Introduce CommitmentTransactionInfo

This class maintains the per-commitment transaction fields needed to construct the bitcoin transaction.  It replaces passing around of Bitcoin transactions.

Author: devrandom

lightning/src/ln/chan_utils.rs

@@ -28,12 +28,16 @@ use ln::msgs::DecodeError;
 use util::ser::{Readable, Writeable, Writer, WriterWriteAdaptor};
 use util::byte_utils;
 
+use bitcoin::hash_types::WPubkeyHash;
 use bitcoin::secp256k1::key::{SecretKey, PublicKey};
-use bitcoin::secp256k1::{Secp256k1, Signature};
+use bitcoin::secp256k1::{Secp256k1, Signature, Message};
 use bitcoin::secp256k1::Error as SecpError;
 use bitcoin::secp256k1;
 
 use std::{cmp, mem};
+use ln::chan_utils;
+use util::transaction_utils::sort_outputs;
+use ln::channel::INITIAL_COMMITMENT_NUMBER;
 
 const MAX_ALLOC_SIZE: usize = 64*1024;
 
@@ -550,6 +554,260 @@ pub fn build_htlc_transaction(prev_hash: &Txid, feerate_per_kw: u32, contest_del
 	}
 }
 
+#[derive(Clone)]
+/// We use this class to track the information needed to build a commitment transaction and to actually
+/// build and sign.  It is used for holder transactions that we sign only when needed
+/// and for transactions we sign for the counterparty.
+///
+/// This class can be used inside a signer implementation to generate a signature given the relevant
+/// secret key.
+pub struct CommitmentTransactionInfo {
+	/// The backwards-counting commitment number
+	pub commitment_number: u64,
+	/// The value to be sent to the broadcaster
+	pub to_broadcaster_value_sat: u64,
+	/// The value to be sent to the counterparty
+	pub to_countersignatory_value_sat: u64,
+	/// The feerate paid per 1000-weight-unit in this commitment transaction.
+	pub feerate_per_kw: u32,
+	/// The HTLCs which were included in this commitment transaction in output order.
+	pub htlcs: Vec<HTLCOutputInCommitment>,
+	pub(crate) keys: TxCreationKeys,
+}
+
+impl CommitmentTransactionInfo {
+	/// Construct an object of the class while assigning transaction output indices to HTLCs.
+	///
+	/// Also keeps track of associated HTLC data and returns it along with the mutated HTLCs.
+	pub fn new_with_auxiliary_htlc_data<T: Copy>(
+		commitment_number: u64,
+		to_broadcaster_value_sat: u64,
+		to_countersignatory_value_sat: u64,
+		keys: TxCreationKeys,
+		feerate_per_kw: u32,
+		htlcs_with_aux: Vec<(HTLCOutputInCommitment, T)>,
+		broadcaster_pubkeys: &ChannelPublicKeys,
+		countersignatory_pubkeys: &ChannelPublicKeys,
+		contest_delay: u16,
+		secp_ctx: &Secp256k1<secp256k1::All>
+	) -> (CommitmentTransactionInfo, Vec<(HTLCOutputInCommitment, T)>) {
+		// Populate output indices while keeping track of the auxiliary data
+		let mut txouts = Self::do_build_outputs(&keys, to_broadcaster_value_sat, to_countersignatory_value_sat, &htlcs_with_aux, broadcaster_pubkeys, countersignatory_pubkeys, contest_delay, &secp_ctx).unwrap();
+		let mut result_htlcs_with_aux = Vec::new();
+		let mut htlcs = Vec::new();
+		for (idx, mut out) in txouts.drain(..).enumerate() {
+			if let Some(mut htlc) = (out.1).1.take() {
+				htlc.0.transaction_output_index = Some(idx as u32);
+				result_htlcs_with_aux.push((htlc.0.clone(), htlc.1));
+				htlcs.push(htlc.0);
+			}
+		}
+
+		let info = CommitmentTransactionInfo {
+			commitment_number,
+			to_broadcaster_value_sat,
+			to_countersignatory_value_sat,
+			feerate_per_kw,
+			htlcs,
+			keys,
+		};
+		(info, result_htlcs_with_aux)
+	}
+
+	/// Build the Bitcoin transaction.
+	///
+	/// Required channel-static fields are provided by the caller.
+	///
+	/// is_outbound is true if the channel is outbound from the point of view of the broadcaster
+	pub fn build<T: secp256k1::Signing + secp256k1::Verification>(
+		&self,
+		broadcaster_pubkeys: &ChannelPublicKeys,
+		countersignatory_pubkeys: &ChannelPublicKeys,
+		funding_outpoint: &OutPoint,
+		contest_delay: u16,
+		is_outbound: bool,
+		secp_ctx: &Secp256k1<T>,
+	) -> Result<(bitcoin::Transaction, Vec<HTLCOutputInCommitment>, Vec<Script>), ()> {
+		let (obscured_commitment_transaction_number, txins) = self.build_inputs(broadcaster_pubkeys, countersignatory_pubkeys, funding_outpoint, is_outbound);
+
+		let mut txouts = self.build_outputs(broadcaster_pubkeys, countersignatory_pubkeys, contest_delay, secp_ctx)?;
+
+		let mut outputs = Vec::with_capacity(txouts.len());
+		let mut scripts = Vec::with_capacity(txouts.len());
+		let mut htlcs = Vec::new();
+		for (idx, mut out) in txouts.drain(..).enumerate() {
+			outputs.push(out.0);
+			scripts.push((out.1).0.clone());
+			if let Some(mut htlc) = (out.1).1.take() {
+				htlc.transaction_output_index = Some(idx as u32);
+				htlcs.push(htlc);
+			}
+		}
+
+		Ok((
+			Transaction {
+				version: 2,
+				lock_time: ((0x20 as u32) << 8 * 3) | ((obscured_commitment_transaction_number & 0xffffffu64) as u32),
+				input: txins,
+				output: outputs,
+			},
+			htlcs,
+			scripts,
+		))
+	}
+
+	fn build_outputs<T: secp256k1::Signing + secp256k1::Verification>(&self, broadcaster_pubkeys: &ChannelPublicKeys, countersignatory_pubkeys: &ChannelPublicKeys, contest_delay: u16, secp_ctx: &Secp256k1<T>) -> Result<Vec<(TxOut, (Script, Option<HTLCOutputInCommitment>))>, ()> {
+		let htlcs = self.htlcs.iter().map(|h| (h.clone(), ())).collect();
+		let mut txouts = Self::do_build_outputs(&self.keys, self.to_broadcaster_value_sat, self.to_countersignatory_value_sat, &htlcs, broadcaster_pubkeys, countersignatory_pubkeys, contest_delay, secp_ctx)?;
+		let outs = txouts.drain(..).map(|(out, (s, extra))| (out, (s, extra.map(|(p, _)| p)))).collect();
+		Ok(outs)
+	}
+
+	fn do_build_outputs<T: Copy, S: secp256k1::Signing + secp256k1::Verification>(
+		keys: &TxCreationKeys,
+		to_broadcaster_value_sat: u64,
+		to_countersignatory_value_sat: u64,
+		htlcs: &Vec<(HTLCOutputInCommitment, T)>,
+		broadcaster_pubkeys: &ChannelPublicKeys, countersignatory_pubkeys: &ChannelPublicKeys, contest_delay: u16, secp_ctx: &Secp256k1<S>) -> Result<Vec<(TxOut, (Script, Option<(HTLCOutputInCommitment, T)>))>, ()> {
+		let per_commitment_point = &keys.per_commitment_point;
+		let to_broadcaster_delayed_pubkey = derive_public_key(
+			&secp_ctx,
+			&per_commitment_point,
+			&broadcaster_pubkeys.delayed_payment_basepoint,
+		).map_err(|_| ())?;
+
+		let revocation_pubkey = derive_public_revocation_key(
+			&secp_ctx,
+			per_commitment_point,
+			&countersignatory_pubkeys.revocation_basepoint,
+		).map_err(|_| ())?;
+
+		let mut txouts: Vec<(TxOut, (Script, Option<(HTLCOutputInCommitment, T)>))> = Vec::new();
+
+		if to_countersignatory_value_sat > 0 {
+			let script = script_for_p2wpkh(&countersignatory_pubkeys.payment_point);
+			txouts.push((
+				TxOut {
+					script_pubkey: script.clone(),
+					value: to_countersignatory_value_sat,
+				},
+				(script, None),
+			))
+		}
+
+		if to_broadcaster_value_sat > 0 {
+			let redeem_script = get_revokeable_redeemscript(
+				&revocation_pubkey,
+				contest_delay,
+				&to_broadcaster_delayed_pubkey,
+			);
+			txouts.push((
+				TxOut {
+					script_pubkey: redeem_script.to_v0_p2wsh(),
+					value: to_broadcaster_value_sat,
+				},
+				(redeem_script, None),
+			));
+		}
+
+		for (htlc, t) in htlcs {
+			let script = chan_utils::get_htlc_redeemscript(&htlc, &keys);
+			let txout = TxOut {
+				script_pubkey: script.to_v0_p2wsh(),
+				value: htlc.amount_msat / 1000,
+			};
+			txouts.push((txout, (script, Some((htlc.clone(), *t)))));
+		}
+
+		sort_outputs(&mut txouts, |a, b| {
+			if let &(_, Some(ref a_htlcout)) = a {
+				if let &(_, Some(ref b_htlcout)) = b {
+					a_htlcout.0.cltv_expiry.cmp(&b_htlcout.0.cltv_expiry)
+				} else {
+					cmp::Ordering::Equal
+				}
+			} else {
+				cmp::Ordering::Equal
+			}
+		});
+		Ok(txouts)
+	}
+
+	fn build_inputs(&self, broadcaster_pubkeys: &ChannelPublicKeys, countersignatory_pubkeys: &ChannelPublicKeys, funding_outpoint: &OutPoint, is_outbound: bool) -> (u64, Vec<TxIn>) {
+		let commitment_transaction_number_obscure_factor = get_commitment_transaction_number_obscure_factor(
+			&broadcaster_pubkeys.payment_point,
+			&countersignatory_pubkeys.payment_point,
+			is_outbound,
+		);
+
+		let obscured_commitment_transaction_number =
+			commitment_transaction_number_obscure_factor ^ (INITIAL_COMMITMENT_NUMBER - self.commitment_number);
+
+		let txins = {
+			let mut ins: Vec<TxIn> = Vec::new();
+			ins.push(TxIn {
+				previous_output: funding_outpoint.clone(),
+				script_sig: Script::new(),
+				sequence: ((0x80 as u32) << 8 * 3)
+					| ((obscured_commitment_transaction_number >> 3 * 8) as u32),
+				witness: Vec::new(),
+			});
+			ins
+		};
+		(obscured_commitment_transaction_number, txins)
+	}
+
+	/// Sign a transaction, either because we are counter-signing the counterparty's transaction or
+	/// because we are about to broadcast a holder transaction.
+	///
+	/// is_outbound is true if the channel is outbound from the point of view of the broadcaster
+	pub fn get_signature<T: secp256k1::Signing + secp256k1::Verification>(&self, broadcaster_pubkeys: &ChannelPublicKeys, countersignatory_pubkeys: &ChannelPublicKeys, funding_outpoint: &OutPoint, contest_delay: u16, is_outbound: bool, funding_key: &SecretKey, funding_redeemscript: &Script, channel_value_satoshis: u64, secp_ctx: &Secp256k1<T>) -> Signature {
+		let sighash = self.get_sighash(broadcaster_pubkeys, countersignatory_pubkeys, funding_outpoint, contest_delay, is_outbound, funding_redeemscript, channel_value_satoshis, secp_ctx).0;
+		secp_ctx.sign(&sighash, funding_key)
+	}
+
+	/// Get the sighash and the transaction.
+	///
+	/// Builds the transaction and computes the sighash.  This can be used to verify a signature.
+	pub fn get_sighash<T: secp256k1::Signing + secp256k1::Verification>(&self, broadcaster_pubkeys: &ChannelPublicKeys, countersignatory_pubkeys: &ChannelPublicKeys, funding_outpoint: &OutPoint, contest_delay: u16, is_outbound: bool, funding_redeemscript: &Script, channel_value_satoshis: u64, secp_ctx: &Secp256k1<T>) -> (Message, Transaction) {
+		let (unsigned_tx, _, _) = self.build(broadcaster_pubkeys, countersignatory_pubkeys, funding_outpoint, contest_delay, is_outbound, secp_ctx).unwrap();
+		let sighash = hash_to_message!(&bip143::SigHashCache::new(&unsigned_tx)
+			.signature_hash(0, funding_redeemscript, channel_value_satoshis, SigHashType::All)[..]);
+		(sighash, unsigned_tx)
+	}
+}
+
+/// Get the transaction number obscure factor
+pub fn get_commitment_transaction_number_obscure_factor(
+	broadcaster_payment_basepoint: &PublicKey,
+	countersignatory_payment_basepoint: &PublicKey,
+	outbound: bool,
+) -> u64 {
+	let mut sha = Sha256::engine();
+
+	if outbound {
+		sha.input(&broadcaster_payment_basepoint.serialize());
+		sha.input(&countersignatory_payment_basepoint.serialize());
+	} else {
+		sha.input(&countersignatory_payment_basepoint.serialize());
+		sha.input(&broadcaster_payment_basepoint.serialize());
+	}
+	let res = Sha256::from_engine(sha).into_inner();
+
+	((res[26] as u64) << 5 * 8)
+		| ((res[27] as u64) << 4 * 8)
+		| ((res[28] as u64) << 3 * 8)
+		| ((res[29] as u64) << 2 * 8)
+		| ((res[30] as u64) << 1 * 8)
+		| ((res[31] as u64) << 0 * 8)
+}
+
+fn script_for_p2wpkh(key: &PublicKey) -> Script {
+	Builder::new().push_opcode(opcodes::all::OP_PUSHBYTES_0)
+		.push_slice(&WPubkeyHash::hash(&key.serialize())[..])
+		.into_script()
+}
+
 #[derive(Clone)]
 /// We use this to track holder commitment transactions and put off signing them until we are ready
 /// to broadcast. This class can be used inside a signer implementation to generate a signature