Add another ExpandedKey derivation for Offers

jkczyz · jkczyz · commit 4ed63edad601 · 2023-02-09T15:26:52.000-06:00
To support transient signing pubkeys and payer ids for Offers, add
another key derivation to ExpandedKey. Also useful for constructing
metadata for stateless message authentication.
diff --git a/lightning/src/ln/inbound_payment.rs b/lightning/src/ln/inbound_payment.rs
@@ -19,7 +19,7 @@ use crate::ln::{PaymentHash, PaymentPreimage, PaymentSecret};
 use crate::ln::msgs;
 use crate::ln::msgs::MAX_VALUE_MSAT;
 use crate::util::chacha20::ChaCha20;
-use crate::util::crypto::hkdf_extract_expand_thrice;
+use crate::util::crypto::hkdf_extract_expand_4x;
 use crate::util::errors::APIError;
 use crate::util::logger::Logger;
 
@@ -48,19 +48,22 @@ pub struct ExpandedKey {
 	/// The key used to authenticate a user-provided payment hash and metadata as previously
 	/// registered with LDK.
 	user_pmt_hash_key: [u8; 32],
+	/// The base key used to derive signing keys and authenticate messages for BOLT 12 Offers.
+	offers_base_key: [u8; 32],
 }
 
 impl ExpandedKey {
 	/// Create a  new [`ExpandedKey`] for generating an inbound payment hash and secret.
 	///
 	/// It is recommended to cache this value and not regenerate it for each new inbound payment.
 	pub fn new(key_material: &KeyMaterial) -> ExpandedKey {
-		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key) =
-			hkdf_extract_expand_thrice(b"LDK Inbound Payment Key Expansion", &key_material.0);
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, offers_base_key) =
+			hkdf_extract_expand_4x(b"LDK Inbound Payment Key Expansion", &key_material.0);
 		Self {
 			metadata_key,
 			ldk_pmt_hash_key,
 			user_pmt_hash_key,
+			offers_base_key,
 		}
 	}
 }
diff --git a/lightning/src/util/crypto.rs b/lightning/src/util/crypto.rs
@@ -27,15 +27,28 @@ macro_rules! hkdf_extract_expand {
 		hmac.input(&k2);
 		hmac.input(&[3; 1]);
 		(k1, k2, Hmac::from_engine(hmac).into_inner())
+	}};
+	($salt: expr, $ikm: expr, 4) => {{
+		let (k1, k2, prk) = hkdf_extract_expand!($salt, $ikm);
+
+		let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+		hmac.input(&k2);
+		hmac.input(&[3; 1]);
+		let k3 = Hmac::from_engine(hmac).into_inner();
+
+		let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+		hmac.input(&k3);
+		hmac.input(&[4; 1]);
+		(k1, k2, k3, Hmac::from_engine(hmac).into_inner())
 	}}
 }
 
 pub fn hkdf_extract_expand_twice(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32]) {
 	hkdf_extract_expand!(salt, ikm, 2)
 }
 
-pub fn hkdf_extract_expand_thrice(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32], [u8; 32]) {
-	hkdf_extract_expand!(salt, ikm, 3)
+pub fn hkdf_extract_expand_4x(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32], [u8; 32], [u8; 32]) {
+	hkdf_extract_expand!(salt, ikm, 4)
 }
 
 #[inline]
