Decrypt message using RSA with password private key using pem file in C#

Question

I'm trying to decode the HelloWorks callback signature to add security to an endpoint. As it stays in the documentation I need to generate a private key using the following openssl command:

openssl genrsa -des3 -out helloworks.pem 4096

and then make the public key:

openssl rsa -in helloworks.pem -outform PEM -pubout -out public.pem

I have created both keys and configured it. Now I need to decode base64 the X-Helloworks-Signature sent by them, then decrypt the result using the private key.

I have been trying several ways to do this in C# but with no luck. One approach that I have done using BouncyCastle library is:

        var signature = mvcContext.HttpContext.Request.Headers["X-Helloworks-Signature"];

        var url = mvcContext.HttpContext.Request.Path.Value;

        var bytesToDecrypt = Convert.FromBase64String(signature);

        AsymmetricCipherKeyPair keyPair;

        var pemPath = Path.Combine(env.ContentRootPath, "./helloworks.pem");
        using (var reader = File.OpenText(pemPath))
            keyPair = (AsymmetricCipherKeyPair)new PemReader(reader, new PasswordFinder("password")).ReadObject();

        var decryptEngine = new Pkcs1Encoding(new RsaEngine());
        decryptEngine.Init(false, keyPair.Private);

        var decryptedToken = Encoding.UTF8.GetString(decryptEngine.ProcessBlock(bytesToDecrypt, 0, bytesToDecrypt.Length));

But it always throws the same exception message:

Org.BouncyCastle.Crypto.DataLengthException: 'input too large for RSA cipher.'

I have been trying other approaches that I have found here in SO and the web but no luck.

How can I use the private key pem file to decrypt the signature in C#, specifically .Net Core 2?

Update 1

An example of the signature is:

X-Helloworks-Signature: bGNTNUVOZ0w5akx4U1VXUTFrcHQ0ZmZSZU1KQnNpbDhwVDFGVllSMzF5aVdtQkZOcTRMTFNrY2FmV3o5aFZJVk5rbmVRUEdydTZLZ1BHQ1dCdkFYVVRMWUs1bUYxSXplam5mZVEwVFZvMjFZRS1rM0l4SDBkNU45clJDX1RYOVZPcThwUzI5V2pTd1k2d0kxaGQ0VXpiSkU2NERJaVljaWxCWkJwVVJhN0NRcGphbkxlZV8tZFMxQWtUbTdRUHdEVTZtVDNnc2ZPQkNiMFZMeUR2TGVtdmVTZldXZnVUOXg0NTRYSU1rZjE3elRvR0xHT29YeEpKWjk5LUcyc3VjWkk5NWpmRldvaGo0S2Z0dXV1SHMtMmpZajZuNXhpMFI5S0hmT2xNRkRwRlFtbEpUbG9TTURGREVPeDE3RjNoX1NXMk1RSUR2b2hGazBtTkstMk9OVHhHQ05tQXhuS1c5Nm9SN0N4QlJnQ2xyLXlvOXJTWXp2anNlVVhGZ0hqakYzZE8ybGhUdXFPV1A0NU9TaUVoY21zSHVMRnV0Zy10a0J5QTJLYTB2Yk1sNi1wMVlLR09QZVdMVm9QN0k5ellyWFdNRFl0S2dPaXZkSldEa1B0SmdvbVMwbU1DdWMyblBFUHFxUTEtQkdJMHNFdjNNWVFfYVNjeGJsZ2p2VHVZZzRmZy1VXzk3R0pON1ZsM1IwWllZSF9QU2syQll6LTN3Vjc3QjMxbGFjT3lWSU15WDVJdktKWXIwTXZMQ190cjIwZk9hZkx5c011eWpsSXV6Tl96Q2VHbkpfbkJiQnJYNXNyNmktZDB4UW9rc0JKSUtUZUNMR3dVWWEtVEJVUE5FeWplM09RT0NOYW02R242OEdLeDRZdTlzZDVNa1BCQ1B6NTI3aUhoYm9aLTg9

Answer 1

Thanks to James K Polk comment I ended doing the following method:

    private static byte[] Base64Decode(StringValues signature)
    {
        string incoming = signature.ToString().Replace('_', '/').Replace('-', '+');
        switch (signature.ToString().Length % 4)
        {
            case 2:
                incoming += "==";
                break;
            case 3:
                incoming += "=";
                break;
        }

        return Convert.FromBase64String(incoming);
    }

and modifying my code from:

var bytesToDecrypt = Convert.FromBase64String(signature);

to:

var decoded = Base64Decode(signature);
var text = Encoding.ASCII.GetString(decoded);
var bytesToDecrypt = Base64Decode(text);

I needed to decode two times the signature using the URL-safe version of base64 decoding.