NoClassDefFoundError PKCS8EncodedKeySpec when running in Tomcat

Question

I use com.hieronymus:sshj in version 0.31.0 to establish an ssh connection between a Spring Boot application and a data exchange server. To authenticate the application a private SSH key is used, generated by the default settings of ssh-keygen, without password protection. It is stored in pem format as a file in the local file system.

The following code is used to handle the authentication:

override fun authenticate(ssh: SSHClient) {
    val keys = ssh.loadKeys(
        String(
            resourceLoader.getResource("/path/to/key").inputStream.readBytes()
        ),
        String(
            resourceLoader.getResource("/path/to/key.pub").inputStream.readBytes()
        ),
        null
    )
    ssh.authPublickey(username, keys)
}

When I run the application from IntelliJ or fat jar, everything works fine. Problems start to arise though when I package it as a war file and deploy it to a Tomcat 9 server running on JDK 11, which I also use to develop it:

java.lang.NoClassDefFoundError: java/security/spec/PKCS8EncodedKeySpec
        at org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi.engineGeneratePrivate(Unknown Source) ~[bcprov-jdk15on-1.68.jar:1.68.0]
        at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:384) ~[na:na]
        at com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile.readUnencrypted(OpenSSHKeyV1KeyFile.java:223) ~[sshj-0.31.0.jar:0.31.0]
        at com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile.readDecodedKeyPair(OpenSSHKeyV1KeyFile.java:113) ~[sshj-0.31.0.jar:0.31.0]
        at com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile.readKeyPair(OpenSSHKeyV1KeyFile.java:85) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.keyprovider.BaseFileKeyProvider.getPublic(BaseFileKeyProvider.java:81) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:45) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:62) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:81) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.method.AbstractAuthMethod.request(AbstractAuthMethod.java:68) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.userauth.UserAuthImpl.authenticate(UserAuthImpl.java:73) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.SSHClient.auth(SSHClient.java:221) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.SSHClient.authPublickey(SSHClient.java:342) ~[sshj-0.31.0.jar:0.31.0]
        at net.schmizz.sshj.SSHClient.authPublickey(SSHClient.java:360) ~[sshj-0.31.0.jar:0.31.0]
        at SSHClass.authenticate(SSHClass.kt:4711) ~[classes/:0.0.1-SNAPSHOT]

This did suprise me quite much, since PKCS8EncodedKeySpec is part of the "java core". The libraries were obviously able to parse the file but it failed when creating the key objects.

Does Tomcat somehow prevent deployed applications from parsing private SSH keys? Do I need to put the keys in some keystore and load them from there? Has anyone run into this problem?