I'm working on a scala application with an SSH2 connection using sshj (0.19.1). I can connect fine from within eclipse, but running the application from a fat jar, I'm getting some errors. My initial error was:
Line 3: TransportException: null
at net.schmizz.sshj.transport.TransportException$1.chain(33)
at net.schmizz.sshj.transport.TransportException$1.chain(27)
at net.schmizz.concurrent.Promise.deliverError(96)
at net.schmizz.concurrent.Event.deliverError(74)
at net.schmizz.concurrent.ErrorDeliveryUtil.alertEvents(34)
at net.schmizz.sshj.transport.KeyExchanger.notifyError(386)
at net.schmizz.sshj.transport.TransportImpl.die(596)
at net.schmizz.sshj.transport.Reader.run(68)
I've added US_export_policy.jar and local_policy.jar to $JAVA_HOME/lib/security. I've added the following to try to register bouncycastle as a provider,
import org.bouncycastle.jce.provider.BouncyCastleProvider

// Register BouncyCastle with the JCA so that EC/ECDSA and Twofish lookups can find it
val bouncyCastle = new BouncyCastleProvider()
java.security.Security.addProvider(bouncyCastle)
// Tell sshj about the provider as well (it looks the class up by name)
net.schmizz.sshj.common.SecurityUtils.registerSecurityProvider("org.bouncycastle.jce.provider.BouncyCastleProvider")
but I'm still getting the following errors:
INFO n.schmizz.sshj.common.SecurityUtils - Registration of Security Provider 'org.bouncycastle.jce.provider.BouncyCastleProvider' unexpectedly failed
INFO n.schmizz.sshj.common.SecurityUtils - BouncyCastle not registered, using the default JCE provider
INFO n.s.sshj.transport.random.JCERandom - Creating new SecureRandom.
WARN net.schmizz.sshj.DefaultConfig - Illegal key size
WARN net.schmizz.sshj.DefaultConfig - Cannot find any provider supporting Twofish/CBC/NoPadding
...
WARN net.schmizz.sshj.DefaultConfig - Illegal key size or default parameters
WARN net.schmizz.sshj.DefaultConfig - Disabling high-strength ciphers: cipher strengths apparently limited by JCE policy
INFO n.s.sshj.transport.TransportImpl - Client identity string: SSH-2.0-SSHJ_0.19.1
INFO n.s.sshj.transport.TransportImpl - Server identity string: SSH-2.0-OpenSSH_6.6.1
ERROR n.s.sshj.transport.TransportImpl - Dying because - {}
net.schmizz.sshj.common.SSHRuntimeException: BouncyCastle is required to read a key of type ecdsa-sha2-nistp256
at net.schmizz.sshj.common.Buffer.readPublicKey(Buffer.java:431)
at net.schmizz.sshj.transport.kex.AbstractDHG.next(AbstractDHG.java:66)
at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:358)
at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:493)
at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:104)
at net.schmizz.sshj.transport.Decoder.received(Decoder.java:172)
at net.schmizz.sshj.transport.Reader.run(Reader.java:60)
Caused by: java.security.GeneralSecurityException: BouncyCastle is required to read a key of type ecdsa-sha2-nistp256
at net.schmizz.sshj.common.KeyType$3.readPubKeyFromBuffer(KeyType.java:120)
at net.schmizz.sshj.common.Buffer.readPublicKey(Buffer.java:429)
... 6 common frames omitted
INFO n.s.sshj.transport.TransportImpl - Disconnected - UNKNOWN
ERROR net.schmizz.concurrent.Promise - <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: BouncyCastle is required to read a key of type ecdsa-sha2-nistp256
I'm running the jar as java -cp ../lib/bcprov-jdk15on-1.51.jar -jar <my jar>, because as I understand it, you can't include bouncycastle as part of your fat jar as a provider. But I'm not sure what I'm missing that I can't get it registered as a provider. Any help would be appreciated.
java -jar ignores the classpath from the command line or environment variable, and uses instead the specified jar plus any Class-Path item in its manifest. Either reference bcprov in the jar's manifest (but do not merge a provider like bcprov into your own jar, you are correct on that) or put bcprov in your JRE/lib/ext so the JVM will find it without using the classpath. Or run with java -cp myjar:bcprov mainclassname (; instead of : on windows), which does use the classpath.
I'd expect your new BouncyCastleProvider() to throw before getting to the point in your code that tries to use the provider, but I don't know scala and maybe it's different here.
FWIW, if this project upgraded to 5 years ago (Java 7) you wouldn't need Bouncy for EC including ECDSA. You would still need it for Twofish, but I don't know who (else) implements Twofish and I'd be astonished if anyone requires it; your server here identifies as OpenSSH, which doesn't.
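A small diagnostic, added here as an example and not part of either post above, that reports the three separate conditions behind the log output in the question: whether the BouncyCastle class is visible and registered under its JCA name "BC", what key size the JCE policy of the running JRE permits, and which provider (if any) supplies the "EC" KeyFactory that ecdsa-sha2-nistp256 needs. The object name ProviderCheck and its methods are this example's own; it uses only the JCA and a by-name class load, the same approach sshj's SecurityUtils takes, and does not compile against BouncyCastle.

```scala
import java.security.{GeneralSecurityException, KeyFactory, NoSuchAlgorithmException, Provider, Security}
import javax.crypto.Cipher

// Diagnostic for the three failures in the log above: BouncyCastle not loadable,
// JCE policy limiting key sizes, and no "EC" KeyFactory for the host key.
// Object and method names are this example's own, not sshj's API.
object ProviderCheck {
  val BcClass = "org.bouncycastle.jce.provider.BouncyCastleProvider"

  // BouncyCastle registers itself under the JCA provider name "BC".
  def bouncyCastleRegistered(): Boolean = Security.getProvider("BC") != null

  // Loads BC by name (as sshj does) and registers it. Returns false when the
  // class is not visible, which is the state you are in when `java -jar`
  // has discarded the -cp argument.
  def ensureBouncyCastle(): Boolean =
    try {
      if (!bouncyCastleRegistered()) {
        val p = Class.forName(BcClass).getDeclaredConstructor().newInstance().asInstanceOf[Provider]
        Security.addProvider(p)
      }
      bouncyCastleRegistered()
    } catch {
      case _: ClassNotFoundException | _: NoClassDefFoundError => false
    }

  // Largest AES key the installed JCE policy allows. 128 means the
  // unlimited-strength policy jars are not in lib/security of the JRE that
  // is actually running, whatever was copied into $JAVA_HOME.
  def maxAesKeyBits(): Int = Cipher.getMaxAllowedKeyLength("AES")

  // Which provider can parse an EC public key. Java 7+ ships one in SunEC;
  // on Java 6 it is only present if BouncyCastle is registered.
  def ecKeyFactoryProvider(): Option[String] =
    try Some(KeyFactory.getInstance("EC").getProvider.getName)
    catch { case _: NoSuchAlgorithmException => None }

  // Whether a cipher transformation from sshj's default list is available.
  def cipherAvailable(transformation: String): Boolean =
    try { Cipher.getInstance(transformation); true }
    catch { case _: GeneralSecurityException => false }

  def main(args: Array[String]): Unit = {
    println(s"java.version        = ${System.getProperty("java.version")}")
    println(s"java.home           = ${System.getProperty("java.home")}")
    println(s"BouncyCastle (BC)   = ${ensureBouncyCastle()}")
    println(s"max AES key bits    = ${maxAesKeyBits()}")
    println(s"EC KeyFactory from  = ${ecKeyFactoryProvider().getOrElse("none")}")
    println(s"Twofish/CBC/NoPad   = ${cipherAvailable("Twofish/CBC/NoPadding")}")
    println(s"AES/CTR/NoPadding   = ${cipherAvailable("AES/CTR/NoPadding")}")
    println("registered providers: " + Security.getProviders.map(_.getName).mkString(", "))
  }
}
```

Run it once as java -cp myjar.jar:bcprov-jdk15on-1.51.jar ProviderCheck and once as java -jar myjar.jar (assuming ProviderCheck is the manifest's main class, and ; instead of : on windows): the "BouncyCastle (BC)" line flips between the two, which is the classpath behaviour described above made visible. The java.home line is there because the policy jars have to sit under lib/security of the JRE that is really executing, which need not be the $JAVA_HOME you edited, and Eclipse may launch a different JRE than the command line does.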