Add more parameters to BOLT 12 signing function

jkczyz · jkczyz · commit 226dbf9cea0a · 2023-03-02T09:33:33.000-06:00
The function used to sign BOLT 12 messages only takes a message digest.
This doesn't allow signers to independently verify the message before
signing nor does it allow them to derive the necessary signing keys, if
they had been derived. Include additional parameters to support these
use cases.
diff --git a/fuzz/src/invoice_request_deser.rs b/fuzz/src/invoice_request_deser.rs
@@ -38,15 +38,15 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 			if signing_pubkey == odd_pubkey || signing_pubkey == even_pubkey {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 					)
 					.unwrap()
 					.write(&mut buffer)
 					.unwrap();
 			} else {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 					)
 					.unwrap_err();
 			}
diff --git a/fuzz/src/offer_deser.rs b/fuzz/src/offer_deser.rs
@@ -30,7 +30,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice_request) = build_response(&offer, pubkey) {
 			invoice_request
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)
diff --git a/fuzz/src/refund_deser.rs b/fuzz/src/refund_deser.rs
@@ -34,7 +34,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) {
 			invoice
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)
diff --git a/lightning/src/offers/invoice.rs b/lightning/src/offers/invoice.rs
@@ -55,7 +55,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -84,7 +84,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -277,7 +277,7 @@ impl<'a> UnsignedInvoice<'a> {
 	/// Signs the invoice using the given function.
 	pub fn sign<F, E>(self, sign: F) -> Result<Invoice, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 	{
 		// Use the invoice_request bytes instead of the invoice_request TLV stream as the latter may
 		// have contained unknown TLV records, which are not stored in `InvoiceRequestContents` or
@@ -289,8 +289,9 @@ impl<'a> UnsignedInvoice<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let metadata = self.invoice.metadata();
 		let pubkey = self.invoice.fields().signing_pubkey;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -489,6 +490,13 @@ impl Invoice {
 }
 
 impl InvoiceContents {
+	fn metadata(&self) -> &[u8] {
+		match self {
+			InvoiceContents::ForOffer { invoice_request, .. } => invoice_request.metadata(),
+			InvoiceContents::ForRefund { refund, .. } => refund.metadata(),
+		}
+	}
+
 	/// Whether the original offer or refund has expired.
 	#[cfg(feature = "std")]
 	fn is_offer_or_refund_expired(&self) -> bool {
@@ -1212,7 +1220,7 @@ mod tests {
 			.sign(payer_sign).unwrap()
 			.respond_with_no_std(payment_paths(), payment_hash(), now()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _, _, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -44,7 +44,7 @@
 //!     .quantity(5)?
 //!     .payer_note("foo".to_string())
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -268,7 +268,7 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 	/// Signs the invoice request using the given function.
 	pub fn sign<F, E>(self, sign: F) -> Result<InvoiceRequest, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 	{
 		// Use the offer bytes instead of the offer TLV stream as the offer may have contained
 		// unknown TLV records, which are not stored in `OfferContents`.
@@ -280,8 +280,9 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let metadata = self.offer.metadata().map(|metadata| metadata.as_slice()).unwrap_or(&[]);
 		let pubkey = self.invoice_request.payer_id;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -332,7 +333,7 @@ impl InvoiceRequest {
 	///
 	/// [`payer_id`]: Self::payer_id
 	pub fn metadata(&self) -> &[u8] {
-		&self.contents.payer.0[..]
+		self.contents.metadata()
 	}
 
 	/// A chain from [`Offer::chains`] that the offer is valid for.
@@ -442,6 +443,10 @@ impl InvoiceRequest {
 }
 
 impl InvoiceRequestContents {
+	pub(super) fn metadata(&self) -> &[u8] {
+		&self.payer.0
+	}
+
 	pub(super) fn chain(&self) -> ChainHash {
 		self.chain.unwrap_or_else(|| self.offer.implied_chain())
 	}
@@ -755,7 +760,8 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, invoice_request.metadata(),
+			recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -790,7 +796,9 @@ mod tests {
 			.build().unwrap();
 		let invoice_request = offer.request_invoice_deriving_payer_id(payer_pubkey).unwrap()
 			.build().unwrap()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			)
 			.unwrap();
 		assert_eq!(invoice_request.metadata()[..Nonce::LENGTH], nonce.0);
 		assert_eq!(invoice_request.payer_id(), keys.public_key());
@@ -814,7 +822,8 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, invoice_request.metadata(),
+			recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -1164,7 +1173,7 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _, _, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),
@@ -1578,7 +1587,9 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], keys.public_key()).unwrap()
 			.build().unwrap()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			)
 			.unwrap();
 
 		let mut encoded_invoice_request = Vec::new();
diff --git a/lightning/src/offers/merkle.rs b/lightning/src/offers/merkle.rs
@@ -36,15 +36,18 @@ pub enum SignError<E> {
 /// Signs a message digest consisting of a tagged hash of the given bytes, checking if it can be
 /// verified with the supplied pubkey.
 ///
+/// `metadata` is either the payer or offer metadata, depending on the message type and origin, and
+/// may be used by `sign` to derive the signing keys.
+///
 /// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record.
 pub(super) fn sign_message<F, E>(
-	sign: F, tag: &str, bytes: &[u8], pubkey: PublicKey,
+	sign: F, tag: &str, bytes: &[u8], metadata: &[u8], pubkey: PublicKey,
 ) -> Result<Signature, SignError<E>>
 where
-	F: FnOnce(&Message) -> Result<Signature, E>
+	F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 {
 	let digest = message_digest(tag, bytes);
-	let signature = sign(&digest).map_err(|e| SignError::Signing(e))?;
+	let signature = sign(&digest, tag, bytes, metadata).map_err(|e| SignError::Signing(e))?;
 
 	let pubkey = pubkey.into();
 	let secp_ctx = Secp256k1::verification_only();
@@ -270,7 +273,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 		assert_eq!(
 			invoice_request.to_string(),
@@ -299,7 +304,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 
 		let mut bytes_without_signature = Vec::new();
@@ -329,7 +336,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 
 		let tlv_stream = TlvStream::new(&invoice_request.bytes).range(0..1)
diff --git a/lightning/src/offers/refund.rs b/lightning/src/offers/refund.rs
@@ -340,7 +340,7 @@ impl Refund {
 	///
 	/// [`payer_id`]: Self::payer_id
 	pub fn metadata(&self) -> &[u8] {
-		&self.contents.payer.0
+		self.contents.metadata()
 	}
 
 	/// A chain that the refund is valid for.
@@ -454,6 +454,10 @@ impl RefundContents {
 		}
 	}
 
+	pub(super) fn metadata(&self) -> &[u8] {
+		&self.payer.0
+	}
+
 	pub(super) fn chain(&self) -> ChainHash {
 		self.chain.unwrap_or_else(|| self.implied_chain())
 	}
diff --git a/lightning/src/offers/test_utils.rs b/lightning/src/offers/test_utils.rs
@@ -23,7 +23,9 @@ pub(super) fn payer_keys() -> KeyPair {
 	KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap())
 }
 
-pub(super) fn payer_sign(digest: &Message) -> Result<Signature, Infallible> {
+pub(super) fn payer_sign(
+	digest: &Message, tag: &str, bytes: &[u8], metadata: &[u8]
+) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
 	Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
@@ -38,7 +40,9 @@ pub(super) fn recipient_keys() -> KeyPair {
 	KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap())
 }
 
-pub(super) fn recipient_sign(digest: &Message) -> Result<Signature, Infallible> {
+pub(super) fn recipient_sign(
+	digest: &Message, tag: &str, bytes: &[u8], metadata: &[u8]
+) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap());
 	Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))

Original file line number	Diff line number	Diff line change
`@@ -38,15 +38,15 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {`
`38`	`38`	`if signing_pubkey == odd_pubkey \|\| signing_pubkey == even_pubkey {`
`39`	`39`	`unsigned_invoice`
`40`	`40`	`.sign::<_, Infallible>(`
`41`		`- \|digest\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
	`41`	`+ \|digest, _, _, _\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
`42`	`42`	`)`
`43`	`43`	`.unwrap()`
`44`	`44`	`.write(&mut buffer)`
`45`	`45`	`.unwrap();`
`46`	`46`	`} else {`
`47`	`47`	`unsigned_invoice`
`48`	`48`	`.sign::<_, Infallible>(`
`49`		`- \|digest\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
	`49`	`+ \|digest, _, _, _\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
`50`	`50`	`)`
`51`	`51`	`.unwrap_err();`
`52`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {`
`30`	`30`	`if let Ok(invoice_request) = build_response(&offer, pubkey) {`
`31`	`31`	`invoice_request`
`32`	`32`	`.sign::<_, Infallible>(`
`33`		`- \|digest\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
	`33`	`+ \|digest, _, _, _\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
`34`	`34`	`)`
`35`	`35`	`.unwrap()`
`36`	`36`	`.write(&mut buffer)`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {`
`34`	`34`	`if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) {`
`35`	`35`	`invoice`
`36`	`36`	`.sign::<_, Infallible>(`
`37`		`- \|digest\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
	`37`	`+ \|digest, _, _, _\| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))`
`38`	`38`	`)`
`39`	`39`	`.unwrap()`
`40`	`40`	`.write(&mut buffer)`
Original file line number	Diff line number	Diff line change
`@@ -340,7 +340,7 @@ impl Refund {`
`340`	`340`	`///`
`341`	`341`	/// [`payer_id`]: Self::payer_id
`342`	`342`	`pub fn metadata(&self) -> &[u8] {`
`343`		`- &self.contents.payer.0`
	`343`	`+ self.contents.metadata()`
`344`	`344`	`}`
`345`	`345`
`346`	`346`	`/// A chain that the refund is valid for.`
`@@ -454,6 +454,10 @@ impl RefundContents {`
`454`	`454`	`}`
`455`	`455`	`}`
`456`	`456`
	`457`	`+ pub(super) fn metadata(&self) -> &[u8] {`
	`458`	`+ &self.payer.0`
	`459`	`+ }`
	`460`	`+`
`457`	`461`	`pub(super) fn chain(&self) -> ChainHash {`
`458`	`462`	`self.chain.unwrap_or_else(\|\| self.implied_chain())`
`459`	`463`	`}`