feat(ocsp): switch to Java 11 to use the built-in HttpClient

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>

Author: mrts

.github/workflows/coverity-analysis.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/setup-java@v3
         with:
           distribution: zulu
-          java-version: 8
+          java-version: 11
 
       - name: Cache Maven packages
         uses: actions/cache@v3

.github/workflows/maven-build.yml

@@ -12,7 +12,7 @@ jobs:
       - uses: actions/setup-java@v3
         with:
           distribution: zulu
-          java-version: 8
+          java-version: 11
 
       - name: Cache Maven packages
         uses: actions/cache@v3

.github/workflows/maven-deploy.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/setup-java@v3
         with:
           distribution: zulu
-          java-version: 8
+          java-version: 11
 
       - name: Cache Maven packages
         uses: actions/cache@v3

README.md

@@ -25,7 +25,7 @@ Add the following lines to Maven `pom.xml` to include the Web eID authentication
     <dependency>
         <groupId>eu.webeid.security</groupId>
         <artifactId>authtoken-validation</artifactId>
-        <version>2.1.1</version>
+        <version>3.0.0</version>
     </dependency>
 </dependencies>
 

pom.xml

@@ -5,20 +5,19 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>2.1.2</version>
+    <version>3.0.0</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>
 
     <properties>
         <maven.version>3.3.9</maven.version>
         <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version>
-        <java.version>1.8</java.version>
+        <java.version>11</java.version>
         <jjwt.version>0.11.5</jjwt.version>
         <jackson.version>2.13.4.2</jackson.version>
         <slf4j.version>1.7.36</slf4j.version>
         <bouncycastle.version>1.70</bouncycastle.version>
-        <okhttp.version>4.10.0</okhttp.version>
         <junit-jupiter.version>5.8.2</junit-jupiter.version>
         <assertj.version>3.23.1</assertj.version>
         <mockito.version>4.6.1</mockito.version>
@@ -64,11 +63,6 @@
             <artifactId>bcpkix-jdk15on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
-        <dependency>
-            <groupId>com.squareup.okhttp3</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>${okhttp.version}</version>
-        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/eu/webeid/security/util/DateAndTime.java

@@ -47,6 +47,7 @@ public static class DefaultClock implements Clock {
 
         public static final Clock INSTANCE = new DefaultClock();
 
+        @Override
         public Date now() {
             return new Date();
         }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -24,7 +24,7 @@
 
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.security.validator.ocsp.OcspClient;
-import eu.webeid.security.validator.ocsp.OkHttpOcspClient;
+import eu.webeid.security.validator.ocsp.OcspClientImpl;
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.slf4j.Logger;
@@ -180,7 +180,7 @@ public AuthTokenValidatorBuilder withOcspClient(OcspClient ocspClient) {
     public AuthTokenValidator build() throws NullPointerException, IllegalArgumentException, JceException {
         configuration.validate();
         if (configuration.isUserCertificateRevocationCheckWithOcspEnabled() && ocspClient == null) {
-            ocspClient = OkHttpOcspClient.build(configuration.getOcspRequestTimeout());
+            ocspClient = OcspClientImpl.build(configuration.getOcspRequestTimeout());
         }
         return new AuthTokenValidatorImpl(configuration, ocspClient);
     }

…ity/validator/ocsp/OkHttpOcspClient.java …urity/validator/ocsp/OcspClientImpl.javasrc/main/java/eu/webeid/security/validator/ocsp/OkHttpOcspClient.java renamed to src/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java src/main/java/eu/webeid/security/validator/ocsp/OkHttpOcspClient.java renamed to src/main/java/eu/webeid/security/validator/ocsp/OcspClientImpl.java

@@ -22,41 +22,38 @@
 
 package eu.webeid.security.validator.ocsp;
 
-import okhttp3.MediaType;
-import okhttp3.OkHttpClient;
-import okhttp3.Request;
-import okhttp3.RequestBody;
-import okhttp3.Response;
-import okhttp3.ResponseBody;
 import org.bouncycastle.cert.ocsp.OCSPReq;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
 import java.time.Duration;
-import java.util.Objects;
 
-public class OkHttpOcspClient implements OcspClient {
+public class OcspClientImpl implements OcspClient {
 
-    private static final Logger LOG = LoggerFactory.getLogger(OkHttpOcspClient.class);
-    private static final MediaType OCSP_REQUEST_TYPE = MediaType.get("application/ocsp-request");
-    private static final MediaType OCSP_RESPONSE_TYPE = MediaType.get("application/ocsp-response");
+    private static final Logger LOG = LoggerFactory.getLogger(OcspClientImpl.class);
+    private static final String OCSP_REQUEST_TYPE = "application/ocsp-request";
+    private static final String OCSP_RESPONSE_TYPE = "application/ocsp-response";
+    public static final String CONTENT_TYPE = "Content-Type";
 
-    private final OkHttpClient httpClient;
+    private final HttpClient httpClient;
+    private final Duration ocspRequestTimeout;
 
     public static OcspClient build(Duration ocspRequestTimeout) {
-        return new OkHttpOcspClient(
-            new OkHttpClient.Builder()
+        return new OcspClientImpl(
+            HttpClient.newBuilder()
                 .connectTimeout(ocspRequestTimeout)
-                .callTimeout(ocspRequestTimeout)
-                .build()
-        );
+                .build(),
+            ocspRequestTimeout);
     }
 
     /**
-     * Use OkHttpClient to fetch the OCSP response from the OCSP responder service.
+     * Use the built-in HttpClient to fetch the OCSP response from the OCSP responder service.
      *
      * @param uri     OCSP server URL
      * @param ocspReq OCSP request
@@ -66,31 +63,36 @@ public static OcspClient build(Duration ocspRequestTimeout) {
      */
     @Override
     public OCSPResp request(URI uri, OCSPReq ocspReq) throws IOException {
-        final RequestBody requestBody = RequestBody.create(ocspReq.getEncoded(), OCSP_REQUEST_TYPE);
-        final Request request = new Request.Builder()
-            .url(uri.toURL())
-            .post(requestBody)
+        final HttpRequest request = HttpRequest.newBuilder()
+            .uri(uri)
+            .header(CONTENT_TYPE, OCSP_REQUEST_TYPE)
+            .POST(HttpRequest.BodyPublishers.ofByteArray(ocspReq.getEncoded()))
+            .timeout(ocspRequestTimeout)
             .build();
 
-        try (final Response response = httpClient.newCall(request).execute()) {
-            if (!response.isSuccessful()) {
-                throw new IOException("OCSP request was not successful, response: " + response);
-            } else {
-                LOG.debug("OCSP response: {}", response);
-            }
-            try (final ResponseBody responseBody = Objects.requireNonNull(response.body(), "response body")) {
-                Objects.requireNonNull(responseBody.contentType(), "response content type");
-                if (!OCSP_RESPONSE_TYPE.type().equals(responseBody.contentType().type()) ||
-                    !OCSP_RESPONSE_TYPE.subtype().equals(responseBody.contentType().subtype())) {
-                    throw new IOException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
-                }
-                return new OCSPResp(responseBody.bytes());
-            }
+        final HttpResponse<byte[]> response;
+        try {
+            response = httpClient.send(request, HttpResponse.BodyHandlers.ofByteArray());
+        } catch (InterruptedException e) {
+            Thread.currentThread().interrupt();
+            throw new IOException("Interrupted while sending OCSP request", e);
         }
+
+        if (response.statusCode() != 200) {
+            throw new IOException("OCSP request was not successful, response: " + response);
+        } else {
+            LOG.debug("OCSP response: {}", response);
+        }
+        final String contentType = response.headers().firstValue(CONTENT_TYPE).orElse("");
+        if (!contentType.startsWith(OCSP_RESPONSE_TYPE)) {
+            throw new IOException("OCSP response content type is not " + OCSP_RESPONSE_TYPE);
+        }
+        return new OCSPResp(response.body());
     }
 
-    public OkHttpOcspClient(OkHttpClient httpClient) {
+    public OcspClientImpl(HttpClient httpClient, Duration ocspRequestTimeout) {
         this.httpClient = httpClient;
+        this.ocspRequestTimeout = ocspRequestTimeout;
     }
 
 }

src/test/java/eu/webeid/security/testutil/OcspServiceMaker.java

@@ -25,10 +25,9 @@
 import eu.webeid.security.certificate.CertificateValidator;
 import eu.webeid.security.exceptions.JceException;
 import eu.webeid.security.exceptions.OCSPCertificateException;
+import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
-import org.jetbrains.annotations.NotNull;
-import eu.webeid.security.validator.ocsp.OcspServiceProvider;
 
 import java.io.IOException;
 import java.net.URI;
@@ -37,7 +36,9 @@
 import java.util.Arrays;
 import java.util.List;
 
-import static eu.webeid.security.testutil.Certificates.*;
+import static eu.webeid.security.testutil.Certificates.getTestEsteid2015CA;
+import static eu.webeid.security.testutil.Certificates.getTestEsteid2018CA;
+import static eu.webeid.security.testutil.Certificates.getTestSkOcspResponder2020;
 import static eu.webeid.security.util.Collections.newHashSet;
 import static eu.webeid.security.validator.ocsp.OcspUrl.AIA_ESTEID_2015;
 
@@ -55,22 +56,18 @@ public class OcspServiceMaker {
         }
     }
 
-    @NotNull
     public static OcspServiceProvider getAiaOcspServiceProvider() throws JceException {
         return new OcspServiceProvider(null, getAiaOcspServiceConfiguration());
     }
 
-    @NotNull
     public static OcspServiceProvider getDesignatedOcspServiceProvider() throws CertificateException, IOException, OCSPCertificateException, JceException {
         return new OcspServiceProvider(getDesignatedOcspServiceConfiguration(), getAiaOcspServiceConfiguration());
     }
 
-    @NotNull
     public static OcspServiceProvider getDesignatedOcspServiceProvider(boolean doesSupportNonce) throws CertificateException, IOException, JceException, OCSPCertificateException {
         return new OcspServiceProvider(getDesignatedOcspServiceConfiguration(doesSupportNonce), getAiaOcspServiceConfiguration());
     }
 
-    @NotNull
     public static OcspServiceProvider getDesignatedOcspServiceProvider(String ocspServiceAccessLocation) throws CertificateException, IOException, OCSPCertificateException, JceException {
         return new OcspServiceProvider(getDesignatedOcspServiceConfiguration(true, ocspServiceAccessLocation), getAiaOcspServiceConfiguration());
     }