Stateless verification of InvoiceRequest

jkczyz · jkczyz · commit e5564eced3ac · 2023-02-21T14:17:21.000-06:00
Verify that an InvoiceRequest was produced from an Offer constructed by
the recipient using the Offer metadata reflected in the InvoiceRequest.
The Offer metadata consists of a 128-bit nonce and a 256-bit HMAC over
the nonce and Offer TLV records (excluding the signing pubkey). Thus,
the HMAC can be reproduced using the nonce and the ExpandedKey used to
produce the HMAC, and then checked against the metadata.
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -60,9 +60,10 @@ use core::convert::TryFrom;
 use crate::io;
 use crate::ln::PaymentHash;
 use crate::ln::features::InvoiceRequestFeatures;
+use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, InvoiceBuilder};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, self};
 use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
@@ -370,6 +371,12 @@ impl InvoiceRequest {
 		InvoiceBuilder::for_offer(self, payment_paths, created_at, payment_hash)
 	}
 
+	/// Verifies that the request was for an offer created using the given key.
+	#[allow(unused)]
+	pub(crate) fn verify(&self, key: &ExpandedKey) -> bool {
+		self.contents.offer.verify(TlvStream::new(&self.bytes), key)
+	}
+
 	#[cfg(test)]
 	fn as_tlv_stream(&self) -> FullInvoiceRequestTlvStreamRef {
 		let (payer_tlv_stream, offer_tlv_stream, invoice_request_tlv_stream) =
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -78,8 +78,9 @@ use crate::ln::features::OfferFeatures;
 use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::offers::invoice_request::InvoiceRequestBuilder;
+use crate::offers::merkle::TlvStream;
 use crate::offers::parse::{Bech32Encode, ParseError, ParsedMessage, SemanticError};
-use crate::offers::signer::{MetadataMaterial, DerivedPubkey};
+use crate::offers::signer::{MetadataMaterial, DerivedPubkey, self};
 use crate::onion_message::BlindedPath;
 use crate::util::ser::{HighZeroBytesDroppedBigSize, WithoutLength, Writeable, Writer};
 use crate::util::string::PrintableString;
@@ -543,6 +544,24 @@ impl OfferContents {
 		self.signing_pubkey
 	}
 
+	/// Verifies that the offer metadata was produced from the offer in the TLV stream.
+	pub(super) fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
+		match &self.metadata {
+			Some(metadata) => {
+				let tlv_stream = tlv_stream.range(OFFER_TYPES).filter(|record| {
+					match record.r#type {
+						// TODO: Assert value bytes == metadata?
+						OFFER_METADATA_TYPE => false,
+						OFFER_NODE_ID_TYPE => false,
+						_ => true,
+					}
+				});
+				signer::verify_metadata(metadata, key, tlv_stream)
+			},
+			None => false,
+		}
+	}
+
 	pub(super) fn as_tlv_stream(&self) -> OfferTlvStreamRef {
 		let (currency, amount) = match &self.amount {
 			None => (None, None),
@@ -630,9 +649,18 @@ impl Quantity {
 	}
 }
 
-tlv_stream!(OfferTlvStream, OfferTlvStreamRef, 1..80, {
+/// Valid type range for offer TLV records.
+const OFFER_TYPES: core::ops::Range<u64> = 1..80;
+
+/// TLV record type for [`Offer::metadata`].
+const OFFER_METADATA_TYPE: u64 = 4;
+
+/// TLV record type for [`Offer::signing_pubkey`].
+const OFFER_NODE_ID_TYPE: u64 = 22;
+
+tlv_stream!(OfferTlvStream, OfferTlvStreamRef, OFFER_TYPES, {
 	(2, chains: (Vec<ChainHash>, WithoutLength)),
-	(4, metadata: (Vec<u8>, WithoutLength)),
+	(OFFER_METADATA_TYPE, metadata: (Vec<u8>, WithoutLength)),
 	(6, currency: CurrencyCode),
 	(8, amount: (u64, HighZeroBytesDroppedBigSize)),
 	(10, description: (String, WithoutLength)),
@@ -641,7 +669,7 @@ tlv_stream!(OfferTlvStream, OfferTlvStreamRef, 1..80, {
 	(16, paths: (Vec<BlindedPath>, WithoutLength)),
 	(18, issuer: (String, WithoutLength)),
 	(20, quantity_max: (u64, HighZeroBytesDroppedBigSize)),
-	(22, node_id: PublicKey),
+	(OFFER_NODE_ID_TYPE, node_id: PublicKey),
 });
 
 impl Bech32Encode for Offer {
@@ -729,9 +757,12 @@ mod tests {
 	use core::convert::TryFrom;
 	use core::num::NonZeroU64;
 	use core::time::Duration;
+	use crate::chain::keysinterface::KeyMaterial;
 	use crate::ln::features::OfferFeatures;
+	use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use crate::offers::parse::{ParseError, SemanticError};
+	use crate::offers::signer::DerivedPubkey;
 	use crate::offers::test_utils::*;
 	use crate::onion_message::{BlindedHop, BlindedPath};
 	use crate::util::ser::{BigSize, Writeable};
@@ -840,6 +871,82 @@ mod tests {
 		assert_eq!(offer.as_tlv_stream().metadata, Some(&vec![43; 32]));
 	}
 
+	#[test]
+	fn builds_offer_with_metadata_derived() {
+		let expanded_key = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let nonce = Nonce([42; Nonce::LENGTH]);
+
+		let offer = OfferBuilder::new("foo".into(), recipient_pubkey())
+			.amount_msats(1000)
+			.metadata_derived(&expanded_key, nonce).unwrap()
+			.build().unwrap();
+		assert_eq!(offer.metadata().unwrap()[..Nonce::LENGTH], nonce.0);
+		assert_eq!(offer.signing_pubkey(), recipient_pubkey());
+
+		let invoice_request = offer.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(invoice_request.verify(&expanded_key));
+
+		let mut tlv_stream = offer.as_tlv_stream();
+		tlv_stream.amount = Some(100);
+
+		let mut encoded_offer = Vec::new();
+		tlv_stream.write(&mut encoded_offer).unwrap();
+
+		let invoice_request = Offer::try_from(encoded_offer).unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(!invoice_request.verify(&expanded_key));
+
+		match OfferBuilder::new("foo".into(), recipient_pubkey())
+			.metadata_derived(&expanded_key, nonce).unwrap()
+			.metadata_derived(&expanded_key, nonce)
+		{
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, SemanticError::UnexpectedMetadata),
+		}
+	}
+
+	#[test]
+	fn builds_offer_with_derived_signing_pubkey() {
+		let expanded_key = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let nonce = Nonce([42; Nonce::LENGTH]);
+
+		let recipient_pubkey = DerivedPubkey::new(&expanded_key, nonce);
+		let offer = OfferBuilder::deriving_signing_pubkey("foo".into(), recipient_pubkey)
+			.amount_msats(1000)
+			.build().unwrap();
+		assert_eq!(offer.metadata().unwrap()[..Nonce::LENGTH], nonce.0);
+		assert_eq!(offer.signing_pubkey(), expanded_key.signing_pubkey_for_offer(nonce));
+
+		let invoice_request = offer.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(invoice_request.verify(&expanded_key));
+
+		let mut tlv_stream = offer.as_tlv_stream();
+		tlv_stream.amount = Some(100);
+
+		let mut encoded_offer = Vec::new();
+		tlv_stream.write(&mut encoded_offer).unwrap();
+
+		let invoice_request = Offer::try_from(encoded_offer).unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(!invoice_request.verify(&expanded_key));
+
+		let recipient_pubkey = DerivedPubkey::new(&expanded_key, nonce);
+		match OfferBuilder::deriving_signing_pubkey("foo".into(), recipient_pubkey)
+			.metadata_derived(&expanded_key, nonce)
+		{
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, SemanticError::UnexpectedMetadata),
+		}
+	}
+
 	#[test]
 	fn builds_offer_with_amount() {
 		let bitcoin_amount = Amount::Bitcoin { amount_msats: 1000 };
diff --git a/lightning/src/offers/signer.rs b/lightning/src/offers/signer.rs
@@ -16,6 +16,7 @@ use core::convert::TryInto;
 use bitcoin::secp256k1::PublicKey;
 use crate::io;
 use crate::ln::inbound_payment::{ExpandedKey, Nonce};
+use crate::offers::merkle::TlvRecord;
 
 use crate::prelude::*;
 
@@ -70,3 +71,24 @@ impl io::Write for MetadataMaterial {
 		self.hmac.flush()
 	}
 }
+
+/// Verifies data given in a TLV stream was used to produce the given metadata, consisting of:
+/// - a 128-bit [`Nonce`] and
+/// - a [`Sha256Hash`] of the nonce and the TLV records using the [`ExpandedKey`].
+pub(super) fn verify_metadata<'a>(
+	metadata: &Vec<u8>, expanded_key: &ExpandedKey,
+	tlv_stream: impl core::iter::Iterator<Item = TlvRecord<'a>>
+) -> bool {
+	let mut hmac = if metadata.len() < Nonce::LENGTH {
+		return false;
+	} else {
+		let nonce = Nonce(metadata[..Nonce::LENGTH].try_into().unwrap());
+		expanded_key.hmac_for_offer(nonce)
+	};
+
+	for record in tlv_stream {
+		hmac.input(record.record_bytes);
+	}
+
+	&metadata[Nonce::LENGTH..] == &Hmac::from_engine(hmac).into_inner()
+}
