utils: validate MuSig2 signer inputs

starius · starius · commit f006cbd8902f · 2026-04-05T14:50:27.000-05:00
diff --git a/utils/musig.go b/utils/musig.go
@@ -9,11 +9,21 @@ import (
 )
 
 // MuSig2Sign will create a MuSig2 signature for the passed message using the
-// passed private keys.
+// passed private keys. It expects at least two signing keys, and the number of
+// private keys and public keys must match.
 func MuSig2Sign(version input.MuSig2Version, privKeys []*btcec.PrivateKey,
 	pubKeys []*btcec.PublicKey, tweaks *input.MuSig2Tweaks,
 	msg [32]byte) ([]byte, error) {
 
+	if len(privKeys) != len(pubKeys) {
+		return nil, fmt.Errorf("number of private keys (%d) must "+
+			"match number of public keys (%d)",
+			len(privKeys), len(pubKeys))
+	}
+	if len(privKeys) < 2 {
+		return nil, fmt.Errorf("need at least two signing keys")
+	}
+
 	// Next we'll create MuSig2 sessions for each individual private
 	// signing key.
 	sessions := make([]input.MuSig2Session, len(privKeys))
@@ -74,7 +84,7 @@ func MuSig2Sign(version input.MuSig2Version, privKeys []*btcec.PrivateKey,
 	}
 
 	if !haveAllSigs {
-		return nil, fmt.Errorf("combinging MuSig2 signatures " +
+		return nil, fmt.Errorf("combining MuSig2 signatures " +
 			"failed")
 	}
 
diff --git a/utils/musig_test.go b/utils/musig_test.go
@@ -0,0 +1,41 @@
+package utils
+
+import (
+	"testing"
+
+	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/lightninglabs/loop/test"
+	"github.com/lightningnetwork/lnd/input"
+	"github.com/stretchr/testify/require"
+)
+
+// TestMuSig2SignRejectsSingleSigner ensures the helper fails fast with a clear
+// error instead of entering an invalid one-party MuSig2 flow.
+func TestMuSig2SignRejectsSingleSigner(t *testing.T) {
+	privKey, pubKey := test.CreateKey(1)
+
+	_, err := MuSig2Sign(
+		input.MuSig2Version100RC2,
+		[]*btcec.PrivateKey{privKey},
+		[]*btcec.PublicKey{pubKey},
+		&input.MuSig2Tweaks{},
+		[32]byte{},
+	)
+	require.ErrorContains(t, err, "need at least two signing keys")
+}
+
+// TestMuSig2SignRejectsMismatchedKeyCounts ensures we fail before creating any
+// MuSig2 sessions when the signer sets are inconsistent.
+func TestMuSig2SignRejectsMismatchedKeyCounts(t *testing.T) {
+	privKey, pubKey1 := test.CreateKey(1)
+	_, pubKey2 := test.CreateKey(2)
+
+	_, err := MuSig2Sign(
+		input.MuSig2Version100RC2,
+		[]*btcec.PrivateKey{privKey},
+		[]*btcec.PublicKey{pubKey1, pubKey2},
+		&input.MuSig2Tweaks{},
+		[32]byte{},
+	)
+	require.ErrorContains(t, err, "must match number of public keys")
+}
