Support signing BOLT 12 messages in NodeSigner

BOLT 12 messages need to be signed in the following scenarios:
- constructing an InvoiceRequest after scanning an Offer,
- constructing an Invoice after scanning a Refund, and
- constructing an Invoice when handling an InvoiceRequest.

Extend the NodeSigner trait to support signing BOLT 12 messages such
that it can be used in these contexts. The method could be used then in
OnionMessenger and an OffersMessageHandler.

Author: jkczyz

fuzz/src/chanmon_consistency.rs

@@ -57,6 +57,7 @@ use crate::utils::test_persister::TestPersister;
 use bitcoin::secp256k1::{Message, PublicKey, SecretKey, Scalar, Secp256k1};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
+use bitcoin::secp256k1::schnorr;
 
 use std::mem;
 use std::cmp::{self, Ordering};
@@ -211,6 +212,12 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
+	fn sign_bolt12_message(
+		&self, _digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		unreachable!()
+	}
+
 	fn sign_gossip_message(&self, msg: lightning::ln::msgs::UnsignedGossipMessage) -> Result<Signature, ()> {
 		let msg_hash = Message::from_slice(&Sha256dHash::hash(&msg.encode()[..])[..]).map_err(|_| ())?;
 		let secp_ctx = Secp256k1::signing_only();

fuzz/src/full_stack.rs

@@ -55,6 +55,7 @@ use crate::utils::test_persister::TestPersister;
 use bitcoin::secp256k1::{Message, PublicKey, SecretKey, Scalar, Secp256k1};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
+use bitcoin::secp256k1::schnorr;
 
 use std::cell::RefCell;
 use hashbrown::{HashMap, hash_map};
@@ -316,6 +317,12 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
+	fn sign_bolt12_message(
+		&self, _digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		unreachable!()
+	}
+
 	fn sign_gossip_message(&self, msg: lightning::ln::msgs::UnsignedGossipMessage) -> Result<Signature, ()> {
 		let msg_hash = Message::from_slice(&Sha256dHash::hash(&msg.encode()[..])[..]).map_err(|_| ())?;
 		let secp_ctx = Secp256k1::signing_only();

fuzz/src/onion_message.rs

@@ -1,9 +1,10 @@
 // Imports that need to be added manually
 use bitcoin::bech32::u5;
 use bitcoin::blockdata::script::Script;
-use bitcoin::secp256k1::{PublicKey, Scalar, Secp256k1, SecretKey};
+use bitcoin::secp256k1::{Message, PublicKey, Scalar, Secp256k1, SecretKey};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::RecoverableSignature;
+use bitcoin::secp256k1::schnorr;
 
 use lightning::sign::{Recipient, KeyMaterial, EntropySource, NodeSigner, SignerProvider};
 use lightning::ln::msgs::{self, DecodeError, OnionMessageHandler};
@@ -153,6 +154,12 @@ impl NodeSigner for KeyProvider {
 		unreachable!()
 	}
 
+	fn sign_bolt12_message(
+		&self, _digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		unreachable!()
+	}
+
 	fn sign_gossip_message(&self, _msg: lightning::ln::msgs::UnsignedGossipMessage) -> Result<bitcoin::secp256k1::ecdsa::Signature, ()> {
 		unreachable!()
 	}

lightning/src/sign/mod.rs

@@ -26,9 +26,10 @@ use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::hashes::sha256d::Hash as Sha256dHash;
 use bitcoin::hash_types::WPubkeyHash;
 
-use bitcoin::secp256k1::{PublicKey, Scalar, Secp256k1, SecretKey, Signing};
+use bitcoin::secp256k1::{KeyPair, Message, PublicKey, Scalar, Secp256k1, SecretKey, Signing};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
+use bitcoin::secp256k1::schnorr;
 use bitcoin::{PackedLockTime, secp256k1, Sequence, Witness};
 
 use crate::util::transaction_utils;
@@ -620,6 +621,19 @@ pub trait NodeSigner {
 	/// Errors if the [`Recipient`] variant is not supported by the implementation.
 	fn sign_invoice(&self, hrp_bytes: &[u8], invoice_data: &[u5], recipient: Recipient) -> Result<RecoverableSignature, ()>;
 
+	/// Signs a BOLT 12 message.
+	///
+	/// The message is given in `bytes` as a serialized TLV stream with `tag` identifying the
+	/// message type as defined in the BOLT 12 spec's "Signature Calculation" section. The `digest`
+	/// is the tagged merkle root to be signed and can be re-calculated using `tag` and `bytes` if
+	/// blindly signing the digest should be avoided.
+	///
+	/// `metadata` is either the payer or offer metadata, depending on the message type and origin,
+	/// and may be useful in order to derive the signing keys.
+	fn sign_bolt12_message(
+		&self, digest: &Message, tag: &str, bytes: &[u8], metadata: &[u8]
+	) -> Result<schnorr::Signature, ()>;
+
 	/// Sign a gossip message.
 	///
 	/// Note that if this fails, LDK may panic and the message will not be broadcast to the network
@@ -1453,6 +1467,14 @@ impl NodeSigner for KeysManager {
 		Ok(self.secp_ctx.sign_ecdsa_recoverable(&hash_to_message!(&Sha256::hash(&preimage)), secret))
 	}
 
+	fn sign_bolt12_message(
+		&self, digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		let keys = KeyPair::from_secret_key(&self.secp_ctx, &self.node_secret);
+		let aux_rand = self.get_secure_random_bytes();
+		Ok(self.secp_ctx.sign_schnorr_with_aux_rand(digest, &keys, &aux_rand))
+	}
+
 	fn sign_gossip_message(&self, msg: UnsignedGossipMessage) -> Result<Signature, ()> {
 		let msg_hash = hash_to_message!(&Sha256dHash::hash(&msg.encode()[..])[..]);
 		Ok(self.secp_ctx.sign_ecdsa(&msg_hash, &self.node_secret))
@@ -1561,6 +1583,12 @@ impl NodeSigner for PhantomKeysManager {
 		Ok(self.inner.secp_ctx.sign_ecdsa_recoverable(&hash_to_message!(&Sha256::hash(&preimage)), secret))
 	}
 
+	fn sign_bolt12_message(
+		&self, digest: &Message, tag: &str, bytes: &[u8], metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		self.inner.sign_bolt12_message(digest, tag, bytes, metadata)
+	}
+
 	fn sign_gossip_message(&self, msg: UnsignedGossipMessage) -> Result<Signature, ()> {
 		self.inner.sign_gossip_message(msg)
 	}

lightning/src/util/test_utils.rs

@@ -41,9 +41,10 @@ use bitcoin::blockdata::block::Block;
 use bitcoin::network::constants::Network;
 use bitcoin::hash_types::{BlockHash, Txid};
 
-use bitcoin::secp256k1::{PublicKey, Scalar, Secp256k1, SecretKey};
+use bitcoin::secp256k1::{Message, PublicKey, Scalar, Secp256k1, SecretKey};
 use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
+use bitcoin::secp256k1::schnorr;
 
 use regex;
 
@@ -795,6 +796,12 @@ impl NodeSigner for TestNodeSigner {
 		unreachable!()
 	}
 
+	fn sign_bolt12_message(
+		&self, _digest: &Message, _tag: &str, _bytes: &[u8], _metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		unreachable!()
+	}
+
 	fn sign_gossip_message(&self, _msg: msgs::UnsignedGossipMessage) -> Result<Signature, ()> {
 		unreachable!()
 	}
@@ -835,6 +842,12 @@ impl NodeSigner for TestKeysInterface {
 		self.backing.sign_invoice(hrp_bytes, invoice_data, recipient)
 	}
 
+	fn sign_bolt12_message(
+		&self, digest: &Message, tag: &str, bytes: &[u8], metadata: &[u8]
+	) -> Result<schnorr::Signature, ()> {
+		self.backing.sign_bolt12_message(digest, tag, bytes, metadata)
+	}
+
 	fn sign_gossip_message(&self, msg: msgs::UnsignedGossipMessage) -> Result<Signature, ()> {
 		self.backing.sign_gossip_message(msg)
 	}