Copyright (c) 2010-2023 RIPE NCC All rights reserved.
This software, including all its separate source codes, is licensed under the terms of the BSD 3-Clause License. If a copy of the license was not distributed to you, you can obtain one at https://github.com/RIPE-NCC/rpki-commons/blob/main/LICENSE.txt.
Resource Certification is a robust security framework for verifying the association between resource holders and their Internet resources. In this context, 'resource holders' are organizations such as Regional Internet Registries (RIRs), Local Internet Registries (LIRs), Internet Service Providers (ISPs), or end-user organizations, while 'Internet resources' are IPv4 and IPv6 address blocks and Autonomous System (AS) numbers.
This library contains an implementation of an X.509 v3 certificate extension which binds a list of IP address blocks or prefixes to the subject of a certificate (IP Address Delegation Extension).
This library also contains an implementation of other RPKI signed objects:
- ROA CMS: The purpose of a ROA is to express authorization for an AS to originate a route to the prefix(es) in the ROA.
- Manifest CMS: A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository.
- CRL: A signed, timestamped list identifying a set of certificates that are no longer considered valid by the certificate issuer.
- Ghostbusters Record (RFC 6493): A signed vCard (RFC 6350) that includes contact information of an RPKI CA certificate maintainer.
This library supports the concept of path validation, the process that verifies the binding between the subject and the subject-public-key defined in the target certificate, using a trust anchor and set of known constraints.
This library also contains an implementation of the RPKI certificate provisioning protocol.
To release a version of rpki-commons you can push a tag `rpki-commons-<VERSION>`. The GitHub release action will build and publish the artifacts for `<VERSION>`. E.g. a tag `rpki-commons-1.0` updates the POM version to `1.0` and then builds and releases the artifacts.
After successful deployment update the POM version to point to the next (snapshot) release, e.g. `1.1-SNAPSHOT` after releasing `1.0`.
- Clean up some style (SonarQube) warnings
- Fix: Javadoc syntax error that broke the previous release tag
- Javadoc now runs on every `verify` build.
- Sign maven release tags again (and override locally if needed)
- Use dependabot for regular dependency updates in addition to security updates.
- Remove the dependency check maven plugin, which was unreliable, now that dependabot does the dependency updates.
- Add and use interfaces for ValidationState logic
- Update release plugin, and do not sign tags with release plugin.
- Raise RpkiCaCertificateRequestParserException instead of NPE when an invalid CSR is passed.
- Use bouncy castle 1.77 (and update API usage accordingly)
- Removed deprecated `RemoteCertificateFetcher`
- Removed deprecated `ProvisioningCmsObject` constructor
- Improved the parsing of resource extensions
- fix: Do not encode redundant maxlength in ROAs
- Use a more modern version of the jing (RelaxNG) library
- Add support for router certificates to the time parsing in `SignedObjectUtil`.
- Add withValidityPeriod to manifest and CRL builders
- Add string representation for `RepositoryObjectType`
- Add `isCmsBased` property on `RepositoryObjectType`.
- Add initial step towards Resource Signed Checklist/Trust Anchor Key support, extensions are now recognised.
- Access the certificate for the generic signed object parser.
- Build targets JDK 11
- Prefixes in ROAs are sorted by (prefix, maxLength), with entries that have no maxLength first
- Incorporate a number of extra checks on resource extensions
- Update ASPA implementation to create objects in draft-ietf-sidrops-aspa-profile-16 profile.
- Bouncy Castle 1.74
- Add `GenericRpkiSignedObjectParser` to parse object type from `content-type` and signing time.
- Update a number of dependencies.
- Verify that resource extension elements do not overlap, are not contiguous (adjacent ranges must be merged) and are in ascending order.
- Add `ResourceExtension` class to represent the RFC 3779 resource extension.
- Use ImmutableResourceSet to store resources of X509ResourceCertificate. This breaks serialisation compatibility.
- Validate that ASPA customer ASN does not appear in provider ASNs.
- Improve binary signing time support for CMS
- Support ASPA CMS objects based on draft standard and sidrops mailing list ASN.1 schema.
- Add JDK 17 to build matrix in Github actions
- Add ASPA support
- Support RFC 8183 `publisher_request` and `repository_response` XML messages.
- Validate that provisioning identity certificates are self-signed.
- xstream 1.4.18
- Saxon-HE, joda-time, guava dependencies updated to newer versions.
- Depend on ipresource-1.49 fixing parsing some "IPv4 mapped to IPv6" addresses.
- LICENSE is now in README and repository and not explicitly part of each file.
- Copyright year updated to 2022
- Check KeyUsage bits in resource certificates
- Added multiple BBN compliance test certificates as unit-tests
- Simplified Base64 encoding
- Use and support bouncy castle 1.70
- ipresource 1.48 (removes test dependencies from non-test scopes)
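The canonical-form rules from the entries above (ROA prefixes sorted by (prefix, maxLength) with a missing maxLength first, no redundant maxLength encoded, and RFC 3779 resource extension elements that are in ascending order, non-overlapping and non-contiguous) are small enough to show end to end. The following is an added example written for this page in Python using only the standard library; it is not rpki-commons code. It assumes that prefixes are ordered by (address family, network address, prefix length) and that a valid maxLength is larger than the prefix length and no larger than the address size; the changelog states neither detail.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Added example, not rpki-commons code. Re-implements the canonical form
# rules for RFC 3779 address blocks and ROA prefix lists described in the
# changelog. Assumption: prefixes order by (family, network address,
# prefix length); the changelog does not spell that out.

RangeKey = Tuple[int, int, int]  # (ip version, first address, last address) as integers


def to_range(element: str) -> RangeKey:
    """Normalise a prefix ('192.0.2.0/24') or a range ('10.0.0.0-10.0.0.255')."""
    if "-" in element:
        lo_s, hi_s = element.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"malformed range {element!r}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(element, strict=True)
    return net.version, int(net.network_address), int(net.broadcast_address)


def resource_extension_errors(elements: Iterable[str]) -> List[str]:
    """RFC 3779 checks for one address family list: sorted, no overlap, no adjacency."""
    errors: List[str] = []
    ranges = [to_range(e) for e in elements]
    for (v1, lo1, hi1), (v2, lo2, hi2) in zip(ranges, ranges[1:]):
        if v1 != v2:
            errors.append("mixed address families in one list")
        elif lo2 <= lo1:
            errors.append(f"not in ascending order at {lo2:#x}")
        elif lo2 <= hi1:
            errors.append(f"overlap: {lo2:#x} lies inside the previous range")
        elif lo2 == hi1 + 1:
            errors.append(f"adjacent ranges at {hi1:#x}/{lo2:#x} must be merged")
    return errors


RoaEntry = Tuple[str, Optional[int]]  # (prefix, maxLength or None when absent)


def roa_prefix_key(entry: RoaEntry) -> Tuple[int, int, int, int]:
    prefix, max_length = entry
    net = ipaddress.ip_network(prefix, strict=True)
    # An absent maxLength sorts before any explicit value for the same prefix.
    return net.version, int(net.network_address), net.prefixlen, -1 if max_length is None else max_length


def roa_prefix_errors(entries: List[RoaEntry]) -> List[str]:
    """ROA encoding rules: no redundant or out-of-range maxLength, canonical order, no duplicates."""
    errors: List[str] = []
    for prefix, max_length in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if max_length is None:
            continue
        if max_length == net.prefixlen:
            errors.append(f"redundant maxLength {max_length} on {prefix}")
        elif not net.prefixlen < max_length <= net.max_prefixlen:
            errors.append(f"maxLength {max_length} out of range for {prefix}")
    keys = [roa_prefix_key(e) for e in entries]
    if keys != sorted(keys):
        errors.append("prefixes are not in canonical order")
    if len(set(keys)) != len(keys):
        errors.append("duplicate prefix entries")
    return errors


def canonical_roa_prefixes(entries: Iterable[RoaEntry]) -> List[RoaEntry]:
    """The form that would be encoded: redundant maxLength dropped, deduplicated, sorted."""
    cleaned = set()
    for prefix, max_length in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if max_length == net.prefixlen:
            max_length = None
        cleaned.add((str(net), max_length))
    return sorted(cleaned, key=roa_prefix_key)


if __name__ == "__main__":
    print(resource_extension_errors(["192.0.2.0/24", "192.0.3.0/24"]))
    print(canonical_roa_prefixes([("192.0.2.0/24", 24), ("192.0.2.0/24", 28), ("10.0.0.0/8", None)]))
```

`canonical_roa_prefixes` only normalises; run `roa_prefix_errors` first if the input may carry an out-of-range maxLength, since a maxLength shorter than the prefix is neither redundant nor valid and is left untouched by the normalisation.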
- Add factory for non-namespace aware XML builder to prevent code duplication.
- XStream 1.4.18
- Refactored the XML parsing to use manually constructed parsers for untrusted documents. Only internal documents use XStream.
- Upgrade XStream for security updates.
- Various other dependency upgrades.
- Validate that manifest `thisUpdate` time is before `nextUpdate` time.
- Manifest entry file names should only refer to the current directory and use a limited set of allowed characters.
- Validate that SIA and CRL URIs have the hostname specified and are not opaque.
- Upgrade to bouncy castle 1.67.
- Validate subject information access (SIA) entries according to RFC 6487 section 4.8.8.
- Validate issuer and subject distinguished names according to RFC 6487 sections 4.4 and 4.5.
- Use case insensitive comparison of the URI scheme component.
- Fix inconsistencies in ValidationOptions behaviour.
- Provide option to avoid storing passed checks in validation result to reduce memory usage.
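The manifest entry name and URI checks in the entries above are worth seeing together, because a manifest entry is resolved relative to the manifest's own publication point and a name such as `../ca.cer` would otherwise point outside it. The following is an added Python example written for this page, not rpki-commons code. The allowed character set `[A-Za-z0-9._-]` is this example's reading of "a limited set of allowed characters", and accepting only the `rsync` and `https` schemes is likewise this example's choice; the page lists neither.

```python
import re
from typing import List
from urllib.parse import urlsplit, urlunsplit

# Added example, not rpki-commons code. The character set and the allowed
# schemes below are assumptions made for this example.
MANIFEST_NAME = re.compile(r"[A-Za-z0-9._-]+")


def manifest_entry_name_errors(name: str) -> List[str]:
    """A manifest entry must name a plain file in the manifest's own directory."""
    errors: List[str] = []
    if "/" in name or "\\" in name:
        errors.append("contains a directory separator")
    if name in (".", ".."):
        errors.append("refers to a directory, not a file")
    if not MANIFEST_NAME.fullmatch(name):
        errors.append("contains characters outside the allowed set")
    return errors


def uri_errors(uri: str, allowed_schemes=("rsync", "https")) -> List[str]:
    """Scheme compared case-insensitively; an authority with a host name is required."""
    parts = urlsplit(uri)
    errors: List[str] = []
    if parts.scheme.lower() not in allowed_schemes:
        errors.append(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        # e.g. 'rsync:repo/abc.roa': a scheme-specific part with no '//' authority
        errors.append("opaque URI: no authority component")
    elif not parts.hostname:
        errors.append("no host name in authority")
    return errors


def manifest_entry_location(manifest_uri: str, name: str) -> str:
    """Resolve an entry against the manifest's directory, refusing anything that could escape it."""
    problems = uri_errors(manifest_uri) + manifest_entry_name_errors(name)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(manifest_uri)
    directory = parts.path.rsplit("/", 1)[0]
    return urlunsplit((parts.scheme.lower(), parts.netloc, f"{directory}/{name}", "", ""))


if __name__ == "__main__":
    print(manifest_entry_location("rsync://rpki.example.net/repo/ca/ca.mft", "abc.roa"))
    for bad in ("../ca.cer", "..", "a b.roa"):
        print(bad, manifest_entry_name_errors(bad))
```

The separator check and the `.`/`..` check are kept separate from the character-class check on purpose: `..` passes the character class, so a regex alone would let a manifest entry name the parent directory.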
This release improves performance of the validation process.
WARNING: The internal implementation of some classes have changed, breaking Java serialization compatibility with previous versions of this library.
This release provides configurable options for handling of not-yet-valid or expired objects.
When you want to accept expired/stale objects, you can set a grace period through `ValidationOptions.withStaleConfiguration(maxCrlStalePeriod, maxMftStalePeriod)`.
If you are happy with warnings (the behaviour of 1.9.0) you can use the preset `ValidationOptions.defaultRipeNccValidator()`.
There is also a preset that rejects CRLs/manifests having less than 7 hours of validity: `ValidationOptions.strictValidations()`.
Grace period behaviour is as follows:
- Warn for CRLs with nextUpdate in grace period, reject CRLs with nextUpdate outside grace period.
- Warn for manifests with nextUpdate in grace period, reject manifests with nextUpdate outside grace period.
Fixes:
- Reject CRLs with thisUpdate in future.
- Reject manifests with thisUpdate in future.
- Revert Bouncy Castle version.
- Update to recent Guava, Bouncy Castle, Joda Time version.
- Fix: make sure all the time operations are done using UTC.
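The grace period handling described above (warn while `nextUpdate` lies inside the grace period, reject once it lies outside, reject a `thisUpdate` in the future, require `thisUpdate` before `nextUpdate`, and do every time comparison in UTC) is shown here as an added Python example written for this page; it is not the library's Java implementation. `StaleOptions`, `check_validity_window`, `run_samples` and the constructed clock `NOW` are this example's own names; the parameter types of the real `ValidationOptions.withStaleConfiguration` are not shown on this page, and the 7-hour minimum validity of `strictValidations()` is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Added example, not rpki-commons code. StaleOptions, check_validity_window
# and the constructed clock NOW are this example's own names; the real
# ValidationOptions parameter types are not shown on this page.


class Outcome(Enum):
    PASSED = "passed"
    WARNING = "warning"
    REJECTED = "rejected"


@dataclass(frozen=True)
class StaleOptions:
    """How long past nextUpdate a CRL or manifest is still tolerated (with a warning)."""
    max_crl_stale_period: timedelta = timedelta(0)
    max_mft_stale_period: timedelta = timedelta(0)

    def grace_for(self, object_type: str) -> timedelta:
        if object_type == "crl":
            return self.max_crl_stale_period
        if object_type == "mft":
            return self.max_mft_stale_period
        raise ValueError(f"no stale policy for {object_type!r}")


def _require_utc(name: str, value: datetime) -> None:
    # Every comparison below is done in UTC; a naive or offset datetime is a
    # caller bug, so refuse it instead of silently comparing wall clocks.
    if value.tzinfo is None or value.utcoffset() != timedelta(0):
        raise ValueError(f"{name} must be a timezone-aware UTC datetime")


def check_validity_window(object_type, this_update, next_update, now, options):
    """Classify a CRL ('crl') or manifest ('mft') validity window against the clock `now`."""
    for name, value in (("thisUpdate", this_update), ("nextUpdate", next_update), ("now", now)):
        _require_utc(name, value)
    if this_update > now:
        return Outcome.REJECTED, "thisUpdate is in the future"
    if next_update <= this_update:
        return Outcome.REJECTED, "nextUpdate is not after thisUpdate"
    if now <= next_update:
        return Outcome.PASSED, "within validity period"
    if now <= next_update + options.grace_for(object_type):
        return Outcome.WARNING, "stale: nextUpdate passed but inside the grace period"
    return Outcome.REJECTED, "stale: nextUpdate passed and outside the grace period"


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the samples
OPTIONS = StaleOptions(max_crl_stale_period=timedelta(hours=2),
                       max_mft_stale_period=timedelta(hours=24))


def run_samples() -> dict:
    """Evaluate constructed windows against NOW and OPTIONS; returns label -> outcome name."""
    def h(n):
        return timedelta(hours=n)

    cases = {
        "crl fresh": ("crl", NOW - h(24), NOW + h(24)),
        "crl stale inside grace": ("crl", NOW - h(24), NOW - h(1)),
        "crl stale outside grace": ("crl", NOW - h(24), NOW - h(3)),
        "mft stale inside grace": ("mft", NOW - h(24), NOW - h(3)),
        "thisUpdate in future": ("mft", NOW + h(1), NOW + h(24)),
        "nextUpdate before thisUpdate": ("crl", NOW - h(1), NOW - h(2)),
    }
    results = {}
    for label, (kind, this_update, next_update) in cases.items():
        outcome, _reason = check_validity_window(kind, this_update, next_update, NOW, OPTIONS)
        results[label] = outcome.value
    try:  # a naive datetime must be refused rather than compared as if it were UTC
        check_validity_window("crl", datetime(2024, 1, 1), NOW + h(1), NOW, OPTIONS)
        results["naive thisUpdate"] = "accepted"
    except ValueError:
        results["naive thisUpdate"] = "error"
    return results


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:30} {outcome}")
```

Note that the future-`thisUpdate` check comes before the grace logic: an object whose `thisUpdate` is ahead of the validator's clock is rejected outright, regardless of how generous the stale period is.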
- Update to recent XStream version.
- Use class whitelisting for XStream deserialization.
- GitLab continuous integration.
- Java 1.8 or higher required
- Support parsing and validation of Ghostbusters records (RFC 6493).
- Improve error messages and reporting.
- Handle the new XML format for out-of-band identity exchange as described in https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04.
When a pull request is merged to master GitLab CI builds a snapshot release and publishes it on Maven Central.
Running `mvn release:prepare` locally creates a release version and tags it. This version is automatically published by GitLab CI. The new snapshot version will also be set and committed.