While trying to verify a signature persisted in a database as a String, I get this exception:

```
java.security.SignatureException: error decoding signature bytes.
    at org.bouncycastle.jcajce.provider.asymmetric.util.DSABase.engineVerify(Unknown Source)
    at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1245)
    at java.base/java.security.Signature.verify(Signature.java:674)
    at SignCheck.ValidateSignature(SignCheck.java:65)
    at SignCheck.main(SignCheck.java:26)
```

What am I doing wrong? This is the simplified application:

```java
String signature = "308194024802ce15a95958817cf7ac8086332d0eb7e5a7faed71c225845251514ddf3ca56246498169a27a814f62f457a4336338e9931e4b12dda0e8cf221f83c4a33c31c907a4b3520d0c3c3b0248012801b7f51e810165762ff2848752cefb4dcef1e862d9783740d40d6436e7b45c151bce9ea19c2dce205351115cb3b753af611fdc8dfc19ac11e49f29d81c1699e9f38cdb1ba45d";
String stringToCheck = "CCCCBBBBTue Oct 23 15:26:02 CEST 2018";
String publicKey = "3081a7301006072a8648ce3d020106052b81040027038192000406dbfdc0ccf5cc8230b773b4c21059c3c47e2e832a962a0015f9f440cccc80ca1d4af9f3e39f96dffcd09f6015373e4373a764c2aadac8db8db62e28196a7f7a6cacb971f0cfee570292eb0c8c78b14054ce5b7e85f616b10571044dcfad51c271f09746577aa6068f94d395533f2a8f723a112e72962117fef2e5c6ce4b32d8217a86e96ddec7f8241d4b30941b8f78";

try {
    Security.addProvider(new BouncyCastleProvider());
    Signature ecdsaVerify = Signature.getInstance("SHA256withECDSA", "BC");

    KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC");
    PublicKey pub = fact.generatePublic(new X509EncodedKeySpec(Hex.decode(publicKey)));
    ecdsaVerify.initVerify(pub);

    ecdsaVerify.update(stringToCheck.getBytes("UTF-8"));
    boolean result = ecdsaVerify.verify(signature.getBytes());

    return result;
} catch (InvalidKeySpecException | NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException | UnsupportedEncodingException | SignatureException e) {
    e.printStackTrace();
    System.out.println("FALSIFICATION DETECTED!");
}
```
Andrea T

1 Answer

The signature that you're trying to verify is in hex format, and .getBytes() doesn't do what you expect it to do. You need to convert the signature hex string into a byte[] and then validate with this result in ecdsaVerify.verify(signatureBytes), where signatureBytes is Hex.decode(signature).

Sudheesh Singanamalla
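An added example (not part of the question's or the answer's code) that runs both calls side by side: verifying the hex-decoded signature, and verifying the raw `getBytes()` of the hex text. It assumes Java 17+ for `java.util.HexFormat` and uses the JDK's default EC provider with a freshly generated secp256r1 key instead of BouncyCastle and the question's key; the class name `HexSignatureDemo` and the method `verifyHex` are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.HexFormat;

// Added example: JDK EC provider and a freshly generated secp256r1 key
// (constructed here), not the key or signature from the question. Java 17+.
public class HexSignatureDemo {
    // Verify a signature stored as hex text (e.g. a database column).
    static boolean verifyHex(PublicKey pub, String message, String signatureHex)
            throws GeneralSecurityException {
        byte[] der;
        try {
            der = HexFormat.of().parseHex(signatureHex); // hex text -> DER bytes
        } catch (IllegalArgumentException e) {
            return false; // odd length or non-hex characters
        }
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pub);
        verifier.update(message.getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(der);
        } catch (SignatureException e) {
            return false; // not a well-formed DER-encoded ECDSA signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        String message = "constructed sample message";
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(message.getBytes(StandardCharsets.UTF_8));
        String stored = HexFormat.of().formatHex(signer.sign()); // value kept in the database
        // Decoding the hex text restores the DER bytes, so verification succeeds.
        System.out.println("hex-decoded: " + verifyHex(kp.getPublic(), message, stored));
        // The question's call: getBytes() returns the character codes of the hex digits.
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(kp.getPublic());
        v.update(message.getBytes(StandardCharsets.UTF_8));
        try {
            System.out.println("getBytes(): " + v.verify(stored.getBytes(StandardCharsets.US_ASCII)));
        } catch (SignatureException e) {
            System.out.println("getBytes(): SignatureException: " + e.getMessage());
        }
    }
}
```

The stored hex text begins with the character `3` (byte 0x33), while a DER-encoded ECDSA signature must begin with the SEQUENCE tag 0x30, which is why the raw `getBytes()` input is rejected as undecodable before any signature check takes place.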