rpki-client 8.0

The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisations (ROAs) and finally outputs Validated ROA Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks.

Tags rpki bgp routing security bird openbgpd
License ISC
State stable

Recent Releases

8.0 11 Sep 2022 21:36 major feature: Add support for validating Autonomous System Provider Authorization (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10. Validated ASPA payloads are visible in JSON and filemode (-f) output. Set rsync connection I/O idle timeout to 15 seconds. Unify the maximum idle I/O and connect timeouts for RSYNC and HTTPS. rpki-client now performs stricter EE certificate validation: Disallow AS Resources extensions in ROA EE certificates; disallow Subject Information Access (SIA) extensions in RPKI Signed Checklist (RSC) EE certs; check the resources in ROAs and RSCs against EE certs. Improve readability and add various information being printed in verbose mode. Extend filemode (-f) output and print X.509 certificates in PEM format when increased verbosity (-vv) is specified. Shorten the RRDP I/O idle timeout. Introduce a deadline timer that aborts all repository synchronization after seven eighths of the timeout (-s). With this, rpki-client has improved chances to complete and produce an output even when a CA is excessively slow. Abort a currently running RRDP request process when the per-repository timeout is reached. Permit multiple AccessDescription entries in SIA X.509 extensions. While fetching from secondary locations is not yet supported, rpki-client will not treat their occurrence as a fatal error. Resolve a potential for a race condition in non-atomic RRDP deltas. Fix some memory leaks. Improve compliance with the HTTP protocol specification.
7.9 14 Jul 2022 10:25 minor feature: Add support for an operator-configurable skiplist facility. Operators can specify a list of FQDNs which should not be contacted when synchronizing the local cache to the network. Emit a warning when an RRDP session serial number decreases. DER decoding functions were refactored to leverage ASN.1 templates. Add support to validate and inspect .sig files containing RPKI Signed Checklists in filemode (-f) (draft-ietf-sidrops-rpki-rsc-08). Print various statistics after the completion of the main process. Add support to decode and print TAL (RFC 8630) details in filemode (-f). Emit objects in Concatenated JSON format when filemode (-f) and the JSON output flag (-j) are combined.
7.8 09 Apr 2022 20:28 major bugfix: Do not apply timezone offsets when converting X509 times. X509 times are in UTC and comparing them to times in different timezones would cause validity problems.
7.7 07 Apr 2022 23:09 major feature: Add various RFC 6488 compliance checks to improve the CMS parser. Improve RRDP replication through less aggressive cache cleanup. Add a check whether a given Manifest EE certificate is listed on the applicable CRL. For forward compatibility, permit ASPA objects to appear on Manifests. Various improvements to the '-f' diagnostic option to now also validate files containing Trust Anchor certs and CRLs.
7.6 07 Feb 2022 22:51 major bugfix: Enforce the correct namespace of rrdp files. Fail certificate verification if a certificate contains unknown critical extensions. Improve cleanup of rrdp directory contents. Introduce a validated cache which holds all the files that have successfully been verified by rpki-client. Add a new option '-f file' to validate a signed object in a file against the RPKI cache.
7.5 09 Nov 2021 22:45 security: Make rpki-client more resilient regarding untrusted input: Fail repository synchronisation after 15min runtime, limit the number of repositories per TAL, don't allow DOCTYPE definitions in RRDP XML files, fix detection of HTTP redirect loops, limit the number of concurrent rsync processes, fix CRLF in TAL files.
7.4 30 Oct 2021 03:18 security: Added support for validating BGPsec Router Public Keys. Fix issues with chunked transfer encoding in the RRDP HTTP client. Cleanup and improvement of how IO is handled. Improvements in the way X509 certificates are verified. Make rpki-client more resilient regarding untrusted input: Limit the allowed character set for filename listings on Manifests, limit the length of SIA URIs, limit the size of certain untrusted inputs, don't exit on failures to parse x509 objects, limit the size of objects retrieved via RRDP or RSYNC, limit the number of FileAndHash entries on a manifest, constrain RRDP such that the delta/snapshot files must be hosted at the same host as the notification file.
7.3 23 Sep 2021 06:45 minor feature: Improve the HTTP client code (status code handling, http proxy support, keep-alive). In RRDP, do not access URIs with userinfo (@-sign). Improve RRDP syncing by considering a notification file serial jumping backwards as a synced repository. Make -R (rsync only) also apply to the fetching of TA files. Only sync *.cer, *.crl, *.gbr, *.mft and *.roa files via rsync and exclude all others. When producing output for OpenBGPD, make use of the 'roa-set expires' attribute to prevent machines from loading outdated roa-sets. In RRDP, limit the number of deltas to 300 per repo. If more deltas exist, downloading a full snapshot is faster. Limit the validation depth of X509 certificate chains to 12, double the current depth seen in RPKI.
7.2 28 Jul 2021 21:18 major feature: Use RRDP as default protocol for synchronizing the RPKI repository data, with rsync used as secondary. At startup, warn if the filesystem containing the cache directory is probably too small. 500 MB is the suggested minimum size. Handle running out of disk space more gracefully, including cleanup of temporary and old files before exiting. Improve the HTTP/1.1 request headers being sent. Improved validation checks for ROA and MFT objects.
7.1 18 May 2021 21:52 major feature: Add keep-alive support to the HTTP client code for RRDP. Reference-count and delete unused files synced via RRDP, as far as possible. In the JSON output, change the AS Number from a string ("AS123") to an integer ("123") to make processing of the output easier. Add an 'expires' column to CSV and JSON output, based on certificate and CRL validity times. The 'expires' value can be used to avoid route selection based on stale data when generating VRP sets, when faced with loss of communication between consumer and validator, or validator and CA repository. Make the runtime timeout ("-s" option) also trigger in child processes. Improved RRDP support; upstream encourages testing of RRDP with the "-r" option so that RRDP can be enabled by default in a future release. In the portable version additionally: Improve support for older LibreSSL versions (although the latest stable release is recommended). Add missing compat headers in release packages so they build on Alpine Linux and macOS.
7.0 15 Apr 2021 23:28 major feature: Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a 'technology preview'. To use it, the "-r" flag needs to be used. Support the use of more than one URI in the TAL file, sorting with a preference for https. Validation of ghostbuster records (RFC 6493). Fixed checks of the manifest validity interval. The rsync connection is now killed when the rsync server stalls. Limited the URL embedded in .cer files to alphanumeric characters and punctuation. Added a "-V" option to show version. Included the default cert.pem file path in tls_load_file error messages. Use of the ibuf (imsg) API for data exchange between the rpki-client processes. In the portable version additionally: Emit all output formats, no need to choose with options. Changes for using GitHub Actions for automatic testing. The RRDP support requires HTTPS connections, necessitating a dependency for libtls from LibreSSL. Support for building rpki-client on Mac OS X. Added expat as an extra dependency, needed for RRDP support.
6.8p1 12 Nov 2020 20:33 security: Incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client incorrectly checks the manifest validity interval. Add compat code for the LibreSSL ASN1_time_parse() and ASN1_time_tm_cmp() functions. Those are needed to properly check the validity of MFT files.
6.8p0 20 Oct 2020 21:07 major feature: Improve how repositories are downloaded: do not fetch symlinks and clean extraneous files in the repositories after download using the cryptographically signed RPKI manifest listings. Fix a bug where rpki-client could hang after calling rsync. Remove the -f option, no longer needed. Improved validation of the trust anchors. Add new option '-s timeout' to make rpki-client automatically terminate after a timeout (default 1 hour). This helps when rpki-client is run via cron, to prevent a hanging process from causing problems. Portability improvements: Replace warnc() with warnx() + strerror(), replace b64_pton() with code using the libcrypto EVP_Decode* functionality, adjust for OpenSSL 1.1.x compatible use of the EVP_ENCODE_CTX struct.
6.7p1 30 Jul 2020 22:54 security: Incorrect use of "EVP_PKEY_cmp" allowed an authentication bypass.
6.7p0 19 May 2020 00:38 major bugfix: Document the suggested interval for running rpki-client in the man page. Always initialize cachedir and outputdir. Print statistics as comments at the top of the output files which can take comments, including the date and time when the files were produced, and runtime statistics when producing them. Improve log messages to clarify what's happening. Fix a bug where rpki-client would not properly wait for exiting rsync processes, causing rpki-client to hang.