lnd+server+netann: use signing interface in node signer

This commit is contained in:
Oliver Gugger 2020-04-28 10:06:27 +02:00
parent 6f702a43aa
commit be890ef9be
No known key found for this signature in database
GPG Key ID: 8E4256593F177720
6 changed files with 53 additions and 34 deletions

14
lnd.go

@ -484,6 +484,18 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error {
} }
idPrivKey.Curve = btcec.S256() idPrivKey.Curve = btcec.S256()
idKeyDesc, err := activeChainControl.keyRing.DeriveKey(
keychain.KeyLocator{
Family: keychain.KeyFamilyNodeKey,
Index: 0,
},
)
if err != nil {
err := fmt.Errorf("error deriving node key: %v", err)
ltndLog.Error(err)
return err
}
if cfg.Tor.Active { if cfg.Tor.Active {
srvrLog.Infof("Proxying all network traffic via Tor "+ srvrLog.Infof("Proxying all network traffic via Tor "+
"(stream_isolation=%v)! NOTE: Ensure the backend node "+ "(stream_isolation=%v)! NOTE: Ensure the backend node "+
@ -612,7 +624,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error {
// connections. // connections.
server, err := newServer( server, err := newServer(
cfg, cfg.Listeners, chanDB, towerClientDB, activeChainControl, cfg, cfg.Listeners, chanDB, towerClientDB, activeChainControl,
idPrivKey, walletInitParams.ChansToRestore, chainedAcceptor, idPrivKey, &idKeyDesc, walletInitParams.ChansToRestore, chainedAcceptor,
torController, torController,
) )
if err != nil { if err != nil {

@ -14,6 +14,7 @@ import (
"github.com/btcsuite/btcd/btcec" "github.com/btcsuite/btcd/btcec"
"github.com/btcsuite/btcd/wire" "github.com/btcsuite/btcd/wire"
"github.com/lightningnetwork/lnd/channeldb" "github.com/lightningnetwork/lnd/channeldb"
"github.com/lightningnetwork/lnd/keychain"
"github.com/lightningnetwork/lnd/lnwire" "github.com/lightningnetwork/lnd/lnwire"
"github.com/lightningnetwork/lnd/netann" "github.com/lightningnetwork/lnd/netann"
) )
@ -309,6 +310,7 @@ func newManagerCfg(t *testing.T, numChannels int,
if err != nil { if err != nil {
t.Fatalf("unable to generate key pair: %v", err) t.Fatalf("unable to generate key pair: %v", err)
} }
privKeySigner := &keychain.PrivKeyDigestSigner{PrivKey: privKey}
graph := newMockGraph( graph := newMockGraph(
t, numChannels, startEnabled, startEnabled, privKey.PubKey(), t, numChannels, startEnabled, startEnabled, privKey.PubKey(),
@ -320,7 +322,7 @@ func newManagerCfg(t *testing.T, numChannels int,
ChanEnableTimeout: 500 * time.Millisecond, ChanEnableTimeout: 500 * time.Millisecond,
ChanDisableTimeout: time.Second, ChanDisableTimeout: time.Second,
OurPubKey: privKey.PubKey(), OurPubKey: privKey.PubKey(),
MessageSigner: netann.NewNodeSigner(privKey), MessageSigner: netann.NewNodeSigner(privKeySigner),
IsChannelActive: htlcSwitch.HasActiveLink, IsChannelActive: htlcSwitch.HasActiveLink,
ApplyChannelUpdate: graph.ApplyChannelUpdate, ApplyChannelUpdate: graph.ApplyChannelUpdate,
DB: graph, DB: graph,

@ -7,6 +7,7 @@ import (
"github.com/btcsuite/btcd/btcec" "github.com/btcsuite/btcd/btcec"
"github.com/lightningnetwork/lnd/input" "github.com/lightningnetwork/lnd/input"
"github.com/lightningnetwork/lnd/keychain"
"github.com/lightningnetwork/lnd/lnwallet" "github.com/lightningnetwork/lnd/lnwallet"
"github.com/lightningnetwork/lnd/lnwire" "github.com/lightningnetwork/lnd/lnwire"
"github.com/lightningnetwork/lnd/netann" "github.com/lightningnetwork/lnd/netann"
@ -30,7 +31,8 @@ func (m *mockSigner) SignMessage(pk *btcec.PublicKey,
var _ lnwallet.MessageSigner = (*mockSigner)(nil) var _ lnwallet.MessageSigner = (*mockSigner)(nil)
var ( var (
privKey, _ = btcec.NewPrivateKey(btcec.S256()) privKey, _ = btcec.NewPrivateKey(btcec.S256())
privKeySigner = &keychain.PrivKeyDigestSigner{PrivKey: privKey}
pubKey = privKey.PubKey() pubKey = privKey.PubKey()
@ -52,35 +54,35 @@ var updateDisableTests = []updateDisableTest{
startEnabled: true, startEnabled: true,
disable: true, disable: true,
startTime: time.Now(), startTime: time.Now(),
signer: netann.NewNodeSigner(privKey), signer: netann.NewNodeSigner(privKeySigner),
}, },
{ {
name: "working signer enabled to enabled", name: "working signer enabled to enabled",
startEnabled: true, startEnabled: true,
disable: false, disable: false,
startTime: time.Now(), startTime: time.Now(),
signer: netann.NewNodeSigner(privKey), signer: netann.NewNodeSigner(privKeySigner),
}, },
{ {
name: "working signer disabled to enabled", name: "working signer disabled to enabled",
startEnabled: false, startEnabled: false,
disable: false, disable: false,
startTime: time.Now(), startTime: time.Now(),
signer: netann.NewNodeSigner(privKey), signer: netann.NewNodeSigner(privKeySigner),
}, },
{ {
name: "working signer disabled to disabled", name: "working signer disabled to disabled",
startEnabled: false, startEnabled: false,
disable: true, disable: true,
startTime: time.Now(), startTime: time.Now(),
signer: netann.NewNodeSigner(privKey), signer: netann.NewNodeSigner(privKeySigner),
}, },
{ {
name: "working signer future monotonicity", name: "working signer future monotonicity",
startEnabled: true, startEnabled: true,
disable: true, disable: true,
startTime: time.Now().Add(time.Hour), // must increment startTime: time.Now().Add(time.Hour), // must increment
signer: netann.NewNodeSigner(privKey), signer: netann.NewNodeSigner(privKeySigner),
}, },
{ {
name: "failing signer", name: "failing signer",

@ -6,25 +6,21 @@ import (
"github.com/btcsuite/btcd/btcec" "github.com/btcsuite/btcd/btcec"
"github.com/btcsuite/btcd/chaincfg/chainhash" "github.com/btcsuite/btcd/chaincfg/chainhash"
"github.com/lightningnetwork/lnd/input" "github.com/lightningnetwork/lnd/input"
"github.com/lightningnetwork/lnd/keychain"
"github.com/lightningnetwork/lnd/lnwallet" "github.com/lightningnetwork/lnd/lnwallet"
) )
// NodeSigner is an implementation of the MessageSigner interface backed by the // NodeSigner is an implementation of the MessageSigner interface backed by the
// identity private key of running lnd node. // identity private key of running lnd node.
type NodeSigner struct { type NodeSigner struct {
privKey *btcec.PrivateKey keySigner keychain.SingleKeyDigestSigner
} }
// NewNodeSigner creates a new instance of the NodeSigner backed by the target // NewNodeSigner creates a new instance of the NodeSigner backed by the target
// private key. // private key.
func NewNodeSigner(key *btcec.PrivateKey) *NodeSigner { func NewNodeSigner(keySigner keychain.SingleKeyDigestSigner) *NodeSigner {
priv := &btcec.PrivateKey{}
priv.Curve = btcec.S256()
priv.PublicKey.X = key.X
priv.PublicKey.Y = key.Y
priv.D = key.D
return &NodeSigner{ return &NodeSigner{
privKey: priv, keySigner: keySigner,
} }
} }
@ -36,13 +32,14 @@ func (n *NodeSigner) SignMessage(pubKey *btcec.PublicKey,
// If this isn't our identity public key, then we'll exit early with an // If this isn't our identity public key, then we'll exit early with an
// error as we can't sign with this key. // error as we can't sign with this key.
if !pubKey.IsEqual(n.privKey.PubKey()) { if !pubKey.IsEqual(n.keySigner.PubKey()) {
return nil, fmt.Errorf("unknown public key") return nil, fmt.Errorf("unknown public key")
} }
// Otherwise, we'll sign the dsha256 of the target message. // Otherwise, we'll sign the dsha256 of the target message.
digest := chainhash.DoubleHashB(msg) var digest [32]byte
sig, err := n.privKey.Sign(digest) copy(digest[:], chainhash.DoubleHashB(msg))
sig, err := n.keySigner.SignDigest(digest)
if err != nil { if err != nil {
return nil, fmt.Errorf("can't sign the message: %v", err) return nil, fmt.Errorf("can't sign the message: %v", err)
} }
@ -63,14 +60,11 @@ func (n *NodeSigner) SignCompact(msg []byte) ([]byte, error) {
// SignDigestCompact signs the provided message digest under the resident // SignDigestCompact signs the provided message digest under the resident
// node's private key. The returned signature is a pubkey-recoverable signature. // node's private key. The returned signature is a pubkey-recoverable signature.
func (n *NodeSigner) SignDigestCompact(hash []byte) ([]byte, error) { func (n *NodeSigner) SignDigestCompact(hash []byte) ([]byte, error) {
var digest [32]byte
copy(digest[:], hash)
// Should the signature reference a compressed public key or not. // keychain.SignDigestCompact returns a pubkey-recoverable signature.
isCompressedKey := true sig, err := n.keySigner.SignDigestCompact(digest)
// btcec.SignCompact returns a pubkey-recoverable signature
sig, err := btcec.SignCompact(
btcec.S256(), n.privKey, hash, isCompressedKey,
)
if err != nil { if err != nil {
return nil, fmt.Errorf("can't sign the hash: %v", err) return nil, fmt.Errorf("can't sign the hash: %v", err)
} }

@ -41,6 +41,7 @@ import (
"github.com/lightningnetwork/lnd/htlcswitch/hop" "github.com/lightningnetwork/lnd/htlcswitch/hop"
"github.com/lightningnetwork/lnd/input" "github.com/lightningnetwork/lnd/input"
"github.com/lightningnetwork/lnd/invoices" "github.com/lightningnetwork/lnd/invoices"
"github.com/lightningnetwork/lnd/keychain"
"github.com/lightningnetwork/lnd/lncfg" "github.com/lightningnetwork/lnd/lncfg"
"github.com/lightningnetwork/lnd/lnpeer" "github.com/lightningnetwork/lnd/lnpeer"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
@ -324,12 +325,17 @@ func noiseDial(idPriv *btcec.PrivateKey,
// passed listener address. // passed listener address.
func newServer(cfg *Config, listenAddrs []net.Addr, chanDB *channeldb.DB, func newServer(cfg *Config, listenAddrs []net.Addr, chanDB *channeldb.DB,
towerClientDB *wtdb.ClientDB, cc *chainControl, towerClientDB *wtdb.ClientDB, cc *chainControl,
privKey *btcec.PrivateKey, privKey *btcec.PrivateKey, nodeKeyDesc *keychain.KeyDescriptor,
chansToRestore walletunlocker.ChannelsToRecover, chansToRestore walletunlocker.ChannelsToRecover,
chanPredicate chanacceptor.ChannelAcceptor, chanPredicate chanacceptor.ChannelAcceptor,
torController *tor.Controller) (*server, error) { torController *tor.Controller) (*server, error) {
var err error var (
err error
nodeKeySigner = keychain.NewPubKeyDigestSigner(
*nodeKeyDesc, cc.keyRing,
)
)
listeners := make([]net.Listener, len(listenAddrs)) listeners := make([]net.Listener, len(listenAddrs))
for i, listenAddr := range listenAddrs { for i, listenAddr := range listenAddrs {
@ -426,7 +432,7 @@ func newServer(cfg *Config, listenAddrs []net.Addr, chanDB *channeldb.DB,
channelNotifier: channelnotifier.New(chanDB), channelNotifier: channelnotifier.New(chanDB),
identityECDH: privKey, identityECDH: privKey,
nodeSigner: netann.NewNodeSigner(privKey), nodeSigner: netann.NewNodeSigner(nodeKeySigner),
listenAddrs: listenAddrs, listenAddrs: listenAddrs,

@ -103,10 +103,13 @@ func createTestPeer(notifier chainntnfs.ChainNotifier, publTx chan *wire.MsgTx,
updateChan func(a, b *channeldb.OpenChannel)) (*peer, *lnwallet.LightningChannel, updateChan func(a, b *channeldb.OpenChannel)) (*peer, *lnwallet.LightningChannel,
*lnwallet.LightningChannel, func(), error) { *lnwallet.LightningChannel, func(), error) {
aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(
alicesPrivKey) btcec.S256(), alicesPrivKey,
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), )
bobsPrivKey) aliceKeySigner := &keychain.PrivKeyDigestSigner{PrivKey: aliceKeyPriv}
bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(
btcec.S256(), bobsPrivKey,
)
channelCapacity := btcutil.Amount(10 * 1e8) channelCapacity := btcutil.Amount(10 * 1e8)
channelBal := channelCapacity / 2 channelBal := channelCapacity / 2
@ -402,7 +405,7 @@ func createTestPeer(notifier chainntnfs.ChainNotifier, publTx chan *wire.MsgTx,
} }
s.htlcSwitch = htlcSwitch s.htlcSwitch = htlcSwitch
nodeSignerAlice := netann.NewNodeSigner(aliceKeyPriv) nodeSignerAlice := netann.NewNodeSigner(aliceKeySigner)
const chanActiveTimeout = time.Minute const chanActiveTimeout = time.Minute