Add another ExpandedKey derivation for Offers

To support transient signing pubkeys and payer ids for Offers, add
another key derivation to ExpandedKey. Also useful for constructing
metadata for stateless message authentication.

Author: jkczyz

lightning/src/ln/inbound_payment.rs

@@ -19,7 +19,7 @@ use crate::ln::{PaymentHash, PaymentPreimage, PaymentSecret};
 use crate::ln::msgs;
 use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::util::chacha20::ChaCha20;
-use crate::util::crypto::hkdf_extract_expand_thrice;
+use crate::util::crypto::hkdf_extract_expand_4x;
 use crate::util::errors::APIError;
 use crate::util::logger::Logger;
 
@@ -48,19 +48,22 @@ pub struct ExpandedKey {
 	/// The key used to authenticate a user-provided payment hash and metadata as previously
 	/// registered with LDK.
 	user_pmt_hash_key: [u8; 32],
+	/// The base key used to derive signing keys and authenticate messages for BOLT 12 Offers.
+	offers_base_key: [u8; 32],
 }
 
 impl ExpandedKey {
 	/// Create a  new [`ExpandedKey`] for generating an inbound payment hash and secret.
 	///
 	/// It is recommended to cache this value and not regenerate it for each new inbound payment.
 	pub fn new(key_material: &KeyMaterial) -> ExpandedKey {
-		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key) =
-			hkdf_extract_expand_thrice(b"LDK Inbound Payment Key Expansion", &key_material.0);
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, offers_base_key) =
+			hkdf_extract_expand_4x(b"LDK Inbound Payment Key Expansion", &key_material.0);
 		Self {
 			metadata_key,
 			ldk_pmt_hash_key,
 			user_pmt_hash_key,
+			offers_base_key,
 		}
 	}
 }

lightning/src/util/crypto.rs

@@ -20,22 +20,27 @@ macro_rules! hkdf_extract_expand {
 		let (k1, k2, _) = hkdf_extract_expand!($salt, $ikm);
 		(k1, k2)
 	}};
-	($salt: expr, $ikm: expr, 3) => {{
+	($salt: expr, $ikm: expr, 4) => {{
 		let (k1, k2, prk) = hkdf_extract_expand!($salt, $ikm);
 
 		let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
 		hmac.input(&k2);
 		hmac.input(&[3; 1]);
-		(k1, k2, Hmac::from_engine(hmac).into_inner())
+		let k3 = Hmac::from_engine(hmac).into_inner();
+
+		let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+		hmac.input(&k3);
+		hmac.input(&[4; 1]);
+		(k1, k2, k3, Hmac::from_engine(hmac).into_inner())
 	}}
 }
 
 pub fn hkdf_extract_expand_twice(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32]) {
 	hkdf_extract_expand!(salt, ikm, 2)
 }
 
-pub fn hkdf_extract_expand_thrice(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32], [u8; 32]) {
-	hkdf_extract_expand!(salt, ikm, 3)
+pub fn hkdf_extract_expand_4x(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32], [u8; 32], [u8; 32]) {
+	hkdf_extract_expand!(salt, ikm, 4)
 }
 
 #[inline]