use bitcoin::hashes::{Hash, HashEngine, sha256};
use bitcoin::secp256k1::{Message, PublicKey, Secp256k1, self};
use bitcoin::secp256k1::schnorr::Signature;
+use core::convert::AsRef;
use crate::io;
use crate::util::ser::{BigSize, Readable, Writeable, Writer};
(240, signature: Signature),
});
+/// A hash for use in a specific context by tweaking with a context-dependent tag as per [BIP 340]
+/// and computed over the merkle root of a TLV stream to sign as defined in [BOLT 12].
+///
+/// [BIP 340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+/// [BOLT 12]: https://github.com/rustyrussell/lightning-rfc/blob/guilt/offers/12-offer-encoding.md#signature-calculation
+#[derive(Debug, PartialEq)]
+pub struct TaggedHash(Message);
+
+impl TaggedHash {
+ /// Creates a tagged hash with the given parameters.
+ ///
+ /// Panics if `tlv_stream` is not a well-formed TLV stream containing at least one TLV record.
+ pub(super) fn new(tag: &str, tlv_stream: &[u8]) -> Self {
+ Self(message_digest(tag, tlv_stream))
+ }
+
+ /// Returns the digest to sign.
+ pub fn as_digest(&self) -> &Message {
+ &self.0
+ }
+}
+
+impl AsRef<TaggedHash> for TaggedHash {
+ fn as_ref(&self) -> &TaggedHash {
+ self
+ }
+}
+
/// Error when signing messages.
#[derive(Debug, PartialEq)]
pub enum SignError<E> {
Verification(secp256k1::Error),
}
-/// Signs a message digest consisting of a tagged hash of the given bytes, checking if it can be
-/// verified with the supplied pubkey.
+/// Signs a [`TaggedHash`] computed over the merkle root of `message`'s TLV stream, checking if it
+/// can be verified with the supplied `pubkey`.
///
-/// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record.
-pub(super) fn sign_message<F, E>(
- sign: F, tag: &str, bytes: &[u8], pubkey: PublicKey,
+/// Since `message` is any type that implements [`AsRef<TaggedHash>`], `sign` may be a closure that
+/// takes a message such as [`Bolt12Invoice`] or [`InvoiceRequest`]. This allows further message
+/// verification before signing its [`TaggedHash`].
+///
+/// [`Bolt12Invoice`]: crate::offers::invoice::Bolt12Invoice
+/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+pub(super) fn sign_message<F, E, T>(
+ sign: F, message: &T, pubkey: PublicKey,
) -> Result<Signature, SignError<E>>
where
- F: FnOnce(&Message) -> Result<Signature, E>
+ F: FnOnce(&T) -> Result<Signature, E>,
+ T: AsRef<TaggedHash>,
{
- let digest = message_digest(tag, bytes);
- let signature = sign(&digest).map_err(|e| SignError::Signing(e))?;
+ let signature = sign(message).map_err(|e| SignError::Signing(e))?;
+ let digest = message.as_ref().as_digest();
let pubkey = pubkey.into();
let secp_ctx = Secp256k1::verification_only();
- secp_ctx.verify_schnorr(&signature, &digest, &pubkey).map_err(|e| SignError::Verification(e))?;
+ secp_ctx.verify_schnorr(&signature, digest, &pubkey).map_err(|e| SignError::Verification(e))?;
Ok(signature)
}
-/// Verifies the signature with a pubkey over the given bytes using a tagged hash as the message
+/// Verifies the signature with a pubkey over the given message using a tagged hash as the message
/// digest.
-///
-/// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record.
pub(super) fn verify_signature(
- signature: &Signature, tag: &str, bytes: &[u8], pubkey: PublicKey,
+ signature: &Signature, message: TaggedHash, pubkey: PublicKey,
) -> Result<(), secp256k1::Error> {
- let digest = message_digest(tag, bytes);
+ let digest = message.as_digest();
let pubkey = pubkey.into();
let secp_ctx = Secp256k1::verification_only();
- secp_ctx.verify_schnorr(signature, &digest, &pubkey)
+ secp_ctx.verify_schnorr(signature, digest, &pubkey)
}
-fn message_digest(tag: &str, bytes: &[u8]) -> Message {
+pub(super) fn message_digest(tag: &str, bytes: &[u8]) -> Message {
let tag = sha256::Hash::hash(tag.as_bytes());
let merkle_root = root_hash(bytes);
Message::from_slice(&tagged_hash(tag, merkle_root)).unwrap()
/// [`Iterator`] over a sequence of bytes yielding [`TlvRecord`]s. The input is assumed to be a
/// well-formed TLV stream.
-struct TlvStream<'a> {
+#[derive(Clone)]
+pub(super) struct TlvStream<'a> {
data: io::Cursor<&'a [u8]>,
}
impl<'a> TlvStream<'a> {
- fn new(data: &'a [u8]) -> Self {
+ pub fn new(data: &'a [u8]) -> Self {
Self {
data: io::Cursor::new(data),
}
}
+ pub fn range<T>(self, types: T) -> impl core::iter::Iterator<Item = TlvRecord<'a>>
+ where
+ T: core::ops::RangeBounds<u64> + Clone,
+ {
+ let take_range = types.clone();
+ self.skip_while(move |record| !types.contains(&record.r#type))
+ .take_while(move |record| take_range.contains(&record.r#type))
+ }
+
fn skip_signatures(self) -> core::iter::Filter<TlvStream<'a>, fn(&TlvRecord) -> bool> {
self.filter(|record| !SIGNATURE_TYPES.contains(&record.r#type))
}
}
/// A slice into a [`TlvStream`] for a record.
-struct TlvRecord<'a> {
- r#type: u64,
+pub(super) struct TlvRecord<'a> {
+ pub(super) r#type: u64,
type_bytes: &'a [u8],
// The entire TLV record.
- record_bytes: &'a [u8],
+ pub(super) record_bytes: &'a [u8],
}
impl<'a> Iterator for TlvStream<'a> {
/// Encoding for a pre-serialized TLV stream that excludes any signature TLV records.
///
/// Panics if the wrapped bytes are not a well-formed TLV stream.
-pub(super) struct WithoutSignatures<'a>(pub &'a Vec<u8>);
+pub(super) struct WithoutSignatures<'a>(pub &'a [u8]);
impl<'a> Writeable for WithoutSignatures<'a> {
#[inline]
fn write<W: Writer>(&self, writer: &mut W) -> Result<(), io::Error> {
- let tlv_stream = TlvStream::new(&self.0[..]);
+ let tlv_stream = TlvStream::new(self.0);
for record in tlv_stream.skip_signatures() {
writer.write_all(record.record_bytes)?;
}
#[cfg(test)]
mod tests {
- use super::{TlvStream, WithoutSignatures};
+ use super::{SIGNATURE_TYPES, TlvStream, WithoutSignatures};
use bitcoin::hashes::{Hash, sha256};
use bitcoin::secp256k1::{KeyPair, Secp256k1, SecretKey};
+ use bitcoin::secp256k1::schnorr::Signature;
use core::convert::Infallible;
use crate::offers::offer::{Amount, OfferBuilder};
use crate::offers::invoice_request::InvoiceRequest;
.build_unchecked()
.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
.build_unchecked()
- .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+ .sign::<_, Infallible>(
+ |message| Ok(secp_ctx.sign_schnorr_no_aux_rand(message.as_ref().as_digest(), &payer_keys))
+ )
.unwrap();
assert_eq!(
invoice_request.to_string(),
super::root_hash(&invoice_request.bytes[..]),
sha256::Hash::from_slice(&hex::decode("608407c18ad9a94d9ea2bcdbe170b6c20c462a7833a197621c916f78cf18e624").unwrap()).unwrap(),
);
+ assert_eq!(
+ invoice_request.signature(),
+ Signature::from_slice(&hex::decode("b8f83ea3288cfd6ea510cdb481472575141e8d8744157f98562d162cc1c472526fdb24befefbdebab4dbb726bbd1b7d8aec057f8fa805187e5950d2bbe0e5642").unwrap()).unwrap(),
+ );
}
#[test]
.build_unchecked()
.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
.build_unchecked()
- .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+ .sign::<_, Infallible>(
+ |message| Ok(secp_ctx.sign_schnorr_no_aux_rand(message.as_ref().as_digest(), &payer_keys))
+ )
.unwrap();
let mut bytes_without_signature = Vec::new();
);
}
+ #[test]
+ fn iterates_over_tlv_stream_range() {
+ let secp_ctx = Secp256k1::new();
+ let recipient_pubkey = {
+ let secret_key = SecretKey::from_slice(&[41; 32]).unwrap();
+ KeyPair::from_secret_key(&secp_ctx, &secret_key).public_key()
+ };
+ let payer_keys = {
+ let secret_key = SecretKey::from_slice(&[42; 32]).unwrap();
+ KeyPair::from_secret_key(&secp_ctx, &secret_key)
+ };
+
+ let invoice_request = OfferBuilder::new("foo".into(), recipient_pubkey)
+ .amount_msats(100)
+ .build_unchecked()
+ .request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
+ .build_unchecked()
+ .sign::<_, Infallible>(
+ |message| Ok(secp_ctx.sign_schnorr_no_aux_rand(message.as_ref().as_digest(), &payer_keys))
+ )
+ .unwrap();
+
+ let tlv_stream = TlvStream::new(&invoice_request.bytes).range(0..1)
+ .chain(TlvStream::new(&invoice_request.bytes).range(1..80))
+ .chain(TlvStream::new(&invoice_request.bytes).range(80..160))
+ .chain(TlvStream::new(&invoice_request.bytes).range(160..240))
+ .chain(TlvStream::new(&invoice_request.bytes).range(SIGNATURE_TYPES))
+ .map(|r| r.record_bytes.to_vec())
+ .flatten()
+ .collect::<Vec<u8>>();
+
+ assert_eq!(tlv_stream, invoice_request.bytes);
+ }
+
impl AsRef<[u8]> for InvoiceRequest {
fn as_ref(&self) -> &[u8] {
&self.bytes
projects / rust-lightning / blobdiff