]> git.bitcoin.ninja Git - rust-lightning/blob - lightning/src/util/enforcing_trait_impls.rs
Use ClosingTransaction in BaseSign
[rust-lightning] / lightning / src / util / enforcing_trait_impls.rs
1 // This file is Copyright its original authors, visible in version control
2 // history.
3 //
4 // This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
5 // or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
7 // You may not use this file except in accordance with one or both of these
8 // licenses.
9
10 use ln::chan_utils::{HTLCOutputInCommitment, ChannelPublicKeys, HolderCommitmentTransaction, CommitmentTransaction, ChannelTransactionParameters, TrustedCommitmentTransaction, ClosingTransaction};
11 use ln::{chan_utils, msgs};
12 use chain::keysinterface::{Sign, InMemorySigner, BaseSign};
13
14 use prelude::*;
15 use core::cmp;
16 use sync::{Mutex, Arc};
17 #[cfg(test)] use sync::MutexGuard;
18
19 use bitcoin::blockdata::transaction::{Transaction, SigHashType};
20 use bitcoin::util::bip143;
21
22 use bitcoin::secp256k1;
23 use bitcoin::secp256k1::key::{SecretKey, PublicKey};
24 use bitcoin::secp256k1::{Secp256k1, Signature};
25 use util::ser::{Writeable, Writer};
26 use io::Error;
27
28 /// Initial value for revoked commitment downward counter
29 pub const INITIAL_REVOKED_COMMITMENT_NUMBER: u64 = 1 << 48;
30
31 /// An implementation of Sign that enforces some policy checks.  The current checks
32 /// are an incomplete set.  They include:
33 ///
34 /// - When signing, the holder transaction has not been revoked
35 /// - When revoking, the holder transaction has not been signed
36 /// - The holder commitment number is monotonic and without gaps
37 /// - The revoked holder commitment number is monotonic and without gaps
38 /// - There is at least one unrevoked holder transaction at all times
39 /// - The counterparty commitment number is monotonic and without gaps
40 /// - The pre-derived keys and pre-built transaction in CommitmentTransaction were correctly built
41 ///
42 /// Eventually we will probably want to expose a variant of this which would essentially
43 /// be what you'd want to run on a hardware wallet.
44 ///
45 /// Note that counterparty signatures on the holder transaction are not checked, but it should
46 /// be in a complete implementation.
47 ///
48 /// Note that before we do so we should ensure its serialization format has backwards- and
49 /// forwards-compatibility prefix/suffixes!
50 #[derive(Clone)]
51 pub struct EnforcingSigner {
52         pub inner: InMemorySigner,
53         /// Channel state used for policy enforcement
54         pub state: Arc<Mutex<EnforcementState>>,
55         pub disable_revocation_policy_check: bool,
56 }
57
58 impl EnforcingSigner {
59         /// Construct an EnforcingSigner
60         pub fn new(inner: InMemorySigner) -> Self {
61                 let state = Arc::new(Mutex::new(EnforcementState::new()));
62                 Self {
63                         inner,
64                         state,
65                         disable_revocation_policy_check: false
66                 }
67         }
68
69         /// Construct an EnforcingSigner with externally managed storage
70         ///
71         /// Since there are multiple copies of this struct for each channel, some coordination is needed
72         /// so that all copies are aware of enforcement state.  A pointer to this state is provided
73         /// here, usually by an implementation of KeysInterface.
74         pub fn new_with_revoked(inner: InMemorySigner, state: Arc<Mutex<EnforcementState>>, disable_revocation_policy_check: bool) -> Self {
75                 Self {
76                         inner,
77                         state,
78                         disable_revocation_policy_check
79                 }
80         }
81
82         #[cfg(test)]
83         pub fn get_enforcement_state(&self) -> MutexGuard<EnforcementState> {
84                 self.state.lock().unwrap()
85         }
86 }
87
88 impl BaseSign for EnforcingSigner {
89         fn get_per_commitment_point(&self, idx: u64, secp_ctx: &Secp256k1<secp256k1::All>) -> PublicKey {
90                 self.inner.get_per_commitment_point(idx, secp_ctx)
91         }
92
93         fn release_commitment_secret(&self, idx: u64) -> [u8; 32] {
94                 {
95                         let mut state = self.state.lock().unwrap();
96                         assert!(idx == state.last_holder_revoked_commitment || idx == state.last_holder_revoked_commitment - 1, "can only revoke the current or next unrevoked commitment - trying {}, last revoked {}", idx, state.last_holder_revoked_commitment);
97                         assert!(idx > state.last_holder_commitment, "cannot revoke the last holder commitment - attempted to revoke {} last commitment {}", idx, state.last_holder_commitment);
98                         state.last_holder_revoked_commitment = idx;
99                 }
100                 self.inner.release_commitment_secret(idx)
101         }
102
103         fn validate_holder_commitment(&self, holder_tx: &HolderCommitmentTransaction) -> Result<(), ()> {
104                 let mut state = self.state.lock().unwrap();
105                 let idx = holder_tx.commitment_number();
106                 assert!(idx == state.last_holder_commitment || idx == state.last_holder_commitment - 1, "expecting to validate the current or next holder commitment - trying {}, current {}", idx, state.last_holder_commitment);
107                 state.last_holder_commitment = idx;
108                 Ok(())
109         }
110
111         fn pubkeys(&self) -> &ChannelPublicKeys { self.inner.pubkeys() }
112         fn channel_keys_id(&self) -> [u8; 32] { self.inner.channel_keys_id() }
113
114         fn sign_counterparty_commitment(&self, commitment_tx: &CommitmentTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()> {
115                 self.verify_counterparty_commitment_tx(commitment_tx, secp_ctx);
116
117                 {
118                         let mut state = self.state.lock().unwrap();
119                         let actual_commitment_number = commitment_tx.commitment_number();
120                         let last_commitment_number = state.last_counterparty_commitment;
121                         // These commitment numbers are backwards counting.  We expect either the same as the previously encountered,
122                         // or the next one.
123                         assert!(last_commitment_number == actual_commitment_number || last_commitment_number - 1 == actual_commitment_number, "{} doesn't come after {}", actual_commitment_number, last_commitment_number);
124                         // Ensure that the counterparty doesn't get more than two broadcastable commitments -
125                         // the last and the one we are trying to sign
126                         assert!(actual_commitment_number >= state.last_counterparty_revoked_commitment - 2, "cannot sign a commitment if second to last wasn't revoked - signing {} revoked {}", actual_commitment_number, state.last_counterparty_revoked_commitment);
127                         state.last_counterparty_commitment = cmp::min(last_commitment_number, actual_commitment_number)
128                 }
129
130                 Ok(self.inner.sign_counterparty_commitment(commitment_tx, secp_ctx).unwrap())
131         }
132
133         fn validate_counterparty_revocation(&self, idx: u64, _secret: &SecretKey) -> Result<(), ()> {
134                 let mut state = self.state.lock().unwrap();
135                 assert!(idx == state.last_counterparty_revoked_commitment || idx == state.last_counterparty_revoked_commitment - 1, "expecting to validate the current or next counterparty revocation - trying {}, current {}", idx, state.last_counterparty_revoked_commitment);
136                 state.last_counterparty_revoked_commitment = idx;
137                 Ok(())
138         }
139
140         fn sign_holder_commitment_and_htlcs(&self, commitment_tx: &HolderCommitmentTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()> {
141                 let trusted_tx = self.verify_holder_commitment_tx(commitment_tx, secp_ctx);
142                 let commitment_txid = trusted_tx.txid();
143                 let holder_csv = self.inner.counterparty_selected_contest_delay();
144
145                 let state = self.state.lock().unwrap();
146                 let commitment_number = trusted_tx.commitment_number();
147                 if state.last_holder_revoked_commitment - 1 != commitment_number && state.last_holder_revoked_commitment - 2 != commitment_number {
148                         if !self.disable_revocation_policy_check {
149                                 panic!("can only sign the next two unrevoked commitment numbers, revoked={} vs requested={} for {}",
150                                        state.last_holder_revoked_commitment, commitment_number, self.inner.commitment_seed[0])
151                         }
152                 }
153
154                 for (this_htlc, sig) in trusted_tx.htlcs().iter().zip(&commitment_tx.counterparty_htlc_sigs) {
155                         assert!(this_htlc.transaction_output_index.is_some());
156                         let keys = trusted_tx.keys();
157                         let htlc_tx = chan_utils::build_htlc_transaction(&commitment_txid, trusted_tx.feerate_per_kw(), holder_csv, &this_htlc, &keys.broadcaster_delayed_payment_key, &keys.revocation_key);
158
159                         let htlc_redeemscript = chan_utils::get_htlc_redeemscript(&this_htlc, &keys);
160
161                         let sighash = hash_to_message!(&bip143::SigHashCache::new(&htlc_tx).signature_hash(0, &htlc_redeemscript, this_htlc.amount_msat / 1000, SigHashType::All)[..]);
162                         secp_ctx.verify(&sighash, sig, &keys.countersignatory_htlc_key).unwrap();
163                 }
164
165                 Ok(self.inner.sign_holder_commitment_and_htlcs(commitment_tx, secp_ctx).unwrap())
166         }
167
168         #[cfg(any(test,feature = "unsafe_revoked_tx_signing"))]
169         fn unsafe_sign_holder_commitment_and_htlcs(&self, commitment_tx: &HolderCommitmentTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()> {
170                 Ok(self.inner.unsafe_sign_holder_commitment_and_htlcs(commitment_tx, secp_ctx).unwrap())
171         }
172
173         fn sign_justice_revoked_output(&self, justice_tx: &Transaction, input: usize, amount: u64, per_commitment_key: &SecretKey, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
174                 Ok(self.inner.sign_justice_revoked_output(justice_tx, input, amount, per_commitment_key, secp_ctx).unwrap())
175         }
176
177         fn sign_justice_revoked_htlc(&self, justice_tx: &Transaction, input: usize, amount: u64, per_commitment_key: &SecretKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
178                 Ok(self.inner.sign_justice_revoked_htlc(justice_tx, input, amount, per_commitment_key, htlc, secp_ctx).unwrap())
179         }
180
181         fn sign_counterparty_htlc_transaction(&self, htlc_tx: &Transaction, input: usize, amount: u64, per_commitment_point: &PublicKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
182                 Ok(self.inner.sign_counterparty_htlc_transaction(htlc_tx, input, amount, per_commitment_point, htlc, secp_ctx).unwrap())
183         }
184
185         fn sign_closing_transaction(&self, closing_tx: &ClosingTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
186                 closing_tx.verify(self.inner.funding_outpoint().into_bitcoin_outpoint())
187                         .expect("derived different closing transaction");
188                 Ok(self.inner.sign_closing_transaction(closing_tx, secp_ctx).unwrap())
189         }
190
191         fn sign_channel_announcement(&self, msg: &msgs::UnsignedChannelAnnouncement, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
192                 self.inner.sign_channel_announcement(msg, secp_ctx)
193         }
194
195         fn ready_channel(&mut self, channel_parameters: &ChannelTransactionParameters) {
196                 self.inner.ready_channel(channel_parameters)
197         }
198 }
199
200 impl Sign for EnforcingSigner {}
201
202 impl Writeable for EnforcingSigner {
203         fn write<W: Writer>(&self, writer: &mut W) -> Result<(), Error> {
204                 // EnforcingSigner has two fields - `inner` ([`InMemorySigner`]) and `state`
205                 // ([`EnforcementState`]). `inner` is serialized here and deserialized by
206                 // [`KeysInterface::read_chan_signer`]. `state` is managed by [`KeysInterface`]
207                 // and will be serialized as needed by the implementation of that trait.
208                 self.inner.write(writer)?;
209                 Ok(())
210         }
211 }
212
213 impl EnforcingSigner {
214         fn verify_counterparty_commitment_tx<'a, T: secp256k1::Signing + secp256k1::Verification>(&self, commitment_tx: &'a CommitmentTransaction, secp_ctx: &Secp256k1<T>) -> TrustedCommitmentTransaction<'a> {
215                 commitment_tx.verify(&self.inner.get_channel_parameters().as_counterparty_broadcastable(),
216                                      self.inner.counterparty_pubkeys(), self.inner.pubkeys(), secp_ctx)
217                         .expect("derived different per-tx keys or built transaction")
218         }
219
220         fn verify_holder_commitment_tx<'a, T: secp256k1::Signing + secp256k1::Verification>(&self, commitment_tx: &'a CommitmentTransaction, secp_ctx: &Secp256k1<T>) -> TrustedCommitmentTransaction<'a> {
221                 commitment_tx.verify(&self.inner.get_channel_parameters().as_holder_broadcastable(),
222                                      self.inner.pubkeys(), self.inner.counterparty_pubkeys(), secp_ctx)
223                         .expect("derived different per-tx keys or built transaction")
224         }
225 }
226
227 /// The state used by [`EnforcingSigner`] in order to enforce policy checks
228 ///
229 /// This structure is maintained by KeysInterface since we may have multiple copies of
230 /// the signer and they must coordinate their state.
231 #[derive(Clone)]
232 pub struct EnforcementState {
233         /// The last counterparty commitment number we signed, backwards counting
234         pub last_counterparty_commitment: u64,
235         /// The last counterparty commitment they revoked, backwards counting
236         pub last_counterparty_revoked_commitment: u64,
237         /// The last holder commitment number we revoked, backwards counting
238         pub last_holder_revoked_commitment: u64,
239         /// The last validated holder commitment number, backwards counting
240         pub last_holder_commitment: u64,
241 }
242
243 impl EnforcementState {
244         /// Enforcement state for a new channel
245         pub fn new() -> Self {
246                 EnforcementState {
247                         last_counterparty_commitment: INITIAL_REVOKED_COMMITMENT_NUMBER,
248                         last_counterparty_revoked_commitment: INITIAL_REVOKED_COMMITMENT_NUMBER,
249                         last_holder_revoked_commitment: INITIAL_REVOKED_COMMITMENT_NUMBER,
250                         last_holder_commitment: INITIAL_REVOKED_COMMITMENT_NUMBER,
251                 }
252         }
253 }