rpki-client 8.3 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks. See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system. rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project. This release includes the following changes to the previous release: - The 'expires' key in the JSON/CSV/OpenBGPD output formats is now calculated with more accuracy. The calculation takes into account the nextUpdate value of all intermediate CRLs in the signature path towards the trust anchor, in addition to the expiry moment of the leaf-CRL and CAs. - Handling of CRLs and Manifests in the face of inconsistent RRDP delta publications has been improved. A copy of an alternative version of the applicable CRL is kept in the staging area of the cache directory, in order to increase the potential for establishing a complete publication point, in cases where a single publication point update was smeared across multiple RRDP delta files. - The OpenBGPD configuration output now includes validated Autonomous System Provider Authorization (ASPA) payloads as an 'aspa-set {}' configuration block. - When rpki-client is invoked with increased verbosity ('-v'), the current RRDP Serial & Session ID are shown to aid debugging. - Self-signed X.509 certificates (such as Trust Anchor certificates) now are considered invalid if they contain an X.509 AuthorityInfoAccess extension. - Signed Objects where the CMS signing-time attribute contains a timestamp later then the X.509 certificate's notAfter timestamp are considered invalid. - Manifests where the CMS signing-time attribute contains a timestamp later then the Manifest eContent nextUpdate timestamp are considered invalid. - Any objects whose CRL Distribution Points extension contains a CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are considered invalid in accordance with RFC 6487 section 4.8.6. - For every X.509 certificate the SHA-1 of the Subject Public Key is calculated and compared to the Subject Key Identifier (SKI), if a mismatch is found the certificate is not trusted. - Require the outside-TBS signature OID for every X.509 intermediate CA certificate and CRL to be sha256WithRSAEncryption. - Require the RSA key pair modulus and public exponent parameters to strictly conform to the RFC 7935 profile. - Ensure there is no trailing garbage present in Signed Objects beyond the self-embedded length field. - Require RRDP Session IDs to strictly be version 4 UUIDs. - When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the signature path towards the trust anchor, and the timestamp when the signature path will expire. - When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the optional CMS signing-time, and non-optional X.509 notBefore, and X.509 notAfter timestamps. rpki-client works on all operating systems with a libcrypto library based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible with LibreSSL 3.5 or later. rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD! It is our hope that packagers take interest and help adapt rpki-client-portable to more distributions. The mirrors where rpki-client can be found are on https://www.rpki-client.org/portable.html Reporting Bugs: =============== General bugs may be reported to tech@openbsd.org Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible. Assistance to coordinate security issues is available via security@openbsd.org.