So far, dirtyfilthy and I are using practically the same code for decoding public keys, generating key pairs, signing with private keys, and verifying signatures.  Here is the code: http://bitcointalk.org/index.php?topic=2957.msg41493#msg41493

But after finally making sure that I'm giving everything the correct data, getting the correct hashes, cross-checking it all with the data and hashes generated by the official bitcoin client, etc., our signature verification still isn't working.  It could either be that I'm not converting the bytes of the key to an ECPublicKey object correctly, or (what I think is slightly more likely) that I'm not using the right code for signature verification.  I don't know anything about BouncyCastle (and can't find much in the way of documentation outside of the partial Javadocs) or about the low-level details of ECDSA (or public key crypto in general), which makes it much harder to even know where to look.

And I still haven't even tried to generate key pairs or create new transactions to see if the official Bitcoin client verifies them correctly, yet, so I don't know if that code is ok or not, either.

Is there anyone with any Bitcoin and BouncyCastle experience that can help with this?

Thanks

Here's what I would suggest. Create a new key pair in your code. Hash and sign something like 'abc'. Then see if you can verify the signature. If it works, publish the key and signature here. I can try to verify the sig with OpenSSL. I was successful at verifying a Bitcoin signature, so this might reveal differences in the two libraries.

Well my attempt to verify that sig in openssl failed, it didn't verify. That's no surprise since the two methods also disagreed about the validity of the bitcoin sig. I hoped I'd see something wrong in the data structures, but I didn't. Your pubkey is a valid EC point on the secp256k1 curve. The signature appears to be properly formatted.

I'll see if I can think of anything else...

Bitcoin uses a raw format that is not DER encoded, what code are you using to pump out that key? you want to use pubkey.encode() to get the DER version.

Signatures are DER encoded in Bitcoin, and your signature above is in the same format. 30 is a sequence of values, in this case the two ECDSA components, called r and s. 46 is the length of the sequence. Then 02 means integer, 21 is the length, followed by 0x21 bytes which is the r value. Then there's another 02 and length for the s value. If the high bit of r or s is set, they get 00 prepended so it's clear they're positive. Bitcoin sigs have exactly the same format as you can see in any blockexplorer.com dump.

Good to hear you have it figured out. I guess that explains the difference ... I didn't use JCE so I never had to specify that magic string.

Next up, successfully receive and send some coins with your implementation

Yes.

There are a lot of choices like "SHA1withECDSA", "SHA256withECDSA", etc., and I'm guessing it's using one of these by default when signing and verifying, so we need "NONEwithECDSA" when signing and verifying.