hsmtool: provide nodeid from hsm secret.

This allows tools to validate that it is accessing the correct hsm_secret for this node!

This is extremely important for backups: if they are using VLS, they need to back *that*
up instead, for example.

Changelog-Added: `hsmtool`: `getnodeid` command derives the node id from the hsm_secret, to verify it's the correct secret.
Signed-off-by: Rusty Russell <[email protected]>

Author: rustyrussell

doc/lightning-hsmtool.8.md

@@ -20,46 +20,46 @@ as well as derive secrets used in channel commitments.
 METHODS
 -------
 
-**encrypt** *hsm\_secret* *password*
+**encrypt** *hsm\_secret\_path* *password*
 
-  Encrypt the `hsm_secret` file so that it can only be decrypted at
+  Encrypt the `hsm_secret_path` file so that it can only be decrypted at
 **lightningd** startup.
 You must give the option **--encrypted-hsm** to **lightningd**.
-The password of the `hsm_secret` file will be asked whenever you
+The password of the `hsm_secret_path` file will be asked whenever you
 start **lightningd**.
 
-**decrypt** *hsm\_secret* *password*
+**decrypt** *hsm\_secret\_path* *password*
 
-  Decrypt the `hsm_secret` file that was encrypted with the **encrypt**
+  Decrypt the `hsm_secret_path` file that was encrypted with the **encrypt**
 method.
 
-**dumpcommitments** *node\_id* *channel\_dbid* *depth* *hsm\_secret* \[*password*\]
+**dumpcommitments** *node\_id* *channel\_dbid* *depth* *hsm\_secret\_path* \[*password*\]
 
   Show the per-commitment secret and point of up to *depth* commitments,
 of the specified channel with the specified peer,
 identified by the channel database index.
-Specify *password* if the `hsm_secret` is encrypted.
+Specify *password* if the `hsm_secret_path` is encrypted.
 
-**guesstoremote** *p2wpkh* *node\_id* *max\_channel\_dbid* *hsm\_secret* \[*password*\]
+**guesstoremote** *p2wpkh* *node\_id* *max\_channel\_dbid* *hsm\_secret\_path* \[*password*\]
 
   Brute-force the private key to our funds from a remote unilateral close
 of a channel, in a case where we have lost all database data except for
-our `hsm_secret`.
+our `hsm_secret_path`.
 The peer must be the one to close the channel (and the funds will remain
 unrecoverable until the channel is closed).
 *max\_channel\_dbid* is your own guess on what the *channel\_dbid* was,
 or at least the maximum possible value,
 and is usually no greater than the number of channels that the node has
 ever had.
-Specify *password* if the `hsm_secret` is encrypted.
+Specify *password* if the `hsm_secret_path` is encrypted.
 
 **generatehsm** *hsm\_secret\_path*
   Generates a new hsm\_secret using BIP39.
 
 **checkhsm** *hsm\_secret\_path*
   Checks that hsm\_secret matches a BIP39 passphrase.
 
-**dumponchaindescriptors** \[*--show-secrets*\] *hsm\_secret* \[*network*\]
+**dumponchaindescriptors** \[*--show-secrets*\] *hsm\_secret\_path* \[*network*\]
   Dump output descriptors for our onchain wallet.
 This command requires the path to the hsm\_secret containing the wallet seed.
 If the flag *--show-secrets* is set the command will show the BIP32 extended private
@@ -74,7 +74,7 @@ password.
 To generate descriptors using testnet master keys, you may specify *testnet* as
 the last parameter. By default, mainnet-encoded keys are generated.
 
-**makerune** *hsm\_secret*
+**makerune** *hsm\_secret\_path*
   Make a master rune for this node (with `uniqueid` 0)
 This produces the same results as lightning-commando-rune(7) on a fresh node.
 You will still need to create a rune once the node starts, if you want commando to work (as it is only activated once it has generated one).
@@ -85,6 +85,9 @@ You will still need to create a rune once the node starts, if you want commando
 **getemergencyrecover** *emergency.recover\_path*
   Print out the bech32 encoded emergency.recover file.
 
+**getnodeid** *hsm\_secret\_path*
+  Print out the node id that a node using this hsm secret would have: useful for verifying that you are accessing the correct secret!
+
 BUGS
 ----
 

tests/test_wallet.py

@@ -1701,3 +1701,11 @@ def test_hsmtool_makerune(node_factory):
     # We have to generate a rune now, for commando to even start processing!
     rune = l1.rpc.commando_rune()['rune']
     assert rune == out
+
+
+def test_hsmtool_getnodeid(node_factory):
+    l1 = node_factory.get_node()
+
+    cmd_line = ["tools/hsmtool", "getnodeid", os.path.join(l1.daemon.lightning_dir, TEST_NETWORK, "hsm_secret")]
+    out = subprocess.check_output(cmd_line).decode('utf-8').strip()
+    assert out == l1.info['id']

tools/hsmtool.c

@@ -49,6 +49,7 @@ static void show_usage(const char *progname)
 	printf("	- makerune <path/to/hsm_secret>\n");
 	printf("	- getcodexsecret <path/to/hsm_secret> <id>\n");
 	printf("	- getemergencyrecover <path/to/emergency.recover>\n");
+	printf("	- getnodeid <path/to/hsm_secret>\n");
 	exit(0);
 }
 
@@ -697,6 +698,38 @@ static int make_rune(const char *hsm_secret_path)
 	return 0;
 }
 
+static int get_node_id(const char *hsm_secret_path)
+{
+	u32 salt = 0;
+	struct secret hsm_secret;
+	struct privkey node_privkey;
+	struct pubkey node_id;
+
+	secp256k1_ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+	                                         | SECP256K1_CONTEXT_SIGN);
+
+	/* Get hsm_secret */
+	get_hsm_secret(&hsm_secret, hsm_secret_path);
+
+	/*~ So, there is apparently a 1 in 2^127 chance that a random value is
+	 * not a valid private key, so this never actually loops. */
+	do {
+		/*~ ccan/crypto/hkdf_sha256 implements RFC5869 "Hardened Key
+		 * Derivation Functions".  That means that if a derived key
+		 * leaks somehow, the other keys are not compromised. */
+		hkdf_sha256(&node_privkey, sizeof(node_privkey),
+			    &salt, sizeof(salt),
+			    &hsm_secret,
+			    sizeof(hsm_secret),
+			    "nodeid", 6);
+		salt++;
+	} while (!secp256k1_ec_pubkey_create(secp256k1_ctx, &node_id.pubkey,
+					     node_privkey.secret.data));
+
+	printf("%s\n", fmt_pubkey(tmpctx, &node_id));
+	return 0;
+}
+
 int main(int argc, char *argv[])
 {
 	const char *method;
@@ -838,5 +871,11 @@ int main(int argc, char *argv[])
 		return getemergencyrecover(argv[2]);
 	}
 
+	if (streq(method, "getnodeid")) {
+		if (argc < 3)
+			show_usage(argv[0]);
+		return get_node_id(argv[2]);
+	}
+
 	show_usage(argv[0]);
 }