+ /// Policy checks should be implemented in this function, including checking the amount
+ /// sent to us and checking the HTLCs.
+ ///
+ /// The preimages of outgoing HTLCs that were fulfilled since the last commitment are provided.
+ /// A validating signer should ensure that an HTLC output is removed only when the matching
+ /// preimage is provided, or when the value to holder is restored.
+ ///
+ /// NOTE: all the relevant preimages will be provided, but there may also be additional
+ /// irrelevant or duplicate preimages.
+ //
+ // TODO: Document the things someone using this interface should enforce before signing.
+ fn sign_counterparty_commitment(&self, commitment_tx: &CommitmentTransaction, preimages: Vec<PaymentPreimage>, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()>;
+ /// Validate the counterparty's revocation.
+ ///
+ /// This is required in order for the signer to make sure that the state has moved
+ /// forward and it is safe to sign the next counterparty commitment.
+ fn validate_counterparty_revocation(&self, idx: u64, secret: &SecretKey) -> Result<(), ()>;
+
+ /// Create a signatures for a holder's commitment transaction and its claiming HTLC transactions.
+ /// This will only ever be called with a non-revoked commitment_tx. This will be called with the
+ /// latest commitment_tx when we initiate a force-close.
+ /// This will be called with the previous latest, just to get claiming HTLC signatures, if we are
+ /// reacting to a ChannelMonitor replica that decided to broadcast before it had been updated to
+ /// the latest.
+ /// This may be called multiple times for the same transaction.
+ ///
+ /// An external signer implementation should check that the commitment has not been revoked.
+ ///
+ /// May return Err if key derivation fails. Callers, such as ChannelMonitor, will panic in such a case.
+ //
+ // TODO: Document the things someone using this interface should enforce before signing.
+ // TODO: Key derivation failure should panic rather than Err
+ fn sign_holder_commitment_and_htlcs(&self, commitment_tx: &HolderCommitmentTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()>;
+
+ /// Same as sign_holder_commitment, but exists only for tests to get access to holder commitment
+ /// transactions which will be broadcasted later, after the channel has moved on to a newer
+ /// state. Thus, needs its own method as sign_holder_commitment may enforce that we only ever
+ /// get called once.
+ #[cfg(any(test,feature = "unsafe_revoked_tx_signing"))]
+ fn unsafe_sign_holder_commitment_and_htlcs(&self, commitment_tx: &HolderCommitmentTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<(Signature, Vec<Signature>), ()>;
+
+ /// Create a signature for the given input in a transaction spending an HTLC transaction output
+ /// or a commitment transaction `to_local` output when our counterparty broadcasts an old state.
+ ///
+ /// A justice transaction may claim multiple outputs at the same time if timelocks are
+ /// similar, but only a signature for the input at index `input` should be signed for here.
+ /// It may be called multiple times for same output(s) if a fee-bump is needed with regards
+ /// to an upcoming timelock expiration.
+ ///
+ /// Amount is value of the output spent by this input, committed to in the BIP 143 signature.
+ ///
+ /// per_commitment_key is revocation secret which was provided by our counterparty when they
+ /// revoked the state which they eventually broadcast. It's not a _holder_ secret key and does
+ /// not allow the spending of any funds by itself (you need our holder revocation_secret to do
+ /// so).
+ fn sign_justice_revoked_output(&self, justice_tx: &Transaction, input: usize, amount: u64, per_commitment_key: &SecretKey, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()>;
+
+ /// Create a signature for the given input in a transaction spending a commitment transaction
+ /// HTLC output when our counterparty broadcasts an old state.
+ ///
+ /// A justice transaction may claim multiple outputs at the same time if timelocks are
+ /// similar, but only a signature for the input at index `input` should be signed for here.
+ /// It may be called multiple times for same output(s) if a fee-bump is needed with regards
+ /// to an upcoming timelock expiration.
+ ///
+ /// Amount is value of the output spent by this input, committed to in the BIP 143 signature.
+ ///
+ /// per_commitment_key is revocation secret which was provided by our counterparty when they
+ /// revoked the state which they eventually broadcast. It's not a _holder_ secret key and does
+ /// not allow the spending of any funds by itself (you need our holder revocation_secret to do
+ /// so).
+ ///
+ /// htlc holds HTLC elements (hash, timelock), thus changing the format of the witness script
+ /// (which is committed to in the BIP 143 signatures).
+ fn sign_justice_revoked_htlc(&self, justice_tx: &Transaction, input: usize, amount: u64, per_commitment_key: &SecretKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()>;
+
+ /// Create a signature for a claiming transaction for a HTLC output on a counterparty's commitment
+ /// transaction, either offered or received.
+ ///
+ /// Such a transaction may claim multiples offered outputs at same time if we know the
+ /// preimage for each when we create it, but only the input at index `input` should be
+ /// signed for here. It may be called multiple times for same output(s) if a fee-bump is
+ /// needed with regards to an upcoming timelock expiration.
+ ///
+ /// Witness_script is either a offered or received script as defined in BOLT3 for HTLC
+ /// outputs.
+ ///
+ /// Amount is value of the output spent by this input, committed to in the BIP 143 signature.
+ ///
+ /// Per_commitment_point is the dynamic point corresponding to the channel state
+ /// detected onchain. It has been generated by our counterparty and is used to derive
+ /// channel state keys, which are then included in the witness script and committed to in the
+ /// BIP 143 signature.
+ fn sign_counterparty_htlc_transaction(&self, htlc_tx: &Transaction, input: usize, amount: u64, per_commitment_point: &PublicKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()>;
+
+ /// Create a signature for a (proposed) closing transaction.
+ ///
+ /// Note that, due to rounding, there may be one "missing" satoshi, and either party may have
+ /// chosen to forgo their output as dust.
+ fn sign_closing_transaction(&self, closing_tx: &ClosingTransaction, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()>;
+
+ /// Signs a channel announcement message with our funding key and our node secret key (aka
+ /// node_id or network_key), proving it comes from one of the channel participants.
+ ///
+ /// The first returned signature should be from our node secret key, the second from our
+ /// funding key.
+ ///
+ /// Note that if this fails or is rejected, the channel will not be publicly announced and
+ /// our counterparty may (though likely will not) close the channel on us for violating the
+ /// protocol.
+ fn sign_channel_announcement(&self, msg: &UnsignedChannelAnnouncement, secp_ctx: &Secp256k1<secp256k1::All>)
+ -> Result<(Signature, Signature), ()>;
+
+ /// Set the counterparty static channel data, including basepoints,
+ /// counterparty_selected/holder_selected_contest_delay and funding outpoint.
+ /// This is done as soon as the funding outpoint is known. Since these are static channel data,
+ /// they MUST NOT be allowed to change to different values once set.
+ ///
+ /// channel_parameters.is_populated() MUST be true.
+ ///
+ /// We bind holder_selected_contest_delay late here for API convenience.
+ ///
+ /// Will be called before any signatures are applied.
+ fn ready_channel(&mut self, channel_parameters: &ChannelTransactionParameters);
+}
+
+/// A cloneable signer.
+///
+/// Although we require signers to be cloneable, it may be useful for developers to be able to use
+/// signers in an un-sized way, for example as `dyn BaseSign`. Therefore we separate the Clone trait,
+/// which implies Sized, into this derived trait.
+pub trait Sign: BaseSign + Writeable + Clone {
+}
+
+/// Specifies the recipient of an invoice, to indicate to [`KeysInterface::sign_invoice`] what node
+/// secret key should be used to sign the invoice.
+pub enum Recipient {
+ /// The invoice should be signed with the local node secret key.
+ Node,
+ /// The invoice should be signed with the phantom node secret key. This secret key must be the
+ /// same for all nodes participating in the [phantom node payment].
+ ///
+ /// [phantom node payment]: PhantomKeysManager
+ PhantomNode,
+}
+
+/// A trait to describe an object which can get user secrets and key material.
+pub trait KeysInterface {
+ /// A type which implements Sign which will be returned by get_channel_signer.
+ type Signer : Sign;
+
+ /// Get node secret key (aka node_id or network_key) based on the provided [`Recipient`].
+ ///
+ /// This method must return the same value each time it is called with a given `Recipient`
+ /// parameter.
+ fn get_node_secret(&self, recipient: Recipient) -> Result<SecretKey, ()>;
+ /// Get a script pubkey which we send funds to when claiming on-chain contestable outputs.
+ ///
+ /// This method should return a different value each time it is called, to avoid linking
+ /// on-chain funds across channels as controlled to the same user.
+ fn get_destination_script(&self) -> Script;
+ /// Get a script pubkey which we will send funds to when closing a channel.
+ ///
+ /// This method should return a different value each time it is called, to avoid linking
+ /// on-chain funds across channels as controlled to the same user.
+ fn get_shutdown_scriptpubkey(&self) -> ShutdownScript;
+ /// Get a new set of Sign for per-channel secrets. These MUST be unique even if you
+ /// restarted with some stale data!
+ ///
+ /// This method must return a different value each time it is called.
+ fn get_channel_signer(&self, inbound: bool, channel_value_satoshis: u64) -> Self::Signer;
+ /// Gets a unique, cryptographically-secure, random 32 byte value. This is used for encrypting
+ /// onion packets and for temporary channel IDs. There is no requirement that these be
+ /// persisted anywhere, though they must be unique across restarts.
+ ///
+ /// This method must return a different value each time it is called.
+ fn get_secure_random_bytes(&self) -> [u8; 32];
+
+ /// Reads a `Signer` for this `KeysInterface` from the given input stream.
+ /// This is only called during deserialization of other objects which contain
+ /// `Sign`-implementing objects (ie `ChannelMonitor`s and `ChannelManager`s).
+ /// The bytes are exactly those which `<Self::Signer as Writeable>::write()` writes, and
+ /// contain no versioning scheme. You may wish to include your own version prefix and ensure
+ /// you've read all of the provided bytes to ensure no corruption occurred.
+ fn read_chan_signer(&self, reader: &[u8]) -> Result<Self::Signer, DecodeError>;
+
+ /// Sign an invoice.
+ /// By parameterizing by the raw invoice bytes instead of the hash, we allow implementors of
+ /// this trait to parse the invoice and make sure they're signing what they expect, rather than
+ /// blindly signing the hash.
+ /// The hrp is ascii bytes, while the invoice data is base32.
+ ///
+ /// The secret key used to sign the invoice is dependent on the [`Recipient`].
+ fn sign_invoice(&self, hrp_bytes: &[u8], invoice_data: &[u5], receipient: Recipient) -> Result<RecoverableSignature, ()>;
+
+ /// Get secret key material as bytes for use in encrypting and decrypting inbound payment data.
+ ///
+ /// If the implementor of this trait supports [phantom node payments], then every node that is
+ /// intended to be included in the phantom invoice route hints must return the same value from
+ /// this method.
+ // This is because LDK avoids storing inbound payment data by encrypting payment data in the
+ // payment hash and/or payment secret, therefore for a payment to be receivable by multiple
+ // nodes, they must share the key that encrypts this payment data.
+ ///
+ /// This method must return the same value each time it is called.
+ ///
+ /// [phantom node payments]: PhantomKeysManager
+ fn get_inbound_payment_key_material(&self) -> KeyMaterial;