use bitcoin::hashes::sha256d::Hash as Sha256dHash;
use bitcoin::hash_types::WPubkeyHash;
-use bitcoin::secp256k1::{SecretKey, PublicKey, Scalar};
-use bitcoin::secp256k1::{Secp256k1, ecdsa::Signature, Signing};
+use bitcoin::secp256k1::{KeyPair, PublicKey, Scalar, Secp256k1, SecretKey, Signing};
use bitcoin::secp256k1::ecdh::SharedSecret;
-use bitcoin::secp256k1::ecdsa::RecoverableSignature;
+use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
+use bitcoin::secp256k1::schnorr;
use bitcoin::{PackedLockTime, secp256k1, Sequence, Witness};
use crate::util::transaction_utils;
use crate::ln::chan_utils::{HTLCOutputInCommitment, make_funding_redeemscript, ChannelPublicKeys, HolderCommitmentTransaction, ChannelTransactionParameters, CommitmentTransaction, ClosingTransaction};
use crate::ln::msgs::{UnsignedChannelAnnouncement, UnsignedGossipMessage};
use crate::ln::script::ShutdownScript;
+use crate::offers::invoice::UnsignedBolt12Invoice;
+use crate::offers::invoice_request::UnsignedInvoiceRequest;
use crate::prelude::*;
use core::convert::TryInto;
use crate::util::chacha20::ChaCha20;
use crate::util::invoice::construct_invoice_preimage;
+pub(crate) mod type_resolver;
+
/// Used as initial key material, to be expanded into multiple secret keys (but not to be used
/// directly). This is used within LDK to encrypt/decrypt inbound payment data.
///
/// Information about a spendable output to a P2WSH script.
///
/// See [`SpendableOutputDescriptor::DelayedPaymentOutput`] for more details on how to spend this.
-#[derive(Clone, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct DelayedPaymentOutputDescriptor {
/// The outpoint which is spendable.
pub outpoint: OutPoint,
(12, channel_value_satoshis, required),
});
+pub(crate) const P2WPKH_WITNESS_WEIGHT: u64 = 1 /* num stack items */ +
+ 1 /* sig length */ +
+ 73 /* sig including sighash flag */ +
+ 1 /* pubkey length */ +
+ 33 /* pubkey */;
+
/// Information about a spendable output to our "payment key".
///
/// See [`SpendableOutputDescriptor::StaticPaymentOutput`] for more details on how to spend this.
-#[derive(Clone, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct StaticPaymentOutputDescriptor {
/// The outpoint which is spendable.
pub outpoint: OutPoint,
pub channel_keys_id: [u8; 32],
/// The value of the channel which this transactions spends.
pub channel_value_satoshis: u64,
+ /// The necessary channel parameters that need to be provided to the re-derived signer through
+ /// [`ChannelSigner::provide_channel_parameters`].
+ ///
+ /// Added as optional, but always `Some` if the descriptor was produced in v0.0.117 or later.
+ pub channel_transaction_parameters: Option<ChannelTransactionParameters>,
}
impl StaticPaymentOutputDescriptor {
+ /// Returns the `witness_script` of the spendable output.
+ ///
+ /// Note that this will only return `Some` for [`StaticPaymentOutputDescriptor`]s that
+ /// originated from an anchor outputs channel, as they take the form of a P2WSH script.
+ pub fn witness_script(&self) -> Option<Script> {
+ self.channel_transaction_parameters.as_ref()
+ .and_then(|channel_params|
+ if channel_params.channel_type_features.supports_anchors_zero_fee_htlc_tx() {
+ let payment_point = channel_params.holder_pubkeys.payment_point;
+ Some(chan_utils::get_to_countersignatory_with_anchors_redeemscript(&payment_point))
+ } else {
+ None
+ }
+ )
+ }
+
/// The maximum length a well-formed witness spending one of these should have.
/// Note: If you have the grind_signatures feature enabled, this will be at least 1 byte
/// shorter.
- // Calculated as 1 byte legnth + 73 byte signature, 1 byte empty vec push, 1 byte length plus
- // redeemscript push length.
- pub const MAX_WITNESS_LENGTH: usize = 1 + 73 + 34;
+ pub fn max_witness_length(&self) -> usize {
+ if self.channel_transaction_parameters.as_ref()
+ .map(|channel_params| channel_params.channel_type_features.supports_anchors_zero_fee_htlc_tx())
+ .unwrap_or(false)
+ {
+ let witness_script_weight = 1 /* pubkey push */ + 33 /* pubkey */ +
+ 1 /* OP_CHECKSIGVERIFY */ + 1 /* OP_1 */ + 1 /* OP_CHECKSEQUENCEVERIFY */;
+ 1 /* num witness items */ + 1 /* sig push */ + 73 /* sig including sighash flag */ +
+ 1 /* witness script push */ + witness_script_weight
+ } else {
+ P2WPKH_WITNESS_WEIGHT as usize
+ }
+ }
}
impl_writeable_tlv_based!(StaticPaymentOutputDescriptor, {
(0, outpoint, required),
(2, output, required),
(4, channel_keys_id, required),
(6, channel_value_satoshis, required),
+ (7, channel_transaction_parameters, option),
});
/// Describes the necessary information to spend a spendable output.
/// at that `txid`/`index`, and any keys or other information required to sign.
///
/// [`SpendableOutputs`]: crate::events::Event::SpendableOutputs
-#[derive(Clone, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub enum SpendableOutputDescriptor {
/// An output to a script which was provided via [`SignerProvider`] directly, either from
/// [`get_destination_script`] or [`get_shutdown_scriptpubkey`], thus you should already
/// [`DelayedPaymentOutputDescriptor::to_self_delay`] contained here to
/// [`chan_utils::get_revokeable_redeemscript`].
DelayedPaymentOutput(DelayedPaymentOutputDescriptor),
- /// An output to a P2WPKH, spendable exclusively by our payment key (i.e., the private key
- /// which corresponds to the `payment_point` in [`ChannelSigner::pubkeys`]). The witness
- /// in the spending input is, thus, simply:
+ /// An output spendable exclusively by our payment key (i.e., the private key that corresponds
+ /// to the `payment_point` in [`ChannelSigner::pubkeys`]). The output type depends on the
+ /// channel type negotiated.
+ ///
+ /// On an anchor outputs channel, the witness in the spending input is:
+ /// ```bitcoin
+ /// <BIP 143 signature> <witness script>
+ /// ```
+ ///
+ /// Otherwise, it is:
/// ```bitcoin
/// <BIP 143 signature> <payment key>
/// ```
///
/// These are generally the result of our counterparty having broadcast the current state,
- /// allowing us to claim the non-HTLC-encumbered outputs immediately.
+ /// allowing us to claim the non-HTLC-encumbered outputs immediately, or after one confirmation
+ /// in the case of anchor outputs channels.
StaticPaymentOutput(StaticPaymentOutputDescriptor),
}
match outp {
SpendableOutputDescriptor::StaticPaymentOutput(descriptor) => {
if !output_set.insert(descriptor.outpoint) { return Err(()); }
+ let sequence =
+ if descriptor.channel_transaction_parameters.as_ref()
+ .map(|channel_params| channel_params.channel_type_features.supports_anchors_zero_fee_htlc_tx())
+ .unwrap_or(false)
+ {
+ Sequence::from_consensus(1)
+ } else {
+ Sequence::ZERO
+ };
input.push(TxIn {
previous_output: descriptor.outpoint.into_bitcoin_outpoint(),
script_sig: Script::new(),
- sequence: Sequence::ZERO,
+ sequence,
witness: Witness::new(),
});
- witness_weight += StaticPaymentOutputDescriptor::MAX_WITNESS_LENGTH;
+ witness_weight += descriptor.max_witness_length();
#[cfg(feature = "grind_signatures")]
{ witness_weight -= 1; } // Guarantees a low R signature
input_value += descriptor.output.value;
/// Errors if the [`Recipient`] variant is not supported by the implementation.
fn sign_invoice(&self, hrp_bytes: &[u8], invoice_data: &[u5], recipient: Recipient) -> Result<RecoverableSignature, ()>;
+ /// Signs the [`TaggedHash`] of a BOLT 12 invoice request.
+ ///
+ /// May be called by a function passed to [`UnsignedInvoiceRequest::sign`] where
+ /// `invoice_request` is the callee.
+ ///
+ /// Implementors may check that the `invoice_request` is expected rather than blindly signing
+ /// the tagged hash. An `Ok` result should sign `invoice_request.tagged_hash().as_digest()` with
+ /// the node's signing key or an ephemeral key to preserve privacy, whichever is associated with
+ /// [`UnsignedInvoiceRequest::payer_id`].
+ ///
+ /// [`TaggedHash`]: crate::offers::merkle::TaggedHash
+ fn sign_bolt12_invoice_request(
+ &self, invoice_request: &UnsignedInvoiceRequest
+ ) -> Result<schnorr::Signature, ()>;
+
+ /// Signs the [`TaggedHash`] of a BOLT 12 invoice.
+ ///
+ /// May be called by a function passed to [`UnsignedBolt12Invoice::sign`] where `invoice` is the
+ /// callee.
+ ///
+ /// Implementors may check that the `invoice` is expected rather than blindly signing the tagged
+ /// hash. An `Ok` result should sign `invoice.tagged_hash().as_digest()` with the node's signing
+ /// key or an ephemeral key to preserve privacy, whichever is associated with
+ /// [`UnsignedBolt12Invoice::signing_pubkey`].
+ ///
+ /// [`TaggedHash`]: crate::offers::merkle::TaggedHash
+ fn sign_bolt12_invoice(
+ &self, invoice: &UnsignedBolt12Invoice
+ ) -> Result<schnorr::Signature, ()>;
+
/// Sign a gossip message.
///
/// Note that if this fails, LDK may panic and the message will not be broadcast to the network
if !spend_tx.input[input_idx].script_sig.is_empty() { return Err(()); }
if spend_tx.input[input_idx].previous_output != descriptor.outpoint.into_bitcoin_outpoint() { return Err(()); }
- let remotepubkey = self.pubkeys().payment_point;
- let witness_script = bitcoin::Address::p2pkh(&::bitcoin::PublicKey{compressed: true, inner: remotepubkey}, Network::Testnet).script_pubkey();
+ let remotepubkey = bitcoin::PublicKey::new(self.pubkeys().payment_point);
+ let witness_script = if self.channel_type_features().supports_anchors_zero_fee_htlc_tx() {
+ chan_utils::get_to_countersignatory_with_anchors_redeemscript(&remotepubkey.inner)
+ } else {
+ Script::new_p2pkh(&remotepubkey.pubkey_hash())
+ };
let sighash = hash_to_message!(&sighash::SighashCache::new(spend_tx).segwit_signature_hash(input_idx, &witness_script, descriptor.output.value, EcdsaSighashType::All).unwrap()[..]);
let remotesig = sign_with_aux_rand(secp_ctx, &sighash, &self.payment_key, &self);
- let payment_script = bitcoin::Address::p2wpkh(&::bitcoin::PublicKey{compressed: true, inner: remotepubkey}, Network::Bitcoin).unwrap().script_pubkey();
+ let payment_script = if self.channel_type_features().supports_anchors_zero_fee_htlc_tx() {
+ witness_script.to_v0_p2wsh()
+ } else {
+ Script::new_v0_p2wpkh(&remotepubkey.wpubkey_hash().unwrap())
+ };
if payment_script != descriptor.output.script_pubkey { return Err(()); }
let mut witness = Vec::with_capacity(2);
witness.push(remotesig.serialize_der().to_vec());
witness[0].push(EcdsaSighashType::All as u8);
- witness.push(remotepubkey.serialize().to_vec());
+ if self.channel_type_features().supports_anchors_zero_fee_htlc_tx() {
+ witness.push(witness_script.to_bytes());
+ } else {
+ witness.push(remotepubkey.to_bytes());
+ }
Ok(witness)
}
&self, htlc_tx: &Transaction, input: usize, htlc_descriptor: &HTLCDescriptor,
secp_ctx: &Secp256k1<secp256k1::All>
) -> Result<Signature, ()> {
- let per_commitment_point = self.get_per_commitment_point(
- htlc_descriptor.per_commitment_number, &secp_ctx
- );
- let witness_script = htlc_descriptor.witness_script(&per_commitment_point, secp_ctx);
+ let witness_script = htlc_descriptor.witness_script(secp_ctx);
let sighash = &sighash::SighashCache::new(&*htlc_tx).segwit_signature_hash(
input, &witness_script, htlc_descriptor.htlc.amount_msat / 1000, EcdsaSighashType::All
).map_err(|_| ())?;
let our_htlc_private_key = chan_utils::derive_private_key(
- &secp_ctx, &per_commitment_point, &self.htlc_base_key
+ &secp_ctx, &htlc_descriptor.per_commitment_point, &self.htlc_base_key
);
Ok(sign_with_aux_rand(&secp_ctx, &hash_to_message!(sighash), &our_htlc_private_key, &self))
}
///
/// May panic if the [`SpendableOutputDescriptor`]s were not generated by channels which used
/// this [`KeysManager`] or one of the [`InMemorySigner`] created by this [`KeysManager`].
- pub fn sign_spendable_outputs_psbt<C: Signing>(&self, descriptors: &[&SpendableOutputDescriptor], psbt: &mut PartiallySignedTransaction, secp_ctx: &Secp256k1<C>) -> Result<(), ()> {
+ pub fn sign_spendable_outputs_psbt<C: Signing>(&self, descriptors: &[&SpendableOutputDescriptor], mut psbt: PartiallySignedTransaction, secp_ctx: &Secp256k1<C>) -> Result<PartiallySignedTransaction, ()> {
let mut keys_cache: Option<(InMemorySigner, [u8; 32])> = None;
for outp in descriptors {
match outp {
SpendableOutputDescriptor::StaticPaymentOutput(descriptor) => {
let input_idx = psbt.unsigned_tx.input.iter().position(|i| i.previous_output == descriptor.outpoint.into_bitcoin_outpoint()).ok_or(())?;
if keys_cache.is_none() || keys_cache.as_ref().unwrap().1 != descriptor.channel_keys_id {
- keys_cache = Some((
- self.derive_channel_keys(descriptor.channel_value_satoshis, &descriptor.channel_keys_id),
- descriptor.channel_keys_id));
+ let mut signer = self.derive_channel_keys(descriptor.channel_value_satoshis, &descriptor.channel_keys_id);
+ if let Some(channel_params) = descriptor.channel_transaction_parameters.as_ref() {
+ signer.provide_channel_parameters(channel_params);
+ }
+ keys_cache = Some((signer, descriptor.channel_keys_id));
}
let witness = Witness::from_vec(keys_cache.as_ref().unwrap().0.sign_counterparty_payment_input(&psbt.unsigned_tx, input_idx, &descriptor, &secp_ctx)?);
psbt.inputs[input_idx].final_script_witness = Some(witness);
}
}
- Ok(())
+ Ok(psbt)
}
/// Creates a [`Transaction`] which spends the given descriptors to the given outputs, plus an
/// this [`KeysManager`] or one of the [`InMemorySigner`] created by this [`KeysManager`].
pub fn spend_spendable_outputs<C: Signing>(&self, descriptors: &[&SpendableOutputDescriptor], outputs: Vec<TxOut>, change_destination_script: Script, feerate_sat_per_1000_weight: u32, locktime: Option<PackedLockTime>, secp_ctx: &Secp256k1<C>) -> Result<Transaction, ()> {
let (mut psbt, expected_max_weight) = SpendableOutputDescriptor::create_spendable_outputs_psbt(descriptors, outputs, change_destination_script, feerate_sat_per_1000_weight, locktime)?;
- self.sign_spendable_outputs_psbt(descriptors, &mut psbt, secp_ctx)?;
+ psbt = self.sign_spendable_outputs_psbt(descriptors, psbt, secp_ctx)?;
let spend_tx = psbt.extract_tx();
Ok(self.secp_ctx.sign_ecdsa_recoverable(&hash_to_message!(&Sha256::hash(&preimage)), secret))
}
+ fn sign_bolt12_invoice_request(
+ &self, invoice_request: &UnsignedInvoiceRequest
+ ) -> Result<schnorr::Signature, ()> {
+ let message = invoice_request.tagged_hash().as_digest();
+ let keys = KeyPair::from_secret_key(&self.secp_ctx, &self.node_secret);
+ let aux_rand = self.get_secure_random_bytes();
+ Ok(self.secp_ctx.sign_schnorr_with_aux_rand(message, &keys, &aux_rand))
+ }
+
+ fn sign_bolt12_invoice(
+ &self, invoice: &UnsignedBolt12Invoice
+ ) -> Result<schnorr::Signature, ()> {
+ let message = invoice.tagged_hash().as_digest();
+ let keys = KeyPair::from_secret_key(&self.secp_ctx, &self.node_secret);
+ let aux_rand = self.get_secure_random_bytes();
+ Ok(self.secp_ctx.sign_schnorr_with_aux_rand(message, &keys, &aux_rand))
+ }
+
fn sign_gossip_message(&self, msg: UnsignedGossipMessage) -> Result<Signature, ()> {
let msg_hash = hash_to_message!(&Sha256dHash::hash(&msg.encode()[..])[..]);
Ok(self.secp_ctx.sign_ecdsa(&msg_hash, &self.node_secret))
Ok(self.inner.secp_ctx.sign_ecdsa_recoverable(&hash_to_message!(&Sha256::hash(&preimage)), secret))
}
+ fn sign_bolt12_invoice_request(
+ &self, invoice_request: &UnsignedInvoiceRequest
+ ) -> Result<schnorr::Signature, ()> {
+ self.inner.sign_bolt12_invoice_request(invoice_request)
+ }
+
+ fn sign_bolt12_invoice(
+ &self, invoice: &UnsignedBolt12Invoice
+ ) -> Result<schnorr::Signature, ()> {
+ self.inner.sign_bolt12_invoice(invoice)
+ }
+
fn sign_gossip_message(&self, msg: UnsignedGossipMessage) -> Result<Signature, ()> {
self.inner.sign_gossip_message(msg)
}