ENT-11728: Switched to LTS version of BC. Also removed PQC algos as n… (#7706)

* ENT-11728: Switched to LTS version of BC. Also removed PQC algos as not supported in LTS. * ENT-11728: Removed the SPHINCS PQC algorithm. * ENT-11728: Added dependency on bcutil to fix missing class error.
2024-12-18 20:47:57 +00:00 · 2024-04-03 11:14:19 +01:00 · 2024-04-03 11:14:19 +01:00 · 72778b7fb0
commit 72778b7fb0
parent af62c36986
19 changed files with 124 additions and 205 deletions
--- a/.ci/api-current.txt
+++ b/.ci/api-current.txt
@ -643,6 +643,8 @@ public final class net.corda.core.contracts.CommandWithParties extends java.lang
  public String toString()
 ##
 public final class net.corda.core.contracts.ComponentGroupEnum extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.contracts.ComponentGroupEnum valueOf(String)
  public static net.corda.core.contracts.ComponentGroupEnum[] values()
 ##
@ -1198,6 +1200,8 @@ public static final class net.corda.core.contracts.TransactionVerificationExcept
 ##
@CordaSerializable
 public static final class net.corda.core.contracts.TransactionVerificationException$Direction extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.contracts.TransactionVerificationException$Direction valueOf(String)
  public static net.corda.core.contracts.TransactionVerificationException.Direction[] values()
 ##
@ -1878,8 +1882,6 @@ public final class net.corda.core.crypto.Crypto extends java.lang.Object
  public static final net.corda.core.crypto.SignatureScheme RSA_SHA256
  @NotNull
  public static final org.bouncycastle.asn1.DLSequence SHA512_256
  @NotNull
  public static final net.corda.core.crypto.SignatureScheme SPHINCS256_SHA256
 ##
 public final class net.corda.core.crypto.CryptoUtils extends java.lang.Object
  @NotNull
@ -2698,6 +2700,8 @@ public final class net.corda.core.flows.DistributionRecordKey extends java.lang.
 ##
@CordaSerializable
 public final class net.corda.core.flows.DistributionRecordType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.flows.DistributionRecordType valueOf(String)
  public static net.corda.core.flows.DistributionRecordType[] values()
 ##
@ -3249,8 +3253,25 @@ public final class net.corda.core.flows.LedgerRecoveryException extends net.cord
 ##
@StartableByRPC
 public final class net.corda.core.flows.LedgerRecoveryFlow extends net.corda.core.flows.FlowLogic
  public <init>(java.util.Collection)
  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow)
  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean)
  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean)
  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean, boolean, int)
  public <init>(net.corda.core.flows.LedgerRecoveryParameters, net.corda.core.utilities.ProgressTracker)
  public <init>(net.corda.core.flows.LedgerRecoveryParameters, net.corda.core.utilities.ProgressTracker, int, kotlin.jvm.internal.DefaultConstructorMarker)
  public <init>(net.corda.core.identity.Party)
  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow)
  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean)
  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean)
  public <init>(boolean)
  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow)
  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean)
  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, int)
  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, int, boolean)
  @Suspendable
  @NotNull
  public net.corda.core.flows.LedgerRecoveryResult call()
@ -3824,6 +3845,8 @@ public final class net.corda.core.flows.StateConsumptionDetails extends java.lan
 ##
@CordaSerializable
 public static final class net.corda.core.flows.StateConsumptionDetails$ConsumedStateType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.flows.StateConsumptionDetails$ConsumedStateType valueOf(String)
  public static net.corda.core.flows.StateConsumptionDetails.ConsumedStateType[] values()
 ##
@ -4778,6 +4801,8 @@ public interface net.corda.core.node.ServicesForResolution
 ##
@CordaSerializable
 public final class net.corda.core.node.StatesToRecord extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.StatesToRecord valueOf(String)
  public static net.corda.core.node.StatesToRecord[] values()
 ##
@ -5015,6 +5040,8 @@ public static final class net.corda.core.node.services.PartyInfo$SingleNode exte
  public String toString()
 ##
 public final class net.corda.core.node.services.ServiceLifecycleEvent extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.ServiceLifecycleEvent valueOf(String)
  public static net.corda.core.node.services.ServiceLifecycleEvent[] values()
 ##
@ -5067,6 +5094,8 @@ public final class net.corda.core.node.services.TimeWindowChecker extends java.l
 ##
@CordaSerializable
 public final class net.corda.core.node.services.TransactionStatus extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.TransactionStatus valueOf(String)
  public static net.corda.core.node.services.TransactionStatus[] values()
 ##
@ -5129,6 +5158,8 @@ public static final class net.corda.core.node.services.Vault$ConstraintInfo$Comp
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.Vault$ConstraintInfo$Type extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.Vault$ConstraintInfo$Type valueOf(String)
  public static net.corda.core.node.services.Vault.ConstraintInfo.Type[] values()
 ##
@ -5170,6 +5201,8 @@ public static final class net.corda.core.node.services.Vault$Page extends java.l
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.Vault$RelevancyStatus extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.Vault$RelevancyStatus valueOf(String)
  public static net.corda.core.node.services.Vault.RelevancyStatus[] values()
 ##
@ -5232,6 +5265,8 @@ public static final class net.corda.core.node.services.Vault$StateMetadata exten
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.Vault$StateStatus extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.Vault$StateStatus valueOf(String)
  public static net.corda.core.node.services.Vault.StateStatus[] values()
 ##
@ -5290,6 +5325,8 @@ public static final class net.corda.core.node.services.Vault$Update extends java
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.Vault$UpdateType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.Vault$UpdateType valueOf(String)
  public static net.corda.core.node.services.Vault.UpdateType[] values()
 ##
@ -5389,6 +5426,8 @@ public final class net.corda.core.node.services.diagnostics.NodeVersionInfo exte
 ##
@CordaSerializable
 public final class net.corda.core.node.services.vault.AggregateFunctionType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.AggregateFunctionType valueOf(String)
  public static net.corda.core.node.services.vault.AggregateFunctionType[] values()
 ##
@ -5498,6 +5537,8 @@ public final class net.corda.core.node.services.vault.AttachmentSort extends net
 public static final class net.corda.core.node.services.vault.AttachmentSort$AttachmentSortAttribute extends java.lang.Enum
  @NotNull
  public final String getColumnName()
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.AttachmentSort$AttachmentSortAttribute valueOf(String)
  public static net.corda.core.node.services.vault.AttachmentSort.AttachmentSortAttribute[] values()
 ##
@ -5538,12 +5579,16 @@ public abstract class net.corda.core.node.services.vault.BaseSort extends java.l
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.BinaryComparisonOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.BinaryComparisonOperator valueOf(String)
  public static net.corda.core.node.services.vault.BinaryComparisonOperator[] values()
 ##
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.BinaryLogicalOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.BinaryLogicalOperator valueOf(String)
  public static net.corda.core.node.services.vault.BinaryLogicalOperator[] values()
 ##
@ -5789,6 +5834,8 @@ public final class net.corda.core.node.services.vault.Builder extends java.lang.
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.CollectionOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.CollectionOperator valueOf(String)
  public static net.corda.core.node.services.vault.CollectionOperator[] values()
 ##
@ -6014,6 +6061,8 @@ public static final class net.corda.core.node.services.vault.CriteriaExpression$
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.EqualityComparisonOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.EqualityComparisonOperator valueOf(String)
  public static net.corda.core.node.services.vault.EqualityComparisonOperator[] values()
 ##
@ -6066,12 +6115,16 @@ public interface net.corda.core.node.services.vault.IQueryCriteriaParser extends
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.LikenessOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.LikenessOperator valueOf(String)
  public static net.corda.core.node.services.vault.LikenessOperator[] values()
 ##
@DoNotImplement
@CordaSerializable
 public final class net.corda.core.node.services.vault.NullOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.NullOperator valueOf(String)
  public static net.corda.core.node.services.vault.NullOperator[] values()
 ##
@ -6379,6 +6432,8 @@ public static final class net.corda.core.node.services.vault.QueryCriteria$SoftL
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.vault.QueryCriteria$SoftLockingType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.QueryCriteria$SoftLockingType valueOf(String)
  public static net.corda.core.node.services.vault.QueryCriteria.SoftLockingType[] values()
 ##
@ -6402,6 +6457,8 @@ public static final class net.corda.core.node.services.vault.QueryCriteria$TimeC
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.vault.QueryCriteria$TimeInstantType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.QueryCriteria$TimeInstantType valueOf(String)
  public static net.corda.core.node.services.vault.QueryCriteria.TimeInstantType[] values()
 ##
@ -6606,11 +6663,15 @@ public static final class net.corda.core.node.services.vault.Sort$CommonStateAtt
  public final String getAttributeChild()
  @NotNull
  public final String getAttributeParent()
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.Sort$CommonStateAttribute valueOf(String)
  public static net.corda.core.node.services.vault.Sort.CommonStateAttribute[] values()
 ##
@CordaSerializable
 public static final class net.corda.core.node.services.vault.Sort$Direction extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.Sort$Direction valueOf(String)
  public static net.corda.core.node.services.vault.Sort.Direction[] values()
 ##
@ -6619,6 +6680,8 @@ public static final class net.corda.core.node.services.vault.Sort$Direction exte
 public static final class net.corda.core.node.services.vault.Sort$FungibleStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
  @NotNull
  public final String getAttributeName()
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.Sort$FungibleStateAttribute valueOf(String)
  public static net.corda.core.node.services.vault.Sort.FungibleStateAttribute[] values()
 ##
@ -6627,6 +6690,8 @@ public static final class net.corda.core.node.services.vault.Sort$FungibleStateA
 public static final class net.corda.core.node.services.vault.Sort$LinearStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
  @NotNull
  public final String getAttributeName()
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.Sort$LinearStateAttribute valueOf(String)
  public static net.corda.core.node.services.vault.Sort.LinearStateAttribute[] values()
 ##
@ -6654,6 +6719,8 @@ public static final class net.corda.core.node.services.vault.Sort$SortColumn ext
 public static final class net.corda.core.node.services.vault.Sort$VaultStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
  @NotNull
  public final String getAttributeName()
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.node.services.vault.Sort$VaultStateAttribute valueOf(String)
  public static net.corda.core.node.services.vault.Sort.VaultStateAttribute[] values()
 ##
@ -6834,6 +6901,8 @@ public interface net.corda.core.serialization.ClassWhitelist
 public @interface net.corda.core.serialization.ConstructorForDeserialization
 ##
 public final class net.corda.core.serialization.ContextPropertyKeys extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.serialization.ContextPropertyKeys valueOf(String)
  public static net.corda.core.serialization.ContextPropertyKeys[] values()
 ##
@ -6967,6 +7036,8 @@ public interface net.corda.core.serialization.SerializationContext
  public abstract net.corda.core.serialization.SerializationContext withoutReferences()
 ##
 public static final class net.corda.core.serialization.SerializationContext$UseCase extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.serialization.SerializationContext$UseCase valueOf(String)
  public static net.corda.core.serialization.SerializationContext.UseCase[] values()
 ##
@ -7306,6 +7377,8 @@ public static final class net.corda.core.transactions.ContractUpgradeWireTransac
  public <init>(kotlin.jvm.internal.DefaultConstructorMarker)
 ##
 public static final class net.corda.core.transactions.ContractUpgradeWireTransaction$Component extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.transactions.ContractUpgradeWireTransaction$Component valueOf(String)
  public static net.corda.core.transactions.ContractUpgradeWireTransaction.Component[] values()
 ##
@ -7537,6 +7610,8 @@ public static final class net.corda.core.transactions.LedgerTransaction$InOutGro
  @NotNull
  public String toString()
 ##
 public final class net.corda.core.transactions.LedgerTransactionKt extends java.lang.Object
 ##
@CordaSerializable
 public final class net.corda.core.transactions.MissingContractAttachments extends net.corda.core.flows.FlowException
  public <init>(java.util.List)
@ -7651,6 +7726,8 @@ public final class net.corda.core.transactions.NotaryChangeWireTransaction exten
  public String toString()
 ##
 public static final class net.corda.core.transactions.NotaryChangeWireTransaction$Component extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.core.transactions.NotaryChangeWireTransaction$Component valueOf(String)
  public static net.corda.core.transactions.NotaryChangeWireTransaction.Component[] values()
 ##
@ -7881,6 +7958,8 @@ public abstract class net.corda.core.transactions.TraversableTransaction extends
  public final net.corda.core.crypto.DigestService getDigestService()
  @NotNull
  public java.util.List getInputs()
  @NotNull
  public final java.util.List getLegacyAttachments()
  @Nullable
  public net.corda.core.crypto.SecureHash getNetworkParametersHash()
  @Nullable
@ -9441,6 +9520,8 @@ public class net.corda.testing.driver.SharedMemoryIncremental extends net.corda.
  public static net.corda.testing.driver.SharedMemoryIncremental INSTANCE
 ##
 public final class net.corda.testing.driver.VerifierType extends java.lang.Enum
  @NotNull
  public static kotlin.enums.EnumEntries getEntries()
  public static net.corda.testing.driver.VerifierType valueOf(String)
  public static net.corda.testing.driver.VerifierType[] values()
 ##
--- a/build.gradle
+++ b/build.gradle
@ -383,6 +383,8 @@ allprojects {
                url "${publicArtifactURL}/corda-dependencies-dev"
                content {
                    includeGroup 'co.paralleluniverse'
                    // Remove below when BC 2.73.6 is released
                    includeGroup 'org.bouncycastle'
                }
            }
            maven {
--- a/client/jackson/build.gradle
+++ b/client/jackson/build.gradle
@ -18,8 +18,8 @@ dependencies {
    implementation "com.google.guava:guava:$guava_version"
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    implementation "org.slf4j:slf4j-api:$slf4j_version"
    testImplementation project(':finance:workflows')
--- a/constants.properties
+++ b/constants.properties
@ -20,8 +20,8 @@ guavaVersion=28.0-jre
 quasarVersion=0.9.0_r3
 dockerJavaVersion=3.2.5
 proguardVersion=7.3.1
-# Bouncy Castle version must not be changed on a patch release. Needs a full release test cycle to flush out any issues.
+# Switch to release version when out
-bouncycastleVersion=1.75
+bouncycastleVersion=2.73.6-SNAPSHOT
 classgraphVersion=4.8.135
 disruptorVersion=3.4.2
 typesafeConfigVersion=1.3.4
--- a/core-tests/build.gradle
+++ b/core-tests/build.gradle
@ -105,7 +105,7 @@ dependencies {
    testImplementation "com.esotericsoftware:kryo:$kryo_version"
    testImplementation "co.paralleluniverse:quasar-core:$quasar_version"
    testImplementation "org.hibernate:hibernate-core:$hibernate_version"
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
    testImplementation "io.netty:netty-common:$netty_version"
    testImplementation "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
@ -123,7 +123,7 @@ dependencies {
    smokeTestImplementation project(":testing:cordapps:4.11-workflows")
    smokeTestImplementation project(":finance:contracts")
    smokeTestImplementation "org.assertj:assertj-core:${assertj_version}"
-    smokeTestImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    smokeTestImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
    smokeTestImplementation "co.paralleluniverse:quasar-core:$quasar_version"
    smokeTestImplementation "org.junit.jupiter:junit-jupiter-api:${junit_jupiter_version}"
    smokeTestImplementation "junit:junit:$junit_version"
--- a/core-tests/src/test/kotlin/net/corda/coretests/crypto/CompositeKeyTests.kt
+++ b/core-tests/src/test/kotlin/net/corda/coretests/crypto/CompositeKeyTests.kt
@ -295,21 +295,19 @@ class CompositeKeyTests {
        val keyPairK1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
        val keyPairR1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
        val keyPairEd = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
        val keyPairSP = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
        val RSASignature = keyPairRSA.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairRSA.public).schemeNumberID)))
        val K1Signature = keyPairK1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairK1.public).schemeNumberID)))
        val R1Signature = keyPairR1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairR1.public).schemeNumberID)))
        val EdSignature = keyPairEd.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairEd.public).schemeNumberID)))
        val SPSignature = keyPairSP.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairSP.public).schemeNumberID)))
-        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public, keyPairSP.public).build() as CompositeKey
+        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public).build() as CompositeKey
-        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature, SPSignature)
+        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature)
        assertTrue { compositeKey.isFulfilledBy(signatures.byKeys()) }
        // One signature is missing.
-        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature, SPSignature)
+        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature)
        assertFalse { compositeKey.isFulfilledBy(signaturesWithoutRSA.byKeys()) }
    }
@ -320,20 +318,18 @@ class CompositeKeyTests {
        val keyPairK1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
        val keyPairR1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
        val keyPairEd = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
        val keyPairSP = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
        val RSASignature = keyPairRSA.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairRSA.public).schemeNumberID)))
        val K1Signature = keyPairK1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairK1.public).schemeNumberID)))
        val R1Signature = keyPairR1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairR1.public).schemeNumberID)))
        val EdSignature = keyPairEd.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairEd.public).schemeNumberID)))
        val SPSignature = keyPairSP.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairSP.public).schemeNumberID)))
-        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public, keyPairSP.public).build() as CompositeKey
+        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public).build() as CompositeKey
-        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature, SPSignature)
+        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature)
        assertTrue { compositeKey.isFulfilledBy(signatures.byKeys()) }
        // One signature is missing.
-        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature, SPSignature)
+        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature)
        assertFalse { compositeKey.isFulfilledBy(signaturesWithoutRSA.byKeys()) }
        // Create self sign CA.
@ -374,13 +370,12 @@ class CompositeKeyTests {
        val (_, pub3) = Crypto.generateKeyPair(Crypto.RSA_SHA256)
        val (_, pub4) = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
        val (_, pub5) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
-        val (_, pub6) = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
+        val (_, pub6) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
        val (_, pub7) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
        // Using default weight = 1, thus all weights are equal.
-        val composite1 = CompositeKey.Builder().addKeys(pub1, pub2, pub3, pub4, pub5, pub6, pub7).build() as CompositeKey
+        val composite1 = CompositeKey.Builder().addKeys(pub1, pub2, pub3, pub4, pub5, pub6).build() as CompositeKey
        // Store in reverse order.
-        val composite2 = CompositeKey.Builder().addKeys(pub7, pub6, pub5, pub4, pub3, pub2, pub1).build() as CompositeKey
+        val composite2 = CompositeKey.Builder().addKeys(pub6, pub5, pub4, pub3, pub2, pub1).build() as CompositeKey
        // There are 7! = 5040 permutations, but as sorting is deterministic the following should never fail.
        assertEquals(composite1.children, composite2.children)
    }
--- a/core/build.gradle
+++ b/core/build.gradle
@ -37,7 +37,7 @@ dependencies {
    implementation "com.github.ben-manes.caffeine:caffeine:$caffeine_version"
    implementation "org.apache.commons:commons-lang3:$commons_lang3_version"
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
    // required to use @Type annotation
    implementation "org.hibernate:hibernate-core:$hibernate_version"
    // FastThreadLocal
@ -55,7 +55,7 @@ dependencies {
    testImplementation "com.natpryce:hamkrest:$hamkrest_version"
    // AssertJ: for fluent assertions for testing
    testImplementation "org.assertj:assertj-core:$assertj_version"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:$bouncycastle_version"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:$bouncycastle_version"
    testImplementation "org.ow2.asm:asm:$asm_version"
    testRuntimeOnly "com.esotericsoftware:kryo:$kryo_version"
--- a/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
+++ b/core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
@ -6,19 +6,16 @@ import net.corda.core.crypto.internal.AliasPrivateKey
 import net.corda.core.crypto.internal.Curve25519.isOnCurve25519
 import net.corda.core.crypto.internal.Instances.withSignature
 import net.corda.core.crypto.internal.PublicKeyCache
 import net.corda.core.crypto.internal.bouncyCastlePQCProvider
 import net.corda.core.crypto.internal.cordaBouncyCastleProvider
 import net.corda.core.crypto.internal.cordaSecurityProvider
 import net.corda.core.crypto.internal.providerMap
 import net.corda.core.internal.utilities.PrivateInterner
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.ByteSequence
 import org.bouncycastle.asn1.ASN1Integer
 import org.bouncycastle.asn1.ASN1ObjectIdentifier
 import org.bouncycastle.asn1.DERNull
 import org.bouncycastle.asn1.DERUTF8String
 import org.bouncycastle.asn1.DLSequence
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers
 import org.bouncycastle.asn1.edec.EdECObjectIdentifiers
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers
@ -48,9 +45,6 @@ import org.bouncycastle.math.ec.ECConstants
 import org.bouncycastle.math.ec.FixedPointCombMultiplier
 import org.bouncycastle.math.ec.WNafUtil
 import org.bouncycastle.math.ec.rfc8032.Ed25519
 import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
 import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PublicKey
 import org.bouncycastle.pqc.jcajce.spec.SPHINCS256KeyGenParameterSpec
 import java.math.BigInteger
 import java.security.InvalidKeyException
 import java.security.Key
@ -79,7 +73,6 @@ import javax.crypto.spec.SecretKeySpec
 * <li>ECDSA_SECP256K1_SHA256 (ECDSA using the secp256k1 Koblitz curve and SHA256 as hash algorithm).
 * <li>ECDSA_SECP256R1_SHA256 (ECDSA using the secp256r1 (NIST P-256) curve and SHA256 as hash algorithm).
 * <li>EDDSA_ED25519_SHA512 (EdDSA using the ed25519 twisted Edwards curve and SHA512 as hash algorithm).
 * <li>SPHINCS256_SHA512 (SPHINCS-256 hash-based signature scheme using SHA512 as hash algorithm).
 * </ul>
 */
 object Crypto {
@ -155,26 +148,6 @@ object Crypto {
    @JvmField
    val SHA512_256 = DLSequence(arrayOf(NISTObjectIdentifiers.id_sha512_256))
    /**
     * SPHINCS-256 hash-based signature scheme using SHA512 for message hashing. It provides 128bit security against
     * post-quantum attackers at the cost of larger key nd signature sizes and loss of compatibility.
     */
    // TODO: change val name to SPHINCS256_SHA512. This will break backwards compatibility.
    @JvmField
    val SPHINCS256_SHA256 = SignatureScheme(
            5,
            "SPHINCS-256_SHA512",
            AlgorithmIdentifier(BCObjectIdentifiers.sphincs256_with_SHA512, null),
            listOf(AlgorithmIdentifier(BCObjectIdentifiers.sphincs256, DLSequence(arrayOf(ASN1Integer(0), SHA512_256)))),
            bouncyCastlePQCProvider.name,
            "SPHINCS256",
            "SHA512withSPHINCS256",
            SPHINCS256KeyGenParameterSpec(SPHINCS256KeyGenParameterSpec.SHA512_256),
            256,
            "SPHINCS-256 hash-based signature scheme. It provides 128bit security against post-quantum attackers " +
                    "at the cost of larger key sizes and loss of compatibility."
    )
    /** Corda [CompositeKey] signature type. */
    // TODO: change the val name to a more descriptive one as it's now confusing and looks like a Key type.
    @JvmField
@ -204,7 +177,6 @@ object Crypto {
            ECDSA_SECP256K1_SHA256,
            ECDSA_SECP256R1_SHA256,
            EDDSA_ED25519_SHA512,
            SPHINCS256_SHA256,
            COMPOSITE_KEY
    ).associateBy { it.schemeCodeName }
@ -469,7 +441,7 @@ object Crypto {
            // Note that deterministic signature schemes, such as EdDSA, original SPHINCS-256 and RSA PKCS#1, do not require
            // extra randomness, but we have to ensure that non-deterministic algorithms (i.e., ECDSA) use non-blocking
            // SecureRandom implementation.
-            if (signatureScheme == EDDSA_ED25519_SHA512 || signatureScheme == SPHINCS256_SHA256 || signatureScheme == RSA_SHA256) {
+            if (signatureScheme == EDDSA_ED25519_SHA512 || signatureScheme == RSA_SHA256) {
                signature.initSign(privateKey)
            } else {
                // The rest of the algorithms will require a SecureRandom input (i.e., ECDSA or any new algorithm for which
@ -970,7 +942,6 @@ object Crypto {
        return when (key) {
            is BCECPublicKey, is EdECPublicKey -> publicKeyOnCurve(signatureScheme, key)
            is BCRSAPublicKey -> key.modulus.bitLength() >= 2048 // Although the recommended RSA key size is 3072, we accept any key >= 2048bits.
            is BCSphincs256PublicKey -> true
            else -> throw IllegalArgumentException("Unsupported key type: ${key.javaClass.name}")
        }
    }
@ -1003,7 +974,6 @@ object Crypto {
            key is BCEdDSAPublicKey && key is EdECPublicKey -> internPublicKey(key)  // The BC implementation is not public
            key is BCECPublicKey -> internPublicKey(key)
            key is BCRSAPublicKey -> internPublicKey(key)
            key is BCSphincs256PublicKey -> internPublicKey(key)
            key is CompositeKey -> internPublicKey(key)
            else -> decodePublicKey(key.encoded)
        }
@ -1023,7 +993,6 @@ object Crypto {
            key is BCEdDSAPrivateKey && key is EdECPrivateKey -> key  // The BC implementation is not public
            key is BCECPrivateKey -> key
            key is BCRSAPrivateKey -> key
            key is BCSphincs256PrivateKey -> key
            else -> decodePrivateKey(key.encoded)
        }
    }
--- a/core/src/main/kotlin/net/corda/core/crypto/SignatureScheme.kt
+++ b/core/src/main/kotlin/net/corda/core/crypto/SignatureScheme.kt
@ -10,12 +10,12 @@ import java.security.spec.AlgorithmParameterSpec
 * This class is used to define a digital signature scheme.
 * @param schemeNumberID unique number ID for better efficiency on-wire serialisation.
 * @param schemeCodeName unique code name for this signature scheme (e.g. RSA_SHA256, ECDSA_SECP256K1_SHA256, ECDSA_SECP256R1_SHA256,
- * EDDSA_ED25519_SHA512, SPHINCS-256_SHA512).
+ * EDDSA_ED25519_SHA512).
 * @param signatureOID ASN.1 algorithm identifier of the signature algorithm (e.g 1.3.101.112 for EdDSA)
 * @param alternativeOIDs ASN.1 algorithm identifiers for keys of the signature, where we want to map multiple keys to
 * the same signature scheme.
 * @param providerName the provider's name (e.g. "BC").
- * @param algorithmName which signature algorithm is used (e.g. RSA, ECDSA. EdDSA, SPHINCS-256).
+ * @param algorithmName which signature algorithm is used (e.g. RSA, ECDSA. EdDSA).
 * @param signatureName a signature-scheme name as required to create [Signature] objects (e.g. "SHA256withECDSA")
 * @param algSpec parameter specs for the underlying algorithm. Note that RSA is defined by the key size rather than algSpec.
 * eg. ECGenParameterSpec("secp256k1").
--- a/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt
+++ b/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt
@ -2,7 +2,6 @@ package net.corda.core.crypto.internal
 import net.corda.core.crypto.CordaSecurityProvider
 import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider
 import java.security.Provider
 import java.security.Security
 import java.util.Collections.unmodifiableMap
@ -26,16 +25,11 @@ val cordaBouncyCastleProvider = BouncyCastleProvider().also {
    Security.addProvider(it)
 }
 val bouncyCastlePQCProvider = BouncyCastlePQCProvider().apply {
    require(name == "BCPQC") { "Invalid PQCProvider name" }
 }.also {
    Security.addProvider(it)
 }
 // This map is required to defend against users that forcibly call Security.addProvider / Security.removeProvider
 // that could cause unexpected and suspicious behaviour.
 // i.e. if someone removes a Provider and then he/she adds a new one with the same name.
 // The val is immutable to avoid any harmful state changes.
 internal val providerMap: Map<String, Provider> = unmodifiableMap(
-    listOf(cordaBouncyCastleProvider, cordaSecurityProvider, bouncyCastlePQCProvider)
+    listOf(cordaBouncyCastleProvider, cordaSecurityProvider)
        .associateByTo(LinkedHashMap(), Provider::getName)
 )
--- a/core/src/test/kotlin/net/corda/core/crypto/CryptoUtilsTest.kt
+++ b/core/src/test/kotlin/net/corda/core/crypto/CryptoUtilsTest.kt
@ -5,21 +5,16 @@ import net.corda.core.crypto.Crypto.ECDSA_SECP256K1_SHA256
 import net.corda.core.crypto.Crypto.ECDSA_SECP256R1_SHA256
 import net.corda.core.crypto.Crypto.EDDSA_ED25519_SHA512
 import net.corda.core.crypto.Crypto.RSA_SHA256
 import net.corda.core.crypto.Crypto.SPHINCS256_SHA256
 import net.corda.core.crypto.internal.PlatformSecureRandomService
 import net.corda.core.utilities.OpaqueBytes
 import org.apache.commons.lang3.ArrayUtils.EMPTY_BYTE_ARRAY
 import org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
 import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey
 import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey
 import org.bouncycastle.jce.ECNamedCurveTable
 import org.bouncycastle.jce.interfaces.ECKey
 import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec
 import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
 import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PublicKey
 import org.junit.Assert.assertNotEquals
 import org.junit.Test
 import java.math.BigInteger
@ -54,21 +49,18 @@ class CryptoUtilsTest {
        val ecdsaKKeyPair = Crypto.generateKeyPair(ECDSA_SECP256K1_SHA256)
        val ecdsaRKeyPair = Crypto.generateKeyPair(ECDSA_SECP256R1_SHA256)
        val eddsaKeyPair = Crypto.generateKeyPair(EDDSA_ED25519_SHA512)
        val sphincsKeyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
        // not null private keys
        assertNotNull(rsaKeyPair.private)
        assertNotNull(ecdsaKKeyPair.private)
        assertNotNull(ecdsaRKeyPair.private)
        assertNotNull(eddsaKeyPair.private)
        assertNotNull(sphincsKeyPair.private)
        // not null public keys
        assertNotNull(rsaKeyPair.public)
        assertNotNull(ecdsaKKeyPair.public)
        assertNotNull(ecdsaRKeyPair.public)
        assertNotNull(eddsaKeyPair.public)
        assertNotNull(sphincsKeyPair.public)
        // fail on unsupported algorithm
        try {
@ -298,66 +290,11 @@ class CryptoUtilsTest {
        }
    }
    @Test(timeout=300_000)
 	fun `SPHINCS-256 full process keygen-sign-verify`() {
        val keyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
        val (privKey, pubKey) = keyPair
        // test for some data
        val signedData = Crypto.doSign(privKey, testBytes)
        val verification = Crypto.doVerify(pubKey, signedData, testBytes)
        assertTrue(verification)
        // test for empty data signing
        try {
            Crypto.doSign(privKey, EMPTY_BYTE_ARRAY)
            fail()
        } catch (e: Exception) {
            // expected
        }
        // test for empty source data when verifying
        try {
            Crypto.doVerify(pubKey, testBytes, EMPTY_BYTE_ARRAY)
            fail()
        } catch (e: Exception) {
            // expected
        }
        // test for empty signed data when verifying
        try {
            Crypto.doVerify(pubKey, EMPTY_BYTE_ARRAY, testBytes)
            fail()
        } catch (e: Exception) {
            // expected
        }
        // test for zero bytes data
        val signedDataZeros = Crypto.doSign(privKey, test100ZeroBytes)
        val verificationZeros = Crypto.doVerify(pubKey, signedDataZeros, test100ZeroBytes)
        assertTrue(verificationZeros)
        // test for 1MB of data (I successfully tested it locally for 1GB as well)
        val MBbyte = ByteArray(1000000) // 1.000.000
        Random().nextBytes(MBbyte)
        val signedDataBig = Crypto.doSign(privKey, MBbyte)
        val verificationBig = Crypto.doVerify(pubKey, signedDataBig, MBbyte)
        assertTrue(verificationBig)
        // test on malformed signatures (even if they change for 1 bit)
        signedData[0] = signedData[0].inc()
        try {
            Crypto.doVerify(pubKey, signedData, testBytes)
            fail()
        } catch (e: Exception) {
            // expected
        }
    }
    // test list of supported algorithms
    @Test(timeout=300_000)
 	fun `Check supported algorithms`() {
        val algList: List<String> = Crypto.supportedSignatureSchemes().map { it.schemeCodeName }
-        val expectedAlgSet = setOf("RSA_SHA256", "ECDSA_SECP256K1_SHA256", "ECDSA_SECP256R1_SHA256", "EDDSA_ED25519_SHA512", "SPHINCS-256_SHA512", "COMPOSITE")
+        val expectedAlgSet = setOf("RSA_SHA256", "ECDSA_SECP256K1_SHA256", "ECDSA_SECP256R1_SHA256", "EDDSA_ED25519_SHA512", "COMPOSITE")
        assertTrue { Sets.symmetricDifference(expectedAlgSet, algList.toSet()).isEmpty(); }
    }
@ -422,36 +359,6 @@ class CryptoUtilsTest {
        assertEquals(pubKey2, pubKey)
    }
    @Test(timeout=300_000)
 	fun `SPHINCS-256 encode decode keys - required for serialization`() {
        // Generate key pair.
        val keyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
        val privKey: BCSphincs256PrivateKey = keyPair.private as BCSphincs256PrivateKey
        val pubKey: BCSphincs256PublicKey = keyPair.public as BCSphincs256PublicKey
        //1st method for encoding/decoding
        val privKey2 = Crypto.decodePrivateKey(privKey.encoded)
        assertEquals(privKey2, privKey)
        // Encode and decode public key.
        val pubKey2 = Crypto.decodePublicKey(pubKey.encoded)
        assertEquals(pubKey2, pubKey)
        //2nd method for encoding/decoding
        // Encode and decode private key.
        val privKeyInfo: PrivateKeyInfo = PrivateKeyInfo.getInstance(privKey.encoded)
        val decodedPrivKey = BCSphincs256PrivateKey(privKeyInfo)
        // Check that decoded private key is equal to the initial one.
        assertEquals(decodedPrivKey, privKey)
        // Encode and decode public key.
        val pubKeyInfo: SubjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(pubKey.encoded)
        val decodedPubKey = BCSphincs256PublicKey(pubKeyInfo)
        // Check that decoded private key is equal to the initial one.
        assertEquals(decodedPubKey, pubKey)
    }
    @Test(timeout=300_000)
 	fun `RSA scheme finder by key type`() {
        val keyPairRSA = Crypto.generateKeyPair(RSA_SHA256)
@ -496,14 +403,6 @@ class CryptoUtilsTest {
        assertEquals((pubEd as EdECPublicKey).params.name, NamedParameterSpec.ED25519.name)
    }
    @Test(timeout=300_000)
 	fun `SPHINCS-256 scheme finder by key type`() {
        val keyPairSP = Crypto.generateKeyPair(SPHINCS256_SHA256)
        val (privSP, pubSP) = keyPairSP
        assertEquals(privSP.algorithm, "SPHINCS-256")
        assertEquals(pubSP.algorithm, "SPHINCS-256")
    }
    @Test(timeout=300_000)
 	fun `Automatic EdDSA key-type detection and decoding`() {
        val keyPairEd = Crypto.generateKeyPair(EDDSA_ED25519_SHA512)
@ -568,22 +467,6 @@ class CryptoUtilsTest {
        assertEquals(decodedPubRSA, pubRSA)
    }
    @Test(timeout=300_000)
 	fun `Automatic SPHINCS-256 key-type detection and decoding`() {
        val keyPairSP = Crypto.generateKeyPair(SPHINCS256_SHA256)
        val (privSP, pubSP) = keyPairSP
        val encodedPrivSP = privSP.encoded
        val encodedPubSP = pubSP.encoded
        val decodedPrivSP = Crypto.decodePrivateKey(encodedPrivSP)
        assertEquals(decodedPrivSP.algorithm, "SPHINCS-256")
        assertEquals(decodedPrivSP, privSP)
        val decodedPubSP = Crypto.decodePublicKey(encodedPubSP)
        assertEquals(decodedPubSP.algorithm, "SPHINCS-256")
        assertEquals(decodedPubSP, pubSP)
    }
    @Test(timeout=300_000)
 	fun `Failure test between K1 and R1 keys`() {
        val keyPairK1 = Crypto.generateKeyPair(ECDSA_SECP256K1_SHA256)
@ -904,8 +787,8 @@ class CryptoUtilsTest {
    }
    @Test(timeout=300_000)
-	fun `Ensure deterministic signatures of EdDSA, SPHINCS-256 and RSA PKCS1`() {
+	fun `Ensure deterministic signatures of EdDSA and RSA PKCS1`() {
-        listOf(EDDSA_ED25519_SHA512, SPHINCS256_SHA256, RSA_SHA256)
+        listOf(EDDSA_ED25519_SHA512, RSA_SHA256)
                .forEach { testDeterministicSignatures(it) }
    }
--- a/node-api-tests/build.gradle
+++ b/node-api-tests/build.gradle
@ -24,8 +24,8 @@ dependencies {
    testImplementation "io.netty:netty-handler-proxy:$netty_version"
    // Bouncy castle support needed for X509 certificate manipulation
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    testRuntimeOnly "org.junit.vintage:junit-vintage-engine:${junit_vintage_version}"
    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${junit_jupiter_version}"
--- a/node-api-tests/src/test/kotlin/net/corda/nodeapitests/internal/crypto/X509UtilitiesTest.kt
+++ b/node-api-tests/src/test/kotlin/net/corda/nodeapitests/internal/crypto/X509UtilitiesTest.kt
@ -9,7 +9,6 @@ import net.corda.core.crypto.Crypto.ECDSA_SECP256K1_SHA256
 import net.corda.core.crypto.Crypto.ECDSA_SECP256R1_SHA256
 import net.corda.core.crypto.Crypto.EDDSA_ED25519_SHA512
 import net.corda.core.crypto.Crypto.RSA_SHA256
 import net.corda.core.crypto.Crypto.SPHINCS256_SHA256
 import net.corda.core.crypto.Crypto.generateKeyPair
 import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.newSecureRandom
@ -58,7 +57,6 @@ import org.bouncycastle.asn1.x509.CRLDistPoint
 import org.bouncycastle.asn1.x509.Extension
 import org.bouncycastle.asn1.x509.KeyUsage
 import org.bouncycastle.asn1.x509.SubjectKeyIdentifier
 import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@ -108,12 +106,10 @@ class X509UtilitiesTest {
                Pair(DEFAULT_TLS_SIGNATURE_SCHEME, DEFAULT_TLS_SIGNATURE_SCHEME),
                Pair(DEFAULT_IDENTITY_SIGNATURE_SCHEME, DEFAULT_IDENTITY_SIGNATURE_SCHEME),
                Pair(DEFAULT_TLS_SIGNATURE_SCHEME, DEFAULT_IDENTITY_SIGNATURE_SCHEME),
                Pair(ECDSA_SECP256R1_SHA256, SPHINCS256_SHA256),
                Pair(ECDSA_SECP256K1_SHA256, RSA_SHA256),
                Pair(EDDSA_ED25519_SHA512, ECDSA_SECP256K1_SHA256),
                Pair(RSA_SHA256, EDDSA_ED25519_SHA512),
                Pair(EDDSA_ED25519_SHA512, ECDSA_SECP256R1_SHA256),
                Pair(SPHINCS256_SHA256, ECDSA_SECP256R1_SHA256)
        )
        val schemeToKeyTypes = listOf(
@ -121,8 +117,6 @@ class X509UtilitiesTest {
                Triple(ECDSA_SECP256R1_SHA256, java.security.interfaces.ECPrivateKey::class.java, org.bouncycastle.jce.interfaces.ECPrivateKey::class.java),
                Triple(ECDSA_SECP256K1_SHA256, java.security.interfaces.ECPrivateKey::class.java, org.bouncycastle.jce.interfaces.ECPrivateKey::class.java),
                Triple(EDDSA_ED25519_SHA512, EdECPrivateKey::class.java, EdECPrivateKey::class.java),
                // By default, JKS returns SUN RSA key.
                Triple(SPHINCS256_SHA256, BCSphincs256PrivateKey::class.java, BCSphincs256PrivateKey::class.java)
        )
    }
--- a/node-api/build.gradle
+++ b/node-api/build.gradle
@ -51,8 +51,8 @@ dependencies {
    implementation "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    implementation "io.reactivex:rxjava:$rxjava_version"
    implementation "javax.persistence:javax.persistence-api:2.2"
--- a/node/build.gradle
+++ b/node/build.gradle
@ -135,8 +135,8 @@ dependencies {
        exclude group: 'org.jgroups', module: 'jgroups'
    }
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    implementation "com.esotericsoftware:kryo:$kryo_version"
    implementation "com.fasterxml.jackson.core:jackson-annotations:${jackson_version}"
    implementation "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
--- a/serialization-tests/build.gradle
+++ b/serialization-tests/build.gradle
@ -15,8 +15,8 @@ dependencies {
    testImplementation project(':test-utils')
    // Bouncy castle support needed for X509 certificate manipulation
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    testImplementation "org.junit.jupiter:junit-jupiter-api:${junit_jupiter_version}"
    testImplementation "junit:junit:$junit_version"
--- a/testing/core-test-utils/build.gradle
+++ b/testing/core-test-utils/build.gradle
@ -17,8 +17,8 @@ dependencies {
    api "org.jetbrains.kotlin:kotlin-test"
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    implementation "org.slf4j:slf4j-api:$slf4j_version"
    implementation "org.mockito.kotlin:mockito-kotlin:$mockito_kotlin_version"
--- a/testing/node-driver/build.gradle
+++ b/testing/node-driver/build.gradle
@ -75,8 +75,9 @@ dependencies {
    }
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    implementation "org.bouncycastle:bcutil-lts8on:${bouncycastle_version}"
    implementation "com.google.code.findbugs:jsr305:$jsr305_version"
    implementation "com.google.jimfs:jimfs:1.1"
--- a/testing/test-utils/build.gradle
+++ b/testing/test-utils/build.gradle
@ -40,8 +40,8 @@ dependencies {
    implementation "com.github.ben-manes.caffeine:caffeine:$caffeine_version"
    // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
    testImplementation "org.apache.commons:commons-lang3:$commons_lang3_version"
    testImplementation "org.assertj:assertj-core:$assertj_version"