Discussion:
[JSch-users] jsch-0.1.54.jar throws com.jcraft.jsch.JSchException: invalid privatekey
Erik Wasser
2016-11-04 21:20:03 UTC
Summary: Is there a known problem with SSH and RSA keys with 4096 bits?

Recently I noticed that using the SFTP plugin of my favorite editor
jedit wasn't working anymore. To make a long story short: I've drilled
down the problem to the library JSch (jsch-0.1.54.jar) and compiled one
of your examples:

I'm using the UserAuthPubKey.java
(http://www.jcraft.com/jsch/examples/UserAuthPubKey.java.html) example
with 2 different keys:

% ssh-keygen -lf ~/.ssh/id_rsa-2048
2048 SHA256:e8G+h4MsuUMZYUbk2jhk18FGQ88JNB/Lpxzpw/kfAeY ***@namm.de (RSA)

% ssh-keygen -lf ~/.ssh/id_rsa-4096
4096 SHA256:3M4Mx6KUodWqWfdVWOr0cavdapf8y+zIH3bXcl7umbo ***@namm.de (RSA)

The first one is working fine, the last one returns the following message,
thrown from the code snippet
    jsch.addIdentity(chooser.getSelectedFile().getAbsolutePath());
I've modified UserAuthPubKey.java a little bit to drill down the
JSchException. Here's the relevant part:

    if(returnVal == JFileChooser.APPROVE_OPTION) {
        System.out.println("You chose "+
            chooser.getSelectedFile().getAbsolutePath()+".");
        System.out.println("before jsch.addIdentity()");
        jsch.addIdentity(chooser.getSelectedFile().getAbsolutePath());
        System.out.println("after jsch.addIdentity()");
    }

Compiling (using the Oracle JDK 1.8.0_101):

% javac -classpath jsch.jar UserAuthPubKey.java

Starting and using the 2048 bit key:

% java -classpath jsch.jar:. UserAuthPubKey
You chose /home/brassel/.ssh/id_rsa-2048.
before jsch.addIdentity()
after jsch.addIdentity()
...Program goes on...

Starting and using the 4096 bit key:

% java -classpath jsch.jar:. UserAuthPubKey
You chose /home/brassel/.ssh/id_rsa-4096.
before jsch.addIdentity()
com.jcraft.jsch.JSchException: invalid privatekey: [***@48140564
...Program ends here...

Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?
--
So long... Erik
Lothar Kimmeringer
2016-11-07 09:38:17 UTC
Hi,
Post by Erik Wasser
Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?
Maybe a limit of a JVM without Unlimited Strength Cryptography Extension
being installed?


Cheers, Lothar
Erik Wasser
2016-11-07 22:30:57 UTC
Post by Lothar Kimmeringer
Hi,
Post by Erik Wasser
Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?
Maybe a limit of a JVM without Unlimited Strength Cryptography Extension
being installed?
Thanks for the feedback.

I've downloaded the file 'jce_policy-8.zip'
(http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
and extracted the files 'US_export_policy.jar' and 'local_policy.jar'
to the directory '/usr/java/jdk1.8.0_112/jre/lib/security' (overwriting
the old ones).

Nothing changed (and I've double checked if this is the right java
version I'm using).

If I switch to 'java-1.8.0-openjdk.x86_64' the error still remains so I
think it's not a (Oracle-)Java problem.

Here's the stack trace:

com.jcraft.jsch.JSchException: invalid privatekey: [***@282ba1e
at com.jcraft.jsch.KeyPair.load(KeyPair.java:664)
at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
at UserAuthPubKey.main(UserAuthPubKey.java:29)

I've debugged a little bit further and replaced the lines
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----BEGIN OPENSSH PRIVATE KEY-----
with
-----BEGIN RSA PRIVATE KEY-----
...
-----BEGIN RSA PRIVATE KEY-----
And the stack trace changed a little bit:

com.jcraft.jsch.JSchException: invalid privatekey: [***@f5f2bb7
at com.jcraft.jsch.KeyPair.load(KeyPair.java:948)
at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
at UserAuthPubKey.main(UserAuthPubKey.java:29)

Any ideas?
--
So long... Erik
Tim Bain
2016-11-08 05:39:21 UTC
This is the 0.1.53 source:
http://grepcode.com/file/repo1.maven.org/maven2/com.jcraft/jsch/0.1.53/com/jcraft/jsch/KeyPair.java#KeyPair
Presumably the 0.1.54 source isn't much different, since the line numbers
match exactly.

Look at lines 634-665, and in particular lines 638-644. It looks like keys
in formats DSA, RSA, ECDSA, and SSH are supported, but there's no
indication that OPENSSH keys are supported. Did you maybe forget the "-t
rsa" argument when generating the 4096-bit key? I'm not sure why the
output would include "(RSA)" if that happened, but at the same time the
content you showed us doesn't appear to be an RSA key...

Tim
_______________________________________________
JSch-users mailing list
https://lists.sourceforge.net/lists/listinfo/jsch-users
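
An added example (not code from this thread or from JSch): a stand-alone pre-flight check built on Tim Bain's reading above, which reports the armor label of a key file before it is passed to jsch.addIdentity() and detects the case where an OpenSSH-format body has merely been given an RSA header. The class and method names and the sample key text are constructed for illustration; the label list assumes the standard armor labels for the DSA, RSA, ECDSA and SSH formats named in the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class KeyFormatCheck {
    // Armor labels for the formats the thread lists as handled: DSA, RSA, ECDSA, SSH.
    static final String[] LISTED = {"RSA PRIVATE KEY", "DSA PRIVATE KEY",
        "EC PRIVATE KEY", "SSH2 ENCRYPTED PRIVATE KEY"};
    // Magic bytes that open the decoded body of an OpenSSH-format private key.
    static final byte[] MAGIC = "openssh-key-v1\0".getBytes(StandardCharsets.US_ASCII);

    static String diagnose(String keyText) {
        String label = null;
        StringBuilder body = new StringBuilder();
        for (String raw : keyText.split("\\R")) {
            String line = raw.trim();
            if (line.startsWith("----")) {
                if (label != null) break;                 // second armor line: stop
                int i = line.indexOf("BEGIN ");
                if (i < 0) break;
                label = line.substring(i + 6).replace("-", "").trim();
            } else if (label != null && !line.contains(":")) {
                body.append(line);                        // skip "Proc-Type:"-style headers
            }
        }
        if (label == null) return "no BEGIN line found";
        if (!Arrays.asList(LISTED).contains(label))
            return "'" + label + "' is not a listed format: expect 'invalid privatekey'";
        if (hasOpensshBody(body.toString()))
            return "header '" + label + "' but body is openssh-key-v1: header was only renamed";
        return "'" + label + "' is a listed format";
    }

    static boolean hasOpensshBody(String b64) {
        if (b64.length() < 20) return false;              // 20 chars decode to the 15 magic bytes
        try {
            return Arrays.equals(Base64.getDecoder().decode(b64.substring(0, 20)), MAGIC);
        } catch (IllegalArgumentException e) {
            return false;                                 // not base64 at all
        }
    }

    public static void main(String[] args) {
        // Constructed body: only the format magic and cipher name, not a real key.
        String body = "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU\n";
        System.out.println(diagnose("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body));
        System.out.println(diagnose("-----BEGIN RSA PRIVATE KEY-----\n" + body));
    }
}
```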
Erik Wasser
2016-11-08 20:21:30 UTC
Post by Tim Bain
http://grepcode.com/file/repo1.maven.org/maven2/com.jcraft/jsch/0.1.53/com/jcraft/jsch/KeyPair.java#KeyPair
Presumably the 0.1.54 source isn't much different, since the line
numbers match exactly.
Look at lines 634-665, and in particular lines 638-644. It looks like
keys in formats DSA, RSA, ECDSA, and SSH are supported, but there's no
indication that OPENSSH keys are supported. Did you maybe forget the
"-t rsa" argument when generating the 4096-bit key? I'm not sure why
the output would include "(RSA)" if that happened, but at the same time
the content you showed us doesn't appear to be an RSA key...
Hi. Thanks for the answer. You've pushed me in the right direction.
ssh-keygen -b 4096 -f .ssh/foo
And everything is fine and the first line indicates an RSA. And voilà:
JSch is working just fine with a 4096 bits/RSA key.

So my key was just bad, like the error messages indicated it. B-)

Thanks for the help.
--
So long... Erik
Tim Bain
2016-11-09 02:55:49 UTC
I'm glad to hear you got it working, though I'm surprised the command you
ran, without -t rsa, worked as you described. No matter, if it solved your
problem then that's what matters.

Tim