curve that I am using.

Any clues where I can look to troubleshoot this problem?

public class CryptoServiceTest { private static final byte[] message = ByteUtilities.toByteArray("0123456789ABCDEF0011223344"); @ConfigProperty(name = "pki.smdp.auth.pkcs12.name") String authKeystoreName; @ConfigProperty(name = "pki.smdp.auth.pkcs12.pass") String authKeystorePassword; @ConfigProperty(name = "pki.smdp.auth.pkcs12.alias") String authKeystoreAlias; @Test public void signAndVerifyPoc() throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, UnrecoverableEntryException, KeyStoreException, CertificateException, IOException { KeyStore dpauthKeystore = KeyStore.getInstance("PKCS12"); InputStream fis = KeyStoreManager.class.getResourceAsStream(authKeystoreName); dpauthKeystore.load(fis, authKeystorePassword.toCharArray()); // certificate Certificate authCertificate = dpauthKeystore.getCertificate(authKeystoreAlias); // public key ECPublicKey authPublicKey = (ECPublicKey) authCertificate.getPublicKey(); // private key KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(authKeystorePassword.toCharArray()); KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) (dpauthKeystore.getEntry(authKeystoreAlias, protParam)); ECPrivateKey authPrivateKey = (ECPrivateKey) privateKeyEntry.getPrivateKey(); // algorithm - should be derived from certificate String algorithm = "SHA256withECDSA"; // sign Signature signSig = Signature.getInstance(algorithm); signSig.initSign(authPrivateKey); signSig.update(message); byte[] messageSignature = signSig.sign(); System.out.println("Signature: " + ByteUtilities.toHexString(messageSignature)); // verify Signature verifySig = Signature.getInstance(algorithm); verifySig.initVerify(authPublicKey); verifySig.update(message); boolean ok = verifySig.verify(message);  // ** exception thrown here ** System.out.println("Verification OK?: " + ok); } }Signature: 3045022100A4568657332BE0BA59753BA31DE68C14F7E134E622   1C4D96671538F3AA43F1D402204CA288BC7BF85BCDC611A6708B   FB61DB875954E013B2E4B5ABB849021E393218 java.security.SignatureException: Could not verify signature Caused by: java.security.SignatureException: Invalid encoding for signature Caused by: java.io.IOException: Sequence tag error

Doh - I was trying to verify against the message itself and not the signature

The message Invalid encoding for signature should have been enough of a clue.


This: boolean ok = verifySig.verify(message);should be:boolean ok = verifySig.verify(messageSignature);

One other thing: There is a reason that KeyStore.load() accepts the password as a char[] and not as a String. After you've loaded the key store, you should clear the password.

You're using Quarkus right? Instead of injecting the password using @ConfigProperty, try if this works:
char[] authKeystorePassword = ConfigProvider.getConfig().getValue("pki.smdp.auth.pkcs12.pass", char[].class); try {  dpauthKeystore.load(fis, authKeystorePassword); } finally {  Arrays.fill(authKeystorePassword, (char) 0); }
If this doesn't work it's no disaster, because presumably you're running this code on a protected server (where the password is available in a configuration file anyway).