HSMD: add new wire BIP137 sign message API

Lagrang3 · rustyrussell · commit b6388c710f50 · 2025-05-13T13:19:03.000+09:30
Changelog-Added: HSMD: add new wire API to sign messages with bitcoin wallet keys according to BIP137.

Signed-off-by: Lagrang3 &lt;lagrang3@protonmail.com&gt;
diff --git a/common/hsm_version.h b/common/hsm_version.h
@@ -28,7 +28,8 @@
  * v6 no secret from get_per_commitment_point: 0cad1790beb3473d64355f4cb4f64daa80c28c8a241998b7ef0223385d7ffff9
  * v6 with sign_bolt12_2 (tweak using node id): 8fcb731279a10af3f95aeb8be1da6b2ced76a1984afa18c5f46a03515d70ea0e
  * v6 with dev_warn_on_overgrind: a273b68e19336073e551c01a78bcd1e1f8cc510da7d0dde3afc45e249f9830cc
-*/
+ * v6 with bip137_sign_message: 4bfe28b02e92aae276b8eca2228e32f32d5dee8d5381639e7364939fa2fa1370
+ */
 #define HSM_MIN_VERSION 5
 #define HSM_MAX_VERSION 6
 #endif /* LIGHTNING_COMMON_HSM_VERSION_H */
diff --git a/hsmd/hsmd.c b/hsmd/hsmd.c
@@ -692,6 +692,7 @@ static struct io_plan *handle_client(struct io_conn *conn, struct client *c)
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS:
 	case WIRE_HSMD_SIGN_INVOICE:
 	case WIRE_HSMD_SIGN_MESSAGE:
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE:
 	case WIRE_HSMD_SIGN_OPTION_WILL_FUND_OFFER:
 	case WIRE_HSMD_SIGN_BOLT12:
 	case WIRE_HSMD_SIGN_BOLT12_2:
@@ -748,6 +749,7 @@ static struct io_plan *handle_client(struct io_conn *conn, struct client *c)
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS_REPLY:
 	case WIRE_HSMD_DEV_MEMLEAK_REPLY:
 	case WIRE_HSMD_SIGN_MESSAGE_REPLY:
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE_REPLY:
 	case WIRE_HSMD_GET_OUTPUT_SCRIPTPUBKEY_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_2_REPLY:
diff --git a/hsmd/hsmd_wire.csv b/hsmd/hsmd_wire.csv
@@ -364,6 +364,15 @@ msgdata,hsmd_sign_message,msg,u8,len
 msgtype,hsmd_sign_message_reply,123
 msgdata,hsmd_sign_message_reply,sig,secp256k1_ecdsa_recoverable_signature,
 
+# sign a raw message with a derived key
+msgtype,hsmd_bip137_sign_message,45
+msgdata,hsmd_bip137_sign_message,len,u16,
+msgdata,hsmd_bip137_sign_message,msg,u8,len
+msgdata,hsmd_bip137_sign_message,keyidx,u32,
+
+msgtype,hsmd_bip137_sign_message_reply,145
+msgdata,hsmd_bip137_sign_message_reply,sig,secp256k1_ecdsa_recoverable_signature,
+
 # lightningd needs to get a scriptPubkey for a utxo with closeinfo
 msgtype,hsmd_get_output_scriptpubkey,24
 msgdata,hsmd_get_output_scriptpubkey,channel_id,u64,
diff --git a/hsmd/libhsmd.c b/hsmd/libhsmd.c
@@ -136,6 +136,7 @@ bool hsmd_check_client_capabilities(struct hsmd_client *client,
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS:
 	case WIRE_HSMD_DEV_MEMLEAK:
 	case WIRE_HSMD_SIGN_MESSAGE:
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE:
 	case WIRE_HSMD_GET_OUTPUT_SCRIPTPUBKEY:
 	case WIRE_HSMD_SIGN_BOLT12:
 	case WIRE_HSMD_SIGN_BOLT12_2:
@@ -182,6 +183,7 @@ bool hsmd_check_client_capabilities(struct hsmd_client *client,
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS_REPLY:
 	case WIRE_HSMD_DEV_MEMLEAK_REPLY:
 	case WIRE_HSMD_SIGN_MESSAGE_REPLY:
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE_REPLY:
 	case WIRE_HSMD_GET_OUTPUT_SCRIPTPUBKEY_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_2_REPLY:
@@ -715,6 +717,51 @@ static u8 *handle_sign_message(struct hsmd_client *c, const u8 *msg_in)
 	return towire_hsmd_sign_message_reply(NULL, &rsig);
 }
 
+/* FIXME: implement BIP0322 signature scheme so that we can support any type of
+ * address. */
+/* Sign a message with a private key (see BIP137):
+ * signature = base64(SigRec(SHA256(SHA256(
+ *      "\x18Bitcoin Signed Message:\n" + var_int(len(message)) + message
+ *      )))) */
+static u8 *handle_bip137_sign_message(struct hsmd_client *c, const u8 *msg_in)
+{
+	u8 *msg;
+	u32 keyidx;
+	struct sha256_ctx sctx = SHA256_INIT;
+	struct sha256_double shad;
+	secp256k1_ecdsa_recoverable_signature rsig;
+	struct privkey privkey;
+	struct pubkey pubkey;
+
+	if (!fromwire_hsmd_bip137_sign_message(tmpctx, msg_in, &msg, &keyidx))
+		return hsmd_status_malformed_request(c, msg_in);
+
+	/* double sha256 the message */
+	const char header[] = "\x18"
+			      "Bitcoin Signed Message:\n";
+	sha256_update(&sctx, (const u8 *)header, strlen(header));
+
+	u8 vt[VARINT_MAX_LEN];
+	size_t msg_len = tal_count(msg);
+	size_t vtlen = varint_put(vt, msg_len);
+	sha256_update(&sctx, vt, vtlen);
+
+	sha256_update(&sctx, msg, msg_len);
+	sha256_double_done(&sctx, &shad);
+
+	/* get the private key BIP32 */
+	bitcoin_key(&privkey, &pubkey, keyidx);
+
+	if (!secp256k1_ecdsa_sign_recoverable(
+		secp256k1_ctx, &rsig, shad.sha.u.u8, privkey.secret.data, NULL,
+		NULL)) {
+		return hsmd_status_bad_request(c, msg_in,
+					       "Failed to sign message");
+	}
+
+	return towire_hsmd_bip137_sign_message_reply(NULL, &rsig);
+}
+
 /*~ lightningd asks us to sign a liquidity ad offer */
 static u8 *handle_sign_option_will_fund_offer(struct hsmd_client *c,
 					      const u8 *msg_in)
@@ -2181,6 +2228,8 @@ u8 *hsmd_handle_client_message(const tal_t *ctx, struct hsmd_client *client,
 		return handle_preapprove_keysend(client, msg);
 	case WIRE_HSMD_SIGN_MESSAGE:
 		return handle_sign_message(client, msg);
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE:
+		return handle_bip137_sign_message(client, msg);
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS:
 		return handle_get_channel_basepoints(client, msg);
 	case WIRE_HSMD_CANNOUNCEMENT_SIG_REQ:
@@ -2263,6 +2312,7 @@ u8 *hsmd_handle_client_message(const tal_t *ctx, struct hsmd_client *client,
 	case WIRE_HSMD_GET_CHANNEL_BASEPOINTS_REPLY:
 	case WIRE_HSMD_DEV_MEMLEAK_REPLY:
 	case WIRE_HSMD_SIGN_MESSAGE_REPLY:
+	case WIRE_HSMD_BIP137_SIGN_MESSAGE_REPLY:
 	case WIRE_HSMD_GET_OUTPUT_SCRIPTPUBKEY_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_REPLY:
 	case WIRE_HSMD_SIGN_BOLT12_2_REPLY:
@@ -2297,6 +2347,7 @@ u8 *hsmd_init(struct secret hsm_secret, const u64 hsmd_version,
 		WIRE_HSMD_FORGET_CHANNEL,
 		WIRE_HSMD_REVOKE_COMMITMENT_TX,
 		WIRE_HSMD_SIGN_BOLT12_2,
+		WIRE_HSMD_BIP137_SIGN_MESSAGE,
 		WIRE_HSMD_PREAPPROVE_INVOICE_CHECK,
 		WIRE_HSMD_PREAPPROVE_KEYSEND_CHECK,
 	};
