]> git.bitcoin.ninja Git - rust-lightning/blob - src/chain/keysinterface.rs
Merge pull request #259 from TheBlueMatt/2018-11-256-redux
[rust-lightning] / src / chain / keysinterface.rs
1 //! keysinterface provides keys into rust-lightning and defines some useful enums which describe
2 //! spendable on-chain outputs which the user owns and is responsible for using just as any other
3 //! on-chain output which is theirs.
4
5 use bitcoin::blockdata::transaction::{OutPoint, TxOut};
6 use bitcoin::blockdata::script::{Script, Builder};
7 use bitcoin::blockdata::opcodes;
8 use bitcoin::network::constants::Network;
9 use bitcoin::util::hash::Hash160;
10 use bitcoin::util::bip32::{ExtendedPrivKey, ExtendedPubKey, ChildNumber};
11
12 use secp256k1::key::{SecretKey, PublicKey};
13 use secp256k1::Secp256k1;
14 use secp256k1;
15
16 use crypto::hkdf::{hkdf_extract,hkdf_expand};
17 use crypto::digest::Digest;
18
19 use util::sha2::Sha256;
20 use util::logger::Logger;
21 use util::rng;
22 use util::byte_utils;
23
24 use std::time::{SystemTime, UNIX_EPOCH};
25 use std::sync::Arc;
26 use std::sync::atomic::{AtomicUsize, Ordering};
27
28 /// When on-chain outputs are created by rust-lightning an event is generated which informs the
29 /// user thereof. This enum describes the format of the output and provides the OutPoint.
30 pub enum SpendableOutputDescriptor {
31         /// Outpoint with an output to a script which was provided via KeysInterface, thus you should
32         /// have stored somewhere how to spend script_pubkey!
33         /// Outputs from a justice tx, claim tx or preimage tx
34         StaticOutput {
35                 /// The outpoint spendable by user wallet
36                 outpoint: OutPoint,
37                 /// The output which is referenced by the given outpoint
38                 output: TxOut,
39         },
40         /// Outpoint commits to a P2WSH
41         /// P2WSH should be spend by the following witness :
42         /// <local_delayedsig> 0 <witnessScript>
43         /// With input nSequence set to_self_delay.
44         /// Outputs from a HTLC-Success/Timeout tx/commitment tx
45         DynamicOutputP2WSH {
46                 /// Outpoint spendable by user wallet
47                 outpoint: OutPoint,
48                 /// local_delayedkey = delayed_payment_basepoint_secret + SHA256(per_commitment_point || delayed_payment_basepoint) OR
49                 key: SecretKey,
50                 /// witness redeemScript encumbering output.
51                 witness_script: Script,
52                 /// nSequence input must commit to self_delay to satisfy script's OP_CSV
53                 to_self_delay: u16,
54                 /// The output which is referenced by the given outpoint
55                 output: TxOut,
56         },
57         /// Outpoint commits to a P2WPKH
58         /// P2WPKH should be spend by the following witness :
59         /// <local_sig> <local_pubkey>
60         /// Outputs to_remote from a commitment tx
61         DynamicOutputP2WPKH {
62                 /// Outpoint spendable by user wallet
63                 outpoint: OutPoint,
64                 /// localkey = payment_basepoint_secret + SHA256(per_commitment_point || payment_basepoint
65                 key: SecretKey,
66                 /// The output which is reference by the given outpoint
67                 output: TxOut,
68         }
69 }
70
71 /// A trait to describe an object which can get user secrets and key material.
72 pub trait KeysInterface: Send + Sync {
73         /// Get node secret key (aka node_id or network_key)
74         fn get_node_secret(&self) -> SecretKey;
75         /// Get destination redeemScript to encumber static protocol exit points.
76         fn get_destination_script(&self) -> Script;
77         /// Get shutdown_pubkey to use as PublicKey at channel closure
78         fn get_shutdown_pubkey(&self) -> PublicKey;
79         /// Get a new set of ChannelKeys for per-channel secrets. These MUST be unique even if you
80         /// restarted with some stale data!
81         fn get_channel_keys(&self, inbound: bool) -> ChannelKeys;
82 }
83
84 /// Set of lightning keys needed to operate a channel as described in BOLT 3
85 #[derive(Clone)]
86 pub struct ChannelKeys {
87         /// Private key of anchor tx
88         pub funding_key: SecretKey,
89         /// Local secret key for blinded revocation pubkey
90         pub revocation_base_key: SecretKey,
91         /// Local secret key used in commitment tx htlc outputs
92         pub payment_base_key: SecretKey,
93         /// Local secret key used in HTLC tx
94         pub delayed_payment_base_key: SecretKey,
95         /// Local htlc secret key used in commitment tx htlc outputs
96         pub htlc_base_key: SecretKey,
97         /// Commitment seed
98         pub commitment_seed: [u8; 32],
99 }
100
101 impl_writeable!(ChannelKeys, 0, {
102         funding_key,
103         revocation_base_key,
104         payment_base_key,
105         delayed_payment_base_key,
106         htlc_base_key,
107         commitment_seed
108 });
109
110 impl ChannelKeys {
111         /// Generate a set of lightning keys needed to operate a channel by HKDF-expanding a given
112         /// random 32-byte seed
113         pub fn new_from_seed(seed: &[u8; 32]) -> ChannelKeys {
114                 let mut prk = [0; 32];
115                 hkdf_extract(Sha256::new(), b"rust-lightning key gen salt", seed, &mut prk);
116                 let secp_ctx = Secp256k1::without_caps();
117
118                 let mut okm = [0; 32];
119                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning funding key info", &mut okm);
120                 let funding_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken");
121
122                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning revocation base key info", &mut okm);
123                 let revocation_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken");
124
125                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning payment base key info", &mut okm);
126                 let payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken");
127
128                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning delayed payment base key info", &mut okm);
129                 let delayed_payment_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken");
130
131                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning htlc base key info", &mut okm);
132                 let htlc_base_key = SecretKey::from_slice(&secp_ctx, &okm).expect("Sha256 is broken");
133
134                 hkdf_expand(Sha256::new(), &prk, b"rust-lightning local commitment seed info", &mut okm);
135
136                 ChannelKeys {
137                         funding_key: funding_key,
138                         revocation_base_key: revocation_base_key,
139                         payment_base_key: payment_base_key,
140                         delayed_payment_base_key: delayed_payment_base_key,
141                         htlc_base_key: htlc_base_key,
142                         commitment_seed: okm
143                 }
144         }
145 }
146
147 /// Simple KeysInterface implementor that takes a 32-byte seed for use as a BIP 32 extended key
148 /// and derives keys from that.
149 ///
150 /// Your node_id is seed/0'
151 /// ChannelMonitor closes may use seed/1'
152 /// Cooperative closes may use seed/2'
153 /// The two close keys may be needed to claim on-chain funds!
154 pub struct KeysManager {
155         secp_ctx: Secp256k1<secp256k1::All>,
156         node_secret: SecretKey,
157         destination_script: Script,
158         shutdown_pubkey: PublicKey,
159         channel_master_key: ExtendedPrivKey,
160         channel_child_index: AtomicUsize,
161
162         logger: Arc<Logger>,
163 }
164
165 impl KeysManager {
166         /// Constructs a KeysManager from a 32-byte seed. If the seed is in some way biased (eg your
167         /// RNG is busted) this may panic.
168         pub fn new(seed: &[u8; 32], network: Network, logger: Arc<Logger>) -> KeysManager {
169                 let secp_ctx = Secp256k1::new();
170                 match ExtendedPrivKey::new_master(&secp_ctx, network.clone(), seed) {
171                         Ok(master_key) => {
172                                 let node_secret = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(0)).expect("Your RNG is busted").secret_key;
173                                 let destination_script = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(1)) {
174                                         Ok(destination_key) => {
175                                                 let pubkey_hash160 = Hash160::from_data(&ExtendedPubKey::from_private(&secp_ctx, &destination_key).public_key.serialize()[..]);
176                                                 Builder::new().push_opcode(opcodes::All::OP_PUSHBYTES_0)
177                                                               .push_slice(pubkey_hash160.as_bytes())
178                                                               .into_script()
179                                         },
180                                         Err(_) => panic!("Your RNG is busted"),
181                                 };
182                                 let shutdown_pubkey = match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(2)) {
183                                         Ok(shutdown_key) => ExtendedPubKey::from_private(&secp_ctx, &shutdown_key).public_key,
184                                         Err(_) => panic!("Your RNG is busted"),
185                                 };
186                                 let channel_master_key = master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(3)).expect("Your RNG is busted");
187                                 KeysManager {
188                                         secp_ctx,
189                                         node_secret,
190                                         destination_script,
191                                         shutdown_pubkey,
192                                         channel_master_key,
193                                         channel_child_index: AtomicUsize::new(0),
194
195                                         logger,
196                                 }
197                         },
198                         Err(_) => panic!("Your rng is busted"),
199                 }
200         }
201 }
202
203 impl KeysInterface for KeysManager {
204         fn get_node_secret(&self) -> SecretKey {
205                 self.node_secret.clone()
206         }
207
208         fn get_destination_script(&self) -> Script {
209                 self.destination_script.clone()
210         }
211
212         fn get_shutdown_pubkey(&self) -> PublicKey {
213                 self.shutdown_pubkey.clone()
214         }
215
216         fn get_channel_keys(&self, _inbound: bool) -> ChannelKeys {
217                 // We only seriously intend to rely on the channel_master_key for true secure
218                 // entropy, everything else just ensures uniqueness. We generally don't expect
219                 // all clients to have non-broken RNGs here, so we also include the current
220                 // time as a fallback to get uniqueness.
221                 let mut sha = Sha256::new();
222
223                 let mut seed = [0u8; 32];
224                 rng::fill_bytes(&mut seed[..]);
225                 sha.input(&seed);
226
227                 let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("Time went backwards");
228                 sha.input(&byte_utils::be32_to_array(now.subsec_nanos()));
229                 sha.input(&byte_utils::be64_to_array(now.as_secs()));
230
231                 let child_ix = self.channel_child_index.fetch_add(1, Ordering::AcqRel);
232                 let child_privkey = self.channel_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32)).expect("Your RNG is busted");
233                 sha.input(&child_privkey.secret_key[..]);
234
235                 sha.result(&mut seed);
236                 ChannelKeys::new_from_seed(&seed)
237         }
238 }