fix: rename BIP322 commands, validate address ownership before signing and add Bip322Error variant

aagbotemi · aagbotemi · commit e03f123c480d · 2026-04-17T14:36:23.000+01:00
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -3,17 +3,10 @@ name: Audit
 on:
   push:
     paths:
-      # Run if workflow changes
-      - '.github/workflows/audit.yml'
-      # Run on changed dependencies
       - '**/Cargo.toml'
       - '**/Cargo.lock'
-      # Run if the configuration file changes
-      - '**/audit.toml'
   schedule:
     - cron: '0 0 * * 0' # Once per week
-  # Run manually
-  workflow_dispatch:
 
 jobs:
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,9 +34,9 @@ bdk_esplora = { version = "0.22.1", features = ["async-https", "tokio"], optiona
 bdk_kyoto = { version = "0.15.4", optional = true }
 bdk_redb = { version = "0.1.1", optional = true }
 shlex = {  version = "1.3.0", optional = true }
-payjoin = { version = "1.0.0-rc.1", features = ["v1", "v2", "io", "_test-utils"], optional = true}
-reqwest = { version = "0.12.23", default-features = false, optional = true }
-url = { version = "2.5.4", optional = true }
+payjoin = { version = "=1.0.0-rc.1", features = ["v1", "v2", "io", "_test-utils"], optional = true}
+reqwest = { version = "0.13.2", default-features = false, optional = true }
+url = { version = "2.5.8", optional = true }
 bdk-bip322 = { git = "https://github.com/aagbotemi/bdk-bip322.git", branch = "master", optional = true }
 
 [features]
diff --git a/src/commands.rs b/src/commands.rs
@@ -463,7 +463,7 @@ pub enum OfflineWalletSubCommand {
     },
     /// Sign a message using BIP322
     #[cfg(feature = "bip322")]
-    SignBip322 {
+    SignMessage {
         /// The message to sign
         #[arg(long)]
         message: String,
@@ -473,21 +473,19 @@ pub enum OfflineWalletSubCommand {
         /// Address to sign
         #[arg(long)]
         address: String,
-        // Optional list of specific UTXOs for proof-of-funds (only for `FullWithProofOfFunds`)        #[arg(long)]
+        /// Optional list of specific UTXOs for proof-of-funds (only for `FullWithProofOfFunds`)
+        #[arg(long)]
         utxos: Option<Vec<OutPoint>>,
     },
     /// Verify a BIP322 signature
     #[cfg(feature = "bip322")]
-    VerifyBip322 {
+    VerifyMessage {
         /// The signature proof to verify
         #[arg(long)]
         proof: String,
         /// The message that was signed
         #[arg(long)]
         message: String,
-        /// The signature format (e.g., Legacy, Simple, Full)
-        #[arg(long, default_value = "simple")]
-        signature_type: String,
         /// The address associated with the signature
         #[arg(long)]
         address: String,
diff --git a/src/error.rs b/src/error.rs
@@ -140,6 +140,10 @@ pub enum BDKCliError {
     #[cfg(feature = "payjoin")]
     #[error("Payjoin create request error: {0}")]
     PayjoinCreateRequest(#[from] payjoin::send::v2::CreateRequestError),
+
+    #[cfg(feature = "bip322")]
+    #[error("BIP-322 error: {0}")]
+    Bip322Error(#[from] bdk_bip322::error::Error),
 }
 
 impl From<ExtractTxError> for BDKCliError {
diff --git a/src/handlers.rs b/src/handlers.rs
@@ -73,7 +73,7 @@ use std::sync::Arc;
 #[cfg(feature = "bip322")]
 use crate::error::BDKCliError;
 #[cfg(feature = "bip322")]
-use bdk_bip322::{BIP322, Bip322Proof, Bip322VerificationResult};
+use bdk_bip322::{BIP322, MessageProof, MessageVerificationResult};
 
 #[cfg(any(
     feature = "electrum",
@@ -598,7 +598,7 @@ pub fn handle_offline_wallet_subcommand(
             )?)
         }
         #[cfg(feature = "bip322")]
-        SignBip322 {
+        SignMessage {
             message,
             signature_type,
             address,
@@ -607,29 +607,30 @@ pub fn handle_offline_wallet_subcommand(
             let address: Address = parse_address(&address)?;
             let signature_format = parse_signature_format(&signature_type)?;
 
-            let proof: Bip322Proof = wallet
-                .sign_bip322(message.as_str(), signature_format, &address, utxos)
-                .map_err(|e| {
-                    BDKCliError::Generic(format!("Failed to sign BIP-322 message: {e}"))
-                })?;
+            if !wallet.is_mine(address.script_pubkey()) {
+                return Err(Error::Generic(format!(
+                    "Address {} does not belong to this wallet.",
+                    address
+                )));
+            }
+
+            let proof: MessageProof =
+                wallet.sign_message(message.as_str(), signature_format, &address, utxos)?;
 
             Ok(json!({"proof": proof.to_base64()}).to_string())
         }
         #[cfg(feature = "bip322")]
-        VerifyBip322 {
+        VerifyMessage {
             proof,
             message,
-            signature_type,
             address,
         } => {
             let address: Address = parse_address(&address)?;
-            let signature_format = parse_signature_format(&signature_type)?;
-
-            let parsed_proof: Bip322Proof = Bip322Proof::from_base64(&proof)
+            let parsed_proof: MessageProof = MessageProof::from_base64(&proof)
                 .map_err(|e| BDKCliError::Generic(format!("Invalid proof: {e}")))?;
 
-            let is_valid: Bip322VerificationResult =
-                wallet.verify_bip322(&parsed_proof, &message, signature_format, &address)?;
+            let is_valid: MessageVerificationResult =
+                wallet.verify_message(&parsed_proof, &message, &address)?;
 
             Ok(json!({
                 "valid": is_valid.valid,
