+ /// Creates a Transaction which spends the given descriptors to the given outputs, plus an
+ /// output to the given change destination (if sufficient change value remains). The
+ /// transaction will have a feerate, at least, of the given value.
+ ///
+ /// Returns `Err(())` if the output value is greater than the input value minus required fee,
+ /// if a descriptor was duplicated, or if an output descriptor `script_pubkey`
+ /// does not match the one we can spend.
+ ///
+ /// We do not enforce that outputs meet the dust limit or that any output scripts are standard.
+ ///
+ /// May panic if the `SpendableOutputDescriptor`s were not generated by Channels which used
+ /// this KeysManager or one of the `InMemorySigner` created by this KeysManager.
+ pub fn spend_spendable_outputs<C: Signing>(&self, descriptors: &[&SpendableOutputDescriptor], outputs: Vec<TxOut>, change_destination_script: Script, feerate_sat_per_1000_weight: u32, secp_ctx: &Secp256k1<C>) -> Result<Transaction, ()> {
+ let mut input = Vec::new();
+ let mut input_value = 0;
+ let mut witness_weight = 0;
+ let mut output_set = HashSet::with_capacity(descriptors.len());
+ for outp in descriptors {
+ match outp {
+ SpendableOutputDescriptor::StaticPaymentOutput(descriptor) => {
+ input.push(TxIn {
+ previous_output: descriptor.outpoint.into_bitcoin_outpoint(),
+ script_sig: Script::new(),
+ sequence: 0,
+ witness: Witness::new(),
+ });
+ witness_weight += StaticPaymentOutputDescriptor::MAX_WITNESS_LENGTH;
+ input_value += descriptor.output.value;
+ if !output_set.insert(descriptor.outpoint) { return Err(()); }
+ },
+ SpendableOutputDescriptor::DelayedPaymentOutput(descriptor) => {
+ input.push(TxIn {
+ previous_output: descriptor.outpoint.into_bitcoin_outpoint(),
+ script_sig: Script::new(),
+ sequence: descriptor.to_self_delay as u32,
+ witness: Witness::new(),
+ });
+ witness_weight += DelayedPaymentOutputDescriptor::MAX_WITNESS_LENGTH;
+ input_value += descriptor.output.value;
+ if !output_set.insert(descriptor.outpoint) { return Err(()); }
+ },
+ SpendableOutputDescriptor::StaticOutput { ref outpoint, ref output } => {
+ input.push(TxIn {
+ previous_output: outpoint.into_bitcoin_outpoint(),
+ script_sig: Script::new(),
+ sequence: 0,
+ witness: Witness::new(),
+ });
+ witness_weight += 1 + 73 + 34;
+ input_value += output.value;
+ if !output_set.insert(*outpoint) { return Err(()); }
+ }
+ }
+ if input_value > MAX_VALUE_MSAT / 1000 { return Err(()); }
+ }
+ let mut spend_tx = Transaction {
+ version: 2,
+ lock_time: 0,
+ input,
+ output: outputs,
+ };
+ let expected_max_weight =
+ transaction_utils::maybe_add_change_output(&mut spend_tx, input_value, witness_weight, feerate_sat_per_1000_weight, change_destination_script)?;
+
+ let mut keys_cache: Option<(InMemorySigner, [u8; 32])> = None;
+ let mut input_idx = 0;
+ for outp in descriptors {
+ match outp {
+ SpendableOutputDescriptor::StaticPaymentOutput(descriptor) => {
+ if keys_cache.is_none() || keys_cache.as_ref().unwrap().1 != descriptor.channel_keys_id {
+ keys_cache = Some((
+ self.derive_channel_keys(descriptor.channel_value_satoshis, &descriptor.channel_keys_id),
+ descriptor.channel_keys_id));
+ }
+ spend_tx.input[input_idx].witness = Witness::from_vec(keys_cache.as_ref().unwrap().0.sign_counterparty_payment_input(&spend_tx, input_idx, &descriptor, &secp_ctx)?);
+ },
+ SpendableOutputDescriptor::DelayedPaymentOutput(descriptor) => {
+ if keys_cache.is_none() || keys_cache.as_ref().unwrap().1 != descriptor.channel_keys_id {
+ keys_cache = Some((
+ self.derive_channel_keys(descriptor.channel_value_satoshis, &descriptor.channel_keys_id),
+ descriptor.channel_keys_id));
+ }
+ spend_tx.input[input_idx].witness = Witness::from_vec(keys_cache.as_ref().unwrap().0.sign_dynamic_p2wsh_input(&spend_tx, input_idx, &descriptor, &secp_ctx)?);
+ },
+ SpendableOutputDescriptor::StaticOutput { ref output, .. } => {
+ let derivation_idx = if output.script_pubkey == self.destination_script {
+ 1
+ } else {
+ 2
+ };
+ let secret = {
+ // Note that when we aren't serializing the key, network doesn't matter
+ match ExtendedPrivKey::new_master(Network::Testnet, &self.seed) {
+ Ok(master_key) => {
+ match master_key.ckd_priv(&secp_ctx, ChildNumber::from_hardened_idx(derivation_idx).expect("key space exhausted")) {
+ Ok(key) => key,
+ Err(_) => panic!("Your RNG is busted"),
+ }
+ }
+ Err(_) => panic!("Your rng is busted"),
+ }
+ };
+ let pubkey = ExtendedPubKey::from_priv(&secp_ctx, &secret).to_pub();
+ if derivation_idx == 2 {
+ assert_eq!(pubkey.inner, self.shutdown_pubkey);
+ }
+ let witness_script = bitcoin::Address::p2pkh(&pubkey, Network::Testnet).script_pubkey();
+ let payment_script = bitcoin::Address::p2wpkh(&pubkey, Network::Testnet).expect("uncompressed key found").script_pubkey();
+
+ if payment_script != output.script_pubkey { return Err(()); };
+
+ let sighash = hash_to_message!(&sighash::SighashCache::new(&spend_tx).segwit_signature_hash(input_idx, &witness_script, output.value, EcdsaSighashType::All).unwrap()[..]);
+ let sig = sign(secp_ctx, &sighash, &secret.private_key);
+ let mut sig_ser = sig.serialize_der().to_vec();
+ sig_ser.push(EcdsaSighashType::All as u8);
+ spend_tx.input[input_idx].witness.push(sig_ser);
+ spend_tx.input[input_idx].witness.push(pubkey.inner.serialize().to_vec());
+ },
+ }
+ input_idx += 1;
+ }
+
+ debug_assert!(expected_max_weight >= spend_tx.weight());
+ // Note that witnesses with a signature vary somewhat in size, so allow
+ // `expected_max_weight` to overshoot by up to 3 bytes per input.
+ debug_assert!(expected_max_weight <= spend_tx.weight() + descriptors.len() * 3);
+
+ Ok(spend_tx)
+ }
+}
+
+impl KeysInterface for KeysManager {
+ type Signer = InMemorySigner;
+
+ fn get_node_secret(&self, recipient: Recipient) -> Result<SecretKey, ()> {
+ match recipient {
+ Recipient::Node => Ok(self.node_secret.clone()),
+ Recipient::PhantomNode => Err(())
+ }
+ }
+
+ fn get_inbound_payment_key_material(&self) -> KeyMaterial {
+ self.inbound_payment_key.clone()
+ }
+
+ fn get_destination_script(&self) -> Script {
+ self.destination_script.clone()
+ }
+
+ fn get_shutdown_scriptpubkey(&self) -> ShutdownScript {
+ ShutdownScript::new_p2wpkh_from_pubkey(self.shutdown_pubkey.clone())
+ }
+
+ fn get_channel_signer(&self, _inbound: bool, channel_value_satoshis: u64) -> Self::Signer {
+ let child_ix = self.channel_child_index.fetch_add(1, Ordering::AcqRel);
+ assert!(child_ix <= core::u32::MAX as usize);
+ let mut id = [0; 32];
+ id[0..8].copy_from_slice(&byte_utils::be64_to_array(child_ix as u64));
+ id[8..16].copy_from_slice(&byte_utils::be64_to_array(self.starting_time_nanos as u64));
+ id[16..24].copy_from_slice(&byte_utils::be64_to_array(self.starting_time_secs));
+ self.derive_channel_keys(channel_value_satoshis, &id)
+ }
+
+ fn get_secure_random_bytes(&self) -> [u8; 32] {
+ let mut sha = self.rand_bytes_unique_start.clone();
+
+ let child_ix = self.rand_bytes_child_index.fetch_add(1, Ordering::AcqRel);
+ let child_privkey = self.rand_bytes_master_key.ckd_priv(&self.secp_ctx, ChildNumber::from_hardened_idx(child_ix as u32).expect("key space exhausted")).expect("Your RNG is busted");
+ sha.input(&child_privkey.private_key[..]);
+
+ sha.input(b"Unique Secure Random Bytes Salt");
+ Sha256::from_engine(sha).into_inner()
+ }
+
+ fn read_chan_signer(&self, reader: &[u8]) -> Result<Self::Signer, DecodeError> {
+ InMemorySigner::read(&mut io::Cursor::new(reader), self.node_secret.clone())
+ }
+
+ fn sign_invoice(&self, hrp_bytes: &[u8], invoice_data: &[u5], recipient: Recipient) -> Result<RecoverableSignature, ()> {
+ let preimage = construct_invoice_preimage(&hrp_bytes, &invoice_data);
+ let secret = match recipient {
+ Recipient::Node => self.get_node_secret(Recipient::Node)?,
+ Recipient::PhantomNode => return Err(()),
+ };
+ Ok(self.secp_ctx.sign_ecdsa_recoverable(&hash_to_message!(&Sha256::hash(&preimage)), &secret))
+ }
+}
+
+/// Similar to [`KeysManager`], but allows the node using this struct to receive phantom node
+/// payments.
+///
+/// A phantom node payment is a payment made to a phantom invoice, which is an invoice that can be
+/// paid to one of multiple nodes. This works because we encode the invoice route hints such that
+/// LDK will recognize an incoming payment as destined for a phantom node, and collect the payment
+/// itself without ever needing to forward to this fake node.
+///
+/// Phantom node payments are useful for load balancing between multiple LDK nodes. They also
+/// provide some fault tolerance, because payers will automatically retry paying other provided
+/// nodes in the case that one node goes down.
+///
+/// Note that multi-path payments are not supported in phantom invoices for security reasons.
+// In the hypothetical case that we did support MPP phantom payments, there would be no way for
+// nodes to know when the full payment has been received (and the preimage can be released) without
+// significantly compromising on our safety guarantees. I.e., if we expose the ability for the user
+// to tell LDK when the preimage can be released, we open ourselves to attacks where the preimage
+// is released too early.
+//
+/// Switching between this struct and [`KeysManager`] will invalidate any previously issued
+/// invoices and attempts to pay previous invoices will fail.
+pub struct PhantomKeysManager {
+ inner: KeysManager,
+ inbound_payment_key: KeyMaterial,
+ phantom_secret: SecretKey,
+}
+
+impl KeysInterface for PhantomKeysManager {
+ type Signer = InMemorySigner;
+
+ fn get_node_secret(&self, recipient: Recipient) -> Result<SecretKey, ()> {
+ match recipient {
+ Recipient::Node => self.inner.get_node_secret(Recipient::Node),
+ Recipient::PhantomNode => Ok(self.phantom_secret.clone()),
+ }
+ }
+
+ fn get_inbound_payment_key_material(&self) -> KeyMaterial {
+ self.inbound_payment_key.clone()
+ }