With Bouncy Castle added as a provider, the following piece of code:

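    import java.security.GeneralSecurityException;
    import java.security.PublicKey;
    import java.security.cert.X509Certificate;

    // LOG is the enclosing class's logger, defined elsewhere.
    private static boolean isSelfSigned(final X509Certificate cert) {
        try {
            final PublicKey key = cert.getPublicKey();
            // Verify the certificate's signature against its own public key.
            cert.verify(key);
            return true;
        } catch (final RuntimeException re) {
            LOG.warn(re, "isSelfSigned: error.");
            return false;
        } catch (final GeneralSecurityException gse) {
            LOG.warn(gse, "isSelfSigned: error.");
            return false;
        }
    }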

results in the following two errors, depending on the implementation class of cert:

    java.security.InvalidKeyException: Supplied key (org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey) is not a RSAPublicKey instance

or

    java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPublicKeyImpl) is not a RSAPublicKey instance

Does Bouncy Castle not support verifying EC-signed certificates? There don't appear to be any parameters where I can indicate the keys are not RSA. How do I verify an EC-signed certificate using Bouncy Castle?

Michael Gantz

1 Answer

This was a misunderstanding on my part. The check fails because the certificate does in fact have an EC key, but the parent certificate has an RSA key.

Michael Gantz
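The situation described in the answer, as an added example that is not the poster's code: a self-signed check that compares subject and issuer before calling `verify()`, treats a key-type mismatch as "not signed by this key", and prints the subject key algorithm next to the signature algorithm so an EC certificate signed by an RSA parent is visible at a glance. It goes slightly beyond the question by also verifying against a supplied issuer certificate. The class name, helper names and the PEM file arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class SelfSignedCheck {

    /** True only if subject equals issuer AND the signature verifies under the certificate's own key. */
    static boolean isSelfSigned(X509Certificate cert) throws GeneralSecurityException {
        // A certificate issued by a different CA cannot be self-signed; skip verify() entirely.
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        return isSignedBy(cert, cert);
    }

    /** True if cert's signature verifies under signer's public key. */
    static boolean isSignedBy(X509Certificate cert, X509Certificate signer) throws GeneralSecurityException {
        try {
            cert.verify(signer.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            // Wrong key type for the signature algorithm, or the signature does not match.
            return false;
        }
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java SelfSignedCheck leaf.pem [issuer.pem]   (file names are placeholders)
    public static void main(String[] args) throws Exception {
        X509Certificate cert = load(args[0]);
        // The signature algorithm reflects the issuer's key type, not the subject's.
        System.out.println("subject key algorithm: " + cert.getPublicKey().getAlgorithm());
        System.out.println("signature algorithm:   " + cert.getSigAlgName());
        System.out.println("self-signed:           " + isSelfSigned(cert));
        if (args.length > 1) {
            System.out.println("signed by issuer:      " + isSignedBy(cert, load(args[1])));
        }
    }
}
```

For the certificate in the question, the first two lines would show `EC` against an RSA signature algorithm such as `SHA256withRSA`, which is the mismatch behind the `InvalidKeyException`.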