package lnwallet import ( "bytes" "crypto/sha256" "encoding/hex" "fmt" "testing" "time" "github.com/lightningnetwork/lnd/keychain" "github.com/btcsuite/btcd/btcec" "github.com/btcsuite/btcd/chaincfg/chainhash" "github.com/btcsuite/btcd/txscript" "github.com/btcsuite/btcd/wire" "github.com/btcsuite/btcutil" ) // TestCommitmentSpendValidation test the spendability of both outputs within // the commitment transaction. // // The following spending cases are covered by this test: // * Alice's spend from the delayed output on her commitment transaction. // * Bob's spend from Alice's delayed output when she broadcasts a revoked // commitment transaction. // * Bob's spend from his unencumbered output within Alice's commitment // transaction. func TestCommitmentSpendValidation(t *testing.T) { t.Parallel() // We generate a fake output, and the corresponding txin. This output // doesn't need to exist, as we'll only be validating spending from the // transaction that references this. txid, err := chainhash.NewHash(testHdSeed.CloneBytes()) if err != nil { t.Fatalf("unable to create txid: %v", err) } fundingOut := &wire.OutPoint{ Hash: *txid, Index: 50, } fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil) const channelBalance = btcutil.Amount(1 * 10e8) const csvTimeout = uint32(5) // We also set up set some resources for the commitment transaction. // Each side currently has 1 BTC within the channel, with a total // channel capacity of 2BTC. aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), testWalletPrivKey) bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), bobsPrivKey) revocationPreimage := testHdSeed.CloneBytes() commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(), revocationPreimage) revokePubKey := DeriveRevocationPubkey(bobKeyPub, commitPoint) aliceDelayKey := TweakPubKey(aliceKeyPub, commitPoint) bobPayKey := TweakPubKey(bobKeyPub, commitPoint) aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub) bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub) aliceSelfOutputSigner := &mockSigner{ privkeys: []*btcec.PrivateKey{aliceKeyPriv}, } // With all the test data set up, we create the commitment transaction. // We only focus on a single party's transactions, as the scripts are // identical with the roles reversed. // // This is Alice's commitment transaction, so she must wait a CSV delay // of 5 blocks before sweeping the output, while bob can spend // immediately with either the revocation key, or his regular key. keyRing := &CommitmentKeyRing{ DelayKey: aliceDelayKey, RevocationKey: revokePubKey, NoDelayKey: bobPayKey, } commitmentTx, err := CreateCommitTx(*fakeFundingTxIn, keyRing, csvTimeout, channelBalance, channelBalance, DefaultDustLimit()) if err != nil { t.Fatalf("unable to create commitment transaction: %v", nil) } delayOutput := commitmentTx.TxOut[0] regularOutput := commitmentTx.TxOut[1] // We're testing an uncooperative close, output sweep, so construct a // transaction which sweeps the funds to a random address. targetOutput, err := commitScriptUnencumbered(aliceKeyPub) if err != nil { t.Fatalf("unable to create target output: %v", err) } sweepTx := wire.NewMsgTx(2) sweepTx.AddTxIn(wire.NewTxIn(&wire.OutPoint{ Hash: commitmentTx.TxHash(), Index: 0, }, nil, nil)) sweepTx.AddTxOut(&wire.TxOut{ PkScript: targetOutput, Value: 0.5 * 10e8, }) // First, we'll test spending with Alice's key after the timeout. delayScript, err := CommitScriptToSelf(csvTimeout, aliceDelayKey, revokePubKey) if err != nil { t.Fatalf("unable to generate alice delay script: %v", err) } sweepTx.TxIn[0].Sequence = lockTimeToSequence(false, csvTimeout) signDesc := &SignDescriptor{ WitnessScript: delayScript, KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, SingleTweak: aliceCommitTweak, SigHashes: txscript.NewTxSigHashes(sweepTx), Output: &wire.TxOut{ Value: int64(channelBalance), }, HashType: txscript.SigHashAll, InputIndex: 0, } aliceWitnessSpend, err := CommitSpendTimeout(aliceSelfOutputSigner, signDesc, sweepTx) if err != nil { t.Fatalf("unable to generate delay commit spend witness: %v", err) } sweepTx.TxIn[0].Witness = aliceWitnessSpend vm, err := txscript.NewEngine(delayOutput.PkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(channelBalance)) if err != nil { t.Fatalf("unable to create engine: %v", err) } if err := vm.Execute(); err != nil { t.Fatalf("spend from delay output is invalid: %v", err) } bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}} // Next, we'll test bob spending with the derived revocation key to // simulate the scenario when Alice broadcasts this commitment // transaction after it's been revoked. signDesc = &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, DoubleTweak: commitSecret, WitnessScript: delayScript, SigHashes: txscript.NewTxSigHashes(sweepTx), Output: &wire.TxOut{ Value: int64(channelBalance), }, HashType: txscript.SigHashAll, InputIndex: 0, } bobWitnessSpend, err := CommitSpendRevoke(bobSigner, signDesc, sweepTx) if err != nil { t.Fatalf("unable to generate revocation witness: %v", err) } sweepTx.TxIn[0].Witness = bobWitnessSpend vm, err = txscript.NewEngine(delayOutput.PkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(channelBalance)) if err != nil { t.Fatalf("unable to create engine: %v", err) } if err := vm.Execute(); err != nil { t.Fatalf("revocation spend is invalid: %v", err) } // In order to test the final scenario, we modify the TxIn of the sweep // transaction to instead point to the regular output (non delay) // within the commitment transaction. sweepTx.TxIn[0] = &wire.TxIn{ PreviousOutPoint: wire.OutPoint{ Hash: commitmentTx.TxHash(), Index: 1, }, } // Finally, we test bob sweeping his output as normal in the case that // Alice broadcasts this commitment transaction. bobScriptP2WKH, err := commitScriptUnencumbered(bobPayKey) if err != nil { t.Fatalf("unable to create bob p2wkh script: %v", err) } signDesc = &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: bobScriptP2WKH, SigHashes: txscript.NewTxSigHashes(sweepTx), Output: &wire.TxOut{ Value: int64(channelBalance), PkScript: bobScriptP2WKH, }, HashType: txscript.SigHashAll, InputIndex: 0, } bobRegularSpend, err := CommitSpendNoDelay(bobSigner, signDesc, sweepTx) if err != nil { t.Fatalf("unable to create bob regular spend: %v", err) } sweepTx.TxIn[0].Witness = bobRegularSpend vm, err = txscript.NewEngine(regularOutput.PkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(channelBalance)) if err != nil { t.Fatalf("unable to create engine: %v", err) } if err := vm.Execute(); err != nil { t.Fatalf("bob p2wkh spend is invalid: %v", err) } } // TestRevocationKeyDerivation tests that given a public key, and a revocation // hash, the homomorphic revocation public and private key derivation work // properly. func TestRevocationKeyDerivation(t *testing.T) { t.Parallel() // First, we'll generate a commitment point, and a commitment secret. // These will be used to derive the ultimate revocation keys. revocationPreimage := testHdSeed.CloneBytes() commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(), revocationPreimage) // With the commitment secrets generated, we'll now create the base // keys we'll use to derive the revocation key from. basePriv, basePub := btcec.PrivKeyFromBytes(btcec.S256(), testWalletPrivKey) // With the point and key obtained, we can now derive the revocation // key itself. revocationPub := DeriveRevocationPubkey(basePub, commitPoint) // The revocation public key derived from the original public key, and // the one derived from the private key should be identical. revocationPriv := DeriveRevocationPrivKey(basePriv, commitSecret) if !revocationPub.IsEqual(revocationPriv.PubKey()) { t.Fatalf("derived public keys don't match!") } } // TestTweakKeyDerivation tests that given a public key, and commitment tweak, // then we're able to properly derive a tweaked private key that corresponds to // the computed tweak public key. This scenario ensure that our key derivation // for any of the non revocation keys on the commitment transaction is correct. func TestTweakKeyDerivation(t *testing.T) { t.Parallel() // First, we'll generate a base public key that we'll be "tweaking". baseSecret := testHdSeed.CloneBytes() basePriv, basePub := btcec.PrivKeyFromBytes(btcec.S256(), baseSecret) // With the base key create, we'll now create a commitment point, and // from that derive the bytes we'll used to tweak the base public key. commitPoint := ComputeCommitmentPoint(bobsPrivKey) commitTweak := SingleTweakBytes(commitPoint, basePub) // Next, we'll modify the public key. When we apply the same operation // to the private key we should get a key that matches. tweakedPub := TweakPubKey(basePub, commitPoint) // Finally, attempt to re-generate the private key that matches the // tweaked public key. The derived key should match exactly. derivedPriv := TweakPrivKey(basePriv, commitTweak) if !derivedPriv.PubKey().IsEqual(tweakedPub) { t.Fatalf("pub keys don't match") } } // makeWitnessTestCase is a helper function used within test cases involving // the validity of a crafted witness. This function is a wrapper function which // allows constructing table-driven tests. In the case of an error while // constructing the witness, the test fails fatally. func makeWitnessTestCase(t *testing.T, f func() (wire.TxWitness, error)) func() wire.TxWitness { return func() wire.TxWitness { witness, err := f() if err != nil { t.Fatalf("unable to create witness test case: %v", err) } return witness } } // TestHTLCSenderSpendValidation tests all possible valid+invalid redemption // paths in the script used within the sender's commitment transaction for an // outgoing HTLC. // // The following cases are exercised by this test: // sender script: // * receiver spends // * revoke w/ sig // * HTLC with invalid preimage size // * HTLC with valid preimage size + sig // * sender spends // * invalid lock-time for CLTV // * invalid sequence for CSV // * valid lock-time+sequence, valid sig func TestHTLCSenderSpendValidation(t *testing.T) { t.Parallel() // We generate a fake output, and the corresponding txin. This output // doesn't need to exist, as we'll only be validating spending from the // transaction that references this. txid, err := chainhash.NewHash(testHdSeed.CloneBytes()) if err != nil { t.Fatalf("unable to create txid: %v", err) } fundingOut := &wire.OutPoint{ Hash: *txid, Index: 50, } fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil) // Next we'll the commitment secret for our commitment tx and also the // revocation key that we'll use as well. revokePreimage := testHdSeed.CloneBytes() commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(), revokePreimage) // Generate a payment preimage to be used below. paymentPreimage := revokePreimage paymentPreimage[0] ^= 1 paymentHash := sha256.Sum256(paymentPreimage[:]) // We'll also need some tests keys for alice and bob, and metadata of // the HTLC output. aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), testWalletPrivKey) bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), bobsPrivKey) paymentAmt := btcutil.Amount(1 * 10e8) aliceLocalKey := TweakPubKey(aliceKeyPub, commitPoint) bobLocalKey := TweakPubKey(bobKeyPub, commitPoint) // As we'll be modeling spends from Alice's commitment transaction, // we'll be using Bob's base point for the revocation key. revocationKey := DeriveRevocationPubkey(bobKeyPub, commitPoint) // Generate the raw HTLC redemption scripts, and its p2wsh counterpart. htlcWitnessScript, err := senderHTLCScript(aliceLocalKey, bobLocalKey, revocationKey, paymentHash[:]) if err != nil { t.Fatalf("unable to create htlc sender script: %v", err) } htlcPkScript, err := WitnessScriptHash(htlcWitnessScript) if err != nil { t.Fatalf("unable to create p2wsh htlc script: %v", err) } // This will be Alice's commitment transaction. In this scenario Alice // is sending an HTLC to a node she has a path to (could be Bob, could // be multiple hops down, it doesn't really matter). htlcOutput := &wire.TxOut{ Value: int64(paymentAmt), PkScript: htlcPkScript, } senderCommitTx := wire.NewMsgTx(2) senderCommitTx.AddTxIn(fakeFundingTxIn) senderCommitTx.AddTxOut(htlcOutput) prevOut := &wire.OutPoint{ Hash: senderCommitTx.TxHash(), Index: 0, } sweepTx := wire.NewMsgTx(2) sweepTx.AddTxIn(wire.NewTxIn(prevOut, nil, nil)) sweepTx.AddTxOut( &wire.TxOut{ PkScript: []byte("doesn't matter"), Value: 1 * 10e8, }, ) sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx) bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub) aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub) // Finally, we'll create mock signers for both of them based on their // private keys. This test simplifies a bit and uses the same key as // the base point for all scripts and derivations. bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}} aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}} // We'll also generate a signature on the sweep transaction above // that will act as Bob's signature to Alice for the second level HTLC // transaction. bobSignDesc := SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } bobRecvrSig, err := bobSigner.SignOutputRaw(sweepTx, &bobSignDesc) if err != nil { t.Fatalf("unable to generate alice signature: %v", err) } testCases := []struct { witness func() wire.TxWitness valid bool }{ { // revoke w/ sig // TODO(roasbeef): test invalid revoke makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, DoubleTweak: commitSecret, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return senderHtlcSpendRevoke(bobSigner, signDesc, revocationKey, sweepTx) }), true, }, { // HTLC with invalid preimage size makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return SenderHtlcSpendRedeem(bobSigner, signDesc, sweepTx, // Invalid preimage length bytes.Repeat([]byte{1}, 45)) }), false, }, { // HTLC with valid preimage size + sig // TODO(roasbeef): invalid preimage makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return SenderHtlcSpendRedeem(bobSigner, signDesc, sweepTx, paymentPreimage) }), true, }, { // valid spend to the transition the state of the HTLC // output with the second level HTLC timeout // transaction. makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, SingleTweak: aliceCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return senderHtlcSpendTimeout(bobRecvrSig, aliceSigner, signDesc, sweepTx) }), true, }, } // TODO(roasbeef): set of cases to ensure able to sign w/ keypath and // not for i, testCase := range testCases { sweepTx.TxIn[0].Witness = testCase.witness() vm, err := txscript.NewEngine(htlcPkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(paymentAmt)) if err != nil { t.Fatalf("unable to create engine: %v", err) } // This buffer will trace execution of the Script, only dumping // out to stdout in the case that a test fails. var debugBuf bytes.Buffer done := false for !done { dis, err := vm.DisasmPC() if err != nil { t.Fatalf("stepping (%v)\n", err) } debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis)) done, err = vm.Step() if err != nil && testCase.valid { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v failed, spend "+ "should be valid: %v", i, err) } else if err == nil && !testCase.valid && done { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v succeed, spend "+ "should be invalid: %v", i, err) } debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack())) debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack())) } } } // TestHTLCReceiverSpendValidation tests all possible valid+invalid redemption // paths in the script used within the receiver's commitment transaction for an // incoming HTLC. // // The following cases are exercised by this test: // * receiver spends // * HTLC redemption w/ invalid preimage size // * HTLC redemption w/ invalid sequence // * HTLC redemption w/ valid preimage size // * sender spends // * revoke w/ sig // * refund w/ invalid lock time // * refund w/ valid lock time func TestHTLCReceiverSpendValidation(t *testing.T) { t.Parallel() // We generate a fake output, and the corresponding txin. This output // doesn't need to exist, as we'll only be validating spending from the // transaction that references this. txid, err := chainhash.NewHash(testHdSeed.CloneBytes()) if err != nil { t.Fatalf("unable to create txid: %v", err) } fundingOut := &wire.OutPoint{ Hash: *txid, Index: 50, } fakeFundingTxIn := wire.NewTxIn(fundingOut, nil, nil) // Next we'll the commitment secret for our commitment tx and also the // revocation key that we'll use as well. revokePreimage := testHdSeed.CloneBytes() commitSecret, commitPoint := btcec.PrivKeyFromBytes(btcec.S256(), revokePreimage) // Generate a payment preimage to be used below. paymentPreimage := revokePreimage paymentPreimage[0] ^= 1 paymentHash := sha256.Sum256(paymentPreimage[:]) // We'll also need some tests keys for alice and bob, and metadata of // the HTLC output. aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), testWalletPrivKey) bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), bobsPrivKey) paymentAmt := btcutil.Amount(1 * 10e8) cltvTimeout := uint32(8) aliceLocalKey := TweakPubKey(aliceKeyPub, commitPoint) bobLocalKey := TweakPubKey(bobKeyPub, commitPoint) // As we'll be modeling spends from Bob's commitment transaction, we'll // be using Alice's base point for the revocation key. revocationKey := DeriveRevocationPubkey(aliceKeyPub, commitPoint) // Generate the raw HTLC redemption scripts, and its p2wsh counterpart. htlcWitnessScript, err := receiverHTLCScript(cltvTimeout, aliceLocalKey, bobLocalKey, revocationKey, paymentHash[:]) if err != nil { t.Fatalf("unable to create htlc sender script: %v", err) } htlcPkScript, err := WitnessScriptHash(htlcWitnessScript) if err != nil { t.Fatalf("unable to create p2wsh htlc script: %v", err) } // This will be Bob's commitment transaction. In this scenario Alice is // sending an HTLC to a node she has a path to (could be Bob, could be // multiple hops down, it doesn't really matter). htlcOutput := &wire.TxOut{ Value: int64(paymentAmt), PkScript: htlcWitnessScript, } receiverCommitTx := wire.NewMsgTx(2) receiverCommitTx.AddTxIn(fakeFundingTxIn) receiverCommitTx.AddTxOut(htlcOutput) prevOut := &wire.OutPoint{ Hash: receiverCommitTx.TxHash(), Index: 0, } sweepTx := wire.NewMsgTx(2) sweepTx.AddTxIn(&wire.TxIn{ PreviousOutPoint: *prevOut, }) sweepTx.AddTxOut( &wire.TxOut{ PkScript: []byte("doesn't matter"), Value: 1 * 10e8, }, ) sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx) bobCommitTweak := SingleTweakBytes(commitPoint, bobKeyPub) aliceCommitTweak := SingleTweakBytes(commitPoint, aliceKeyPub) // Finally, we'll create mock signers for both of them based on their // private keys. This test simplifies a bit and uses the same key as // the base point for all scripts and derivations. bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}} aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}} // We'll also generate a signature on the sweep transaction above // that will act as Alice's signature to Bob for the second level HTLC // transaction. aliceSignDesc := SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, SingleTweak: aliceCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } aliceSenderSig, err := aliceSigner.SignOutputRaw(sweepTx, &aliceSignDesc) if err != nil { t.Fatalf("unable to generate alice signature: %v", err) } // TODO(roasbeef): modify valid to check precise script errors? testCases := []struct { witness func() wire.TxWitness valid bool }{ { // HTLC redemption w/ invalid preimage size makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return receiverHtlcSpendRedeem(aliceSenderSig, bytes.Repeat([]byte{1}, 45), bobSigner, signDesc, sweepTx) }), false, }, { // HTLC redemption w/ valid preimage size makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: bobCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return receiverHtlcSpendRedeem(aliceSenderSig, paymentPreimage[:], bobSigner, signDesc, sweepTx) }), true, }, { // revoke w/ sig makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, DoubleTweak: commitSecret, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return receiverHtlcSpendRevoke(aliceSigner, signDesc, revocationKey, sweepTx) }), true, }, { // refund w/ invalid lock time makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, SingleTweak: aliceCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return receiverHtlcSpendTimeout(aliceSigner, signDesc, sweepTx, int32(cltvTimeout-2)) }), false, }, { // refund w/ valid lock time makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, SingleTweak: aliceCommitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return receiverHtlcSpendTimeout(aliceSigner, signDesc, sweepTx, int32(cltvTimeout)) }), true, }, } for i, testCase := range testCases { sweepTx.TxIn[0].Witness = testCase.witness() vm, err := txscript.NewEngine(htlcPkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(paymentAmt)) if err != nil { t.Fatalf("unable to create engine: %v", err) } // This buffer will trace execution of the Script, only dumping // out to stdout in the case that a test fails. var debugBuf bytes.Buffer done := false for !done { dis, err := vm.DisasmPC() if err != nil { t.Fatalf("stepping (%v)\n", err) } debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis)) done, err = vm.Step() if err != nil && testCase.valid { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v failed, spend should be valid: %v", i, err) } else if err == nil && !testCase.valid && done { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v succeed, spend should be invalid: %v", i, err) } debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack())) debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack())) } } } // TestSecondLevelHtlcSpends tests all the possible redemption clauses from the // HTLC success and timeout covenant transactions. func TestSecondLevelHtlcSpends(t *testing.T) { t.Parallel() // We'll start be creating a creating a 2BTC HTLC. const htlcAmt = btcutil.Amount(2 * 10e8) // In all of our scenarios, the CSV timeout to claim a self output will // be 5 blocks. const claimDelay = 5 // First we'll set up some initial key state for Alice and Bob that // will be used in the scripts we created below. aliceKeyPriv, aliceKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), testWalletPrivKey) bobKeyPriv, bobKeyPub := btcec.PrivKeyFromBytes(btcec.S256(), bobsPrivKey) revokePreimage := testHdSeed.CloneBytes() commitSecret, commitPoint := btcec.PrivKeyFromBytes( btcec.S256(), revokePreimage) // As we're modeling this as Bob sweeping the HTLC on-chain from his // commitment transaction after a period of time, we'll be using a // revocation key derived from Alice's base point and his secret. revocationKey := DeriveRevocationPubkey(aliceKeyPub, commitPoint) // Next, craft a fake HTLC outpoint that we'll use to generate the // sweeping transaction using. txid, err := chainhash.NewHash(testHdSeed.CloneBytes()) if err != nil { t.Fatalf("unable to create txid: %v", err) } htlcOutPoint := &wire.OutPoint{ Hash: *txid, Index: 0, } sweepTx := wire.NewMsgTx(2) sweepTx.AddTxIn(wire.NewTxIn(htlcOutPoint, nil, nil)) sweepTx.AddTxOut( &wire.TxOut{ PkScript: []byte("doesn't matter"), Value: 1 * 10e8, }, ) sweepTxSigHashes := txscript.NewTxSigHashes(sweepTx) // The delay key will be crafted using Bob's public key as the output // we created will be spending from Alice's commitment transaction. delayKey := TweakPubKey(bobKeyPub, commitPoint) // The commit tweak will be required in order for Bob to derive the // proper key need to spend the output. commitTweak := SingleTweakBytes(commitPoint, bobKeyPub) // Finally we'll generate the HTLC script itself that we'll be spending // from. The revocation clause can be claimed by Alice, while Bob can // sweep the output after a particular delay. htlcWitnessScript, err := secondLevelHtlcScript(revocationKey, delayKey, claimDelay) if err != nil { t.Fatalf("unable to create htlc script: %v", err) } htlcPkScript, err := WitnessScriptHash(htlcWitnessScript) if err != nil { t.Fatalf("unable to create htlc output: %v", err) } htlcOutput := &wire.TxOut{ PkScript: htlcPkScript, Value: int64(htlcAmt), } // TODO(roasbeef): make actually use timeout/success txns? // Finally, we'll create mock signers for both of them based on their // private keys. This test simplifies a bit and uses the same key as // the base point for all scripts and derivations. bobSigner := &mockSigner{privkeys: []*btcec.PrivateKey{bobKeyPriv}} aliceSigner := &mockSigner{privkeys: []*btcec.PrivateKey{aliceKeyPriv}} testCases := []struct { witness func() wire.TxWitness valid bool }{ { // Sender of the HTLC attempts to activate the // revocation clause, but uses the wrong key (fails to // use the double tweak in this case). makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return htlcSpendRevoke(aliceSigner, signDesc, sweepTx) }), false, }, { // Sender of HTLC activates the revocation clause. makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: aliceKeyPub, }, DoubleTweak: commitSecret, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return htlcSpendRevoke(aliceSigner, signDesc, sweepTx) }), true, }, { // Receiver of the HTLC attempts to sweep, but tries to // do so pre-maturely with a smaller CSV delay (2 // blocks instead of 5 blocks). makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: commitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return htlcSpendSuccess(bobSigner, signDesc, sweepTx, claimDelay-3) }), false, }, { // Receiver of the HTLC sweeps with the proper CSV // delay, but uses the wrong key (leaves off the single // tweak). makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return htlcSpendSuccess(bobSigner, signDesc, sweepTx, claimDelay) }), false, }, { // Receiver of the HTLC sweeps with the proper CSV // delay, and the correct key. makeWitnessTestCase(t, func() (wire.TxWitness, error) { signDesc := &SignDescriptor{ KeyDesc: keychain.KeyDescriptor{ PubKey: bobKeyPub, }, SingleTweak: commitTweak, WitnessScript: htlcWitnessScript, Output: htlcOutput, HashType: txscript.SigHashAll, SigHashes: sweepTxSigHashes, InputIndex: 0, } return htlcSpendSuccess(bobSigner, signDesc, sweepTx, claimDelay) }), true, }, } for i, testCase := range testCases { sweepTx.TxIn[0].Witness = testCase.witness() vm, err := txscript.NewEngine(htlcPkScript, sweepTx, 0, txscript.StandardVerifyFlags, nil, nil, int64(htlcAmt)) if err != nil { t.Fatalf("unable to create engine: %v", err) } // This buffer will trace execution of the Script, only dumping // out to stdout in the case that a test fails. var debugBuf bytes.Buffer done := false for !done { dis, err := vm.DisasmPC() if err != nil { t.Fatalf("stepping (%v)\n", err) } debugBuf.WriteString(fmt.Sprintf("stepping %v\n", dis)) done, err = vm.Step() if err != nil && testCase.valid { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v failed, spend "+ "should be valid: %v", i, err) } else if err == nil && !testCase.valid && done { fmt.Println(debugBuf.String()) t.Fatalf("spend test case #%v succeed, spend "+ "should be invalid: %v", i, err) } debugBuf.WriteString(fmt.Sprintf("Stack: %v", vm.GetStack())) debugBuf.WriteString(fmt.Sprintf("AltStack: %v", vm.GetAltStack())) } } } func TestCommitTxStateHint(t *testing.T) { t.Parallel() stateHintTests := []struct { name string from uint64 to uint64 inputs int shouldFail bool }{ { name: "states 0 to 1000", from: 0, to: 1000, inputs: 1, shouldFail: false, }, { name: "states 'maxStateHint-1000' to 'maxStateHint'", from: maxStateHint - 1000, to: maxStateHint, inputs: 1, shouldFail: false, }, { name: "state 'maxStateHint+1'", from: maxStateHint + 1, to: maxStateHint + 10, inputs: 1, shouldFail: true, }, { name: "commit transaction with two inputs", inputs: 2, shouldFail: true, }, } var obfuscator [StateHintSize]byte copy(obfuscator[:], testHdSeed[:StateHintSize]) timeYesterday := uint32(time.Now().Unix() - 24*60*60) for _, test := range stateHintTests { commitTx := wire.NewMsgTx(2) // Add supplied number of inputs to the commitment transaction. for i := 0; i < test.inputs; i++ { commitTx.AddTxIn(&wire.TxIn{}) } for i := test.from; i <= test.to; i++ { stateNum := uint64(i) err := SetStateNumHint(commitTx, stateNum, obfuscator) if err != nil && !test.shouldFail { t.Fatalf("unable to set state num %v: %v", i, err) } else if err == nil && test.shouldFail { t.Fatalf("Failed(%v): test should fail but did not", test.name) } locktime := commitTx.LockTime sequence := commitTx.TxIn[0].Sequence // Locktime should not be less than 500,000,000 and not larger // than the time 24 hours ago. One day should provide a good // enough buffer for the tests. if locktime < 5e8 || locktime > timeYesterday { if !test.shouldFail { t.Fatalf("The value of locktime (%v) may cause the commitment "+ "transaction to be unspendable", locktime) } } if sequence&wire.SequenceLockTimeDisabled == 0 { if !test.shouldFail { t.Fatalf("Sequence locktime is NOT disabled when it should be") } } extractedStateNum := GetStateNumHint(commitTx, obfuscator) if extractedStateNum != stateNum && !test.shouldFail { t.Fatalf("state number mismatched, expected %v, got %v", stateNum, extractedStateNum) } else if extractedStateNum == stateNum && test.shouldFail { t.Fatalf("Failed(%v): test should fail but did not", test.name) } } t.Logf("Passed: %v", test.name) } } // TestSpecificationKeyDerivation implements the test vectors provided in // BOLT-03, Appendix E. func TestSpecificationKeyDerivation(t *testing.T) { const ( baseSecretHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" perCommitmentSecretHex = "1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100" basePointHex = "036d6caac248af96f6afa7f904f550253a0f3ef3f5aa2fe6838a95b216691468e2" perCommitmentPointHex = "025f7117a78150fe2ef97db7cfc83bd57b2e2c0d0dd25eaf467a4a1c2a45ce1486" ) baseSecret, err := privkeyFromHex(baseSecretHex) if err != nil { t.Fatalf("Failed to parse serialized privkey: %v", err) } perCommitmentSecret, err := privkeyFromHex(perCommitmentSecretHex) if err != nil { t.Fatalf("Failed to parse serialized privkey: %v", err) } basePoint, err := pubkeyFromHex(basePointHex) if err != nil { t.Fatalf("Failed to parse serialized pubkey: %v", err) } perCommitmentPoint, err := pubkeyFromHex(perCommitmentPointHex) if err != nil { t.Fatalf("Failed to parse serialized pubkey: %v", err) } // name: derivation of key from basepoint and per_commitment_point const expectedLocalKeyHex = "0235f2dbfaa89b57ec7b055afe29849ef7ddfeb1cefdb9ebdc43f5494984db29e5" actualLocalKey := TweakPubKey(basePoint, perCommitmentPoint) actualLocalKeyHex := pubkeyToHex(actualLocalKey) if actualLocalKeyHex != expectedLocalKeyHex { t.Errorf("Incorrect derivation of local public key: "+ "expected %v, got %v", expectedLocalKeyHex, actualLocalKeyHex) } // name: derivation of secret key from basepoint secret and per_commitment_secret const expectedLocalPrivKeyHex = "cbced912d3b21bf196a766651e436aff192362621ce317704ea2f75d87e7be0f" tweak := SingleTweakBytes(perCommitmentPoint, basePoint) actualLocalPrivKey := TweakPrivKey(baseSecret, tweak) actualLocalPrivKeyHex := privkeyToHex(actualLocalPrivKey) if actualLocalPrivKeyHex != expectedLocalPrivKeyHex { t.Errorf("Incorrect derivation of local private key: "+ "expected %v, got %v, %v", expectedLocalPrivKeyHex, actualLocalPrivKeyHex, hex.EncodeToString(tweak)) } // name: derivation of revocation key from basepoint and per_commitment_point const expectedRevocationKeyHex = "02916e326636d19c33f13e8c0c3a03dd157f332f3e99c317c141dd865eb01f8ff0" actualRevocationKey := DeriveRevocationPubkey(basePoint, perCommitmentPoint) actualRevocationKeyHex := pubkeyToHex(actualRevocationKey) if actualRevocationKeyHex != expectedRevocationKeyHex { t.Errorf("Incorrect derivation of revocation public key: "+ "expected %v, got %v", expectedRevocationKeyHex, actualRevocationKeyHex) } // name: derivation of revocation secret from basepoint_secret and per_commitment_secret const expectedRevocationPrivKeyHex = "d09ffff62ddb2297ab000cc85bcb4283fdeb6aa052affbc9dddcf33b61078110" actualRevocationPrivKey := DeriveRevocationPrivKey(baseSecret, perCommitmentSecret) actualRevocationPrivKeyHex := privkeyToHex(actualRevocationPrivKey) if actualRevocationPrivKeyHex != expectedRevocationPrivKeyHex { t.Errorf("Incorrect derivation of revocation private key: "+ "expected %v, got %v", expectedRevocationPrivKeyHex, actualRevocationPrivKeyHex) } }