offer: make the merkle tree signature public

vincenzopalazzo · vincenzopalazzo · commit 0bdf4344c40b · 2025-07-15T11:05:19.000+02:00
This is helpfull for the users that want to use the merkle tree
signature in their own code, for example to verify the
signature of bolt12 invoices or recreate it.

Very useful for people that are building command line tools
for the bolt12 offers.

Signed-off-by: Vincenzo Palazzo &lt;vincenzopalazzodev@gmail.com&gt;
diff --git a/lightning/src/offers/invoice.rs b/lightning/src/offers/invoice.rs
@@ -1032,6 +1032,11 @@ impl Bolt12Invoice {
 			InvoiceContents::ForRefund { .. } => self.message_paths().is_empty(),
 		}
 	}
+
+	/// Returns the [`TaggedHash`] of the invoice that was signed.
+	pub fn tagged_hash(&self) -> &TaggedHash {
+		&self.tagged_hash
+	}
 }
 
 impl PartialEq for Bolt12Invoice {
@@ -1785,7 +1790,6 @@ mod tests {
 	use bitcoin::script::ScriptBuf;
 	use bitcoin::secp256k1::{self, Keypair, Message, Secp256k1, SecretKey, XOnlyPublicKey};
 	use bitcoin::{CompressedPublicKey, WitnessProgram, WitnessVersion};
-
 	use core::time::Duration;
 
 	use crate::blinded_path::message::BlindedMessagePath;
@@ -3560,4 +3564,86 @@ mod tests {
 			),
 		}
 	}
+
+	#[test]
+	fn invoice_offer_id_matches_offer_id() {
+		let expanded_key = ExpandedKey::new([42; 32]);
+		let entropy = FixedEntropy {};
+		let nonce = Nonce::from_entropy_source(&entropy);
+		let secp_ctx = Secp256k1::new();
+		let payment_id = PaymentId([1; 32]);
+
+		let offer = OfferBuilder::new(recipient_pubkey()).amount_msats(1000).build().unwrap();
+
+		let offer_id = offer.id();
+
+		let invoice_request = offer
+			.request_invoice(&expanded_key, nonce, &secp_ctx, payment_id)
+			.unwrap()
+			.build_and_sign()
+			.unwrap();
+
+		let invoice = invoice_request
+			.respond_with_no_std(payment_paths(), payment_hash(), now())
+			.unwrap()
+			.build()
+			.unwrap()
+			.sign(recipient_sign)
+			.unwrap();
+
+		assert_eq!(invoice.offer_id(), Some(offer_id));
+	}
+
+	#[test]
+	fn refund_invoice_has_no_offer_id() {
+		let refund =
+			RefundBuilder::new(vec![1; 32], payer_pubkey(), 1000).unwrap().build().unwrap();
+
+		let invoice = refund
+			.respond_with_no_std(payment_paths(), payment_hash(), recipient_pubkey(), now())
+			.unwrap()
+			.build()
+			.unwrap()
+			.sign(recipient_sign)
+			.unwrap();
+
+		assert_eq!(invoice.offer_id(), None);
+	}
+
+	#[test]
+	fn verifies_invoice_signature_with_tagged_hash() {
+		let secp_ctx = Secp256k1::new();
+		let expanded_key = ExpandedKey::new([42; 32]);
+		let entropy = FixedEntropy {};
+		let nonce = Nonce::from_entropy_source(&entropy);
+		let node_id = recipient_pubkey();
+		let payment_paths = payment_paths();
+		let now = Duration::from_secs(123456);
+		let payment_id = PaymentId([1; 32]);
+
+		let offer = OfferBuilder::new(node_id)
+			.amount_msats(1000)
+			.path(crate::offers::test_utils::blinded_path())
+			.build()
+			.unwrap();
+
+		let invoice_request = offer
+			.request_invoice(&expanded_key, nonce, &secp_ctx, payment_id)
+			.unwrap()
+			.build_and_sign()
+			.unwrap();
+
+		let invoice = invoice_request
+			.respond_with_no_std(payment_paths, payment_hash(), now)
+			.unwrap()
+			.build()
+			.unwrap()
+			.sign(recipient_sign)
+			.unwrap();
+
+		let issuer_sign_pubkey = offer.issuer_signing_pubkey().unwrap();
+		let tagged_hash = invoice.tagged_hash();
+		let signature = invoice.signature();
+		assert!(merkle::verify_signature(&signature, tagged_hash, issuer_sign_pubkey).is_ok());
+	}
 }
diff --git a/lightning/src/offers/merkle.rs b/lightning/src/offers/merkle.rs
@@ -94,7 +94,7 @@ pub enum SignError {
 }
 
 /// A function for signing a [`TaggedHash`].
-pub(super) trait SignFn<T: AsRef<TaggedHash>> {
+pub trait SignFn<T: AsRef<TaggedHash>> {
 	/// Signs a [`TaggedHash`] computed over the merkle root of `message`'s TLV stream.
 	fn sign(&self, message: &T) -> Result<Signature, ()>;
 }
@@ -117,9 +117,7 @@ where
 ///
 /// [`Bolt12Invoice`]: crate::offers::invoice::Bolt12Invoice
 /// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
-pub(super) fn sign_message<F, T>(
-	f: F, message: &T, pubkey: PublicKey,
-) -> Result<Signature, SignError>
+pub fn sign_message<F, T>(f: F, message: &T, pubkey: PublicKey) -> Result<Signature, SignError>
 where
 	F: SignFn<T>,
 	T: AsRef<TaggedHash>,
@@ -136,7 +134,7 @@ where
 
 /// Verifies the signature with a pubkey over the given message using a tagged hash as the message
 /// digest.
-pub(super) fn verify_signature(
+pub fn verify_signature(
 	signature: &Signature, message: &TaggedHash, pubkey: PublicKey,
 ) -> Result<(), secp256k1::Error> {
 	let digest = message.as_digest();
