f - derive signing pubkey from nonce

jkczyz · jkczyz · commit 431e3ea3358f · 2023-01-27T18:41:48.000-06:00
diff --git a/lightning/src/ln/inbound_payment.rs b/lightning/src/ln/inbound_payment.rs
@@ -14,6 +14,8 @@ use bitcoin::hashes::{Hash, HashEngine};
 use bitcoin::hashes::cmp::fixed_time_eq;
 use bitcoin::hashes::hmac::{Hmac, HmacEngine};
 use bitcoin::hashes::sha256::Hash as Sha256;
+use bitcoin::secp256k1::{PublicKey, Secp256k1, SecretKey};
+use bitcoin::secp256k1::scalar::Scalar;
 use crate::chain::keysinterface::{KeyMaterial, EntropySource};
 use crate::ln::{PaymentHash, PaymentPreimage, PaymentSecret};
 use crate::ln::msgs;
@@ -67,11 +69,45 @@ impl ExpandedKey {
 	/// Returns an [`HmacEngine`] used to construct [`Offer::metadata`].
 	///
 	/// [`Offer::metadata`]: crate::offers::offer::Offer::metadata
-	pub(crate) fn hmac_for_offer(&self) -> HmacEngine<Sha256> {
+	pub(crate) fn hmac_for_offer(&self, nonce: Nonce) -> HmacEngine<Sha256> {
 		let mut hmac = HmacEngine::<Sha256>::new(&self.ldk_pmt_hash_key);
-		//hmac.input(&entropy_source.get_secure_random_bytes());
+		hmac.input(&nonce.0);
 		hmac
 	}
+
+	pub(crate) fn signing_pubkey_for_offer(&self, nonce: Nonce) -> PublicKey {
+		let secp_ctx = Secp256k1::new();
+		let mut tweak = [0; 32];
+		tweak[..Nonce::LENGTH].copy_from_slice(&nonce.0);
+
+		SecretKey::from_slice(&self.ldk_pmt_hash_key)
+			.unwrap()
+			.mul_tweak(&Scalar::from_be_bytes(tweak).unwrap())
+			.unwrap()
+			.public_key(&secp_ctx)
+	}
+}
+
+///
+#[derive(Clone, Copy)]
+pub struct Nonce(pub(crate) [u8; Self::LENGTH]);
+
+impl Nonce {
+	///
+	pub const LENGTH: usize = 16;
+
+	///
+	pub fn from_entropy_source<ES: EntropySource>(entropy_source: &ES) -> Self {
+		let mut bytes = [0 as u8; Self::LENGTH];
+		let rand_bytes = entropy_source.get_secure_random_bytes();
+		bytes.copy_from_slice(&rand_bytes[..Self::LENGTH]);
+		Nonce(bytes)
+	}
+
+	///
+	pub fn as_slice(&self) -> &[u8] {
+		&self.0
+	}
 }
 
 enum Method {
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -72,13 +72,13 @@ use bitcoin::hashes::hmac::{Hmac, HmacEngine};
 use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::network::constants::Network;
 use bitcoin::secp256k1::PublicKey;
-use core::convert::TryFrom;
+use core::convert::{TryFrom, TryInto};
 use core::num::NonZeroU64;
 use core::str::FromStr;
 use core::time::Duration;
 use crate::io;
 use crate::ln::features::OfferFeatures;
-use crate::ln::inbound_payment::ExpandedKey;
+use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::offers::invoice_request::InvoiceRequestBuilder;
 use crate::offers::merkle::TlvStream;
@@ -99,16 +99,16 @@ use std::time::SystemTime;
 /// [module-level documentation]: self
 pub struct OfferBuilder {
 	offer: OfferContents,
-	hmac: Option<HmacEngine<Sha256>>,
+	metadata_material: Option<(Nonce, HmacEngine<Sha256>)>,
 }
 
 ///
-pub enum SigningPubkey {
+pub enum SigningPubkey<'a> {
 	Explicit(PublicKey),
-	Derived,
+	Derived(&'a ExpandedKey, Nonce),
 }
 
-impl From<PublicKey> for SigningPubkey {
+impl<'a> From<PublicKey> for SigningPubkey<'a> {
 	fn from(pubkey: PublicKey) -> Self {
 		SigningPubkey::Explicit(pubkey)
 	}
@@ -121,16 +121,20 @@ impl OfferBuilder {
 	///
 	/// Use a different pubkey per offer to avoid correlating offers.
 	pub fn new(description: String, signing_pubkey: SigningPubkey) -> Self {
-		let signing_pubkey = match signing_pubkey {
-			SigningPubkey::Explicit(pubkey) => Some(pubkey),
-			SigningPubkey::Derived => None,
+		let (metadata_material, signing_pubkey) = match signing_pubkey {
+			SigningPubkey::Explicit(pubkey) => (None, Some(pubkey)),
+			SigningPubkey::Derived(expanded_key, nonce) => {
+				let metadata_material = (nonce, expanded_key.hmac_for_offer(nonce));
+				let signing_pubkey = expanded_key.signing_pubkey_for_offer(nonce);
+				(Some(metadata_material), Some(signing_pubkey))
+			},
 		};
 		let offer = OfferContents {
 			chains: None, metadata: None, amount: None, description,
 			features: OfferFeatures::empty(), absolute_expiry: None, issuer: None, paths: None,
 			supported_quantity: Quantity::One, signing_pubkey,
 		};
-		OfferBuilder { offer, hmac: None }
+		OfferBuilder { offer, metadata_material }
 	}
 
 	/// Adds the chain hash of the given [`Network`] to [`Offer::chains`]. If not called,
@@ -159,21 +163,21 @@ impl OfferBuilder {
 		}
 
 		self.offer.metadata = Some(metadata);
-		self.hmac = None;
+		self.metadata_material = None;
 		Ok(self)
 	}
 
 	/// Sets the [`Offer::metadata`] derived from the given `key` and any fields set prior to
 	/// calling [`OfferBuilder::build`]. Allows for stateless verification of an [`InvoiceRequest`].
 	///
 	/// Successive calls to this method will override the previous setting and any previous calls to
-	/// [`OfferBuilder::metadata`]. Must be called if the builder was constructed with
-	/// [`SigningPubkey::Derived`] in order to derive [`Offer::signing_pubkey`].
+	/// [`OfferBuilder::metadata`]. Does not need to be called if the builder was constructed with
+	/// [`SigningPubkey::Derived`].
 	///
 	/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
-	pub fn metadata_derived(mut self, key: &ExpandedKey) -> Self {
+	pub fn metadata_derived(mut self, key: &ExpandedKey, nonce: Nonce) -> Self {
 		self.offer.metadata = None;
-		self.hmac = Some(key.hmac_for_offer());
+		self.metadata_material = Some((nonce, key.hmac_for_offer(nonce)));
 		self
 	}
 
@@ -246,14 +250,17 @@ impl OfferBuilder {
 			}
 		}
 
-		// Created the metadata for stateless verification and derive the signing_pubkey, if needed.
-		if let Some(mut hmac) = self.hmac {
+		// Created the metadata for stateless verification.
+		if let Some((nonce, mut hmac)) = self.metadata_material {
 			debug_assert!(self.offer.metadata.is_none());
 			let mut tlv_stream = self.offer.as_tlv_stream();
 			tlv_stream.node_id = None;
 			tlv_stream.write(&mut hmac).unwrap();
 
-			self.offer.metadata = Some(Hmac::from_engine(hmac).into_inner().to_vec());
+			let mut metadata = nonce.as_slice().to_vec();
+			metadata.extend_from_slice(&Hmac::from_engine(hmac).into_inner());
+
+			self.offer.metadata = Some(metadata);
 		}
 
 		if self.offer.signing_pubkey.is_none() {
@@ -542,7 +549,12 @@ impl OfferContents {
 	pub(super) fn verify(&self, tlv_stream: TlvStream<'_>, key: &ExpandedKey) -> bool {
 		match &self.metadata {
 			Some(metadata) => {
-				let mut hmac = key.hmac_for_offer();
+				let mut hmac = if metadata.len() < Nonce::LENGTH {
+					return false;
+				} else {
+					let nonce = Nonce(metadata[..Nonce::LENGTH].try_into().unwrap());
+					key.hmac_for_offer(nonce)
+				};
 
 				for record in tlv_stream.range(OFFER_TYPES) {
 					match record.r#type {
@@ -553,7 +565,7 @@ impl OfferContents {
 					}
 				}
 
-				metadata == &Hmac::from_engine(hmac).into_inner()
+				&metadata[Nonce::LENGTH..] == &Hmac::from_engine(hmac).into_inner()
 			},
 			None => false,
 		}
@@ -746,7 +758,7 @@ impl core::fmt::Display for Offer {
 
 #[cfg(test)]
 mod tests {
-	use super::{Amount, Offer, OfferBuilder, OfferTlvStreamRef, Quantity};
+	use super::{Amount, Offer, OfferBuilder, OfferTlvStreamRef, Quantity, SigningPubkey};
 
 	use bitcoin::blockdata::constants::ChainHash;
 	use bitcoin::network::constants::Network;
@@ -757,7 +769,7 @@ mod tests {
 	use core::time::Duration;
 	use crate::chain::keysinterface::KeyMaterial;
 	use crate::ln::features::OfferFeatures;
-	use crate::ln::inbound_payment::ExpandedKey;
+	use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use crate::offers::parse::{ParseError, SemanticError};
 	use crate::onion_message::{BlindedHop, BlindedPath};
@@ -900,7 +912,7 @@ mod tests {
 	fn builds_offer_with_metadata_derived() {
 		let keys = ExpandedKey::new(&KeyMaterial([42; 32]));
 		let invoice_request = OfferBuilder::new("foo".into(), recipient_pubkey().into())
-			.metadata_derived(&keys)
+			.metadata_derived(&keys, Nonce([42; Nonce::LENGTH]))
 			.amount_msats(1000)
 			.build().unwrap()
 			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
@@ -909,7 +921,7 @@ mod tests {
 		assert!(invoice_request.verify(&keys));
 
 		let offer = OfferBuilder::new("foo".into(), recipient_pubkey().into())
-			.metadata_derived(&keys)
+			.metadata_derived(&keys, Nonce([42; Nonce::LENGTH]))
 			.amount_msats(1000)
 			.build().unwrap();
 		let mut tlv_stream = offer.as_tlv_stream();
@@ -925,6 +937,36 @@ mod tests {
 		assert!(!invoice_request.verify(&keys));
 	}
 
+	#[test]
+	fn builds_offer_with_signing_pubkey_derived() {
+		let keys = ExpandedKey::new(&KeyMaterial([42; 32]));
+		let nonce = Nonce([42; Nonce::LENGTH]);
+
+		let recipient_pubkey = SigningPubkey::Derived(&keys, nonce);
+		let offer = OfferBuilder::new("foo".into(), recipient_pubkey)
+			.amount_msats(1000)
+			.build().unwrap();
+		assert_eq!(offer.metadata().unwrap()[..Nonce::LENGTH], nonce.0);
+		assert_eq!(offer.signing_pubkey(), keys.signing_pubkey_for_offer(nonce));
+
+		let invoice_request = offer.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(invoice_request.verify(&keys));
+
+		let mut tlv_stream = offer.as_tlv_stream();
+		tlv_stream.amount = Some(100);
+
+		let mut encoded_offer = Vec::new();
+		tlv_stream.write(&mut encoded_offer).unwrap();
+
+		let invoice_request = Offer::try_from(encoded_offer).unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
+			.build().unwrap()
+			.sign(payer_sign).unwrap();
+		assert!(!invoice_request.verify(&keys));
+	}
+
 	#[test]
 	fn builds_offer_with_amount() {
 		let bitcoin_amount = Amount::Bitcoin { amount_msats: 1000 };
