f - Rename TaggedBytes to TaggedMessage and rewrite docs

Author: jkczyz

fuzz/src/invoice_request_deser.rs

@@ -38,15 +38,15 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 			if signing_pubkey == odd_pubkey || signing_pubkey == even_pubkey {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 					)
 					.unwrap()
 					.write(&mut buffer)
 					.unwrap();
 			} else {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 					)
 					.unwrap_err();
 			}

fuzz/src/offer_deser.rs

@@ -30,7 +30,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice_request) = build_response(&offer, pubkey) {
 			invoice_request
 				.sign::<_, Infallible>(
-					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

fuzz/src/refund_deser.rs

@@ -34,7 +34,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) {
 			invoice
 				.sign::<_, Infallible>(
-					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

lightning/src/offers/invoice.rs

@@ -55,7 +55,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -84,7 +84,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -110,7 +110,7 @@ use crate::ln::features::{BlindedHopFeatures, Bolt12InvoiceFeatures};
 use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice_request::{INVOICE_REQUEST_PAYER_ID_TYPE, INVOICE_REQUEST_TYPES, IV_BYTES as INVOICE_REQUEST_IV_BYTES, InvoiceRequest, InvoiceRequestContents, InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedBytes, TlvStream, WithoutSignatures, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, TlvStream, WithoutSignatures, self};
 use crate::offers::offer::{Amount, OFFER_TYPES, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PAYER_METADATA_TYPE, PayerTlvStream, PayerTlvStreamRef};
@@ -359,7 +359,7 @@ impl<'a> InvoiceBuilder<'a, DerivedSigningPubkey> {
 		let keys = keys.unwrap();
 		let invoice = unsigned_invoice
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 			)
 			.unwrap();
 		Ok(invoice)
@@ -383,7 +383,7 @@ impl<'a> UnsignedInvoice<'a> {
 	/// This is not exported to bindings users as functions aren't currently mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<Invoice, SignError<E>>
 	where
-		F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
+		F: FnOnce(&TaggedHash, &[u8]) -> Result<Signature, E>
 	{
 		// Use the invoice_request bytes instead of the invoice_request TLV stream as the latter may
 		// have contained unknown TLV records, which are not stored in `InvoiceRequestContents` or
@@ -395,7 +395,7 @@ impl<'a> UnsignedInvoice<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(SIGNATURE_TAG, &bytes);
 		let metadata = self.invoice.metadata();
 		let pubkey = self.invoice.fields().signing_pubkey;
 		let signature = merkle::sign_message(sign, message, metadata, pubkey)?;

lightning/src/offers/invoice_request.rs

@@ -44,7 +44,7 @@
 //!     .quantity(5)?
 //!     .payer_note("foo".to_string())
 //!     .build()?
-//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -66,7 +66,7 @@ use crate::ln::features::InvoiceRequestFeatures;
 use crate::ln::inbound_payment::{ExpandedKey, IV_LEN, Nonce};
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, DerivedSigningPubkey, ExplicitSigningPubkey, InvoiceBuilder};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedBytes, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedHash, self};
 use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
@@ -307,7 +307,7 @@ impl<'a, 'b, T: secp256k1::Signing> InvoiceRequestBuilder<'a, 'b, DerivedPayerId
 		let keys = keys.unwrap();
 		let invoice_request = unsigned_invoice_request
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 			)
 			.unwrap();
 		Ok(invoice_request)
@@ -354,7 +354,7 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 	/// This is not exported to bindings users as functions are not yet mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<InvoiceRequest, SignError<E>>
 	where
-		F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
+		F: FnOnce(&TaggedHash, &[u8]) -> Result<Signature, E>
 	{
 		// Use the offer bytes instead of the offer TLV stream as the offer may have contained
 		// unknown TLV records, which are not stored in `OfferContents`.
@@ -366,7 +366,7 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(SIGNATURE_TAG, &bytes);
 		let metadata = self.offer.metadata().map(|metadata| metadata.as_slice()).unwrap_or(&[]);
 		let pubkey = self.invoice_request.payer_id;
 		let signature = merkle::sign_message(sign, message, metadata, pubkey)?;
@@ -794,7 +794,7 @@ mod tests {
 	use crate::ln::inbound_payment::ExpandedKey;
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use crate::offers::invoice::{Invoice, SIGNATURE_TAG as INVOICE_SIGNATURE_TAG};
-	use crate::offers::merkle::{SignError, SignatureTlvStreamRef, TaggedBytes, self};
+	use crate::offers::merkle::{SignError, SignatureTlvStreamRef, TaggedHash, self};
 	use crate::offers::offer::{Amount, OfferBuilder, OfferTlvStreamRef, Quantity};
 	use crate::offers::parse::{ParseError, SemanticError};
 	use crate::offers::payer::PayerTlvStreamRef;
@@ -926,7 +926,7 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
 			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
@@ -951,7 +951,7 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
 			recipient_sign, message, &metadata, recipient_pubkey()
 		).unwrap();
@@ -998,7 +998,7 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
 			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
@@ -1023,7 +1023,7 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
-		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
+		let message = TaggedHash::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
 			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
@@ -1780,7 +1780,7 @@ mod tests {
 			.request_invoice(vec![1; 32], keys.public_key()).unwrap()
 			.build().unwrap()
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 			)
 			.unwrap();
 

lightning/src/offers/merkle.rs

@@ -25,22 +25,28 @@ tlv_stream!(SignatureTlvStream, SignatureTlvStreamRef, SIGNATURE_TYPES, {
 	(240, signature: Signature),
 });
 
-/// Bytes associated with a tag, which are used to produced a [`Message`] digest to sign.
-pub struct TaggedBytes<'a> {
+/// A hash for use in a specific context by tweaking with a context-dependent tag as per [BIP 340]
+/// and computed over the merkle root of a TLV stream to sign as defined in [BOLT 12].
+///
+/// The hash is computed lazily from the TLV stream.
+///
+/// [BIP 340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+/// [BOLT 12]: https://github.com/rustyrussell/lightning-rfc/blob/guilt/offers/12-offer-encoding.md#signature-calculation
+pub struct TaggedHash<'a> {
 	tag: &'a str,
-	bytes: &'a [u8],
+	tlv_stream: &'a [u8],
 	digest: RefCell<Option<Message>>,
 }
 
-impl<'a> TaggedBytes<'a> {
-	/// Creates tagged bytes with the given parameters.
-	pub fn new(tag: &'a str, bytes: &'a [u8]) -> Self {
-		Self { tag, bytes, digest: RefCell::new(None) }
+impl<'a> TaggedHash<'a> {
+	/// Creates a tagged hash with the given parameters.
+	pub fn new(tag: &'a str, tlv_stream: &'a [u8]) -> Self {
+		Self { tag, tlv_stream, digest: RefCell::new(None) }
 	}
 
 	/// Returns the digest to sign.
-	pub fn digest(&self) -> Message {
-		*self.digest.borrow_mut().get_or_insert_with(|| message_digest(self.tag, self.bytes))
+	pub fn to_digest(&self) -> Message {
+		*self.digest.borrow_mut().get_or_insert_with(|| message_digest(self.tag, self.tlv_stream))
 	}
 }
 
@@ -53,24 +59,25 @@ pub enum SignError<E> {
 	Verification(secp256k1::Error),
 }
 
-/// Signs a message digest consisting of a tagged hash of the given bytes, checking if it can be
-/// verified with the supplied pubkey.
+/// Signs a message digest consisting of a tagged hash over the merkle root of a TLV stream,
+/// checking if it can be verified with the supplied pubkey.
 ///
-/// `metadata` is either the payer or offer metadata, depending on the message type and origin, and
-/// may be used by `sign` to derive the signing keys.
+/// `metadata` is either the payer or offer metadata, depending on the message type, and may be used
+/// by `sign` to derive the signing keys.
 ///
-/// Panics if `message` is not a well-formed TLV stream containing at least one TLV record.
+/// Panics if the underlying TLV stream of `message` is not a well-formed TLV stream containing at
+/// least one TLV record.
 pub(super) fn sign_message<F, E>(
-	sign: F, message: TaggedBytes, metadata: &[u8], pubkey: PublicKey,
+	sign: F, message: TaggedHash, metadata: &[u8], pubkey: PublicKey,
 ) -> Result<Signature, SignError<E>>
 where
-	F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
+	F: FnOnce(&TaggedHash, &[u8]) -> Result<Signature, E>
 {
 	let signature = sign(&message, metadata).map_err(|e| SignError::Signing(e))?;
 
 	let pubkey = pubkey.into();
 	let secp_ctx = Secp256k1::verification_only();
-	secp_ctx.verify_schnorr(&signature, &message.digest(), &pubkey)
+	secp_ctx.verify_schnorr(&signature, &message.to_digest(), &pubkey)
 		.map_err(|e| SignError::Verification(e))?;
 
 	Ok(signature)
@@ -295,7 +302,7 @@ mod tests {
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &payer_keys))
 			)
 			.unwrap();
 		assert_eq!(
@@ -330,7 +337,7 @@ mod tests {
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &payer_keys))
 			)
 			.unwrap();
 
@@ -362,7 +369,7 @@ mod tests {
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
 			.sign::<_, Infallible>(
-				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &payer_keys))
 			)
 			.unwrap();
 

lightning/src/offers/test_utils.rs

@@ -18,17 +18,17 @@ use crate::sign::EntropySource;
 use crate::ln::PaymentHash;
 use crate::ln::features::BlindedHopFeatures;
 use crate::offers::invoice::BlindedPayInfo;
-use crate::offers::merkle::TaggedBytes;
+use crate::offers::merkle::TaggedHash;
 
 pub(super) fn payer_keys() -> KeyPair {
 	let secp_ctx = Secp256k1::new();
 	KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap())
 }
 
-pub(super) fn payer_sign(message: &TaggedBytes, _metadata: &[u8]) -> Result<Signature, Infallible> {
+pub(super) fn payer_sign(message: &TaggedHash, _metadata: &[u8]) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
-	Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+	Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 }
 
 pub(super) fn payer_pubkey() -> PublicKey {
@@ -41,11 +41,11 @@ pub(super) fn recipient_keys() -> KeyPair {
 }
 
 pub(super) fn recipient_sign(
-	message: &TaggedBytes, _metadata: &[u8]
+	message: &TaggedHash, _metadata: &[u8]
 ) -> Result<Signature, Infallible> {
 	let secp_ctx = Secp256k1::new();
 	let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[43; 32]).unwrap());
-	Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+	Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.to_digest(), &keys))
 }
 
 pub(super) fn recipient_pubkey() -> PublicKey {