WIP: Offer stateless verification

jkczyz · jkczyz · commit db77daabae1e · 2023-01-30T15:44:45.000-06:00
diff --git a/lightning/src/ln/inbound_payment.rs b/lightning/src/ln/inbound_payment.rs
@@ -63,6 +63,15 @@ impl ExpandedKey {
 			user_pmt_hash_key,
 		}
 	}
+
+	/// Returns an [`HmacEngine`] used to construct [`Offer::metadata`].
+	///
+	/// [`Offer::metadata`]: crate::offers::offer::Offer::metadata
+	pub(crate) fn hmac_for_offer(&self) -> HmacEngine<Sha256> {
+		let mut hmac = HmacEngine::<Sha256>::new(&self.ldk_pmt_hash_key);
+		//hmac.input(&entropy_source.get_secure_random_bytes());
+		hmac
+	}
 }
 
 enum Method {
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -60,9 +60,10 @@ use core::convert::TryFrom;
 use crate::io;
 use crate::ln::PaymentHash;
 use crate::ln::features::InvoiceRequestFeatures;
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, InvoiceBuilder};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, self};
 use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
@@ -322,6 +323,11 @@ impl InvoiceRequest {
 		self.signature
 	}
 
+	/// Verifies that the request was for an offer created using the given key.
+	pub(crate) fn verify(&self, key: &ExpandedKey) -> bool {
+		self.contents.offer.verify(TlvStream::new(&self.bytes), key)
+	}
+
 	/// Creates an [`Invoice`] for the request with the given required fields.
 	///
 	/// Unless [`InvoiceBuilder::relative_expiry`] is set, the invoice will expire two hours after
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -67,6 +67,9 @@
 //! ```
 
 use bitcoin::blockdata::constants::ChainHash;
+use bitcoin::hashes::{Hash, HashEngine};
+use bitcoin::hashes::hmac::{Hmac, HmacEngine};
+use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::network::constants::Network;
 use bitcoin::secp256k1::PublicKey;
 use core::convert::TryFrom;
@@ -75,8 +78,10 @@ use core::str::FromStr;
 use core::time::Duration;
 use crate::io;
 use crate::ln::features::OfferFeatures;
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::offers::invoice_request::InvoiceRequestBuilder;
+use crate::offers::merkle::TlvStream;
 use crate::offers::parse::{Bech32Encode, ParseError, ParsedMessage, SemanticError};
 use crate::onion_message::BlindedPath;
 use crate::util::ser::{HighZeroBytesDroppedBigSize, WithoutLength, Writeable, Writer};
@@ -94,6 +99,7 @@ use std::time::SystemTime;
 /// [module-level documentation]: self
 pub struct OfferBuilder {
 	offer: OfferContents,
+	hmac: Option<HmacEngine<Sha256>>,
 }
 
 impl OfferBuilder {
@@ -108,7 +114,7 @@ impl OfferBuilder {
 			features: OfferFeatures::empty(), absolute_expiry: None, issuer: None, paths: None,
 			supported_quantity: Quantity::One, signing_pubkey,
 		};
-		OfferBuilder { offer }
+		OfferBuilder { offer, hmac: None }
 	}
 
 	/// Adds the chain hash of the given [`Network`] to [`Offer::chains`]. If not called,
@@ -127,11 +133,24 @@ impl OfferBuilder {
 		self
 	}
 
-	/// Sets the [`Offer::metadata`].
+	/// Sets the [`Offer::metadata`] to the given bytes.
 	///
-	/// Successive calls to this method will override the previous setting.
+	/// Successive calls to this method will override the previous setting and any previous calls to
+	/// [`OfferBuilder::metadata_derived`].
 	pub fn metadata(mut self, metadata: Vec<u8>) -> Self {
 		self.offer.metadata = Some(metadata);
+		self.hmac = None;
+		self
+	}
+
+	/// Sets the [`Offer::metadata`] derived from the given `key` and any fields set prior to
+	/// calling [`OfferBuilder::build`].
+	///
+	/// Successive calls to this method will override the previous setting and any previous calls to
+	/// [`OfferBuilder::metadata`].
+	pub fn metadata_derived(mut self, key: &ExpandedKey) -> Self {
+		self.offer.metadata = None;
+		self.hmac = Some(key.hmac_for_offer());
 		self
 	}
 
@@ -204,6 +223,11 @@ impl OfferBuilder {
 			}
 		}
 
+		if let Some(mut hmac) = self.hmac {
+			self.offer.write(&mut hmac).unwrap();
+			self.offer.metadata = Some(Hmac::from_engine(hmac).into_inner().to_vec());
+		}
+
 		let mut bytes = Vec::new();
 		self.offer.write(&mut bytes).unwrap();
 
@@ -482,6 +506,26 @@ impl OfferContents {
 		self.signing_pubkey
 	}
 
+	/// Verifies that the offer metadata was produced from the offer in the TLV stream.
+	pub(super) fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
+		match &self.metadata {
+			Some(metadata) => {
+				let mut hmac = key.hmac_for_offer();
+
+				for record in tlv_stream.range(OFFER_TYPES) {
+					if record.r#type != OFFER_METADATA_TYPE {
+						hmac.input(record.record_bytes);
+					} else {
+						// TODO: Assert value bytes == metadata?
+					}
+				}
+
+				metadata == &Hmac::from_engine(hmac).into_inner()
+			},
+			None => false,
+		}
+	}
+
 	pub(super) fn as_tlv_stream(&self) -> OfferTlvStreamRef {
 		let (currency, amount) = match &self.amount {
 			None => (None, None),
@@ -569,9 +613,15 @@ impl Quantity {
 	}
 }
 
-tlv_stream!(OfferTlvStream, OfferTlvStreamRef, 1..80, {
+/// Valid type range for offer TLV records.
+const OFFER_TYPES: core::ops::Range<u64> = 1..80;
+
+/// TLV record type for [`Offer::metadata`].
+const OFFER_METADATA_TYPE: u64 = 4;
+
+tlv_stream!(OfferTlvStream, OfferTlvStreamRef, OFFER_TYPES, {
 	(2, chains: (Vec<ChainHash>, WithoutLength)),
-	(4, metadata: (Vec<u8>, WithoutLength)),
+	(OFFER_METADATA_TYPE, metadata: (Vec<u8>, WithoutLength)),
 	(6, currency: CurrencyCode),
 	(8, amount: (u64, HighZeroBytesDroppedBigSize)),
 	(10, description: (String, WithoutLength)),
@@ -665,17 +715,40 @@ mod tests {
 
 	use bitcoin::blockdata::constants::ChainHash;
 	use bitcoin::network::constants::Network;
-	use bitcoin::secp256k1::{PublicKey, Secp256k1, SecretKey};
-	use core::convert::TryFrom;
+	use bitcoin::secp256k1::{KeyPair, Message, PublicKey, Secp256k1, SecretKey};
+	use bitcoin::secp256k1::schnorr::Signature;
+	use core::convert::{Infallible, TryFrom};
 	use core::num::NonZeroU64;
 	use core::time::Duration;
+	use crate::chain::keysinterface::KeyMaterial;
 	use crate::ln::features::OfferFeatures;
+	use crate::ln::inbound_payment::ExpandedKey;
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use crate::offers::parse::{ParseError, SemanticError};
 	use crate::onion_message::{BlindedHop, BlindedPath};
 	use crate::util::ser::{BigSize, Writeable};
 	use crate::util::string::PrintableString;
 
+	fn payer_keys() -> KeyPair {
+		let secp_ctx = Secp256k1::new();
+		KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap())
+	}
+
+	fn payer_sign(digest: &Message) -> Result<Signature, Infallible> {
+		let secp_ctx = Secp256k1::new();
+		let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
+		Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+	}
+
+	fn payer_pubkey() -> PublicKey {
+		payer_keys().public_key()
+	}
+
+	fn recipient_pubkey() -> PublicKey {
+		let secp_ctx = Secp256k1::new();
+		KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap()).public_key()
+	}
+
 	fn pubkey(byte: u8) -> PublicKey {
 		let secp_ctx = Secp256k1::new();
 		PublicKey::from_secret_key(&secp_ctx, &privkey(byte))
@@ -788,6 +861,35 @@ mod tests {
 		assert_eq!(offer.as_tlv_stream().metadata, Some(&vec![43; 32]));
 	}
 
+	#[test]
+	fn builds_offer_with_metadata_derived() {
+		let keys = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let invoice_request = OfferBuilder::new("foo".into(), recipient_pubkey())
+			.metadata_derived(&keys)
+			.amount_msats(1000)
+			.build().unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(invoice_request.verify(&keys));
+
+		let offer = OfferBuilder::new("foo".into(), recipient_pubkey())
+			.metadata_derived(&keys)
+			.amount_msats(1000)
+			.build().unwrap();
+		let mut tlv_stream = offer.as_tlv_stream();
+		tlv_stream.amount = Some(100);
+
+		let mut encoded_offer = Vec::new();
+		tlv_stream.write(&mut encoded_offer).unwrap();
+
+		let invoice_request = Offer::try_from(encoded_offer).unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(!invoice_request.verify(&keys));
+	}
+
 	#[test]
 	fn builds_offer_with_amount() {
 		let bitcoin_amount = Amount::Bitcoin { amount_msats: 1000 };

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,15 @@ impl ExpandedKey {`
`63`	`63`	`user_pmt_hash_key,`
`64`	`64`	`}`
`65`	`65`	`}`
	`66`	`+`
	`67`	+ /// Returns an [`HmacEngine`] used to construct [`Offer::metadata`].
	`68`	`+ ///`
	`69`	+ /// [`Offer::metadata`]: crate::offers::offer::Offer::metadata
	`70`	`+ pub(crate) fn hmac_for_offer(&self) -> HmacEngine<Sha256> {`
	`71`	`+ let mut hmac = HmacEngine::<Sha256>::new(&self.ldk_pmt_hash_key);`
	`72`	`+ //hmac.input(&entropy_source.get_secure_random_bytes());`
	`73`	`+ hmac`
	`74`	`+ }`
`66`	`75`	`}`
`67`	`76`
`68`	`77`	`enum Method {`