From 5eccca7911b5bca0b5aedddf24d5c8a9b531e5df Mon Sep 17 00:00:00 2001
From: Martin Hoffmann
Date: Thu, 15 Aug 2019 13:08:20 +0200
Subject: [PATCH] Parse and encode ROA versions as explicitely tagged.
---
 Changelog.md | 5 +++++
 src/roa.rs | 25 +++++++++++++++----------
 test-data/example-ripe.roa | Bin 0 -> 1807 bytes
 3 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 test-data/example-ripe.roa
diff --git a/Changelog.md b/Changelog.md
index 6a34bee6..401258cb 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -21,6 +21,10 @@ Bug Fixes
 * Various improvements to the RRDP implementation. [(#62)]
 * Fix a endless loop and an off-by-one error in Chain::trim. [(#64)]
+* The `version` field of a ROA’s `RouteOriginAttestation` structure was
+ parsed and constructed as implicitly tagged whereas the standard demands
+ explicit tagging. This would have lead to a parse error for all ROAs
+ that actually contain the (optional) version field. [(#70)]
 Dependencies
@@ -29,6 +33,7 @@ Dependencies
 [(#64)]: https://github.com/NLnetLabs/rpki-rs/pull/64
 [(#67)]: https://github.com/NLnetLabs/rpki-rs/pull/67
 [(#69)]: https://github.com/NLnetLabs/rpki-rs/pull/69
+[(#70)]: https://github.com/NLnetLabs/rpki-rs/pull/70
 # 0.5.0
diff --git a/src/roa.rs b/src/roa.rs
index 6cebd4a8..9818dca6 100644
--- a/src/roa.rs
+++ b/src/roa.rs
@@ -8,7 +8,6 @@ use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use std::sync::Arc;
 use bcder::{decode, encode};
 use bcder::{Captured, Mode, OctetString, Oid, Tag, xerr};
-use bcder::decode::Source;
 use bcder::encode::{PrimitiveContent, Values};
 use bytes::Bytes;
 use serde::{Serialize, Serializer, Deserialize, Deserializer};
@@ -140,14 +139,8 @@ impl RouteOriginAttestation {
 cons: &mut decode::Constructed
 ) -> Result {
 cons.take_sequence(|cons| {
- cons.take_opt_primitive_if(Tag::CTX_0, |prim| {
- if prim.take_u8()? != 0 {
- xerr!(Err(decode::Malformed.into()))
- }
- else {
- Ok(())
- }
- })?;
+ // version [0] EXPLICIT INTEGER DEFAULT 0
+ cons.take_opt_constructed_if(Tag::CTX_0, |c| c.skip_u8_if(0))?;
 let as_id = AsId::take_from(cons)?;
 let mut v4 = None;
 let mut v6 = None;
@@ -218,7 +211,7 @@ impl RouteOriginAttestation {
 pub fn encode_ref<'a>(&'a self) -> impl encode::Values + 'a {
 encode::sequence((
- 0u8.encode_as(Tag::CTX_0),
+ encode::sequence_as(Tag::CTX_0, 0u8.encode()),
 self.as_id.encode(),
 encode::sequence((
 self.v4_addrs.encode_ref_family([0x00, 0x01]),
@@ -622,6 +615,17 @@ impl Extend for RoaIpAddressesBuilder {
 #[cfg(test)]
 mod test {
+ use super::*;
+
+ #[test]
+ fn decode_roa() {
+ assert!(
+ Roa::decode(
+ include_bytes!("../test-data/example-ripe.roa").as_ref(),
+ false
+ ).is_ok()
+ )
+ }
 }
 #[cfg(all(test, feature="softkeys"))]
@@ -681,6 +685,7 @@ mod signer_test { fn encode_roa() { make_roa(); } + #[test] fn serde_roa() {
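Review bot: The version element is `DEFAULT 0`, and DER does not encode a component equal to its default, yet the new `encode::sequence_as(Tag::CTX_0, 0u8.encode()),` line in the `@@ -218` hunk still writes it into every ROA this crate produces. Tolerating the element on the decode side (`take_opt_constructed_if(Tag::CTX_0, |c| c.skip_u8_if(0))` in the `@@ -140` hunk) is needed for published objects that carry it, but a relying party that enforces strict DER on the signed content could reject what `encode_ref` emits. I would drop the element from the encoder and leave `// version is DEFAULT 0, so DER omits it` in its place. The decode comment could also say that an explicit 0 is accepted for interoperability and that any other value must fail; `skip_u8_if(0)` presumably does that, but its definition is not in the diff. Both functions begin and end outside their hunks.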
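Review bot: `decode_roa` in the `@@ -622` hunk asserts only `is_ok()` on one known-good object, so it would keep passing if the version check stopped rejecting anything. A parser fix for signed routing data should also pin the rejections: a ROA whose `[0]` element holds a non-zero version and one using the old implicit encoding, each asserted with `is_err()`. The second argument `false` looks like the strict-mode flag (its definition is not visible here), in which case the strict path is not exercised either; `Roa::decode(bytes, true)` on the same file would cover it if the sample is expected to pass there. Feeding `encode_ref` output back through the decoder would tie the two changed functions together.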
diff --git a/test-data/example-ripe.roa b/test-data/example-ripe.roa new file mode 100644 index 0000000000000000000000000000000000000000..1bfb1b1ec5689fb64d0c814dc34e522e64b1feb3 GIT binary patch literal 1807 zcmcIlX;4#F6wZ5j1OtQzhyhWA0gWt%+(%yW5;u$>#tlRX0*V+y0s)j5w1A@+0s>kU zi-L>-hRsr|f~+m5IF1W#1+3d(6-Pl_SVTYsMNESgt4^oWKfS;1J?G4K&pqFK-vufP z)hR`oGDL&)VT}r?V2F&NfJUKiND)F(G6F+-B%q=gek`JzK$aTSbQNL)tYI>l-2~{s z9DzwNFa}0seLW|m>V@b97;+|kSUN;C(ht<+KQv?*f?%`K0CVMp$N+({c^IF^Aut&mXY+ZkIKVKDn9BoFR{*A2&@evW0&4Po;LsZ1u3u_b(t1gIgq&zsXd zovemXk}hrlt09O~T9@1XCdwnn;nZozV0oK%w_7cJ!x{I!ga$s5UsYA>9@O8TRMOW< zo6i`oq*5CEokL!|7{YV!Hqp2Souq}N(`WA#tT}<)zklwr=xp$@+)K(7QMYGpAD5J7 zS0NfaI8t0$7Y5DQQDS%CseVa!bJ%A32k5C_tmlDP<$63wx%NM$KN)T$)ufTALx-YaJ=y7+rfL@{wg> zai4FHX`A^Zm<*AiLN#mz)bIpgt>etv7@;HP;?$fC#T@&hgye0TjVn@n-wph-4%m#P z?GZ~rSDCNpLNn_1CnjdEvBCN31*U=F#aEeeF6Te9^o5fNpBIPbhxkBo)NxFrllq#ZQ~uE)uB{B<>rBg$$8I6-WTv#{%O)Zy^!9ZCkuw ztcx;Q3=$K^#$bbN199LR%@&RFf9T;~XQGS(mSZj0jxnKAF)$dPhcOK7#`lnp6)iFm zm;&^J+^L_${<&gwa@HvZB5m&ICNqfi-)#7G9Z%`6qUvj777xan+NTkuM=kL^6yU(Y~-;F!k@89)^D9 zeLD9XH&iNu*&((o1KY3V7{0$<7M{(E$#xoAJ-V-4U85CDknir;bx2D8iZVnEksLf1 zFK4+t4))w0HjJ(}j|dZ_77qA7S$o7yvi4&8`}_klPha96Zt2*ksM@c7=S4{fwzYeE zITiNaxf6X;YF1%2h-RMrUVD7U39bCubd156*wOn_WvkPvkTc>a{a;avS5tFIn)RWu z@{WOryMh`RbN9}1X?gj~Aj#x+y9}7xtX`bFpezeTGjCk*<#!jFS#R8U;Q5RLj~Xro z$qlTY)J_rntVrwfK@Id67vDw%SKq?4L|3|{P