Bug | Resolution: Won't Fix | P3 | None | 11, 17, 21, 22
For key exchange in TLS connections, the local side needs to generate the private key for the given named group. Here is the code in the SunJSSE provider:
XDHKeyExchange.java:
    XDHEPossession(NamedGroup namedGroup, SecureRandom random) {
        try {
            // Ask whichever installed provider is first for the group's algorithm (e.g. "XDH")
            KeyPairGenerator kpg
                    = KeyPairGenerator.getInstance(namedGroup.algorithm);
            kpg.initialize(namedGroup.keAlgParamSpec, random);
            KeyPair kp = kpg.generateKeyPair();
            privateKey = kp.getPrivate();
            // Unchecked cast: fails with ClassCastException if the provider's
            // key does not implement the standard XECPublicKey interface
            publicKey = (XECPublicKey) kp.getPublic();
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(
                "Could not generate XDH keypair", e);
        }
        this.namedGroup = namedGroup;
    }
The XDH public key is explicitly cast to XECPublicKey, which is fine for security providers that implement the Java Security API as specified. However, there is a public issue [1] with the BouncyCastle (BC) provider, which does not support the XECPublicKey interface for x25519/x448 named group key pair generation.
For such cases, it would be nice if key exchange algorithms other than x25519/x448 could be used for the connection. This update would make the SunJSSE provider more robust.
[1]: https://github.com/bcgit/bc-java/issues/1086
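An added example, not the JDK's own code, of the defensive shape this report asks for: the unchecked cast is replaced by an interface check, and the caller falls through to the next candidate group when a provider's key does not implement the expected standard interface instead of aborting with a ClassCastException. The `Candidate` record (Java 16+), the candidate list and the fallback order are assumptions for illustration.

```java
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.XECPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.util.List;
import java.util.Optional;

public class RobustKeGen {
    // Hypothetical candidate list: XDH groups first, an ECDHE curve as fallback
    record Candidate(String name, String algorithm, AlgorithmParameterSpec spec,
                     Class<? extends PublicKey> expected) {}

    static final List<Candidate> CANDIDATES = List.of(
        new Candidate("x25519", "XDH", NamedParameterSpec.X25519, XECPublicKey.class),
        new Candidate("x448", "XDH", NamedParameterSpec.X448, XECPublicKey.class),
        new Candidate("secp256r1", "EC", new ECGenParameterSpec("secp256r1"), ECPublicKey.class));

    // Returns empty instead of throwing when the provider's key cannot be used
    static Optional<KeyPair> tryGenerate(Candidate c, SecureRandom random) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(c.algorithm());
            kpg.initialize(c.spec(), random);
            KeyPair kp = kpg.generateKeyPair();
            // The cast in XDHEPossession becomes an isInstance check: a provider whose
            // key lacks the standard interface is skipped rather than crashing the handshake
            if (!c.expected().isInstance(kp.getPublic())) {
                System.err.println(c.name() + ": key from provider " + kpg.getProvider().getName()
                    + " does not implement " + c.expected().getSimpleName());
                return Optional.empty();
            }
            return Optional.of(kp);
        } catch (GeneralSecurityException e) {
            return Optional.empty();
        }
    }

    // Walk the candidates in preference order and keep the first usable key pair
    static Optional<KeyPair> firstUsable(SecureRandom random) {
        for (Candidate c : CANDIDATES) {
            Optional<KeyPair> kp = tryGenerate(c, random);
            if (kp.isPresent()) { System.out.println("using " + c.name()); return kp; }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        firstUsable(new SecureRandom())
            .orElseThrow(() -> new IllegalStateException("no usable key exchange group"));
    }
}
```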