f - invoice_request semantic and signature checks

Author: jkczyz

lightning/src/offers/invoice_request.rs

@@ -16,8 +16,8 @@ use core::convert::TryFrom;
 use core::str::FromStr;
 use ln::features::OfferFeatures;
 use offers::PayerTlvStream;
-use offers::merkle::SignatureTlvStream;
-use offers::offer::{OfferContents, OfferTlvStream};
+use offers::merkle::{SignatureTlvStream, self};
+use offers::offer::{Amount, OfferContents, OfferTlvStream};
 use offers::parse::{Bech32Encode, ParseError, SemanticError};
 
 ///
@@ -30,10 +30,10 @@ pub struct InvoiceRequest {
 pub(crate) struct InvoiceRequestContents {
 	offer: OfferContents,
 	chain: Option<BlockHash>,
-	amount_msat: Option<u64>,
+	amount_msats: Option<u64>,
 	features: Option<OfferFeatures>,
 	quantity: Option<u64>,
-	payer_id: Option<PublicKey>,
+	payer_id: PublicKey,
 	payer_note: Option<String>,
 	payer_info: Option<Vec<u8>>,
 	signature: Option<Signature>,
@@ -69,6 +69,12 @@ impl FromStr for InvoiceRequest {
 	fn from_str(s: &str) -> Result<Self, <Self as FromStr>::Err> {
 		let (tlv_stream, bytes) = InvoiceRequest::from_bech32_str(s)?;
 		let contents = InvoiceRequestContents::try_from(tlv_stream)?;
+
+		if let Some(signature) = &contents.signature {
+			let tag = concat!("lightning", "invoice_request", "signature");
+			merkle::verify_signature(signature, tag, &bytes, contents.payer_id)?;
+		}
+
 		Ok(InvoiceRequest { bytes, contents })
 	}
 }
@@ -92,17 +98,43 @@ impl TryFrom<FullInvoiceRequestTlvStream> for InvoiceRequestContents {
 			Some(_) => return Err(SemanticError::UnsupportedChain),
 		};
 
-		// TODO: Check remaining fields against the reflected offer
-		let amount_msat = amount.map(Into::into);
+		// TODO: Determine whether quantity should be accounted for
+		let amount_msats = match (offer.amount(), amount.map(Into::into)) {
+			// TODO: Handle currency case
+			(Some(Amount::Currency { .. }), _) => return Err(SemanticError::UnexpectedCurrency),
+			(Some(_), None) => return Err(SemanticError::MissingAmount),
+			(Some(Amount::Bitcoin { amount_msats: offer_amount_msats }), Some(amount_msats)) => {
+				if amount_msats < *offer_amount_msats {
+					return Err(SemanticError::InsufficientAmount);
+				} else {
+					Some(amount_msats)
+				}
+			},
+			(_, amount_msats) => amount_msats,
+		};
+
+		if let Some(features) = &features {
+			if features.requires_unknown_bits() {
+				return Err(SemanticError::UnknownRequiredFeatures);
+			}
+		}
 
-		let quantity = quantity.map(Into::into);
+		let quantity = match quantity.map(Into::into) {
+			Some(quantity) if offer.is_valid_quantity(quantity) => Some(quantity),
+			_ => return Err(SemanticError::InvalidQuantity),
+		};
+
+		let payer_id = match payer_id {
+			None => return Err(SemanticError::MissingPayerId),
+			Some(payer_id) => payer_id,
+		};
 
 		let payer_note = payer_note.map(Into::into);
 
 		let payer_info = payer_info.map(Into::into);
 
 		Ok(InvoiceRequestContents {
-			offer, chain, amount_msat, features, quantity, payer_id, payer_note, payer_info,
+			offer, chain, amount_msats, features, quantity, payer_id, payer_note, payer_info,
 			signature,
 		})
 	}

lightning/src/offers/merkle.rs

@@ -10,6 +10,7 @@
 //! Tagged hashes for use in signature calculation and verification.
 
 use bitcoin::hashes::{Hash, HashEngine, sha256};
+use bitcoin::secp256k1::{Message, PublicKey, Secp256k1, self};
 use bitcoin::secp256k1::schnorr::Signature;
 use util::ser::{BigSize, Readable};
 
@@ -19,7 +20,18 @@ tlv_stream!(struct SignatureTlvStream {
 	(240, signature: Signature),
 });
 
-pub(super) fn root_hash(data: &[u8]) -> sha256::Hash {
+pub(super) fn verify_signature(
+	signature: &Signature, tag: &str, bytes: &[u8], pubkey: PublicKey,
+) -> Result<(), secp256k1::Error> {
+	let tag = sha256::Hash::hash(tag.as_bytes());
+	let merkle_root = root_hash(bytes);
+	let digest = Message::from_slice(&tagged_hash(tag, merkle_root)).unwrap();
+	let pubkey = pubkey.into();
+	let secp_ctx = Secp256k1::verification_only();
+	secp_ctx.verify_schnorr(signature, &digest, &pubkey)
+}
+
+fn root_hash(data: &[u8]) -> sha256::Hash {
 	let mut tlv_stream = TlvStream::new(&data[..]).peekable();
 	let nonce_tag = tagged_hash_engine(sha256::Hash::from_engine({
 		let mut engine = sha256::Hash::engine();
@@ -55,7 +67,7 @@ pub(super) fn root_hash(data: &[u8]) -> sha256::Hash {
 	*leaves.first().unwrap()
 }
 
-pub(super) fn tagged_hash<T: AsRef<[u8]>>(tag: sha256::Hash, msg: T) -> sha256::Hash {
+fn tagged_hash<T: AsRef<[u8]>>(tag: sha256::Hash, msg: T) -> sha256::Hash {
 	let engine = tagged_hash_engine(tag);
 	tagged_hash_from_engine(engine, msg)
 }

lightning/src/offers/offer.rs

@@ -183,7 +183,7 @@ impl Offer {
 
 	///
 	pub fn amount(&self) -> Option<&Amount> {
-		self.contents.amount.as_ref()
+		self.contents.amount()
 	}
 
 	///
@@ -233,6 +233,11 @@ impl Offer {
 		self.contents.quantity_max()
 	}
 
+	///
+	pub fn is_valid_quantity(&self, quantity: u64) -> bool {
+		self.contents.is_valid_quantity(quantity)
+	}
+
 	///
 	pub fn node_id(&self) -> PublicKey {
 		self.contents.node_id.unwrap()
@@ -271,6 +276,10 @@ impl OfferContents {
 			.unwrap_or_else(|| genesis_block(Network::Bitcoin).block_hash())
 	}
 
+	pub fn amount(&self) -> Option<&Amount> {
+		self.amount.as_ref()
+	}
+
 	pub fn quantity_min(&self) -> u64 {
 		self.quantity_min.unwrap_or(1)
 	}
@@ -280,6 +289,14 @@ impl OfferContents {
 			self.quantity_min.map_or(1, |_| u64::max_value()))
 	}
 
+	pub fn is_valid_quantity(&self, quantity: u64) -> bool {
+		if self.quantity_min.is_none() && self.quantity_max.is_none() {
+			false
+		} else {
+			quantity >= self.quantity_min() && quantity <= self.quantity_max()
+		}
+	}
+
 	fn as_tlv_stream(&self) -> reference::OfferTlvStream {
 		let (currency, amount) = match &self.amount {
 			None => (None, None),

lightning/src/offers/parse.rs

@@ -11,6 +11,7 @@
 
 use bitcoin::bech32;
 use bitcoin::bech32::{FromBase32, ToBase32};
+use bitcoin::secp256k1;
 use core::fmt;
 use ln::msgs::DecodeError;
 use util::ser::Readable;
@@ -68,6 +69,8 @@ pub enum ParseError {
 	Decode(DecodeError),
 	/// The parsed message has invalid semantics.
 	InvalidSemantics(SemanticError),
+	/// The parsed message has an invalid signature.
+	InvalidSignature(secp256k1::Error),
 }
 
 /// Error when interpreting a TLV stream as a specific type.
@@ -77,6 +80,12 @@ pub enum SemanticError {
 	UnsupportedChain,
 	/// A currency was provided without an amount.
 	UnexpectedCurrency,
+	///
+	MissingAmount,
+	///
+	InsufficientAmount,
+	///
+	UnknownRequiredFeatures,
 	/// A required description was not provided.
 	MissingDescription,
 	/// A node id was not provided.
@@ -85,6 +94,8 @@ pub enum SemanticError {
 	MissingPaths,
 	/// A quantity representing an empty range or that was outside of a valid range was provided.
 	InvalidQuantity,
+	///
+	MissingPayerId,
 }
 
 impl From<bech32::Error> for ParseError {
@@ -104,3 +115,9 @@ impl From<SemanticError> for ParseError {
 		Self::InvalidSemantics(error)
 	}
 }
+
+impl From<secp256k1::Error> for ParseError {
+	fn from(error: secp256k1::Error) -> Self {
+		Self::InvalidSignature(error)
+	}
+}