OpenBSD Journal

rpki-client 8.3 released

Contributed by Peter N. M. Hansteen on from the routed and keyed in dept.

One small but significant step for routing security on the Internet happened Sunday 19th of March 2023 with the release of version 8.3 of rpki-client.

The announcement reads,

Subject:    rpki-client 8.3 released
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2023-03-19 12:46:27

rpki-client 8.3 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
  calculated with more accuracy. The calculation takes into account the
  nextUpdate value of all intermediate CRLs in the signature path
  towards the trust anchor, in addition to the expiry moment of the
  leaf-CRL and CAs.

- Handling of CRLs and Manifests in the face of inconsistent RRDP delta
  publications has been improved. A copy of an alternative version of
  the applicable CRL is kept in the staging area of the cache directory,
  in order to increase the potential for establishing a complete
  publication point, in cases where a single publication point update
  was smeared across multiple RRDP delta files.

- The OpenBGPD configuration output now includes validated Autonomous
  System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
  configuration block.

- When rpki-client is invoked with increased verbosity ('-v'), the
  current RRDP Serial & Session ID are shown to aid debugging.

- Self-signed X.509 certificates (such as Trust Anchor certificates)
  now are considered invalid if they contain an X.509
  AuthorityInfoAccess extension.

- Signed Objects where the CMS signing-time attribute contains a
  timestamp later then the X.509 certificate's notAfter timestamp are
  considered invalid.

- Manifests where the CMS signing-time attribute contains a timestamp
  later then the Manifest eContent nextUpdate timestamp are considered

- Any objects whose CRL Distribution Points extension contains a
  CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
  considered invalid in accordance with RFC 6487 section 4.8.6.

- For every X.509 certificate the SHA-1 of the Subject Public Key is
  calculated and compared to the Subject Key Identifier (SKI), if a
  mismatch is found the certificate is not trusted.

- Require the outside-TBS signature OID for every X.509 intermediate
  CA certificate and CRL to be sha256WithRSAEncryption.

- Require the RSA key pair modulus and public exponent parameters to
  strictly conform to the RFC 7935 profile.
- Ensure there is no trailing garbage present in Signed Objects beyond
  the self-embedded length field.

- Require RRDP Session IDs to strictly be version 4 UUIDs.

- When decoding and validating an individual RPKI file using filemode
  (rpki-client -f file), display the signature path towards the trust
  anchor, and the timestamp when the signature path will expire.

- When decoding and validating an individual RPKI file using filemode
  (rpki-client -f file), display the optional CMS signing-time, and
  non-optional X.509 notBefore, and X.509 notAfter timestamps.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on

Reporting Bugs:

General bugs may be reported to

Portable bugs may be filed at

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release

Assistance to coordinate security issues is available via

As returning readers will be aware, rpki-client is one of the several applications and subsystems developed and maintained as integral parts of the OpenBSD operating system, and serves as an upstream for several other systens that make use of the code. See the OpenBSD Innovations page for a more complete overview.

New releases of rpki-client and a few other components are known to be part of the run-up to a new release of the operating system itself, in our case the upcoming OpenBSD 7.3.

(Comments are closed)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]