Implement Script for Witness and Add Tweak in Spendable Output to Partially Signed Bitcoin Transaction Input converter.

Adding Witness Script and key tweaks makes PSBT a single data source needed for a Signer to produce valid signatures.
A Signer is not required to be able to generate L2 keys, e.g delayed payment basepoint.

Author: yellowred

lightning/src/ln/channel_keys.rs

@@ -37,6 +37,19 @@ macro_rules! basepoint_impl {
             pub fn to_public_key(&self) -> PublicKey {
                 self.0
             }
+
+            /// Derives a per-commitment-transaction (eg an htlc key or delayed_payment key) private key addition tweak
+            /// from a basepoint and a per_commitment_point:
+            /// `privkey = basepoint_secret + SHA256(per_commitment_point || basepoint)`
+            pub fn derive_add_tweak(
+                &self,
+                per_commitment_point: &PublicKey,
+            ) -> [u8; 32] {
+                let mut sha = Sha256::engine();
+                sha.input(&per_commitment_point.serialize());
+                sha.input(&self.to_public_key().serialize());
+                Sha256::from_engine(sha).to_byte_array()
+            }
         }
 
         impl From<PublicKey> for $BasepointT {
@@ -226,7 +239,6 @@ impl RevocationKey {
 key_read_write!(RevocationKey);
 
 
-
 #[cfg(test)]
 mod test {
     use bitcoin::secp256k1::{Secp256k1, SecretKey, PublicKey};

lightning/src/sign/mod.rs

@@ -18,7 +18,7 @@ use bitcoin::blockdata::script::{Script, ScriptBuf, Builder};
 use bitcoin::blockdata::opcodes;
 use bitcoin::ecdsa::Signature as EcdsaSignature;
 use bitcoin::network::constants::Network;
-use bitcoin::psbt::PartiallySignedTransaction;
+use bitcoin::psbt::{PartiallySignedTransaction, raw};
 use bitcoin::bip32::{ExtendedPrivKey, ExtendedPubKey, ChildNumber};
 use bitcoin::sighash;
 use bitcoin::sighash::EcdsaSighashType;
@@ -37,14 +37,14 @@ use bitcoin::secp256k1::ecdsa::{RecoverableSignature, Signature};
 use bitcoin::secp256k1::schnorr;
 use bitcoin::{secp256k1, Sequence, Witness, Txid};
 
+use crate::ln::channel::ANCHOR_OUTPUT_VALUE_SATOSHI;
 use crate::util::transaction_utils;
 use crate::util::crypto::{hkdf_extract_expand_twice, sign, sign_with_aux_rand};
 use crate::util::ser::{Writeable, Writer, Readable, ReadableArgs};
 use crate::chain::transaction::OutPoint;
-use crate::ln::channel::ANCHOR_OUTPUT_VALUE_SATOSHI;
 use crate::ln::{chan_utils, PaymentPreimage};
-use crate::ln::chan_utils::{HTLCOutputInCommitment, make_funding_redeemscript, ChannelPublicKeys, HolderCommitmentTransaction, ChannelTransactionParameters, CommitmentTransaction, ClosingTransaction};
-use crate::ln::channel_keys::{DelayedPaymentBasepoint, DelayedPaymentKey, HtlcKey, HtlcBasepoint, RevocationKey, RevocationBasepoint};
+use crate::ln::chan_utils::{HTLCOutputInCommitment, make_funding_redeemscript, ChannelPublicKeys, HolderCommitmentTransaction, ChannelTransactionParameters, CommitmentTransaction, ClosingTransaction, get_revokeable_redeemscript};
+use crate::ln::channel_keys::{DelayedPaymentBasepoint, DelayedPaymentKey, HtlcKey, HtlcBasepoint, RevocationKey, RevocationBasepoint, PaymentBasepoint};
 use crate::ln::msgs::{UnsignedChannelAnnouncement, UnsignedGossipMessage};
 #[cfg(taproot)]
 use crate::ln::msgs::PartialSignatureWithNonce;
@@ -104,6 +104,7 @@ pub struct DelayedPaymentOutputDescriptor {
 	/// The value of the channel which this output originated from, possibly indirectly.
 	pub channel_value_satoshis: u64,
 }
+
 impl DelayedPaymentOutputDescriptor {
 	/// The maximum length a well-formed witness spending one of these should have.
 	/// Note: If you have the grind_signatures feature enabled, this will be at least 1 byte
@@ -149,6 +150,7 @@ pub struct StaticPaymentOutputDescriptor {
 	/// Added as optional, but always `Some` if the descriptor was produced in v0.0.117 or later.
 	pub channel_transaction_parameters: Option<ChannelTransactionParameters>,
 }
+
 impl StaticPaymentOutputDescriptor {
 	/// Returns the `witness_script` of the spendable output.
 	///
@@ -304,7 +306,7 @@ impl SpendableOutputDescriptor {
 	///
 	/// This is not exported to bindings users as there is no standard serialization for an input.
 	/// See [`Self::create_spendable_outputs_psbt`] instead.
-	pub fn to_psbt_input(&self) -> bitcoin::psbt::Input {
+	pub fn to_psbt_input<T: secp256k1::Signing>(&self, secp_ctx: &Secp256k1<T>, channel_public_keys: Option<&ChannelPublicKeys>) -> bitcoin::psbt::Input {
 		match self {
 			SpendableOutputDescriptor::StaticOutput { output, .. } => {
 				// Is a standard P2WPKH, no need for witness script
@@ -314,16 +316,72 @@ impl SpendableOutputDescriptor {
 				}
 			},
 			SpendableOutputDescriptor::DelayedPaymentOutput(descriptor) => {
-				// TODO we could add the witness script as well
+				let delayed_payment_basepoint = channel_public_keys.map(|keys| DelayedPaymentBasepoint::from(
+					keys.delayed_payment_basepoint,
+				));
+
+				let (witness_script, add_tweak) = if let Some(basepoint) = delayed_payment_basepoint.as_ref() {
+					let payment_key = DelayedPaymentKey::from_basepoint(
+						secp_ctx,
+						basepoint,
+						&descriptor.per_commitment_point,
+					);
+					// Required to derive signing key: privkey = basepoint_secret + SHA256(per_commitment_point || basepoint)
+					let add_tweak = basepoint.derive_add_tweak(&descriptor.per_commitment_point);
+					(Some(get_revokeable_redeemscript(
+						&descriptor.revocation_pubkey,
+						descriptor.to_self_delay,
+						&payment_key,
+					)), Some(add_tweak))
+				} else {
+				   (None, None)
+				};
+				
 				bitcoin::psbt::Input {
 					witness_utxo: Some(descriptor.output.clone()),
+					witness_script,
+					proprietary: add_tweak.map(|add_tweak| {vec![(
+						raw::ProprietaryKey {
+							prefix: "LDK_spendable_output".as_bytes().to_vec(),
+							subtype: 0,
+							key: "add_tweak".as_bytes().to_vec(),
+						},
+						add_tweak.to_vec(),
+					)].into_iter().collect()}).unwrap_or_default(),
 					..Default::default()
 				}
 			},
 			SpendableOutputDescriptor::StaticPaymentOutput(descriptor) => {
-				// TODO we could add the witness script as well
+				// Use simplified derivation, assuming `option_static_remotekey` or `option_anchors` is negotiated.
+				// `remote_payment_basepoint` is used as Payment Key.
+				let remote_payment_basepoint = channel_public_keys.map(|keys| 
+					PaymentBasepoint::from(keys.payment_point)
+				);
+
+				let witness_script = match remote_payment_basepoint {
+					Some(ref basepoint) => {
+						// We cannot always assume that `channel_parameters` is set, so can't just call
+						// `self.channel_parameters()` or anything that relies on it
+						let supports_anchors_zero_fee_htlc_tx = descriptor.channel_transaction_parameters.as_ref()
+							.map(|features| features.channel_type_features.supports_anchors_zero_fee_htlc_tx())
+							.unwrap_or(false);
+
+						let witness_script = if supports_anchors_zero_fee_htlc_tx {
+							chan_utils::get_to_countersignatory_with_anchors_redeemscript(&basepoint.to_public_key())
+						} else {
+							ScriptBuf::new_p2pkh(&bitcoin::PublicKey::new(basepoint.to_public_key()).pubkey_hash())
+						};
+
+						// With simplified derivation, the private payment key is equal to private payment basepoint, 
+						// so add tweak is not needed.
+						Some(witness_script)
+					},
+					_ => None,
+    			};
+				
 				bitcoin::psbt::Input {
 					witness_utxo: Some(descriptor.output.clone()),
+					witness_script,
 					..Default::default()
 				}
 			},
@@ -346,7 +404,8 @@ impl SpendableOutputDescriptor {
 	/// does not match the one we can spend.
 	///
 	/// We do not enforce that outputs meet the dust limit or that any output scripts are standard.
-	pub fn create_spendable_outputs_psbt(descriptors: &[&SpendableOutputDescriptor], outputs: Vec<TxOut>, change_destination_script: ScriptBuf, feerate_sat_per_1000_weight: u32, locktime: Option<LockTime>) -> Result<(PartiallySignedTransaction, u64), ()> {
+	pub fn create_spendable_outputs_psbt(descriptors: &[&SpendableOutputDescriptor], outputs: Vec<TxOut>, change_destination_script: ScriptBuf, feerate_sat_per_1000_weight: u32, locktime: Option<LockTime>, channel_public_keys: Option<&ChannelPublicKeys>) -> Result<(PartiallySignedTransaction, u64), ()> {
+		let secp_ctx = Secp256k1::new();
 		let mut input = Vec::with_capacity(descriptors.len());
 		let mut input_value = 0;
 		let mut witness_weight = 0;
@@ -413,7 +472,7 @@ impl SpendableOutputDescriptor {
 		let expected_max_weight =
 			transaction_utils::maybe_add_change_output(&mut tx, input_value, witness_weight, feerate_sat_per_1000_weight, change_destination_script)?;
 
-		let psbt_inputs = descriptors.iter().map(|d| d.to_psbt_input()).collect::<Vec<_>>();
+		let psbt_inputs = descriptors.iter().map(|d| d.to_psbt_input(&secp_ctx, channel_public_keys)).collect::<Vec<_>>();
 		let psbt = PartiallySignedTransaction {
 			inputs: psbt_inputs,
 			outputs: vec![Default::default(); tx.output.len()],
@@ -1615,7 +1674,8 @@ impl KeysManager {
 	/// May panic if the [`SpendableOutputDescriptor`]s were not generated by channels which used
 	/// this [`KeysManager`] or one of the [`InMemorySigner`] created by this [`KeysManager`].
 	pub fn spend_spendable_outputs<C: Signing>(&self, descriptors: &[&SpendableOutputDescriptor], outputs: Vec<TxOut>, change_destination_script: ScriptBuf, feerate_sat_per_1000_weight: u32, locktime: Option<LockTime>, secp_ctx: &Secp256k1<C>) -> Result<Transaction, ()> {
-		let (mut psbt, expected_max_weight) = SpendableOutputDescriptor::create_spendable_outputs_psbt(descriptors, outputs, change_destination_script, feerate_sat_per_1000_weight, locktime)?;
+		// TODO: provide channel keys to construct witness script
+		let (mut psbt, expected_max_weight) = SpendableOutputDescriptor::create_spendable_outputs_psbt(descriptors, outputs, change_destination_script, feerate_sat_per_1000_weight, locktime, None)?;
 		psbt = self.sign_spendable_outputs_psbt(descriptors, psbt, secp_ctx)?;
 
 		let spend_tx = psbt.extract_tx();