[I] Bouncy Castle Fips provider 2.0.0 usage with MINA SSHD v2.0.15 can cause class not found exception for Ed25519 support [mina-sshd]

via GitHub Mon, 01 Dec 2025 04:06:57 -0800


itaisegev opened a new issue, #856:
URL: https://github.com/apache/mina-sshd/issues/856


   ### Version
   
   2.15.0
   
   ### Bug description
   
   Hi.
   
   When using BC-FIPS provider 2.0.0 and MINA SSHD v2.0.15.
   BC-FIPS 2.0.0 seems to supports  Ed25519 (bc-fips 1.0.0 doesn't) but 
**org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityProviderRegistrar.java**
 tries to import
   "org/bouncycastle.crypto.params.AsymmetricKeyParameter"
   which is the right path in bcprov jars, but in bc-fips i found this class in 
   **"org.bouncycastle.crypto.internal.params.AsymmetricKeyParameter.java"**
   
   There are more wrong imports from BC-FIPS perspective like 
org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters; that in bc-fips is 
at "org.bouncycastle.crypto.general.Ed25519PrivateKeyParameters.java".
   
   The result is "class not found exception" for AsymmetricKeyParameter.java 
every time I am trying to use the SSHD-SCP lib for scp connections. (I didn't 
see this import but somehow used when BouncyCastleEdDSASupport is used.
   
   **Note 1**: WA that i'm using is to pull the "net.i2p.crypto eddsa" artifact 
as appears in the optional maven dependency in the SSHD common pom.xml
   BouncyCastleEdDSASupport is not used then and issue is averted..
   
   **Note 2**: in BouncyCastleSecurityProviderRegistrar:: isSupported method i 
do see some comment about BC-FIPS: "
                   // Apache MINA sshd assumes that if we can get at the 
provider class, we can also get any other class we
                   // need. However, and BC-based optional stuff should 
actually check if it does have the concrete
                   // classes it needs accessible. The FIPS version has only a 
subset of the full BC. "
   
   Which seems to hint about potential issues..
   
   **Note 3**: I understand that with java 15+ this shouldn't be an issue 
anymore but some projects are still using old java (hopefully we will get to 
newer versions soon..)
   
   ### Actual behavior
   
   Getting class not found exceptio 
   
   ### Expected behavior
   
   SCP connection to pass using Mina SSHD client
   
   ### Relevant log output
   
   ```Shell
   Caused by: java.lang.NoClassDefFoundError: 
org/bouncycastle/crypto/params/AsymmetricKeyParameter
        at 
org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityProviderRegistrar.getEdDSASupport(BouncyCastleSecurityProviderRegistrar.java:190)
 ~[sshd-common-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.common.util.security.SecurityUtils.getEdDSASupport(SecurityUtils.java:637)
 ~[sshd-common-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.common.util.security.SecurityUtils.isEDDSACurveSupported(SecurityUtils.java:612)
 ~[sshd-common-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.common.signature.BuiltinSignatures$17.isSupported(BuiltinSignatures.java:251)
 ~[sshd-common-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.common.NamedFactory.lambda$setUpBuiltinFactories$1(NamedFactory.java:80)
 ~[sshd-common-2.15.0.jar:2.15.0]
        at 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) 
~[?:1.8.0_242]
        at 
java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) 
~[?:1.8.0_242]
        at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) 
~[?:1.8.0_242]
        at 
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) 
~[?:1.8.0_242]
        at 
java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) 
~[?:1.8.0_242]
        at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) 
~[?:1.8.0_242]
        at 
java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) 
~[?:1.8.0_242]
        at 
org.apache.sshd.common.NamedFactory.setUpBuiltinFactories(NamedFactory.java:81) 
~[sshd-common-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.client.ClientBuilder.setUpDefaultSignatureFactories(ClientBuilder.java:175)
 ~[sshd-core-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.client.ClientBuilder.fillWithDefaultValues(ClientBuilder.java:117)
 ~[sshd-core-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.client.ClientBuilder.fillWithDefaultValues(ClientBuilder.java:56)
 ~[sshd-core-2.15.0.jar:2.15.0]
        at org.apache.sshd.common.BaseBuilder.build(BaseBuilder.java:278) 
~[sshd-core-2.15.0.jar:2.15.0]
        at org.apache.sshd.client.ClientBuilder.build(ClientBuilder.java:165) 
~[sshd-core-2.15.0.jar:2.15.0]
        at org.apache.sshd.client.ClientBuilder.build(ClientBuilder.java:56) 
~[sshd-core-2.15.0.jar:2.15.0]
        at org.apache.sshd.common.BaseBuilder.build(BaseBuilder.java:302) 
~[sshd-core-2.15.0.jar:2.15.0]
        at 
org.apache.sshd.client.SshClient.setUpDefaultClient(SshClient.java:1014) 
~[sshd-core-2.15.0.jar:2.15.0]
   ```
   
   ### Other information
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[I] Bouncy Castle Fips provider 2.0.0 usage with MINA SSHD v2.0.15 can cause class not found exception for Ed25519 support [mina-sshd]

Reply via email to