Separate bytes for experimental TLVs

When constructing UnsignedInvoiceRequest or UnsignedBolt12Invoice, use a
separate field for experimental TLV bytes. This allows for properly
inserting the signature TLVs before the experimental TLVs when signing.

Author: jkczyz

lightning/src/offers/invoice.rs

@@ -122,7 +122,7 @@ use crate::offers::invoice_macros::{invoice_accessors_common, invoice_builder_me
 #[cfg(test)]
 use crate::offers::invoice_macros::invoice_builder_methods_test;
 use crate::offers::invoice_request::{INVOICE_REQUEST_PAYER_ID_TYPE, INVOICE_REQUEST_TYPES, IV_BYTES as INVOICE_REQUEST_IV_BYTES, InvoiceRequest, InvoiceRequestContents, InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef};
-use crate::offers::merkle::{SignError, SignFn, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, TlvStream, WithoutSignatures, self};
+use crate::offers::merkle::{SignError, SignFn, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, TlvStream, self};
 use crate::offers::nonce::Nonce;
 use crate::offers::offer::{Amount, OFFER_TYPES, OfferTlvStream, OfferTlvStreamRef, Quantity};
 use crate::offers::parse::{Bolt12ParseError, Bolt12SemanticError, ParsedMessage};
@@ -461,6 +461,7 @@ for InvoiceBuilder<'a, DerivedSigningPubkey> {
 #[derive(Clone)]
 pub struct UnsignedBolt12Invoice {
 	bytes: Vec<u8>,
+	experimental_bytes: Vec<u8>,
 	contents: InvoiceContents,
 	tagged_hash: TaggedHash,
 }
@@ -491,19 +492,32 @@ where
 
 impl UnsignedBolt12Invoice {
 	fn new(invreq_bytes: &[u8], contents: InvoiceContents) -> Self {
+		const NON_EXPERIMENTAL_TYPES: core::ops::Range<u64> = 0..INVOICE_REQUEST_TYPES.end;
+		const EXPERIMENTAL_TYPES: core::ops::Range<u64> = 0..0;
+
+		let mut bytes = Vec::new();
+
 		// Use the invoice_request bytes instead of the invoice_request TLV stream as the latter may
 		// have contained unknown TLV records, which are not stored in `InvoiceRequestContents` or
 		// `RefundContents`.
+		for record in TlvStream::new(invreq_bytes).range(NON_EXPERIMENTAL_TYPES) {
+			record.write(&mut bytes).unwrap();
+		}
+
 		let (_, _, _, invoice_tlv_stream) = contents.as_tlv_stream();
-		let invoice_request_bytes = WithoutSignatures(invreq_bytes);
-		let unsigned_tlv_stream = (invoice_request_bytes, invoice_tlv_stream);
 
-		let mut bytes = Vec::new();
-		unsigned_tlv_stream.write(&mut bytes).unwrap();
+		invoice_tlv_stream.write(&mut bytes).unwrap();
 
-		let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
+		let mut experimental_bytes = Vec::new();
 
-		Self { bytes, contents, tagged_hash }
+		for record in TlvStream::new(invreq_bytes).range(EXPERIMENTAL_TYPES) {
+			record.write(&mut experimental_bytes).unwrap();
+		}
+
+		let tlv_stream = TlvStream::new(&bytes).chain(TlvStream::new(&experimental_bytes));
+		let tagged_hash = TaggedHash::from_tlv_stream(SIGNATURE_TAG, tlv_stream);
+
+		Self { bytes, experimental_bytes, contents, tagged_hash }
 	}
 
 	/// Returns the [`TaggedHash`] of the invoice to sign.
@@ -528,6 +542,9 @@ macro_rules! unsigned_invoice_sign_method { ($self: ident, $self_type: ty $(, $s
 		};
 		signature_tlv_stream.write(&mut $self.bytes).unwrap();
 
+		// Append the experimental bytes after the signature.
+		WithoutLength(&$self.experimental_bytes).write(&mut $self.bytes).unwrap();
+
 		Ok(Bolt12Invoice {
 			#[cfg(not(c_bindings))]
 			bytes: $self.bytes,
@@ -1211,7 +1228,7 @@ impl TryFrom<Vec<u8>> for UnsignedBolt12Invoice {
 
 	fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
 		let invoice = ParsedMessage::<PartialInvoiceTlvStream>::try_from(bytes)?;
-		let ParsedMessage { bytes, tlv_stream } = invoice;
+		let ParsedMessage { mut bytes, tlv_stream } = invoice;
 		let (
 			payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream, invoice_tlv_stream,
 		) = tlv_stream;
@@ -1221,7 +1238,14 @@ impl TryFrom<Vec<u8>> for UnsignedBolt12Invoice {
 
 		let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
 
-		Ok(UnsignedBolt12Invoice { bytes, contents, tagged_hash })
+		let mut offset = 0;
+		for tlv_record in TlvStream::new(&bytes).range(0..INVOICE_TYPES.end) {
+			offset = tlv_record.end;
+		}
+
+		let experimental_bytes = bytes.split_off(offset);
+
+		Ok(UnsignedBolt12Invoice { bytes, experimental_bytes, contents, tagged_hash })
 	}
 }
 

lightning/src/offers/invoice_request.rs

@@ -69,9 +69,9 @@ use crate::ln::channelmanager::PaymentId;
 use crate::ln::features::InvoiceRequestFeatures;
 use crate::ln::inbound_payment::{ExpandedKey, IV_LEN};
 use crate::ln::msgs::DecodeError;
-use crate::offers::merkle::{SignError, SignFn, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, self};
+use crate::offers::merkle::{SignError, SignFn, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, TlvStream, self};
 use crate::offers::nonce::Nonce;
-use crate::offers::offer::{Offer, OfferContents, OfferId, OfferTlvStream, OfferTlvStreamRef};
+use crate::offers::offer::{OFFER_TYPES, Offer, OfferContents, OfferId, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{Bolt12ParseError, ParsedMessage, Bolt12SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
 use crate::offers::signer::{Metadata, MetadataMaterial};
@@ -488,6 +488,7 @@ for InvoiceRequestBuilder<'a, 'b, DerivedPayerSigningPubkey, secp256k1::All> {
 #[derive(Clone)]
 pub struct UnsignedInvoiceRequest {
 	bytes: Vec<u8>,
+	experimental_bytes: Vec<u8>,
 	contents: InvoiceRequestContents,
 	tagged_hash: TaggedHash,
 }
@@ -518,19 +519,33 @@ where
 
 impl UnsignedInvoiceRequest {
 	fn new(offer: &Offer, contents: InvoiceRequestContents) -> Self {
+		let mut bytes = Vec::new();
+
 		// Use the offer bytes instead of the offer TLV stream as the offer may have contained
 		// unknown TLV records, which are not stored in `OfferContents`.
-		let (payer_tlv_stream, _offer_tlv_stream, invoice_request_tlv_stream) =
-			contents.as_tlv_stream();
-		let offer_bytes = WithoutLength(&offer.bytes);
-		let unsigned_tlv_stream = (payer_tlv_stream, offer_bytes, invoice_request_tlv_stream);
+		let (
+			payer_tlv_stream, _offer_tlv_stream, invoice_request_tlv_stream,
+		) = contents.as_tlv_stream();
 
-		let mut bytes = Vec::new();
-		unsigned_tlv_stream.write(&mut bytes).unwrap();
+		payer_tlv_stream.write(&mut bytes).unwrap();
 
-		let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
+		for record in TlvStream::new(&offer.bytes).range(OFFER_TYPES) {
+			record.write(&mut bytes).unwrap();
+		}
+
+		invoice_request_tlv_stream.write(&mut bytes).unwrap();
+
+		const EXPERIMENTAL_OFFER_TYPES: core::ops::Range<u64> = 0..0;
+		let mut experimental_bytes = Vec::new();
 
-		Self { bytes, contents, tagged_hash }
+		for record in TlvStream::new(&offer.bytes).range(EXPERIMENTAL_OFFER_TYPES) {
+			record.write(&mut experimental_bytes).unwrap();
+		}
+
+		let tlv_stream = TlvStream::new(&bytes).chain(TlvStream::new(&experimental_bytes));
+		let tagged_hash = TaggedHash::from_tlv_stream(SIGNATURE_TAG, tlv_stream);
+
+		Self { bytes, experimental_bytes, contents, tagged_hash }
 	}
 
 	/// Returns the [`TaggedHash`] of the invoice to sign.
@@ -557,6 +572,9 @@ macro_rules! unsigned_invoice_request_sign_method { (
 		};
 		signature_tlv_stream.write(&mut $self.bytes).unwrap();
 
+		// Append the experimental bytes after the signature.
+		WithoutLength(&$self.experimental_bytes).write(&mut $self.bytes).unwrap();
+
 		Ok(InvoiceRequest {
 			#[cfg(not(c_bindings))]
 			bytes: $self.bytes,
@@ -1106,7 +1124,7 @@ impl TryFrom<Vec<u8>> for UnsignedInvoiceRequest {
 
 	fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
 		let invoice_request = ParsedMessage::<PartialInvoiceRequestTlvStream>::try_from(bytes)?;
-		let ParsedMessage { bytes, tlv_stream } = invoice_request;
+		let ParsedMessage { mut bytes, tlv_stream } = invoice_request;
 		let (
 			payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream,
 		) = tlv_stream;
@@ -1116,7 +1134,14 @@ impl TryFrom<Vec<u8>> for UnsignedInvoiceRequest {
 
 		let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
 
-		Ok(UnsignedInvoiceRequest { bytes, contents, tagged_hash })
+		let mut offset = 0;
+		for tlv_record in TlvStream::new(&bytes).range(0..INVOICE_REQUEST_TYPES.end) {
+			offset = tlv_record.end;
+		}
+
+		let experimental_bytes = bytes.split_off(offset);
+
+		Ok(UnsignedInvoiceRequest { bytes, experimental_bytes, contents, tagged_hash })
 	}
 }
 

lightning/src/offers/merkle.rs

@@ -164,7 +164,7 @@ fn root_hash<'a, I: core::iter::Iterator<Item = TlvRecord<'a>>>(tlv_stream: I) -
 	let branch_tag = tagged_hash_engine(sha256::Hash::hash("LnBranch".as_bytes()));
 
 	let mut leaves = Vec::new();
-	for record in TlvStream::skip_signatures(tlv_stream) {
+	for record in tlv_stream.filter(|record| !SIGNATURE_TYPES.contains(&record.r#type)) {
 		leaves.push(tagged_hash_from_engine(leaf_tag.clone(), &record.record_bytes));
 		leaves.push(tagged_hash_from_engine(nonce_tag.clone(), &record.type_bytes));
 	}
@@ -240,12 +240,6 @@ impl<'a> TlvStream<'a> {
 		self.skip_while(move |record| !types.contains(&record.r#type))
 			.take_while(move |record| take_range.contains(&record.r#type))
 	}
-
-	fn skip_signatures(
-		tlv_stream: impl core::iter::Iterator<Item = TlvRecord<'a>>
-	) -> impl core::iter::Iterator<Item = TlvRecord<'a>> {
-		tlv_stream.filter(|record| !SIGNATURE_TYPES.contains(&record.r#type))
-	}
 }
 
 /// A slice into a [`TlvStream`] for a record.
@@ -254,6 +248,7 @@ pub(super) struct TlvRecord<'a> {
 	type_bytes: &'a [u8],
 	// The entire TLV record.
 	pub(super) record_bytes: &'a [u8],
+	pub(super) end: usize,
 }
 
 impl<'a> Iterator for TlvStream<'a> {
@@ -276,32 +271,23 @@ impl<'a> Iterator for TlvStream<'a> {
 
 			self.data.set_position(end);
 
-			Some(TlvRecord { r#type, type_bytes, record_bytes })
+			Some(TlvRecord { r#type, type_bytes, record_bytes, end: end as usize })
 		} else {
 			None
 		}
 	}
 }
 
-/// Encoding for a pre-serialized TLV stream that excludes any signature TLV records.
-///
-/// Panics if the wrapped bytes are not a well-formed TLV stream.
-pub(super) struct WithoutSignatures<'a>(pub &'a [u8]);
-
-impl<'a> Writeable for WithoutSignatures<'a> {
+impl<'a> Writeable for TlvRecord<'a> {
 	#[inline]
 	fn write<W: Writer>(&self, writer: &mut W) -> Result<(), io::Error> {
-		let tlv_stream = TlvStream::new(self.0);
-		for record in TlvStream::skip_signatures(tlv_stream) {
-			writer.write_all(record.record_bytes)?;
-		}
-		Ok(())
+		writer.write_all(self.record_bytes)
 	}
 }
 
 #[cfg(test)]
 mod tests {
-	use super::{SIGNATURE_TYPES, TlvStream, WithoutSignatures};
+	use super::{SIGNATURE_TYPES, TlvStream};
 
 	use bitcoin::hashes::{Hash, sha256};
 	use bitcoin::hex::FromHex;
@@ -411,7 +397,11 @@ mod tests {
 			.unwrap();
 
 		let mut bytes_without_signature = Vec::new();
-		WithoutSignatures(&invoice_request.bytes).write(&mut bytes_without_signature).unwrap();
+		let tlv_stream_without_signatures = TlvStream::new(&invoice_request.bytes)
+			.filter(|record| !SIGNATURE_TYPES.contains(&record.r#type));
+		for record in tlv_stream_without_signatures {
+			record.write(&mut bytes_without_signature).unwrap();
+		}
 
 		assert_ne!(bytes_without_signature, invoice_request.bytes);
 		assert_eq!(

lightning/src/offers/static_invoice.rs

@@ -170,6 +170,7 @@ impl<'a> StaticInvoiceBuilder<'a> {
 /// A semantically valid [`StaticInvoice`] that hasn't been signed.
 pub struct UnsignedStaticInvoice {
 	bytes: Vec<u8>,
+	experimental_bytes: Vec<u8>,
 	contents: InvoiceContents,
 	tagged_hash: TaggedHash,
 }
@@ -275,16 +276,30 @@ macro_rules! invoice_accessors_signing_pubkey {
 
 impl UnsignedStaticInvoice {
 	fn new(offer_bytes: &Vec<u8>, contents: InvoiceContents) -> Self {
-		let (_, invoice_tlv_stream) = contents.as_tlv_stream();
-		let offer_bytes = WithoutLength(offer_bytes);
-		let unsigned_tlv_stream = (offer_bytes, invoice_tlv_stream);
+		const NON_EXPERIMENTAL_TYPES: core::ops::Range<u64> = OFFER_TYPES;
+		const EXPERIMENTAL_TYPES: core::ops::Range<u64> = 0..0;
 
 		let mut bytes = Vec::new();
-		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
-		let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
+		// Use the offer bytes instead of the offer TLV stream as the latter may have contained
+		// unknown TLV records, which are not stored in `InvoiceContents`.
+		for record in TlvStream::new(offer_bytes).range(NON_EXPERIMENTAL_TYPES) {
+			record.write(&mut bytes).unwrap();
+		}
+
+		let (_, invoice_tlv_stream) = contents.as_tlv_stream();
+		invoice_tlv_stream.write(&mut bytes).unwrap();
 
-		Self { contents, tagged_hash, bytes }
+		let mut experimental_bytes = Vec::new();
+
+		for record in TlvStream::new(offer_bytes).range(EXPERIMENTAL_TYPES) {
+			record.write(&mut experimental_bytes).unwrap();
+		}
+
+		let tlv_stream = TlvStream::new(&bytes).chain(TlvStream::new(&experimental_bytes));
+		let tagged_hash = TaggedHash::from_tlv_stream(SIGNATURE_TAG, tlv_stream);
+
+		Self { bytes, experimental_bytes, contents, tagged_hash }
 	}
 
 	/// Signs the [`TaggedHash`] of the invoice using the given function.
@@ -298,6 +313,9 @@ impl UnsignedStaticInvoice {
 		let signature_tlv_stream = SignatureTlvStreamRef { signature: Some(&signature) };
 		signature_tlv_stream.write(&mut self.bytes).unwrap();
 
+		// Append the experimental bytes after the signature.
+		WithoutLength(&self.experimental_bytes).write(&mut self.bytes).unwrap();
+
 		Ok(StaticInvoice { bytes: self.bytes, contents: self.contents, signature })
 	}