[Sidrops] Manifest entry filename validation

Erik Rozendaal <erozendaal@ripe.net> Thu, 19 November 2020 09:03 UTC

Return-Path: <erozendaal@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id F16C03A1245 for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 01:03:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id h8uanhbrvet5 for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 01:03:56 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE9963A1246 for <sidrops@ietf.org>; Thu, 19 Nov 2020 01:03:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Date:Message-Id:Subject:Mime-Version:Content-Type:From: CC; bh=WPWHfFEX3Kkp68YIvvye7haARg+p1Mv5dc5Bl5EN08o=; b=Mh5GOgFEz6xJGXcubGKIkP 7cALGeNP5JmVyQXT7bvOgCVOTSpytA5UKwC7hFsa5c8P+k9yU0yHY4MJEws9yfsCCq+RDro5ezMby rdRYKu/gM0cZdhpEhQeTGjNZEIeE2oKTjBc/kFv+TIXxpLy4PUuqrXVEsw3zR3LtVMWMUAWcvdROW AwLtzeIKUempJDgkWAXOHJ4xD+kJd+9Wtc4fa4qibBGrUMQBd5nByMO6pPn2g6v1lR9XXhDOoycUN TFs7U2ru1faqlbEBvT1DPhLhhuvT2RCbtsCA32sZtYWhQkKhFsmpijPQhLXeACZU/zj5wXCYsTgqr v94DyHSM8q2Q==;
Received: from bufobufo.ripe.net ([]:43432) by molamola.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <erozendaal@ripe.net>) id 1kffr8-0003YW-KB for sidrops@ietf.org; Thu, 19 Nov 2020 10:03:54 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::346]) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <erozendaal@ripe.net>) id 1kffr8-0007il-BM for sidrops@ietf.org; Thu, 19 Nov 2020 10:03:54 +0100
From: Erik Rozendaal <erozendaal@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_48EB6C8D-C09A-4473-936B-8E802C97C0E2"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Message-Id: <18CC986C-97FA-41F6-A530-F782D3104A31@ripe.net>
Date: Thu, 19 Nov 2020 10:03:53 +0100
To: sidrops@ietf.org
X-Mailer: Apple Mail (2.3608.
X-ACL-Warn: Delaying message
X-RIPE-Signature: 3081e9bfa2e75d9dc8fe5e8110458a383f50b0a5e24c6ca4d1ae405cb3115ed6
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vHQU6jV08Sgee1wuDxT0_UQsaGs>
Subject: [Sidrops] Manifest entry filename validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 09:03:58 -0000

Hi all,

During the past months we've been working on improving the RPKI 
validator to track the 6468bis RFC. As part of that effort we've also
been finding and fixing various other mismatches with the current

One part of this is validating manifest entry file names. Currently the
various validator implementations handle manifest filename entries
differently, potentially resulting in different validation results.


We think the manifest RFC 6486 should define rules used for the filename
entries in a manifest.

Our proposal is to only allow a minimal set of
characters from the ASN.1 IA5String type: a-z, A-Z, 0-9, . (dot), -
(dash), _ (underscore).  Furthermore blank entries, ".", and ".." must
not be allowed. Filename extensions should be matched in a case
insensitive manner when determining object type (ROA, CRL, etc).

These rules validate all current objects from the major trust anchors
(all RIRs and APNIc AS0). They avoid special URI characters and
characters that may be used to navigate file system directories.

We may also want to add rules such as:

- Avoid illegal (Windows) filenames such as PRN, NUL, or CON (see
 https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file <https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file>).

- Require that all entries have a three letter filename extension.

- Prohibit entries that only differ by upper or lower case (FOO.CER vs


Manifest entry filename validation

Currently the different RPKI validators use different rules to
validate the filename of a manifest entry. The RFC says (section
4.2.1 under "fileList"):

"Each FileAndHash is an ordered pair consisting of the name of the
file in the repository publication point (directory) that contains
the object in question and a hash of the file's contents."

Unfortunately it is not exactly clear what is allowed as the
filename. The three validators that I investigated use different

rpki-validator-3: anything goes. Filename is resolved using the
base repository URI and the `resolve` method on the Java URI
class. This allows subdirectories, escaping to parent directories,
etc. This will be fixed by
https://github.com/RIPE-NCC/rpki-commons/pull/30 <https://github.com/RIPE-NCC/rpki-commons/pull/30> where a filename

- only have characters a-z, A-Z, 0-9, <dot>, (, ), +, -, ', :, =, or _.
- not be blank
- not be "."
- not be ".."

All currently published objects pass these test.

rpki-client: filename entries must be at least four characters and
the filename should not contain a forward slash (/). See
https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev= <https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev=>
in the `mft_parse_filehash` function.

routinator: filename cannot have control characters or spaces, ", #,
<, >, ?, [, \, ], ^, `, {, |, } or have value >= 0x7f (see
https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682>).
Furthermore "."  and ".." are not allowed as segment anywhere in a
complete rsync URI (see
https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95>).

Kind regards,