Merge branch 'master' into bjorncs/sslcontext-version

18 files changed, 140 insertions, 28 deletions

diff --git a/security-utils/pom.xml b/security-utils/pom.xml
index 10dec598915..4796a809293 100644
--- a/security-utils/pom.xml
+++ b/security-utils/pom.xml
@@ -11,6 +11,13 @@
   <artifactId>security-utils</artifactId>
   <packaging>container-plugin</packaging>
   <version>7-SNAPSHOT</version>
+
+  <properties>
+    <!-- vespa-http-client targets jdk8 and uses this library -->
+    <!-- TODO remove once vespa-http-client no longer builds against jdk8 -->
+    <maven.compiler.release>8</maven.compiler.release>
+  </properties>
+
   <dependencies>
     <!-- provided -->
     <dependency>
@@ -19,6 +26,13 @@
       <version>${project.version}</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <!-- required for bundle-plugin to generate import-package statements for Java's standard library -->
+      <groupId>com.yahoo.vespa</groupId>
+      <artifactId>jdisc_core</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
 
     <!-- compile scope -->
     <dependency>
@@ -67,6 +81,23 @@
         <artifactId>bundle-plugin</artifactId>
         <extensions>true</extensions>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <jdkToolchain>
+            <version>${java.version}</version>
+          </jdkToolchain>
+          <source>${java.version}</source>
+          <target>${java.version}</target>
+          <showDeprecation>true</showDeprecation>
+          <compilerArgs>
+            <arg>-Xlint:all</arg>
+            <arg>-Xlint:-serial</arg>
+            <arg>-Werror</arg>
+          </compilerArgs>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 </project>
diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
index 81581c8146c..ab58c607891 100644
--- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
+++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java
@@ -64,7 +64,7 @@ public class SubjectAlternativeName {
             case GeneralName.directoryName:
                 return X500Name.getInstance(name).toString();
             case GeneralName.iPAddress:
-                var octets = DEROctetString.getInstance(name.toASN1Primitive()).getOctets();
+                byte[] octets = DEROctetString.getInstance(name.toASN1Primitive()).getOctets();
                 try {
                     return InetAddress.getByAddress(octets).getHostAddress();
                 } catch (UnknownHostException e) {
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java b/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
index faf6ecb4348..18764f51dc5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/AutoReloadingX509KeyManager.java
@@ -64,8 +64,8 @@ public class AutoReloadingX509KeyManager extends X509ExtendedKeyManager implemen
             return KeyStoreBuilder.withType(KeyStoreType.PKCS12)
                     .withKeyEntry(
                             CERTIFICATE_ALIAS,
-                            KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKey)),
-                            X509CertificateUtils.certificateListFromPem(Files.readString(certificateChain)))
+                            KeyUtils.fromPemEncodedPrivateKey(com.yahoo.vespa.jdk8compat.Files.readString(privateKey)),
+                            X509CertificateUtils.certificateListFromPem(com.yahoo.vespa.jdk8compat.Files.readString(certificateChain)))
                     .build();
         } catch (IOException e) {
             throw new UncheckedIOException(e);
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
index f5bd866eb27..f746480b126 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileBasedTlsContext.java
@@ -85,7 +85,7 @@ public class ConfigFileBasedTlsContext implements TlsContext {
     private static KeyStore loadTruststore(Path caCertificateFile) {
         try {
             return KeyStoreBuilder.withType(KeyStoreType.PKCS12)
-                    .withCertificateEntries("cert", X509CertificateUtils.certificateListFromPem(Files.readString(caCertificateFile)))
+                    .withCertificateEntries("cert", X509CertificateUtils.certificateListFromPem(com.yahoo.vespa.jdk8compat.Files.readString(caCertificateFile)))
                     .build();
         } catch (IOException e) {
             throw new UncheckedIOException(e);
@@ -97,8 +97,8 @@ public class ConfigFileBasedTlsContext implements TlsContext {
             return KeyStoreBuilder.withType(KeyStoreType.PKCS12)
                     .withKeyEntry(
                             "default",
-                            KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKeyFile)),
-                            X509CertificateUtils.certificateListFromPem(Files.readString(certificatesFile)))
+                            KeyUtils.fromPemEncodedPrivateKey(com.yahoo.vespa.jdk8compat.Files.readString(privateKeyFile)),
+                            X509CertificateUtils.certificateListFromPem(com.yahoo.vespa.jdk8compat.Files.readString(certificatesFile)))
                     .build();
         } catch (IOException e) {
             throw new UncheckedIOException(e);
@@ -115,7 +115,7 @@ public class ConfigFileBasedTlsContext implements TlsContext {
                 .withTrustManagerFactory(
                         ignoredTruststore -> options.getAuthorizedPeers()
                                 .map(authorizedPeers -> (X509ExtendedTrustManager) new PeerAuthorizerTrustManager(authorizedPeers, mode, mutableTrustManager))
-                                .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
+                                .orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(com.yahoo.vespa.jdk8compat.Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
                 .build();
         List<String> acceptedCiphers = options.getAcceptedCiphers();
         Set<String> ciphers = acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<>(acceptedCiphers);
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index f4a89da988a..c3f10a464a5 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -63,14 +63,14 @@ public class DefaultTlsContext implements TlsContext {
                     String.format("None of the accepted ciphers are supported (supported=%s, accepted=%s)",
                                   supportedCiphers, acceptedCiphers));
         }
-        log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", List.of(allowedCiphers)));
+        log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", com.yahoo.vespa.jdk8compat.List.of(allowedCiphers)));
         return allowedCiphers;
     }
 
     private static String[] getAllowedProtocols(SSLContext sslContext) {
         Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext);
-        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", List.of(allowedProtocols)));
-        return allowedProtocols.toArray(String[]::new);
+        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", com.yahoo.vespa.jdk8compat.List.of(allowedProtocols)));
+        return com.yahoo.vespa.jdk8compat.Collection.toArray(allowedProtocols, String[]::new);
     }
 
     @Override
@@ -131,7 +131,7 @@ public class DefaultTlsContext implements TlsContext {
         if (authorizedPeers != null) {
             builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(authorizedPeers, mode, truststore));
         } else {
-            builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, truststore));
+            builder.withTrustManagerFactory(truststore -> new PeerAuthorizerTrustManager(new AuthorizedPeers(com.yahoo.vespa.jdk8compat.Set.of()), AuthorizationMode.DISABLE, truststore));
         }
         return builder.build();
     }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
index 2e48de3c01f..c60f13f9729 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/KeyManagerUtils.java
@@ -30,7 +30,7 @@ public class KeyManagerUtils {
                     .filter(manager -> manager instanceof X509ExtendedKeyManager)
                     .map(X509ExtendedKeyManager.class::cast)
                     .findFirst()
-                    .orElseThrow(() -> new RuntimeException("No X509ExtendedKeyManager in " + List.of(keyManagers)));
+                    .orElseThrow(() -> new RuntimeException("No X509ExtendedKeyManager in " + com.yahoo.vespa.jdk8compat.List.of(keyManagers)));
         } catch (GeneralSecurityException e) {
             throw new RuntimeException(e);
         }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 04e1cfe77e6..886cf3e886b 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -23,7 +23,7 @@ public interface TlsContext extends AutoCloseable {
      * For TLSv1.3 we allow the DEFAULT group ciphers.
      * Note that we _only_ allow AEAD ciphers for either TLS version.
      */
-    Set<String> ALLOWED_CIPHER_SUITES = Set.of(
+    Set<String> ALLOWED_CIPHER_SUITES = com.yahoo.vespa.jdk8compat.Set.of(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", // Java 12
@@ -34,7 +34,7 @@ public interface TlsContext extends AutoCloseable {
             "TLS_AES_256_GCM_SHA384", // TLSv1.3
             "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12
 
-    Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3
+    Set<String> ALLOWED_PROTOCOLS = com.yahoo.vespa.jdk8compat.Set.of("TLSv1.2"); // TODO Enable TLSv1.3
     String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
 
     /**
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java b/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
index 7c1d7070617..17f56011261 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TrustManagerUtils.java
@@ -29,7 +29,7 @@ public class TrustManagerUtils {
                     .filter(manager -> manager instanceof X509ExtendedTrustManager)
                     .map(X509ExtendedTrustManager.class::cast)
                     .findFirst()
-                    .orElseThrow(() -> new RuntimeException("No X509ExtendedTrustManager in " + List.of(trustManagers)));
+                    .orElseThrow(() -> new RuntimeException("No X509ExtendedTrustManager in " + com.yahoo.vespa.jdk8compat.List.of(trustManagers)));
         } catch (GeneralSecurityException e) {
             throw new RuntimeException(e);
         }
diff --git a/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Collection.java b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Collection.java
new file mode 100644
index 00000000000..fbfea01b2c7
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Collection.java
@@ -0,0 +1,16 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.jdk8compat;
+
+import java.util.function.IntFunction;
+
+/**
+ * Backport of new {@link java.util.Collection} methods added after JDK8
+ *
+ * @author bjorncs
+ */
+public interface Collection {
+    static <T> T[] toArray(java.util.Collection<T> collection, IntFunction<T[]> generator) {
+        return collection.toArray(generator.apply(collection.size()));
+    }
+
+}
diff --git a/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Files.java b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Files.java
new file mode 100644
index 00000000000..cc3bd698cd5
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Files.java
@@ -0,0 +1,24 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.jdk8compat;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.OpenOption;
+import java.nio.file.Path;
+
+/**
+ * Backport of new {@link java.nio.file.Files} methods added after JDK8
+ *
+ * @author bjorncs
+ */
+public interface Files {
+
+    static String readString(Path path) throws IOException {
+        byte[] bytes = java.nio.file.Files.readAllBytes(path);
+        return new String(bytes, StandardCharsets.UTF_8);
+    }
+
+    static Path writeString(Path path, CharSequence string, OpenOption... options) throws IOException {
+        return java.nio.file.Files.write(path, string.toString().getBytes(), options);
+    }
+}
diff --git a/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/List.java b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/List.java
new file mode 100644
index 00000000000..f57834e93cb
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/List.java
@@ -0,0 +1,17 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.jdk8compat;
+
+import java.util.Arrays;
+
+/**
+ * Backport of new {@link java.util.List} methods added after JDK8
+ *
+ * @author bjorncs
+ */
+public interface List {
+    @SafeVarargs
+    @SuppressWarnings("varargs")
+    static <E> java.util.List<E> of(E... elements) {
+        return Arrays.asList(elements);
+    }
+}
diff --git a/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Set.java b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Set.java
new file mode 100644
index 00000000000..b2c998bb716
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/Set.java
@@ -0,0 +1,18 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.jdk8compat;
+
+import java.util.Arrays;
+import java.util.HashSet;
+
+/**
+ * Backport of new {@link java.util.Set} methods added after JDK8
+ *
+ * @author bjorncs
+ */
+public interface Set {
+    @SafeVarargs
+    @SuppressWarnings("varargs")
+    static <E> java.util.Set<E> of(E... elements) {
+        return new HashSet<>(Arrays.asList(elements));
+    }
+}
diff --git a/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/package-info.java b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/package-info.java
new file mode 100644
index 00000000000..40d74321438
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/vespa/jdk8compat/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * JDK8 port of types and methods added in later JDK versions.
+ * TODO Remove this package once vespa-http-client/security-utils no longer targets JDK8
+ *
+ * @author bjorncs
+ */
+package com.yahoo.vespa.jdk8compat;
\ No newline at end of file
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java
index 823989ac4ca..22710e7f393 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/AutoReloadingX509KeyManagerTest.java
@@ -15,7 +15,6 @@ import org.mockito.Mockito;
 import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyPair;
 import java.security.Principal;
@@ -42,12 +41,12 @@ public class AutoReloadingX509KeyManagerTest {
     public void crypto_material_is_reloaded_when_scheduler_task_is_executed() throws IOException {
         KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
         Path privateKeyFile = tempDirectory.newFile().toPath();
-        Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
+        com.yahoo.vespa.jdk8compat.Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
 
         Path certificateFile = tempDirectory.newFile().toPath();
         BigInteger serialNumberInitialCertificate = BigInteger.ONE;
         X509Certificate initialCertificate = generateCertificate(keyPair, serialNumberInitialCertificate);
-        Files.writeString(certificateFile, X509CertificateUtils.toPem(initialCertificate));
+        com.yahoo.vespa.jdk8compat.Files.writeString(certificateFile, X509CertificateUtils.toPem(initialCertificate));
 
         ScheduledExecutorService scheduler = Mockito.mock(ScheduledExecutorService.class);
         ArgumentCaptor<Runnable> updaterTaskCaptor = ArgumentCaptor.forClass(Runnable.class);
@@ -60,9 +59,9 @@ public class AutoReloadingX509KeyManagerTest {
         assertThat(certChain).hasSize(1);
         assertThat(certChain[0].getSerialNumber()).isEqualTo(serialNumberInitialCertificate);
 
-        BigInteger serialNumberUpdatedCertificate = BigInteger.TWO;
+        BigInteger serialNumberUpdatedCertificate = BigInteger.TEN;
         X509Certificate updatedCertificate = generateCertificate(keyPair, serialNumberUpdatedCertificate);
-        Files.writeString(certificateFile, X509CertificateUtils.toPem(updatedCertificate));
+        com.yahoo.vespa.jdk8compat.Files.writeString(certificateFile, X509CertificateUtils.toPem(updatedCertificate));
 
         updaterTaskCaptor.getValue().run(); // run update task in ReloadingX509KeyManager
 
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
index 4e6f0a141b0..54a1e3847f9 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
@@ -35,17 +35,17 @@ public class ConfigFileBasedTlsContextTest {
     public void can_create_sslcontext_from_credentials() throws IOException, InterruptedException {
         KeyPair keyPair = KeyUtils.generateKeypair(EC);
         Path privateKeyFile = tempDirectory.newFile().toPath();
-        Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
+        com.yahoo.vespa.jdk8compat.Files.writeString(privateKeyFile, KeyUtils.toPem(keyPair.getPrivate()));
 
         X509Certificate certificate = X509CertificateBuilder
                 .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, EPOCH.plus(1, DAYS), SHA256_WITH_ECDSA, BigInteger.ONE)
                 .build();
         Path certificateChainFile = tempDirectory.newFile().toPath();
         String certificatePem = X509CertificateUtils.toPem(certificate);
-        Files.writeString(certificateChainFile, certificatePem);
+        com.yahoo.vespa.jdk8compat.Files.writeString(certificateChainFile, certificatePem);
 
         Path caCertificatesFile = tempDirectory.newFile().toPath();
-        Files.writeString(caCertificatesFile, certificatePem);
+        com.yahoo.vespa.jdk8compat.Files.writeString(caCertificatesFile, certificatePem);
 
         TransportSecurityOptions options = new TransportSecurityOptions.Builder()
                 .withCertificates(certificateChainFile, privateKeyFile)
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java
index 30e54d3c09d..2a6ee35ec18 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/MutableX509KeyManagerTest.java
@@ -42,7 +42,7 @@ public class MutableX509KeyManagerTest {
         assertThat(certChain).hasSize(1);
         assertThat(certChain[0].getSerialNumber()).isEqualTo(serialNumberInitialCertificate);
 
-        BigInteger serialNumberUpdatedCertificate = BigInteger.TWO;
+        BigInteger serialNumberUpdatedCertificate = BigInteger.TEN;
         KeyStore updatedKeystore = generateKeystore(keyPair, serialNumberUpdatedCertificate);
         keyManager.updateKeystore(updatedKeystore, new char[0]);
 
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index 9d8f26cdd2c..28dc10d31d5 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -8,9 +8,8 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.List;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
 
 /**
  * @author bjorncs
@@ -21,7 +20,7 @@ public class TransportSecurityOptionsTest {
     private static final TransportSecurityOptions OPTIONS = new TransportSecurityOptions.Builder()
             .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
             .withCaCertificates(Paths.get("my_cas.pem"))
-            .withAcceptedCiphers(List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+            .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
             .build();
 
     @Test
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
index 03489a60784..078aa58c948 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/json/TransportSecurityOptionsJsonSerializerTest.java
@@ -65,7 +65,7 @@ public class TransportSecurityOptionsJsonSerializerTest {
         TransportSecurityOptions options = new TransportSecurityOptions.Builder()
                 .withCertificates(Paths.get("certs.pem"), Paths.get("myhost.key"))
                 .withCaCertificates(Paths.get("my_cas.pem"))
-                .withAcceptedCiphers(List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
+                .withAcceptedCiphers(com.yahoo.vespa.jdk8compat.List.of("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" , "TLS_AES_256_GCM_SHA384"))
                 .build();
         File outputFile = tempDirectory.newFile();
         try (OutputStream out = Files.newOutputStream(outputFile.toPath())) {