Add offer signature verification

Author: jkczyz

lightning/src/offers/merkle.rs

@@ -0,0 +1,120 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+//! Tagged hashes for use in signature calculation and verification.
+
+use bitcoin::hashes::{Hash, HashEngine, sha256};
+use util::ser::{BigSize, Readable};
+
+const SIGNATURE_TYPES: core::ops::RangeInclusive<u64> = 240..=1000;
+
+pub(super) fn tagged_root_hash(tag: sha256::Hash, data: &[u8]) -> sha256::Hash {
+	let mut engine = sha256::Hash::engine();
+	engine.input("LnAll".as_bytes());
+	for record in TlvStream::new(&data[..]) {
+		if !SIGNATURE_TYPES.contains(&record.r#type.0) {
+			engine.input(record.as_ref());
+		}
+	}
+	let nonce_tag = sha256::Hash::from_engine(engine);
+	let leaf_tag = sha256::Hash::hash("LnLeaf".as_bytes());
+	let branch_tag = sha256::Hash::hash("LnBranch".as_bytes());
+
+	let mut merkle_leaves = Vec::new();
+	for record in TlvStream::new(&data[..]) {
+		if !SIGNATURE_TYPES.contains(&record.r#type.0) {
+			merkle_leaves.push(tagged_hash(leaf_tag, &record));
+			merkle_leaves.push(tagged_hash(nonce_tag, &record));
+		}
+	}
+
+	while merkle_leaves.len() != 1 {
+		let mut parents = Vec::with_capacity(merkle_leaves.len() / 2 + merkle_leaves.len() % 2);
+		let mut iter = merkle_leaves.chunks_exact(2);
+		for leaves in iter.by_ref() {
+			parents.push(tagged_branch_hash(branch_tag, leaves[0], leaves[1]));
+		}
+		for leaf in iter.remainder() {
+			parents.push(*leaf);
+		}
+		core::mem::swap(&mut parents, &mut merkle_leaves);
+	}
+
+	tagged_hash(tag, merkle_leaves.first().unwrap())
+}
+
+fn tagged_branch_hash(tag: sha256::Hash, leaf1: sha256::Hash, leaf2: sha256::Hash) -> sha256::Hash {
+	let mut engine = sha256::Hash::engine();
+	engine.input(tag.as_ref());
+	engine.input(tag.as_ref());
+	if leaf1 < leaf2 {
+		engine.input(leaf1.as_ref());
+		engine.input(leaf2.as_ref());
+	} else {
+		engine.input(leaf2.as_ref());
+		engine.input(leaf1.as_ref());
+	};
+	sha256::Hash::from_engine(engine)
+}
+
+fn tagged_hash<T: AsRef<[u8]>>(tag: sha256::Hash, msg: T) -> sha256::Hash {
+	let mut engine = sha256::Hash::engine();
+	engine.input(tag.as_ref());
+	engine.input(tag.as_ref());
+	engine.input(msg.as_ref());
+	sha256::Hash::from_engine(engine)
+}
+
+struct TlvStream<'a> {
+	data: ::io::Cursor<&'a [u8]>,
+}
+
+impl<'a> TlvStream<'a> {
+	fn new(data: &'a [u8]) -> Self {
+		Self {
+			data: ::io::Cursor::new(data),
+		}
+	}
+}
+
+struct TlvRecord<'a> {
+	r#type: BigSize,
+	length: BigSize,
+	value: &'a [u8],
+	data: &'a [u8],
+}
+
+impl AsRef<[u8]> for TlvRecord<'_> {
+	fn as_ref(&self) -> &[u8] { &self.data }
+}
+
+impl<'a> Iterator for TlvStream<'a> {
+	type Item = TlvRecord<'a>;
+
+	fn next(&mut self) -> Option<Self::Item> {
+		if self.data.position() < self.data.get_ref().len() as u64 {
+			let start = self.data.position();
+
+			let r#type: BigSize = Readable::read(&mut self.data).unwrap();
+			let length: BigSize = Readable::read(&mut self.data).unwrap();
+
+			let offset = self.data.position();
+			let end = offset + length.0;
+
+			let value = &self.data.get_ref()[offset as usize..end as usize];
+			let data = &self.data.get_ref()[start as usize..end as usize];
+
+			self.data.set_position(end);
+
+			Some(TlvRecord { r#type, length, value, data })
+		} else {
+			None
+		}
+	}
+}

lightning/src/offers/mod.rs

@@ -14,8 +14,9 @@ use bitcoin::bech32;
 use bitcoin::bech32::FromBase32;
 use bitcoin::blockdata::constants::genesis_block;
 use bitcoin::hash_types::BlockHash;
+use bitcoin::hashes::{Hash, sha256};
 use bitcoin::network::constants::Network;
-use bitcoin::secp256k1::{PublicKey, XOnlyPublicKey};
+use bitcoin::secp256k1::{Message, PublicKey, Secp256k1, XOnlyPublicKey, self};
 use bitcoin::secp256k1::schnorr::Signature;
 use core::convert::TryFrom;
 use core::str::FromStr;
@@ -30,6 +31,8 @@ use prelude::*;
 #[cfg(feature = "std")]
 use std::time::SystemTime;
 
+mod merkle;
+
 ///
 #[derive(Clone, Debug)]
 pub struct Offer {
@@ -184,6 +187,15 @@ pub enum Destination {
 	Paths(Vec<BlindedPath>),
 }
 
+impl Destination {
+	fn node_id(&self) -> XOnlyPublicKey {
+		match self {
+			Destination::NodeId(node_id) => *node_id,
+			Destination::Paths(paths) => unimplemented!(),
+		}
+	}
+}
+
 ///
 #[derive(Clone, Debug)]
 pub struct SendInvoice {
@@ -255,6 +267,10 @@ struct Recurrence {
 
 impl_writeable!(Recurrence, { time_unit, period });
 
+/// An offer parsed from a bech32-encoded string as a TLV stream and the corresponding bytes. The
+/// latter is used for signature verification.
+struct ParsedOffer(OfferTlvStream, Vec<u8>);
+
 /// Error when parsing a bech32 encoded message using [`str::parse`].
 #[derive(Debug, PartialEq)]
 pub enum ParseError {
@@ -293,6 +309,8 @@ pub enum SemanticError {
 	InvalidQuantity,
 	///
 	UnexpectedRefund,
+	///
+	InvalidSignature(secp256k1::Error),
 }
 
 impl From<bech32::Error> for ParseError {
@@ -313,23 +331,28 @@ impl From<SemanticError> for ParseError {
 	}
 }
 
+impl From<secp256k1::Error> for SemanticError {
+	fn from(error: secp256k1::Error) -> Self {
+		Self::InvalidSignature(error)
+	}
+}
+
 impl FromStr for Offer {
 	type Err = ParseError;
 
 	fn from_str(s: &str) -> Result<Self, <Self as FromStr>::Err> {
-		let tlv_stream = OfferTlvStream::from_str(s)?;
-		Ok(Offer::try_from(tlv_stream)?)
+		Ok(Offer::try_from(ParsedOffer::from_str(s)?)?)
 	}
 }
 
-impl TryFrom<OfferTlvStream> for Offer {
+impl TryFrom<ParsedOffer> for Offer {
 	type Error = SemanticError;
 
-	fn try_from(tlv_stream: OfferTlvStream) -> Result<Self, Self::Error> {
-		let OfferTlvStream {
+	fn try_from(offer: ParsedOffer) -> Result<Self, Self::Error> {
+		let ParsedOffer(OfferTlvStream {
 			chains, currency, amount, description, features, absolute_expiry, paths, issuer,
 			quantity_min, quantity_max, recurrence, node_id, send_invoice, refund_for, signature,
-		} = tlv_stream;
+		}, data) = offer;
 
 		let supported_chains = [
 			genesis_block(Network::Bitcoin).block_hash(),
@@ -394,6 +417,14 @@ impl TryFrom<OfferTlvStream> for Offer {
 			(Some(_), _) => Some(SendInvoice { refund_for }),
 		};
 
+
+		if let Some(signature) = &signature {
+			let tag = sha256::Hash::hash(concat!("lightning", "offer", "signature").as_bytes());
+			let message = Message::from_slice(&merkle::tagged_root_hash(tag, &data)).unwrap();
+			let secp_ctx = Secp256k1::verification_only();
+			secp_ctx.verify_schnorr(signature, &message, &destination.node_id())?;
+		}
+
 		Ok(Offer {
 			chains,
 			amount,
@@ -414,7 +445,7 @@ impl TryFrom<OfferTlvStream> for Offer {
 
 const OFFER_BECH32_HRP: &str = "lno";
 
-impl FromStr for OfferTlvStream {
+impl FromStr for ParsedOffer {
 	type Err = ParseError;
 
 	fn from_str(s: &str) -> Result<Self, <Self as FromStr>::Err> {
@@ -434,7 +465,7 @@ impl FromStr for OfferTlvStream {
 		}
 
 		let data = Vec::<u8>::from_base32(&data)?;
-		Ok(Readable::read(&mut &data[..])?)
+		Ok(ParsedOffer(Readable::read(&mut &data[..])?, data))
 	}
 }
 
@@ -460,7 +491,7 @@ impl core::fmt::Display for OfferTlvStream {
 
 #[cfg(test)]
 mod tests {
-	use super::{Offer, OfferTlvStream, ParseError};
+	use super::{Offer, ParseError, ParsedOffer};
 	use bitcoin::bech32;
 	use ln::msgs::DecodeError;
 
@@ -487,7 +518,7 @@ mod tests {
 		];
 		for encoded_offer in &offers {
 			// TODO: Use Offer once Destination semantics are finalized.
-			if let Err(e) = encoded_offer.parse::<OfferTlvStream>() {
+			if let Err(e) = encoded_offer.parse::<ParsedOffer>() {
 				panic!("Invalid offer ({:?}): {}", e, encoded_offer);
 			}
 		}