From 797242c7090d7d53483991e2f005825bd7ade3c5 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Mon, 16 Oct 2023 14:09:28 +0200
Subject: [PATCH] GitHub Actions: build with JDK21 (#679)

Drop build support for Java 8
---
 .github/workflows/maven.yml                   |  2 +-
 .../actool/configmodel/pkcs/KeyTest.java      | 19 +++++-
 docs/Configuration.md                         |  2 +-
 pom.xml                                       | 62 ++-----------------
 4 files changed, 23 insertions(+), 62 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index a0814e08c..dc69ce4f7 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -7,7 +7,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
-        jdk: [8, 11, 17]
+        jdk: [11, 17, 21]
         include:
           # lengthy build steps should only be performed on linux with Java 17 (Sonarcloud analysis, deployment)
           - os: ubuntu-latest
diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/pkcs/KeyTest.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/pkcs/KeyTest.java
index 9e44132b5..8da569d9e 100644
--- a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/pkcs/KeyTest.java
+++ b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/configmodel/pkcs/KeyTest.java
@@ -14,6 +14,8 @@
 import org.bouncycastle.pkcs.PKCSException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.EnabledForJreRange;
+import org.junit.jupiter.api.condition.JRE;
 
 import biz.netcentric.cq.tools.actool.configmodel.TestDecryptionService;
 import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
@@ -65,8 +67,9 @@ public void testEncryptedPkcs8RsaKeyWithUnrelatedCertificate() throws IOExceptio
     }
 
     @Test
-    // https://bugs.openjdk.java.net/browse/JDK-8231581 (Java 11) or https://bugs.openjdk.java.net/browse/JDK-8076999 (Java 8)
-    public void testEncryptedPkcs8Pbes2RsaKeyWithCertificateOnJCASDefault() throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
+    @EnabledForJreRange(max = JRE.JAVA_17)
+    // https://bugs.openjdk.java.net/browse/JDK-8231581 (Java 11) or https://bugs.openjdk.java.net/browse/JDK-8076999 (Java 8) but works with Java 21 (https://bugs.openjdk.org/browse/JDK-8288050)
+    public void testEncryptedPkcs8Pbes2RsaKeyWithCertificateOnJCASDefaultPriorJava21() throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
         try (InputStream inputPkcs8 = this.getClass().getResourceAsStream("example5_rsa_pkcs8");
              InputStream inputPemCert = this.getClass().getResourceAsStream("example5_rsa.crt")) {
             String privateKey = IOUtils.toString(inputPkcs8, StandardCharsets.US_ASCII);
@@ -76,6 +79,18 @@ public void testEncryptedPkcs8Pbes2RsaKeyWithCertificateOnJCASDefault() throws I
         }
     }
 
+    @Test
+    @EnabledForJreRange(min = JRE.JAVA_21)
+    public void testEncryptedPkcs8Pbes2RsaKeyWithCertificateOnJCASDefaultJava21() throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
+        try (InputStream inputPkcs8 = this.getClass().getResourceAsStream("example5_rsa_pkcs8");
+             InputStream inputPemCert = this.getClass().getResourceAsStream("example5_rsa.crt")) {
+            String privateKey = IOUtils.toString(inputPkcs8, StandardCharsets.US_ASCII);
+            String certificate = IOUtils.toString(inputPemCert, StandardCharsets.US_ASCII);
+            Key key = Key.createFromPrivateKeyAndCertificate(descryptionService, privateKey, "{password}", certificate, privateKeyDecryptor);
+            key.getKeyPair();
+        }
+    }
+
     @Test
     public void testEncryptedPkcs8Pbes2RsaKeyWithCertificateAndBouncycastle() throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
         privateKeyDecryptor = new BouncycastlePkcs8EncryptedPrivateKeyDecryptor();
diff --git a/docs/Configuration.md b/docs/Configuration.md
index c73110024..ad94c77df 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -179,7 +179,7 @@ AEMs Crypto Support provides a 128 bit AES encryption which is stronger than the
 
 To encrypt an unencrypted PKCS#8 private key (in PEM format) you can use the command
 `openssl pkcs8 -topk8 -in <unencrypted-private-key-file> -out <encrypted-private-key-file>`. It will ask you for the password interactively.
-By default this will use the unsafe `PbeWithMD5AndDES-CBC` algorithm (with 56 bit key). You should consider using more secure algorithms with parameter `v2`, those are only supported with [Bouncy Castle][bouncycastle], though. For more details refer also to [RFC 8018](https://tools.ietf.org/html/rfc8018#appendix-B.2)
+By default this will use the unsafe `PbeWithMD5AndDES-CBC` algorithm (with 56 bit key). You should consider using more secure algorithms with parameter `v2`, those are only supported with [Bouncy Castle][bouncycastle] or [Java 21+](https://bugs.openjdk.org/browse/JDK-8288050), though. For more details refer also to [RFC 8018](https://tools.ietf.org/html/rfc8018#appendix-B.2)
 
 ### Install Bouncy Castle
 
diff --git a/pom.xml b/pom.xml
index ee3fc653b..3854d9e16 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,9 +84,10 @@
         <slf4j.version>1.7.25</slf4j.version>
         <bnd.version>6.3.1</bnd.version>
         <bouncycastle.version>1.64</bouncycastle.version>
-        <java.target.version>8</java.target.version>
+        <!-- release sets API classpath, source and target, see  https://docs.oracle.com/javase/9/tools/javac.htm#GUID-AEEC9F07-CB49-4E96-8BC7-BCC2C7F725C9__GUID-D343F6B4-3FDD-43A8-AD24-43DD70214471  and http://openjdk.java.net/jeps/247 -->
+        <maven.compiler.release>8</maven.compiler.release>
         <mockito.version>4.8.0</mockito.version>
-        <junit.version>5.9.0</junit.version>
+        <junit.version>5.10.0</junit.version>
     </properties>
 
     <modules>
@@ -296,11 +297,6 @@
                         <password>${crx.password}</password>
                     </configuration>
                 </plugin>
-                <plugin>
-                    <groupId>org.codehaus.mojo</groupId>
-                    <artifactId>animal-sniffer-maven-plugin</artifactId>
-                    <version>1.21</version>
-                </plugin>
                 <!-- for building content packages -->
                 <plugin>
                     <groupId>org.apache.jackrabbit</groupId>
@@ -457,10 +453,7 @@
                                     <version>3.6.1</version>
                                 </requireMavenVersion>
                                 <requireJavaVersion>
-                                    <version>1.8.0</version>
-                                    <message>Bnd requires Java 8
-                                        (https://github.com/bndtools/bnd/wiki/Changes-in-4.0.0)
-                                    </message>
+                                    <version>${maven.compiler.release}</version>
                                 </requireJavaVersion>
                             </rules>
                         </configuration>
@@ -484,53 +477,6 @@
     </build>
 
     <profiles>
-        <profile>
-            <id>jdk8</id>
-            <activation>
-                <jdk>1.8</jdk>
-            </activation>
-            <properties>
-                <!-- this affects m-compiler-p and m-javadoc-p -->
-                <maven.compiler.source>1.8</maven.compiler.source>
-                <maven.compiler.target>1.8</maven.compiler.target>
-            </properties>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>animal-sniffer-maven-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <goals>
-                                    <goal>check</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                        <configuration>
-                            <signature>
-                                <groupId>org.codehaus.mojo.signature</groupId>
-                                <artifactId>java18</artifactId>
-                                <version>1.0</version>
-                            </signature>
-                        </configuration>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-        <profile>
-            <id>jdk9-or-higher</id>
-            <activation>
-                <!-- syntax according to http://maven.apache.org/enforcer/enforcer-rules/versionRanges.html -->
-                <jdk>[9,)</jdk>
-            </activation>
-            <properties>
-                <!-- 
-                release sets API classpath, source and target, see 
-                https://docs.oracle.com/javase/9/tools/javac.htm#GUID-AEEC9F07-CB49-4E96-8BC7-BCC2C7F725C9__GUID-D343F6B4-3FDD-43A8-AD24-43DD70214471 
-                and http://openjdk.java.net/jeps/247 -->
-                <maven.compiler.release>${java.target.version}</maven.compiler.release>
-            </properties>
-        </profile>
         <profile>
             <id>release</id>
             <build>