exposesecret: new plugin and command to get hsm_secret.

Being able to back up the hsm_secret is critical, but you cannot do
this through a UI, because of course we do not allow such access.
People have lost funds because they didn't back up.

This allows access to the hsm_secret if you use a password set in the
config file.  (If it's not set, the command does not work).  This is a
compromise, of course.

Changelog-Added: `exposesecret` command for encouraging hsm_secret backups.
Signed-off-by: Rusty Russell <[email protected]>

Author: rustyrussell

contrib/msggen/msggen/schema.json

@@ -12782,6 +12782,64 @@
         }
       ]
     },
+    "lightning-exposesecret.json": {
+      "$schema": "../rpc-schema-draft.json",
+      "type": "object",
+      "additionalProperties": false,
+      "rpc": "exposesecret",
+      "title": "Command for extracting the hsm_secret file for backup",
+      "description": [
+        "The **exposesecret** RPC command allows you to read the HSM secret, and does not work with encrypted hsm secrets.  It only operates if the `exposesecret-passphrase` has been set in the configuration."
+      ],
+      "request": {
+        "required": [
+          "passphrase"
+        ],
+        "properties": {
+          "passphrase": {
+            "type": "string",
+            "description": [
+              "The passphrase, which must match the `exposesecret-passphrase` configuration parameter."
+            ]
+          },
+          "identifier": {
+            "type": "string",
+            "description": [
+              "A four-character, valid lowercase bech32 string (not 1, i, o or b) to use in the resulting BIP-93 output.  If not specified, this is generated from the node alias."
+            ]
+          }
+        }
+      },
+      "response": {
+        "required": [
+          "identifier",
+          "codex32"
+        ],
+        "properties": {
+          "identifier": {
+            "type": "string",
+            "description": [
+              "The four-character identifier used in the codex32 output.  Redundant, but presented separately for clarity."
+            ]
+          },
+          "codex32": {
+            "type": "string",
+            "description": [
+              "The full codex32-encoded (i.e. BIP-93 encoded) HSM secret."
+            ]
+          }
+        }
+      },
+      "author": [
+        "Rusty Russell <<[email protected]>> is mainly responsible."
+      ],
+      "see_also": [
+        "lightning-hsmtool(8)"
+      ],
+      "resources": [
+        "Main web site: <https://github.com/ElementsProject/lightning>"
+      ]
+    },
     "lightning-feerates.json": {
       "$schema": "../rpc-schema-draft.json",
       "type": "object",

doc/Makefile

@@ -55,6 +55,7 @@ GENERATE_MARKDOWN := doc/lightning-addgossip.7 \
 	doc/lightning-disableoffer.7 \
 	doc/lightning-disconnect.7 \
 	doc/lightning-emergencyrecover.7 \
+	doc/lightning-exposesecret.7 \
 	doc/lightning-feerates.7 \
 	doc/lightning-fetchinvoice.7 \
 	doc/lightning-fundchannel_cancel.7 \

doc/index.rst

@@ -64,6 +64,7 @@ Core Lightning Documentation
    lightning-disableoffer <lightning-disableoffer.7.md>
    lightning-disconnect <lightning-disconnect.7.md>
    lightning-emergencyrecover <lightning-emergencyrecover.7.md>
+   lightning-exposesecret <lightning-exposesecret.7.md>
    lightning-feerates <lightning-feerates.7.md>
    lightning-fetchinvoice <lightning-fetchinvoice.7.md>
    lightning-fundchannel <lightning-fundchannel.7.md>

doc/lightningd-config.5.md

@@ -702,6 +702,11 @@ authenticate to the Tor control port.
 
   Defines the path for WSS cert & key. Default path is same as RPC file path to utilize gRPC/clnrest's client certificate. If it is missing at the configured location, new identity (`client.pem` and `client-key.pem`) will be generated.
 
+* **exposesecret-passphrase**=*passphrase*  [plugin `exposesecret`]
+
+  Defines a passphrase which will let users extract the `hsm_secret` using the `exposesecret` command.  If this is not set, the `exposesecret` command always fails.
+
+
 ### Lightning Plugins
 
 lightningd(8) supports plugins, which offer additional configuration

doc/schemas/lightning-exposesecret.json

@@ -0,0 +1,58 @@
+{
+  "$schema": "../rpc-schema-draft.json",
+  "type": "object",
+  "additionalProperties": false,
+  "rpc": "exposesecret",
+  "title": "Command for extracting the hsm_secret file for backup",
+  "description": [
+    "The **exposesecret** RPC command allows you to read the HSM secret, and does not work with encrypted hsm secrets.  It only operates if the `exposesecret-passphrase` has been set in the configuration."
+  ],
+  "request": {
+    "required": [
+      "passphrase"
+    ],
+    "properties": {
+      "passphrase": {
+        "type": "string",
+        "description": [
+          "The passphrase, which must match the `exposesecret-passphrase` configuration parameter."
+        ]
+      },
+      "identifier": {
+        "type": "string",
+        "description": [
+          "A four-character, valid lowercase bech32 string (not 1, i, o or b) to use in the resulting BIP-93 output.  If not specified, this is generated from the node alias."
+        ]
+      }
+    }
+  },
+  "response": {
+    "required": [
+      "identifier",
+      "codex32"
+    ],
+    "properties": {
+      "identifier": {
+        "type": "string",
+        "description": [
+          "The four-character identifier used in the codex32 output.  Redundant, but presented separately for clarity."
+        ]
+      },
+      "codex32": {
+        "type": "string",
+        "description": [
+          "The full codex32-encoded (i.e. BIP-93 encoded) HSM secret."
+        ]
+      }
+    }
+  },
+  "author": [
+    "Rusty Russell <<[email protected]>> is mainly responsible."
+  ],
+  "see_also": [
+    "lightning-hsmtool(8)"
+  ],
+  "resources": [
+    "Main web site: <https://github.com/ElementsProject/lightning>"
+  ]
+}

plugins/Makefile

@@ -45,6 +45,10 @@ PLUGIN_SQL_SRC := plugins/sql.c
 PLUGIN_SQL_HEADER :=
 PLUGIN_SQL_OBJS := $(PLUGIN_SQL_SRC:.c=.o)
 
+PLUGIN_EXPOSESECRET_SRC := plugins/exposesecret.c
+PLUGIN_EXPOSESECRET_HEADER :=
+PLUGIN_EXPOSESECRET_OBJS := $(PLUGIN_EXPOSESECRET_SRC:.c=.o)
+
 PLUGIN_SPENDER_SRC :=				\
 	plugins/spender/fundchannel.c		\
 	plugins/spender/main.c			\
@@ -81,6 +85,7 @@ PLUGIN_ALL_SRC :=				\
 	$(PLUGIN_COMMANDO_SRC)			\
 	$(PLUGIN_FUNDER_SRC)			\
 	$(PLUGIN_TOPOLOGY_SRC)			\
+	$(PLUGIN_EXPOSESECRET_SRC)		\
 	$(PLUGIN_KEYSEND_SRC)			\
 	$(PLUGIN_TXPREPARE_SRC)			\
 	$(PLUGIN_LIB_SRC)			\
@@ -106,6 +111,7 @@ C_PLUGINS :=					\
 	plugins/commando			\
 	plugins/funder				\
 	plugins/topology			\
+	plugins/exposesecret			\
 	plugins/keysend				\
 	plugins/offers				\
 	plugins/pay				\
@@ -221,6 +227,8 @@ plugins/topology: common/route.o common/dijkstra.o common/gossmap.o common/scidd
 
 plugins/txprepare: $(PLUGIN_TXPREPARE_OBJS) $(PLUGIN_LIB_OBJS) $(PLUGIN_COMMON_OBJS) $(JSMN_OBJS)
 
+plugins/exposesecret: $(PLUGIN_EXPOSESECRET_OBJS) $(PLUGIN_LIB_OBJS) $(PLUGIN_COMMON_OBJS) $(JSMN_OBJS) common/hsm_encryption.o common/codex32.o
+
 plugins/bcli: $(PLUGIN_BCLI_OBJS) $(PLUGIN_LIB_OBJS) $(PLUGIN_COMMON_OBJS) $(JSMN_OBJS)
 
 plugins/keysend: wire/tlvstream.o wire/onion_wiregen.o $(PLUGIN_KEYSEND_OBJS) $(PLUGIN_LIB_OBJS) $(PLUGIN_PAY_LIB_OBJS) $(PLUGIN_COMMON_OBJS) $(JSMN_OBJS) common/gossmap.o common/fp16.o common/route.o common/dijkstra.o common/blindedpay.o common/blindedpath.o common/hmac.o common/blinding.o common/onion_encode.o common/gossmods_listpeerchannels.o common/sciddir_or_pubkey.o

plugins/exposesecret.c

@@ -0,0 +1,163 @@
+#include "config.h"
+#include <bitcoin/privkey.h>
+#include <ccan/array_size/array_size.h>
+#include <ccan/crypto/hkdf_sha256/hkdf_sha256.h>
+#include <ccan/crypto/sha256/sha256.h>
+#include <ccan/tal/grab_file/grab_file.h>
+#include <ccan/tal/str/str.h>
+#include <common/bech32.h>
+#include <common/codex32.h>
+#include <common/json_param.h>
+#include <common/json_stream.h>
+#include <errno.h>
+#include <plugins/libplugin.h>
+
+/* Information this plugin wants to keep. */
+struct exposesecret {
+	char *exposure_passphrase;
+	struct pubkey our_node_id;
+	const char *our_node_alias;
+};
+
+static struct exposesecret *exposesecret_data(struct plugin *plugin)
+{
+	return plugin_get_data(plugin, struct exposesecret);
+}
+
+/* Don't let compiler do clever things, which would allow the caller
+ * to measure time, and figure out how much of the passphrase matched! */
+static bool compare_passphrases(const char *a, const char *b)
+{
+	struct sha256 a_sha, b_sha;
+
+	/* Technically, this gives information about passphrase length, but
+	 * they can also just brute force it if it is small, so this doesn't
+	 * add much!  Also, hashing messes with timing quite a bit. */
+	sha256(&a_sha, a, strlen(a));
+	sha256(&b_sha, b, strlen(b));
+
+	return sha256_eq(&a_sha, &b_sha);
+}
+
+static struct command_result *json_exposesecret(struct command *cmd,
+						const char *buffer,
+						const jsmntok_t *params)
+{
+	const struct exposesecret *exposesecret = exposesecret_data(cmd->plugin);
+	struct json_stream *js;
+	u8 *contents;
+	const char *id, *passphrase, *err;
+	struct secret hsm_secret;
+	struct privkey node_privkey;
+	struct pubkey node_id;
+	char *bip93;
+	u32 salt = 0;
+
+	if (!param_check(cmd, buffer, params,
+			 p_req("passphrase", param_string, &passphrase),
+			 p_opt("identifier", param_string, &id),
+			 NULL))
+		return command_param_failed();
+
+	if (!exposesecret->exposure_passphrase)
+		return command_fail(cmd, LIGHTNINGD, "exposesecrets-passphrase is not set");
+
+	/* Technically, this could become a timing oracle. */
+	if (!compare_passphrases(exposesecret->exposure_passphrase, passphrase))
+		return command_fail(cmd, LIGHTNINGD, "passphrase does not match exposesecrets-passphrase");
+
+	contents = grab_file(tmpctx, "hsm_secret");
+	if (!contents)
+		return command_fail(cmd, LIGHTNINGD, "Could not open hsm_secret: %s", strerror(errno));
+
+	/* grab_file adds a \0 byte at the end for convenience */
+	if (tal_bytelen(contents) == sizeof(hsm_secret) + 1) {
+		memcpy(&hsm_secret, contents, sizeof(hsm_secret));
+	} else {
+		return command_fail(cmd, LIGHTNINGD, "Not a valid hsm_secret file?  Bad length (maybe encrypted?)");
+	}
+
+	/* Before we expose it, check it's correct! */
+	hkdf_sha256(&node_privkey, sizeof(node_privkey),
+		    &salt, sizeof(salt),
+		    &hsm_secret,
+		    sizeof(hsm_secret),
+		    "nodeid", 6);
+
+	/* Should not happen! */
+	if (!pubkey_from_privkey(&node_privkey, &node_id))
+		return command_fail(cmd, LIGHTNINGD, "Invalid private key?");
+
+	if (!pubkey_eq(&node_id, &exposesecret->our_node_id))
+		return command_fail(cmd, LIGHTNINGD, "This hsm_secret is not for the current node");
+
+	/* If they didn't give an identifier, we make an appropriate one! */
+	if (!id) {
+		size_t off = 0;
+		/* If we run out of alias, use x. */
+		char idstr[] = "xxxx";
+
+		for (size_t i = 0; idstr[off]; i++) {
+			unsigned char c = exposesecret->our_node_alias[i];
+			if (c == 0)
+				break;
+			if (c >= sizeof(bech32_charset_rev))
+				continue;
+			/* Convert to lower case */
+ 			c = tolower(c);
+			/* Must be a valid bech32 char now */
+			if (bech32_charset_rev[c] == -1)
+				continue;
+			idstr[off++] = c;
+		}
+
+		id = tal_strdup(cmd, idstr);
+	}
+
+	/* This also cannot fail! */
+	err = codex32_secret_encode(tmpctx, "cl", id, 0, hsm_secret.data, 32, &bip93);
+	if (err)
+		return command_fail(cmd, LIGHTNINGD, "Unexpected failure encoding hsm_secret: %s", err);
+
+	/* If we're just checking, stop */
+	if (command_check_only(cmd))
+		return command_check_done(cmd);
+
+	js = jsonrpc_stream_success(cmd);
+	json_add_string(js, "identifier", id);
+	json_add_string(js, "codex32", bip93);
+	return command_finished(cmd, js);
+}
+
+static const char *init(struct plugin *plugin,
+			const char *buf UNUSED, const jsmntok_t *config UNUSED)
+{
+	struct exposesecret *exposesecret = exposesecret_data(plugin);
+	rpc_scan(plugin, "getinfo",
+		 take(json_out_obj(NULL, NULL, NULL)),
+		 "{id:%,alias:%}",
+		 JSON_SCAN(json_to_pubkey, &exposesecret->our_node_id),
+		 JSON_SCAN_TAL(exposesecret, json_strdup, &exposesecret->our_node_alias));
+	return NULL;
+}
+
+static const struct plugin_command commands[] = {
+	{
+		"exposesecret",
+		json_exposesecret,
+	}
+};
+
+int main(int argc, char *argv[])
+{
+	setup_locale();
+
+	struct exposesecret *exposesecret = talz(NULL, struct exposesecret);
+	plugin_main(argv, init, take(exposesecret),
+		    PLUGIN_RESTARTABLE, true, NULL, commands, ARRAY_SIZE(commands),
+	            NULL, 0, NULL, 0, NULL, 0,
+		    plugin_option("exposesecret-passphrase", "string",
+				  "Enable exposesecret command to allow HSM Secret backup, with this passphrase",
+				  charp_option, NULL, &exposesecret->exposure_passphrase),
+		    NULL);
+}