If we use Windows CryptoAPI to encrypt plaintext with RSA to get ciphertext, the Java BadPaddingException exception happens when we use Java Security to decrypt the ciphertext with RSA.
We suppose that it is padding problem between Java Security and Windows CryptoAPI, but Windows CryptoAPI default uses PKCS1Padding in RSA, and our Java program uses Cipher.getInstance("RSA/ECB/PKCS1Padding"). Therefore both padding algorithms are same. Where is the problem?
The problem is, ciphertext encrypted by Windows CryptoAPI is little-endian, but Java Security consider ciphertext is big-endian. We can reverse ciphertext before calling RSA decrypt of Java Security.