Skip to content

Fix key export for non-CRT RSA keys and add Ed25519 PEM support #440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nindanaoto wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix key export for non-CRT RSA keys and add Ed25519 PEM support #440

nindanaoto wants to merge 2 commits into from
+348 −1

Conversation

@nindanaoto
Copy link
Contributor

@nindanaoto nindanaoto commented Jan 3, 2026

Fixes connectbot/connectbot#1812

This PR fixes SSH key export failures that occur when using security providers like Conscrypt, which return RSAPrivateKey impleme
ntations that don't implement RSAPrivateCrtKey (e.g., OpenSSLRSAPrivateKey). It also adds Ed25519 support to PEMEncoder.

Problem

When using the OSS build of ConnectBot (which uses Conscrypt's OpenSSL provider), exporting RSA keys fails with "Unsupported key
type" error because:

  • OpenSSHKeyEncoder.exportOpenSSH() only checked for RSAPrivateCrtKey
  • PEMEncoder.encodePrivateKey() only checked for RSAPrivateCrtKey
  • Conscrypt's OpenSSLRSAPrivateKey implements RSAPrivateKey but not RSAPrivateCrtKey

Additionally, Ed25519 keys could not be exported in PEM format.

Solution

  • Added handling for RSAPrivateKey (non-CRT) in both OpenSSHKeyEncoder and PEMEncoder
  • Parse the PKCS#8 encoded form to extract CRT parameters and convert to RSAPrivateCrtKey
  • Added encodeEd25519PrivateKey() to PEMEncoder using PKCS#8 format

Changes

File Description
OpenSSHKeyEncoder.java Handle non-CRT RSA keys via convertToRSAPrivateCrtKey()
PEMEncoder.java Handle non-CRT RSA keys + add Ed25519 PKCS#8 encoding
OpenSSHKeyEncoderTest.java Add tests for non-CRT RSA key export
PEMEncoderTest.java Add tests for non-CRT RSA and Ed25519 encoding

Testing

  • Added eight new tests covering non-CRT RSA and Ed25519 scenarios

🤖 Generated with Claude Code

@nindanaoto @claude
Fix key export for non-CRT RSA keys and add Ed25519 PEM support
2a0d843 
- Handle RSAPrivateKey that doesn't implement RSAPrivateCrtKey
  (e.g., Conscrypt's OpenSSLRSAPrivateKey) by parsing PKCS#8 encoded
  form to extract CRT parameters
- Add Ed25519 private key encoding to PEMEncoder in PKCS#8 format
- Add tests for non-CRT RSA key export and Ed25519 PEM encoding

Fixes connectbot/connectbot#1812

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@nindanaoto @claude
Consolidate duplicate convertToRSAPrivateCrtKey method
11170da 
Move the shared RSA key conversion logic to PEMEncoder and
make it package-visible so OpenSSHKeyEncoder can use it.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Export key - Unsupported Key Type

1 participant

@nindanaoto