Copyright (c) 2010-2022 RIPE NCC All rights reserved.
This software, including all its separate source codes, is licensed under the terms of the BSD 3-Clause License. If a copy of the license was not distributed to you, you can obtain one at https://github.com/RIPE-NCC/rpki-commons/blob/main/LICENSE.txt.
Resource Certification is a robust security framework for verifying the association between resource holders and their Internet resources. In this context, 'resource holders' are organizations such as Regional Internet Registries (RIRs), Local Internet Registries (LIRs), Internet Service Providers (ISPs), or end-user organizations, while 'Internet resources' are IPv4 and IPv6 address blocks and Autonomous System (AS) numbers.
This library contains an implementation of an X.509 v3 certificate extension which binds a list of IP address blocks or prefixes to the subject of a certificate (IP Address Delegation Extension).
This library also contains an implementation of other RPKI signed objects:
- ROA CMS: The purpose of a ROA is to express authorization for an AS to originate a route to the prefix(es) in the ROA.
- Manifest CMS: A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository.
- CRL: A signed, timestamped list identifying a set of certificates that are no longer considered valid by the certificate issuer.
- Ghostbusters Record (RFC 6493): A signed vCard (RFC 6350) that includes contact information of an RPKI CA certificate maintainer.
This library supports the concept of path validation, the process that verifies the binding between the subject and the subject-public-key defined in the target certificate, using a trust anchor and set of known constraints.
This library also contains an implementation of the RPKI certificate provisioning protocol.
To release a version of rpki-commons you can push a tag rpki-commons-<VERSION>. The RIPE NCC internal GitLab pipeline will build and publish the artifacts for <VERSION>. E.g. a tag rpki-commons-1.0 updates the POM version to 1.0 and then builds and releases the artifacts.
- Improve binary signing time support for CMS
- Support ASPA CMS objects based on draft standard and sidrops mailing list ASN.1 schema.
- Add JDK 17 to build matrix in Github actions
- Add ASPA support
- Support RFC 8183 publisher_request and repository_response XML messages.
- Validate that provisioning identity certificates are self-signed.
- xstream 1.4.18
- Saxon-HE, joda-time, guava dependencies updated to newer versions.
- Depend on ipresource-1.49 fixing parsing some "IPv4 mapped to IPv6" addresses.
- LICENSE is now in README and repository and not explicitly part of each file.
- Copyright year updated to 2022
- Check KeyUsage bits in resource certificates
- Added multiple BBN compliance test certificates as unit-tests
- Simplified Base64 encoding
- Use and support bouncy castle 1.70
- ipresource 1.48 (removes test dependencies from non-test scopes)
Add factory for non-namespace-aware XML builder to prevent code duplication.
XStream 1.4.18
Refactored the XML parsing to use manually constructed parsers for untrusted documents. Only internal documents use XStream.
Upgrade XStream for security updates.
Various other dependency upgrades.
Validate that the manifest thisUpdate time is before the nextUpdate time.
Manifest entry file names should only refer to the current directory and use a limited set of allowed characters.
Validate that SIA and CRL URIs have the hostname specified and are not opaque.
Upgrade to bouncy castle 1.67.
Validate subject information access (SIA) entries according to RFC6487 section 4.8.8.
Validate issuer and subject distinguished names according to RFC6487 sections 4.4 and 4.5.
Use case-insensitive comparison of the URI scheme component.
Fix inconsistencies in ValidationOptions behaviour.
Provide option to avoid storing passed checks in validation result to reduce memory usage.
This release improves performance of the validation process.
WARNING: The internal implementation of some classes have changed, breaking Java serialization compatibility with previous versions of this library.
This release provides configurable options for handling not-yet-valid or expired objects.
When you want to accept expired/stale objects, you can set a grace period through ValidationOptions.withStaleConfiguration(maxCrlStalePeriod, maxMftStalePeriod).
If you are happy with warnings (the behaviour of 1.9.0) you can use the preset ValidationOptions.defaultRipeNccValidator().
There is also a preset that will reject CRLs/MFTs having less than 7 hours of validity: ValidationOptions.strictValidations().
Grace period behaviour is as follows:
- Warn for CRLs with nextUpdate in the grace period, reject CRLs with nextUpdate outside the grace period.
- Warn for manifests with nextUpdate in the grace period, reject manifests with nextUpdate outside the grace period.
Fixes:
- Reject CRLs with thisUpdate in future.
- Reject manifests with thisUpdate in future.
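The checks described in the entries above (manifest entry file names confined to the current directory, SIA/CRL URIs that name a host and are not opaque, thisUpdate before nextUpdate, thisUpdate never in the future) together with the grace-period behaviour, written out as a standalone Python module. This is an added example, not rpki-commons code (the library itself is Java); the file-name character set, the eight-hour sample grace period and the sample clock are assumptions of this example, and the strict preset's 7-hour minimum-validity rule is not modelled.

```python
"""Checks for RPKI manifest and CRL metadata: entry file names, repository URIs and the
thisUpdate/nextUpdate window with a stale-object grace period.  Added illustration in
Python; it is not rpki-commons code and the exact rules are assumptions noted inline."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

PASS, WARN, REJECT = "PASS", "WARN", "REJECT"

# Assumption: a manifest entry is a bare file name from the portable file-name character
# set.  Path separators and anything outside the set are rejected, as are "." and "..",
# so an entry can only name a file in the publication point itself.
_FILE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def check_manifest_file_name(name):
    """True if the entry refers to a file in the current directory only."""
    if name in (".", ".."):
        return False
    return bool(_FILE_NAME.match(name))


def check_repository_uri(uri, expected_scheme="rsync"):
    """True if an SIA or CRL distribution point URI is hierarchical, names a host and
    uses the expected scheme.  The scheme is compared case-insensitively."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() != expected_scheme.lower():
        return False
    # An opaque URI such as "rsync:repo/x.crl" has no authority component at all.
    return bool(parsed.netloc) and parsed.hostname is not None


def check_validity_window(this_update, next_update, now, grace_period):
    """Classify a CRL or manifest by its validity window.

    Returns (verdict, reason).  thisUpdate in the future, or not before nextUpdate, is
    rejected outright; an object past nextUpdate gets a warning while inside the grace
    period and is rejected once the grace period is exceeded."""
    if this_update > now:
        return REJECT, "thisUpdate is in the future"
    if this_update >= next_update:
        return REJECT, "thisUpdate is not before nextUpdate"
    if next_update >= now:
        return PASS, "object is current"
    stale_for = now - next_update
    if stale_for <= grace_period:
        return WARN, "nextUpdate passed %s ago, inside the grace period" % stale_for
    return REJECT, "nextUpdate passed %s ago, outside the grace period" % stale_for


def utc(year, month, day, hour=0):
    """All time comparisons are done in UTC, so sample timestamps are built as UTC."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample clock and grace period (eight hours), not values from the library.
SAMPLE_NOW = utc(2022, 6, 1, 12)
SAMPLE_GRACE = timedelta(hours=8)

if __name__ == "__main__":
    for name in ("abc123.roa", "../escape.roa", "..", "bad name.crl"):
        print("file name %-16r %s" % (name, check_manifest_file_name(name)))
    for uri in ("rsync://rpki.example.net/repo/", "RSYNC://rpki.example.net/x.crl",
                "rsync:repo/x.crl", "rsync:///no-host/"):
        print("uri %-36r %s" % (uri, check_repository_uri(uri)))
    windows = [
        ("current", utc(2022, 6, 1), utc(2022, 6, 2)),
        ("stale, in grace", utc(2022, 6, 1), utc(2022, 6, 1, 10)),
        ("stale, beyond grace", utc(2022, 5, 30), utc(2022, 5, 31)),
        ("thisUpdate in future", utc(2022, 6, 2), utc(2022, 6, 3)),
        ("thisUpdate after nextUpdate", utc(2022, 6, 1, 6), utc(2022, 6, 1, 3)),
    ]
    for label, this_update, next_update in windows:
        print("%-28s %s" % (label, check_validity_window(this_update, next_update,
                                                       SAMPLE_NOW, SAMPLE_GRACE)))
```

The ordering of the checks matters: a manifest whose thisUpdate is in the future is rejected before any staleness reasoning, so a clock-skewed or forged object cannot be rescued by a generous grace period.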
- Revert Bouncy Castle version.
- Update to recent Guava, Bouncy Castle, Joda Time version.
- Fix: make sure all the time operations are done using UTC.
- Update to recent XStream version.
- Use class whitelisting for XStream deserialization.
- GitLab continuous integration.
- Java 1.8 or higher required.
- Support parsing and validation of Ghostbusters records (RFC 6493).
- Improve error messages and reporting.
- Handle the new XML format for out-of-band identity exchange as described in https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04.
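As an added illustration of the "manually constructed parser for untrusted documents" approach mentioned in the entries above, here is a strict allow-list parser for the RFC 8183 publisher_request message (RFC 8183 is the published form of the out-of-band setup draft referenced above). It is written in Python rather than the library's Java and is not rpki-commons code. The namespace and the element and attribute names follow RFC 8183 section 5.2.3; the publisher_handle syntax, the size cap, the rejection of the optional referral element and the placeholder certificate bytes are assumptions made for this example.

```python
"""Allow-list parser for an RFC 8183 <publisher_request/> received from an untrusted
party.  Added illustration in Python (rpki-commons is Java; this is not its code).
Element and attribute names follow RFC 8183 section 5.2.3; the handle pattern and the
size cap are assumptions made for this example."""
import base64
import re
import xml.etree.ElementTree as ET

RPKI_SETUP_NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"
MAX_DOCUMENT_BYTES = 64 * 1024     # assumption: ample for one base64 certificate
_HANDLE = re.compile(r"^[A-Za-z0-9_/-]{1,255}$")   # assumed handle syntax
_ALLOWED_ATTRS = {"version", "tag", "publisher_handle"}


class PublisherRequestError(ValueError):
    """Raised for any document that does not match the expected shape exactly."""


def _qname(local):
    return "{%s}%s" % (RPKI_SETUP_NS, local)


def parse_publisher_request(data):
    """Return {"publisher_handle", "tag", "bpki_ta_der"} or raise PublisherRequestError."""
    if len(data) > MAX_DOCUMENT_BYTES:
        raise PublisherRequestError("document too large")
    # expat only expands entities that a DTD declares, so refusing any DOCTYPE or
    # ENTITY declaration before parsing rules out entity-expansion bombs and external
    # entity fetches.  XML keywords are case-sensitive, so a substring test suffices.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise PublisherRequestError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise PublisherRequestError("malformed XML: %s" % exc) from None
    if root.tag != _qname("publisher_request"):
        raise PublisherRequestError("unexpected root element %r" % root.tag)
    unknown = set(root.attrib) - _ALLOWED_ATTRS
    if unknown:
        raise PublisherRequestError("unexpected attributes %s" % sorted(unknown))
    if root.attrib.get("version") != "1":
        raise PublisherRequestError("unsupported or missing version")
    handle = root.attrib.get("publisher_handle", "")
    if not _HANDLE.match(handle):
        raise PublisherRequestError("missing or invalid publisher_handle")
    # Only the mandatory child is accepted here; the optional <referral/> element is
    # rejected rather than silently ignored, so nothing unexpected gets through.
    if [child.tag for child in root] != [_qname("publisher_bpki_ta")]:
        raise PublisherRequestError("expected exactly one publisher_bpki_ta element")
    ta = root[0]
    if len(ta) or ta.attrib:
        raise PublisherRequestError("publisher_bpki_ta must be a plain text element")
    try:
        der = base64.b64decode("".join((ta.text or "").split()), validate=True)
    except (ValueError, TypeError):
        raise PublisherRequestError("publisher_bpki_ta is not valid base64") from None
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30).  Checking that the certificate
    # is self-signed needs a real X.509 parser and is out of scope for this example.
    if der[:1] != b"\x30":
        raise PublisherRequestError("publisher_bpki_ta is not a DER SEQUENCE")
    return {"publisher_handle": handle, "tag": root.attrib.get("tag"), "bpki_ta_der": der}


def is_acceptable(data):
    """Convenience wrapper: True if parse_publisher_request accepts the document."""
    try:
        parse_publisher_request(data)
    except PublisherRequestError:
        return False
    return True


# Constructed sample: the "certificate" is a placeholder DER SEQUENCE, not a real one.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_REQUEST = ("""<?xml version="1.0" encoding="UTF-8"?>
<publisher_request version="1" xmlns="%s" tag="A0001" publisher_handle="Bob">
  <publisher_bpki_ta>
    %s
  </publisher_bpki_ta>
</publisher_request>
""" % (RPKI_SETUP_NS, base64.b64encode(SAMPLE_DER).decode())).encode()

# Constructed hostile variant: an internal entity declaration ahead of the payload.
SAMPLE_WITH_DTD = SAMPLE_REQUEST.replace(
    b"?>\n", b'?>\n<!DOCTYPE publisher_request [<!ENTITY e "e">]>\n', 1)

if __name__ == "__main__":
    print(parse_publisher_request(SAMPLE_REQUEST))
    print("entity declaration accepted:", is_acceptable(SAMPLE_WITH_DTD))
```

The parser never maps XML onto arbitrary classes: every element and attribute must be on the allow-list, anything else is an error, and the only value that reaches the caller is a byte string that has already been checked for the outer DER shape. That is the property an XStream class whitelist approximates from the other direction.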
When a pull request is merged to master, GitLab CI builds a snapshot release and publishes it on Maven Central.
Running mvn release:prepare locally creates a release version and tags it. This version is automatically published by GitLab CI. The new snapshot version will also be set and committed.