How can I validate Vault signatures offline?

I have a Vault signature (and its original plaintext) that I’d like to verify offline, in my Java program. Since Vault has given me the public key, this should be possible, right?

I’m trying to use Bouncy Castle to verify the signature. I know from the API docs that Transit defaults to PSS, but haven’t had any luck with the “verify” so far. Perhaps one of my PSS signature parameters is incorrect?

Here’s how I’m implementing things in Java (Kotlin) at the moment:

fun testVerify(checksumChallenge: String, vaultSig: String) : Boolean
{
val pubByteKey = Base64.getDecoder().decode("MIIBIjANB...")
val pubKey = X509EncodedKeySpec(pubByteKey)
val publicKey = KeyFactory.getInstance("RSA").generatePublic(pubKey)
val strippedPrefixString = vaultSig.substring(9)

// begin: PSS verify
val publicSignature = Signature.getInstance("SHA256withRSA/PSS");
publicSignature.setParameter(PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1))
publicSignature.initVerify(publicKey)
publicSignature.update(checksumChallenge.toByteArray())

val result =  publicSignature.verify(strippedPrefixString.toByteArray())
//end: PSS verify
return result
}

Any thoughts?