rpki-client 8.3 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.
rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.
See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.
rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.
This release includes the following changes to the previous release:
- The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
calculated with more accuracy. The calculation takes into account the
nextUpdate value of all intermediate CRLs in the signature path
towards the trust anchor, in addition to the expiry moment of the
leaf-CRL and CAs.
- Handling of CRLs and Manifests in the face of inconsistent RRDP delta
publications has been improved. A copy of an alternative version of
the applicable CRL is kept in the staging area of the cache directory,
in order to increase the potential for establishing a complete
publication point, in cases where a single publication point update
was smeared across multiple RRDP delta files.
- The OpenBGPD configuration output now includes validated Autonomous
System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
configuration block.
- When rpki-client is invoked with increased verbosity ('-v'), the
current RRDP Serial & Session ID are shown to aid debugging.
- Self-signed X.509 certificates (such as Trust Anchor certificates)
now are considered invalid if they contain an X.509
AuthorityInfoAccess extension.
- Signed Objects where the CMS signing-time attribute contains a
timestamp later then the X.509 certificate's notAfter timestamp are
considered invalid.
- Manifests where the CMS signing-time attribute contains a timestamp
later then the Manifest eContent nextUpdate timestamp are considered
invalid.
- Any objects whose CRL Distribution Points extension contains a
CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
considered invalid in accordance with RFC 6487 section 4.8.6.
- For every X.509 certificate the SHA-1 of the Subject Public Key is
calculated and compared to the Subject Key Identifier (SKI), if a
mismatch is found the certificate is not trusted.
- Require the outside-TBS signature OID for every X.509 intermediate
CA certificate and CRL to be sha256WithRSAEncryption.
- Require the RSA key pair modulus and public exponent parameters to
strictly conform to the RFC 7935 profile.
- Ensure there is no trailing garbage present in Signed Objects beyond
the self-embedded length field.
- Require RRDP Session IDs to strictly be version 4 UUIDs.
- When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the signature path towards the trust
anchor, and the timestamp when the signature path will expire.
- When decoding and validating an individual RPKI file using filemode
(rpki-client -f file), display the optional CMS signing-time, and
non-optional X.509 notBefore, and X.509 notAfter timestamps.
rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.
rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!
It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.
The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html
Reporting Bugs:
===============
General bugs may be reported to tech@openbsd.org
Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable
We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.
Assistance to coordinate security issues is available via
security@openbsd.org.
No comments:
Post a Comment