The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisations (ROAs) and finally outputs Validated ROA Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks.
7.228 Jul 2021 21:18
Use RRDP as default protocol for syncronizing the RPKI repository data, with rsync used as secondary. At startup, warn if the filesystem containing the cache directory is probably too small. 500 MB is the suggested minimum size. Handle running out of disk space more gracefully, including cleanup of temporary and old files before exiting. Improve the HTTP/1.1 request headers being sent. Improved validation checks for ROA and MFT objects.
7.118 May 2021 21:52
Add keep-alive support to the HTTP client code for RRDP. Reference-count and delete unused files synced via RRDP, as far as possible. In the JSON output, change the AS Number from a string ("AS123") to an integer ("123") to make processing of the output easier. Add an 'expires' column to CSV JSON output, based on certificate and CRL validity times. The 'expires' value can be used to avoid route selection based on stale data when generating VRP sets, when faced with loss of communication between consumer and valdiator, or validator and CA repository. Make the runtime timeout ("-s" option) also triggers in child processes. Improved RRDP support, upstream encourages testing of RRDP with the "-r" option so that RRDP can be enabled by default in a future release. In the portable version additionally: Improve support for older libressl versions (although the latest stable release is recommended). Add missing compat headers in release packages so they build on Alpine Linux and macOS.
7.015 Apr 2021 23:28
Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a 'technology preview'. To use it, the "-r" flag needs to be used. Support the use of more than one URI in the TAL file sorting with a preference for https. Validation of ghostbuster records (RFC 6493). Fixed checks of the manifest validity interval. The rsync connection is now killed when the rsync server stalls. Limited the URL embedded in .cer files to alphanumeric characters and punctuation. Added a "-V" option to show version. Included the default cert.pem file path in tls_load_file error messages. Use of the ibuf (imsg) API for data exchange between the rpki-client processes. In the portable version additionally: Emit all output formats, no need to choose with options. Changes to for using GitHub actions for automatic testing. The RRDP support requires HTTPS connections, necessitating a dependency for libtls from LibreSSL. Support for building rpki-client on Mac OS X. Added expat as an extra dependency, needed for RRDP support.
6.8p112 Nov 2020 20:33
Incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client incorrectly checks the manifest validity interval. Add compat code for the LibreSSL ASN1_time_parse() and ASN1_time_tm_cmp() functions. Those are needed to properly check the validity of MFT files.
6.8p020 Oct 2020 21:07
Improve how repositories are downloaded: do not fetch symlinks and clean extraneous files in the repositories after download using the cryptographically signed RPKI manifest listings. Fix a bug where rpki-client could hang after calling rsync. Remove the -f option, no longer needed. Improved validation of the trust anchors. Add new option '-s timeout' to make rpki-client automatically terminate after a timeout (default 1 hour). This helps when rpki-client is run via cron to prevent a hanging process to cause problems. Portability improvements: Replace warnc() with warnx() + strerror(), replace b64_pton() with code using the libcrypto EVP_Decode* functionality, adjust for OpenSSL 1.1.x compatible use of the EVP_ENCODE_CTX struct.
6.7p130 Jul 2020 22:54
Incorrect use of "EVP_PKEY_cmp" allowed an authentication bypass.