Removed eddsa library in favor of standard Java Security classes (#993)

- Bouncy Castle provides Ed25519 support using standard Java Security classes
- Removed net.i2p.crypto:eddsa:0.3.0 dependency
- Removed Ed25519PublicKey extension of EdDSAPublicKey class from eddsa library
- Added Ed25519KeyFactory for generating Java PublicKey and PrivateKey objects from raw encoded key byte arrays
- Refactored key parsing to use Ed25519KeyFactory
- Refactored SignatureEdDSA to use Java Signature class with Ed25519

Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>

build.gradle

@@ -54,7 +54,6 @@ dependencies {
   implementation "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"
   implementation "org.bouncycastle:bcpkix-jdk18on:$bouncycastleVersion"
   implementation "com.hierynomus:asn-one:0.6.0"
-  implementation "net.i2p.crypto:eddsa:0.3.0"
 }
 
 license {
@@ -182,8 +181,6 @@ jar {
     instruction "Import-Package", "!net.schmizz.*"
     instruction "Import-Package", "!com.hierynomus.sshj.*"
     instruction "Import-Package", "javax.crypto*"
-    instruction "Import-Package", "!net.i2p.crypto.eddsa.math"
-    instruction "Import-Package", "net.i2p*"
     instruction "Import-Package", "com.jcraft.jzlib*;version=\"[1.1,2)\";resolution:=optional"
     instruction "Import-Package", "org.slf4j*;version=\"[1.7,5)\""
     instruction "Import-Package", "org.bouncycastle*;resolution:=optional"

src/itest/java/com/hierynomus/sshj/sftp/FileWriteTest.java

@@ -21,7 +21,6 @@ import java.util.EnumSet;
 import org.junit.jupiter.api.Test;
 import org.testcontainers.junit.jupiter.Container;
 import org.testcontainers.junit.jupiter.Testcontainers;
-import org.testcontainers.shaded.org.bouncycastle.util.Arrays;
 
 import com.hierynomus.sshj.SshdContainer;
 
@@ -31,11 +30,12 @@ import net.schmizz.sshj.sftp.RemoteFile;
 import net.schmizz.sshj.sftp.SFTPClient;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 
 @Testcontainers
 public class FileWriteTest {
     @Container
-    private static SshdContainer sshd = new SshdContainer();
+    private static final SshdContainer sshd = new SshdContainer();
 
     @Test
     public void shouldAppendToFile_GH390() throws Throwable {
@@ -63,8 +63,14 @@ public class FileWriteTest {
                 try (RemoteFile read = sftp.open(file, EnumSet.of(OpenMode.READ))) {
                     byte[] readBytes = new byte[initialText.length + appendText.length];
                     read.read(0, readBytes, 0, readBytes.length);
-                    assertThat(Arrays.copyOfRange(readBytes, 0, initialText.length)).isEqualTo(initialText);
+
-                    assertThat(Arrays.copyOfRange(readBytes, initialText.length, initialText.length + appendText.length)).isEqualTo(appendText);
+                    final byte[] expectedInitialText = new byte[initialText.length];
+                    System.arraycopy(readBytes, 0, expectedInitialText, 0, expectedInitialText.length);
+                    assertArrayEquals(expectedInitialText, initialText);
+
+                    final byte[] expectedAppendText = new byte[appendText.length];
+                    System.arraycopy(readBytes, initialText.length, expectedAppendText, 0, expectedAppendText.length);
+                    assertArrayEquals(expectedAppendText, appendText);
                 }
             }
 

src/main/java/com/hierynomus/sshj/common/KeyDecryptionFailedException.java

@@ -26,8 +26,12 @@ public class KeyDecryptionFailedException extends IOException {
 
     public static final String MESSAGE = "Decryption of the key failed. A supplied passphrase may be incorrect.";
 
-    public KeyDecryptionFailedException() {
+    public KeyDecryptionFailedException(final String message) {
-        super(MESSAGE);
+        super(message);
+    }
+
+    public KeyDecryptionFailedException(final String message, final Throwable cause) {
+        super(message, cause);
     }
 
     public KeyDecryptionFailedException(IOException cause) {

src/main/java/com/hierynomus/sshj/signature/Ed25519PublicKey.java

@@ -1,56 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.hierynomus.sshj.signature;
-
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveSpec;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
-import net.schmizz.sshj.common.SSHRuntimeException;
-
-import java.util.Arrays;
-
-/**
- * Our own extension of the EdDSAPublicKey that comes from ECC-25519, as that class does not implement equality.
- * The code uses the equality of the keys as an indicator whether they're the same during host key verification.
- */
-@SuppressWarnings("serial")
-public class Ed25519PublicKey extends EdDSAPublicKey {
-
-    public Ed25519PublicKey(EdDSAPublicKeySpec spec) {
-        super(spec);
-
-        EdDSANamedCurveSpec ed25519 = EdDSANamedCurveTable.getByName("Ed25519");
-        if (!spec.getParams().getCurve().equals(ed25519.getCurve())) {
-            throw new SSHRuntimeException("Cannot create Ed25519 Public Key from wrong spec");
-        }
-    }
-
-    @Override
-    public boolean equals(Object other) {
-        if (!(other instanceof Ed25519PublicKey)) {
-            return false;
-        }
-
-        Ed25519PublicKey otherKey = (Ed25519PublicKey) other;
-        return Arrays.equals(getAbyte(), otherKey.getAbyte());
-    }
-
-    @Override
-    public int hashCode() {
-        return getA().hashCode();
-    }
-}

src/main/java/com/hierynomus/sshj/signature/SignatureEdDSA.java

@@ -15,14 +15,14 @@
  */
 package com.hierynomus.sshj.signature;
 
-import net.i2p.crypto.eddsa.EdDSAEngine;
 import net.schmizz.sshj.common.KeyType;
 import net.schmizz.sshj.common.SSHRuntimeException;
+import net.schmizz.sshj.common.SecurityUtils;
 import net.schmizz.sshj.signature.AbstractSignature;
 import net.schmizz.sshj.signature.Signature;
 
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.SignatureException;
 
 public class SignatureEdDSA extends AbstractSignature {
@@ -43,11 +43,11 @@ public class SignatureEdDSA extends AbstractSignature {
         super(getEngine(), KeyType.ED25519.toString());
     }
 
-    private static EdDSAEngine getEngine() {
+    private static java.security.Signature getEngine() {
         try {
-            return new EdDSAEngine(MessageDigest.getInstance("SHA-512"));
+            return SecurityUtils.getSignature("Ed25519");
-        } catch (NoSuchAlgorithmException e) {
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
-            throw new SSHRuntimeException(e);
+            throw new SSHRuntimeException("Ed25519 Signatures not supported", e);
         }
     }
 

src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyFileUtil.java

@@ -47,8 +47,7 @@ public class OpenSSHKeyFileUtil {
      * @param publicKey Public key accessible through a {@code Reader}
      */
     public static ParsedPubKey initPubKey(Reader publicKey) throws IOException {
-        final BufferedReader br = new BufferedReader(publicKey);
+        try (BufferedReader br = new BufferedReader(publicKey)) {
-        try {
             String keydata;
             while ((keydata = br.readLine()) != null) {
                 keydata = keydata.trim();
@@ -68,8 +67,6 @@ public class OpenSSHKeyFileUtil {
             throw new IOException("Public key file is blank");
         } catch (Base64DecodingException err) {
             throw new IOException("Public key decoding failed", err);
-        } finally {
-            br.close();
         }
     }
 

src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java

@@ -21,9 +21,6 @@ import com.hierynomus.sshj.transport.cipher.BlockCiphers;
 import com.hierynomus.sshj.transport.cipher.ChachaPolyCiphers;
 import com.hierynomus.sshj.transport.cipher.GcmCiphers;
 import com.hierynomus.sshj.userauth.keyprovider.bcrypt.BCrypt;
-import net.i2p.crypto.eddsa.EdDSAPrivateKey;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.schmizz.sshj.common.*;
 import net.schmizz.sshj.common.Buffer.PlainBuffer;
 import net.schmizz.sshj.transport.cipher.Cipher;
@@ -351,8 +348,14 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
                 keyBuffer.readUInt32(); // length of privatekey+publickey
                 byte[] privKey = new byte[32];
                 keyBuffer.readRawBytes(privKey); // string privatekey
-                keyBuffer.readRawBytes(new byte[32]); // string publickey (again...)
+
-                kp = new KeyPair(publicKey, new EdDSAPrivateKey(new EdDSAPrivateKeySpec(privKey, EdDSANamedCurveTable.getByName("Ed25519"))));
+                final byte[] pubKey = new byte[32];
+                keyBuffer.readRawBytes(pubKey); // string publickey (again...)
+
+                final PrivateKey edPrivateKey = Ed25519KeyFactory.getPrivateKey(privKey);
+                final PublicKey edPublicKey = Ed25519KeyFactory.getPublicKey(pubKey);
+
+                kp = new KeyPair(edPublicKey, edPrivateKey);
                 break;
             case RSA:
                 final RSAPrivateCrtKeySpec rsaPrivateCrtKeySpec = readRsaPrivateKeySpec(keyBuffer);

src/main/java/net/schmizz/sshj/common/Ed25519KeyFactory.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.common;
+
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Objects;
+
+/**
+ * Factory for generating Edwards-curve 25519 Public and Private Keys
+ */
+public class Ed25519KeyFactory {
+    private static final int KEY_LENGTH = 32;
+
+    private static final String KEY_ALGORITHM = "Ed25519";
+
+    private static final byte[] ED25519_PKCS8_PRIVATE_KEY_HEADER = Base64.getDecoder().decode("MC4CAQEwBQYDK2VwBCIEIA");
+
+    private static final byte[] ED25519_PKCS8_PUBLIC_KEY_HEADER = Base64.getDecoder().decode("MCowBQYDK2VwAyEA");
+
+    private static final int PRIVATE_KEY_ENCODED_LENGTH = 48;
+
+    private static final int PUBLIC_KEY_ENCODED_LENGTH = 44;
+
+    private Ed25519KeyFactory() {
+
+    }
+
+    /**
+     * Get Edwards-curve Private Key for private key binary
+     *
+     * @param privateKeyBinary Private Key byte array consisting of 32 bytes
+     * @return Edwards-curve 25519 Private Key
+     * @throws GeneralSecurityException Thrown on failure to generate Private Key
+     */
+    public static PrivateKey getPrivateKey(final byte[] privateKeyBinary) throws GeneralSecurityException {
+        Objects.requireNonNull(privateKeyBinary, "Private Key byte array required");
+        if (privateKeyBinary.length == KEY_LENGTH) {
+            final byte[] privateKeyEncoded = new byte[PRIVATE_KEY_ENCODED_LENGTH];
+            System.arraycopy(ED25519_PKCS8_PRIVATE_KEY_HEADER, 0, privateKeyEncoded, 0, ED25519_PKCS8_PRIVATE_KEY_HEADER.length);
+            System.arraycopy(privateKeyBinary, 0, privateKeyEncoded, ED25519_PKCS8_PRIVATE_KEY_HEADER.length, KEY_LENGTH);
+            final PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyEncoded);
+
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(KEY_ALGORITHM);
+            return keyFactory.generatePrivate(keySpec);
+        } else {
+            throw new IllegalArgumentException("Key length of 32 bytes required");
+        }
+    }
+
+    /**
+     * Get Edwards-curve Public Key for public key binary
+     *
+     * @param publicKeyBinary Public Key byte array consisting of 32 bytes
+     * @return Edwards-curve 25519 Public Key
+     * @throws GeneralSecurityException Thrown on failure to generate Public Key
+     */
+    public static PublicKey getPublicKey(final byte[] publicKeyBinary) throws GeneralSecurityException {
+        Objects.requireNonNull(publicKeyBinary, "Public Key byte array required");
+        if (publicKeyBinary.length == KEY_LENGTH) {
+            final byte[] publicKeyEncoded = new byte[PUBLIC_KEY_ENCODED_LENGTH];
+            System.arraycopy(ED25519_PKCS8_PUBLIC_KEY_HEADER, 0, publicKeyEncoded, 0, ED25519_PKCS8_PUBLIC_KEY_HEADER.length);
+            System.arraycopy(publicKeyBinary, 0, publicKeyEncoded, ED25519_PKCS8_PUBLIC_KEY_HEADER.length, KEY_LENGTH);
+            final X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyEncoded);
+
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(KEY_ALGORITHM);
+            return keyFactory.generatePublic(keySpec);
+        } else {
+            throw new IllegalArgumentException("Key length of 32 bytes required");
+        }
+    }
+}

src/main/java/net/schmizz/sshj/common/KeyType.java

@@ -16,13 +16,8 @@
 package net.schmizz.sshj.common;
 
 import com.hierynomus.sshj.common.KeyAlgorithm;
-import com.hierynomus.sshj.signature.Ed25519PublicKey;
 import com.hierynomus.sshj.signature.SignatureEdDSA;
 import com.hierynomus.sshj.userauth.certificate.Certificate;
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveSpec;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 import net.schmizz.sshj.common.Buffer.BufferException;
 import net.schmizz.sshj.signature.Signature;
 import net.schmizz.sshj.signature.SignatureDSA;
@@ -178,20 +173,16 @@ public enum KeyType {
         public PublicKey readPubKeyFromBuffer(Buffer<?> buf) throws GeneralSecurityException {
             try {
                 final int keyLen = buf.readUInt32AsInt();
-                final byte[] p = new byte[keyLen];
+                final byte[] publicKeyBinary = new byte[keyLen];
-                buf.readRawBytes(p);
+                buf.readRawBytes(publicKeyBinary);
                 if (log.isDebugEnabled()) {
                     log.debug(String.format("Key algo: %s, Key curve: 25519, Key Len: %s\np: %s",
                             sType,
                             keyLen,
-                            Arrays.toString(p))
+                            Arrays.toString(publicKeyBinary))
                     );
                 }
-
+                return Ed25519KeyFactory.getPublicKey(publicKeyBinary);
-                EdDSANamedCurveSpec ed25519 = EdDSANamedCurveTable.getByName("Ed25519");
-                EdDSAPublicKeySpec publicSpec = new EdDSAPublicKeySpec(p, ed25519);
-                return new Ed25519PublicKey(publicSpec);
-
             } catch (Buffer.BufferException be) {
                 throw new SSHRuntimeException(be);
             }
@@ -199,13 +190,17 @@ public enum KeyType {
 
         @Override
         protected void writePubKeyContentsIntoBuffer(PublicKey pk, Buffer<?> buf) {
-            EdDSAPublicKey key = (EdDSAPublicKey) pk;
+            final byte[] encoded = pk.getEncoded();
-            buf.putBytes(key.getAbyte());
+            final int keyLength = 32;
+            final int headerLength = encoded.length - keyLength;
+            final byte[] encodedPublicKey = new byte[keyLength];
+            System.arraycopy(encoded, headerLength, encodedPublicKey, 0, keyLength);
+            buf.putBytes(encodedPublicKey);
         }
 
         @Override
         protected boolean isMyType(Key key) {
-            return "EdDSA".equals(key.getAlgorithm());
+            return "EdDSA".equals(key.getAlgorithm()) || "Ed25519".equals(key.getAlgorithm());
         }
     },
 

src/main/java/net/schmizz/sshj/common/SecurityUtils.java

@@ -286,8 +286,8 @@ public class SecurityUtils {
                 if (securityProvider == null && registerBouncyCastle == null) {
                     LOG.info("BouncyCastle not registered, using the default JCE provider");
                 } else if (securityProvider == null) {
-                    LOG.error("Failed to register BouncyCastle as the defaut JCE provider");
+                    LOG.error("Failed to register BouncyCastle as the default JCE provider");
-                    throw new SSHRuntimeException("Failed to register BouncyCastle as the defaut JCE provider");
+                    throw new SSHRuntimeException("Failed to register BouncyCastle as the default JCE provider");
                 }
             }
             registrationDone = true;

src/main/java/net/schmizz/sshj/sftp/RandomAccessRemoteFile.java

@@ -317,13 +317,10 @@ public class RandomAccessRemoteFile
     @Override
     public void writeUTF(String str)
             throws IOException {
-        final DataOutputStream dos = new DataOutputStream(rf.new RemoteFileOutputStream(fp));
+        try (DataOutputStream dos = new DataOutputStream(rf.new RemoteFileOutputStream(fp));) {
-        try {
             dos.writeUTF(str);
-        } finally {
+            fp += dos.size();
-            dos.close();
         }
-        fp += dos.size();
     }
 
 }

src/main/java/net/schmizz/sshj/sftp/SFTPFileTransfer.java

@@ -140,12 +140,9 @@ public class SFTPFileTransfer
                                           final LocalDestFile local)
                 throws IOException {
             final LocalDestFile adjusted = local.getTargetDirectory(remote.getName());
-            final RemoteDirectory rd = engine.openDir(remote.getPath());
+            try (RemoteDirectory rd = engine.openDir(remote.getPath())) {
-            try {
                 for (RemoteResourceInfo rri : rd.scan(getDownloadFilter()))
                     download(listener, rri, adjusted.getChild(rri.getName()), 0); // not supporting individual byte offsets for these files
-            } finally {
-                rd.close();
             }
             return adjusted;
         }
@@ -156,23 +153,16 @@ public class SFTPFileTransfer
                                            final long byteOffset)
                 throws IOException {
             final LocalDestFile adjusted = local.getTargetFile(remote.getName());
-            final RemoteFile rf = engine.open(remote.getPath());
+            try (RemoteFile rf = engine.open(remote.getPath())) {
-            try {
                 log.debug("Attempting to download {} with offset={}", remote.getPath(), byteOffset);
-                final RemoteFile.ReadAheadRemoteFileInputStream rfis = rf.new ReadAheadRemoteFileInputStream(16, byteOffset);
+                try (RemoteFile.ReadAheadRemoteFileInputStream rfis = rf.new ReadAheadRemoteFileInputStream(16, byteOffset);
-                final OutputStream os = adjusted.getOutputStream(byteOffset != 0);
+                     OutputStream os = adjusted.getOutputStream(byteOffset != 0)) {
-                try {
                     new StreamCopier(rfis, os, engine.getLoggerFactory())
                             .bufSize(engine.getSubsystem().getLocalMaxPacketSize())
                             .keepFlushing(false)
                             .listener(listener)
                             .copy();
-                } finally {
-                    rfis.close();
-                    os.close();
                 }
-            } finally {
-                rf.close();
             }
             return adjusted;
         }

src/main/java/net/schmizz/sshj/transport/verification/OpenSSHKnownHosts.java

@@ -187,12 +187,9 @@ public class OpenSSHKnownHosts
 
     public void write()
             throws IOException {
-        final BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(khFile));
+        try (BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(khFile))) {
-        try {
             for (KnownHostEntry entry : entries)
                 bos.write((entry.getLine() + LS).getBytes(StandardCharsets.UTF_8));
-        } finally {
-            bos.close();
         }
     }
 

src/main/java/net/schmizz/sshj/userauth/keyprovider/EncryptedPEMKeyReader.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider;
+
+import com.hierynomus.sshj.common.KeyDecryptionFailedException;
+import net.schmizz.sshj.userauth.password.PasswordFinder;
+import net.schmizz.sshj.userauth.password.PasswordUtils;
+import net.schmizz.sshj.userauth.password.Resource;
+import org.bouncycastle.openssl.PEMDecryptor;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMException;
+import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.util.encoders.Hex;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * PEM Key Reader implementation supporting historical password-based encryption from OpenSSL EVP_BytesToKey
+ */
+class EncryptedPEMKeyReader extends StandardPEMKeyReader {
+    private static final String PROC_TYPE_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED";
+
+    private static final Pattern DEK_INFO_PATTERN = Pattern.compile("^DEK-Info: ([A-Z0-9\\-]+),([A-F0-9]{16,32})$");
+
+    private static final int DEK_INFO_ALGORITHM_GROUP = 1;
+
+    private static final int DEK_INFO_IV_GROUP = 2;
+
+    private final PasswordFinder passwordFinder;
+
+    private final Resource<?> resource;
+
+    EncryptedPEMKeyReader(final PasswordFinder passwordFinder, final Resource<?> resource) {
+        this.passwordFinder = Objects.requireNonNull(passwordFinder, "Password Finder required");
+        this.resource = Objects.requireNonNull(resource, "Resource required");
+    }
+
+    @Override
+    public PEMKey readPemKey(final BufferedReader bufferedReader) throws IOException {
+        final PEMKey pemKey = super.readPemKey(bufferedReader);
+        final List<String> headers = pemKey.getHeaders();
+
+        final PEMKey processedPemKey;
+        if (isEncrypted(headers)) {
+            processedPemKey = readEncryptedPemKey(pemKey);
+        } else {
+            processedPemKey = pemKey;
+        }
+
+        return processedPemKey;
+    }
+
+    private boolean isEncrypted(final List<String> headers) {
+        return headers.contains(PROC_TYPE_ENCRYPTED_HEADER);
+    }
+
+    private PEMKey readEncryptedPemKey(final PEMKey pemKey) throws IOException {
+        final List<String> headers = pemKey.getHeaders();
+        final DataEncryptionKeyInfo dataEncryptionKeyInfo = getDataEncryptionKeyInfo(headers);
+        final byte[] pemKeyBody = pemKey.getBody();
+
+        byte[] decryptedPemKeyBody = null;
+        char[] password = passwordFinder.reqPassword(resource);
+        while (password != null) {
+            try {
+                decryptedPemKeyBody = getDecryptedPemKeyBody(password, pemKeyBody, dataEncryptionKeyInfo);
+                break;
+            } catch (final KeyDecryptionFailedException e) {
+                if (passwordFinder.shouldRetry(resource)) {
+                    password = passwordFinder.reqPassword(resource);
+                } else {
+                    throw e;
+                }
+            }
+        }
+
+        if (decryptedPemKeyBody == null) {
+            throw new KeyDecryptionFailedException("PEM Key password-based decryption failed");
+        }
+
+        return new PEMKey(pemKey.getPemKeyType(), headers, decryptedPemKeyBody);
+    }
+
+    private byte[] getDecryptedPemKeyBody(final char[] password, final byte[] pemKeyBody, final DataEncryptionKeyInfo dataEncryptionKeyInfo) throws IOException {
+        final String algorithm = dataEncryptionKeyInfo.algorithm;
+        try {
+            final PEMDecryptorProvider pemDecryptorProvider = new BcPEMDecryptorProvider(password);
+            final PEMDecryptor pemDecryptor = pemDecryptorProvider.get(algorithm);
+            final byte[] initializationVector = dataEncryptionKeyInfo.initializationVector;
+            return pemDecryptor.decrypt(pemKeyBody, initializationVector);
+        } catch (final OperatorCreationException e) {
+            throw new IOException(String.format("PEM decryption support not found for algorithm [%s]", algorithm), e);
+        } catch (final PEMException e) {
+            throw new KeyDecryptionFailedException(String.format("PEM Key decryption failed for algorithm [%s]", algorithm), e);
+        } finally {
+            PasswordUtils.blankOut(password);
+        }
+    }
+
+    private DataEncryptionKeyInfo getDataEncryptionKeyInfo(final List<String> headers) throws IOException {
+        DataEncryptionKeyInfo dataEncryptionKeyInfo = null;
+
+        for (final String header : headers) {
+            final Matcher matcher = DEK_INFO_PATTERN.matcher(header);
+            if (matcher.matches()) {
+                final String algorithm = matcher.group(DEK_INFO_ALGORITHM_GROUP);
+                final String initializationVectorGroup = matcher.group(DEK_INFO_IV_GROUP);
+                final byte[] initializationVector = Hex.decode(initializationVectorGroup);
+                dataEncryptionKeyInfo = new DataEncryptionKeyInfo(algorithm, initializationVector);
+            }
+        }
+
+        if (dataEncryptionKeyInfo == null) {
+            throw new IOException("Data Encryption Key Information header [DEK-Info] not found");
+        }
+
+        return dataEncryptionKeyInfo;
+    }
+
+    private static class DataEncryptionKeyInfo {
+        private final String algorithm;
+
+        private final byte[] initializationVector;
+
+        private DataEncryptionKeyInfo(final String algorithm, final byte[] initializationVector) {
+            this.algorithm = algorithm;
+            this.initializationVector = initializationVector;
+        }
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/PEMKey.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider;
+
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * PEM Key container with identified Key Type and decoded body
+ */
+public class PEMKey {
+    private final PEMKeyType pemKeyType;
+
+    private final List<String> headers;
+
+    private final byte[] body;
+
+    PEMKey(final PEMKeyType pemKeyType, final List<String> headers, final byte[] body) {
+        this.pemKeyType = Objects.requireNonNull(pemKeyType, "PEM Key Type required");
+        this.headers = Objects.requireNonNull(headers, "Headers required");
+        this.body = Objects.requireNonNull(body, "Body required");
+    }
+
+    PEMKeyType getPemKeyType() {
+        return pemKeyType;
+    }
+
+    List<String> getHeaders() {
+        return headers;
+    }
+
+    byte[] getBody() {
+        return body.clone();
+    }
+
+    public enum PEMKeyType {
+        /** RFC 3279 Section 2.3.2 */
+        DSA("-----BEGIN DSA PRIVATE KEY-----"),
+
+        /** RFC 5915 Section 3 */
+        EC("-----BEGIN EC PRIVATE KEY-----"),
+
+        /** RFC 8017 Appendix 1.2 */
+        RSA("-----BEGIN RSA PRIVATE KEY-----"),
+
+        /** RFC 5208 Section 5 */
+        PKCS8("-----BEGIN PRIVATE KEY-----"),
+
+        /** RFC 5208 Section 6 */
+        PKCS8_ENCRYPTED("-----BEGIN ENCRYPTED PRIVATE KEY-----");
+
+        private final String header;
+
+        PEMKeyType(final String header) {
+            this.header = header;
+        }
+
+        String getHeader() {
+            return header;
+        }
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/PEMKeyReader.java

@@ -13,23 +13,21 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package net.schmizz.sshj.userauth.keyprovider.pkcs;
+package net.schmizz.sshj.userauth.keyprovider;
-
-import org.bouncycastle.openssl.PEMKeyPair;
 
+import java.io.BufferedReader;
 import java.io.IOException;
 
 /**
- * Converter from typed object to PEM Key Pair
+ * Abstraction for parsing and returning PEM Keys
- * @param <T> Object Type
  */
-public interface KeyPairConverter<T> {
+interface PEMKeyReader {
     /**
-     * Get PEM Key Pair from typed object
+     * Read PEM Key from buffered reader
      *
-     * @param object Typed Object
+     * @param bufferedReader Buffered Reader containing lines from resource reader
-     * @return PEM Key Pair
+     * @return PEM Key
-     * @throws IOException Thrown on conversion failures
+     * @throws IOException Thrown on failure to read PEM Key from resources
      */
-    PEMKeyPair getKeyPair(T object) throws IOException;
+    PEMKey readPemKey(BufferedReader bufferedReader) throws IOException;
 }

src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS8KeyFile.java

@@ -15,37 +15,66 @@
  */
 package net.schmizz.sshj.userauth.keyprovider;
 
+import com.hierynomus.asn1.ASN1InputStream;
+import com.hierynomus.asn1.encodingrules.der.DERDecoder;
+import com.hierynomus.asn1.types.ASN1Tag;
+import com.hierynomus.asn1.types.constructed.ASN1Sequence;
+import com.hierynomus.asn1.types.constructed.ASN1TaggedObject;
+import com.hierynomus.asn1.types.primitive.ASN1Integer;
+import com.hierynomus.asn1.types.primitive.ASN1ObjectIdentifier;
+import com.hierynomus.asn1.types.string.ASN1BitString;
+import com.hierynomus.asn1.types.string.ASN1OctetString;
+import com.hierynomus.sshj.common.KeyAlgorithm;
 import com.hierynomus.sshj.common.KeyDecryptionFailedException;
-import net.schmizz.sshj.common.IOUtils;
+import net.schmizz.sshj.common.ECDSACurve;
+import net.schmizz.sshj.common.ECDSAKeyFactory;
 import net.schmizz.sshj.common.SecurityUtils;
-import net.schmizz.sshj.userauth.keyprovider.pkcs.KeyPairConverter;
-import net.schmizz.sshj.userauth.keyprovider.pkcs.PrivateKeyInfoKeyPairConverter;
 import net.schmizz.sshj.userauth.password.PasswordUtils;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import net.schmizz.sshj.userauth.keyprovider.PEMKey.PEMKeyType;
-import org.bouncycastle.openssl.EncryptionException;
-import org.bouncycastle.openssl.PEMEncryptedKeyPair;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
-import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
-import org.bouncycastle.operator.InputDecryptorProvider;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
-import org.bouncycastle.pkcs.PKCSException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.crypto.Cipher;
+import javax.crypto.EncryptedPrivateKeyInfo;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.io.BufferedReader;
 import java.io.IOException;
+import java.math.BigInteger;
+import java.security.AlgorithmParameters;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
 import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.security.spec.DSAPrivateKeySpec;
+import java.security.spec.DSAPublicKeySpec;
+import java.security.spec.ECField;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
+import java.security.spec.EllipticCurve;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.RSAPrivateCrtKeySpec;
+import java.security.spec.RSAPublicKeySpec;
 
 /**
  * Key File implementation supporting PEM-encoded PKCS8 and PKCS1 formats with or without password-based encryption
  */
 public class PKCS8KeyFile extends BaseFileKeyProvider {
+    /** Bouncy Castle class for detecting support of historical OpenSSL password-based decryption */
+    private static final String BOUNCY_CASTLE_CLASS = "org.bouncycastle.openssl.PEMDecryptor";
 
-    public static class Factory
+    private static final boolean HISTORICAL_DECRYPTION_SUPPORTED = isHistoricalDecryptionSupported();
-            implements net.schmizz.sshj.common.Factory.Named<FileKeyProvider> {
+
+    protected final Logger log = LoggerFactory.getLogger(getClass());
+
+    public static class Factory implements net.schmizz.sshj.common.Factory.Named<FileKeyProvider> {
 
         @Override
         public FileKeyProvider create() {
@@ -58,58 +87,47 @@ public class PKCS8KeyFile extends BaseFileKeyProvider {
         }
     }
 
-    protected final Logger log = LoggerFactory.getLogger(getClass());
+    @Override
+    protected KeyPair readKeyPair() throws IOException {
+        final PEMKeyReader pemKeyReader;
 
-    protected KeyPairConverter<PrivateKeyInfo> privateKeyInfoKeyPairConverter = new PrivateKeyInfoKeyPairConverter();
+        if (HISTORICAL_DECRYPTION_SUPPORTED) {
-
+            if (pwdf == null) {
-    protected KeyPair readKeyPair()
+                pemKeyReader = new StandardPEMKeyReader();
-            throws IOException {
+            } else {
-        KeyPair kp = null;
+                pemKeyReader = new EncryptedPEMKeyReader(pwdf, resource);
-
-        for (PEMParser r = null; ; ) {
-            // while the PasswordFinder tells us we should retry
-            try {
-                r = new PEMParser(resource.getReader());
-                final Object o = r.readObject();
-
-                final JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
-                if (SecurityUtils.getSecurityProvider() != null) {
-                    pemConverter.setProvider(SecurityUtils.getSecurityProvider());
-                }    
-
-                if (o instanceof PEMEncryptedKeyPair) {
-                    final PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair) o;
-                    final PEMKeyPair pemKeyPair = readEncryptedKeyPair(encryptedKeyPair);
-                    kp = pemConverter.getKeyPair(pemKeyPair);
-                } else if (o instanceof PEMKeyPair) {
-                    kp = pemConverter.getKeyPair((PEMKeyPair) o);
-                } else if (o instanceof PrivateKeyInfo) {
-                    final PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) o;
-                    final PEMKeyPair pemKeyPair = privateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
-                    kp = pemConverter.getKeyPair(pemKeyPair);
-                } else if (o instanceof PKCS8EncryptedPrivateKeyInfo) {
-                    final PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) o;
-                    final PrivateKeyInfo privateKeyInfo = readEncryptedPrivateKeyInfo(encryptedPrivateKeyInfo);
-                    final PEMKeyPair pemKeyPair = privateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
-                    kp = pemConverter.getKeyPair(pemKeyPair);
-                } else {
-                    log.warn("Unexpected PKCS8 PEM Object [{}]", o);
-                }
-
-            } catch (EncryptionException e) {
-                if (pwdf != null && pwdf.shouldRetry(resource))
-                    continue;
-                else
-                    throw new KeyDecryptionFailedException(e);
-            } finally {
-                IOUtils.closeQuietly(r);
             }
-            break;
+        } else {
+            pemKeyReader = new StandardPEMKeyReader();
         }
 
-        if (kp == null)
+        try (BufferedReader bufferedReader = new BufferedReader(resource.getReader())) {
-            throw new IOException("Could not read key pair from: " + resource);
+            final PEMKey pemKey = pemKeyReader.readPemKey(bufferedReader);
-        return kp;
+            return readKeyPair(pemKey);
+        }
+    }
+
+    private KeyPair readKeyPair(final PEMKey pemKey) throws IOException {
+        final KeyPair keyPair;
+
+        final PEMKeyType pemKeyType = pemKey.getPemKeyType();
+        final byte[] pemKeyBody = pemKey.getBody();
+
+        if (PEMKeyType.DSA == pemKeyType) {
+            keyPair = readDsaKeyPair(pemKeyBody);
+        } else if (PEMKeyType.EC == pemKeyType) {
+            keyPair = readEcKeyPair(pemKeyBody);
+        } else if (PEMKeyType.PKCS8 == pemKeyType) {
+            keyPair = getPkcs8KeyPair(pemKeyBody);
+        } else if (PEMKeyType.PKCS8_ENCRYPTED == pemKeyType) {
+            keyPair = readEncryptedPkcs8KeyPair(pemKeyBody);
+        } else if (PEMKeyType.RSA == pemKeyType) {
+            keyPair = readRsaKeyPair(pemKeyBody);
+        } else {
+            throw new IOException(String.format("PEM Key Type [%s] not supported", pemKeyType));
+        }
+
+        return keyPair;
     }
 
     @Override
@@ -117,36 +135,304 @@ public class PKCS8KeyFile extends BaseFileKeyProvider {
         return "PKCS8KeyFile{resource=" + resource + "}";
     }
 
-    private PEMKeyPair readEncryptedKeyPair(final PEMEncryptedKeyPair encryptedKeyPair) throws IOException {
+    private KeyPair readDsaKeyPair(final byte[] pemKeyBody) throws IOException {
-        final JcePEMDecryptorProviderBuilder builder = new JcePEMDecryptorProviderBuilder();
+        try (ASN1InputStream inputStream = new ASN1InputStream(new DERDecoder(), pemKeyBody)) {
-        if (SecurityUtils.getSecurityProvider() != null) {
+            final ASN1Sequence sequence = inputStream.readObject();
-            builder.setProvider(SecurityUtils.getSecurityProvider());
+
-        }
+            final BigInteger p = getBigInteger(sequence, 1);
-        char[] passphrase = null;
+            final BigInteger q = getBigInteger(sequence, 2);
-        try {
+            final BigInteger g = getBigInteger(sequence, 3);
-            passphrase = pwdf == null ? null : pwdf.reqPassword(resource);
+
-            return encryptedKeyPair.decryptKeyPair(builder.build(passphrase));
+            final BigInteger y = getBigInteger(sequence, 4);
-        } finally {
+            final BigInteger x = getBigInteger(sequence, 5);
-            PasswordUtils.blankOut(passphrase);
+
+            final DSAPrivateKeySpec privateKeySpec = new DSAPrivateKeySpec(x, p, q, g);
+            final DSAPublicKeySpec publicKeySpec = new DSAPublicKeySpec(y, p, q, g);
+
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(KeyAlgorithm.DSA);
+            final PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
+            final PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);
+            return new KeyPair(publicKey, privateKey);
+        } catch (final Exception e) {
+            throw new IOException("PEM Key [DSA] processing failed", e);
         }
     }
 
-    private PrivateKeyInfo readEncryptedPrivateKeyInfo(final PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo) throws EncryptionException {
+    private KeyPair readRsaKeyPair(final byte[] pemKeyBody) throws IOException {
-        final JceOpenSSLPKCS8DecryptorProviderBuilder builder = new JceOpenSSLPKCS8DecryptorProviderBuilder();
+        try (ASN1InputStream inputStream = new ASN1InputStream(new DERDecoder(), pemKeyBody)) {
-        if (SecurityUtils.getSecurityProvider() != null) {
+            final ASN1Sequence sequence = inputStream.readObject();
-            builder.setProvider(SecurityUtils.getSecurityProvider());
+            final BigInteger modulus = getBigInteger(sequence, 1);
+            final BigInteger publicExponent = getBigInteger(sequence, 2);
+            final BigInteger privateExponent = getBigInteger(sequence, 3);
+            final BigInteger prime1 = getBigInteger(sequence, 4);
+            final BigInteger prime2 = getBigInteger(sequence, 5);
+            final BigInteger exponent1 = getBigInteger(sequence, 6);
+            final BigInteger exponent2 = getBigInteger(sequence, 7);
+            final BigInteger coefficient = getBigInteger(sequence, 8);
+
+            final RSAPrivateCrtKeySpec privateKeySpec = new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, coefficient);
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(KeyAlgorithm.RSA);
+            final PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);
+
+            final RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(modulus, publicExponent);
+            final PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
+
+            return new KeyPair(publicKey, privateKey);
+        } catch (final Exception e) {
+            throw new IOException("PEM Key [RSA] processing failed", e);
         }
-        char[] passphrase = null;
+    }
+
+    private KeyPair readEcKeyPair(final byte[] pemKeyBody) throws IOException {
+        try (ASN1InputStream inputStream = new ASN1InputStream(new DERDecoder(), pemKeyBody)) {
+            final ASN1Sequence sequence = inputStream.readObject();
+
+            final ASN1TaggedObject taggedObjectParameters = (ASN1TaggedObject) sequence.get(2);
+            final ASN1ObjectIdentifier objectIdentifier = (ASN1ObjectIdentifier) taggedObjectParameters.getObject();
+            final String objectId = objectIdentifier.getValue();
+            final ECNamedCurveObjectIdentifier ecNamedCurveObjectIdentifier = getEcNamedCurve(objectId);
+
+            final ASN1OctetString privateKeyOctetString = (ASN1OctetString) sequence.get(1);
+            final BigInteger privateKeyInteger = new BigInteger(1, privateKeyOctetString.getValue());
+            final ECPrivateKey privateKey = (ECPrivateKey) ECDSAKeyFactory.getPrivateKey(privateKeyInteger, ecNamedCurveObjectIdentifier.ecdsaCurve);
+            final ECParameterSpec ecParameterSpec = privateKey.getParams();
+
+            final ASN1TaggedObject taggedBitString = (ASN1TaggedObject) sequence.get(3);
+            final ASN1BitString publicKeyBitString = (ASN1BitString) taggedBitString.getObject();
+            final byte[] bitString = publicKeyBitString.getValueBytes();
+            final PublicKey publicKey = getEcPublicKey(bitString, ecParameterSpec);
+            return new KeyPair(publicKey, privateKey);
+        } catch (final Exception e) {
+            throw new IOException("PEM Key [EC] processing failed", e);
+        }
+    }
+
+    private ECNamedCurveObjectIdentifier getEcNamedCurve(final String objectId) {
+        ECNamedCurveObjectIdentifier objectIdentifierFound = null;
+
+        for (final ECNamedCurveObjectIdentifier objectIdentifier : ECNamedCurveObjectIdentifier.values()) {
+            if (objectIdentifier.objectId.equals(objectId)) {
+                objectIdentifierFound = objectIdentifier;
+            }
+        }
+
+        if (objectIdentifierFound == null) {
+            throw new IllegalArgumentException(String.format("ECDSA Key Algorithm [%s] not supported", objectId));
+        }
+
+        return objectIdentifierFound;
+    }
+
+    private KeyPair readEncryptedPkcs8KeyPair(final byte[] pemKeyBody) throws IOException {
+        if (pwdf == null) {
+            throw new KeyDecryptionFailedException("Password not provided for encrypted PKCS8 key");
+        }
+
+        KeyPair keyPair = null;
         try {
-            passphrase = pwdf == null ? null : pwdf.reqPassword(resource);
+            char[] password = pwdf.reqPassword(resource);
-            final InputDecryptorProvider inputDecryptorProvider = builder.build(passphrase);
+            while (password != null) {
-            return encryptedPrivateKeyInfo.decryptPrivateKeyInfo(inputDecryptorProvider);
+                try {
-        } catch (final OperatorCreationException e) {
+                    final PKCS8EncodedKeySpec encodedKeySpec = getPkcs8DecryptedKeySpec(password, pemKeyBody);
-            throw new EncryptionException("Loading Password for Encrypted Private Key Failed", e);
+                    keyPair = getPkcs8KeyPair(encodedKeySpec.getEncoded());
-        } catch (final PKCSException e) {
+                    break;
-            throw new EncryptionException("Reading Encrypted Private Key Failed", e);
+                } catch (final KeyDecryptionFailedException e) {
+                    if (pwdf.shouldRetry(resource)) {
+                        password = pwdf.reqPassword(resource);
+                    } else {
+                        throw e;
+                    }
+                }
+            }
+        } catch (final GeneralSecurityException e) {
+            throw new IOException("PEM Key [PKCS8] processing failed", e);
+        }
+
+        if (keyPair == null) {
+            throw new KeyDecryptionFailedException("PEM Key [PKCS8] decryption failed");
+        }
+
+        return keyPair;
+    }
+
+    private PKCS8EncodedKeySpec getPkcs8DecryptedKeySpec(final char[] password, final byte[] encoded) throws IOException, GeneralSecurityException {
+        try {
+            final EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(encoded);
+            final AlgorithmParameters algorithmParameters = encryptedPrivateKeyInfo.getAlgParameters();
+            final String secretKeyAlgorithm = algorithmParameters.toString();
+            final SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(secretKeyAlgorithm);
+            final PBEKeySpec secretKeySpec = new PBEKeySpec(password);
+            final SecretKey secretKey = secretKeyFactory.generateSecret(secretKeySpec);
+            final Cipher cipher = Cipher.getInstance(secretKeyAlgorithm);
+            cipher.init(Cipher.DECRYPT_MODE, secretKey, algorithmParameters);
+
+            try {
+                return encryptedPrivateKeyInfo.getKeySpec(cipher);
+            } catch (final GeneralSecurityException e) {
+                throw new KeyDecryptionFailedException(String.format("PKCS8 Key Decryption failed for algorithm [%s]", secretKeyAlgorithm), e);
+            }
         } finally {
-            PasswordUtils.blankOut(passphrase);
+            PasswordUtils.blankOut(password);
+        }
+    }
+
+    private KeyPair getPkcs8KeyPair(final byte[] encoded) throws IOException {
+        try (ASN1InputStream inputStream = new ASN1InputStream(new DERDecoder(), encoded)) {
+            final ASN1Sequence sequence = inputStream.readObject();
+
+            final ASN1Sequence privateKeyAlgorithmSequence =  (ASN1Sequence) sequence.get(1);
+            final ASN1ObjectIdentifier privateKeyAlgorithm = (ASN1ObjectIdentifier) privateKeyAlgorithmSequence.get(0);
+            final String privateKeyAlgorithmObjectId = privateKeyAlgorithm.getValue();
+            final KeyAlgorithmObjectIdentifier keyAlgorithmObjectIdentifier = getKeyAlgorithmObjectIdentifier(privateKeyAlgorithmObjectId);
+
+            return getPkcs8KeyPair(keyAlgorithmObjectIdentifier, encoded);
+        } catch (final Exception e) {
+            throw new IOException("PEM Key [PKCS8] processing failed", e);
+        }
+    }
+
+    private KeyPair getPkcs8KeyPair(final KeyAlgorithmObjectIdentifier objectIdentifier, final byte[] privateKeyInfo) throws GeneralSecurityException {
+        final PublicKey publicKey;
+
+        final PrivateKey privateKey = getPkcs8PrivateKey(objectIdentifier, privateKeyInfo);
+
+        if (privateKey instanceof RSAPrivateCrtKey) {
+            final RSAPrivateCrtKey rsaPrivateKey = (RSAPrivateCrtKey) privateKey;
+            final BigInteger modulus = rsaPrivateKey.getModulus();
+            final BigInteger publicExponent = rsaPrivateKey.getPublicExponent();
+            final RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(modulus, publicExponent);
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(privateKey.getAlgorithm());
+            publicKey = keyFactory.generatePublic(publicKeySpec);
+        } else if (privateKey instanceof DSAPrivateKey) {
+            final DSAPrivateKey dsaPrivateKey = (DSAPrivateKey) privateKey;
+            final DSAParams dsaParams = dsaPrivateKey.getParams();
+            final BigInteger p = dsaParams.getP();
+            final BigInteger g = dsaParams.getG();
+            final BigInteger q = dsaParams.getQ();
+            final BigInteger x = dsaPrivateKey.getX();
+            final BigInteger y = g.modPow(x, p);
+            final DSAPublicKeySpec publicKeySpec = new DSAPublicKeySpec(y, p, q, g);
+            final KeyFactory keyFactory = SecurityUtils.getKeyFactory(privateKey.getAlgorithm());
+            publicKey = keyFactory.generatePublic(publicKeySpec);
+        } else if (privateKey instanceof ECPrivateKey) {
+            final ECPrivateKey ecPrivateKey = (ECPrivateKey) privateKey;
+            final ECParameterSpec ecParameterSpec = ecPrivateKey.getParams();
+
+            // Read ECDSA Public Key from ASN.1
+            try (ASN1InputStream inputStream = new ASN1InputStream(new DERDecoder(), privateKeyInfo)) {
+                final ASN1Sequence sequence = inputStream.readObject();
+                final ASN1OctetString keyOctetString = (ASN1OctetString) sequence.get(2);
+                final byte[] keyBytes = keyOctetString.getValue();
+                try (ASN1InputStream keyInputStream = new ASN1InputStream(new DERDecoder(), keyBytes)) {
+                    final ASN1Sequence keySequence = keyInputStream.readObject();
+                    final ASN1TaggedObject taggedObject = (ASN1TaggedObject) keySequence.get(2);
+                    final ASN1BitString publicKeyBitString = taggedObject.getObject(ASN1Tag.BIT_STRING);
+                    final byte[] bitString = publicKeyBitString.getValueBytes();
+
+                    publicKey = getEcPublicKey(bitString, ecParameterSpec);
+                }
+            } catch (final IOException e) {
+                throw new GeneralSecurityException("ECDSA Private Key Info parsing failed", e);
+            }
+        } else {
+            throw new GeneralSecurityException(String.format("PEM Key [PKCS8] algorithm [%s] Key Pair derivation not supported", privateKey.getAlgorithm()));
+        }
+
+        return new KeyPair(publicKey, privateKey);
+    }
+
+    private PrivateKey getPkcs8PrivateKey(final KeyAlgorithmObjectIdentifier objectIdentifier, final byte[] privateKeyInfo) throws GeneralSecurityException {
+        final PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyInfo);
+        final KeyFactory keyFactory = SecurityUtils.getKeyFactory(objectIdentifier.name());
+        return keyFactory.generatePrivate(keySpec);
+    }
+
+    private PublicKey getEcPublicKey(final byte[] bitString, final ECParameterSpec ecParameterSpec) throws GeneralSecurityException {
+        final EllipticCurve ellipticCurve = ecParameterSpec.getCurve();
+        final ECField ecField = ellipticCurve.getField();
+        final int fieldSize = (ecField.getFieldSize() + 7) / 8;
+        final int publicKeyPointSize = fieldSize * 2;
+
+        final byte[] x = new byte[fieldSize];
+        final byte[] y = new byte[fieldSize];
+
+        final int pointOffset = bitString.length - publicKeyPointSize;
+
+        System.arraycopy(bitString, pointOffset, x, 0, x.length);
+        System.arraycopy(bitString, pointOffset + y.length, y, 0, y.length);
+
+        final BigInteger pointX = new BigInteger(1, x);
+        final BigInteger pointY = new BigInteger(1, y);
+        final ECPoint point = new ECPoint(pointX, pointY);
+        final ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(point, ecParameterSpec);
+
+        final KeyFactory keyFactory = SecurityUtils.getKeyFactory(KeyAlgorithm.EC_KEYSTORE);
+        return keyFactory.generatePublic(publicKeySpec);
+    }
+
+    private KeyAlgorithmObjectIdentifier getKeyAlgorithmObjectIdentifier(final String objectId) {
+        KeyAlgorithmObjectIdentifier keyAlgorithmObjectIdentifier = null;
+
+        for (final KeyAlgorithmObjectIdentifier objectIdentifier : KeyAlgorithmObjectIdentifier.values()) {
+            if (objectIdentifier.getObjectId().equals(objectId)) {
+                keyAlgorithmObjectIdentifier = objectIdentifier;
+            }
+        }
+
+        if (keyAlgorithmObjectIdentifier == null) {
+            throw new IllegalArgumentException(String.format("PKCS8 Private Key Algorithm [%s] not supported", objectId));
+        }
+
+        return keyAlgorithmObjectIdentifier;
+    }
+
+    private BigInteger getBigInteger(final ASN1Sequence sequence, final int index) {
+        final ASN1Integer integer = (ASN1Integer) sequence.get(index);
+        return integer.getValue();
+    }
+
+    private static boolean isHistoricalDecryptionSupported() {
+        try {
+            // Support requires Bouncy Castle library for OpenSSL password-based decryption
+            Class.forName(BOUNCY_CASTLE_CLASS);
+            return true;
+        } catch (final Exception e) {
+            return false;
+        }
+    }
+
+    private enum ECNamedCurveObjectIdentifier {
+        SECP256R1("1.2.840.10045.3.1.7", ECDSACurve.SECP256R1),
+
+        SECP384R1("1.3.132.0.34", ECDSACurve.SECP384R1),
+
+        SECP521R1("1.3.132.0.35", ECDSACurve.SECP521R1);
+
+        private final String objectId;
+
+        private final ECDSACurve ecdsaCurve;
+
+        ECNamedCurveObjectIdentifier(final String objectId, final ECDSACurve ecdsaCurve) {
+            this.objectId = objectId;
+            this.ecdsaCurve = ecdsaCurve;
+        }
+    }
+
+    private enum KeyAlgorithmObjectIdentifier {
+        DSA("1.2.840.10040.4.1"),
+
+        EC("1.2.840.10045.2.1"),
+
+        RSA("1.2.840.113549.1.1.1");
+
+        private final String objectId;
+
+        KeyAlgorithmObjectIdentifier(final String objectId) {
+            this.objectId = objectId;
+        }
+
+        String getObjectId() {
+            return objectId;
         }
     }
 }

src/main/java/net/schmizz/sshj/userauth/keyprovider/PuTTYKeyFile.java

@@ -16,12 +16,6 @@
 package net.schmizz.sshj.userauth.keyprovider;
 
 import com.hierynomus.sshj.common.KeyAlgorithm;
-import net.i2p.crypto.eddsa.EdDSAPrivateKey;
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveSpec;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
-import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 import net.schmizz.sshj.common.*;
 import net.schmizz.sshj.userauth.password.PasswordUtils;
 import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
@@ -165,10 +159,17 @@ public class PuTTYKeyFile extends BaseFileKeyProvider {
             }
         }
         if (KeyType.ED25519.equals(keyType)) {
-            EdDSANamedCurveSpec ed25519 = EdDSANamedCurveTable.getByName("Ed25519");
+            try {
-            EdDSAPublicKeySpec publicSpec = new EdDSAPublicKeySpec(publicKeyReader.readBytes(), ed25519);
+                final byte[] publicKeyEncoded = publicKeyReader.readBytes();
-            EdDSAPrivateKeySpec privateSpec = new EdDSAPrivateKeySpec(privateKeyReader.readBytes(), ed25519);
+                final PublicKey edPublicKey = Ed25519KeyFactory.getPublicKey(publicKeyEncoded);
-            return new KeyPair(new EdDSAPublicKey(publicSpec), new EdDSAPrivateKey(privateSpec));
+
+                final byte[] privateKeyEncoded = privateKeyReader.readBytes();
+                final PrivateKey edPrivateKey = Ed25519KeyFactory.getPrivateKey(privateKeyEncoded);
+
+                return new KeyPair(edPublicKey, edPrivateKey);
+            } catch (final GeneralSecurityException e) {
+                throw new IOException("Reading Ed25519 Keys failed", e);
+            }
         }
         final ECDSACurve ecdsaCurve;
         switch (keyType) {
@@ -200,9 +201,8 @@ public class PuTTYKeyFile extends BaseFileKeyProvider {
 
     protected void parseKeyPair() throws IOException {
         this.keyFileVersion = null;
-        BufferedReader r = new BufferedReader(resource.getReader());
         // Parse the text into headers and payloads
-        try {
+        try (BufferedReader r = new BufferedReader(resource.getReader())) {
             String headerName = null;
             String line;
             while ((line = r.readLine()) != null) {
@@ -225,8 +225,6 @@ public class PuTTYKeyFile extends BaseFileKeyProvider {
                     payload.put(headerName, s);
                 }
             }
-        } finally {
-            r.close();
         }
         if (this.keyFileVersion == null) {
             throw new IOException("Invalid key file format: missing \"PuTTY-User-Key-File-?\" entry");

src/main/java/net/schmizz/sshj/userauth/keyprovider/StandardPEMKeyReader.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Standard implementation of PEM Key Reader supporting Base64 decoding without decryption
+ */
+class StandardPEMKeyReader implements PEMKeyReader {
+    private static final String HEADER_DELIMITER = "-----BEGIN";
+
+    private static final String FOOTER_DELIMITER = "-----END";
+
+    private static final char PEM_HEADER_DELIMITER = ':';
+
+    private static final int CHARACTER_NOT_FOUND = -1;
+
+    private static final String HEADER_NOT_FOUND = "header not found";
+
+    private static final Base64.Decoder bodyDecoder = Base64.getDecoder();
+
+    /**
+     * Read PEM Key from Buffered Reader
+     *
+     * @param bufferedReader Buffered Reader containing lines from resource reader
+     * @return PEM Key
+     * @throws IOException Thrown on failure to read or decode PEM Key
+     */
+    @Override
+    public PEMKey readPemKey(final BufferedReader bufferedReader) throws IOException {
+        Objects.requireNonNull(bufferedReader, "Reader required");
+        final PEMKey.PEMKeyType pemKeyType = findPemKeyType(bufferedReader);
+        return readPemKeyBody(pemKeyType, bufferedReader);
+    }
+
+    private PEMKey.PEMKeyType findPemKeyType(final BufferedReader bufferedReader) throws IOException {
+        PEMKey.PEMKeyType pemKeyTypeFound = null;
+
+        String header = HEADER_NOT_FOUND;
+        String line = bufferedReader.readLine();
+        readLoop: while (line != null) {
+            if (line.startsWith(HEADER_DELIMITER)) {
+                header = line;
+                for (final PEMKey.PEMKeyType pemKeyType : PEMKey.PEMKeyType.values()) {
+                    if (pemKeyType.getHeader().equals(line)) {
+                        pemKeyTypeFound = pemKeyType;
+                        break readLoop;
+                    }
+                }
+            }
+
+            line = bufferedReader.readLine();
+        }
+
+        if (pemKeyTypeFound == null) {
+            throw new IOException(String.format("Supported PEM Key Type not found for header [%s]", header));
+        }
+
+        return pemKeyTypeFound;
+    }
+
+    private PEMKey readPemKeyBody(final PEMKey.PEMKeyType pemKeyType, final BufferedReader bufferedReader) throws IOException {
+        final StringBuilder builder = new StringBuilder();
+
+        final List<String> headers = new ArrayList<>();
+
+        String line = bufferedReader.readLine();
+        while (line != null) {
+            if (line.startsWith(FOOTER_DELIMITER)) {
+                break;
+            }
+
+            if (line.indexOf(PEM_HEADER_DELIMITER) > CHARACTER_NOT_FOUND) {
+                headers.add(line);
+            } else if (!line.isEmpty()) {
+                builder.append(line);
+            }
+
+            line = bufferedReader.readLine();
+        }
+
+        final String pemKeyBody = builder.toString();
+        final byte[] pemKeyBodyDecoded = getPemKeyBodyDecoded(pemKeyBody);
+        return new PEMKey(pemKeyType, headers, pemKeyBodyDecoded);
+    }
+
+    private byte[] getPemKeyBodyDecoded(final String pemKeyBodyEncoded) throws IOException {
+        try {
+            return bodyDecoder.decode(pemKeyBodyEncoded);
+        } catch (final IllegalArgumentException e) {
+            throw new IOException("Base64 decoding of PEM Key failed", e);
+        }
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/DSAPrivateKeyInfoKeyPairConverter.java

@@ -1,90 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package net.schmizz.sshj.userauth.keyprovider.pkcs;
-
-import org.bouncycastle.asn1.ASN1Integer;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.crypto.params.DSAParameters;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.util.Objects;
-
-/**
- * Key Pair Converter from DSA Private Key Information to PEM Key Pair
- */
-class DSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
-    private static final Logger logger = LoggerFactory.getLogger(DSAPrivateKeyInfoKeyPairConverter.class);
-
-    private static final int P_INDEX = 0;
-
-    private static final int Q_INDEX = 1;
-
-    private static final int G_INDEX = 2;
-
-    /**
-     * Get PEM Key Pair calculating DSA Public Key from DSA Private Key Information
-     *
-     * @param privateKeyInfo DSA Private Key Information
-     * @return PEM Key Pair
-     * @throws IOException Thrown on Public Key parsing failures
-     */
-    @Override
-    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
-        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
-        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
-        if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
-            logger.debug("DSA Algorithm Found [{}]", algorithm);
-        } else {
-            throw new IllegalArgumentException(String.format("DSA Algorithm OID required [%s]", algorithm));
-        }
-        final ASN1Integer encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
-        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
-        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
-    }
-
-    /**
-     * Get ASN.1 Encoded Public Key calculated according to RFC 6979 Section 2.2
-     *
-     * @param privateKeyInfo DSA Private Key Information
-     * @return ASN.1 Encoded DSA Public Key
-     * @throws IOException Thrown on failures parsing private key
-     */
-    private ASN1Integer getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        final ASN1Integer privateKey = ASN1Integer.getInstance(privateKeyInfo.parsePrivateKey());
-        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
-        final DSAParameters dsaParameters = getDsaParameters(algorithmIdentifier);
-        final BigInteger publicKey = dsaParameters.getG().modPow(privateKey.getValue(), dsaParameters.getP());
-        return new ASN1Integer(publicKey);
-    }
-
-    private DSAParameters getDsaParameters(final AlgorithmIdentifier algorithmIdentifier) {
-        final ASN1Sequence sequence = ASN1Sequence.getInstance(algorithmIdentifier.getParameters());
-        final ASN1Integer p = ASN1Integer.getInstance(sequence.getObjectAt(P_INDEX));
-        final ASN1Integer q = ASN1Integer.getInstance(sequence.getObjectAt(Q_INDEX));
-        final ASN1Integer g = ASN1Integer.getInstance(sequence.getObjectAt(G_INDEX));
-        return new DSAParameters(p.getValue(), q.getValue(), g.getValue());
-    }
-}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/ECDSAPrivateKeyInfoKeyPairConverter.java

@@ -1,90 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package net.schmizz.sshj.userauth.keyprovider.pkcs;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.sec.ECPrivateKey;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.asn1.x9.X9ECParameters;
-import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
-import org.bouncycastle.math.ec.ECMultiplier;
-import org.bouncycastle.math.ec.ECPoint;
-import org.bouncycastle.math.ec.FixedPointCombMultiplier;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.util.Objects;
-
-/**
- * Key Pair Converter from ECDSA Private Key Information to PEM Key Pair
- */
-class ECDSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
-    private static final Logger logger = LoggerFactory.getLogger(ECDSAPrivateKeyInfoKeyPairConverter.class);
-
-    private static final boolean POINT_COMPRESSED = false;
-
-    /**
-     * Get PEM Key Pair calculating ECDSA Public Key from ECDSA Private Key Information
-     *
-     * @param privateKeyInfo ECDSA Private Key Information
-     * @return PEM Key Pair
-     * @throws IOException Thrown on Public Key parsing failures
-     */
-    @Override
-    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
-        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
-        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
-        if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
-            logger.debug("ECDSA Algorithm Found [{}]", algorithm);
-        } else {
-            throw new IllegalArgumentException(String.format("ECDSA Algorithm OID required [%s]", algorithm));
-        }
-        final byte[] encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
-        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
-        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
-    }
-
-    /**
-     * Get Encoded Elliptic Curve Public Key calculated according to RFC 6979 Section 2.2
-     *
-     * @param privateKeyInfo ECDSA Private Key Information
-     * @return Encoded Elliptic Curve Public Key
-     * @throws IOException Thrown on failures parsing private key
-     */
-    private byte[] getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        final X9ECParameters parameters = getParameters(privateKeyInfo.getPrivateKeyAlgorithm());
-        final ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
-        final ECPoint publicKey = getPublicKey(parameters, ecPrivateKey.getKey());
-        return publicKey.getEncoded(POINT_COMPRESSED);
-    }
-
-    private X9ECParameters getParameters(final AlgorithmIdentifier algorithmIdentifier) {
-        final ASN1ObjectIdentifier encodedParameters = ASN1ObjectIdentifier.getInstance(algorithmIdentifier.getParameters());
-        return ECUtil.getNamedCurveByOid(encodedParameters);
-    }
-
-    private ECPoint getPublicKey(final X9ECParameters parameters, final BigInteger privateKey) {
-        final ECMultiplier multiplier = new FixedPointCombMultiplier();
-        return multiplier.multiply(parameters.getG(), privateKey);
-    }
-}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/PrivateKeyInfoKeyPairConverter.java

@@ -1,61 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package net.schmizz.sshj.userauth.keyprovider.pkcs;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.openssl.PEMKeyPair;
-
-import java.io.IOException;
-import java.util.Objects;
-
-/**
- * Key Pair Converter for Private Key Information using known Algorithm Object Identifiers
- */
-public class PrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
-    private DSAPrivateKeyInfoKeyPairConverter dsaPrivateKeyInfoKeyPairConverter = new DSAPrivateKeyInfoKeyPairConverter();
-
-    private ECDSAPrivateKeyInfoKeyPairConverter ecdsaPrivateKeyInfoKeyPairConverter = new ECDSAPrivateKeyInfoKeyPairConverter();
-
-    private RSAPrivateKeyInfoKeyPairConverter rsaPrivateKeyInfoKeyPairConverter = new RSAPrivateKeyInfoKeyPairConverter();
-
-    /**
-     * Get PEM Key Pair delegating to configured converters based on Algorithm Object Identifier
-     *
-     * @param privateKeyInfo Private Key Information
-     * @return PEM Key Pair
-     * @throws IOException Thrown on conversion failures
-     */
-    @Override
-    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
-        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
-        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
-
-        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
-            return rsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
-        } else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
-            return ecdsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
-        } else if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
-            return dsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
-        } else {
-            throw new IllegalArgumentException(String.format("Unsupported Algorithm [%s]", algorithm));
-        }
-    }
-}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/RSAPrivateKeyInfoKeyPairConverter.java

@@ -1,65 +0,0 @@
-/*
- * Copyright (C)2009 - SSHJ Contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package net.schmizz.sshj.userauth.keyprovider.pkcs;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
-import org.bouncycastle.asn1.pkcs.RSAPublicKey;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.util.Objects;
-
-/**
- * Key Pair Converter from RSA Private Key Information to PEM Key Pair
- */
-class RSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
-    private static final Logger logger = LoggerFactory.getLogger(RSAPrivateKeyInfoKeyPairConverter.class);
-
-    /**
-     * Get PEM Key Pair parsing RSA Public Key attributes from RSA Private Key Information
-     *
-     * @param privateKeyInfo RSA Private Key Information
-     * @return PEM Key Pair
-     * @throws IOException Thrown on Public Key parsing failures
-     */
-    @Override
-    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
-        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
-        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
-        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
-            logger.debug("RSA Algorithm Found [{}]", algorithm);
-        } else {
-            throw new IllegalArgumentException(String.format("RSA Algorithm OID required [%s]", algorithm));
-        }
-
-        final RSAPublicKey rsaPublicKey = getRsaPublicKey(privateKeyInfo);
-        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, rsaPublicKey);
-        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
-    }
-
-    private RSAPublicKey getRsaPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
-        final RSAPrivateKey rsaPrivateKey = RSAPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
-        return new RSAPublicKey(rsaPrivateKey.getModulus(), rsaPrivateKey.getPublicExponent());
-    }
-}

src/test/java/com/hierynomus/sshj/transport/GcmCipherDecryptSshPacketTest.java

@@ -19,13 +19,10 @@ import com.hierynomus.sshj.transport.cipher.GcmCiphers;
 import net.schmizz.sshj.common.IOUtils;
 import net.schmizz.sshj.common.SSHPacket;
 import net.schmizz.sshj.transport.cipher.Cipher;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
-import java.security.Security;
 import java.util.Arrays;
 import java.util.stream.Stream;
 
@@ -42,11 +39,6 @@ public class GcmCipherDecryptSshPacketTest {
         return Stream.of(Arguments.of("mina-sshd", 3), Arguments.of("openssh", 4));
     }
 
-    @BeforeAll
-    public static void setupBeforeClass() {
-        Security.addProvider(new BouncyCastleProvider());
-    }
-
     @ParameterizedTest
     @MethodSource("sets")
     public void testDecryptPacket(String ssh, int nr) throws Exception {

src/test/java/com/hierynomus/sshj/transport/verification/OpenSSHKnownHostsTest.java

@@ -16,10 +16,8 @@
 package com.hierynomus.sshj.transport.verification;
 
 import net.schmizz.sshj.common.Buffer;
-import net.schmizz.sshj.common.SecurityUtils;
 import net.schmizz.sshj.transport.verification.OpenSSHKnownHosts;
 import net.schmizz.sshj.util.KeyUtil;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -41,11 +39,6 @@ public class OpenSSHKnownHostsTest {
     @TempDir
     public File tempDir;
 
-    @BeforeAll
-    public static void setup() {
-        SecurityUtils.registerSecurityProvider("org.bouncycastle.jce.provider.BouncyCastleProvider");
-    }
-
     @Test
     public void shouldParseAndVerifyHashedHostEntry() throws Exception {
         File knownHosts = knownHosts(

src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java

@@ -222,7 +222,7 @@ public class OpenSSHKeyFileTest {
         OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
         keyFile.init(new File("src/test/resources/keytypes/test_ed25519"));
         PrivateKey aPrivate = keyFile.getPrivate();
-        assertThat(aPrivate.getAlgorithm(), equalTo("EdDSA"));
+        assertThat(aPrivate.getAlgorithm(), equalTo("Ed25519"));
     }
 
     @Test
@@ -343,7 +343,7 @@ public class OpenSSHKeyFileTest {
         WipeTrackingPasswordFinder pwf = new WipeTrackingPasswordFinder(password, withRetry);
         keyFile.init(new File(key), pwf);
         PrivateKey aPrivate = keyFile.getPrivate();
-        assertThat(aPrivate.getAlgorithm(), equalTo("EdDSA"));
+        assertThat(aPrivate.getAlgorithm(), equalTo("Ed25519"));
         pwf.assertWiped();
     }
 

src/test/java/net/schmizz/sshj/keyprovider/PKCS8KeyFileTest.java

@@ -126,8 +126,8 @@ public class PKCS8KeyFileTest {
     public void testPkcs8Ecdsa() throws IOException {
         final PKCS8KeyFile provider = new PKCS8KeyFile();
         provider.init(getFile("pkcs8-ecdsa"));
-        assertEquals(KeyAlgorithm.ECDSA, provider.getPublic().getAlgorithm());
+        assertEquals(KeyAlgorithm.EC_KEYSTORE, provider.getPublic().getAlgorithm());
-        assertEquals(KeyAlgorithm.ECDSA, provider.getPrivate().getAlgorithm());
+        assertEquals(KeyAlgorithm.EC_KEYSTORE, provider.getPrivate().getAlgorithm());
     }
 
     @Test

src/test/java/net/schmizz/sshj/transport/DecoderDecryptGcmCipherSshPacketTest.java

@@ -22,12 +22,10 @@ import net.schmizz.sshj.common.LoggerFactory;
 import net.schmizz.sshj.common.SSHException;
 import net.schmizz.sshj.common.SSHPacket;
 import net.schmizz.sshj.transport.cipher.Cipher;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.security.SecureRandom;
-import java.security.Security;
 
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.mockito.ArgumentMatchers.any;
@@ -49,7 +47,6 @@ public class DecoderDecryptGcmCipherSshPacketTest {
 
     @BeforeEach
     public void setUp() throws Exception {
-        Security.addProvider(new BouncyCastleProvider());
         ClassLoader classLoader = DecoderDecryptGcmCipherSshPacketTest.class.getClassLoader();
         iv = IOUtils.readFully(classLoader.getResourceAsStream("ssh-packets/gcm/mina-sshd/s2c.iv.bin" )).toByteArray();
         key = IOUtils.readFully(classLoader.getResourceAsStream("ssh-packets/gcm/mina-sshd/s2c.key.bin" )).toByteArray();

src/test/java/net/schmizz/sshj/transport/mac/BaseMacTest.java

@@ -17,10 +17,11 @@ package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
 import net.schmizz.sshj.common.SSHRuntimeException;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -28,9 +29,9 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.fail;
 
 public class BaseMacTest {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "24ddeed57ad91465c5b59dce74ef73778bfb0cb9";
+    private static final String EXPECTED_HMAC = "24 dd ee d5 7a d9 14 65 c5 b5 9d ce 74 ef 73 77 8b fb 0c b9";
     private static final String KEY = "et1Quo5ooCie6theel8i";
 
     @Test
@@ -38,7 +39,7 @@ public class BaseMacTest {
         BaseMAC hmac = Macs.HMACSHA1().create();
         hmac.init((KEY + "foo").getBytes(CHARSET));
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()),  is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()),  is(EXPECTED_HMAC));
     }
 
     @Test
@@ -54,7 +55,7 @@ public class BaseMacTest {
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()),  is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()),  is(EXPECTED_HMAC));
     }
 
     @Test
@@ -67,13 +68,13 @@ public class BaseMacTest {
 
         // update with the range from the second to penultimate byte
         hmac.update(plainText, 1, PLAIN_TEXT.length);
-        assertThat(Hex.toHexString(hmac.doFinal()),  is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()),  is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -82,7 +83,7 @@ public class BaseMacTest {
         byte[] resultBuf = new byte[20];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACMD596Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACMD596Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "dff33c507463f9cf088a5ce8";
+    private static final String EXPECTED_HMAC = "df f3 3c 50 74 63 f9 cf 08 8a 5c e8";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()), is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)),
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)),
                 is(EXPECTED_HMAC));
     }
 
@@ -49,7 +50,7 @@ public class HMACMD596Test {
         byte[] resultBuf = new byte[12];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACMD5Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACMD5Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "dff33c507463f9cf088a5ce8d969c386";
+    private static final String EXPECTED_HMAC = "df f3 3c 50 74 63 f9 cf 08 8a 5c e8 d9 69 c3 86";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()), is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -48,7 +49,7 @@ public class HMACMD5Test {
         byte[] resultBuf = new byte[16];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACSHA196Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACSHA196Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "24ddeed57ad91465c5b59dce";
+    private static final String EXPECTED_HMAC = "24 dd ee d5 7a d9 14 65 c5 b5 9d ce";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()), is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -48,7 +49,7 @@ public class HMACSHA196Test {
         byte[] resultBuf = new byte[12];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACSHA1Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACSHA1Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "24ddeed57ad91465c5b59dce74ef73778bfb0cb9";
+    private static final String EXPECTED_HMAC = "24 dd ee d5 7a d9 14 65 c5 b5 9d ce 74 ef 73 77 8b fb 0c b9";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()),  is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()),  is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -48,7 +49,7 @@ public class HMACSHA1Test {
         byte[] resultBuf = new byte[20];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACSHA2256Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACSHA2256Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "eb2207b2df36c7485f46d1be30418bc44e8134b4fdaabbe16d71f56ab24fce88";
+    private static final String EXPECTED_HMAC = "eb 22 07 b2 df 36 c7 48 5f 46 d1 be 30 41 8b c4 4e 81 34 b4 fd aa bb e1 6d 71 f5 6a b2 4f ce 88";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()), is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -48,7 +49,7 @@ public class HMACSHA2256Test {
         byte[] resultBuf = new byte[32];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {

src/test/java/net/schmizz/sshj/transport/mac/HMACSHA2512Test.java

@@ -16,30 +16,31 @@
 package net.schmizz.sshj.transport.mac;
 
 import com.hierynomus.sshj.transport.mac.Macs;
-import org.bouncycastle.util.encoders.Hex;
+import org.apache.sshd.common.util.buffer.BufferUtils;
 import org.junit.jupiter.api.Test;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 public class HMACSHA2512Test {
-    private static final Charset CHARSET = Charset.forName("US-ASCII");
+    private static final Charset CHARSET = StandardCharsets.US_ASCII;
     private static final byte[] PLAIN_TEXT = "Hello World".getBytes(CHARSET);
-    private static final String EXPECTED_HMAC = "28929cffc903039ef18cbc9cea6fd5f1420763af297a470d731236ed1f5a4c61d64dfccf6529265205bec932f2f7850c8ae4de1dc1a5259dc5b1fd85d8e62c04";
+    private static final String EXPECTED_HMAC = "28 92 9c ff c9 03 03 9e f1 8c bc 9c ea 6f d5 f1 42 07 63 af 29 7a 47 0d 73 12 36 ed 1f 5a 4c 61 d6 4d fc cf 65 29 26 52 05 be c9 32 f2 f7 85 0c 8a e4 de 1d c1 a5 25 9d c5 b1 fd 85 d8 e6 2c 04";
 
     @Test
     public void testUpdateWithDoFinal() {
         BaseMAC hmac = initHmac();
         hmac.update(PLAIN_TEXT);
-        assertThat(Hex.toHexString(hmac.doFinal()), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal()), is(EXPECTED_HMAC));
     }
 
     @Test
     public void testDoFinalWithInput() {
         BaseMAC hmac = initHmac();
-        assertThat(Hex.toHexString(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(hmac.doFinal(PLAIN_TEXT)), is(EXPECTED_HMAC));
     }
 
     @Test
@@ -48,7 +49,7 @@ public class HMACSHA2512Test {
         byte[] resultBuf = new byte[64];
         hmac.update(PLAIN_TEXT);
         hmac.doFinal(resultBuf, 0);
-        assertThat(Hex.toHexString(resultBuf), is(EXPECTED_HMAC));
+        assertThat(BufferUtils.toHex(resultBuf), is(EXPECTED_HMAC));
     }
 
     private BaseMAC initHmac() {