Stateless verification of Invoice for Offer

jkczyz · jkczyz · commit aed58c43bc59 · 2023-02-13T16:39:28.000-06:00
Verify that an Invoice was produced from an InvoiceRequest constructed
by the payer using the payer metadata reflected in the Invoice.
The payer metadata consists of a 128-bit nonce and a 256-bit HMAC over
the nonce and InvoiceRequest TLV records (excluding the payer id).
Thus, the HMAC can be reproduced using the nonce and the ExpandedKey
used to produce the HMAC, and then checked against the metadata.
diff --git a/lightning/src/ln/inbound_payment.rs b/lightning/src/ln/inbound_payment.rs
@@ -14,7 +14,7 @@ use bitcoin::hashes::{Hash, HashEngine};
 use bitcoin::hashes::cmp::fixed_time_eq;
 use bitcoin::hashes::hmac::{Hmac, HmacEngine};
 use bitcoin::hashes::sha256::{Hash as Sha256, self};
-use bitcoin::secp256k1::{PublicKey, Secp256k1, SecretKey};
+use bitcoin::secp256k1::{KeyPair, Secp256k1};
 use crate::chain::keysinterface::{KeyMaterial, EntropySource};
 use crate::ln::{PaymentHash, PaymentPreimage, PaymentSecret};
 use crate::ln::msgs;
@@ -78,18 +78,18 @@ impl ExpandedKey {
 		hmac
 	}
 
-	/// Derives a pubkey using the given nonce for use as [`Offer::signing_pubkey`].
+	/// Derives keys using the given nonce for use with [`Offer::signing_pubkey`].
 	///
 	/// [`Offer::signing_pubkey`]: crate::offers::offer::Offer::signing_pubkey
 	#[allow(unused)]
-	pub(crate) fn signing_pubkey_for_offer(&self, nonce: Nonce) -> PublicKey {
+	pub(crate) fn signing_keypair_for_offer(&self, nonce: Nonce) -> KeyPair {
 		let mut engine = sha256::Hash::engine();
 		engine.input(&self.offers_base_key);
 		engine.input(&nonce.0);
 
-		let hash = sha256::Hash::from_engine(engine);
 		let secp_ctx = Secp256k1::new();
-		SecretKey::from_slice(&hash).unwrap().public_key(&secp_ctx)
+		let hash = sha256::Hash::from_engine(engine);
+		KeyPair::from_seckey_slice(&secp_ctx, &hash).unwrap()
 	}
 }
 
diff --git a/lightning/src/offers/invoice.rs b/lightning/src/offers/invoice.rs
@@ -106,9 +106,10 @@ use core::time::Duration;
 use crate::io;
 use crate::ln::PaymentHash;
 use crate::ln::features::{BlindedHopFeatures, Bolt12InvoiceFeatures};
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice_request::{InvoiceRequest, InvoiceRequestContents, InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, WithoutSignatures, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, WithoutSignatures, self};
 use crate::offers::offer::{Amount, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerTlvStream, PayerTlvStreamRef};
@@ -123,7 +124,7 @@ use std::time::SystemTime;
 
 const DEFAULT_RELATIVE_EXPIRY: Duration = Duration::from_secs(7200);
 
-const SIGNATURE_TAG: &'static str = concat!("lightning", "invoice", "signature");
+pub(super) const SIGNATURE_TAG: &'static str = concat!("lightning", "invoice", "signature");
 
 /// Builds an [`Invoice`] from either:
 /// - an [`InvoiceRequest`] for the "offer to be paid" flow or
@@ -463,8 +464,14 @@ impl Invoice {
 		self.signature
 	}
 
+	/// Verifies that the invoice was for a request or refund created using the given key.
+	#[allow(unused)]
+	pub(crate) fn verify(&self, key: &ExpandedKey) -> bool {
+		self.contents.verify(TlvStream::new(&self.bytes), key)
+	}
+
 	#[cfg(test)]
-	fn as_tlv_stream(&self) -> FullInvoiceTlvStreamRef {
+	pub(super) fn as_tlv_stream(&self) -> FullInvoiceTlvStreamRef {
 		let (payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream, invoice_tlv_stream) =
 			self.contents.as_tlv_stream();
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -506,6 +513,15 @@ impl InvoiceContents {
 		}
 	}
 
+	fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
+		match self {
+			InvoiceContents::ForOffer { invoice_request, .. } => {
+				invoice_request.verify(tlv_stream, key)
+			},
+			_ => todo!(),
+		}
+	}
+
 	fn as_tlv_stream(&self) -> PartialInvoiceTlvStreamRef {
 		let (payer, offer, invoice_request) = match self {
 			InvoiceContents::ForOffer { invoice_request, .. } => invoice_request.as_tlv_stream(),
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -64,10 +64,10 @@ use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, InvoiceBuilder};
 use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, self};
-use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
+use crate::offers::offer::{OFFER_TYPES, Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
-use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
-use crate::offers::signer::{MetadataMaterial, DerivedPubkey};
+use crate::offers::payer::{PAYER_METADATA_TYPE, PayerContents, PayerTlvStream, PayerTlvStreamRef};
+use crate::offers::signer::{MetadataMaterial, DerivedPubkey, self};
 use crate::onion_message::BlindedPath;
 use crate::util::ser::{HighZeroBytesDroppedBigSize, SeekReadable, WithoutLength, Writeable, Writer};
 use crate::util::string::PrintableString;
@@ -446,6 +446,20 @@ impl InvoiceRequestContents {
 		self.chain.unwrap_or_else(|| self.offer.implied_chain())
 	}
 
+	/// Verifies that the payer metadata was produced from the invoice request in the TLV stream.
+	pub(super) fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
+		let offer_records = tlv_stream.clone().range(OFFER_TYPES);
+		let invreq_records = tlv_stream.range(INVOICE_REQUEST_TYPES).filter(|record| {
+			match record.r#type {
+				PAYER_METADATA_TYPE => false, // Should be outside range
+				INVOICE_REQUEST_PAYER_ID_TYPE => false,
+				_ => true,
+			}
+		});
+		let tlv_stream = offer_records.chain(invreq_records);
+		signer::verify_metadata(&self.payer.0, key, tlv_stream)
+	}
+
 	pub(super) fn as_tlv_stream(&self) -> PartialInvoiceRequestTlvStreamRef {
 		let payer = PayerTlvStreamRef {
 			metadata: Some(&self.payer.0),
@@ -483,12 +497,20 @@ impl Writeable for InvoiceRequestContents {
 	}
 }
 
-tlv_stream!(InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef, 80..160, {
+/// Valid type range for invoice_request TLV records.
+const INVOICE_REQUEST_TYPES: core::ops::Range<u64> = 80..160;
+
+/// TLV record type for [`InvoiceRequest::payer_id`] and [`Refund::payer_id`].
+///
+/// [`Refund::payer_id`]: crate::offers::refund::Refund::payer_id
+const INVOICE_REQUEST_PAYER_ID_TYPE: u64 = 88;
+
+tlv_stream!(InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef, INVOICE_REQUEST_TYPES, {
 	(80, chain: ChainHash),
 	(82, amount: (u64, HighZeroBytesDroppedBigSize)),
 	(84, features: (InvoiceRequestFeatures, WithoutLength)),
 	(86, quantity: (u64, HighZeroBytesDroppedBigSize)),
-	(88, payer_id: PublicKey),
+	(INVOICE_REQUEST_PAYER_ID_TYPE, payer_id: PublicKey),
 	(89, payer_note: (String, WithoutLength)),
 });
 
@@ -597,12 +619,16 @@ mod tests {
 	use core::num::NonZeroU64;
 	#[cfg(feature = "std")]
 	use core::time::Duration;
+	use crate::chain::keysinterface::KeyMaterial;
 	use crate::ln::features::InvoiceRequestFeatures;
+	use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
+	use crate::offers::invoice::{Invoice, SIGNATURE_TAG as INVOICE_SIGNATURE_TAG};
 	use crate::offers::merkle::{SignError, SignatureTlvStreamRef, self};
 	use crate::offers::offer::{Amount, OfferBuilder, OfferTlvStreamRef, Quantity};
 	use crate::offers::parse::{ParseError, SemanticError};
 	use crate::offers::payer::PayerTlvStreamRef;
+	use crate::offers::signer::DerivedPubkey;
 	use crate::offers::test_utils::*;
 	use crate::util::ser::{BigSize, Writeable};
 	use crate::util::string::PrintableString;
@@ -695,6 +721,120 @@ mod tests {
 		}
 	}
 
+	#[test]
+	fn builds_invoice_request_with_metadata_derived() {
+		let expanded_key = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let nonce = Nonce([42; Nonce::LENGTH]);
+
+		let offer = OfferBuilder::new("foo".into(), recipient_pubkey())
+			.amount_msats(1000)
+			.build().unwrap();
+		let invoice_request = offer.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.metadata_derived(&expanded_key, nonce).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert_eq!(invoice_request.metadata()[..Nonce::LENGTH], nonce.0);
+		assert_eq!(invoice_request.payer_id(), payer_pubkey());
+
+		let invoice = invoice_request.respond_with_no_std(payment_paths(), payment_hash(), now())
+			.unwrap()
+			.build().unwrap()
+			.sign(recipient_sign).unwrap();
+		assert!(invoice.verify(&expanded_key));
+
+		let (
+			payer_tlv_stream, offer_tlv_stream, mut invoice_request_tlv_stream,
+			mut invoice_tlv_stream, mut signature_tlv_stream
+		) = invoice.as_tlv_stream();
+		invoice_request_tlv_stream.amount = Some(2000);
+		invoice_tlv_stream.amount = Some(2000);
+
+		let tlv_stream =
+			(payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream, invoice_tlv_stream);
+		let mut bytes = Vec::new();
+		tlv_stream.write(&mut bytes).unwrap();
+
+		let signature = merkle::sign_message(
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+		).unwrap();
+		signature_tlv_stream.signature = Some(&signature);
+
+		let mut encoded_invoice = bytes;
+		signature_tlv_stream.write(&mut encoded_invoice).unwrap();
+
+		let invoice = Invoice::try_from(encoded_invoice).unwrap();
+		assert!(!invoice.verify(&expanded_key));
+
+		match OfferBuilder::new("foo".into(), recipient_pubkey())
+			.build().unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.metadata_derived(&expanded_key, nonce).unwrap()
+			.metadata_derived(&expanded_key, nonce)
+		{
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, SemanticError::UnexpectedMetadata),
+		}
+	}
+
+	#[test]
+	fn builds_invoice_request_with_derived_payer_id() {
+		let expanded_key = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let nonce = Nonce([42; Nonce::LENGTH]);
+		let payer_pubkey = DerivedPubkey::new(&expanded_key, nonce);
+
+		let secp_ctx = Secp256k1::new();
+		let keys = expanded_key.signing_keypair_for_offer(nonce);
+
+		let offer = OfferBuilder::new("foo".into(), recipient_pubkey())
+			.amount_msats(1000)
+			.build().unwrap();
+		let invoice_request = offer.request_invoice_deriving_payer_id(payer_pubkey).unwrap()
+			.build().unwrap()
+			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.unwrap();
+		assert_eq!(invoice_request.metadata()[..Nonce::LENGTH], nonce.0);
+		assert_eq!(invoice_request.payer_id(), keys.public_key());
+
+		let invoice = invoice_request.respond_with_no_std(payment_paths(), payment_hash(), now())
+			.unwrap()
+			.build().unwrap()
+			.sign(recipient_sign).unwrap();
+		assert!(invoice.verify(&expanded_key));
+
+		let (
+			payer_tlv_stream, offer_tlv_stream, mut invoice_request_tlv_stream,
+			mut invoice_tlv_stream, mut signature_tlv_stream
+		) = invoice.as_tlv_stream();
+		invoice_request_tlv_stream.amount = Some(2000);
+		invoice_tlv_stream.amount = Some(2000);
+
+		let tlv_stream =
+			(payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream, invoice_tlv_stream);
+		let mut bytes = Vec::new();
+		tlv_stream.write(&mut bytes).unwrap();
+
+		let signature = merkle::sign_message(
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+		).unwrap();
+		signature_tlv_stream.signature = Some(&signature);
+
+		let mut encoded_invoice = bytes;
+		signature_tlv_stream.write(&mut encoded_invoice).unwrap();
+
+		let invoice = Invoice::try_from(encoded_invoice).unwrap();
+		assert!(!invoice.verify(&expanded_key));
+
+		let payer_pubkey = DerivedPubkey::new(&expanded_key, nonce);
+		match OfferBuilder::new("foo".into(), recipient_pubkey())
+			.build().unwrap()
+			.request_invoice_deriving_payer_id(payer_pubkey).unwrap()
+			.metadata_derived(&expanded_key, nonce)
+		{
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, SemanticError::UnexpectedMetadata),
+		}
+	}
+
 	#[test]
 	fn builds_invoice_request_with_chain() {
 		let mainnet = ChainHash::using_genesis_block(Network::Bitcoin);
diff --git a/lightning/src/offers/merkle.rs b/lightning/src/offers/merkle.rs
@@ -143,6 +143,7 @@ fn tagged_branch_hash_from_engine(
 
 /// [`Iterator`] over a sequence of bytes yielding [`TlvRecord`]s. The input is assumed to be a
 /// well-formed TLV stream.
+#[derive(Clone)]
 pub(super) struct TlvStream<'a> {
 	data: io::Cursor<&'a [u8]>,
 }
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -669,7 +669,7 @@ impl Quantity {
 }
 
 /// Valid type range for offer TLV records.
-const OFFER_TYPES: core::ops::Range<u64> = 1..80;
+pub(super) const OFFER_TYPES: core::ops::Range<u64> = 1..80;
 
 /// TLV record type for [`Offer::metadata`].
 const OFFER_METADATA_TYPE: u64 = 4;
@@ -932,13 +932,14 @@ mod tests {
 	fn builds_offer_with_derived_signing_pubkey() {
 		let expanded_key = ExpandedKey::new(&KeyMaterial([42; 32]));
 		let nonce = Nonce([42; Nonce::LENGTH]);
+		let keys = expanded_key.signing_keypair_for_offer(nonce);
 
 		let recipient_pubkey = DerivedPubkey::new(&expanded_key, nonce);
 		let offer = OfferBuilder::deriving_signing_pubkey("foo".into(), recipient_pubkey)
 			.amount_msats(1000)
 			.build().unwrap();
 		assert_eq!(offer.metadata().unwrap()[..Nonce::LENGTH], nonce.0);
-		assert_eq!(offer.signing_pubkey(), expanded_key.signing_pubkey_for_offer(nonce));
+		assert_eq!(offer.signing_pubkey(), keys.public_key());
 
 		let invoice_request = offer.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
 			.build().unwrap()
diff --git a/lightning/src/offers/payer.rs b/lightning/src/offers/payer.rs
@@ -20,6 +20,12 @@ use crate::prelude::*;
 #[derive(Clone, Debug, PartialEq)]
 pub(super) struct PayerContents(pub Vec<u8>);
 
+/// TLV record type for [`InvoiceRequest::metadata`] and [`Refund::metadata`].
+///
+/// [`InvoiceRequest::metadata`]: crate::offers::invoice_request::InvoiceRequest::metadata
+/// [`Refund::metadata`]: crate::offers::refund::Refund::metadata
+pub(super) const PAYER_METADATA_TYPE: u64 = 0;
+
 tlv_stream!(PayerTlvStream, PayerTlvStreamRef, 0..1, {
-	(0, metadata: (Vec<u8>, WithoutLength)),
+	(PAYER_METADATA_TYPE, metadata: (Vec<u8>, WithoutLength)),
 });
diff --git a/lightning/src/offers/signer.rs b/lightning/src/offers/signer.rs
@@ -30,7 +30,7 @@ pub(crate) struct DerivedPubkey {
 impl DerivedPubkey {
 	pub(crate) fn new(expanded_key: &ExpandedKey, nonce: Nonce) -> Self {
 		Self {
-			public_key: expanded_key.signing_pubkey_for_offer(nonce),
+			public_key: expanded_key.signing_keypair_for_offer(nonce).public_key(),
 			metadata_material: MetadataMaterial::new(nonce, expanded_key),
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,7 @@ fn tagged_branch_hash_from_engine(`
`143`	`143`
`144`	`144`	/// [`Iterator`] over a sequence of bytes yielding [`TlvRecord`]s. The input is assumed to be a
`145`	`145`	`/// well-formed TLV stream.`
	`146`	`+#[derive(Clone)]`
`146`	`147`	`pub(super) struct TlvStream<'a> {`
`147`	`148`	`data: io::Cursor<&'a [u8]>,`
`148`	`149`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ pub(crate) struct DerivedPubkey {`
`30`	`30`	`impl DerivedPubkey {`
`31`	`31`	`pub(crate) fn new(expanded_key: &ExpandedKey, nonce: Nonce) -> Self {`
`32`	`32`	`Self {`
`33`		`- public_key: expanded_key.signing_pubkey_for_offer(nonce),`
	`33`	`+ public_key: expanded_key.signing_keypair_for_offer(nonce).public_key(),`
`34`	`34`	`metadata_material: MetadataMaterial::new(nonce, expanded_key),`
`35`	`35`	`}`
`36`	`36`	`}`