Add more parameters to BOLT 12 signing function

The function used to sign BOLT 12 messages only takes a message digest.
This doesn't allow signers to independently verify the message before
signing nor does it allow them to derive the necessary signing keys, if
they had been derived. Include additional parameters to support these
use cases.

Author: jkczyz

fuzz/src/invoice_request_deser.rs

@@ -38,15 +38,15 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 			if signing_pubkey == odd_pubkey || signing_pubkey == even_pubkey {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
 					)
 					.unwrap()
 					.write(&mut buffer)
 					.unwrap();
 			} else {
 				unsigned_invoice
 					.sign::<_, Infallible>(
-						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+						|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
 					)
 					.unwrap_err();
 			}

fuzz/src/offer_deser.rs

@@ -30,7 +30,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice_request) = build_response(&offer, pubkey) {
 			invoice_request
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

fuzz/src/refund_deser.rs

@@ -34,7 +34,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
 		if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) {
 			invoice
 				.sign::<_, Infallible>(
-					|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
 				)
 				.unwrap()
 				.write(&mut buffer)

lightning/src/offers/invoice.rs

@@ -55,7 +55,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -84,7 +84,7 @@
 //!     .allow_mpp()
 //!     .fallback_v0_p2wpkh(&wpubkey_hash)
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -97,7 +97,7 @@ use bitcoin::blockdata::constants::ChainHash;
 use bitcoin::hash_types::{WPubkeyHash, WScriptHash};
 use bitcoin::hashes::Hash;
 use bitcoin::network::constants::Network;
-use bitcoin::secp256k1::{KeyPair, Message, PublicKey, Secp256k1, self};
+use bitcoin::secp256k1::{KeyPair, PublicKey, Secp256k1, self};
 use bitcoin::secp256k1::schnorr::Signature;
 use bitcoin::util::address::{Address, Payload, WitnessVersion};
 use bitcoin::util::schnorr::TweakedPublicKey;
@@ -110,7 +110,7 @@ use crate::ln::features::{BlindedHopFeatures, Bolt12InvoiceFeatures};
 use crate::ln::inbound_payment::ExpandedKey;
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice_request::{INVOICE_REQUEST_PAYER_ID_TYPE, INVOICE_REQUEST_TYPES, IV_BYTES as INVOICE_REQUEST_IV_BYTES, InvoiceRequest, InvoiceRequestContents, InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, WithoutSignatures, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedBytes, TlvStream, WithoutSignatures, self};
 use crate::offers::offer::{Amount, OFFER_TYPES, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PAYER_METADATA_TYPE, PayerTlvStream, PayerTlvStreamRef};
@@ -358,7 +358,9 @@ impl<'a> InvoiceBuilder<'a, DerivedSigningPubkey> {
 
 		let keys = keys.unwrap();
 		let invoice = unsigned_invoice
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+			)
 			.unwrap();
 		Ok(invoice)
 	}
@@ -381,7 +383,7 @@ impl<'a> UnsignedInvoice<'a> {
 	/// This is not exported to bindings users as functions aren't currently mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<Invoice, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
 	{
 		// Use the invoice_request bytes instead of the invoice_request TLV stream as the latter may
 		// have contained unknown TLV records, which are not stored in `InvoiceRequestContents` or
@@ -393,8 +395,10 @@ impl<'a> UnsignedInvoice<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(SIGNATURE_TAG, &bytes);
+		let metadata = self.invoice.metadata();
 		let pubkey = self.invoice.fields().signing_pubkey;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, message, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -609,6 +613,13 @@ impl Invoice {
 }
 
 impl InvoiceContents {
+	fn metadata(&self) -> &[u8] {
+		match self {
+			InvoiceContents::ForOffer { invoice_request, .. } => invoice_request.metadata(),
+			InvoiceContents::ForRefund { refund, .. } => refund.metadata(),
+		}
+	}
+
 	/// Whether the original offer or refund has expired.
 	#[cfg(feature = "std")]
 	fn is_offer_or_refund_expired(&self) -> bool {
@@ -1458,7 +1469,7 @@ mod tests {
 			.sign(payer_sign).unwrap()
 			.respond_with_no_std(payment_paths(), payment_hash(), now()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),

lightning/src/offers/invoice_request.rs

@@ -44,7 +44,7 @@
 //!     .quantity(5)?
 //!     .payer_note("foo".to_string())
 //!     .build()?
-//!     .sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+//!     .sign::<_, Infallible>(|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys)))
 //!     .expect("failed verifying signature")
 //!     .write(&mut buffer)
 //!     .unwrap();
@@ -54,7 +54,7 @@
 
 use bitcoin::blockdata::constants::ChainHash;
 use bitcoin::network::constants::Network;
-use bitcoin::secp256k1::{KeyPair, Message, PublicKey, Secp256k1, self};
+use bitcoin::secp256k1::{KeyPair, PublicKey, Secp256k1, self};
 use bitcoin::secp256k1::schnorr::Signature;
 use core::convert::{Infallible, TryFrom};
 use core::ops::Deref;
@@ -66,7 +66,7 @@ use crate::ln::features::InvoiceRequestFeatures;
 use crate::ln::inbound_payment::{ExpandedKey, IV_LEN, Nonce};
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, DerivedSigningPubkey, ExplicitSigningPubkey, InvoiceBuilder};
-use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, self};
+use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TaggedBytes, self};
 use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
@@ -306,7 +306,9 @@ impl<'a, 'b, T: secp256k1::Signing> InvoiceRequestBuilder<'a, 'b, DerivedPayerId
 		let secp_ctx = secp_ctx.unwrap();
 		let keys = keys.unwrap();
 		let invoice_request = unsigned_invoice_request
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+			)
 			.unwrap();
 		Ok(invoice_request)
 	}
@@ -352,7 +354,7 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 	/// This is not exported to bindings users as functions are not yet mapped.
 	pub fn sign<F, E>(self, sign: F) -> Result<InvoiceRequest, SignError<E>>
 	where
-		F: FnOnce(&Message) -> Result<Signature, E>
+		F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
 	{
 		// Use the offer bytes instead of the offer TLV stream as the offer may have contained
 		// unknown TLV records, which are not stored in `OfferContents`.
@@ -364,8 +366,10 @@ impl<'a> UnsignedInvoiceRequest<'a> {
 		let mut bytes = Vec::new();
 		unsigned_tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(SIGNATURE_TAG, &bytes);
+		let metadata = self.offer.metadata().map(|metadata| metadata.as_slice()).unwrap_or(&[]);
 		let pubkey = self.invoice_request.payer_id;
-		let signature = merkle::sign_message(sign, SIGNATURE_TAG, &bytes, pubkey)?;
+		let signature = merkle::sign_message(sign, message, metadata, pubkey)?;
 
 		// Append the signature TLV record to the bytes.
 		let signature_tlv_stream = SignatureTlvStreamRef {
@@ -591,7 +595,7 @@ impl InvoiceRequest {
 }
 
 impl InvoiceRequestContents {
-	pub fn metadata(&self) -> &[u8] {
+	pub(super) fn metadata(&self) -> &[u8] {
 		self.inner.metadata()
 	}
 
@@ -790,7 +794,7 @@ mod tests {
 	use crate::ln::inbound_payment::ExpandedKey;
 	use crate::ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use crate::offers::invoice::{Invoice, SIGNATURE_TAG as INVOICE_SIGNATURE_TAG};
-	use crate::offers::merkle::{SignError, SignatureTlvStreamRef, self};
+	use crate::offers::merkle::{SignError, SignatureTlvStreamRef, TaggedBytes, self};
 	use crate::offers::offer::{Amount, OfferBuilder, OfferTlvStreamRef, Quantity};
 	use crate::offers::parse::{ParseError, SemanticError};
 	use crate::offers::payer::PayerTlvStreamRef;
@@ -922,8 +926,9 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -946,8 +951,9 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, message, &metadata, recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -992,8 +998,9 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -1016,8 +1023,9 @@ mod tests {
 		let mut bytes = Vec::new();
 		tlv_stream.write(&mut bytes).unwrap();
 
+		let message = TaggedBytes::new(INVOICE_SIGNATURE_TAG, &bytes);
 		let signature = merkle::sign_message(
-			recipient_sign, INVOICE_SIGNATURE_TAG, &bytes, recipient_pubkey()
+			recipient_sign, message, invoice_request.metadata(), recipient_pubkey()
 		).unwrap();
 		signature_tlv_stream.signature = Some(&signature);
 
@@ -1357,7 +1365,7 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
 			.build().unwrap()
-			.sign(|_| Err(()))
+			.sign(|_, _| Err(()))
 		{
 			Ok(_) => panic!("expected error"),
 			Err(e) => assert_eq!(e, SignError::Signing(())),
@@ -1771,7 +1779,9 @@ mod tests {
 			.build().unwrap()
 			.request_invoice(vec![1; 32], keys.public_key()).unwrap()
 			.build().unwrap()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &keys))
+			)
 			.unwrap();
 
 		let mut encoded_invoice_request = Vec::new();

lightning/src/offers/merkle.rs

@@ -12,6 +12,7 @@
 use bitcoin::hashes::{Hash, HashEngine, sha256};
 use bitcoin::secp256k1::{Message, PublicKey, Secp256k1, self};
 use bitcoin::secp256k1::schnorr::Signature;
+use core::cell::RefCell;
 use crate::io;
 use crate::util::ser::{BigSize, Readable, Writeable, Writer};
 
@@ -24,6 +25,25 @@ tlv_stream!(SignatureTlvStream, SignatureTlvStreamRef, SIGNATURE_TYPES, {
 	(240, signature: Signature),
 });
 
+/// Bytes associated with a tag, which are used to produced a [`Message`] digest to sign.
+pub struct TaggedBytes<'a> {
+	tag: &'a str,
+	bytes: &'a [u8],
+	digest: RefCell<Option<Message>>,
+}
+
+impl<'a> TaggedBytes<'a> {
+	/// Creates tagged bytes with the given parameters.
+	pub fn new(tag: &'a str, bytes: &'a [u8]) -> Self {
+		Self { tag, bytes, digest: RefCell::new(None) }
+	}
+
+	/// Returns the digest to sign.
+	pub fn digest(&self) -> Message {
+		*self.digest.borrow_mut().get_or_insert_with(|| message_digest(self.tag, self.bytes))
+	}
+}
+
 /// Error when signing messages.
 #[derive(Debug, PartialEq)]
 pub enum SignError<E> {
@@ -36,19 +56,22 @@ pub enum SignError<E> {
 /// Signs a message digest consisting of a tagged hash of the given bytes, checking if it can be
 /// verified with the supplied pubkey.
 ///
-/// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record.
+/// `metadata` is either the payer or offer metadata, depending on the message type and origin, and
+/// may be used by `sign` to derive the signing keys.
+///
+/// Panics if `message` is not a well-formed TLV stream containing at least one TLV record.
 pub(super) fn sign_message<F, E>(
-	sign: F, tag: &str, bytes: &[u8], pubkey: PublicKey,
+	sign: F, message: TaggedBytes, metadata: &[u8], pubkey: PublicKey,
 ) -> Result<Signature, SignError<E>>
 where
-	F: FnOnce(&Message) -> Result<Signature, E>
+	F: FnOnce(&TaggedBytes, &[u8]) -> Result<Signature, E>
 {
-	let digest = message_digest(tag, bytes);
-	let signature = sign(&digest).map_err(|e| SignError::Signing(e))?;
+	let signature = sign(&message, metadata).map_err(|e| SignError::Signing(e))?;
 
 	let pubkey = pubkey.into();
 	let secp_ctx = Secp256k1::verification_only();
-	secp_ctx.verify_schnorr(&signature, &digest, &pubkey).map_err(|e| SignError::Verification(e))?;
+	secp_ctx.verify_schnorr(&signature, &message.digest(), &pubkey)
+		.map_err(|e| SignError::Verification(e))?;
 
 	Ok(signature)
 }
@@ -271,7 +294,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+			)
 			.unwrap();
 		assert_eq!(
 			invoice_request.to_string(),
@@ -304,7 +329,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+			)
 			.unwrap();
 
 		let mut bytes_without_signature = Vec::new();
@@ -334,7 +361,9 @@ mod tests {
 			.build_unchecked()
 			.request_invoice(vec![0; 8], payer_keys.public_key()).unwrap()
 			.build_unchecked()
-			.sign::<_, Infallible>(|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &payer_keys)))
+			.sign::<_, Infallible>(
+				|message, _| Ok(secp_ctx.sign_schnorr_no_aux_rand(&message.digest(), &payer_keys))
+			)
 			.unwrap();
 
 		let tlv_stream = TlvStream::new(&invoice_request.bytes).range(0..1)