Offer metadata and signing pubkey derivation

[rust-lightning] / lightning / src / offers / signer.rs

// This file is Copyright its original authors, visible in version control
// history.
//
// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
// You may not use this file except in accordance with one or both of these
// licenses.

//! Utilities for signing offer messages and verifying metadata.

use bitcoin::hashes::{Hash, HashEngine};
use bitcoin::hashes::hmac::{Hmac, HmacEngine};
use bitcoin::hashes::sha256::Hash as Sha256;
use bitcoin::secp256k1::{KeyPair, Secp256k1, SecretKey, self};
use core::convert::TryInto;
use core::fmt;
use crate::ln::inbound_payment::{ExpandedKey, IV_LEN, Nonce};
use crate::util::ser::Writeable;

use crate::prelude::*;

const DERIVED_METADATA_HMAC_INPUT: &[u8; 16] = &[1; 16];
const DERIVED_METADATA_AND_KEYS_HMAC_INPUT: &[u8; 16] = &[2; 16];

/// Message metadata which possibly is derived from [`MetadataMaterial`] such that it can be
/// verified.
#[derive(Clone)]
pub(super) enum Metadata {
        /// Metadata as parsed, supplied by the user, or derived from the message contents.
        Bytes(Vec<u8>),

        /// Metadata to be derived from message contents and given material.
        Derived(MetadataMaterial),

        /// Metadata and signing pubkey to be derived from message contents and given material.
        DerivedSigningPubkey(MetadataMaterial),
}

impl Metadata {
        pub fn as_bytes(&self) -> Option<&Vec<u8>> {
                match self {
                        Metadata::Bytes(bytes) => Some(bytes),
                        Metadata::Derived(_) => None,
                        Metadata::DerivedSigningPubkey(_) => None,
                }
        }

        pub fn has_derivation_material(&self) -> bool {
                match self {
                        Metadata::Bytes(_) => false,
                        Metadata::Derived(_) => true,
                        Metadata::DerivedSigningPubkey(_) => true,
                }
        }

        pub fn derives_keys(&self) -> bool {
                match self {
                        Metadata::Bytes(_) => false,
                        Metadata::Derived(_) => false,
                        Metadata::DerivedSigningPubkey(_) => true,
                }
        }

        pub fn without_keys(self) -> Self {
                match self {
                        Metadata::Bytes(_) => self,
                        Metadata::Derived(_) => self,
                        Metadata::DerivedSigningPubkey(material) => Metadata::Derived(material),
                }
        }

        pub fn derive_from<W: Writeable, T: secp256k1::Signing>(
                self, tlv_stream: W, secp_ctx: Option<&Secp256k1<T>>
        ) -> (Self, Option<KeyPair>) {
                match self {
                        Metadata::Bytes(_) => (self, None),
                        Metadata::Derived(mut metadata_material) => {
                                tlv_stream.write(&mut metadata_material.hmac).unwrap();
                                (Metadata::Bytes(metadata_material.derive_metadata()), None)
                        },
                        Metadata::DerivedSigningPubkey(mut metadata_material) => {
                                tlv_stream.write(&mut metadata_material.hmac).unwrap();
                                let secp_ctx = secp_ctx.unwrap();
                                let (metadata, keys) = metadata_material.derive_metadata_and_keys(secp_ctx);
                                (Metadata::Bytes(metadata), Some(keys))
                        },
                }
        }
}

impl fmt::Debug for Metadata {
        fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
                match self {
                        Metadata::Bytes(bytes) => bytes.fmt(f),
                        Metadata::Derived(_) => f.write_str("Derived"),
                        Metadata::DerivedSigningPubkey(_) => f.write_str("DerivedSigningPubkey"),
                }
        }
}

#[cfg(test)]
impl PartialEq for Metadata {
        fn eq(&self, other: &Self) -> bool {
                match self {
                        Metadata::Bytes(bytes) => if let Metadata::Bytes(other_bytes) = other {
                                bytes == other_bytes
                        } else {
                                false
                        },
                        Metadata::Derived(_) => false,
                        Metadata::DerivedSigningPubkey(_) => false,
                }
        }
}

/// Material used to create metadata for a message.
#[derive(Clone)]
pub(super) struct MetadataMaterial {
        nonce: Nonce,
        hmac: HmacEngine<Sha256>,
}

impl MetadataMaterial {
        pub fn new(nonce: Nonce, expanded_key: &ExpandedKey, iv_bytes: &[u8; IV_LEN]) -> Self {
                Self {
                        nonce,
                        hmac: expanded_key.hmac_for_offer(nonce, iv_bytes),
                }
        }

        fn derive_metadata(mut self) -> Vec<u8> {
                self.hmac.input(DERIVED_METADATA_HMAC_INPUT);

                let mut bytes = self.nonce.as_slice().to_vec();
                bytes.extend_from_slice(&Hmac::from_engine(self.hmac).into_inner());
                bytes
        }

        fn derive_metadata_and_keys<T: secp256k1::Signing>(
                mut self, secp_ctx: &Secp256k1<T>
        ) -> (Vec<u8>, KeyPair) {
                self.hmac.input(DERIVED_METADATA_AND_KEYS_HMAC_INPUT);

                let hmac = Hmac::from_engine(self.hmac);
                let privkey = SecretKey::from_slice(hmac.as_inner()).unwrap();
                let keys = KeyPair::from_secret_key(secp_ctx, &privkey);
                (self.nonce.as_slice().to_vec(), keys)
        }
}