f - abstraction for metadata material

Author: jkczyz

lightning/src/offers/offer.rs

@@ -67,12 +67,9 @@
 //! ```
 
 use bitcoin::blockdata::constants::ChainHash;
-use bitcoin::hashes::{Hash, HashEngine};
-use bitcoin::hashes::hmac::{Hmac, HmacEngine};
-use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::network::constants::Network;
 use bitcoin::secp256k1::PublicKey;
-use core::convert::{TryFrom, TryInto};
+use core::convert::TryFrom;
 use core::num::NonZeroU64;
 use core::str::FromStr;
 use core::time::Duration;
@@ -83,7 +80,7 @@ use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::offers::invoice_request::InvoiceRequestBuilder;
 use crate::offers::merkle::TlvStream;
 use crate::offers::parse::{Bech32Encode, ParseError, ParsedMessage, SemanticError};
-use crate::offers::signer::SigningPubkey;
+use crate::offers::signer::{MetadataMaterial, SigningPubkey, self};
 use crate::onion_message::BlindedPath;
 use crate::util::ser::{HighZeroBytesDroppedBigSize, WithoutLength, Writeable, Writer};
 use crate::util::string::PrintableString;
@@ -100,7 +97,7 @@ use std::time::SystemTime;
 /// [module-level documentation]: self
 pub struct OfferBuilder {
 	offer: OfferContents,
-	metadata_material: Option<(Nonce, HmacEngine<Sha256>)>,
+	metadata_material: Option<MetadataMaterial>,
 }
 
 impl OfferBuilder {
@@ -110,14 +107,7 @@ impl OfferBuilder {
 	///
 	/// Use a different pubkey per offer to avoid correlating offers.
 	pub fn new(description: String, signing_pubkey: SigningPubkey) -> Self {
-		let (metadata_material, signing_pubkey) = match signing_pubkey {
-			SigningPubkey::Explicit(pubkey) => (None, pubkey),
-			SigningPubkey::Derived(expanded_key, nonce) => {
-				let metadata_material = (nonce, expanded_key.hmac_for_offer(nonce));
-				let signing_pubkey = expanded_key.signing_pubkey_for_offer(nonce);
-				(Some(metadata_material), signing_pubkey)
-			},
-		};
+		let (metadata_material, signing_pubkey) = signing_pubkey.into_parts();
 		let offer = OfferContents {
 			chains: None, metadata: None, amount: None, description,
 			features: OfferFeatures::empty(), absolute_expiry: None, issuer: None, paths: None,
@@ -167,7 +157,7 @@ impl OfferBuilder {
 	/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
 	pub fn metadata_derived(mut self, key: &ExpandedKey, nonce: Nonce) -> Self {
 		self.offer.metadata = None;
-		self.metadata_material = Some((nonce, key.hmac_for_offer(nonce)));
+		self.metadata_material = Some(MetadataMaterial::new(nonce, key));
 		self
 	}
 
@@ -240,18 +230,14 @@ impl OfferBuilder {
 			}
 		}
 
-		// Create the metadata for stateless verification. It consists of a 16-byte nonce and a
-		// 32-byte HMAC of the offer bytes excluding the signing pubkey.
-		if let Some((nonce, mut hmac)) = self.metadata_material {
+		// Create the metadata for stateless verification of an InvoiceRequest.
+		if let Some(mut metadata_material) = self.metadata_material {
 			debug_assert!(self.offer.metadata.is_none());
 			let mut tlv_stream = self.offer.as_tlv_stream();
 			tlv_stream.node_id = None;
-			tlv_stream.write(&mut hmac).unwrap();
-
-			let mut metadata = nonce.as_slice().to_vec();
-			metadata.extend_from_slice(&Hmac::from_engine(hmac).into_inner());
+			tlv_stream.write(&mut metadata_material).unwrap();
 
-			self.offer.metadata = Some(metadata);
+			self.offer.metadata = Some(metadata_material.into_metadata());
 		}
 
 		let mut bytes = Vec::new();
@@ -536,23 +522,15 @@ impl OfferContents {
 	pub(super) fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
 		match &self.metadata {
 			Some(metadata) => {
-				let mut hmac = if metadata.len() < Nonce::LENGTH {
-					return false;
-				} else {
-					let nonce = Nonce(metadata[..Nonce::LENGTH].try_into().unwrap());
-					key.hmac_for_offer(nonce)
-				};
-
-				for record in tlv_stream.range(OFFER_TYPES) {
+				let tlv_stream = tlv_stream.range(OFFER_TYPES).filter(|record| {
 					match record.r#type {
 						// TODO: Assert value bytes == metadata?
-						OFFER_METADATA_TYPE => {},
-						OFFER_NODE_ID_TYPE => {},
-						_ => hmac.input(record.record_bytes),
+						OFFER_METADATA_TYPE => false,
+						OFFER_NODE_ID_TYPE => false,
+						_ => true,
 					}
-				}
-
-				&metadata[Nonce::LENGTH..] == &Hmac::from_engine(hmac).into_inner()
+				});
+				signer::verify_metadata(metadata, key, tlv_stream)
 			},
 			None => false,
 		}

lightning/src/offers/signer.rs

@@ -7,10 +7,16 @@
 // You may not use this file except in accordance with one or both of these
 // licenses.
 
-//! Data structures for signing offer messages.
+//! Utilities for signing offer messages and verifying metadata.
 
+use bitcoin::hashes::{Hash, HashEngine};
+use bitcoin::hashes::hmac::{Hmac, HmacEngine};
+use bitcoin::hashes::sha256::Hash as Sha256;
+use core::convert::TryInto;
 use bitcoin::secp256k1::PublicKey;
+use crate::io;
 use crate::ln::inbound_payment::{ExpandedKey, Nonce};
+use crate::offers::merkle::TlvRecord;
 
 /// A pubkey for signing messages, either given explicitly or derived.
 pub enum SigningPubkey<'a> {
@@ -21,8 +27,74 @@ pub enum SigningPubkey<'a> {
 	Derived(&'a ExpandedKey, Nonce),
 }
 
+impl<'a> SigningPubkey<'a> {
+	pub(super) fn into_parts(self) -> (Option<MetadataMaterial>, PublicKey) {
+		match self {
+			SigningPubkey::Explicit(pubkey) => (None, pubkey),
+			SigningPubkey::Derived(expanded_key, nonce) => {
+				let metadata_material = MetadataMaterial::new(nonce, expanded_key);
+				let signing_pubkey = expanded_key.signing_pubkey_for_offer(nonce);
+				(Some(metadata_material), signing_pubkey)
+			},
+		}
+	}
+}
+
 impl<'a> From<PublicKey> for SigningPubkey<'a> {
 	fn from(pubkey: PublicKey) -> Self {
 		SigningPubkey::Explicit(pubkey)
 	}
 }
+
+/// Material used to create metadata for a message. Once initialized, write the applicable data from
+/// the message into it and call [`MetadataMaterial::into_metadata`].
+pub(super) struct MetadataMaterial {
+	nonce: Nonce,
+	hmac: HmacEngine<Sha256>,
+}
+
+impl MetadataMaterial {
+	pub fn new(nonce: Nonce, expanded_key: &ExpandedKey) -> Self {
+		Self {
+			nonce,
+			hmac: expanded_key.hmac_for_offer(nonce),
+		}
+	}
+
+	pub fn into_metadata(self) -> Vec<u8> {
+		let mut bytes = self.nonce.as_slice().to_vec();
+		bytes.extend_from_slice(&Hmac::from_engine(self.hmac).into_inner());
+		bytes
+	}
+}
+
+impl io::Write for MetadataMaterial {
+	fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+		self.hmac.write(buf)
+	}
+
+	fn flush(&mut self) -> io::Result<()> {
+		self.hmac.flush()
+	}
+}
+
+/// Verifies data given in a TLV stream was used to produce the given metadata, consisting of:
+/// - a 128-bit [`Nonce`] and
+/// - a [`Sha256Hash`] of the nonce and the TLV records using the [`ExpandedKey`].
+pub(super) fn verify_metadata<'a>(
+	metadata: &Vec<u8>, expanded_key: &ExpandedKey,
+	tlv_stream: impl core::iter::Iterator<Item = TlvRecord<'a>>
+) -> bool {
+	let mut hmac = if metadata.len() < Nonce::LENGTH {
+		return false;
+	} else {
+		let nonce = Nonce(metadata[..Nonce::LENGTH].try_into().unwrap());
+		expanded_key.hmac_for_offer(nonce)
+	};
+
+	for record in tlv_stream {
+		hmac.input(record.record_bytes);
+	}
+
+	&metadata[Nonce::LENGTH..] == &Hmac::from_engine(hmac).into_inner()
+}