CHANGELOG

Version 9.3 - Sep 19th, 2024
============================

- Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of
  recallocarray(). Transferring a manifest with a large FileAndHash
  list across a privsep boundary could cost significant resources.

- RRDP sessions are periodically reinitialized to snapshot at random
  intervals. RRDP deltas and snapshots can diverge content-wise over
  time, leaving stale files in the cache. Reinitialization is triggered
  at random with increasing probability with increasing snapshot age, at
  least once every three months. this helps garbage collection.

- The internal state file format changed. The first run after an upgrade
  may produce harmless warning messages about invalid last_reset.

- Signed Prefix List statistics are now only emitted when rpki-client
  is run with -x.
  This changes the JSON output: without -x some keys are missing from
  'metadata'.

- The -r command line option formerly enabling RRDP has long been the
  default and is now removed.

- The CRL number extension in CRLs is checked to be in the range [0..2^159-1]
  and otherwise the CRL is considered invalid, see
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-crl-numbers

Version 9.2 - Aug 21st, 2024
============================

- Ensure synchronization jobs are stopped when the timeout is reached.

- Fix a corner case in repository handling. If the last RRDP repository
  failed to load, rpki-client would fail to fall back to rsync due to an
  ordering bug in the event loop.

- Improve detection of duplicate file paths. Only trigger a duplicate
  error if a valid path is revisited otherwise a bad CA could prevent
  legitimate files from being considered valid.

- Normalize internal representation of the caRepository to have a
  trailing slash and ensure that the rpkiManifest is a file inside it.

Version 9.1 - Jun 22nd, 2024
============================

- Impose same-origin policy for RRDP

  This addresses an oversight in the original RRDP specification
  (RFC8182) which allowed any publication server to cause load on
  another server by tricking RPs into making cross-origin requests.
  Imposing a same-origin policy in RRDP client/server communication
  isolates resources such as Delta and Snapshot files from different
  Repository Servers, reducing possible attack vectors.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin

- Introduce tiebreaking for trust anchors

  Instead of always using newly-retrieved trust anchors, compare a
  fetched TA with one stored in the cache. Later notBefore and earlier
  notAfter are used to identify a trust anchor certificate as newer.
  This prevents certain forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker

- Fix internal identification of CA resource certificates

  The rpki-client utility tracks CA certificates across privilege
  separation boundaries. The original design was to use the subject key
  identifier, which is problematic because the SKI is not guaranteed to
  be globally unique. On the one hand, operators could choose to reuse
  their keys for multiple CAs and on the other hand, publishing a CA
  cert in the RPKI requires no proof of possession: anyone can publish
  CA certificates with any public key they please.

- Verify self-signage for trust anchors

  In other PKIs, trust anchors come from a trusted source and contain
  little to no important information apart from the public key. Therefore,
  libcrypto's chain verifier does not check their signatures by default
  because this "doesn't add any security and just wastes time". None of
  this is true in the RPKI and therefore trust anchors need an extra
  verification step.

- Introduce a check for filenames as presented by publication points

  Filenames presented by publication points are unsigned data, they must
  match the location in the signed object's EE certificate SIA extension
  which is signed data. This prevents some forms of replay attack.
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Improved compliance with RFCs 6487 and 8209 for certificates and CRLs

  The issuer field of certificates and CRLs is checked to comply with
  section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA
  and CRL distribution points were improved. Criticality of key usage is
  now enforced and the extension is inspected for all certificate types.

- Presence of CMS signing-time is now enforced and presence of
  CMS binary-signing-time is disallowed, per RFC 9589.
  https://www.rfc-editor.org/rfc/rfc9589.html

- Lowered the maximum acceptable manifest number to 2^159 - 1, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

- Limit number of validated ASPAs per customer ASID, per
  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile

- Ignore the CRL Number extension in CRLs, per
  https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers

- Various minor bug fixes and improvements in logging and error reporting

Version 9.0 - Mar 2nd, 2024
===========================

- Added support for RPKI Signed Prefix Lists

  Signed Prefix Lists carry the complete list of prefixes which an Autonomous
  System may originate its routing peers. The validation of a Signed Prefix
  List confirms that the holder of the listed ASN produced the object. This
  list is a current, accurate and complete description of address prefixes
  that may be announced into the routing system originated by this AS.

  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

  Signed prefix lists are only parsed in filemode or if rpki-client is run
  with the new -x flag.

- Added an -x flag to opt into parsing and evaluation of file types that are
  still considered experimental. At this point in time this covers the signed
  prefix lists.

- Added a metric to track the number of new files that were moved to the
  validated cache. In the OpenMetrics output, per-repository counters are
  shown. The main process and the JSON output only show the total.

- Per the announcement in the last release, the stale manifest counters were
  removed from the OpenMetrics and the JSON output.

- Ensure that the FileAndHashes list in a Manifest contains no duplicate
  file names and no duplicate hashes.

- Various refactoring work, notably to reduce the warning spam generated by
  OpenSSL 3's deprecations and to remove unergonomic internal structs.


Version 8.9 - Feb 13th, 2024
============================

- The handling of manifests fetched via rsync or RRDP was reworked to
  fully conform to RFC 9286. The issuance date and manifest number of
  the purported new manifest file must have been increased, otherwise
  the cached version is used.

- As a consequence of the above changes, some warnings for .mft files
  were reworded. The notion of a stale manifest is no longer used.
  The following counters will be removed in rpki-client 9.0:
  - The stalemanifest counter in JSON output.
  - The "stale" state for manifest objects in Open Metrics output.

- A race condition between closing an idle connection and scheduling a
  new request on it could trigger an assert in rare circumstances.

- The evaluation time specified with -P now also applies to trust anchor
  certificates.

- Check that the entire CMS eContent was consumed. Previously, trailing
  data would be silently discarded on deserialization of products.

- In file mode do not consider overclaiming intermediate CA certificates
  as invalid.  A warning is still issued.

- Print the revocation time of certificates in file mode.

- Be more careful when converting OpenSSL numeric identifiers (NIDs)
  to strings.

Version 8.8 - Dec 29th, 2023
============================

- A failed manifest fetch could result in a NULL pointer dereference or
  a use after free.

- Reject non-conforming RRDP delta elements that contain neither publish
  nor a withdraw element and fall back to the RRDP snapshot.

- Refactoring and minor bug fixes in the warning display functions.

Version 8.7 - Dec 20th, 2023
============================

- Add ability to constrain an RPKI Trust Anchor's effective signing
  authority to a limited set of Internet numbers. This allows Relying
  Parties to enjoy the potential benefits of assuming trust, but within
  a bounded scope. This distribution includes curated constraints files.
  More information:
  https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors

- Following a 'failed fetch' (described in RFC 9286), emit a warning and
  continue with a previously cached Manifest file, if present and still
  valid.

- Emit a warning when the same manifestNumber is re-used across multiple
  issuances.

- Emit a warning when the remote repository presents a Manifest with an
  unexpected manifestNumber. Purported new manifests are expected to
  have a higher manifestNumber than previously validated manifests.
  Otherwise fall back to the previously cached manifest, if it is still
  valid. This warning can be indicative of manifest replays or of
  out-of-order publishing.

- Require RPKI object files to be of a minimum of 100 bytes in both the
  RRDP and RSYNC transports.

- No longer synchronize directory modtimes in the local cache to align
  with remote RSYNC repository sources.

- Improved CRL extension checking.

- Experimental support for the P-256 signature algorithm.

- Various refactoring work.

Version 8.6 - Oct 4th, 2023
==============================

- A compliance check was added to ensure the X.509 Subject only
  contains commonName and optionally serialNumber.

- A compliance check was added to ensure the CMS SignedData and
  SignerInfo versions to be 3.
                                                                                                                
- Fisher-Yates shuffle the order in which Manifest entries are
  processed. Previously, work items were enqueued in the order the CA
  intended them to appear on a Manifest. However, there is no obvious
  benefit to third parties deciding the order in which things are
  processed. Now the Manifest ordering is randomized (as the order has
  no meaning anyway), and the number of concurrent repository
  synchronization operations is limited & timeboxed.

- Various refactoring work.

Version 8.5 - Jul 29th, 2023
==============================

- ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
  As part of supporting AFI-agnostic ASPAs, the JSON syntax for
  Validated ASPA Payloads changed in both filemode and normal output.

- Support for gzip and deflate HTTP Content-Encoding compression was
  added. This allows web servers to send RRDP XML in compressed form,
  saving around 50% of bandwidth. Zlib was added as a dependency.

- File modification timestamps of objects retrieved via RRDP are now
  deterministically set to prepare the on-disk cache for seamless
  failovers from RRDP to RSYNC. See draft-ietf-sidrops-cms-signing-time
  for more information.

- A 30%-50% performance improvement was achieved through libcrypto's
  partial chains certificate validation feature. Already validated
  non-inheriting CA certificates are now marked as trusted roots. This
  way it can be ensured that a leaf's delegated resources are properly
  covered, and at the same time most validation paths are significantly
  shortened.

- Improved detection of RRDP session desynchronization: a check was
  added to compare whether the delta hashes associated to previously
  seen serials are different in newly fetched notification files.

- Improved handling of RRDP deltas in which objects are published,
  withdrawn, and published again.

- A check to disallow duplicate X.509 certificate extensions was added.

- A check to disallow empty sets of IP Addresses or AS numbers in RFC
  3779 extensions was added.

- A compliance check for the proper X.509 Certificate version and CRL
  version was added.

- A warning is printed when the CMS signing-time attribute in a Signed
  Object is missing.

- Warnings about unrecoverable message digest mismatches now include the
  manifestNumber to aid debugging the cause.

- A check was added to disallow multiple RRDP publish elements for the
  same file in RRDP snapshots. If this error condition is encountered,
  the RRDP transfer is failed and the RP falls back to rsync.

- A compliance check was added to ensure CMS Signed Objects contain
  SignedData, in accordance to RFC 6488 section 3 checklist item 1a.

- Compliance checks were added for the version, KeyUsage, and
  ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
  Objects.

- A CMS signing-time value being after the X.509 notAfter timestamp was
  downgraded from an error to a warning.

- A bug was fixed in the handling of CA certificates which inherit IP
  resources.

Version 8.4 - May 2nd, 2023
==============================

- The synchronisation protocol used to sync the repository is now
  included in the OpenMetrics output.

- In filemode (-f option) the applicable manifests are now shown as
  part of the signature path.

- A new -P option was added to manually specify a moment in time
  to use when parsing the validity window of certificates. Useful
  for regression testing. Default is invocation time of rpki-client.

- The -A option will now also exclude ASPA data from the JSON output.

- Improved accounting by tracking objects both by repo and tal.

- For consistency, emit an explicit 'AS 0' Provider entry for ASPAs
  containing implicit information for one AFI.

- Fix missing whitespace in ASPA-set output for OpenBGPD.
  (This bugfix was also released as OpenBSD 7.3 errata 001.)

- Disallow X.509 v2 issuer and subject unique identifiers in certs.
  RPKI CAs will never issue certificates with V2 unique identifiers.

- Check whether products listed on a manifest were issued by the same
  authority as the manifest itself.

Version 8.3 - March 19th, 2023
==============================

- Repository statistics (for example, how long it took to synchronize
  a repository) are now tracked and available in OpenMetrics format.
  Use the new '-m' command line option to emit various statistics
  into the 'metrics' file in the output directory.

- The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
  calculated with more accuracy. The calculation takes into account the
  nextUpdate value of all intermediate CRLs in the signature path
  towards the trust anchor, in addition to the expiry moment of the
  leaf-CRL and CAs.

- Handling of CRLs and Manifests in the face of inconsistent RRDP delta
  publications has been improved. A copy of an alternative version of
  the applicable CRL is kept in the staging area of the cache directory,
  in order to increase the potential for establishing a complete
  publication point, in cases where a single publication point update
  was smeared across multiple RRDP delta files.

- The OpenBGPD configuration output now includes validated Autonomous
  System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
  configuration block.

- When rpki-client is invoked with increased verbosity ('-v'), the
  current RRDP Serial & Session ID are shown to aid debugging.

- Self-signed X.509 certificates (such as Trust Anchor certificates)
  now are considered invalid if they contain an X.509
  AuthorityInfoAccess extension.

- Signed Objects where the CMS signing-time attribute contains a
  timestamp later then the X.509 certificate's notAfter timestamp are
  considered invalid.

- Manifests where the CMS signing-time attribute contains a timestamp
  later then the Manifest eContent nextUpdate timestamp are considered
  invalid.

- Any objects whose CRL Distribution Points extension contains a
  CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
  considered invalid in accordance with RFC 6487 section 4.8.6.

- For every X.509 certificate the SHA-1 of the Subject Public Key is
  calculated and compared to the Subject Key Identifier (SKI), if a
  mismatch is found the certificate is not trusted.

- Require the outside-TBS signature OID for every X.509 intermediate
  CA certificate and CRL to be sha256WithRSAEncryption.

- Require the RSA key pair modulus and public exponent parameters to
  strictly conform to the RFC 7935 profile.
 
- Ensure there is no trailing garbage present in Signed Objects beyond
  the self-embedded length field.

- Require RRDP Session IDs to strictly be version 4 UUIDs.

- When decoding and validating an individual RPKI file using filemode
  (rpki-client -f file), display the signature path towards the trust
  anchor, and the timestamp when the signature path will expire.

- When decoding and validating an individual RPKI file using filemode
  (rpki-client -f file), display the optional CMS signing-time, and
  non-optional X.509 notBefore, and X.509 notAfter timestamps.

Version 8.2 - December 14th, 2022
=================================

- Add a new '-H' command line option to create a shortlist of repositories to
  synchronize to. For example, when invoking "rpki-client -H rpki.ripe.net -H
  chloe.sobornost.net", the utility will not connect to any other hosts other
  than the two specified through the -H option.

- Add support for validating Geofeed (RFC 9092) authenticators.  To see an
  example download https://sobornost.net/geofeed.csv and run
  "rpki-client -f geofeed.csv"

- Add support for validating Trust Anchor Key (TAK) objects. TAK objects can be
  used to produce new Trust Anchor Locators (TALs) signed by and verified
  against the previous Trust Anchor. See draft-ietf-sidrops-signed-tal for the
  full specification.

- Log lines related to RRDP/HTTPS connection problems now include the IP
  address of the problematic endpoint (in brackets).

- Improve the error message when an invalid filename is encountered in the
  rpkiManifest field in the Subject Access Information (SIA) extension.

- Emit a warning when unexpected X.509 extensions are encountered.

- Restrict the ROA ipAddrBlocks field to only allow two ROAIPAddressFamily
  structures (one per address family). See draft-ietf-sidrops-rfc6482bis.

- Check the absence of the Path Length constraint in the Basic Constraints
  extension.

- Restrict the SIA extension to only allow the signedObject and rpkiNotify
  accessMethods.

- Check that the Signed Object access method is present in ROA, MFT, ASPA, TAK,
  and GBR End-Entity certificates.

- In addition to the 'rsync://' scheme, also permit other schemes (such as
  'https://') in the SIA signedObject access method.

- Check that the KeyUsage extension is set to nothing but digitalSignature on
  End-Entity certificates.

- Chect that the KeyUsage extension is set to nothing but keyCertSign and
  CRLSign on CA certificates.

- Check that the ExtendedKeyUsage extension is absent on CA certificates.

- Fix a bug in the handling of the port of http_proxy.

- The '-r' command line option has been deprecated.

- Filemode (-f) output is now presented as a text based table.

Version 8.0 - September 11th, 2022
==================================

- Add suport for validating Autonomous System Provider Authorization
  (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10.
  Validated ASPA payloads are visible in JSON and filemode (-f) output.

- Set rsync connection I/O idle timeout to 15 seconds.

- Unify the maximum idle I/O and connect timeouts for RSYNC & HTTPS.

- Rpki-client now performs stricter EE certificate validation:
    - Disallow AS Resources extensions in ROA EE certificates.
    - Disallow Subject Information Access (SIA) extensions in RPKI
      Signed Checklist (RSC) EE certs.
    - Check the resources in ROAs and RSCs against EE certs.

- Improve readability and add various information being printed in
  verbose mode.

- Extend filemode (-f) output and print X.509 certificates in PEM format
  when increased verbosity (-vv) is specified.

- Shorten the RRDP I/O idle timeout.

- Introduce a deadline timer that aborts all repository synchronization
  after seven eights of timeout (-s). With this rpki-client has improved
  chances to complete and produce an output even when a CA is excessivly
  slow.

- Abort a currently running RRDP request process when the per-repository
  timeout is reached.

- Permit multiple AccessDescription entries in SIA X.509 extensions.
  While fetching from secondary locations is not yet supported,
  rpki-client will not treat occurence as a fatal error.

- Resolve a potential for a race condition in non-atomic RRDP deltas.

- Fix some memory leaks.

- Improve compliance with the HTTP protocol specification.

Version 7.9 - July 14th, 2022
=============================

- Add support for an operator-configurable skiplist facility. Operators
  can specify a list of FQDNs which should not be contacted when
  synchronizing the local cache to the network.

- Emit a warning when a RRDP session serial number decreases.

- DER decoding functions were refactored to leverage ASN.1 templates.

- Add support to validate & inspect .sig files containing RPKI Signed
  Checklists in filemode (-f). (draft-ietf-sidrops-rpki-rsc-08)

- Print various statistics after the completion of the main process.

- Add support to decode & print TAL (RFC 8630) details in filemode (-f).

- Emit objects in Concatenated JSON format when filemode (-f) and the
  JSON output flag (-j) are combined.

Version 7.8 - April 9th, 2022
=============================

- Do not apply timezone offsets when converting X509 times.  X509 times
  are in UTC and comparing them to times in different timezones would
  cause validity problems.

Version 7.7 - April 7th, 2022
=============================

- Add various RFC 6488 compliance checks to improve the CMS parser.

- Improve RRDP replication through less aggressive cache cleanup.

- Add a check whether a given Manifest EE certificate is listed on the
  applicable CRL.

- For forward compatibility permit ASPA object to appear on Manifests.

- Various improvements to the '-f <file>' diagnostic option to now also
  validate files containing Trust Anchor certs and CRLs.

Version 7.6 - February 7th, 2022
================================

- Enforce the correct namespace of rrdp files.

- Fail certificate verification if a certificate contains unknown
  critical extensions.

- Improve cleanup of rrdp directory contents.

- Introduce a validated cache which holds all the files that have
  successfully been verified by rpki-client.

- Add a new option '-f <file>' to validate a signed object in a file
  against the RPKI cache.

Version 7.5 - November 9th, 2021
================================

- Make rpki-client more resilient regarding untrusted input:
  * fail repository synchronisation after 15 min runtime.
  * limit the number of repositories per TAL.
  * don't allow DOCTYPE definitions in RRDP XML files.
  * fix detection of HTTP redirect loops.

- limit the number of concurrent rsync processes.

- fix CRLF in TAL files.

Version 7.4 - October 30th, 2021
================================

- Added support for validating BGPsec Router Public Keys.

- Fix issues with chunked transfer encoding in the RRDP HTTP client.

- Cleanup and improvement of how IO is handled.

- Improvements in the way X509 certificates are verified.

- Make rpki-client more resilient regarding untrusted input:
  * Limit the allowed character set for filename listings on
    Manifests.
  * Limit the length of SIA URIs.
  * Limit the size of certain untrusted inputs.
  * Don't exit on failures to parse x509 objects.
  * Limit the size of objects retreived via RRDP or RSYNC.
  * Limit the number of FileAndHash entries on a manifest.
  * Constrain RRDP such that the delta/snapshot files must be hosted
    at the same host as the notification file.

Version 7.3 - September 23rd, 2021
==================================

- Improve the HTTP client code (status code handling, http proxy
  support, keep-alive).

- In RRDP, do not access URI with userinfo (@-sign)

- Improve RRDP syncing by considering a notification file serial
  jumping backwards as synced repository.

- Make -R (rsync only) also apply to the fetching of TA files.

- Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.

- When producing output for OpenBGPd, make use of the 'roa-set expires'
  attribute to prevent machines from loading outdated roa-sets.

- In RRDP, limit the number of deltas to 300 per repo. If more deltas
  exist, downloading a full snapshot is faster.

- Limit the validation depth of X509 certificate chains to 12, double
  the current depth seen in RPKI.

Version 7.2 - July 28th, 2021
=============================

- Use RRDP as default protocol for syncronizing the RPKI repository
  data, with rsync used as secondary.

- At startup, warn if the filesystem containing the cache directory is
  probably too small. 500 MB is the suggested minimum size.

- Handle running out of disk space more gracefully, including cleanup of
  temporary and old files before exiting.

- Improve the HTTP/1.1 request headers being sent.

- Improved validation checks for ROA and MFT objects.

Version 7.1 - May 18th, 2021
============================

- Add keep-alive support to the HTTP client code for RRDP.

- Reference-count and delete unused files synced via RRDP, as far as
  possible.

- In the JSON output, change the AS Number from a string ("AS123") to an
  integer ("123") to make processing of the output easier.

- Add an 'expires' column to CSV & JSON output, based on certificate and
  CRL validity times. The 'expires' value can be used to avoid route
  selection based on stale data when generating VRP sets, when faced
  with loss of communication between consumer and valdiator, or
  validator and CA repository.

- Make the runtime timeout (-s option) also triggers in child processes.

- Improved RRDP support, we encourage testing of RRDP with the -r option
  so that RRDP can be enabled by default in a future release.  Please
  report any issues found.

- Improved RRDP support, we encourage testing of RRDP with the -r option
  so that RRDP can be enabled by default in a future release.  Please
  report any issues found.

Version 7.0 - April 15th, 2021
==============================

- Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a
  'technology preview'. To use it, the "-r" flag needs to be used.

- Support the use of more than one URI in the TAL file sorting with a
  preference for https.

- Validation of ghostbuster records (RFC 6493).

- Fixed checks of the manifest validity interval.

- The rsync connection is now killed when the rsync server stalls.

- Limited the URL embedded in .cer files to alphanumeric characters and
  punctuation.

- Added a "-V" option to show version.

- Included the default cert.pem file path in tls_load_file error
  messages.

- Use of the ibuf (imsg) API for data exchange between the rpki-client
  processes.

Version 6.8 - November 12th, 2020
=================================

- incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client
  incorrectly checks the manifest validity interval.

In the portable version,

- Add compat code for the LibreSSL ASN1_time_parse() and
  ASN1_time_tm_cmp() functions. Those are needed to properly check the
  validity of MFT files.

Version 6.7 - May 19th, 2020
============================

- Document the suggested interval for running rpki-client in man page.

- Always initialize cachedir and outputdir.

- Print statistics as comments at the top of the output files which can
  take comments, including the date and time when the files were
  produced, and runtime statistics when producing them.

- Improve log messages to clarify what's happening.

- Fix a bug where rpki-client would not properly wait for exiting rsync
  processes, causing rpki-client to hang.

Version 6.6 - April 19th, 2020
==============================

- First release, based on the OpenBSD source code available in the
  OpenBSD CVS repository as of 2020-04-19.