Add a CertificateChecker class (#793)

* CertificateChecker with checks for expiration and key length

* Add validity length check

* Get rid of hard-coded constants and DSA checks

* add files that for some reason weren't included in last commit

* Rename violations and other fixes

* Add displayMessage to CertificateViolation enum

* Switch violations from an enum to a class

* small changes

* Get rid of ECDSA checks

* add checks for old validity length

* Change error message for validity length

core/gradle/dependency-locks/compile.lockfile

@@ -202,6 +202,7 @@ org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.6.2
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/compileClasspath.lockfile

@@ -200,6 +200,7 @@ org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.6.2
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/default.lockfile

@@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/deploy_jar.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/nonprodCompile.lockfile

@@ -202,6 +202,7 @@ org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.6.2
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/nonprodCompileClasspath.lockfile

@@ -201,6 +201,7 @@ org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.6.2
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/nonprodRuntime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/nonprodRuntimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/runtime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

core/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/compile.lockfile

@@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/compileClasspath.lockfile

@@ -202,6 +202,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/default.lockfile

@@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/deploy_jar.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/runtime.lockfile

@@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/testCompile.lockfile

@@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.apiguardian:apiguardian-api:1.1.0
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -207,6 +207,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.apiguardian:apiguardian-api:1.1.0
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/testRuntime.lockfile

@@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.apiguardian:apiguardian-api:1.1.0
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

docs/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.apiguardian:apiguardian-api:1.1.0
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

networking/src/main/java/google/registry/networking/module/CertificateSupplierModule.java

@@ -25,7 +25,7 @@ import com.google.common.collect.ImmutableList;
 import dagger.Lazy;
 import dagger.Module;
 import dagger.Provides;
-import google.registry.networking.util.SelfSignedCaCertificate;
+import google.registry.util.SelfSignedCaCertificate;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;

networking/src/test/java/google/registry/networking/handler/SslClientInitializerTest.java

@@ -21,7 +21,7 @@ import static google.registry.networking.handler.SslInitializerTestUtils.signKey
 import static google.registry.networking.handler.SslInitializerTestUtils.verifySslException;
 
 import com.google.common.collect.ImmutableList;
-import google.registry.networking.util.SelfSignedCaCertificate;
+import google.registry.util.SelfSignedCaCertificate;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelPipeline;

networking/src/test/java/google/registry/networking/handler/SslInitializerTestUtils.java

@@ -18,7 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.google.common.base.Throwables;
-import google.registry.networking.util.SelfSignedCaCertificate;
+import google.registry.util.SelfSignedCaCertificate;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelFuture;
 import io.netty.handler.ssl.SslHandler;

networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java

@@ -23,7 +23,7 @@ import static google.registry.networking.handler.SslServerInitializer.CLIENT_CER
 
 import com.google.common.base.Suppliers;
 import com.google.common.collect.ImmutableList;
-import google.registry.networking.util.SelfSignedCaCertificate;
+import google.registry.util.SelfSignedCaCertificate;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.ChannelPipeline;

networking/src/test/java/google/registry/networking/module/CertificateSupplierModuleTest.java

@@ -26,7 +26,7 @@ import dagger.Component;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.networking.module.CertificateSupplierModule.Mode;
-import google.registry.networking.util.SelfSignedCaCertificate;
+import google.registry.util.SelfSignedCaCertificate;
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStreamWriter;
 import java.security.KeyPair;

proxy/src/test/java/google/registry/proxy/EppProtocolModuleTest.java

@@ -23,9 +23,9 @@ import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.google.common.base.Throwables;
-import google.registry.networking.util.SelfSignedCaCertificate;
 import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException;
 import google.registry.testing.FakeClock;
+import google.registry.util.SelfSignedCaCertificate;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
 import io.netty.channel.embedded.EmbeddedChannel;

proxy/src/test/java/google/registry/proxy/handler/EppServiceHandlerTest.java

@@ -27,10 +27,10 @@ import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 import com.google.common.base.Throwables;
-import google.registry.networking.util.SelfSignedCaCertificate;
 import google.registry.proxy.TestUtils;
 import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException;
 import google.registry.proxy.metric.FrontendMetrics;
+import google.registry.util.SelfSignedCaCertificate;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
 import io.netty.channel.ChannelInitializer;

services/backend/gradle/dependency-locks/compile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/compileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/default.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/runtime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/testCompile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/testRuntime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/backend/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/compile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/compileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/default.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/runtime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/testCompile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/testRuntime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/default/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/compile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/compileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/default.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/runtime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/testCompile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/testRuntime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/pubapi/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/compile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/compileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/default.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/runtime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/testCompile.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/testRuntime.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

services/tools/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
 org.apache.logging.log4j:log4j-api:2.13.3
 org.apache.logging.log4j:log4j-core:2.13.3
 org.bouncycastle:bcpg-jdk15on:1.61
+org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1

util/build.gradle

@@ -32,6 +32,8 @@ dependencies {
   compile deps['javax.xml.bind:jaxb-api']
   compile deps['joda-time:joda-time']
   compile deps['org.yaml:snakeyaml']
+  compile deps['org.bouncycastle:bcpkix-jdk15on']
+  compile deps['org.bouncycastle:bcprov-jdk15on']
   compile project(':common')
   runtime deps['com.google.auto.value:auto-value']
   testCompile deps['com.google.appengine:appengine-api-stubs']

util/gradle/dependency-locks/compile.lockfile

@@ -34,5 +34,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/compileClasspath.lockfile

@@ -34,5 +34,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/default.lockfile

@@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/deploy_jar.lockfile

@@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/runtime.lockfile

@@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/runtimeClasspath.lockfile

@@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.11.1
 org.yaml:snakeyaml:1.17

util/gradle/dependency-locks/testCompile.lockfile

@@ -42,6 +42,8 @@ net.bytebuddy:byte-buddy:1.10.5
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apiguardian:apiguardian-api:1.1.0
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1
 org.hamcrest:hamcrest-all:1.3

util/gradle/dependency-locks/testCompileClasspath.lockfile

@@ -42,6 +42,8 @@ net.bytebuddy:byte-buddy:1.10.5
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apiguardian:apiguardian-api:1.1.0
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1
 org.hamcrest:hamcrest-all:1.3

util/gradle/dependency-locks/testRuntime.lockfile

@@ -44,6 +44,8 @@ net.bytebuddy:byte-buddy:1.10.5
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apiguardian:apiguardian-api:1.1.0
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1
 org.hamcrest:hamcrest-all:1.3

util/gradle/dependency-locks/testRuntimeClasspath.lockfile

@@ -44,6 +44,8 @@ net.bytebuddy:byte-buddy:1.10.5
 org.apache.httpcomponents:httpclient:4.5.11
 org.apache.httpcomponents:httpcore:4.4.13
 org.apiguardian:apiguardian-api:1.1.0
+org.bouncycastle:bcpkix-jdk15on:1.61
+org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-compat-qual:2.5.5
 org.checkerframework:checker-qual:2.11.1
 org.hamcrest:hamcrest-all:1.3

util/src/main/java/google/registry/util/CertificateChecker.java

@@ -0,0 +1,141 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableSet;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Date;
+import org.joda.time.DateTime;
+import org.joda.time.Days;
+
+/** An utility to check that a given certificate meets our requirements */
+public class CertificateChecker {
+
+  private final int maxValidityDays;
+  private final int daysToExpiration;
+  private final int minimumRsaKeyLength;
+  public final CertificateViolation certificateExpiredViolation;
+  public final CertificateViolation certificateNotYetValidViolation;
+  public final CertificateViolation certificateValidityLengthViolation;
+  public final CertificateViolation certificateOldValidityLengthValidViolation;
+  public final CertificateViolation certificateRsaKeyLengthViolation;
+  public final CertificateViolation certificateAlgorithmViolation;
+
+  public CertificateChecker(int maxValidityDays, int daysToExpiration, int minimumRsaKeyLength) {
+    this.maxValidityDays = maxValidityDays;
+    this.daysToExpiration = daysToExpiration;
+    this.minimumRsaKeyLength = minimumRsaKeyLength;
+    this.certificateExpiredViolation =
+        CertificateViolation.create("Expired Certificate", "This certificate is expired.");
+    this.certificateNotYetValidViolation =
+        CertificateViolation.create(
+            "Not Yet Valid", "This certificate's start date has not yet passed.");
+    this.certificateOldValidityLengthValidViolation =
+        CertificateViolation.create(
+            "Validity Period Too Long",
+            String.format(
+                "The certificate's validity length must be less than or equal to %d days, or %d"
+                    + " days if issued prior to 2020-09-01.",
+                maxValidityDays, 825));
+    this.certificateValidityLengthViolation =
+        CertificateViolation.create(
+            "Validity Period Too Long",
+            String.format(
+                "The certificate must have a validity length of less than %d days.",
+                maxValidityDays));
+    this.certificateRsaKeyLengthViolation =
+        CertificateViolation.create(
+            "RSA Key Length Too Long",
+            String.format("The minimum RSA key length is %d.", minimumRsaKeyLength));
+    this.certificateAlgorithmViolation =
+        CertificateViolation.create(
+            "Certificate Algorithm Not Allowed", "Only RSA and ECDSA keys are accepted.");
+  }
+
+  /**
+   * Checks a certificate for violations and returns a list of all the violations the certificate
+   * has.
+   */
+  public ImmutableSet<CertificateViolation> checkCertificate(
+      X509Certificate certificate, Date now) {
+    ImmutableSet.Builder<CertificateViolation> violations = new ImmutableSet.Builder<>();
+
+    // Check Expiration
+    if (certificate.getNotAfter().before(now)) {
+      violations.add(certificateExpiredViolation);
+    } else if (certificate.getNotBefore().after(now)) {
+      violations.add(certificateNotYetValidViolation);
+    }
+    int validityLength = getValidityLengthInDays(certificate);
+    if (validityLength > maxValidityDays) {
+      if (new DateTime(certificate.getNotBefore())
+          .isBefore(DateTime.parse("2020-09-01T00:00:00Z"))) {
+        if (validityLength > 825) {
+          violations.add(certificateOldValidityLengthValidViolation);
+        }
+      } else {
+        violations.add(certificateValidityLengthViolation);
+      }
+    }
+
+    // Check Key Strengths
+    PublicKey key = certificate.getPublicKey();
+    if (key.getAlgorithm().equals("RSA")) {
+      RSAPublicKey rsaPublicKey = (RSAPublicKey) key;
+      if (rsaPublicKey.getModulus().bitLength() < minimumRsaKeyLength) {
+        violations.add(certificateRsaKeyLengthViolation);
+      }
+    } else if (key.getAlgorithm().equals("EC")) {
+      // TODO(sarahbot): Add verification of ECDSA curves
+    } else {
+      violations.add(certificateAlgorithmViolation);
+    }
+    return violations.build();
+  }
+
+  /** Returns true if the certificate is nearing expiration. */
+  public boolean isNearingExpiration(X509Certificate certificate, Date now) {
+    Date nearingExpirationDate =
+        DateTime.parse(certificate.getNotAfter().toInstant().toString())
+            .minusDays(daysToExpiration)
+            .toDate();
+    return now.after(nearingExpirationDate);
+  }
+
+  private static int getValidityLengthInDays(X509Certificate certificate) {
+    DateTime start = DateTime.parse(certificate.getNotBefore().toInstant().toString());
+    DateTime end = DateTime.parse(certificate.getNotAfter().toInstant().toString());
+    return Days.daysBetween(start.withTimeAtStartOfDay(), end.withTimeAtStartOfDay()).getDays();
+  }
+}
+
+/**
+ * The type of violation a certificate has based on the certificate requirements
+ * (go/registry-proxy-security).
+ */
+@AutoValue
+abstract class CertificateViolation {
+
+  public abstract String name();
+
+  public abstract String displayMessage();
+
+  public static CertificateViolation create(String name, String displayMessage) {
+    return new AutoValue_CertificateViolation(name, displayMessage);
+  }
+}

util/src/main/java/google/registry/util/SelfSignedCaCertificate.java

@@ -12,8 +12,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package google.registry.networking.util;
+package google.registry.util;
 
+import static com.google.common.base.Preconditions.checkArgument;
+
+import com.google.common.collect.ImmutableMap;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -47,6 +50,9 @@ public class SelfSignedCaCertificate {
   private static final Random RANDOM = new Random();
   private static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider();
   private static final KeyPairGenerator keyGen = createKeyPairGenerator();
+  private static final ImmutableMap<String, String> KEY_SIGNATURE_ALGS =
+      ImmutableMap.of(
+          "EC", "SHA256WithECDSA", "DSA", "SHA256WithDSA", "RSA", "SHA256WithRSAEncryption");
 
   private final PrivateKey privateKey;
   private final X509Certificate cert;
@@ -96,8 +102,11 @@ public class SelfSignedCaCertificate {
   static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to)
       throws Exception {
     X500Name owner = new X500Name("CN=" + fqdn);
+    String publicKeyAlg = keyPair.getPublic().getAlgorithm();
+    checkArgument(KEY_SIGNATURE_ALGS.containsKey(publicKeyAlg), "Unexpected public key algorithm");
+    String signatureAlgorithm = KEY_SIGNATURE_ALGS.get(publicKeyAlg);
     ContentSigner signer =
-        new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
+        new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
     X509v3CertificateBuilder builder =
         new JcaX509v3CertificateBuilder(
             owner, new BigInteger(64, RANDOM), from, to, owner, keyPair.getPublic());

util/src/test/java/google/registry/util/CertificateCheckerTest.java

@@ -0,0 +1,184 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.truth.Truth.assertThat;
+import static org.joda.time.DateTimeZone.UTC;
+
+import com.google.common.collect.ImmutableSet;
+import java.security.KeyPairGenerator;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.Test;
+
+/** Unit tests for {@link CertificateChecker} */
+public class CertificateCheckerTest {
+
+  private static final String SSL_HOST = "www.example.tld";
+
+  private static CertificateChecker certificateChecker = new CertificateChecker(398, 30, 2048);
+
+  @Test
+  void test_compliantCertificate() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(80).toDate())
+            .cert();
+    assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
+        .isEqualTo(ImmutableSet.of());
+  }
+
+  @Test
+  void test_certificateWithSeveralIssues() throws Exception {
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(1024, new SecureRandom());
+
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).plusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(1000).toDate())
+            .cert();
+
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).hasSize(3);
+    assertThat(violations)
+        .isEqualTo(
+            ImmutableSet.of(
+                certificateChecker.certificateNotYetValidViolation,
+                certificateChecker.certificateValidityLengthViolation,
+                certificateChecker.certificateRsaKeyLengthViolation));
+    ;
+  }
+
+  @Test
+  void test_expiredCertificate() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).minusDays(10).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateExpiredViolation);
+  }
+
+  @Test
+  void test_notYetValid() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).plusDays(10).toDate(),
+                DateTime.now(UTC).plusDays(50).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateNotYetValidViolation);
+  }
+
+  @Test
+  void test_checkValidityLength() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(10).toDate(),
+                DateTime.now(UTC).plusDays(1000).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateValidityLengthViolation);
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.parse("2020-08-01T00:00:00Z").toDate(),
+                DateTime.parse("2023-11-01T00:00:00Z").toDate())
+            .cert();
+    violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations)
+        .containsExactly(certificateChecker.certificateOldValidityLengthValidViolation);
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.parse("2020-08-01T00:00:00Z").toDate(),
+                DateTime.parse("2021-11-01T00:00:00Z").toDate())
+            .cert();
+    violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).isEmpty();
+  }
+
+  @Test
+  void test_nearingExpiration() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).plusDays(10).toDate())
+            .cert();
+    assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
+        .isTrue();
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+    assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
+        .isFalse();
+  }
+
+  @Test
+  void test_checkRsaKeyLength() throws Exception {
+    // Key length too low
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(1024, new SecureRandom());
+
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateRsaKeyLengthViolation);
+
+    // Key length higher than required
+    keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(4096, new SecureRandom());
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+
+    assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
+        .isEqualTo(ImmutableSet.of());
+  }
+}