fixup: Add method to derive Peer Storage encryption key

adi2011 · adi2011 · commit 57341a1d7a31 · 2025-03-12T00:19:08.000+05:30
diff --git a/fuzz/src/chanmon_consistency.rs b/fuzz/src/chanmon_consistency.rs
@@ -338,8 +338,8 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
-		SecretKey::from_slice(&[42; 32]).unwrap()
+	fn get_peer_storage_key(&self) -> [u8; 32] {
+		SecretKey::from_slice(&[42; 32]).unwrap().secret_bytes()
 	}
 
 	fn sign_bolt12_invoice(
diff --git a/fuzz/src/full_stack.rs b/fuzz/src/full_stack.rs
@@ -422,8 +422,8 @@ impl NodeSigner for KeyProvider {
 		Ok(secp_ctx.sign_ecdsa(&msg_hash, &self.node_secret))
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
-		SecretKey::from_slice(&[42; 32]).unwrap()
+	fn get_peer_storage_key(&self) -> [u8; 32] {
+		SecretKey::from_slice(&[42; 32]).unwrap().secret_bytes()
 	}
 }
 
diff --git a/fuzz/src/onion_message.rs b/fuzz/src/onion_message.rs
@@ -247,7 +247,7 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
+	fn get_peer_storage_key(&self) -> [u8; 32] {
 		unreachable!()
 	}
 }
diff --git a/lightning/src/ln/blinded_payment_tests.rs b/lightning/src/ln/blinded_payment_tests.rs
@@ -1609,7 +1609,7 @@ fn route_blinding_spec_test_vector() {
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,
 		) -> Result<RecoverableSignature, ()> { unreachable!() }
-		fn get_peer_storage_key(&self) -> SecretKey { unreachable!() }
+		fn get_peer_storage_key(&self) -> [u8; 32] { unreachable!() }
 		fn sign_bolt12_invoice(
 			&self, _invoice: &UnsignedBolt12Invoice,
 		) -> Result<schnorr::Signature, ()> { unreachable!() }
@@ -1919,7 +1919,7 @@ fn test_trampoline_inbound_payment_decoding() {
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,
 		) -> Result<RecoverableSignature, ()> { unreachable!() }
-		fn get_peer_storage_key(&self) -> SecretKey { unreachable!() }
+		fn get_peer_storage_key(&self) -> [u8; 32] { unreachable!() }
 		fn sign_bolt12_invoice(
 			&self, _invoice: &UnsignedBolt12Invoice,
 		) -> Result<schnorr::Signature, ()> { unreachable!() }
diff --git a/lightning/src/sign/mod.rs b/lightning/src/sign/mod.rs
@@ -833,24 +833,10 @@ pub trait NodeSigner {
 	///
 	/// Implementations of this method must derive a secure encryption key.
 	/// The key is used to encrypt or decrypt backups of our state stored with our peers.
-	/// Thus, if you wish to rely on recovery using this method, you should use a key which can be re-derived from data which would be available after state loss (eg the wallet seed)
 	///
-	/// # Implementation Details
-	///
-	/// - The key must be derived from a node-specific secret to ensure uniqueness.
-	/// - The derived key must be exactly **32 bytes** and suitable for symmetric
-	///   encryption algorithms.
-	///
-	/// # Returns
-	///
-	/// A [`SecretKey`] representing the encryption key for peer storage.
-	///
-	/// # Usage
-	///
-	/// This method is invoked when encrypting or decrypting peer storage data.
-	/// It must return the same key every time it is called, ensuring consistency
-	/// for encryption and decryption operations.
-	fn get_peer_storage_key(&self) -> SecretKey;
+	/// Thus, if you wish to rely on recovery using this method, you should use a key which
+	/// can be re-derived from data which would be available after state loss (eg the wallet seed)
+	fn get_peer_storage_key(&self) -> [u8; 32];
 
 	/// Get node id based on the provided [`Recipient`].
 	///
@@ -2116,8 +2102,8 @@ impl NodeSigner for KeysManager {
 		self.inbound_payment_key.clone()
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
-		self.peer_storage_key
+	fn get_peer_storage_key(&self) -> [u8; 32] {
+		self.peer_storage_key.secret_bytes()
 	}
 
 	fn sign_invoice(
@@ -2281,8 +2267,8 @@ impl NodeSigner for PhantomKeysManager {
 		self.inbound_payment_key.clone()
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
-		self.inner.peer_storage_key
+	fn get_peer_storage_key(&self) -> [u8; 32] {
+		self.inner.peer_storage_key.secret_bytes()
 	}
 
 	fn sign_invoice(
diff --git a/lightning/src/util/dyn_signer.rs b/lightning/src/util/dyn_signer.rs
@@ -221,7 +221,7 @@ inner,
 		invoice: &crate::offers::invoice::UnsignedBolt12Invoice
 	) -> Result<secp256k1::schnorr::Signature, ()>,
 	fn get_inbound_payment_key(,) -> ExpandedKey,
-	fn get_peer_storage_key(,) -> SecretKey
+	fn get_peer_storage_key(,) -> [u8; 32]
 );
 
 delegate!(DynKeysInterface, SignerProvider,
@@ -290,7 +290,7 @@ delegate!(DynPhantomKeysInterface, NodeSigner,
 	fn sign_bolt12_invoice(, invoice: &crate::offers::invoice::UnsignedBolt12Invoice
 	) -> Result<secp256k1::schnorr::Signature, ()>,
 	fn get_inbound_payment_key(,) -> ExpandedKey,
-	fn get_peer_storage_key(,) -> SecretKey
+	fn get_peer_storage_key(,) -> [u8; 32]
 );
 
 impl SignerProvider for DynPhantomKeysInterface {
diff --git a/lightning/src/util/test_utils.rs b/lightning/src/util/test_utils.rs
@@ -1452,7 +1452,7 @@ impl NodeSigner for TestNodeSigner {
 		unreachable!()
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
+	fn get_peer_storage_key(&self) -> [u8; 32] {
 		unreachable!()
 	}
 
@@ -1534,7 +1534,7 @@ impl NodeSigner for TestKeysInterface {
 		self.backing.sign_invoice(invoice, recipient)
 	}
 
-	fn get_peer_storage_key(&self) -> SecretKey {
+	fn get_peer_storage_key(&self) -> [u8; 32] {
 		self.backing.get_peer_storage_key()
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -338,8 +338,8 @@ impl NodeSigner for KeyProvider {`
`338`	`338`	`unreachable!()`
`339`	`339`	`}`
`340`	`340`
`341`		`- fn get_peer_storage_key(&self) -> SecretKey {`
`342`		`- SecretKey::from_slice(&[42; 32]).unwrap()`
	`341`	`+ fn get_peer_storage_key(&self) -> [u8; 32] {`
	`342`	`+ SecretKey::from_slice(&[42; 32]).unwrap().secret_bytes()`
`343`	`343`	`}`
`344`	`344`
`345`	`345`	`fn sign_bolt12_invoice(`
Original file line number	Diff line number	Diff line change
`@@ -422,8 +422,8 @@ impl NodeSigner for KeyProvider {`
`422`	`422`	`Ok(secp_ctx.sign_ecdsa(&msg_hash, &self.node_secret))`
`423`	`423`	`}`
`424`	`424`
`425`		`- fn get_peer_storage_key(&self) -> SecretKey {`
`426`		`- SecretKey::from_slice(&[42; 32]).unwrap()`
	`425`	`+ fn get_peer_storage_key(&self) -> [u8; 32] {`
	`426`	`+ SecretKey::from_slice(&[42; 32]).unwrap().secret_bytes()`
`427`	`427`	`}`
`428`	`428`	`}`
`429`	`429`
Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ impl NodeSigner for KeyProvider {`
`247`	`247`	`unreachable!()`
`248`	`248`	`}`
`249`	`249`
`250`		`- fn get_peer_storage_key(&self) -> SecretKey {`
	`250`	`+ fn get_peer_storage_key(&self) -> [u8; 32] {`
`251`	`251`	`unreachable!()`
`252`	`252`	`}`
`253`	`253`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1452,7 +1452,7 @@ impl NodeSigner for TestNodeSigner {`
`1452`	`1452`	`unreachable!()`
`1453`	`1453`	`}`
`1454`	`1454`
`1455`		`- fn get_peer_storage_key(&self) -> SecretKey {`
	`1455`	`+ fn get_peer_storage_key(&self) -> [u8; 32] {`
`1456`	`1456`	`unreachable!()`
`1457`	`1457`	`}`
`1458`	`1458`
`@@ -1534,7 +1534,7 @@ impl NodeSigner for TestKeysInterface {`
`1534`	`1534`	`self.backing.sign_invoice(invoice, recipient)`
`1535`	`1535`	`}`
`1536`	`1536`
`1537`		`- fn get_peer_storage_key(&self) -> SecretKey {`
	`1537`	`+ fn get_peer_storage_key(&self) -> [u8; 32] {`
`1538`	`1538`	`self.backing.get_peer_storage_key()`
`1539`	`1539`	`}`
`1540`	`1540`