offer: make the merkle tree signature public #3892
Conversation
|
👋 I see @valentinewallace was un-assigned. |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
0ffed61 to
be23002
Compare
|
I'm not personally opposed to this and it may be nice to expose it for the use cases you mention. I'm also not sure about any API guarantees for these methods. I don't think it's too much of a hassle to treat them the same way we treat any other public API. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3892 +/- ##
==========================================
- Coverage 89.66% 88.80% -0.86%
==========================================
Files 164 166 +2
Lines 134661 119543 -15118
Branches 134661 119543 -15118
==========================================
- Hits 120743 106165 -14578
+ Misses 11237 11042 -195
+ Partials 2681 2336 -345 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
lightning/src/offers/merkle.rs
Outdated
| @@ -41,7 +41,7 @@ impl TaggedHash { | |||
| /// Creates a tagged hash with the given parameters. | |||
| /// | |||
| /// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record. | |||
| pub(super) fn from_valid_tlv_stream_bytes(tag: &'static str, bytes: &[u8]) -> Self { | |||
| pub fn from_valid_tlv_stream_bytes(tag: &'static str, bytes: &[u8]) -> Self { | |||
There was a problem hiding this comment.
Do we have a user for this? Feels pretty low-level to be exposing. Echo dunxen's sentiments about improving the docs if we do want to expose it.
There was a problem hiding this comment.
Yea, if we're gonna expose this we should really add a validating wrapper version that checks the stream is valid and can Err instead of panicking.
There was a problem hiding this comment.
Do we have a user for this? Feels pretty low-level to be exposing.
Yeah, there is. Everyone who wants to verify that an offer is linked to a bolt12 invoice, also if the big picture is that the bolt12 invoice will never be exposed, but for now that we do not have a better PoP a person should allow this kind of verification IMHO
A possible example of verification can be
/// Verify that an offer, invoice, and preimage are valid and consistent
pub fn verify_offer_payment(offer: &str, invoice: &str, preimage: &str) -> Result<()> {
log::info!("Starting verification process...");
log::info!("Offer: {}", offer);
log::info!("Invoice: {}", invoice);
log::info!("Preimage: {}", preimage);
let offer =
Offer::from_str(offer).map_err(|e| anyhow::anyhow!("Failed to parse offer: {:?}", e))?;
// Parse the bolt12 invoice preimage
let (hrp, data) = bech32::decode_without_checksum(invoice)?;
if hrp.as_str() != "lni" {
return Err(anyhow::anyhow!(
"Invalid HRP: expected 'lni', found '{}'",
hrp
));
}
let data = Vec::<u8>::from_base32(&data)?;
let invoice = Bolt12Invoice::try_from(data)
.map_err(|e| anyhow::anyhow!("Failed to parse BOLT12: {e:?}"))?;
let issuer_sign_pubkey = if let Some(issue_sign_pubkey) = offer.issuer_signing_pubkey() {
issue_sign_pubkey
} else {
let valid_signing_keys = offer
.paths()
.iter()
.filter_map(|path| path.blinded_hops().last())
.map(|hop| hop.blinded_node_id)
.collect::<Vec<_>>();
log::debug!("{:?}", valid_signing_keys);
let valid_signing_keys = valid_signing_keys
.first()
.ok_or(anyhow::anyhow!(
"Offer does not contain issuer signing pubkey"
))?
.clone();
valid_signing_keys
};
let inv_signing_pubkey = invoice.signing_pubkey();
if issuer_sign_pubkey != inv_signing_pubkey {
return Err(anyhow::anyhow!(
"Offer and invoice issuer signing pubkeys do not match"
));
}
let mut bytes = vec![];
invoice
.write(&mut bytes)
.map_err(|e| anyhow::anyhow!("Failed to serialize invoice: {:?}", e))?;
let tagged_hash = TaggedHash::from_valid_tlv_stream_bytes(SIGNATURE_TAG, &bytes);
if let Err(err) =
merkle::verify_signature(&invoice.signature(), &tagged_hash, issuer_sign_pubkey)
{
anyhow::bail!("Failed to verify invoice signature: {:?}", err);
}
let preimage =
hex::decode(preimage).map_err(|e| anyhow::anyhow!("Failed to decode preimage: {:?}", e))?;
let preimage: [u8; 32] = preimage
.try_into()
.map_err(|_| anyhow::anyhow!("Preimage must be 32 bytes"))?;
let preimage = PaymentPreimage(preimage);
// Validate the Proof of Payment for the invoice
let computed_hash = PaymentHash::from(preimage);
let payment_hash = invoice.payment_hash();
if computed_hash != payment_hash {
anyhow::bail!("Fail to perform PoP");
}
log::info!("Parsed offer: {:?}", offer);
log::info!("Parsed invoice: {:?}", invoice);
Ok(())
}
There was a problem hiding this comment.
Hmm... we verify the invoice's signature when parsing it. So it's just a matter of matching that the Offer given is the same one that is part of the Bolt12Invoice. This should be possible by comparing Offer::id -- which is just the tagged hash of the offer's merkle root -- against one obtained from the Bolt12Invoice. We could possibly add Bolt12Invoice::offer_id for this.
Note that while OfferId uses an LDK-specific tag, it is computed over the TLV stream bytes so it doesn't matter if the offer wasn't created with LDK.
There was a problem hiding this comment.
Ok implemented it @jkczyz cfd6ad4 let me know what do you think.
Thanks, left some comments.
However, I still think that ldk should expose a way to verify the signature with the public key that is inside the offer, at least till we do not get a better PoP with bolt12
Given the signature is verified when parsing, shouldn't it be sufficient to check that Bolt12Invoice::signing_pubkey matches the one in the offer? The parser is already doing this when calling check_invoice_signing_pubkey, too, FWIW. Not sure I understand why we need to expose these for the user to piece together and call on their own.
At very least, there doesn't seem to be a need to expose TaggedHash::from_valid_tlv_stream_bytes if we can just have a method on Bolt12Invoice give the TaggedHash for manual signature verification.
There was a problem hiding this comment.
Given the signature is verified when parsing, shouldn't it be sufficient to check that Bolt12Invoice::signing_pubkey matches the one in the offer?
Yes, good point, I think it is just fine for a proof of linking point of view.
FWIW. Not sure I understand why we need to expose these for the user to piece together and call on their own.
At this point is just for a learning tool purpose if some users want to do the versification as specified inside the spec. Probably, this is a separate discussion
At very least, there doesn't seem to be a need to expose TaggedHash::from_valid_tlv_stream_bytes if we can just have a method on Bolt12Invoice give the TaggedHash for manual signature verification.
This is a really good point, lets me experiment with it
|
👋 The first review has been submitted! Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer. |
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
|
🔔 1st Reminder Hey @TheBlueMatt @valentinewallace! This PR has been waiting for your review. |
1 similar comment
|
🔔 1st Reminder Hey @TheBlueMatt @valentinewallace! This PR has been waiting for your review. |
|
cc @jkczyz |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
2 times, most recently
from
dd046d5 to
29e5bd6
Compare
lightning/src/offers/merkle.rs
Outdated
| @@ -41,7 +41,7 @@ impl TaggedHash { | |||
| /// Creates a tagged hash with the given parameters. | |||
| /// | |||
| /// Panics if `bytes` is not a well-formed TLV stream containing at least one TLV record. | |||
| pub(super) fn from_valid_tlv_stream_bytes(tag: &'static str, bytes: &[u8]) -> Self { | |||
| pub fn from_valid_tlv_stream_bytes(tag: &'static str, bytes: &[u8]) -> Self { | |||
There was a problem hiding this comment.
Ok implemented it @jkczyz cfd6ad4 let me know what do you think.
Thanks, left some comments.
However, I still think that ldk should expose a way to verify the signature with the public key that is inside the offer, at least till we do not get a better PoP with bolt12
Given the signature is verified when parsing, shouldn't it be sufficient to check that Bolt12Invoice::signing_pubkey matches the one in the offer? The parser is already doing this when calling check_invoice_signing_pubkey, too, FWIW. Not sure I understand why we need to expose these for the user to piece together and call on their own.
At very least, there doesn't seem to be a need to expose TaggedHash::from_valid_tlv_stream_bytes if we can just have a method on Bolt12Invoice give the TaggedHash for manual signature verification.
|
Will take a look at this after @jkczyz's comments are addressed, assuming he thinks it needs a second reviewer at that point. |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
0c7fe08 to
123e16f
Compare
|
🔔 2nd Reminder Hey @valentinewallace! This PR has been waiting for your review. |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
2 times, most recently
from
7429b6a to
1b958e9
Compare
|
Ok, I pushed the change that @jkczyz requested, and now the PR is organised in two commits as follows:
Let me know if you are fine with the commit divided in this way, or you prefer e60b87c |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
1b958e9 to
699f37f
Compare
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
22ef851 to
e60b87c
Compare
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
e60b87c to
ec9b1c6
Compare
This is helpfull for the users that want to use the merkle tree signature in their own code, for example to verify the signature of bolt12 invoices or recreate it. Very useful for people that are building command line tools for the bolt12 offers. Signed-off-by: Vincenzo Palazzo <[email protected]>
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
ec9b1c6 to
98d51cd
Compare
|
BTW, could you make sure the commit messages are wrapped at 72 characters? |
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
98d51cd to
bf5ca05
Compare
|
Done thanks, should be ready for another pass! |
- Add an Option<OfferId> field to Bolt12Invoice to track the originating offer. - Compute the offer_id for invoices created from offers by extracting the offer TLV records and hashing them with the correct tag. - Expose a public offer_id() accessor on invoice. - Add tests to ensure the offer_id in the invoice matches the originating Offer, and that refund invoices have no offer_id. - All existing and new tests pass. This enables linking invoices to their originating offers in a robust and spec-compliant way. Signed-off-by: Vincenzo Palazzo <[email protected]> Co-authored-by: graphite-app[bot] <96075541+graphite-app[bot]@users.noreply.github.com> Signed-off-by: Vincenzo Palazzo <[email protected]>
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
bf5ca05 to
a68da7e
Compare
lightning/src/offers/invoice.rs
Outdated
| /// Returns the [`OfferId`] if this invoice corresponds to an [`Offer`]. | ||
| /// | ||
| /// [`Offer`]: crate::offers::offer::Offer | ||
| pub fn offer_id(&self) -> Option<OfferId> { | ||
| self.offer_id | ||
| } |
There was a problem hiding this comment.
Ah, sorry... we should put this in invoice_accessors_common such that UnsignedBolt12Invoice, UnsignedStaticInvoice, and StaticInvoice also get this method.
There was a problem hiding this comment.
Thanks, I was worried about this accessor in another invoice. Because this change is a little bit disruptive, I made a fixup commit 2da0ac8 to have a first iteration of review on the changes
There was a problem hiding this comment.
Yeah... come to think of it we probably don't need this for the unsigned invoices. Sorry about the hassle. Instead, we can drop the fixup and simply implement it directly for StaticInvoice. That should never come from a Refund, so its offer_id method won't need to use Option. Thus, we shouldn't use the macro.
Signed-off-by: Vincenzo Palazzo <[email protected]>
vincenzopalazzo
force-pushed
the
macros/markle-signature
branch
from
2da0ac8 to
a95815c
Compare
| let offer_id = match &contents { | ||
| InvoiceContents::ForOffer { .. } => Some(OfferId::from_valid_bolt12_tlv_stream(&bytes)), | ||
| InvoiceContents::ForRefund { .. } => None, | ||
| }; | ||
| Self { bytes, experimental_bytes, contents, tagged_hash, offer_id } |
There was a problem hiding this comment.
@jkczyz do you think that we should add in OfferId a maybe_from_valid_bolt12_tlv_stream(&bytes) -> Option<OfferId> to include the refund case without duplicate the match here?
There was a problem hiding this comment.
We'd need to take in the InvoiceContents then, too. Leaning towards not doing this for unsigned invoices after all. See next comment.
| // FIXME: we can have a static invoice for a Refund? if yes this should be optional | ||
| let offer_id = OfferId::from_valid_bolt12_tlv_stream(&bytes); | ||
| Self { bytes, experimental_bytes, contents, tagged_hash, offer_id: Some(offer_id) } |
There was a problem hiding this comment.
Hmm... I guess we'll never need the Refund case since those are user-initiated actions (i.e., they scan a Refund and create a Bolt12Invoice to send).
| let offer_id = match &contents { | ||
| InvoiceContents::ForOffer { .. } => Some(OfferId::from_valid_bolt12_tlv_stream(&bytes)), | ||
| InvoiceContents::ForRefund { .. } => None, | ||
| }; | ||
| Self { bytes, experimental_bytes, contents, tagged_hash, offer_id } |
There was a problem hiding this comment.
We'd need to take in the InvoiceContents then, too. Leaning towards not doing this for unsigned invoices after all. See next comment.
lightning/src/offers/invoice.rs
Outdated
| /// Returns the [`OfferId`] if this invoice corresponds to an [`Offer`]. | ||
| /// | ||
| /// [`Offer`]: crate::offers::offer::Offer | ||
| pub fn offer_id(&self) -> Option<OfferId> { | ||
| self.offer_id | ||
| } |
There was a problem hiding this comment.
Yeah... come to think of it we probably don't need this for the unsigned invoices. Sorry about the hassle. Instead, we can drop the fixup and simply implement it directly for StaticInvoice. That should never come from a Refund, so its offer_id method won't need to use Option. Thus, we shouldn't use the macro.
| @@ -3556,4 +3579,49 @@ mod tests { | |||
| ), | |||
| } | |||
| } | |||
|
|
|||
| #[test] | |||
| fn invoice_offer_id_matches_offer_id() { | |||
There was a problem hiding this comment.
Please add a test for StaticInvoice, too.
This is helpful for users who want to use the Merkle tree signature in their own code, for example, to verify the signature of bolt12 invoices or recreate it.
Very useful for people who are building command line tools for the bolt12 offers.
I am opening this, but I do not know if it is something that you want to do, but at the same time, IMHO, this is very useful to expose because it allows to use LDK in command line tools and in learning tools.
However, this is not strictly necessary because
Bolt12Invoice::try_fromalready verifies the signature, but I would open this to know your point of view.