[Sidrops] Manifest entry filename validation

[Erik Rozendaal <erozendaal@ripe.net>]

Hi all,

During the past months we've been working on improving the RPKI 
validator to track the 6468bis RFC. As part of that effort we've also
been finding and fixing various other mismatches with the current
RPKI RFCs.

One part of this is validating manifest entry file names. Currently the
various validator implementations handle manifest filename entries
differently, potentially resulting in different validation results.

Summary:

We think the manifest RFC 6486 should define rules used for the filename
entries in a manifest.

Our proposal is to only allow a minimal set of
characters from the ASN.1 IA5String type: a-z, A-Z, 0-9, . (dot), -
(dash), _ (underscore).  Furthermore blank entries, ".", and ".." must
not be allowed. Filename extensions should be matched in a case
insensitive manner when determining object type (ROA, CRL, etc).

These rules validate all current objects from the major trust anchors
(all RIRs and APNIc AS0). They avoid special URI characters and
characters that may be used to navigate file system directories.

We may also want to add rules such as:

- Avoid illegal (Windows) filenames such as PRN, NUL, or CON (see
 https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file <https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file>).

- Require that all entries have a three letter filename extension.

- Prohibit entries that only differ by upper or lower case (FOO.CER vs
 foo.cer).


Background:

Manifest entry filename validation

Currently the different RPKI validators use different rules to
validate the filename of a manifest entry. The RFC says (section
4.2.1 under "fileList"):

"Each FileAndHash is an ordered pair consisting of the name of the
file in the repository publication point (directory) that contains
the object in question and a hash of the file's contents."

Unfortunately it is not exactly clear what is allowed as the
filename. The three validators that I investigated use different
strategies:


rpki-validator-3: anything goes. Filename is resolved using the
base repository URI and the `resolve` method on the Java URI
class. This allows subdirectories, escaping to parent directories,
etc. This will be fixed by
https://github.com/RIPE-NCC/rpki-commons/pull/30 <https://github.com/RIPE-NCC/rpki-commons/pull/30> where a filename
must:

- only have characters a-z, A-Z, 0-9, <dot>, (, ), +, -, ', :, =, or _.
- not be blank
- not be "."
- not be ".."

All currently published objects pass these test.


rpki-client: filename entries must be at least four characters and
the filename should not contain a forward slash (/). See
https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev=1.14.4.1&content-type=text/x-cvsweb-markup <https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev=1.14.4.1&content-type=text/x-cvsweb-markup>
in the `mft_parse_filehash` function.


routinator: filename cannot have control characters or spaces, ", #,
<, >, ?, [, \, ], ^, `, {, |, } or have value >= 0x7f (see
https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682>).
Furthermore "."  and ".." are not allowed as segment anywhere in a
complete rsync URI (see
https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95>).


Kind regards,
Erik