BSDSec

deadsimple BSD Security Advisories and Announcements

rpki-client 9.1 released

rpki-client 9.1 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Impose same-origin policy for RRDP

  This addresses an oversight in the original RRDP specification
  (RFC8182) which allowed any publication server to cause load on
  another server by tricking RPs into making cross-origin requests.
  Imposing a same-origin policy in RRDP client/server communication
  isolates resources such as Delta and Snapshot files from different
  Repository Servers, reducing possible attack vectors.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin

- Introduce tiebreaking for trust anchors

  Instead of always using newly-retrieved trust anchors, compare a
  fetched TA with one stored in the cache. Later notBefore and earlier
  notAfter are used to identify a trust anchor certificate as newer.
  This prevents certain forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker

- Fix internal identification of CA resource certificates

  The rpki-client utility tracks CA certificates across privilege
  separation boundaries. The original design was to use the subject key
  identifier, which is problematic because the SKI is not guaranteed to
  be globally unique. On the one hand, operators could choose to reuse
  their keys for multiple CAs and on the other hand, publishing a CA
  cert in the RPKI requires no proof of possession: anyone can publish
  CA certificates with any public key they please.

- Verify self-signage for trust anchors

  In other PKIs, trust anchors come from a trusted source and contain
  little to no important information apart from the public key. Therefore,
  libcrypto's chain verifier does not check their signatures by default
  because this "doesn't add any security and just wastes time". None of
  this is true in the RPKI and therefore trust anchors need an extra
  verification step.

- Introduce a check for filenames as presented by publication points

  Filenames presented by publication points are unsigned data, they must
  match the location in the signed object's EE certificate SIA extension
  which is signed data. This prevents some forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Improved compliance with RFCs 6487 and 8209 for certificates and CRLs

  The issuer field of certificates and CRLs is checked to comply with
  section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA
  and CRL distribution points were improved. Criticality of key usage is
  now enforced and the extension is inspected for all certificate types.

- Presence of CMS signing-time is now enforced and presence of
  CMS binary-signing-time is disallowed, per RFC 9589.
  https://www.rfc-editor.org/rfc/rfc9589.html

- Lowered the maximum acceptable manifest number to 2^159 - 1, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Limit number of validated ASPAs per customer ASID, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile

- Ignore the CRL Number extension in CRLs, per
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers

- Various minor bug fixes and improvements in logging and error reporting

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.