2016-12-08 21:56:37 +01:00
|
|
|
package lnwire
|
|
|
|
|
|
|
|
import (
|
2022-03-08 07:35:22 +01:00
|
|
|
"errors"
|
2016-12-08 21:56:37 +01:00
|
|
|
"fmt"
|
|
|
|
|
2022-02-23 14:48:00 +01:00
|
|
|
"github.com/btcsuite/btcd/btcec/v2/ecdsa"
|
2023-01-17 04:33:21 +01:00
|
|
|
"github.com/btcsuite/btcd/btcec/v2/schnorr"
|
2020-04-06 02:06:38 +02:00
|
|
|
"github.com/lightningnetwork/lnd/input"
|
2024-01-03 03:44:44 +01:00
|
|
|
"github.com/lightningnetwork/lnd/tlv"
|
2016-12-08 21:56:37 +01:00
|
|
|
)
|
|
|
|
|
2022-03-08 07:35:22 +01:00
|
|
|
var (
|
|
|
|
errSigTooShort = errors.New("malformed signature: too short")
|
|
|
|
errBadLength = errors.New("malformed signature: bad length")
|
|
|
|
errBadRLength = errors.New("malformed signature: bogus R length")
|
|
|
|
errBadSLength = errors.New("malformed signature: bogus S length")
|
|
|
|
errRTooLong = errors.New("R is over 32 bytes long without padding")
|
|
|
|
errSTooLong = errors.New("S is over 32 bytes long without padding")
|
|
|
|
)
|
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
// sigType represents the type of signature that is carried within the Sig.
|
|
|
|
// Today this can either be an ECDSA sig or a schnorr sig. Both of these can
|
|
|
|
// fit cleanly into 64 bytes.
|
|
|
|
type sigType uint
|
|
|
|
|
|
|
|
const (
|
|
|
|
// sigTypeECDSA represents an ECDSA signature.
|
|
|
|
sigTypeECDSA sigType = iota
|
|
|
|
|
|
|
|
// sigTypeSchnorr represents a schnorr signature.
|
|
|
|
sigTypeSchnorr
|
|
|
|
)
|
|
|
|
|
|
|
|
// Sig is a fixed-sized ECDSA signature or 64-byte schnorr signature. For the
|
|
|
|
// ECDSA sig, unlike Bitcoin, we use fixed sized signatures on the wire,
|
|
|
|
// instead of DER encoded signatures. This type provides several methods to
|
|
|
|
// convert to/from a regular Bitcoin DER encoded signature (raw bytes and
|
|
|
|
// *ecdsa.Signature).
|
|
|
|
type Sig struct {
|
|
|
|
bytes [64]byte
|
|
|
|
|
|
|
|
sigType sigType
|
|
|
|
}
|
|
|
|
|
|
|
|
// ForceSchnorr forces the signature to be interpreted as a schnorr signature.
|
|
|
|
// This is useful when reading an HTLC sig off the wire for a taproot channel.
|
|
|
|
// In this case, in order to obtain an input.Signature, we need to know that
|
|
|
|
// the sig is a schnorr sig.
|
|
|
|
func (s *Sig) ForceSchnorr() {
|
|
|
|
s.sigType = sigTypeSchnorr
|
|
|
|
}
|
|
|
|
|
|
|
|
// RawBytes returns the raw bytes of signature.
|
|
|
|
func (s *Sig) RawBytes() []byte {
|
|
|
|
return s.bytes[:]
|
|
|
|
}
|
|
|
|
|
|
|
|
// Copy copies the signature into a new Sig instance.
|
|
|
|
func (s *Sig) Copy() Sig {
|
|
|
|
var sCopy Sig
|
|
|
|
copy(sCopy.bytes[:], s.bytes[:])
|
|
|
|
sCopy.sigType = s.sigType
|
|
|
|
|
|
|
|
return sCopy
|
|
|
|
}
|
|
|
|
|
2024-01-03 03:44:44 +01:00
|
|
|
// Record returns a Record that can be used to encode or decode the backing
|
|
|
|
// object.
|
|
|
|
//
|
|
|
|
// This returns a record that serializes the sig as a 64-byte fixed size
|
|
|
|
// signature.
|
|
|
|
func (s *Sig) Record() tlv.Record {
|
|
|
|
// We set a type here as zero as it isn't needed when used as a
|
|
|
|
// RecordT.
|
|
|
|
return tlv.MakePrimitiveRecord(0, &s.bytes)
|
|
|
|
}
|
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
// NewSigFromWireECDSA returns a Sig instance based on an ECDSA signature
|
|
|
|
// that's already in the 64-byte format we expect.
|
|
|
|
func NewSigFromWireECDSA(sig []byte) (Sig, error) {
|
|
|
|
if len(sig) != 64 {
|
|
|
|
return Sig{}, fmt.Errorf("%w: %v bytes", errSigTooShort,
|
|
|
|
len(sig))
|
|
|
|
}
|
|
|
|
|
|
|
|
var s Sig
|
|
|
|
copy(s.bytes[:], sig)
|
|
|
|
|
|
|
|
return s, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewSigFromECDSARawSignature returns a Sig from a Bitcoin raw signature
|
|
|
|
// encoded in the canonical DER encoding.
|
|
|
|
func NewSigFromECDSARawSignature(sig []byte) (Sig, error) {
|
|
|
|
var b [64]byte
|
2016-12-08 21:56:37 +01:00
|
|
|
|
2022-03-08 07:35:22 +01:00
|
|
|
// Check the total length is above the minimal.
|
|
|
|
if len(sig) < ecdsa.MinSigLen {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errSigTooShort
|
2018-06-08 22:24:59 +02:00
|
|
|
}
|
|
|
|
|
2022-03-08 07:35:22 +01:00
|
|
|
// The DER representation is laid out as:
|
|
|
|
// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
|
|
|
|
// which means the length of R is the 4th byte and the length of S is
|
|
|
|
// the second byte after R ends. 0x02 signifies a length-prefixed,
|
2018-02-07 04:11:11 +01:00
|
|
|
// zero-padded, big-endian bigint. 0x30 signifies a DER signature.
|
2022-02-23 14:48:00 +01:00
|
|
|
// See the Serialize() method for ecdsa.Signature for details.
|
2022-03-08 07:35:22 +01:00
|
|
|
|
|
|
|
// Reading <length>, remaining: [0x02 <length r> r 0x02 <length s> s]
|
|
|
|
sigLen := int(sig[1])
|
|
|
|
|
|
|
|
// siglen should be less than the entire message and greater than
|
|
|
|
// the minimal message size.
|
|
|
|
if sigLen+2 > len(sig) || sigLen+2 < ecdsa.MinSigLen {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errBadLength
|
2022-03-08 07:35:22 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Reading <length r>, remaining: [r 0x02 <length s> s]
|
|
|
|
rLen := int(sig[3])
|
|
|
|
|
|
|
|
// rLen must be positive and must be able to fit in other elements.
|
|
|
|
// Assuming s is one byte, then we have 0x30, <length>, 0x20,
|
|
|
|
// <length r>, 0x20, <length s>, s, a total of 7 bytes.
|
|
|
|
if rLen <= 0 || rLen+7 > len(sig) {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errBadRLength
|
2022-03-08 07:35:22 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Reading <length s>, remaining: [s]
|
|
|
|
sLen := int(sig[5+rLen])
|
|
|
|
|
|
|
|
// S should be the rest of the string.
|
|
|
|
// sLen must be positive and must be able to fit in other elements.
|
|
|
|
// We know r is rLen bytes, and we have 0x30, <length>, 0x20,
|
|
|
|
// <length r>, 0x20, <length s>, a total of rLen+6 bytes.
|
|
|
|
if sLen <= 0 || sLen+rLen+6 > len(sig) {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errBadSLength
|
2022-03-08 07:35:22 +01:00
|
|
|
}
|
2016-12-08 21:56:37 +01:00
|
|
|
|
|
|
|
// Check to make sure R and S can both fit into their intended buffers.
|
2018-01-31 04:40:30 +01:00
|
|
|
// We check S first because these code blocks decrement sLen and rLen
|
|
|
|
// in the case of a 33-byte 0-padded integer returned from Serialize()
|
|
|
|
// and rLen is used in calculating array indices for S. We can track
|
|
|
|
// this with additional variables, but it's more efficient to just
|
|
|
|
// check S first.
|
2016-12-08 21:56:37 +01:00
|
|
|
if sLen > 32 {
|
|
|
|
if (sLen > 33) || (sig[6+rLen] != 0x00) {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errSTooLong
|
2016-12-08 21:56:37 +01:00
|
|
|
}
|
2017-02-23 20:56:47 +01:00
|
|
|
sLen--
|
|
|
|
copy(b[64-sLen:], sig[7+rLen:])
|
2016-12-08 21:56:37 +01:00
|
|
|
} else {
|
|
|
|
copy(b[64-sLen:], sig[6+rLen:])
|
|
|
|
}
|
|
|
|
|
|
|
|
// Do the same for R as we did for S
|
|
|
|
if rLen > 32 {
|
|
|
|
if (rLen > 33) || (sig[4] != 0x00) {
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{}, errRTooLong
|
2016-12-08 21:56:37 +01:00
|
|
|
}
|
2017-02-23 20:56:47 +01:00
|
|
|
rLen--
|
|
|
|
copy(b[32-rLen:], sig[5:5+rLen])
|
2016-12-08 21:56:37 +01:00
|
|
|
} else {
|
|
|
|
copy(b[32-rLen:], sig[4:4+rLen])
|
|
|
|
}
|
2018-01-31 04:40:30 +01:00
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
return Sig{
|
|
|
|
bytes: b,
|
|
|
|
sigType: sigTypeECDSA,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewSigFromSchnorrRawSignature converts a raw schnorr signature into an
|
|
|
|
// lnwire.Sig.
|
|
|
|
func NewSigFromSchnorrRawSignature(sig []byte) (Sig, error) {
|
|
|
|
var s Sig
|
|
|
|
copy(s.bytes[:], sig)
|
|
|
|
s.sigType = sigTypeSchnorr
|
|
|
|
|
|
|
|
return s, nil
|
2016-12-08 21:56:37 +01:00
|
|
|
}
|
|
|
|
|
2018-01-31 04:40:30 +01:00
|
|
|
// NewSigFromSignature creates a new signature as used on the wire, from an
|
2023-01-17 04:33:21 +01:00
|
|
|
// existing ecdsa.Signature or schnorr.Signature.
|
2020-04-06 02:06:38 +02:00
|
|
|
func NewSigFromSignature(e input.Signature) (Sig, error) {
|
2018-06-08 22:24:59 +02:00
|
|
|
if e == nil {
|
|
|
|
return Sig{}, fmt.Errorf("cannot decode empty signature")
|
|
|
|
}
|
|
|
|
|
2021-09-23 16:54:30 +02:00
|
|
|
// Nil is still a valid interface, apparently. So we need a more
|
|
|
|
// explicit check here.
|
2022-02-23 14:48:00 +01:00
|
|
|
if ecsig, ok := e.(*ecdsa.Signature); ok && ecsig == nil {
|
2021-09-23 16:54:30 +02:00
|
|
|
return Sig{}, fmt.Errorf("cannot decode empty signature")
|
|
|
|
}
|
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
switch ecSig := e.(type) {
|
|
|
|
// If this is a schnorr signature, then we can just pack it as normal,
|
|
|
|
// since the default encoding is already 64 bytes.
|
|
|
|
case *schnorr.Signature:
|
|
|
|
return NewSigFromSchnorrRawSignature(e.Serialize())
|
|
|
|
|
|
|
|
// For ECDSA signatures, we'll need to do a bit more work to map the
|
|
|
|
// signature into a compact 64 byte form.
|
|
|
|
case *ecdsa.Signature:
|
|
|
|
// Serialize the signature with all the checks that entails.
|
|
|
|
return NewSigFromECDSARawSignature(e.Serialize())
|
2016-12-08 21:56:37 +01:00
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
default:
|
|
|
|
return Sig{}, fmt.Errorf("unknown wire sig type: %T", ecSig)
|
2018-01-31 04:40:30 +01:00
|
|
|
}
|
2023-01-17 04:33:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// ToSignature converts the fixed-sized signature to a input.Signature which
|
|
|
|
// can be used for signature validation checks.
|
|
|
|
func (s *Sig) ToSignature() (input.Signature, error) {
|
|
|
|
switch s.sigType {
|
|
|
|
case sigTypeSchnorr:
|
|
|
|
return schnorr.ParseSignature(s.bytes[:])
|
2018-01-31 04:40:30 +01:00
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
case sigTypeECDSA:
|
|
|
|
// Parse the signature with strict checks.
|
|
|
|
sigBytes := s.ToSignatureBytes()
|
|
|
|
sig, err := ecdsa.ParseDERSignature(sigBytes)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return sig, nil
|
|
|
|
|
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("unknown sig type: %v", s.sigType)
|
|
|
|
}
|
2018-01-31 04:40:30 +01:00
|
|
|
}
|
|
|
|
|
2023-01-17 04:33:21 +01:00
|
|
|
// ToSignatureBytes serializes the target fixed-sized signature into the
|
|
|
|
// encoding of the primary domain for the signature. For ECDSA signatures, this
|
|
|
|
// is the raw bytes of a DER encoding.
|
|
|
|
func (s *Sig) ToSignatureBytes() []byte {
|
|
|
|
switch s.sigType {
|
|
|
|
// For ECDSA signatures, we'll convert to DER encoding.
|
|
|
|
case sigTypeECDSA:
|
|
|
|
// Extract canonically-padded bigint representations from buffer
|
|
|
|
r := extractCanonicalPadding(s.bytes[0:32])
|
|
|
|
s := extractCanonicalPadding(s.bytes[32:64])
|
|
|
|
rLen := uint8(len(r))
|
|
|
|
sLen := uint8(len(s))
|
|
|
|
|
|
|
|
// Create a canonical serialized signature. DER format is:
|
|
|
|
// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
|
|
|
|
sigBytes := make([]byte, 6+rLen+sLen)
|
|
|
|
sigBytes[0] = 0x30 // DER signature magic value
|
|
|
|
sigBytes[1] = 4 + rLen + sLen // Length of rest of signature
|
|
|
|
sigBytes[2] = 0x02 // Big integer magic value
|
|
|
|
sigBytes[3] = rLen // Length of R
|
|
|
|
sigBytes[rLen+4] = 0x02 // Big integer magic value
|
|
|
|
sigBytes[rLen+5] = sLen // Length of S
|
|
|
|
copy(sigBytes[4:], r) // Copy R
|
|
|
|
copy(sigBytes[rLen+6:], s) // Copy S
|
|
|
|
|
|
|
|
return sigBytes
|
|
|
|
|
|
|
|
// For schnorr signatures, we can use the same internal 64 bytes.
|
|
|
|
case sigTypeSchnorr:
|
|
|
|
// We'll make a copy of the signature so we don't return a
|
2023-01-17 04:44:17 +01:00
|
|
|
// reference into the raw slice.
|
2023-01-17 04:33:21 +01:00
|
|
|
var sig [64]byte
|
|
|
|
copy(sig[:], s.bytes[:])
|
|
|
|
return sig[:]
|
|
|
|
|
|
|
|
default:
|
|
|
|
// TODO(roasbeef): can only be called via public methods so
|
|
|
|
// never reachable?
|
|
|
|
panic("sig type not set")
|
|
|
|
}
|
2016-12-08 21:56:37 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// extractCanonicalPadding is a utility function to extract the canonical
|
|
|
|
// padding of a big-endian integer from the wire encoding (a 0-padded
|
|
|
|
// big-endian integer) such that it passes btcec.canonicalPadding test.
|
|
|
|
func extractCanonicalPadding(b []byte) []byte {
|
|
|
|
for i := 0; i < len(b); i++ {
|
|
|
|
// Found first non-zero byte.
|
|
|
|
if b[i] > 0 {
|
|
|
|
// If the MSB is set, we need zero padding.
|
|
|
|
if b[i]&0x80 == 0x80 {
|
|
|
|
return append([]byte{0x00}, b[i:]...)
|
|
|
|
}
|
2017-02-23 20:56:47 +01:00
|
|
|
return b[i:]
|
2016-12-08 21:56:37 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return []byte{0x00}
|
|
|
|
}
|