Validation Checks for rpki.conf Files

The rpkichk command performs validation checks on the rpki.conf configuration file. It gives some assurance that the rpki.net system is configured in a way that supports the system's operation and security. rpkichk validation checks fall into the following groups:

  • basic checks - simple per-field checks, such as the existence of files, valid hostnames, and protected keys
  • cross checks - related configuration fields do not conflict
  • recommended-value checks - the recommended values are actually in use

These checking groups are described in more detail in the sections below.

This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD

1. Basic Checks

Section      Field                              Checks Performed
autoconf     bindir                             directory exists, is readable and searchable
             datarootdir                        directory exists, is readable and searchable
             sbindir                            directory exists, is readable and searchable
             sysconfdir                         directory exists, is readable and searchable
irdbd        sql-database                       database name isn't null
             sql-username                       valid SQL user name was given
             sql-password                       SQL password/hash defined; at least 40 characters long
             server-host                        only alphanumerics, dash, and dot; no consecutive dots
             server-port                        only digits; only positive numbers; no fractional part
myrpki       bpki_servers_directory             directory exists, is readable and searchable
             handle                             only alphanumerics, dash, and underscore
             irdbd_server_host                  only alphanumerics, dash, and dot; no consecutive dots
             irdbd_server_port                  only digits; only positive numbers; no fractional part
             irdbd_sql_database                 database name isn't null
             irdbd_sql_password                 SQL password/hash defined; at least 40 characters long
             irdbd_sql_username                 valid SQL user name was given
             pubd_server_host                   only alphanumerics, dash, and dot; no consecutive dots
             pubd_server_port                   only digits; only positive numbers; no fractional part
             pubd_sql_database                  database name isn't null
             pubd_sql_password                  SQL password/hash defined; at least 40 characters long
             pubd_sql_username                  valid SQL user name was given
             publication_base_directory         directory exists, is readable and searchable
             publication_root_cert_directory    directory exists, is readable and searchable
             publication_root_module            module isn't null
             publication_rsync_module           module isn't null
             publication_rsync_server           only alphanumerics, dash, and dot; no consecutive dots
             rootd_server_host                  only alphanumerics, dash, and dot; no consecutive dots
             rootd_server_port                  only digits; only positive numbers; no fractional part
             rpkid_server_host                  only alphanumerics, dash, and dot; no consecutive dots
             rpkid_server_port                  only digits; only positive numbers; no fractional part
             rpkid_sql_database                 database name isn't null
             rpkid_sql_password                 SQL password/hash defined; at least 40 characters long
             rpkid_sql_username                 valid SQL user name was given
             run_pubd                           boolean value -- "yes" or "no" (either case)
             run_rootd                          boolean value -- "yes" or "no" (either case)
             run_rpkid                          boolean value -- "yes" or "no" (either case)
             shared_sql_password                SQL password/hash defined; at least 40 characters long
             shared_sql_username                valid SQL user name was given
             start_irdbd                        boolean value -- "yes" or "no" (either case)
             start_pubd                         boolean value -- "yes" or "no" (either case)
             start_rootd                        boolean value -- "yes" or "no" (either case)
             start_rpkid                        boolean value -- "yes" or "no" (either case)
pubd         bpki-ta                            file exists, is readable
             irbe-cert                          file exists, is readable
             pubd-cert                          file exists, is readable
             pubd-key                           file exists, is readable only by owner
             publication-base                   directory exists, is readable and searchable
             server-host                        only alphanumerics, dash, and dot; no consecutive dots
             server-port                        only digits; only positive numbers; no fractional part
             sql-database                       database name isn't null
             sql-password                       SQL password/hash defined; at least 40 characters long
             sql-username                       valid SQL user name was given
rootd        bpki-ta                            file exists, is readable
             child-bpki-cert                    file exists, is readable
             rootd-bpki-cert                    file exists, is readable
             rootd-bpki-crl                     file exists, is readable
             rootd-bpki-key                     file exists, is readable only by owner
             rpki-base-uri                      URL uses http:// or rsync://; network location given; 0 or 1 colons in network location
             rpki-class-name                    class name isn't null
             rpki-root-cert                     file exists, is readable
             rpki-root-cert-uri                 URL uses http:// or rsync://; network location given; 0 or 1 colons in network location
             rpki-root-crl                      file exists, is readable
             rpki-root-dir                      directory exists, is readable and searchable
             rpki-root-key                      file exists, is readable only by owner
             rpki-root-manifest                 file exists, is readable
             rpki-subject-cert                  file exists, is readable
             rpki-subject-lifetime              numeric portion is positive; unit is hours, days, or months
             rpki-subject-pkcs10                file exists, is readable
             server-host                        only alphanumerics, dash, and dot; no consecutive dots
             server-port                        only digits; only positive numbers; no fractional part
rpkid        bpki-ta                            file exists, is readable
             irbe-cert                          file exists, is readable
             irdb-cert                          file exists, is readable
             irdb-url                           URL uses http://; network location given; 0 or 1 colons in network location
             rpkid-cert                         file exists, is readable
             rpkid-key                          file exists, is readable only by owner
             server-host                        only alphanumerics, dash, and dot; no consecutive dots
             server-port                        only digits; only positive numbers; no fractional part
             sql-database                       database name isn't null
             sql-password                       SQL password/hash defined; at least 40 characters long
             sql-username                       valid SQL user name was given
web_portal   sql-database                       database name isn't null
             sql-username                       valid SQL user name was given
             sql-password                       SQL password/hash defined; at least 40 characters long
             secret-key                         secret key defined; at least 40 characters long
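The script below is an added illustration of how a subset of the basic checks in the table can be implemented; it is not rpkichk's own code and is not taken from the rpki.net distribution. It assumes rpki.conf is an INI-style file that Python's configparser can read, and the configuration values, temporary directory and placeholder files it uses are constructed for the example.

```python
"""Added example: a subset of rpkichk-style basic checks on an rpki.conf
fragment. Not rpkichk's code; sample values and files are constructed."""
import configparser
import os
import re
import stat
import tempfile

# Constructed rpki.conf fragment that deliberately fails several checks.
SAMPLE_CONF = """
[myrpki]
bpki_servers_directory = {root}
handle              = Example-Handle
pubd_server_host    = pubd..example.net
pubd_server_port    = 4433a
run_pubd            = maybe
shared_sql_password = short
[rpkid]
bpki-ta     = {root}/ca.cer
rpkid-key   = {root}/rpkid.key
server-host = rpkid.example.net
server-port = 4434
"""

HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")   # ".." cannot match
PORT_RE = re.compile(r"^[0-9]+$")                             # digits only
HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_host(value):
    return bool(HOST_RE.match(value))


def check_port(value):
    return bool(PORT_RE.match(value)) and int(value) > 0


def check_bool(value):
    return value.lower() in ("yes", "no")


def check_handle(value):
    return bool(HANDLE_RE.match(value))


def check_secret(value):
    return len(value) >= 40


def check_dir(path):
    """Directory exists and is readable and searchable by this process."""
    return os.path.isdir(path) and os.access(path, os.R_OK | os.X_OK)


def check_file(path):
    return os.path.isfile(path) and os.access(path, os.R_OK)


def check_private_key(path):
    """File exists and carries no group/other permission bits at all."""
    if not check_file(path):
        return False
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# (section, field) -> validator; a subset of the table above.
BASIC_CHECKS = {
    ("myrpki", "bpki_servers_directory"): check_dir,
    ("myrpki", "handle"): check_handle,
    ("myrpki", "pubd_server_host"): check_host,
    ("myrpki", "pubd_server_port"): check_port,
    ("myrpki", "run_pubd"): check_bool,
    ("myrpki", "shared_sql_password"): check_secret,
    ("rpkid", "bpki-ta"): check_file,
    ("rpkid", "rpkid-key"): check_private_key,
    ("rpkid", "server-host"): check_host,
    ("rpkid", "server-port"): check_port,
}


def load_conf(text):
    # interpolation=None so '%' or '$' in values are taken literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def basic_checks(cfg):
    """Return the (section, field) pairs that fail; a missing field also fails."""
    failures = []
    for (section, field), validator in BASIC_CHECKS.items():
        value = cfg.get(section, field, fallback=None)
        if value is None or not validator(value.strip()):
            failures.append((section, field))
    return failures


def run_demo():
    """Materialise the sample's placeholder files and return the failures."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "ca.cer"), "w") as f:
            f.write("placeholder, not a real certificate\n")
        key = os.path.join(root, "rpkid.key")
        with open(key, "w") as f:
            f.write("placeholder, not a real key\n")
        os.chmod(key, 0o644)   # group/world readable: the check must flag it
        return basic_checks(load_conf(SAMPLE_CONF.format(root=root)))


if __name__ == "__main__":
    for section, field in run_demo():
        print("FAIL: [%s] %s" % (section, field))
```

The key check tests the mode bits rather than os.access, because os.access answers whether this process can read the file, not whether anyone else can; a 0644 key is readable by the owner and would pass a naive access check.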

2. Cross Checks

The cross checks ensure that pairs of connected configuration fields hold the same value. The two fields may be in the same section of the file or in different sections, and fields in different sections may or may not share a name. For example, the rpkid and pubd sections both have a bpki-ta field, and the two should contain the same value. Similarly, the pubd_server_port field in the myrpki section and the server-port field in the pubd section should be the same.

The table below, grouped by section, describes the cross checks to be performed. Each entry lists the section's field name, the "foreign" section and its field name, and the comparison to be performed.

The table deliberately contains each cross check twice, once under each of the two sections involved, so that this document can be used as a checklist when implementing the checks for any one section. The bpki-ta check above, for instance, appears under both rpkid and pubd.

As of this writing, all comparisons are for equality. That may change in the future, so the comparison column is retained in case it does.

Section:Field                        Foreign Section:Field                Comparison
autoconf                             No cross checks are required for this section.

irdbd:server-host                    myrpki:irdbd_server_host             equality
irdbd:server-port                    myrpki:irdbd_server_port             equality
irdbd:sql-database                   myrpki:irdbd_sql_database            equality
irdbd:sql-password                   myrpki:irdbd_sql_password            equality
irdbd:sql-username                   myrpki:irdbd_sql_username            equality

myrpki:irdbd_server_host             irdbd:server-host                    equality
myrpki:irdbd_server_port             irdbd:server-port                    equality
myrpki:irdbd_sql_database            irdbd:sql-database                   equality
myrpki:irdbd_sql_password            irdbd:sql-password                   equality
myrpki:irdbd_sql_username            irdbd:sql-username                   equality
myrpki:pubd_server_host              pubd:server-host                     equality
myrpki:pubd_server_port              pubd:server-port                     equality
myrpki:pubd_sql_database             pubd:sql-database                    equality
myrpki:pubd_sql_password             pubd:sql-password                    equality
myrpki:pubd_sql_username             pubd:sql-username                    equality
myrpki:publication_base_directory    pubd:publication-base                equality
myrpki:rootd_server_host             rootd:server-host                    equality
myrpki:rootd_server_port             rootd:server-port                    equality
myrpki:rpkid_server_host             rpkid:server-host                    equality
myrpki:rpkid_server_port             rpkid:server-port                    equality
myrpki:rpkid_sql_database            rpkid:sql-database                   equality
myrpki:rpkid_sql_password            rpkid:sql-password                   equality
myrpki:rpkid_sql_username            rpkid:sql-username                   equality

pubd:bpki-ta                         rootd:bpki-ta                        equality
pubd:bpki-ta                         rpkid:bpki-ta                        equality
pubd:irbe-cert                       rpkid:irbe-cert                      equality
pubd:publication-base                myrpki:publication_base_directory    equality
pubd:server-host                     myrpki:pubd_server_host              equality
pubd:server-port                     myrpki:pubd_server_port              equality
pubd:sql-database                    myrpki:pubd_sql_database             equality
pubd:sql-password                    myrpki:pubd_sql_password             equality
pubd:sql-username                    myrpki:pubd_sql_username             equality

rootd:bpki-ta                        pubd:bpki-ta                         equality
rootd:bpki-ta                        rpkid:bpki-ta                        equality
rootd:server-host                    myrpki:rootd_server_host             equality
rootd:server-port                    myrpki:rootd_server_port             equality

rpkid:bpki-ta                        pubd:bpki-ta                         equality
rpkid:bpki-ta                        rootd:bpki-ta                        equality
rpkid:irbe-cert                      pubd:irbe-cert                       equality
rpkid:server-host                    myrpki:rpkid_server_host             equality
rpkid:server-port                    myrpki:rpkid_server_port             equality
rpkid:sql-database                   myrpki:rpkid_sql_database            equality
rpkid:sql-password                   myrpki:rpkid_sql_password            equality
rpkid:sql-username                   myrpki:rpkid_sql_username            equality

web_portal                           No cross checks are required for this section.

3. Recommended-Value Checks

The fields in this section are given values in the default rpki.conf file that are recommended to be left alone. The default configuration file presents them with a comment similar to "Use this value unless you really know what you're doing." Some fields are recommended to have specific values; others are recommended to match other fields in the configuration file. Certain situations allow them to differ, but most installations will not need that. The recommended-value checks verify that the recommended values are actually in use.

These fields have specific values they should contain.

Section:Field                        Suggested Value
myrpki:irdbd_server_host             'localhost'
myrpki:irdbd_sql_database            'irdbd'
myrpki:pubd_sql_database             'pubd'
myrpki:publication_root_module       'root'
myrpki:publication_rsync_module      'rpki'
myrpki:rootd_server_host             'localhost'
myrpki:rpkid_sql_database            'rpkid'
myrpki:run_pubd                      'no'
myrpki:run_rootd                     'no'
myrpki:run_rpkid                     'yes'
myrpki:shared_sql_username           'rpki'

These fields are strongly suggested to match the referenced field, or the path built from it, as shown in the second column.

Section:Field                        Foreign Section:Field
myrpki:bpki_servers_directory        autoconf::datarootdir/rpki
myrpki:publication_rsync_server      myrpki::pubd_server_host
myrpki:start_irdbd                   myrpki::run_rpkid
myrpki:start_pubd                    myrpki::run_pubd
myrpki:start_rootd                   myrpki::run_rootd
myrpki:start_rpkid                   myrpki::run_rpkid

pubd:bpki-ta                         myrpki::bpki_servers_directory/ca.cer
pubd:pubd-cert                       myrpki::bpki_servers_directory/pubd.cer
pubd:pubd-key                        myrpki::bpki_servers_directory/pubd.key
pubd:irbe-cert                       myrpki::bpki_servers_directory/irbe.cer

rootd:bpki-ta                        myrpki::bpki_servers_directory/ca.cer
rootd:rootd-bpki-crl                 myrpki::bpki_servers_directory/ca.crl
rootd:rootd-bpki-cert                myrpki::bpki_servers_directory/rootd.cer
rootd:rootd-bpki-key                 myrpki::bpki_servers_directory/rootd.key
rootd:child-bpki-cert                myrpki::bpki_servers_directory/child.cer

rpkid:bpki-ta                        myrpki::bpki_servers_directory/ca.cer
rpkid:rpkid-cert                     myrpki::bpki_servers_directory/rpkid.cer
rpkid:rpkid-key                      myrpki::bpki_servers_directory/rpkid.key
rpkid:irdb-cert                      myrpki::bpki_servers_directory/irdbd.cer
rpkid:irbe-cert                      myrpki::bpki_servers_directory/irbe.cer
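The script below is an added illustration, not rpkichk's own code, of how the cross checks in section 2 and the recommended-value checks in section 3 can be implemented together over one parsed rpki.conf. It assumes the file is INI-style and that a value may refer to another field with a ${section::field} macro, which is the syntax the section::field notation in the tables above refers to; the configuration fragment and its values are constructed for the example, and only a handful of the checks from the tables are listed.

```python
"""Added example: cross checks and recommended-value checks on an rpki.conf
fragment. Not rpkichk's code; the sample configuration is constructed."""
import configparser
import re

# Constructed fragment: pubd's port disagrees with myrpki's copy, run_pubd is
# not the recommended 'no', and rpkid's bpki-ta is outside bpki_servers_directory.
SAMPLE_CONF = """
[autoconf]
datarootdir = /usr/share
[myrpki]
bpki_servers_directory = ${autoconf::datarootdir}/rpki
irdbd_server_host = localhost
pubd_server_host  = pubd.example.net
pubd_server_port  = 4433
run_pubd          = yes
start_pubd        = ${myrpki::run_pubd}
[pubd]
server-host = pubd.example.net
server-port = 4434
bpki-ta     = ${myrpki::bpki_servers_directory}/ca.cer
[rpkid]
bpki-ta     = /etc/rpki/other-ca.cer
rpkid-key   = ${myrpki::bpki_servers_directory}/rpkid.key
"""

# Assumed macro syntax: ${section::field}
MACRO_RE = re.compile(r"\$\{([^:}]+)::([^}]+)\}")


def load_conf(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def expand(cfg, value, depth=0):
    """Recursively expand ${section::field} references, refusing cycles."""
    if depth > 10:
        raise ValueError("macro expansion too deep: %r" % value)

    def sub(match):
        return expand(cfg, cfg.get(match.group(1), match.group(2)), depth + 1)

    return MACRO_RE.sub(sub, value)


def get(cfg, section, field):
    """Expanded value of a field, or None if it is absent."""
    raw = cfg.get(section, field, fallback=None)
    return None if raw is None else expand(cfg, raw.strip())


# Each cross check is listed once here; the document lists each twice so that
# it can be ticked off from either section.
CROSS_CHECKS = [
    (("myrpki", "pubd_server_host"), ("pubd", "server-host")),
    (("myrpki", "pubd_server_port"), ("pubd", "server-port")),
    (("pubd", "bpki-ta"), ("rpkid", "bpki-ta")),
]

# Recommended literal values (booleans are compared case-insensitively).
RECOMMENDED_VALUES = {
    ("myrpki", "irdbd_server_host"): "localhost",
    ("myrpki", "run_pubd"): "no",
}

# Recommended values expressed as templates over other fields.
RECOMMENDED_TEMPLATES = {
    ("myrpki", "bpki_servers_directory"): "${autoconf::datarootdir}/rpki",
    ("myrpki", "start_pubd"): "${myrpki::run_pubd}",
    ("pubd", "bpki-ta"): "${myrpki::bpki_servers_directory}/ca.cer",
    ("rpkid", "bpki-ta"): "${myrpki::bpki_servers_directory}/ca.cer",
}


def cross_checks(cfg):
    """Return (field, foreign field, value, foreign value) for each mismatch."""
    mismatches = []
    for a, b in CROSS_CHECKS:
        va, vb = get(cfg, *a), get(cfg, *b)
        if va != vb:
            mismatches.append((a, b, va, vb))
    return mismatches


def recommended_checks(cfg):
    """Return (field, actual, recommended) for each field off its default."""
    findings = []
    for key, want in RECOMMENDED_VALUES.items():
        have = get(cfg, *key)
        if have is None or have.lower() != want:
            findings.append((key, have, want))
    for key, template in RECOMMENDED_TEMPLATES.items():
        have, want = get(cfg, *key), expand(cfg, template)
        if have != want:
            findings.append((key, have, want))
    return findings


def run_demo():
    cfg = load_conf(SAMPLE_CONF)
    return cross_checks(cfg), recommended_checks(cfg)


if __name__ == "__main__":
    cross, recommended = run_demo()
    for a, b, va, vb in cross:
        print("MISMATCH: %s:%s=%r vs %s:%s=%r" % (a + (va,) + b + (vb,)))
    for key, have, want in recommended:
        print("NOT RECOMMENDED: %s:%s=%r (recommended %r)" % (key + (have, want)))
```

Both kinds of check compare values after macro expansion. Where the default file defines a field as a reference to its counterpart, for instance a server-port that refers to myrpki's pubd_server_port, comparing the raw strings would report a mismatch that is not real, while comparing expanded values catches a port that was overridden in only one place.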