lnwire: update Sig to support both ECDSA and schnorr sigs

In this commit, we update the Sig type to support ECDSA and schnorr
signatures. We need to do this as the HTLC signatures will become
schnorr sigs for taproot channels. The current spec draft opts to
overload this field since both the sigs are actually 64 bytes in length.
The only consideration with this move is that callers need to "coerce" a
sig to the proper type if they need schnorr signatures.

lnwire/signature.go

@@ -5,15 +5,10 @@ import (
 	"fmt"
 
 	"github.com/btcsuite/btcd/btcec/v2/ecdsa"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr"
 	"github.com/lightningnetwork/lnd/input"
 )
 
-// Sig is a fixed-sized ECDSA signature. Unlike Bitcoin, we use fixed sized
-// signatures on the wire, instead of DER encoded signatures. This type
-// provides several methods to convert to/from a regular Bitcoin DER encoded
-// signature (raw bytes and *ecdsa.Signature).
-type Sig [64]byte
-
 var (
 	errSigTooShort = errors.New("malformed signature: too short")
 	errBadLength   = errors.New("malformed signature: bad length")
@@ -23,14 +18,74 @@ var (
 	errSTooLong    = errors.New("S is over 32 bytes long without padding")
 )
 
-// NewSigFromRawSignature returns a Sig from a Bitcoin raw signature encoded in
-// the canonical DER encoding.
-func NewSigFromRawSignature(sig []byte) (Sig, error) {
-	var b Sig
+// sigType represents the type of signature that is carried within the Sig.
+// Today this can either be an ECDSA sig or a schnorr sig. Both of these can
+// fit cleanly into 64 bytes.
+type sigType uint
+
+const (
+	// sigTypeECDSA represents an ECDSA signature.
+	sigTypeECDSA sigType = iota
+
+	// sigTypeSchnorr represents a schnorr signature.
+	sigTypeSchnorr
+)
+
+// Sig is a fixed-sized ECDSA signature or 64-byte schnorr signature. For the
+// ECDSA sig, unlike Bitcoin, we use fixed sized signatures on the wire,
+// instead of DER encoded signatures. This type provides several methods to
+// convert to/from a regular Bitcoin DER encoded signature (raw bytes and
+// *ecdsa.Signature).
+type Sig struct {
+	bytes [64]byte
+
+	sigType sigType
+}
+
+// ForceSchnorr forces the signature to be interpreted as a schnorr signature.
+// This is useful when reading an HTLC sig off the wire for a taproot channel.
+// In this case, in order to obtain an input.Signature, we need to know that
+// the sig is a schnorr sig.
+func (s *Sig) ForceSchnorr() {
+	s.sigType = sigTypeSchnorr
+}
+
+// RawBytes returns the raw bytes of signature.
+func (s *Sig) RawBytes() []byte {
+	return s.bytes[:]
+}
+
+// Copy copies the signature into a new Sig instance.
+func (s *Sig) Copy() Sig {
+	var sCopy Sig
+	copy(sCopy.bytes[:], s.bytes[:])
+	sCopy.sigType = s.sigType
+
+	return sCopy
+}
+
+// NewSigFromWireECDSA returns a Sig instance based on an ECDSA signature
+// that's already in the 64-byte format we expect.
+func NewSigFromWireECDSA(sig []byte) (Sig, error) {
+	if len(sig) != 64 {
+		return Sig{}, fmt.Errorf("%w: %v bytes", errSigTooShort,
+			len(sig))
+	}
+
+	var s Sig
+	copy(s.bytes[:], sig)
+
+	return s, nil
+}
+
+// NewSigFromECDSARawSignature returns a Sig from a Bitcoin raw signature
+// encoded in the canonical DER encoding.
+func NewSigFromECDSARawSignature(sig []byte) (Sig, error) {
+	var b [64]byte
 
 	// Check the total length is above the minimal.
 	if len(sig) < ecdsa.MinSigLen {
-		return b, errSigTooShort
+		return Sig{}, errSigTooShort
 	}
 
 	// The DER representation is laid out as:
@@ -46,7 +101,7 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 	// siglen should be less than the entire message and greater than
 	// the minimal message size.
 	if sigLen+2 > len(sig) || sigLen+2 < ecdsa.MinSigLen {
-		return b, errBadLength
+		return Sig{}, errBadLength
 	}
 
 	// Reading <length r>, remaining: [r 0x02 <length s> s]
@@ -56,7 +111,7 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 	// Assuming s is one byte, then we have 0x30, <length>, 0x20,
 	// <length r>, 0x20, <length s>, s, a total of 7 bytes.
 	if rLen <= 0 || rLen+7 > len(sig) {
-		return b, errBadRLength
+		return Sig{}, errBadRLength
 	}
 
 	// Reading <length s>, remaining: [s]
@@ -67,7 +122,7 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 	// We know r is rLen bytes, and we have 0x30, <length>, 0x20,
 	// <length r>, 0x20, <length s>, a total of rLen+6 bytes.
 	if sLen <= 0 || sLen+rLen+6 > len(sig) {
-		return b, errBadSLength
+		return Sig{}, errBadSLength
 	}
 
 	// Check to make sure R and S can both fit into their intended buffers.
@@ -78,7 +133,7 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 	// check S first.
 	if sLen > 32 {
 		if (sLen > 33) || (sig[6+rLen] != 0x00) {
-			return b, errSTooLong
+			return Sig{}, errSTooLong
 		}
 		sLen--
 		copy(b[64-sLen:], sig[7+rLen:])
@@ -89,7 +144,7 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 	// Do the same for R as we did for S
 	if rLen > 32 {
 		if (rLen > 33) || (sig[4] != 0x00) {
-			return b, errRTooLong
+			return Sig{}, errRTooLong
 		}
 		rLen--
 		copy(b[32-rLen:], sig[5:5+rLen])
@@ -97,11 +152,24 @@ func NewSigFromRawSignature(sig []byte) (Sig, error) {
 		copy(b[32-rLen:], sig[4:4+rLen])
 	}
 
-	return b, nil
+	return Sig{
+		bytes:   b,
+		sigType: sigTypeECDSA,
+	}, nil
+}
+
+// NewSigFromSchnorrRawSignature converts a raw schnorr signature into an
+// lnwire.Sig.
+func NewSigFromSchnorrRawSignature(sig []byte) (Sig, error) {
+	var s Sig
+	copy(s.bytes[:], sig)
+	s.sigType = sigTypeSchnorr
+
+	return s, nil
 }
 
 // NewSigFromSignature creates a new signature as used on the wire, from an
-// existing ecdsa.Signature.
+// existing ecdsa.Signature or schnorr.Signature.
 func NewSigFromSignature(e input.Signature) (Sig, error) {
 	if e == nil {
 		return Sig{}, fmt.Errorf("cannot decode empty signature")
@@ -113,45 +181,85 @@ func NewSigFromSignature(e input.Signature) (Sig, error) {
 		return Sig{}, fmt.Errorf("cannot decode empty signature")
 	}
 
-	// Serialize the signature with all the checks that entails.
-	return NewSigFromRawSignature(e.Serialize())
-}
+	switch ecSig := e.(type) {
+	// If this is a schnorr signature, then we can just pack it as normal,
+	// since the default encoding is already 64 bytes.
+	case *schnorr.Signature:
+		return NewSigFromSchnorrRawSignature(e.Serialize())
 
-// ToSignature converts the fixed-sized signature to a ecdsa.Signature objects
-// which can be used for signature validation checks.
-func (b *Sig) ToSignature() (*ecdsa.Signature, error) {
-	// Parse the signature with strict checks.
-	sigBytes := b.ToSignatureBytes()
-	sig, err := ecdsa.ParseDERSignature(sigBytes)
-	if err != nil {
-		return nil, err
+	// For ECDSA signatures, we'll need to do a bit more work to map the
+	// signature into a compact 64 byte form.
+	case *ecdsa.Signature:
+		// Serialize the signature with all the checks that entails.
+		return NewSigFromECDSARawSignature(e.Serialize())
+
+	default:
+		return Sig{}, fmt.Errorf("unknown wire sig type: %T", ecSig)
 	}
-
-	return sig, nil
 }
 
-// ToSignatureBytes serializes the target fixed-sized signature into the raw
-// bytes of a DER encoding.
-func (b *Sig) ToSignatureBytes() []byte {
-	// Extract canonically-padded bigint representations from buffer
-	r := extractCanonicalPadding(b[0:32])
-	s := extractCanonicalPadding(b[32:64])
-	rLen := uint8(len(r))
-	sLen := uint8(len(s))
+// ToSignature converts the fixed-sized signature to a input.Signature which
+// can be used for signature validation checks.
+func (s *Sig) ToSignature() (input.Signature, error) {
+	switch s.sigType {
+	case sigTypeSchnorr:
+		return schnorr.ParseSignature(s.bytes[:])
 
-	// Create a canonical serialized signature. DER format is:
-	// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
-	sigBytes := make([]byte, 6+rLen+sLen)
-	sigBytes[0] = 0x30            // DER signature magic value
-	sigBytes[1] = 4 + rLen + sLen // Length of rest of signature
-	sigBytes[2] = 0x02            // Big integer magic value
-	sigBytes[3] = rLen            // Length of R
-	sigBytes[rLen+4] = 0x02       // Big integer magic value
-	sigBytes[rLen+5] = sLen       // Length of S
-	copy(sigBytes[4:], r)         // Copy R
-	copy(sigBytes[rLen+6:], s)    // Copy S
+	case sigTypeECDSA:
+		// Parse the signature with strict checks.
+		sigBytes := s.ToSignatureBytes()
+		sig, err := ecdsa.ParseDERSignature(sigBytes)
+		if err != nil {
+			return nil, err
+		}
 
-	return sigBytes
+		return sig, nil
+
+	default:
+		return nil, fmt.Errorf("unknown sig type: %v", s.sigType)
+	}
+}
+
+// ToSignatureBytes serializes the target fixed-sized signature into the
+// encoding of the primary domain for the signature. For ECDSA signatures, this
+// is the raw bytes of a DER encoding.
+func (s *Sig) ToSignatureBytes() []byte {
+	switch s.sigType {
+	// For ECDSA signatures, we'll convert to DER encoding.
+	case sigTypeECDSA:
+		// Extract canonically-padded bigint representations from buffer
+		r := extractCanonicalPadding(s.bytes[0:32])
+		s := extractCanonicalPadding(s.bytes[32:64])
+		rLen := uint8(len(r))
+		sLen := uint8(len(s))
+
+		// Create a canonical serialized signature. DER format is:
+		// 0x30 <length> 0x02 <length r> r 0x02 <length s> s
+		sigBytes := make([]byte, 6+rLen+sLen)
+		sigBytes[0] = 0x30            // DER signature magic value
+		sigBytes[1] = 4 + rLen + sLen // Length of rest of signature
+		sigBytes[2] = 0x02            // Big integer magic value
+		sigBytes[3] = rLen            // Length of R
+		sigBytes[rLen+4] = 0x02       // Big integer magic value
+		sigBytes[rLen+5] = sLen       // Length of S
+		copy(sigBytes[4:], r)         // Copy R
+		copy(sigBytes[rLen+6:], s)    // Copy S
+
+		return sigBytes
+
+	// For schnorr signatures, we can use the same internal 64 bytes.
+	case sigTypeSchnorr:
+		// We'll make a copy of the signature so we don't return a
+		// refrence into the raw slice.
+		var sig [64]byte
+		copy(sig[:], s.bytes[:])
+		return sig[:]
+
+	default:
+		// TODO(roasbeef): can only be called via public methods so
+		// never reachable?
+		panic("sig type not set")
+	}
 }
 
 // extractCanonicalPadding is a utility function to extract the canonical