ENT-11728: Switched to LTS version of BC. Also removed PQC algos as n… (#7706)

* ENT-11728: Switched to LTS version of BC. Also removed PQC algos as not supported in LTS.
* ENT-11728: Removed the SPHINCS PQC algorithm.
* ENT-11728: Added dependency on bcutil to fix missing class error.

.ci/api-current.txt

@@ -643,6 +643,8 @@ public final class net.corda.core.contracts.CommandWithParties extends java.lang
   public String toString()
 ##
 public final class net.corda.core.contracts.ComponentGroupEnum extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.contracts.ComponentGroupEnum valueOf(String)
   public static net.corda.core.contracts.ComponentGroupEnum[] values()
 ##
@@ -1198,6 +1200,8 @@ public static final class net.corda.core.contracts.TransactionVerificationExcept
 ##
 @CordaSerializable
 public static final class net.corda.core.contracts.TransactionVerificationException$Direction extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.contracts.TransactionVerificationException$Direction valueOf(String)
   public static net.corda.core.contracts.TransactionVerificationException.Direction[] values()
 ##
@@ -1878,8 +1882,6 @@ public final class net.corda.core.crypto.Crypto extends java.lang.Object
   public static final net.corda.core.crypto.SignatureScheme RSA_SHA256
   @NotNull
   public static final org.bouncycastle.asn1.DLSequence SHA512_256
-  @NotNull
-  public static final net.corda.core.crypto.SignatureScheme SPHINCS256_SHA256
 ##
 public final class net.corda.core.crypto.CryptoUtils extends java.lang.Object
   @NotNull
@@ -2698,6 +2700,8 @@ public final class net.corda.core.flows.DistributionRecordKey extends java.lang.
 ##
 @CordaSerializable
 public final class net.corda.core.flows.DistributionRecordType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.flows.DistributionRecordType valueOf(String)
   public static net.corda.core.flows.DistributionRecordType[] values()
 ##
@@ -3249,8 +3253,25 @@ public final class net.corda.core.flows.LedgerRecoveryException extends net.cord
 ##
 @StartableByRPC
 public final class net.corda.core.flows.LedgerRecoveryFlow extends net.corda.core.flows.FlowLogic
+  public <init>(java.util.Collection)
+  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow)
+  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean)
+  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
+  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean)
+  public <init>(java.util.Collection, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean, boolean, int)
   public <init>(net.corda.core.flows.LedgerRecoveryParameters, net.corda.core.utilities.ProgressTracker)
   public <init>(net.corda.core.flows.LedgerRecoveryParameters, net.corda.core.utilities.ProgressTracker, int, kotlin.jvm.internal.DefaultConstructorMarker)
+  public <init>(net.corda.core.identity.Party)
+  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow)
+  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean)
+  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
+  public <init>(net.corda.core.identity.Party, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, boolean)
+  public <init>(boolean)
+  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow)
+  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean)
+  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean)
+  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, int)
+  public <init>(boolean, net.corda.core.flows.RecoveryTimeWindow, boolean, boolean, int, boolean)
   @Suspendable
   @NotNull
   public net.corda.core.flows.LedgerRecoveryResult call()
@@ -3824,6 +3845,8 @@ public final class net.corda.core.flows.StateConsumptionDetails extends java.lan
 ##
 @CordaSerializable
 public static final class net.corda.core.flows.StateConsumptionDetails$ConsumedStateType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.flows.StateConsumptionDetails$ConsumedStateType valueOf(String)
   public static net.corda.core.flows.StateConsumptionDetails.ConsumedStateType[] values()
 ##
@@ -4778,6 +4801,8 @@ public interface net.corda.core.node.ServicesForResolution
 ##
 @CordaSerializable
 public final class net.corda.core.node.StatesToRecord extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.StatesToRecord valueOf(String)
   public static net.corda.core.node.StatesToRecord[] values()
 ##
@@ -5015,6 +5040,8 @@ public static final class net.corda.core.node.services.PartyInfo$SingleNode exte
   public String toString()
 ##
 public final class net.corda.core.node.services.ServiceLifecycleEvent extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.ServiceLifecycleEvent valueOf(String)
   public static net.corda.core.node.services.ServiceLifecycleEvent[] values()
 ##
@@ -5067,6 +5094,8 @@ public final class net.corda.core.node.services.TimeWindowChecker extends java.l
 ##
 @CordaSerializable
 public final class net.corda.core.node.services.TransactionStatus extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.TransactionStatus valueOf(String)
   public static net.corda.core.node.services.TransactionStatus[] values()
 ##
@@ -5129,6 +5158,8 @@ public static final class net.corda.core.node.services.Vault$ConstraintInfo$Comp
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.Vault$ConstraintInfo$Type extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.Vault$ConstraintInfo$Type valueOf(String)
   public static net.corda.core.node.services.Vault.ConstraintInfo.Type[] values()
 ##
@@ -5170,6 +5201,8 @@ public static final class net.corda.core.node.services.Vault$Page extends java.l
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.Vault$RelevancyStatus extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.Vault$RelevancyStatus valueOf(String)
   public static net.corda.core.node.services.Vault.RelevancyStatus[] values()
 ##
@@ -5232,6 +5265,8 @@ public static final class net.corda.core.node.services.Vault$StateMetadata exten
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.Vault$StateStatus extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.Vault$StateStatus valueOf(String)
   public static net.corda.core.node.services.Vault.StateStatus[] values()
 ##
@@ -5290,6 +5325,8 @@ public static final class net.corda.core.node.services.Vault$Update extends java
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.Vault$UpdateType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.Vault$UpdateType valueOf(String)
   public static net.corda.core.node.services.Vault.UpdateType[] values()
 ##
@@ -5389,6 +5426,8 @@ public final class net.corda.core.node.services.diagnostics.NodeVersionInfo exte
 ##
 @CordaSerializable
 public final class net.corda.core.node.services.vault.AggregateFunctionType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.AggregateFunctionType valueOf(String)
   public static net.corda.core.node.services.vault.AggregateFunctionType[] values()
 ##
@@ -5498,6 +5537,8 @@ public final class net.corda.core.node.services.vault.AttachmentSort extends net
 public static final class net.corda.core.node.services.vault.AttachmentSort$AttachmentSortAttribute extends java.lang.Enum
   @NotNull
   public final String getColumnName()
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.AttachmentSort$AttachmentSortAttribute valueOf(String)
   public static net.corda.core.node.services.vault.AttachmentSort.AttachmentSortAttribute[] values()
 ##
@@ -5538,12 +5579,16 @@ public abstract class net.corda.core.node.services.vault.BaseSort extends java.l
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.BinaryComparisonOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.BinaryComparisonOperator valueOf(String)
   public static net.corda.core.node.services.vault.BinaryComparisonOperator[] values()
 ##
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.BinaryLogicalOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.BinaryLogicalOperator valueOf(String)
   public static net.corda.core.node.services.vault.BinaryLogicalOperator[] values()
 ##
@@ -5789,6 +5834,8 @@ public final class net.corda.core.node.services.vault.Builder extends java.lang.
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.CollectionOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.CollectionOperator valueOf(String)
   public static net.corda.core.node.services.vault.CollectionOperator[] values()
 ##
@@ -6014,6 +6061,8 @@ public static final class net.corda.core.node.services.vault.CriteriaExpression$
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.EqualityComparisonOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.EqualityComparisonOperator valueOf(String)
   public static net.corda.core.node.services.vault.EqualityComparisonOperator[] values()
 ##
@@ -6066,12 +6115,16 @@ public interface net.corda.core.node.services.vault.IQueryCriteriaParser extends
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.LikenessOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.LikenessOperator valueOf(String)
   public static net.corda.core.node.services.vault.LikenessOperator[] values()
 ##
 @DoNotImplement
 @CordaSerializable
 public final class net.corda.core.node.services.vault.NullOperator extends java.lang.Enum implements net.corda.core.node.services.vault.Operator
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.NullOperator valueOf(String)
   public static net.corda.core.node.services.vault.NullOperator[] values()
 ##
@@ -6379,6 +6432,8 @@ public static final class net.corda.core.node.services.vault.QueryCriteria$SoftL
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.vault.QueryCriteria$SoftLockingType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.QueryCriteria$SoftLockingType valueOf(String)
   public static net.corda.core.node.services.vault.QueryCriteria.SoftLockingType[] values()
 ##
@@ -6402,6 +6457,8 @@ public static final class net.corda.core.node.services.vault.QueryCriteria$TimeC
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.vault.QueryCriteria$TimeInstantType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.QueryCriteria$TimeInstantType valueOf(String)
   public static net.corda.core.node.services.vault.QueryCriteria.TimeInstantType[] values()
 ##
@@ -6606,11 +6663,15 @@ public static final class net.corda.core.node.services.vault.Sort$CommonStateAtt
   public final String getAttributeChild()
   @NotNull
   public final String getAttributeParent()
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.Sort$CommonStateAttribute valueOf(String)
   public static net.corda.core.node.services.vault.Sort.CommonStateAttribute[] values()
 ##
 @CordaSerializable
 public static final class net.corda.core.node.services.vault.Sort$Direction extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.Sort$Direction valueOf(String)
   public static net.corda.core.node.services.vault.Sort.Direction[] values()
 ##
@@ -6619,6 +6680,8 @@ public static final class net.corda.core.node.services.vault.Sort$Direction exte
 public static final class net.corda.core.node.services.vault.Sort$FungibleStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
   @NotNull
   public final String getAttributeName()
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.Sort$FungibleStateAttribute valueOf(String)
   public static net.corda.core.node.services.vault.Sort.FungibleStateAttribute[] values()
 ##
@@ -6627,6 +6690,8 @@ public static final class net.corda.core.node.services.vault.Sort$FungibleStateA
 public static final class net.corda.core.node.services.vault.Sort$LinearStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
   @NotNull
   public final String getAttributeName()
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.Sort$LinearStateAttribute valueOf(String)
   public static net.corda.core.node.services.vault.Sort.LinearStateAttribute[] values()
 ##
@@ -6654,6 +6719,8 @@ public static final class net.corda.core.node.services.vault.Sort$SortColumn ext
 public static final class net.corda.core.node.services.vault.Sort$VaultStateAttribute extends java.lang.Enum implements net.corda.core.node.services.vault.Sort$Attribute
   @NotNull
   public final String getAttributeName()
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.node.services.vault.Sort$VaultStateAttribute valueOf(String)
   public static net.corda.core.node.services.vault.Sort.VaultStateAttribute[] values()
 ##
@@ -6834,6 +6901,8 @@ public interface net.corda.core.serialization.ClassWhitelist
 public @interface net.corda.core.serialization.ConstructorForDeserialization
 ##
 public final class net.corda.core.serialization.ContextPropertyKeys extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.serialization.ContextPropertyKeys valueOf(String)
   public static net.corda.core.serialization.ContextPropertyKeys[] values()
 ##
@@ -6967,6 +7036,8 @@ public interface net.corda.core.serialization.SerializationContext
   public abstract net.corda.core.serialization.SerializationContext withoutReferences()
 ##
 public static final class net.corda.core.serialization.SerializationContext$UseCase extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.serialization.SerializationContext$UseCase valueOf(String)
   public static net.corda.core.serialization.SerializationContext.UseCase[] values()
 ##
@@ -7306,6 +7377,8 @@ public static final class net.corda.core.transactions.ContractUpgradeWireTransac
   public <init>(kotlin.jvm.internal.DefaultConstructorMarker)
 ##
 public static final class net.corda.core.transactions.ContractUpgradeWireTransaction$Component extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.transactions.ContractUpgradeWireTransaction$Component valueOf(String)
   public static net.corda.core.transactions.ContractUpgradeWireTransaction.Component[] values()
 ##
@@ -7537,6 +7610,8 @@ public static final class net.corda.core.transactions.LedgerTransaction$InOutGro
   @NotNull
   public String toString()
 ##
+public final class net.corda.core.transactions.LedgerTransactionKt extends java.lang.Object
+##
 @CordaSerializable
 public final class net.corda.core.transactions.MissingContractAttachments extends net.corda.core.flows.FlowException
   public <init>(java.util.List)
@@ -7651,6 +7726,8 @@ public final class net.corda.core.transactions.NotaryChangeWireTransaction exten
   public String toString()
 ##
 public static final class net.corda.core.transactions.NotaryChangeWireTransaction$Component extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.core.transactions.NotaryChangeWireTransaction$Component valueOf(String)
   public static net.corda.core.transactions.NotaryChangeWireTransaction.Component[] values()
 ##
@@ -7881,6 +7958,8 @@ public abstract class net.corda.core.transactions.TraversableTransaction extends
   public final net.corda.core.crypto.DigestService getDigestService()
   @NotNull
   public java.util.List getInputs()
+  @NotNull
+  public final java.util.List getLegacyAttachments()
   @Nullable
   public net.corda.core.crypto.SecureHash getNetworkParametersHash()
   @Nullable
@@ -9441,6 +9520,8 @@ public class net.corda.testing.driver.SharedMemoryIncremental extends net.corda.
   public static net.corda.testing.driver.SharedMemoryIncremental INSTANCE
 ##
 public final class net.corda.testing.driver.VerifierType extends java.lang.Enum
+  @NotNull
+  public static kotlin.enums.EnumEntries getEntries()
   public static net.corda.testing.driver.VerifierType valueOf(String)
   public static net.corda.testing.driver.VerifierType[] values()
 ##

build.gradle

@@ -383,6 +383,8 @@ allprojects {
                 url "${publicArtifactURL}/corda-dependencies-dev"
                 content {
                     includeGroup 'co.paralleluniverse'
+                    // Remove below when BC 2.73.6 is released
+                    includeGroup 'org.bouncycastle'
                 }
             }
             maven {

client/jackson/build.gradle

@@ -18,8 +18,8 @@ dependencies {
     implementation "com.google.guava:guava:$guava_version"
 
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
     implementation "org.slf4j:slf4j-api:$slf4j_version"
 
     testImplementation project(':finance:workflows')

constants.properties

@@ -20,8 +20,8 @@ guavaVersion=28.0-jre
 quasarVersion=0.9.0_r3
 dockerJavaVersion=3.2.5
 proguardVersion=7.3.1
-# Bouncy Castle version must not be changed on a patch release. Needs a full release test cycle to flush out any issues.
-bouncycastleVersion=1.75
+# Switch to release version when out
+bouncycastleVersion=2.73.6-SNAPSHOT
 classgraphVersion=4.8.135
 disruptorVersion=3.4.2
 typesafeConfigVersion=1.3.4

core-tests/build.gradle

@@ -105,7 +105,7 @@ dependencies {
     testImplementation "com.esotericsoftware:kryo:$kryo_version"
     testImplementation "co.paralleluniverse:quasar-core:$quasar_version"
     testImplementation "org.hibernate:hibernate-core:$hibernate_version"
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
     testImplementation "io.netty:netty-common:$netty_version"
     testImplementation "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
 
@@ -123,7 +123,7 @@ dependencies {
     smokeTestImplementation project(":testing:cordapps:4.11-workflows")
     smokeTestImplementation project(":finance:contracts")
     smokeTestImplementation "org.assertj:assertj-core:${assertj_version}"
-    smokeTestImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    smokeTestImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
     smokeTestImplementation "co.paralleluniverse:quasar-core:$quasar_version"
     smokeTestImplementation "org.junit.jupiter:junit-jupiter-api:${junit_jupiter_version}"
     smokeTestImplementation "junit:junit:$junit_version"

core-tests/src/test/kotlin/net/corda/coretests/crypto/CompositeKeyTests.kt

@@ -295,21 +295,19 @@ class CompositeKeyTests {
         val keyPairK1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
         val keyPairR1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
         val keyPairEd = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
-        val keyPairSP = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
 
         val RSASignature = keyPairRSA.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairRSA.public).schemeNumberID)))
         val K1Signature = keyPairK1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairK1.public).schemeNumberID)))
         val R1Signature = keyPairR1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairR1.public).schemeNumberID)))
         val EdSignature = keyPairEd.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairEd.public).schemeNumberID)))
-        val SPSignature = keyPairSP.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairSP.public).schemeNumberID)))
 
-        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public, keyPairSP.public).build() as CompositeKey
+        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public).build() as CompositeKey
 
-        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature, SPSignature)
+        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature)
         assertTrue { compositeKey.isFulfilledBy(signatures.byKeys()) }
 
         // One signature is missing.
-        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature, SPSignature)
+        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature)
         assertFalse { compositeKey.isFulfilledBy(signaturesWithoutRSA.byKeys()) }
     }
 
@@ -320,20 +318,18 @@ class CompositeKeyTests {
         val keyPairK1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
         val keyPairR1 = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
         val keyPairEd = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
-        val keyPairSP = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
 
         val RSASignature = keyPairRSA.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairRSA.public).schemeNumberID)))
         val K1Signature = keyPairK1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairK1.public).schemeNumberID)))
         val R1Signature = keyPairR1.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairR1.public).schemeNumberID)))
         val EdSignature = keyPairEd.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairEd.public).schemeNumberID)))
-        val SPSignature = keyPairSP.sign(SignableData(secureHash, SignatureMetadata(1, Crypto.findSignatureScheme(keyPairSP.public).schemeNumberID)))
 
-        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public, keyPairSP.public).build() as CompositeKey
+        val compositeKey = CompositeKey.Builder().addKeys(keyPairRSA.public, keyPairK1.public, keyPairR1.public, keyPairEd.public).build() as CompositeKey
 
-        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature, SPSignature)
+        val signatures = listOf(RSASignature, K1Signature, R1Signature, EdSignature)
         assertTrue { compositeKey.isFulfilledBy(signatures.byKeys()) }
         // One signature is missing.
-        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature, SPSignature)
+        val signaturesWithoutRSA = listOf(K1Signature, R1Signature, EdSignature)
         assertFalse { compositeKey.isFulfilledBy(signaturesWithoutRSA.byKeys()) }
 
         // Create self sign CA.
@@ -374,13 +370,12 @@ class CompositeKeyTests {
         val (_, pub3) = Crypto.generateKeyPair(Crypto.RSA_SHA256)
         val (_, pub4) = Crypto.generateKeyPair(Crypto.EDDSA_ED25519_SHA512)
         val (_, pub5) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256R1_SHA256)
-        val (_, pub6) = Crypto.generateKeyPair(Crypto.SPHINCS256_SHA256)
-        val (_, pub7) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
+        val (_, pub6) = Crypto.generateKeyPair(Crypto.ECDSA_SECP256K1_SHA256)
 
         // Using default weight = 1, thus all weights are equal.
-        val composite1 = CompositeKey.Builder().addKeys(pub1, pub2, pub3, pub4, pub5, pub6, pub7).build() as CompositeKey
+        val composite1 = CompositeKey.Builder().addKeys(pub1, pub2, pub3, pub4, pub5, pub6).build() as CompositeKey
         // Store in reverse order.
-        val composite2 = CompositeKey.Builder().addKeys(pub7, pub6, pub5, pub4, pub3, pub2, pub1).build() as CompositeKey
+        val composite2 = CompositeKey.Builder().addKeys(pub6, pub5, pub4, pub3, pub2, pub1).build() as CompositeKey
         // There are 7! = 5040 permutations, but as sorting is deterministic the following should never fail.
         assertEquals(composite1.children, composite2.children)
     }

core/build.gradle

@@ -37,7 +37,7 @@ dependencies {
     implementation "com.github.ben-manes.caffeine:caffeine:$caffeine_version"
     implementation "org.apache.commons:commons-lang3:$commons_lang3_version"
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
     // required to use @Type annotation
     implementation "org.hibernate:hibernate-core:$hibernate_version"
     // FastThreadLocal
@@ -55,7 +55,7 @@ dependencies {
     testImplementation "com.natpryce:hamkrest:$hamkrest_version"
     // AssertJ: for fluent assertions for testing
     testImplementation "org.assertj:assertj-core:$assertj_version"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:$bouncycastle_version"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:$bouncycastle_version"
     testImplementation "org.ow2.asm:asm:$asm_version"
 
     testRuntimeOnly "com.esotericsoftware:kryo:$kryo_version"

core/src/main/kotlin/net/corda/core/crypto/Crypto.kt

@@ -6,19 +6,16 @@ import net.corda.core.crypto.internal.AliasPrivateKey
 import net.corda.core.crypto.internal.Curve25519.isOnCurve25519
 import net.corda.core.crypto.internal.Instances.withSignature
 import net.corda.core.crypto.internal.PublicKeyCache
-import net.corda.core.crypto.internal.bouncyCastlePQCProvider
 import net.corda.core.crypto.internal.cordaBouncyCastleProvider
 import net.corda.core.crypto.internal.cordaSecurityProvider
 import net.corda.core.crypto.internal.providerMap
 import net.corda.core.internal.utilities.PrivateInterner
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.ByteSequence
-import org.bouncycastle.asn1.ASN1Integer
 import org.bouncycastle.asn1.ASN1ObjectIdentifier
 import org.bouncycastle.asn1.DERNull
 import org.bouncycastle.asn1.DERUTF8String
 import org.bouncycastle.asn1.DLSequence
-import org.bouncycastle.asn1.bc.BCObjectIdentifiers
 import org.bouncycastle.asn1.edec.EdECObjectIdentifiers
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers
@@ -48,9 +45,6 @@ import org.bouncycastle.math.ec.ECConstants
 import org.bouncycastle.math.ec.FixedPointCombMultiplier
 import org.bouncycastle.math.ec.WNafUtil
 import org.bouncycastle.math.ec.rfc8032.Ed25519
-import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
-import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PublicKey
-import org.bouncycastle.pqc.jcajce.spec.SPHINCS256KeyGenParameterSpec
 import java.math.BigInteger
 import java.security.InvalidKeyException
 import java.security.Key
@@ -79,7 +73,6 @@ import javax.crypto.spec.SecretKeySpec
  * <li>ECDSA_SECP256K1_SHA256 (ECDSA using the secp256k1 Koblitz curve and SHA256 as hash algorithm).
  * <li>ECDSA_SECP256R1_SHA256 (ECDSA using the secp256r1 (NIST P-256) curve and SHA256 as hash algorithm).
  * <li>EDDSA_ED25519_SHA512 (EdDSA using the ed25519 twisted Edwards curve and SHA512 as hash algorithm).
- * <li>SPHINCS256_SHA512 (SPHINCS-256 hash-based signature scheme using SHA512 as hash algorithm).
  * </ul>
  */
 object Crypto {
@@ -155,26 +148,6 @@ object Crypto {
     @JvmField
     val SHA512_256 = DLSequence(arrayOf(NISTObjectIdentifiers.id_sha512_256))
 
-    /**
-     * SPHINCS-256 hash-based signature scheme using SHA512 for message hashing. It provides 128bit security against
-     * post-quantum attackers at the cost of larger key nd signature sizes and loss of compatibility.
-     */
-    // TODO: change val name to SPHINCS256_SHA512. This will break backwards compatibility.
-    @JvmField
-    val SPHINCS256_SHA256 = SignatureScheme(
-            5,
-            "SPHINCS-256_SHA512",
-            AlgorithmIdentifier(BCObjectIdentifiers.sphincs256_with_SHA512, null),
-            listOf(AlgorithmIdentifier(BCObjectIdentifiers.sphincs256, DLSequence(arrayOf(ASN1Integer(0), SHA512_256)))),
-            bouncyCastlePQCProvider.name,
-            "SPHINCS256",
-            "SHA512withSPHINCS256",
-            SPHINCS256KeyGenParameterSpec(SPHINCS256KeyGenParameterSpec.SHA512_256),
-            256,
-            "SPHINCS-256 hash-based signature scheme. It provides 128bit security against post-quantum attackers " +
-                    "at the cost of larger key sizes and loss of compatibility."
-    )
-
     /** Corda [CompositeKey] signature type. */
     // TODO: change the val name to a more descriptive one as it's now confusing and looks like a Key type.
     @JvmField
@@ -204,7 +177,6 @@ object Crypto {
             ECDSA_SECP256K1_SHA256,
             ECDSA_SECP256R1_SHA256,
             EDDSA_ED25519_SHA512,
-            SPHINCS256_SHA256,
             COMPOSITE_KEY
     ).associateBy { it.schemeCodeName }
 
@@ -469,7 +441,7 @@ object Crypto {
             // Note that deterministic signature schemes, such as EdDSA, original SPHINCS-256 and RSA PKCS#1, do not require
             // extra randomness, but we have to ensure that non-deterministic algorithms (i.e., ECDSA) use non-blocking
             // SecureRandom implementation.
-            if (signatureScheme == EDDSA_ED25519_SHA512 || signatureScheme == SPHINCS256_SHA256 || signatureScheme == RSA_SHA256) {
+            if (signatureScheme == EDDSA_ED25519_SHA512 || signatureScheme == RSA_SHA256) {
                 signature.initSign(privateKey)
             } else {
                 // The rest of the algorithms will require a SecureRandom input (i.e., ECDSA or any new algorithm for which
@@ -970,7 +942,6 @@ object Crypto {
         return when (key) {
             is BCECPublicKey, is EdECPublicKey -> publicKeyOnCurve(signatureScheme, key)
             is BCRSAPublicKey -> key.modulus.bitLength() >= 2048 // Although the recommended RSA key size is 3072, we accept any key >= 2048bits.
-            is BCSphincs256PublicKey -> true
             else -> throw IllegalArgumentException("Unsupported key type: ${key.javaClass.name}")
         }
     }
@@ -1003,7 +974,6 @@ object Crypto {
             key is BCEdDSAPublicKey && key is EdECPublicKey -> internPublicKey(key)  // The BC implementation is not public
             key is BCECPublicKey -> internPublicKey(key)
             key is BCRSAPublicKey -> internPublicKey(key)
-            key is BCSphincs256PublicKey -> internPublicKey(key)
             key is CompositeKey -> internPublicKey(key)
             else -> decodePublicKey(key.encoded)
         }
@@ -1023,7 +993,6 @@ object Crypto {
             key is BCEdDSAPrivateKey && key is EdECPrivateKey -> key  // The BC implementation is not public
             key is BCECPrivateKey -> key
             key is BCRSAPrivateKey -> key
-            key is BCSphincs256PrivateKey -> key
             else -> decodePrivateKey(key.encoded)
         }
     }

core/src/main/kotlin/net/corda/core/crypto/SignatureScheme.kt

@@ -10,12 +10,12 @@ import java.security.spec.AlgorithmParameterSpec
  * This class is used to define a digital signature scheme.
  * @param schemeNumberID unique number ID for better efficiency on-wire serialisation.
  * @param schemeCodeName unique code name for this signature scheme (e.g. RSA_SHA256, ECDSA_SECP256K1_SHA256, ECDSA_SECP256R1_SHA256,
- * EDDSA_ED25519_SHA512, SPHINCS-256_SHA512).
+ * EDDSA_ED25519_SHA512).
  * @param signatureOID ASN.1 algorithm identifier of the signature algorithm (e.g 1.3.101.112 for EdDSA)
  * @param alternativeOIDs ASN.1 algorithm identifiers for keys of the signature, where we want to map multiple keys to
  * the same signature scheme.
  * @param providerName the provider's name (e.g. "BC").
- * @param algorithmName which signature algorithm is used (e.g. RSA, ECDSA. EdDSA, SPHINCS-256).
+ * @param algorithmName which signature algorithm is used (e.g. RSA, ECDSA. EdDSA).
  * @param signatureName a signature-scheme name as required to create [Signature] objects (e.g. "SHA256withECDSA")
  * @param algSpec parameter specs for the underlying algorithm. Note that RSA is defined by the key size rather than algSpec.
  * eg. ECGenParameterSpec("secp256k1").

core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt

@@ -2,7 +2,6 @@ package net.corda.core.crypto.internal
 
 import net.corda.core.crypto.CordaSecurityProvider
 import org.bouncycastle.jce.provider.BouncyCastleProvider
-import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider
 import java.security.Provider
 import java.security.Security
 import java.util.Collections.unmodifiableMap
@@ -26,16 +25,11 @@ val cordaBouncyCastleProvider = BouncyCastleProvider().also {
     Security.addProvider(it)
 }
 
-val bouncyCastlePQCProvider = BouncyCastlePQCProvider().apply {
-    require(name == "BCPQC") { "Invalid PQCProvider name" }
-}.also {
-    Security.addProvider(it)
-}
 // This map is required to defend against users that forcibly call Security.addProvider / Security.removeProvider
 // that could cause unexpected and suspicious behaviour.
 // i.e. if someone removes a Provider and then he/she adds a new one with the same name.
 // The val is immutable to avoid any harmful state changes.
 internal val providerMap: Map<String, Provider> = unmodifiableMap(
-    listOf(cordaBouncyCastleProvider, cordaSecurityProvider, bouncyCastlePQCProvider)
+    listOf(cordaBouncyCastleProvider, cordaSecurityProvider)
         .associateByTo(LinkedHashMap(), Provider::getName)
 )

core/src/test/kotlin/net/corda/core/crypto/CryptoUtilsTest.kt

@@ -5,21 +5,16 @@ import net.corda.core.crypto.Crypto.ECDSA_SECP256K1_SHA256
 import net.corda.core.crypto.Crypto.ECDSA_SECP256R1_SHA256
 import net.corda.core.crypto.Crypto.EDDSA_ED25519_SHA512
 import net.corda.core.crypto.Crypto.RSA_SHA256
-import net.corda.core.crypto.Crypto.SPHINCS256_SHA256
 import net.corda.core.crypto.internal.PlatformSecureRandomService
 import net.corda.core.utilities.OpaqueBytes
 import org.apache.commons.lang3.ArrayUtils.EMPTY_BYTE_ARRAY
 import org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 import org.assertj.core.api.Assertions.assertThatThrownBy
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
 import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey
 import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey
 import org.bouncycastle.jce.ECNamedCurveTable
 import org.bouncycastle.jce.interfaces.ECKey
 import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec
-import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
-import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PublicKey
 import org.junit.Assert.assertNotEquals
 import org.junit.Test
 import java.math.BigInteger
@@ -54,21 +49,18 @@ class CryptoUtilsTest {
         val ecdsaKKeyPair = Crypto.generateKeyPair(ECDSA_SECP256K1_SHA256)
         val ecdsaRKeyPair = Crypto.generateKeyPair(ECDSA_SECP256R1_SHA256)
         val eddsaKeyPair = Crypto.generateKeyPair(EDDSA_ED25519_SHA512)
-        val sphincsKeyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
 
         // not null private keys
         assertNotNull(rsaKeyPair.private)
         assertNotNull(ecdsaKKeyPair.private)
         assertNotNull(ecdsaRKeyPair.private)
         assertNotNull(eddsaKeyPair.private)
-        assertNotNull(sphincsKeyPair.private)
 
         // not null public keys
         assertNotNull(rsaKeyPair.public)
         assertNotNull(ecdsaKKeyPair.public)
         assertNotNull(ecdsaRKeyPair.public)
         assertNotNull(eddsaKeyPair.public)
-        assertNotNull(sphincsKeyPair.public)
 
         // fail on unsupported algorithm
         try {
@@ -298,66 +290,11 @@ class CryptoUtilsTest {
         }
     }
 
-    @Test(timeout=300_000)
-	fun `SPHINCS-256 full process keygen-sign-verify`() {
-        val keyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
-        val (privKey, pubKey) = keyPair
-        // test for some data
-        val signedData = Crypto.doSign(privKey, testBytes)
-        val verification = Crypto.doVerify(pubKey, signedData, testBytes)
-        assertTrue(verification)
-
-        // test for empty data signing
-        try {
-            Crypto.doSign(privKey, EMPTY_BYTE_ARRAY)
-            fail()
-        } catch (e: Exception) {
-            // expected
-        }
-
-        // test for empty source data when verifying
-        try {
-            Crypto.doVerify(pubKey, testBytes, EMPTY_BYTE_ARRAY)
-            fail()
-        } catch (e: Exception) {
-            // expected
-        }
-
-        // test for empty signed data when verifying
-        try {
-            Crypto.doVerify(pubKey, EMPTY_BYTE_ARRAY, testBytes)
-            fail()
-        } catch (e: Exception) {
-            // expected
-        }
-
-        // test for zero bytes data
-        val signedDataZeros = Crypto.doSign(privKey, test100ZeroBytes)
-        val verificationZeros = Crypto.doVerify(pubKey, signedDataZeros, test100ZeroBytes)
-        assertTrue(verificationZeros)
-
-        // test for 1MB of data (I successfully tested it locally for 1GB as well)
-        val MBbyte = ByteArray(1000000) // 1.000.000
-        Random().nextBytes(MBbyte)
-        val signedDataBig = Crypto.doSign(privKey, MBbyte)
-        val verificationBig = Crypto.doVerify(pubKey, signedDataBig, MBbyte)
-        assertTrue(verificationBig)
-
-        // test on malformed signatures (even if they change for 1 bit)
-        signedData[0] = signedData[0].inc()
-        try {
-            Crypto.doVerify(pubKey, signedData, testBytes)
-            fail()
-        } catch (e: Exception) {
-            // expected
-        }
-    }
-
     // test list of supported algorithms
     @Test(timeout=300_000)
 	fun `Check supported algorithms`() {
         val algList: List<String> = Crypto.supportedSignatureSchemes().map { it.schemeCodeName }
-        val expectedAlgSet = setOf("RSA_SHA256", "ECDSA_SECP256K1_SHA256", "ECDSA_SECP256R1_SHA256", "EDDSA_ED25519_SHA512", "SPHINCS-256_SHA512", "COMPOSITE")
+        val expectedAlgSet = setOf("RSA_SHA256", "ECDSA_SECP256K1_SHA256", "ECDSA_SECP256R1_SHA256", "EDDSA_ED25519_SHA512", "COMPOSITE")
         assertTrue { Sets.symmetricDifference(expectedAlgSet, algList.toSet()).isEmpty(); }
     }
 
@@ -422,36 +359,6 @@ class CryptoUtilsTest {
         assertEquals(pubKey2, pubKey)
     }
 
-    @Test(timeout=300_000)
-	fun `SPHINCS-256 encode decode keys - required for serialization`() {
-        // Generate key pair.
-        val keyPair = Crypto.generateKeyPair(SPHINCS256_SHA256)
-        val privKey: BCSphincs256PrivateKey = keyPair.private as BCSphincs256PrivateKey
-        val pubKey: BCSphincs256PublicKey = keyPair.public as BCSphincs256PublicKey
-
-        //1st method for encoding/decoding
-        val privKey2 = Crypto.decodePrivateKey(privKey.encoded)
-        assertEquals(privKey2, privKey)
-
-        // Encode and decode public key.
-        val pubKey2 = Crypto.decodePublicKey(pubKey.encoded)
-        assertEquals(pubKey2, pubKey)
-
-        //2nd method for encoding/decoding
-
-        // Encode and decode private key.
-        val privKeyInfo: PrivateKeyInfo = PrivateKeyInfo.getInstance(privKey.encoded)
-        val decodedPrivKey = BCSphincs256PrivateKey(privKeyInfo)
-        // Check that decoded private key is equal to the initial one.
-        assertEquals(decodedPrivKey, privKey)
-
-        // Encode and decode public key.
-        val pubKeyInfo: SubjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(pubKey.encoded)
-        val decodedPubKey = BCSphincs256PublicKey(pubKeyInfo)
-        // Check that decoded private key is equal to the initial one.
-        assertEquals(decodedPubKey, pubKey)
-    }
-
     @Test(timeout=300_000)
 	fun `RSA scheme finder by key type`() {
         val keyPairRSA = Crypto.generateKeyPair(RSA_SHA256)
@@ -496,14 +403,6 @@ class CryptoUtilsTest {
         assertEquals((pubEd as EdECPublicKey).params.name, NamedParameterSpec.ED25519.name)
     }
 
-    @Test(timeout=300_000)
-	fun `SPHINCS-256 scheme finder by key type`() {
-        val keyPairSP = Crypto.generateKeyPair(SPHINCS256_SHA256)
-        val (privSP, pubSP) = keyPairSP
-        assertEquals(privSP.algorithm, "SPHINCS-256")
-        assertEquals(pubSP.algorithm, "SPHINCS-256")
-    }
-
     @Test(timeout=300_000)
 	fun `Automatic EdDSA key-type detection and decoding`() {
         val keyPairEd = Crypto.generateKeyPair(EDDSA_ED25519_SHA512)
@@ -568,22 +467,6 @@ class CryptoUtilsTest {
         assertEquals(decodedPubRSA, pubRSA)
     }
 
-    @Test(timeout=300_000)
-	fun `Automatic SPHINCS-256 key-type detection and decoding`() {
-        val keyPairSP = Crypto.generateKeyPair(SPHINCS256_SHA256)
-        val (privSP, pubSP) = keyPairSP
-        val encodedPrivSP = privSP.encoded
-        val encodedPubSP = pubSP.encoded
-
-        val decodedPrivSP = Crypto.decodePrivateKey(encodedPrivSP)
-        assertEquals(decodedPrivSP.algorithm, "SPHINCS-256")
-        assertEquals(decodedPrivSP, privSP)
-
-        val decodedPubSP = Crypto.decodePublicKey(encodedPubSP)
-        assertEquals(decodedPubSP.algorithm, "SPHINCS-256")
-        assertEquals(decodedPubSP, pubSP)
-    }
-
     @Test(timeout=300_000)
 	fun `Failure test between K1 and R1 keys`() {
         val keyPairK1 = Crypto.generateKeyPair(ECDSA_SECP256K1_SHA256)
@@ -904,8 +787,8 @@ class CryptoUtilsTest {
     }
 
     @Test(timeout=300_000)
-	fun `Ensure deterministic signatures of EdDSA, SPHINCS-256 and RSA PKCS1`() {
-        listOf(EDDSA_ED25519_SHA512, SPHINCS256_SHA256, RSA_SHA256)
+	fun `Ensure deterministic signatures of EdDSA and RSA PKCS1`() {
+        listOf(EDDSA_ED25519_SHA512, RSA_SHA256)
                 .forEach { testDeterministicSignatures(it) }
     }
 

node-api-tests/build.gradle

@@ -24,8 +24,8 @@ dependencies {
     testImplementation "io.netty:netty-handler-proxy:$netty_version"
 
     // Bouncy castle support needed for X509 certificate manipulation
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
 
     testRuntimeOnly "org.junit.vintage:junit-vintage-engine:${junit_vintage_version}"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${junit_jupiter_version}"

node-api-tests/src/test/kotlin/net/corda/nodeapitests/internal/crypto/X509UtilitiesTest.kt

@@ -9,7 +9,6 @@ import net.corda.core.crypto.Crypto.ECDSA_SECP256K1_SHA256
 import net.corda.core.crypto.Crypto.ECDSA_SECP256R1_SHA256
 import net.corda.core.crypto.Crypto.EDDSA_ED25519_SHA512
 import net.corda.core.crypto.Crypto.RSA_SHA256
-import net.corda.core.crypto.Crypto.SPHINCS256_SHA256
 import net.corda.core.crypto.Crypto.generateKeyPair
 import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.newSecureRandom
@@ -58,7 +57,6 @@ import org.bouncycastle.asn1.x509.CRLDistPoint
 import org.bouncycastle.asn1.x509.Extension
 import org.bouncycastle.asn1.x509.KeyUsage
 import org.bouncycastle.asn1.x509.SubjectKeyIdentifier
-import org.bouncycastle.pqc.jcajce.provider.sphincs.BCSphincs256PrivateKey
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
@@ -108,12 +106,10 @@ class X509UtilitiesTest {
                 Pair(DEFAULT_TLS_SIGNATURE_SCHEME, DEFAULT_TLS_SIGNATURE_SCHEME),
                 Pair(DEFAULT_IDENTITY_SIGNATURE_SCHEME, DEFAULT_IDENTITY_SIGNATURE_SCHEME),
                 Pair(DEFAULT_TLS_SIGNATURE_SCHEME, DEFAULT_IDENTITY_SIGNATURE_SCHEME),
-                Pair(ECDSA_SECP256R1_SHA256, SPHINCS256_SHA256),
                 Pair(ECDSA_SECP256K1_SHA256, RSA_SHA256),
                 Pair(EDDSA_ED25519_SHA512, ECDSA_SECP256K1_SHA256),
                 Pair(RSA_SHA256, EDDSA_ED25519_SHA512),
                 Pair(EDDSA_ED25519_SHA512, ECDSA_SECP256R1_SHA256),
-                Pair(SPHINCS256_SHA256, ECDSA_SECP256R1_SHA256)
         )
 
         val schemeToKeyTypes = listOf(
@@ -121,8 +117,6 @@ class X509UtilitiesTest {
                 Triple(ECDSA_SECP256R1_SHA256, java.security.interfaces.ECPrivateKey::class.java, org.bouncycastle.jce.interfaces.ECPrivateKey::class.java),
                 Triple(ECDSA_SECP256K1_SHA256, java.security.interfaces.ECPrivateKey::class.java, org.bouncycastle.jce.interfaces.ECPrivateKey::class.java),
                 Triple(EDDSA_ED25519_SHA512, EdECPrivateKey::class.java, EdECPrivateKey::class.java),
-                // By default, JKS returns SUN RSA key.
-                Triple(SPHINCS256_SHA256, BCSphincs256PrivateKey::class.java, BCSphincs256PrivateKey::class.java)
         )
     }
 

node-api/build.gradle

@@ -51,8 +51,8 @@ dependencies {
     implementation "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
 
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
 
     implementation "io.reactivex:rxjava:$rxjava_version"
     implementation "javax.persistence:javax.persistence-api:2.2"

node/build.gradle

@@ -135,8 +135,8 @@ dependencies {
         exclude group: 'org.jgroups', module: 'jgroups'
     }
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
     implementation "com.esotericsoftware:kryo:$kryo_version"
     implementation "com.fasterxml.jackson.core:jackson-annotations:${jackson_version}"
     implementation "com.fasterxml.jackson.core:jackson-databind:$jackson_version"

serialization-tests/build.gradle

@@ -15,8 +15,8 @@ dependencies {
     testImplementation project(':test-utils')
 
     // Bouncy castle support needed for X509 certificate manipulation
-    testImplementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    testImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    testImplementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
 
     testImplementation "org.junit.jupiter:junit-jupiter-api:${junit_jupiter_version}"
     testImplementation "junit:junit:$junit_version"

testing/core-test-utils/build.gradle

@@ -17,8 +17,8 @@ dependencies {
     api "org.jetbrains.kotlin:kotlin-test"
 
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
 
     implementation "org.slf4j:slf4j-api:$slf4j_version"
     implementation "org.mockito.kotlin:mockito-kotlin:$mockito_kotlin_version"

testing/node-driver/build.gradle

@@ -75,8 +75,9 @@ dependencies {
     }
 
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcutil-lts8on:${bouncycastle_version}"
 
     implementation "com.google.code.findbugs:jsr305:$jsr305_version"
     implementation "com.google.jimfs:jimfs:1.1"

testing/test-utils/build.gradle

@@ -40,8 +40,8 @@ dependencies {
     implementation "com.github.ben-manes.caffeine:caffeine:$caffeine_version"
 
     // Bouncy castle support needed for X509 certificate manipulation
-    implementation "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}"
-    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcprov-lts8on:${bouncycastle_version}"
+    implementation "org.bouncycastle:bcpkix-lts8on:${bouncycastle_version}"
 
     testImplementation "org.apache.commons:commons-lang3:$commons_lang3_version"
     testImplementation "org.assertj:assertj-core:$assertj_version"