Ajay Lohani

I am hoping that someone will respond back to this. Atleast to start a discussion....

We are working in enabling cnsa cipher suite in jsch. It is likely that defacult jce in java doesnot support most of these algorithm, we have our own FIPS and CNSA supported JCE provider to support these algorithm.The cipher suite we need to be supported in jsch are as follows: 1. HMAC-SHA-512 2. ecdh-sha2-nistp384 3. ecdsa-sha2-nistp384 4. aes-256-ctr/cbc The issue we faced with hmac-sha-512 and ecdsa-sha2-nistp384 are as follows : 1. hmac-sha512 : on enabling this algorithm. We were getting the buffer out of bound exception. We debug further and did the following correction to make it to work. We increase the buffer size taken in the method from 100 to 120. Channel class : method genChannelOpenPacket() Buffer buf = new Buffer(120) ecdsa-sha2-nistp384 : Although jsch claims to support this algorithm as well but the implementation used is the old implementation as per open ssh client documentation. The issue here is the signature for ecdsa (irrespective of the curve used ) always uses the same com.jcraft.jsch.jce.SignatureECDSA class which uses signature=java.security.Signature.getInstance("SHA256withECDSA"); This results in failure of a signature verification if host used ecdsa-nist-p384. We implemented a new class SignatureECDSAp384 and changes this line to signature=java.security.Signature.getInstance("SHA384withECDSA"); which result this algorithm to work. This error is propagated from open sshClient implementation of SSH to JSCH which is already rectified in OpenSSHClient but i think jsch has not accomodated this change. Either please address our request for this change or inform us if there is a way by which we can make sure these changes should get accomaodated in next release.

Hmac-sha512 and ecdsa-nistp384 is not working in jsch.

We are working in enabling cnsa cipher suite in jsch. It is likely that defacult...