add devtool/bip137-verifysignature utility

To validate BIP137 signatures produced by core-lightning in tests.

Changelog-None.

Signed-off-by: Lagrang3 <lagrang3@protonmail.com>

Author: Lagrang3

devtools/.gitignore

@@ -20,3 +20,4 @@ topology
 fp16
 rune
 gossmap-compress
+bip137-verifysignature

devtools/Makefile

@@ -1,4 +1,4 @@
-DEVTOOLS := devtools/bolt11-cli devtools/decodemsg devtools/onion devtools/dump-gossipstore devtools/gossipwith devtools/create-gossipstore devtools/mkcommit devtools/mkfunding devtools/mkclose devtools/mkgossip devtools/mkencoded devtools/mkquery devtools/lightning-checkmessage devtools/topology devtools/route devtools/bolt12-cli devtools/encodeaddr devtools/features devtools/fp16 devtools/rune devtools/gossmap-compress
+DEVTOOLS := devtools/bolt11-cli devtools/decodemsg devtools/onion devtools/dump-gossipstore devtools/gossipwith devtools/create-gossipstore devtools/mkcommit devtools/mkfunding devtools/mkclose devtools/mkgossip devtools/mkencoded devtools/mkquery devtools/lightning-checkmessage devtools/topology devtools/route devtools/bolt12-cli devtools/encodeaddr devtools/features devtools/fp16 devtools/rune devtools/gossmap-compress devtools/bip137-verifysignature
 ifeq ($(HAVE_SQLITE3),1)
 DEVTOOLS += devtools/checkchannels
 endif
@@ -99,6 +99,8 @@ devtools/mkquery: $(DEVTOOLS_COMMON_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/t
 
 devtools/lightning-checkmessage: $(DEVTOOLS_COMMON_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o devtools/lightning-checkmessage.o
 
+devtools/bip137-verifysignature: $(DEVTOOLS_COMMON_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o devtools/bip137-verifysignature.o
+
 devtools/route: $(DEVTOOLS_COMMON_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o wire/tlvstream.o common/gossmap.o common/fp16.o common/random_select.o common/route.o common/dijkstra.o devtools/clean_topo.o devtools/route.o
 
 devtools/topology: $(DEVTOOLS_COMMON_OBJS) $(BITCOIN_OBJS) wire/fromwire.o wire/towire.o wire/tlvstream.o common/gossmap.o common/fp16.o common/random_select.o common/dijkstra.o common/route.o devtools/clean_topo.o devtools/topology.o

devtools/bip137-verifysignature.c

@@ -0,0 +1,142 @@
+#include "config.h"
+#include <assert.h>
+#include <bitcoin/base58.h>
+#include <bitcoin/pubkey.h>
+#include <bitcoin/shadouble.h>
+#include <bitcoin/varint.h>
+#include <ccan/err/err.h>
+#include <common/addr.h>
+#include <common/bech32.h>
+#include <common/utils.h>
+#include <secp256k1_recovery.h>
+#include <stdio.h>
+#include <wally_core.h>
+
+static void usage(void)
+{
+	fprintf(stderr,
+		"Usage: bip137-verifysignature message hex-sig [address]\n"
+		"If key does not match, signature is not valid!\n");
+	exit(1);
+}
+
+static char *encode_pubkey_to_p2wpkh_addr(const tal_t *ctx,
+					  const struct pubkey *pubkey,
+					  const struct chainparams *chain)
+{
+	char *out;
+	const char *hrp;
+	struct ripemd160 h160;
+        bool ok;
+	hrp = chain->onchain_hrp;
+
+	/* out buffer is 73 + strlen(human readable part),
+	 * see common/bech32.h*/
+	out = tal_arr(ctx, char, 73 + strlen(hrp));
+	pubkey_to_hash160(pubkey, &h160);
+	ok = segwit_addr_encode(out, hrp, 0, h160.u.u8, sizeof(h160));
+        if(!ok)
+                tal_free(out);
+	return out;
+}
+
+static const struct chainparams *chainparams_from_address(const char *addr)
+{
+	const struct chainparams *network[3];
+	network[0] = chainparams_for_network("regtest");
+	network[1] = chainparams_for_network("testnet");
+	network[2] = chainparams_for_network("bitcoin");
+
+	/* Is it base58? */
+	u8 addr_version;
+	struct ripemd160 h160;
+	if (ripemd160_from_base58(&addr_version, &h160, addr, strlen(addr))) {
+		for (int i = 0; i < 3; i++) {
+			if (addr_version == network[i]->p2sh_version ||
+			    addr_version == network[i]->p2pkh_version)
+				return network[i];
+		}
+		return NULL;
+	}
+
+	/* Is it bech32 or bech32m? */
+	uint8_t data[84];
+	char hrp_actual[84];
+	size_t data_len;
+	bech32_encoding enc =
+	    bech32_decode(hrp_actual, data, &data_len, addr, strlen(addr));
+	if (enc == BECH32_ENCODING_NONE)
+		return NULL;
+	for (int i = 0; i < 3; i++)
+		if (strcmp(network[i]->onchain_hrp, hrp_actual) == 0)
+			return network[i];
+	return NULL;
+}
+
+int main(int argc, char *argv[])
+{
+	u8 *sig;
+	u8 varint[VARINT_MAX_LEN];
+	size_t varintlen, msg_len;
+	secp256k1_ecdsa_recoverable_signature rsig;
+	struct sha256_ctx sctx = SHA256_INIT;
+	struct sha256_double shad;
+	struct pubkey reckey;
+	const char *addr;
+	const struct chainparams *chain;
+
+	setup_locale();
+	err_set_progname(argv[0]);
+	wally_init(0);
+	secp256k1_ctx = wally_get_secp_context();
+
+	if (argc != 3 && argc != 4)
+		usage();
+
+	sig = tal_hexdata(NULL, argv[2], strlen(argv[2]));
+	if (!sig)
+		errx(1, "Not a valid hex string");
+
+	if (sig[0] < 39 || sig[0] >= 43)
+		errx(1,
+		     "Signature header does not correspond to a P2WPKH type");
+
+	if (!secp256k1_ecdsa_recoverable_signature_parse_compact(
+		secp256k1_ctx, &rsig, sig + 1, sig[0] - 39))
+		errx(1, "Signature not parsable");
+
+	sha256_update(&sctx,
+		      "\x18"
+		      "Bitcoin Signed Message:\n",
+		      strlen("\x18"
+			     "Bitcoin Signed Message:\n"));
+	msg_len = strlen(argv[1]);
+	varintlen = varint_put(varint, msg_len);
+	sha256_update(&sctx, varint, varintlen);
+	sha256_update(&sctx, argv[1], msg_len);
+	sha256_double_done(&sctx, &shad);
+
+	if (!secp256k1_ecdsa_recover(secp256k1_ctx, &reckey.pubkey, &rsig,
+				     shad.sha.u.u8))
+		errx(1, "Signature not recoverable");
+
+	if (argv[3]) {
+		chain = chainparams_from_address(argv[3]);
+		if (!chain)
+			errx(1, "Invalid address");
+	} else {
+		/* By default, assume we are verifying a mainnet signature. */
+		chain = chainparams_for_network("bitcoin");
+	}
+	addr = encode_pubkey_to_p2wpkh_addr(NULL, &reckey, chain);
+	if (!addr)
+		errx(1, "Failed to derive address from recovered key");
+	if (argv[3]) {
+		if (!streq(addr, argv[3]))
+			errx(1, "Signature is invalid");
+		printf("Signature is valid!\n");
+	} else
+		printf("Signature claims to be from address %s\n", addr);
+	return 0;
+}
+