Secure v2 payloads with authenticated encryption

Author: DanGould

Cargo.lock

@@ -206,13 +206,9 @@ impl App {
 
     #[cfg(feature = "v2")]
     pub async fn receive_payjoin(self, amount_arg: &str) -> Result<()> {
-        let secp = bitcoin::secp256k1::Secp256k1::new();
-        let mut rng = bitcoin::secp256k1::rand::thread_rng();
-        let key = bitcoin::secp256k1::KeyPair::new(&secp, &mut rng);
-        let b64_config = base64::Config::new(base64::CharacterSet::UrlSafe, false);
-        let pubkey_base64 = base64::encode_config(key.public_key().to_string(), b64_config);
-
-        let pj_uri_string = self.construct_payjoin_uri(amount_arg, Some(&pubkey_base64))?;
+        let context = payjoin::receive::ProposalContext::new();
+        let pj_uri_string =
+            self.construct_payjoin_uri(amount_arg, Some(&context.subdirectory()))?;
         println!(
             "Listening at {}. Configured to accept payjoin at BIP 21 Payjoin Uri:",
             self.config.pj_host
@@ -224,20 +220,21 @@ impl App {
             .build()
             .with_context(|| "Failed to build reqwest http client")?;
         log::debug!("Awaiting request");
-        let receive_endpoint =
-            format!("{}/{}/{}", self.config.pj_endpoint, pubkey_base64, payjoin::v2::RECEIVE);
-        let buffer = Self::long_poll(&client, &receive_endpoint).await?;
+        let receive_endpoint = format!("{}/{}", self.config.pj_endpoint, context.receive_subdir());
+        let mut buffer = Self::long_poll(&client, &receive_endpoint).await?;
 
         log::debug!("Received request");
-        let proposal = UncheckedProposal::from_streamed(&buffer)
+        let (proposal, e) = context
+            .parse_proposal(&mut buffer)
             .map_err(|e| anyhow!("Failed to parse into UncheckedProposal {}", e))?;
         let payjoin_psbt = self
             .process_proposal(proposal)
             .map_err(|e| anyhow!("Failed to process UncheckedProposal {}", e))?;
-        let payjoin_psbt_ser = base64::encode(&payjoin_psbt.serialize());
+        let mut payjoin_bytes = payjoin_psbt.serialize();
+        let payjoin = payjoin::v2::encrypt_message_b(&mut payjoin_bytes, e);
         let _ = client
             .post(receive_endpoint)
-            .body(payjoin_psbt_ser)
+            .body(payjoin)
             .send()
             .await
             .with_context(|| "HTTP request failed")?;
@@ -368,10 +365,7 @@ impl App {
             headers,
         )?;
 
-        let payjoin_proposal_psbt = self.process_proposal(proposal)?;
-        log::debug!("Receiver's Payjoin proposal PSBT Rsponse: {:#?}", payjoin_proposal_psbt);
-
-        let payload = base64::encode(&payjoin_proposal_psbt.serialize());
+        let payload = self.process_proposal(proposal)?;
         log::info!("successful response");
         Ok(Response::text(payload))
     }

payjoin-cli/src/app.rs

@@ -15,11 +15,12 @@ edition = "2018"
 [features]
 send = []
 receive = ["rand"]
-v2 = ["serde", "serde_json"]
+v2 = ["bitcoin/rand-std", "chacha20poly1305", "serde", "serde_json"]
 
 [dependencies]
 bitcoin = { version = "0.30.0", features = ["base64"] }
 bip21 = "0.3.1"
+chacha20poly1305 = { version = "0.10.1", optional = true }
 log = { version = "0.4.14"}
 rand = { version = "0.8.4", optional = true }
 serde = { version = "1.0", optional = true }

payjoin/Cargo.toml

@@ -278,6 +278,7 @@ pub use error::{Error, RequestError, SelectionError};
 use error::{InternalRequestError, InternalSelectionError};
 use rand::seq::SliceRandom;
 use rand::Rng;
+use serde::Serialize;
 
 use crate::input_type::InputType;
 use crate::optional_parameters::Params;
@@ -287,6 +288,45 @@ pub trait Headers {
     fn get_header(&self, key: &str) -> Option<&str>;
 }
 
+#[cfg(feature = "v2")]
+pub struct ProposalContext {
+    s: bitcoin::secp256k1::KeyPair,
+}
+
+impl ProposalContext {
+    pub fn new() -> Self {
+        let secp = bitcoin::secp256k1::Secp256k1::new();
+        let (sk, _) = secp.generate_keypair(&mut rand::rngs::OsRng);
+        ProposalContext { s: bitcoin::secp256k1::KeyPair::from_secret_key(&secp, &sk) }
+    }
+
+    pub fn subdirectory(&self) -> String {
+        let pubkey = &self.s.public_key().serialize();
+        let b64_config =
+            bitcoin::base64::Config::new(bitcoin::base64::CharacterSet::UrlSafe, false);
+        let pubkey_base64 = bitcoin::base64::encode_config(pubkey, b64_config);
+        pubkey_base64
+    }
+
+    pub fn receive_subdir(&self) -> String {
+        format!("{}/{}", self.subdirectory(), crate::v2::RECEIVE)
+    }
+
+    pub fn parse_proposal(
+        self,
+        encrypted_proposal: &mut [u8],
+    ) -> Result<(UncheckedProposal, bitcoin::secp256k1::PublicKey), RequestError> {
+        let (proposal, e) = crate::v2::decrypt_message_a(encrypted_proposal, self.s.secret_key());
+        let mut proposal = serde_json::from_slice::<UncheckedProposal>(&proposal)
+            .map_err(InternalRequestError::Json)?;
+        proposal.psbt = proposal.psbt.validate().map_err(InternalRequestError::InconsistentPsbt)?;
+        log::debug!("Received original psbt: {:?}", proposal.psbt);
+        log::debug!("Received request with params: {:?}", proposal.params);
+
+        Ok((proposal, e))
+    }
+}
+
 /// The sender's original PSBT and optional parameters
 ///
 /// This type is used to proces the request. It is returned by
@@ -341,20 +381,8 @@ where
     Ok(unchecked_psbt)
 }
 
-#[cfg(feature = "v2")]
-impl UncheckedProposal {
-    pub fn from_streamed(streamed: &[u8]) -> Result<Self, RequestError> {
-        let mut proposal = serde_json::from_slice::<UncheckedProposal>(streamed)
-            .map_err(InternalRequestError::Json)?;
-        proposal.psbt = proposal.psbt.validate().map_err(InternalRequestError::InconsistentPsbt)?;
-        log::debug!("Received original psbt: {:?}", proposal.psbt);
-        log::debug!("Received request with params: {:?}", proposal.params);
-
-        Ok(proposal)
-    }
-}
-
 impl UncheckedProposal {
+    #[cfg(not(feature = "v2"))]
     pub fn from_request(
         mut body: impl std::io::Read,
         query: &str,

payjoin/src/receive/mod.rs

@@ -322,6 +322,8 @@ pub struct Context {
     input_type: InputType,
     sequence: Sequence,
     payee: ScriptBuf,
+    #[cfg(feature = "v2")]
+    e: bitcoin::secp256k1::SecretKey,
 }
 
 macro_rules! check_eq {
@@ -348,6 +350,7 @@ impl Context {
     /// Call this method with response from receiver to continue BIP78 flow. If the response is
     /// valid you will get appropriate PSBT that you should sign and broadcast.
     #[inline]
+    #[cfg(not(feature = "v2"))]
     pub fn process_response(
         self,
         response: &mut impl std::io::Read,
@@ -360,6 +363,19 @@ impl Context {
         self.process_proposal(proposal).map(Into::into).map_err(Into::into)
     }
 
+    #[cfg(feature = "v2")]
+    pub fn process_response(
+        self,
+        response: &mut impl std::io::Read,
+    ) -> Result<Psbt, ValidationError> {
+        let mut res_buf = Vec::new();
+        response.read_to_end(&mut res_buf).map_err(InternalValidationError::Io)?;
+        let psbt = crate::v2::decrypt_message_b(&mut res_buf, self.e);
+        let proposal = Psbt::deserialize(&psbt).expect("PSBT deserialization failed");
+        // process in non-generic function
+        self.process_proposal(proposal).map(Into::into).map_err(Into::into)
+    }
+
     fn process_proposal(self, proposal: Psbt) -> InternalResult<Psbt> {
         self.basic_checks(&proposal)?;
         let in_stats = self.check_inputs(&proposal)?;
@@ -833,13 +849,20 @@ pub(crate) fn from_psbt_and_uri(
     let sequence = zeroth_input.txin.sequence;
     let txout = zeroth_input.previous_txout().expect("We already checked this above");
     let input_type = InputType::from_spent_input(txout, zeroth_input.psbtin).unwrap();
-    let url = uri.extras._endpoint;
+    let rs_base64 = crate::v2::subdir(uri.extras._endpoint.as_str()).to_string();
+    log::debug!("rs_base64: {:?}", rs_base64);
+    let b64_config = bitcoin::base64::Config::new(bitcoin::base64::CharacterSet::UrlSafe, false);
+    let rs = bitcoin::base64::decode_config(rs_base64, b64_config).unwrap();
+    log::debug!("rs: {:?}", rs.len());
+    let rs = bitcoin::secp256k1::PublicKey::from_slice(&rs).unwrap();
     let body = serialize_v2_body(
         &psbt,
         disable_output_substitution,
         fee_contribution,
         params.min_fee_rate,
     );
+    let (body, e) = crate::v2::encrypt_message_a(&body, rs);
+    let url = uri.extras._endpoint;
     Ok((
         Request { url, body },
         Context {
@@ -850,13 +873,15 @@ pub(crate) fn from_psbt_and_uri(
             input_type,
             sequence,
             min_fee_rate: params.min_fee_rate,
+            e,
         },
     ))
 }
 
 #[cfg(test)]
 mod tests {
     #[test]
+    #[cfg(not(feature = "v2"))]
     fn official_vectors() {
         use std::str::FromStr;