Migrate to JDK 17

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
     strategy:
       matrix:
         # test against latest update of each major Java version, as well as specific updates of LTS versions:
-        java: [ 11, 17, 21 ]
+        java: [ 17, 21 ]
     name: Java ${{ matrix.java }}
     steps:
       - uses: actions/checkout@v2

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Java
         uses: actions/[email protected]
         with:
-          java-version: 11
+          java-version: 17
 
       - name: Release
         env:

README.md

@@ -62,6 +62,11 @@ next (snapshot) release, e.g. `1.1-SNAPSHOT` after releasing `1.0`.
 
 ## Changelog
 
+## 2024-xx-yy 1.41
+  * Build with JDK 17
+  * Remove deprecated <pre>ManifestCms.CONTENT_TYPE_OID</pre>
+  * Remove deprecated <pre>ManifestCms.getHash</pre>
+
 ## 2024-xx-yy 1.40
   * Clean up some style (SonarQube) warnings
 

pom.xml

@@ -42,8 +42,8 @@
         <build.number>DEV</build.number>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-        <java.language.version>11</java.language.version>
-        <java.runtime.version>11</java.runtime.version>
+        <java.language.version>17</java.language.version>
+        <java.runtime.version>17</java.runtime.version>
 
         <net.ripe.ipresource.version>1.52</net.ripe.ipresource.version>
         <bouncycastle.version>1.77</bouncycastle.version>

src/main/java/net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsParser.java

@@ -16,7 +16,6 @@
 import javax.annotation.CheckForNull;
 import java.util.Comparator;
 import java.util.List;
-import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
 
 import static net.ripe.rpki.commons.crypto.util.Asn1Util.expect;
@@ -116,7 +115,7 @@ public void decodeAsn1Content(ASN1Encodable content) {
 
             List<Asn> providerAsList = StreamSupport.stream(providerAsnsSequence.spliterator(), false)
                 .map(this::parseProviderAsn)
-                .collect(Collectors.toList());
+                .toList();
 
             //  * The elements of providers MUST be ordered in ascending numerical
             //    order.¶

src/main/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCms.java

@@ -14,7 +14,7 @@
 import org.apache.commons.lang3.builder.ToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.cms.CMSSignedDataGenerator;
+import org.bouncycastle.cms.CMSSignedGenerator;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.joda.time.DateTime;
@@ -40,13 +40,9 @@ public class ManifestCms extends RpkiSignedObject {
 
     public static final int DEFAULT_VERSION = 0;
 
-    // since 1.34
-    @Deprecated
-    public static final String CONTENT_TYPE_OID = "1.2.840.113549.1.9.16.1.26";
-
     public static final ASN1ObjectIdentifier CONTENT_TYPE = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.1.26");
 
-    public static final String FILE_HASH_ALGORITHM = CMSSignedDataGenerator.DIGEST_SHA256;
+    public static final String FILE_HASH_ALGORITHM = CMSSignedGenerator.DIGEST_SHA256;
 
     /**
      * Allowed format of a manifest entry file name.
@@ -138,7 +134,7 @@ protected void validateWithCrl(String location, CertificateRepositoryObjectValid
     private void checkEntries(ValidationResult result) {
         List<String> failedEntries = getFileNames().stream()
                 .filter(s -> !FILE_NAME_PATTERN.matcher(s).matches())
-                .collect(Collectors.toList());
+                .toList();
         result.rejectIfFalse(
                 failedEntries.isEmpty(),
                 ValidationString.MANIFEST_ENTRY_FILE_NAME_IS_RELATIVE,
@@ -166,21 +162,13 @@ private void checkManifestValidityTimes(ValidationOptions options, ValidationRes
 
     }
 
-    /**
-     * @deprecated use {@link #verifyFileContents(String, byte[])} or {@link #getFileContentSpecification(String)}.
-     */
-    @Deprecated
-    public byte[] getHash(String fileName) {
-        return hashes.get(fileName);
-    }
-
     public boolean verifyFileContents(String fileName, byte[] contents) {
         return getFileContentSpecification(fileName).isSatisfiedBy(contents);
     }
 
     public FileContentSpecification getFileContentSpecification(String fileName) {
         Validate.isTrue(containsFile(fileName));
-        return new FileContentSpecification(getHash(fileName));
+        return new FileContentSpecification(hashes.get(fileName));
     }
 
     public static byte[] hashContents(byte[] contents) {

src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsBuilder.java

@@ -1,6 +1,5 @@
 package net.ripe.rpki.commons.crypto.cms.roa;
 
-import com.google.common.collect.ImmutableSortedSet;
 import net.ripe.ipresource.Asn;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectBuilder;
@@ -113,7 +112,7 @@ ASN1Encodable encodeRoaIpAddressFamilySequence(List<RoaPrefix> prefixes) {
         List<ASN1Encodable> encodables = Stream.concat(
             addRoaIpAddressFamily(IpResourceType.IPv4, prefixes),
             addRoaIpAddressFamily(IpResourceType.IPv6, prefixes)
-        ).collect(Collectors.toList());
+        ).toList();
 
         Validate.isTrue(!encodables.isEmpty(), "no encodable prefixes");
         return new DERSequence(encodables.toArray(new ASN1Encodable[encodables.size()]));

src/main/java/net/ripe/rpki/commons/provisioning/payload/AbstractProvisioningPayloadXmlSerializer.java

@@ -1,8 +1,8 @@
 package net.ripe.rpki.commons.provisioning.payload;
 
+import net.ripe.rpki.commons.crypto.x509cert.X509CertificateParser;
 import net.ripe.rpki.commons.crypto.x509cert.X509GenericCertificate;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
-import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateParser;
 import net.ripe.rpki.commons.provisioning.payload.common.CertificateElement;
 import net.ripe.rpki.commons.provisioning.payload.common.GenericClassElement;
 import net.ripe.rpki.commons.provisioning.serialization.CertificateUrlListConverter;
@@ -27,12 +27,11 @@
 import java.util.Base64;
 import java.util.List;
 import java.util.function.Supplier;
-import java.util.stream.Collectors;
 
 import static net.ripe.rpki.commons.provisioning.payload.AbstractProvisioningPayload.SUPPORTED_VERSION;
 
 public abstract class AbstractProvisioningPayloadXmlSerializer<T extends AbstractProvisioningPayload> extends DomXmlSerializer<T> {
-    private static final String XMLNS = "http://www.apnic.net/specs/rescerts/up-down/";
+    private static final String UP_DOWN_XMLNS = "http://www.apnic.net/specs/rescerts/up-down/";
 
     /**
      * We use the MIME decoder (RFC 2045) here to make the ProcessApnicPdusTest#apnic_pdu_2011_08_15_1_has_errors test
@@ -43,11 +42,12 @@ public abstract class AbstractProvisioningPayloadXmlSerializer<T extends Abstrac
     protected static final IpResourceSetProvisioningConverter IP_RESOURCE_SET_PROVISIONING_CONVERTER = IpResourceSetProvisioningConverter.INSTANCE;
     protected static final CertificateUrlListConverter CERTIFICATE_URL_LIST_CONVERTER = CertificateUrlListConverter.INSTANCE;
     protected static final DateTimeConverter DATE_TIME_CONVERTER = new DateTimeConverter();
+    public static final String ATTR_CERT_URL = "cert_url";
 
     private final PayloadMessageType type;
 
     protected AbstractProvisioningPayloadXmlSerializer(PayloadMessageType type) {
-        super(XMLNS);
+        super(UP_DOWN_XMLNS);
         this.type = type;
     }
 
@@ -57,7 +57,7 @@ protected AbstractProvisioningPayloadXmlSerializer(PayloadMessageType type) {
 
     protected X509ResourceCertificate parseX509ResourceCertificate(String base64) {
         ValidationResult result = ValidationResult.withLocation("certificate.cer").withoutStoringPassingChecks();
-        X509GenericCertificate certificate = X509ResourceCertificateParser.parseCertificate(result, BASE64_DECODER.decode(base64.trim()));
+        X509GenericCertificate certificate = X509CertificateParser.parseCertificate(result, BASE64_DECODER.decode(base64.trim()));
         if (result.hasFailureForCurrentLocation()) {
             throw new DomXmlSerializerException("resource certificate validation failed: " + result);
         } else if (certificate instanceof X509ResourceCertificate) {
@@ -133,7 +133,7 @@ public String serialize(T payload) {
 
     protected CertificateElement parseCertificateElementXml(Element certificate) {
         CertificateElement result = new CertificateElement();
-        result.setIssuerCertificatePublicationLocation(CERTIFICATE_URL_LIST_CONVERTER.fromString(getRequiredAttributeValue(certificate, "cert_url")));
+        result.setIssuerCertificatePublicationLocation(CERTIFICATE_URL_LIST_CONVERTER.fromString(getRequiredAttributeValue(certificate, ATTR_CERT_URL)));
         result.setAllocatedAsn(getAttributeValue(certificate, "req_resource_set_as").map(IP_RESOURCE_SET_PROVISIONING_CONVERTER::fromString).orElse(null));
         result.setAllocatedIpv4(getAttributeValue(certificate, "req_resource_set_ipv4").map(IP_RESOURCE_SET_PROVISIONING_CONVERTER::fromString).orElse(null));
         result.setAllocatedIpv6(getAttributeValue(certificate, "req_resource_set_ipv6").map(IP_RESOURCE_SET_PROVISIONING_CONVERTER::fromString).orElse(null));
@@ -143,7 +143,7 @@ protected CertificateElement parseCertificateElementXml(Element certificate) {
 
     protected Element generateCertificateElementXml(Document document, CertificateElement certificate) {
         Element result = document.createElementNS(xmlns, "certificate");
-        result.setAttribute("cert_url", CERTIFICATE_URL_LIST_CONVERTER.toString(certificate.getIssuerCertificatePublicationUris()));
+        result.setAttribute(ATTR_CERT_URL, CERTIFICATE_URL_LIST_CONVERTER.toString(certificate.getIssuerCertificatePublicationUris()));
         if (certificate.getAllocatedAsn() != null) {
             result.setAttribute("req_resource_set_as", IP_RESOURCE_SET_PROVISIONING_CONVERTER.toString(certificate.getAllocatedAsn()));
         }
@@ -159,7 +159,7 @@ protected Element generateCertificateElementXml(Document document, CertificateEl
 
     protected <U extends GenericClassElement> U parseClassElementXml(Element element, Supplier<U> clazzSupplier) {
         U clazz = clazzSupplier.get();
-        clazz.setCertUris(CERTIFICATE_URL_LIST_CONVERTER.fromString(getRequiredAttributeValue(element, "cert_url")));
+        clazz.setCertUris(CERTIFICATE_URL_LIST_CONVERTER.fromString(getRequiredAttributeValue(element, ATTR_CERT_URL)));
         clazz.setClassName(getRequiredAttributeValue(element, "class_name"));
         clazz.setResourceSetAs(IP_RESOURCE_SET_PROVISIONING_CONVERTER.fromString(getRequiredAttributeValue(element, "resource_set_as")));
         clazz.setResourceSetIpv4(IP_RESOURCE_SET_PROVISIONING_CONVERTER.fromString(getRequiredAttributeValue(element, "resource_set_ipv4")));
@@ -169,7 +169,7 @@ protected <U extends GenericClassElement> U parseClassElementXml(Element element
         List<CertificateElement> certificateElements = getChildElements(element, "certificate")
                 .stream()
                 .map(this::parseCertificateElementXml)
-                .collect(Collectors.toList());
+                .toList();
         clazz.setCertificateElements(certificateElements);
         Element issuerElement = getSingleChildElement(element, "issuer");
         clazz.setIssuer(parseX509ResourceCertificate(issuerElement.getTextContent()));
@@ -178,7 +178,7 @@ protected <U extends GenericClassElement> U parseClassElementXml(Element element
 
     protected Element generateClassElementXml(Document document, GenericClassElement classElement) {
         Element node = document.createElementNS(xmlns, "class");
-        node.setAttribute("cert_url", CERTIFICATE_URL_LIST_CONVERTER.toString(classElement.getCertificateAuthorityUri()));
+        node.setAttribute(ATTR_CERT_URL, CERTIFICATE_URL_LIST_CONVERTER.toString(classElement.getCertificateAuthorityUri()));
         node.setAttribute("class_name", classElement.getClassName());
         node.setAttribute("resource_set_as", IP_RESOURCE_SET_PROVISIONING_CONVERTER.toString(classElement.getResourceSetAsn()));
         node.setAttribute("resource_set_ipv4", IP_RESOURCE_SET_PROVISIONING_CONVERTER.toString(classElement.getResourceSetIpv4()));

src/main/java/net/ripe/rpki/commons/provisioning/payload/list/response/ResourceClassListResponsePayloadSerializer.java

@@ -7,7 +7,6 @@
 import org.w3c.dom.Node;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
 /**
  * See RFC6492 section 3.3.1 (https://tools.ietf.org/html/rfc6492#section-3.3.1). Example:
@@ -27,7 +26,7 @@ protected ResourceClassListResponsePayload parseXmlPayload(Element message) {
         List<ResourceClassListResponseClassElement> classes = getChildElements(message, "class")
                 .stream()
                 .map(element -> parseClassElementXml(element, ResourceClassListResponseClassElement::new))
-                .collect(Collectors.toList());
+                .toList();
         return new ResourceClassListResponsePayload(classes);
     }
 
@@ -36,7 +35,7 @@ protected Iterable<? extends Node> generateXmlPayload(Document document, Resourc
         return payload.getClassElements()
                 .stream()
                 .map(clazz -> generateClassElementXml(document, clazz))
-                .collect(Collectors.toList());
+                .toList();
     }
 
 }

src/main/java/net/ripe/rpki/commons/validation/ValidationResult.java

@@ -15,7 +15,6 @@
 import java.util.Map.Entry;
 import java.util.Set;
 import java.util.TreeMap;
-import java.util.stream.Collectors;
 
 public final class ValidationResult implements Serializable {
 
@@ -241,7 +240,7 @@ public Set<ValidationCheck> getFailuresForCurrentLocation() {
     public List<ValidationCheck> getFailuresForAllLocations() {
         return results.values().stream()
                 .flatMap(location -> location.error.stream())
-                .collect(Collectors.toList());
+                .toList();
     }
 
     public List<ValidationCheck> getFailures(ValidationLocation location) {
@@ -266,7 +265,7 @@ public boolean hasFailureForLocation(ValidationLocation location) {
     public List<ValidationCheck> getWarnings() {
         return results.values().stream()
                 .flatMap(location -> location.warning.stream())
-                .collect(Collectors.toList());
+                .toList();
     }
 
     public List<ValidationCheck> getAllValidationChecksForCurrentLocation() {

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java

@@ -1,6 +1,5 @@
 package net.ripe.rpki.commons.validation.objectvalidators;
 
-import com.google.common.collect.Lists;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.rpki.commons.crypto.x509cert.X509CertificateObject;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
@@ -11,6 +10,7 @@
 import org.apache.commons.lang3.builder.ToStringStyle;
 
 import java.net.URI;
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -32,7 +32,7 @@ public class CertificateRepositoryObjectValidationContext {
     private IpResourceSet overclaiming = new IpResourceSet();
 
     public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate) {
-        this(location, certificate, certificate.getResources(), Lists.newArrayList(certificate.getSubject().getName()));
+        this(location, certificate, certificate.getResources(), List.of(certificate.getSubject().getName()));
     }
 
     public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate, IpResourceSet resources, List<String> subjectChain) {
@@ -91,7 +91,7 @@ public void addOverclaiming(IpResourceSet overclaiming) {
     public CertificateRepositoryObjectValidationContext createChildContext(URI childLocation, X509ResourceCertificate childCertificate) {
         IpResourceSet effectiveResources = childCertificate.deriveResources(resources);
         removeOverclaimingResources(effectiveResources);
-        List<String> childSubjects = Lists.newArrayList(subjectChain);
+        List<String> childSubjects = new ArrayList<>(subjectChain);
         childSubjects.add(childCertificate.getSubject().getName());
         return new CertificateRepositoryObjectValidationContext(childLocation, childCertificate, effectiveResources, childSubjects);
     }

src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsBuilderTest.java

@@ -55,7 +55,6 @@ public void shouldTrackFilenameAndHash() {
 
     }
 
-    @SuppressWarnings("deprecation")
     @Test
     public void shouldCalculateHashAndWriteFile() throws IOException {
         byte[] contents = "contents".getBytes();
@@ -67,7 +66,7 @@ public void shouldCalculateHashAndWriteFile() throws IOException {
 
         // The hash below I got using 'shasum -a 256 /tmp/foo1' on OSX, where /tmp/foo1 is the file written above...
         byte[] expectedHash = Hex.decode("d1b2a59fbea7e20077af9f91b27e95e865061b270be03ff539ab3b73587882e8");
-        assertArrayEquals(expectedHash, result.getHash("foo1"));
+        assertArrayEquals(expectedHash, result.getFileContentSpecification("foo1").getHash());
 
         assertTrue(result.verifyFileContents("foo1", contents));
         assertFalse(result.verifyFileContents("foo1", Hex.decode("deadbeaf")));