I am trying to use BouncyCastle library for generating X509Certificate in a .Net application, meanwhile i want to use keys stored in HSM.
My solution is generating EC key-pair in HSM, returning ECPoint and key lable to .Net application, and regenerate an elliptic key for signature generation.
After generating elliptic key, While checking its validity i got this error: UnManagedException: Public key presented not for certificate signature. This is the part of code from which Error raises:
X509Certificate rootCertificate = new X509Certificate (
new X509CertificateStructure (
TBS_Structure,
AlgorithmID,
new BitDERString(signature));
rootCertificate.Verify(PublicKeyParam);
PublicKeyParam is RSAKeyParameter and rebuilt based on Exponent and Modolus extracted from the library which made key on HSM (and returned key parameters). rootCertificate's algorithm is SHA256WithRSAandMGF1.
The problem is that for X509 certificates, elliptic key-point with separated r and s parts are required. The key-point which PKCS11Interop returns from HSM is a concatenated byte[] of r and s. So you should break it into two byte[] and use following code instead of signature in new BitDERString(signature):
new DerSequence(
new DerInteger(new BigInteger(1, signature.Take(len/2).ToArray())),
new DerInteger(new BigInteger(1, signature.Skip(len/2).ToArray()))
).GetDerEncodded()
This issue was explained in this question unintentionally but i couldn't get the point.