RIPE NCC has merged f3ba680b4

* Update dependency org.wiremock:wiremock-jetty12 to v3.6.0 [a8ffa15a6]
* Update dependency net.jqwik:jqwik to v1.8.5 [ea011ab23]
* Update dependency com.google.code.gson:gson to v2.11.0 [446a0366a]
* Use explicit UTC time zone everywhere [0f919ddec]
* EXplicitly use UTC for history items [738cd2850]

build.gradle

@@ -56,7 +56,7 @@ dependencies {
     implementation 'org.postgresql:postgresql:42.7.3'
     runtimeOnly 'org.springframework.boot:spring-boot-starter-tomcat'
 
-    implementation 'com.google.code.gson:gson:2.10.1'
+    implementation 'com.google.code.gson:gson:2.11.0'
     implementation 'com.jamesmurty.utils:java-xmlbuilder:1.3'
     implementation 'commons-codec:commons-codec:1.17.0'
     implementation 'commons-io:commons-io:2.16.1'
@@ -72,8 +72,8 @@ dependencies {
         exclude group: 'org.hamcrest', module: 'hamcrest-core'
     }
 
-    testImplementation "org.wiremock:wiremock-jetty12:3.5.4"
-    testImplementation 'net.jqwik:jqwik:1.8.4'
+    testImplementation "org.wiremock:wiremock-jetty12:3.6.0"
+    testImplementation 'net.jqwik:jqwik:1.8.5'
     testImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version:tests"
     testImplementation 'org.assertj:assertj-core'
 

src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java

@@ -337,7 +337,7 @@ private void activatePendingKey(KeyPairEntity newKeyPair) {
      * @return false if NO key was activated
      */
     public boolean activatePendingKeys(Duration minStagingTime) {
-        DateTime cutOffTime = new DateTime().minus(minStagingTime);
+        DateTime cutOffTime = new DateTime(DateTimeZone.UTC).minus(minStagingTime);
         return findPendingKeyPair()
             .filter(pkp -> pkp.getStatusChangedAt(KeyPairStatus.PENDING).isBefore(cutOffTime))
             .map(pkp -> {
@@ -442,7 +442,7 @@ private boolean hasKeyPairWithStatus(KeyPairStatus... status) {
 
     public boolean currentKeyPairIsOlder(int ageDays) {
         return findCurrentKeyPair().map(keyPairEntity -> {
-            final DateTime maxCreationTime = new DateTime().minusDays(ageDays);
+            final DateTime maxCreationTime = new DateTime(DateTimeZone.UTC).minusDays(ageDays);
             return keyPairEntity.getCreatedAt().isBefore(maxCreationTime);
         }).orElse(false);
     }

src/main/java/net/ripe/rpki/rest/pojo/HistoryItem.java

@@ -8,7 +8,7 @@
 import org.joda.time.DateTime;
 
 import java.time.Instant;
-import java.time.ZoneId;
+import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
 
 @JsonInclude(JsonInclude.Include.NON_NULL)
@@ -26,8 +26,7 @@ public HistoryItem(String humanizedUserPrincipal, CertificateAuthorityHistoryIte
         this.time = toJavaTime(input.getExecutionTime());
         this.principal = humanizedUserPrincipal;
         this.summary = input.getSummary();
-        if (input instanceof CommandAuditData) {
-            final CommandAuditData commandData = (CommandAuditData) input;
+        if (input instanceof CommandAuditData commandData) {
             this.caId = commandData.getCertificateAuthorityId();
             this.commandType = commandData.getCommandType();
             this.commandGroup = commandData.getCommandGroup().toString();
@@ -40,7 +39,6 @@ public HistoryItem(String humanizedUserPrincipal, CertificateAuthorityHistoryIte
 
     private ZonedDateTime toJavaTime(DateTime joda) {
         Instant t = Instant.ofEpochMilli(joda.getMillis());
-        ZoneId z = ZoneId.of(joda.getZone().getID());
-        return ZonedDateTime.ofInstant(t, z);
+        return ZonedDateTime.ofInstant(t, ZoneOffset.UTC);
     }
 }

src/main/java/net/ripe/rpki/rest/service/CaService.java

@@ -24,6 +24,7 @@
 import net.ripe.rpki.server.api.support.objects.CaName;
 import org.apache.commons.io.IOUtils;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -218,7 +219,7 @@ public ResponseEntity<?> identity(@PathVariable("caName") final CaName caName) {
         if (parentId != null) {
             final String xml = new ParentIdentitySerializer().serialize(parentId);
             final DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyyMMdd");
-            final String fileName = "issuer-identity-" + new DateTime().toString(fmt) + ".xml";
+            final String fileName = "issuer-identity-" + new DateTime(DateTimeZone.UTC).toString(fmt) + ".xml";
             return ResponseEntity
                     .status(HttpStatus.OK)
                     .contentType(TEXT_XML)

src/main/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessor.java

@@ -26,6 +26,7 @@
 import net.ripe.rpki.server.api.services.read.ResourceCertificateViewService;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.springframework.stereotype.Component;
 
 import jakarta.inject.Inject;
@@ -144,7 +145,7 @@ private CertificateIssuanceResponseClassElement buildClassElement(CertificateIss
                 .withClassName(request.getClassName())
                 .withIssuer(currentIncomingResourceCertificate.getCertificate())
                 .withCertificateAuthorityUri(Collections.singletonList(currentIncomingResourceCertificate.getPublicationUri()))
-                .withValidityNotAfter(CertificateAuthority.calculateValidityNotAfter(new DateTime()))
+                .withValidityNotAfter(CertificateAuthority.calculateValidityNotAfter(new DateTime(DateTimeZone.UTC)))
                 .withIpResourceSet(new IpResourceSet(ipResources))
                 .withCertificateElements(Collections.singletonList(certificateElement))
                 .buildCertificateIssuanceResponseClassElement();

src/main/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessor.java

@@ -14,6 +14,7 @@
 import net.ripe.rpki.server.api.ports.ResourceLookupService;
 import net.ripe.rpki.server.api.services.read.ResourceCertificateViewService;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.springframework.stereotype.Component;
 
 import java.util.Collections;
@@ -51,7 +52,7 @@ public ResourceClassListResponsePayload process(NonHostedCertificateAuthorityDat
                 .withIpResourceSet(new IpResourceSet(resources))
                 .withCertificateAuthorityUri(Collections.singletonList(currentIncomingResourceCertificate.getPublicationUri()))
                 .withIssuer(currentIncomingResourceCertificate.getCertificate())
-                .withValidityNotAfter(CertificateAuthority.calculateValidityNotAfter(new DateTime()))
+                .withValidityNotAfter(CertificateAuthority.calculateValidityNotAfter(new DateTime(DateTimeZone.UTC)))
                 .buildResourceClassListResponseClassElement();
 
             final List<CertificateElement> certificateElements = nonHostedCertificateAuthority.getPublicKeys().stream()

src/main/java/net/ripe/rpki/services/impl/jpa/JpaCertificateAuthorityRepository.java

@@ -11,6 +11,7 @@
 import net.ripe.rpki.util.JdbcDBComponent;
 import org.apache.commons.lang.Validate;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.joda.time.Duration;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
@@ -321,7 +322,7 @@ public Collection<ManagedCertificateAuthority> getCasWithoutKeyPairsAndRoaConfig
                 "   SELECT rac FROM RoaAlertConfiguration rac " +
                 "   WHERE rac.certificateAuthority = ca" +
                 ")");
-        final DateTime yearAgo = new DateTime().minus(Duration.standardDays(366));
+        final DateTime yearAgo = new DateTime(DateTimeZone.UTC).minus(Duration.standardDays(366));
         return sql
             .setParameter("threshold", yearAgo)
             .setParameter("user", CertificateAuthorityCommandGroup.USER)

src/test/java/net/ripe/rpki/domain/IncomingResourceCertificateTest.java

@@ -6,6 +6,7 @@
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -31,7 +32,7 @@ public void setUp() {
     @Test
     public void shouldUpdateCertificate() {
         X509ResourceCertificate updatedCertificate = TestObjects.createResourceCertificate(15L, keyPair,
-            new ValidityPeriod(new DateTime(), new DateTime().plusDays(10)), ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES,
+            new ValidityPeriod(new DateTime(DateTimeZone.UTC), new DateTime(DateTimeZone.UTC).plusDays(10)), ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES,
             new X509CertificateInformationAccessDescriptor[] {
                 new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY,
                     BASE_URI),

src/test/java/net/ripe/rpki/domain/OutgoingResourceCertificateTest.java

@@ -70,7 +70,7 @@ public void testGenerateX509Certificate() throws Exception {
 
     @Test(expected=IllegalArgumentException.class)
     public void shouldRequireClosedValidityPeriod() {
-        TestObjects.createResourceCertificate(TestObjects.TEST_SERIAL_NUMBER, keyPair, new ValidityPeriod(new DateTime(), null), TestObjects.TEST_RESOURCE_SET, TestObjects.SUBJECT_INFORMATION_ACCESS);
+        TestObjects.createResourceCertificate(TestObjects.TEST_SERIAL_NUMBER, keyPair, new ValidityPeriod(new DateTime(DateTimeZone.UTC), null), TestObjects.TEST_RESOURCE_SET, TestObjects.SUBJECT_INFORMATION_ACCESS);
     }
 
     @Test

src/test/java/net/ripe/rpki/domain/ProductionCertificateAuthorityTest.java

@@ -8,6 +8,7 @@
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeUtils;
+import org.joda.time.DateTimeZone;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -45,7 +46,7 @@ public void shouldVerifyResourcesWhenIssuingEndEntityResourceCertificate() {
         IncomingResourceCertificate currentCertificate = TestObjects.createResourceCertificate(
             123L,
             kp,
-            new ValidityPeriod(new DateTime().minusYears(2), new DateTime().plusYears(5).plusMinutes(1)),
+            new ValidityPeriod(new DateTime(DateTimeZone.UTC).minusYears(2), new DateTime(DateTimeZone.UTC).plusYears(5).plusMinutes(1)),
             ImmutableResourceSet.parse("10/8"),
             createSia()
         );

src/test/java/net/ripe/rpki/domain/TestObjects.java

@@ -171,7 +171,7 @@ public static ResourceCertificateBuilder createBuilder(KeyPairEntity signingKeyP
         builder.withAuthorityInformationAccess(AUTHORITY_INFORMATION_ACCESS);
         builder.withSubjectInformationAccess(SUBJECT_INFORMATION_ACCESS);
         builder.withParentPublicationDirectory(CERTIFICATE_REPOSITORY_LOCATION);
-        DateTime now = new DateTime();
+        DateTime now = new DateTime(DateTimeZone.UTC);
         builder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(1)));
         return builder;
     }

src/test/java/net/ripe/rpki/domain/manifest/ManifestEntityTest.java

@@ -64,7 +64,7 @@ public void setUp() {
     }
 
     private DateTime getUtcNowWithoutMillis() {
-        return new DateTime(new DateTime().getMillis() / DateTimeConstants.MILLIS_PER_SECOND  * DateTimeConstants.MILLIS_PER_SECOND, DateTimeZone.UTC);
+        return new DateTime(new DateTime(DateTimeZone.UTC).getMillis() / DateTimeConstants.MILLIS_PER_SECOND  * DateTimeConstants.MILLIS_PER_SECOND, DateTimeZone.UTC);
     }
 
     @After

src/test/java/net/ripe/rpki/domain/roa/RoaEntityServiceBeanTest.java

@@ -12,6 +12,7 @@
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeUtils;
+import org.joda.time.DateTimeZone;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -103,7 +104,7 @@ public void should_not_create_roa_entity_without_resources() {
 
     @Test
     public void should_not_create_expired_roa_entity() {
-        DateTimeUtils.setCurrentMillisFixed(new DateTime().plusYears(3).getMillis());
+        DateTimeUtils.setCurrentMillisFixed(new DateTime(DateTimeZone.UTC).plusYears(3).getMillis());
         RoaEntity roaEntity = handleRoaSpecificationCreatedEvent().getAddedRoa();
         assertNull(roaEntity);
     }

src/test/java/net/ripe/rpki/domain/roa/RoaSpecificationTest.java

@@ -9,6 +9,7 @@
 import net.ripe.rpki.commons.validation.roa.AllowedRoute;
 import net.ripe.rpki.domain.IncomingResourceCertificate;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -24,7 +25,7 @@
 
 public class RoaSpecificationTest {
 
-    private static final DateTime NOW = new DateTime();
+    private static final DateTime NOW = new DateTime(DateTimeZone.UTC);
 
     private static final Asn ASN = Asn.parse("AS123");
 

src/test/java/net/ripe/rpki/hsm/db/DatabaseKeyStorageTest.java

@@ -9,6 +9,7 @@
 import net.ripe.rpki.domain.hsm.HsmKeyStoreRepository;
 import net.ripe.rpki.hsm.api.KeyStorage;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -168,7 +169,7 @@ private static X509Certificate createCertificate(KeyPair keyPair) {
         final X509CertificateBuilderHelper builder = new X509CertificateBuilderHelper();
         builder.withSignatureProvider("SunRsaSign");
         builder.withSerial(BigInteger.ONE);
-        builder.withValidityPeriod(new ValidityPeriod(new DateTime().minusYears(2), new DateTime().minusYears(1)));
+        builder.withValidityPeriod(new ValidityPeriod(new DateTime(DateTimeZone.UTC).minusYears(2), new DateTime(DateTimeZone.UTC).minusYears(1)));
         builder.withCa(false);
         builder.withIssuerDN(new X500Principal("CN=issuer" + random.nextInt()));
         builder.withSubjectDN(new X500Principal("CN=subject" + random.nextInt()));

src/test/java/net/ripe/rpki/publication/persistence/disk/FileSystemPublicationObjectPersistenceTest.java

@@ -5,6 +5,7 @@
 import org.apache.commons.io.FileUtils;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeUtils;
+import org.joda.time.DateTimeZone;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -51,7 +52,7 @@ public void setUp(@TempDir File onlineRepositoryBaseDirectory, @TempDir File taR
 
         // fix the current time while a test is running
         // this time is used for the naming of the target directories
-        DateTimeUtils.setCurrentMillisFixed(new DateTime().getMillis());
+        DateTimeUtils.setCurrentMillisFixed(new DateTime(DateTimeZone.UTC).getMillis());
 
         subject = new FileSystemPublicationObjectPersistence(
             ONLINE_REPOSITORY_BASE_URI, onlineRepositoryBaseDirectory.toString(),

src/test/java/net/ripe/rpki/rest/json/ObjectMapperProviderTest.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeUtils;
+import org.joda.time.DateTimeZone;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -85,7 +86,7 @@ public void shouldDeserializeDates() throws Exception {
     }
 
     static class DateTimeWrapper {
-        private DateTime dateTime = new DateTime();
+        private DateTime dateTime = new DateTime(DateTimeZone.UTC);
 
         public void setDateTime(DateTime dateTime) {
             this.dateTime = dateTime;

src/test/java/net/ripe/rpki/ripencc/provisioning/CertificateIssuanceProcessorTest.java

@@ -26,6 +26,7 @@
 import org.bouncycastle.asn1.pkcs.CertificationRequest;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -110,7 +111,7 @@ public void shouldProcessCertificateIssuanceRequest() throws ResourceInformation
 
         assertEquals(requestPayload.getRequestElement().getClassName(), classElement.getClassName());
         //assertEquals(caRepositoryUri, classElement.getCertificateAuthorityUri().get(0));
-        assertTrue(new DateTime().isBefore(classElement.getValidityNotAfter()));
+        assertTrue(new DateTime(DateTimeZone.UTC).isBefore(classElement.getValidityNotAfter()));
 
         // Certifiable resources
         assertEquals(IpResourceSet.parse(""), classElement.getResourceSetAsn());

src/test/java/net/ripe/rpki/ripencc/provisioning/ListResourceClassProcessorTest.java

@@ -16,6 +16,7 @@
 import net.ripe.rpki.server.api.ports.ResourceLookupService;
 import net.ripe.rpki.server.api.services.read.ResourceCertificateViewService;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -82,7 +83,7 @@ public void shouldBuildClassElementIntoTheResponsePayload() throws ResourceInfor
         assertEquals(DEFAULT_RESOURCE_CLASS, resourceClassListResponseClassElement.getClassName());
         assertSame(uri, resourceClassListResponseClassElement.getCertificateAuthorityUri().get(0));
         assertSame(issuerCertificate, resourceClassListResponseClassElement.getIssuer());
-        assertTrue(new DateTime().isBefore(resourceClassListResponseClassElement.getValidityNotAfter()));
+        assertTrue(new DateTime(DateTimeZone.UTC).isBefore(resourceClassListResponseClassElement.getValidityNotAfter()));
     }
 
     @Test