Add more parameters to BOLT 12 signing function

The function used to sign BOLT 12 messages only takes a message digest.
This doesn't allow signers to independently verify the message before
signing nor does it allow them to derive the necessary signing keys, if
they had been derived. Include additional parameters to support these
use cases.

Author: jkczyz

fuzz/src/invoice_request_deser.rs

@@ -38,15 +38,15 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 			if signing_pubkey == odd_pubkey || signing_pubkey == even_pubkey {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 					)
 					.unwrap()
 					.write(&mut buffer)
 					.unwrap();
 			} else {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 					)
 					.unwrap_err();
 			}

fuzz/src/offer_deser.rs

@@ -30,7 +30,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice_request) = build_response(&offer, pubkey) {
 			invoice_request
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

fuzz/src/refund_deser.rs

@@ -34,7 +34,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) {
 			invoice
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

lightning/src/offers/invoice.rs

@@ -55,7 +55,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -84,7 +84,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -358,7 +358,9 @@ impl<'a> InvoiceBuilder<'a, DerivedSigningPubkey> {
 
 		let keys = keys.unwrap();
 		let invoice = unsigned_invoice
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			)
 			.unwrap();
 		Ok(invoice)
 	}
@@ -381,7 +383,7 @@ impl<'a> UnsignedInvoice<'a> {
 	/// This is not exported to bindings users as functions aren't currently mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<Invoice, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 	{
 		// Use the invoice_request bytes instead of the invoice_request TLV stream as the latter may
 		// have contained unknown TLV records, which are not stored in `InvoiceRequestContents` or
@@ -393,8 +395,9 @@ impl<'a> UnsignedInvoice<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let metadata = self.invoice.metadata();
 		let pubkey = self.invoice.fields().signing_pubkey;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -609,6 +612,13 @@ impl Invoice {
 }
 
 impl InvoiceContents {
+	fn metadata(&self) -> &[u8] {
+		match self {
+			InvoiceContents::ForOffer { invoice_request, .. } => invoice_request.metadata(),
+			InvoiceContents::ForRefund { refund, .. } => refund.metadata(),
+		}
+	}
+
 	/// Whether the original offer or refund has expired.
 	#[cfg(feature = "std")]
 	fn is_offer_or_refund_expired(&self) -> bool {
@@ -1458,7 +1468,7 @@ mod tests {
 			.sign(payer_sign).unwrap()
 			.respond_with_no_std(payment_paths(), payment_hash(), now()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _, _, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),

lightning/src/offers/invoice_request.rs

@@ -44,7 +44,7 @@
 //!     .quantity(5)?
 //!     .payer_note("foo".to_string())
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -306,7 +306,9 @@ impl<'a, 'b, T: secp256k1::Signing> InvoiceRequestBuilder<'a, 'b, DerivedPayerId
 		let secp_ctx = secp_ctx.unwrap();
 		let keys = keys.unwrap();
 		let invoice_request = unsigned_invoice_request
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			)
 			.unwrap();
 		Ok(invoice_request)
 	}
@@ -352,7 +354,7 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 	/// This is not exported to bindings users as functions are not yet mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<InvoiceRequest, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 	{
 		// Use the offer bytes instead of the offer TLV stream as the offer may have contained
 		// unknown TLV records, which are not stored in `OfferContents`.
@@ -364,8 +366,9 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let metadata = self.offer.metadata().map(|metadata| metadata.as_slice()).unwrap_or(&[]);
 		let pubkey = self.invoice_request.payer_id;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -591,7 +594,7 @@ impl InvoiceRequest {
 }
 
 impl InvoiceRequestContents {
-	pub fn metadata(&self) -> &[u8] {
+	pub(super) fn metadata(&self) -> &[u8] {
 		self.inner.metadata()
 	}
 
@@ -923,7 +926,8 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, invoice_request.metadata(),
+			recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -947,7 +951,7 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, &metadata, recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -993,7 +997,8 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, invoice_request.metadata(),
+			recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -1017,7 +1022,8 @@ mod tests {
 		tlv_stream.write(&mut bytes).unwrap();
 
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, invoice_request.metadata(),
+			recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -1357,7 +1363,7 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _, _, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),
@@ -1771,7 +1777,9 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], keys.public_key()).unwrap()
 			.build().unwrap()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			)
 			.unwrap();
 
 		let mut encoded_invoice_request = Vec::new();

lightning/src/offers/merkle.rs

@@ -36,15 +36,18 @@ pub enum SignError<E> {
 /// Signs a message digest consisting of a tagged hash of the given bytes, checking if it can be
 /// verified with the supplied pubkey.
 ///
+/// `metadata` is either the payer or offer metadata, depending on the message type and origin, and
+/// may be used by `sign` to derive the signing keys.
+///
 /// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record.
 pub(super) fn sign_message<F, E>(
-	sign: F, tag: &str, bytes: &[u8], pubkey: PublicKey,
+	sign: F, tag: &str, bytes: &[u8], metadata: &[u8], pubkey: PublicKey,
 ) -> Result<Signature, SignError<E>>
 where
-	F: FnOnce(&Message) -> Result<Signature, E>
+	F: FnOnce(&Message, &str, &[u8], &[u8]) -> Result<Signature, E>
 {
 	let digest = message_digest(tag, bytes);
-	let signature = sign(&digest).map_err(|e| SignError::Signing(e))?;
+	let signature = sign(&digest, tag, bytes, metadata).map_err(|e| SignError::Signing(e))?;
 
 	let pubkey = pubkey.into();
 	let secp_ctx = Secp256k1::verification_only();
@@ -271,7 +274,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 		assert_eq!(
 			invoice_request.to_string(),
@@ -304,7 +309,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 
 		let mut bytes_without_signature = Vec::new();
@@ -334,7 +341,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|digest, _, _, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys))
+			)
 			.unwrap();
 
 		let tlv_stream = TlvStream::new(&invoice_request.bytes).range(0..1)

lightning/src/offers/test_utils.rs

@@ -24,7 +24,9 @@ pub(super) fn payer_keys() -> KeyPair {
 	KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap())
 }
 
-pub(super) fn payer_sign(digest: &Message) -> Result<Signature, Infallible> {
+pub(super) fn payer_sign(
+	digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
 	Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
@@ -39,7 +41,9 @@ pub(super) fn recipient_keys() -> KeyPair {
 	KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap())
 }
 
-pub(super) fn recipient_sign(digest: &Message) -> Result<Signature, Infallible> {
+pub(super) fn recipient_sign(
+	digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap());
 	Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))