Extend BaseSign with HTLC output signing support for external claims

Author: wpaulino

lightning/src/chain/keysinterface.rs

@@ -324,6 +324,17 @@ pub trait BaseSign {
 	/// (which is committed to in the BIP 143 signatures).
 	fn sign_justice_revoked_htlc(&self, justice_tx: &Transaction, input: usize, amount: u64, per_commitment_key: &SecretKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()>;
 
+	#[cfg(anchors)]
+	/// Computes the signature for a commitment transaction's HTLC output used as an input within
+	/// `htlc_tx`, which spends the commitment transaction, at index `input`.
+	/// Note that this should only be used to sign HTLC transactions from channels supporting anchor
+	/// outputs after all additional inputs/outputs have been added to the transaction.
+	fn sign_holder_htlc_transaction(
+		&self, htlc_tx: &Transaction, input: usize, per_commitment_number: u64,
+		htlc: &HTLCOutputInCommitment, counterparty_base_htlc_key: &PublicKey,
+		counterparty_base_revocation_key: &PublicKey, secp_ctx: &Secp256k1<secp256k1::All>
+	) -> Result<Signature, ()>;
+
 	/// Create a signature for a claiming transaction for a HTLC output on a counterparty's commitment
 	/// transaction, either offered or received.
 	///
@@ -671,7 +682,6 @@ impl InMemorySigner {
 		witness.push(witness_script.clone().into_bytes());
 		Ok(witness)
 	}
-
 }
 
 impl BaseSign for InMemorySigner {
@@ -767,6 +777,36 @@ impl BaseSign for InMemorySigner {
 		return Ok(sign(secp_ctx, &sighash, &revocation_key))
 	}
 
+	#[cfg(anchors)]
+	fn sign_holder_htlc_transaction(
+		&self, htlc_tx: &Transaction, input: usize, per_commitment_number: u64,
+		htlc: &HTLCOutputInCommitment, counterparty_base_htlc_key: &PublicKey,
+		counterparty_base_revocation_key: &PublicKey, secp_ctx: &Secp256k1<secp256k1::All>
+	) -> Result<Signature, ()> {
+		let per_commitment_point = self.get_per_commitment_point(per_commitment_number, &secp_ctx);
+		let witness_script = {
+			let our_htlc_key = chan_utils::derive_public_key(
+				secp_ctx, &per_commitment_point, &self.pubkeys().htlc_basepoint
+			).map_err(|_| ())?;
+			let counterparty_htlc_key = chan_utils::derive_public_revocation_key(
+				secp_ctx, &per_commitment_point, counterparty_base_htlc_key
+			).map_err(|_| ())?;
+			let revocation_key = chan_utils::derive_public_revocation_key(
+				secp_ctx, &per_commitment_point, counterparty_base_revocation_key
+			).map_err(|_| ())?;
+			chan_utils::get_htlc_redeemscript_with_explicit_keys(
+				&htlc, true /* opt_anchors */, &our_htlc_key, &counterparty_htlc_key, &revocation_key,
+			)
+		};
+		let sighash = &sighash::SighashCache::new(&*htlc_tx).segwit_signature_hash(
+			input, &witness_script, htlc.amount_msat / 1000, EcdsaSighashType::All
+		).map_err(|_| ())?;
+		let our_htlc_private_key = chan_utils::derive_private_key(
+			&secp_ctx, &per_commitment_point, &self.htlc_base_key
+		).map_err(|_| ())?;
+		Ok(sign(&secp_ctx, &hash_to_message!(sighash), &our_htlc_private_key))
+	}
+
 	fn sign_counterparty_htlc_transaction(&self, htlc_tx: &Transaction, input: usize, amount: u64, per_commitment_point: &PublicKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
 		if let Ok(htlc_key) = chan_utils::derive_private_key(&secp_ctx, &per_commitment_point, &self.htlc_base_key) {
 			let witness_script = if let Ok(revocation_pubkey) = chan_utils::derive_public_revocation_key(&secp_ctx, &per_commitment_point, &self.pubkeys().revocation_basepoint) {

lightning/src/ln/chan_utils.rs

@@ -698,6 +698,37 @@ pub fn build_htlc_transaction(commitment_txid: &Txid, feerate_per_kw: u32, conte
 	}
 }
 
+/// Returns the witness required to satisfy and spend a HTLC input.
+pub fn build_htlc_input_witness(
+	local_sig: &Signature, remote_sig: &Signature, preimage: &Option<PaymentPreimage>,
+	redeem_script: &Script, opt_anchors: bool,
+) -> Witness {
+	let remote_sighash_type = if opt_anchors {
+		EcdsaSighashType::SinglePlusAnyoneCanPay
+	} else {
+		EcdsaSighashType::All
+	};
+	let mut remote_sig = remote_sig.serialize_der().to_vec();
+	remote_sig.push(remote_sighash_type as u8);
+
+	let mut local_sig = local_sig.serialize_der().to_vec();
+	local_sig.push(EcdsaSighashType::All as u8);
+
+	let mut witness_vec = Vec::with_capacity(5);
+	// First push the multisig dummy, note that due to BIP147 (NULLDUMMY) it must be a zero-length element.
+	witness_vec.push(vec![]);
+	witness_vec.push(remote_sig);
+	witness_vec.push(local_sig);
+	if let Some(preimage) = preimage {
+		witness_vec.push(preimage.0.to_vec());
+	} else {
+		// Due to BIP146 (MINIMALIF) this must be a zero-length element to relay.
+		witness_vec.push(vec![]);
+	}
+	witness_vec.push(redeem_script.to_bytes());
+	Witness::from_vec(witness_vec)
+}
+
 /// Gets the witnessScript for the to_remote output when anchors are enabled.
 #[inline]
 pub(crate) fn get_to_countersignatory_with_anchors_redeemscript(payment_point: &PublicKey) -> Script {
@@ -1518,26 +1549,9 @@ impl<'a> TrustedCommitmentTransaction<'a> {
 
 		let htlc_redeemscript = get_htlc_redeemscript_with_explicit_keys(&this_htlc, self.opt_anchors(), &keys.broadcaster_htlc_key, &keys.countersignatory_htlc_key, &keys.revocation_key);
 
-		let sighashtype = if self.opt_anchors() { EcdsaSighashType::SinglePlusAnyoneCanPay } else { EcdsaSighashType::All };
-
-		// First push the multisig dummy, note that due to BIP147 (NULLDUMMY) it must be a zero-length element.
-		htlc_tx.input[0].witness.push(Vec::new());
-
-		let mut cp_sig_ser = counterparty_signature.serialize_der().to_vec();
-		cp_sig_ser.push(sighashtype as u8);
-		htlc_tx.input[0].witness.push(cp_sig_ser);
-		let mut holder_sig_ser = signature.serialize_der().to_vec();
-		holder_sig_ser.push(EcdsaSighashType::All as u8);
-		htlc_tx.input[0].witness.push(holder_sig_ser);
-
-		if this_htlc.offered {
-			// Due to BIP146 (MINIMALIF) this must be a zero-length element to relay.
-			htlc_tx.input[0].witness.push(Vec::new());
-		} else {
-			htlc_tx.input[0].witness.push(preimage.unwrap().0.to_vec());
-		}
-
-		htlc_tx.input[0].witness.push(htlc_redeemscript.as_bytes().to_vec());
+		htlc_tx.input[0].witness = chan_utils::build_htlc_input_witness(
+			signature, counterparty_signature, preimage, &htlc_redeemscript, self.opt_anchors(),
+		);
 		htlc_tx
 	}
 }

lightning/src/util/enforcing_trait_impls.rs

@@ -190,6 +190,18 @@ impl BaseSign for EnforcingSigner {
 		Ok(self.inner.sign_justice_revoked_htlc(justice_tx, input, amount, per_commitment_key, htlc, secp_ctx).unwrap())
 	}
 
+	#[cfg(anchors)]
+	fn sign_holder_htlc_transaction(
+		&self, htlc_tx: &Transaction, input: usize, per_commitment_number: u64,
+		htlc: &HTLCOutputInCommitment, counterparty_base_htlc_key: &PublicKey,
+		counterparty_base_revocation_key: &PublicKey, secp_ctx: &Secp256k1<secp256k1::All>
+	) -> Result<Signature, ()> {
+		Ok(self.inner.sign_holder_htlc_transaction(
+			htlc_tx, input, per_commitment_number, htlc, counterparty_base_htlc_key,
+			counterparty_base_revocation_key, secp_ctx
+		).unwrap())
+	}
+
 	fn sign_counterparty_htlc_transaction(&self, htlc_tx: &Transaction, input: usize, amount: u64, per_commitment_point: &PublicKey, htlc: &HTLCOutputInCommitment, secp_ctx: &Secp256k1<secp256k1::All>) -> Result<Signature, ()> {
 		Ok(self.inner.sign_counterparty_htlc_transaction(htlc_tx, input, amount, per_commitment_point, htlc, secp_ctx).unwrap())
 	}