Split KeysInterface into EntropySource, NodeSigner, and SignerProvider #1910
Conversation
|
Needs rebase, sorry about that. |
| /// | ||
| /// This method should return a different value each time it is called, to avoid linking | ||
| /// on-chain funds across channels as controlled to the same user. | ||
| fn get_destination_script(&self) -> Script; |
There was a problem hiding this comment.
Also, ISTM that get_destination_script and get_shutdown_script should be merged (we have an old issue for this, maybe a PR too?) and maybe placed in the Signer instead - its value should really be channel-specific.
There was a problem hiding this comment.
Are you thinking to push this off to a later PR?
There was a problem hiding this comment.
Yeah, the merging of these two should be in a separate PR imo
There was a problem hiding this comment.
Actually, maybe lets not move these into Sign when we merge them. That way someone using an external wallet for static payouts doesn't need to touch InMemorySigner.
There was a problem hiding this comment.
hm, interesting point. Thankfully outside the scope of this PR, but do you think that's sufficient reason? These values really are rather channel-specific.
In a more object-oriented world, the signers could in principle retain a reference to their SignerProvider, and by default take the value from there if they don't override the implementation, but I don't think that's a path we wanna go down.
|
Agree with your comments, Matt, just trying not to break too much at once. |
Codecov ReportBase: 90.73% // Head: 91.44% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #1910 +/- ##
==========================================
+ Coverage 90.73% 91.44% +0.71%
==========================================
Files 94 95 +1
Lines 49603 53483 +3880
Branches 49603 53483 +3880
==========================================
+ Hits 45006 48908 +3902
+ Misses 4597 4575 -22
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
from
01cecb7
to
7b70d4b
Compare
TheBlueMatt
added
the
blocked on next release
|
Think this should wait for 114, given it, by itself, leaves the code in a kinda intermediate state. |
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
2 times, most recently
from
f07dbf9
to
06af918
Compare
arik-so
changed the title
There was a problem hiding this comment.
Last unresolved link to fix:
error: unresolved link to `KeysInterface::derive_channel_signer`
--> lightning/src/ln/channel.rs:743:8
|
743 | /// [`KeysInterface::derive_channel_signer`].
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `KeysInterface` has no associated item named `derive_channel_signer`
| // We need to override the invoice signing implementation for phantom keys managers | ||
| fn sign_invoice<C: Signing>(&self, hrp_bytes: &[u8], invoice_data: &[u5], recipient: Recipient, _secp_context: &Secp256k1<C>) -> Result<RecoverableSignature, ()> { | ||
| let preimage = construct_invoice_preimage(&hrp_bytes, &invoice_data); | ||
| let secret = self.get_node_secret(recipient)?; |
There was a problem hiding this comment.
Wouldn't we want to return an error if Recipient::Node is provided so that we don't accidentally sign with the node secret? I know we currently can't because the PhantomKeysManager owns KeysManager, but perhaps we could if we took a reference?
There was a problem hiding this comment.
I think it will be part of your get_node_secret removal PR :)
lightning/src/ln/channelmanager.rs
Outdated
| T::Target: BroadcasterInterface, | ||
| K::Target: KeysInterface, | ||
| K::Target: KeysInterface + NodeSigner, |
There was a problem hiding this comment.
Do we still need the explicit NodeSigner constraint after keeping the methods with default implementations on the traits and not on impl blocks?
There was a problem hiding this comment.
Unfortunately, we do.
There was a problem hiding this comment.
Sorry. When I responded, we still had the default implementation in the trait.
There was a problem hiding this comment.
That's why I said "anymore" :)
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
2 times, most recently
from
37535c1
to
7536509
Compare
arik-so
removed
the
blocked on next release
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
from
7536509
to
8527d4b
Compare
lightning/src/chain/keysinterface.rs
Outdated
| fn ecdh(&self, recipient: Recipient, other_key: &PublicKey, tweak: Option<&Scalar>) -> Result<SharedSecret, ()>; | ||
| /// Get a script pubkey which we send funds to when claiming on-chain contestable outputs. | ||
| fn ecdh(&self, recipient: Recipient, other_key: &PublicKey, tweak: Option<&Scalar>) -> Result<SharedSecret, ()> { | ||
| let mut node_secret = self.get_node_secret(recipient)?; |
There was a problem hiding this comment.
I don't think we should add a default implementation here - (a) we want to remove get_node_secret, not rely on it more, (b) it makes this single commit less move-only, which I'd really prefer to keep it as move-only as possible.
There was a problem hiding this comment.
Yeah, I see your point. When writing this PR, the idea was to just keep the same functions, but move them around, and for that situation, a reimplementation of the same code seemed redundant. I can add back the non-default implementations, or just leave it for @wpaulino's follow-up PR that's removing node_secret. Same with ecdh and sign_invoice.
There was a problem hiding this comment.
Not moving then is less diff :)
lightning/src/chain/keysinterface.rs
Outdated
| /// on-chain funds across channels as controlled to the same user. | ||
| fn get_shutdown_scriptpubkey(&self) -> ShutdownScript; | ||
| /// Errors if the [`Recipient`] variant is not supported by the implementation. | ||
| fn sign_invoice<C: Signing>(&self, hrp_bytes: &[u8], invoice_data: &[u5], recipient: Recipient, secp_context: &Secp256k1<C>) -> Result<RecoverableSignature, ()> { |
lightning/src/chain/keysinterface.rs
Outdated
| @@ -954,7 +984,6 @@ impl ReadableArgs<SecretKey> for InMemorySigner { | |||
| pub struct KeysManager { | |||
| secp_ctx: Secp256k1<secp256k1::All>, | |||
| node_secret: SecretKey, | |||
| node_id: PublicKey, | |||
There was a problem hiding this comment.
Why are you removing the caching here?
There was a problem hiding this comment.
Because it was throwing a notice saying it wasn't used.
There was a problem hiding this comment.
Right, when you drop the default methods you'll want to keep the caching here. Even more reason to not do the default methods :)
|
Once we land this, we'll definitely want to land the followup(s) required to at least split the traits into different objects in the same release. It'd be nice to get the followup PRs open sooner rather than later, though we can land this without. |
|
Soo… once I undo the part of the PR where I remove the overrides, is this PR otherwise ready? |
|
I'm happy with it, yes. As long as we move quickly to splitting the interfaces up fully. |
|
Please dont change something in one commit and then revert it in the next. |
|
Huh, what do you mean? Isn't the idea to squash all of these commits into one at the end? |
|
No - we dont squash + merge, we've always used merge commits. |
|
Right, but before we do that, I was planning to squash these commits myself. |
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
from
953127a
to
7d8b0aa
Compare
|
Please go ahead and squash so we can ACK it :) |
|
I will once the tests complete so it's easier to compare and go back. Will do once they're all green. |
|
Ok, enough tests have passed to to squash it now, I think |
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
from
7d8b0aa
to
aa24b99
Compare
lightning-invoice/src/utils.rs
Outdated
| @@ -17,7 +17,7 @@ use lightning::ln::inbound_payment::{create, create_from_hash, ExpandedKey}; | |||
| use lightning::routing::gossip::RoutingFees; | |||
| use lightning::routing::router::{InFlightHtlcs, Route, RouteHint, RouteHintHop}; | |||
| use lightning::util::logger::Logger; | |||
| use secp256k1::PublicKey; | |||
| use secp256k1::{PublicKey}; | |||
There was a problem hiding this comment.
Please keep diffs minimal.
lightning-invoice/src/utils.rs
Outdated
| @@ -54,7 +54,7 @@ use core::time::Duration; | |||
| pub fn create_phantom_invoice<K: Deref, L: Deref>( | |||
| amt_msat: Option<u64>, payment_hash: Option<PaymentHash>, description: String, | |||
| invoice_expiry_delta_secs: u32, phantom_route_hints: Vec<PhantomRouteHints>, keys_manager: K, | |||
| logger: L, network: Currency, | |||
| logger: L, network: Currency | |||
There was a problem hiding this comment.
same here (and on many lines below)
lightning-invoice/src/utils.rs
Outdated
| T::Target: BroadcasterInterface, | ||
| K::Target: KeysInterface, | ||
| F::Target: FeeEstimator, | ||
| L::Target: Logger, | ||
| L::Target: Logger |
There was a problem hiding this comment.
incl here and below in tests.
lightning/src/ln/channelmanager.rs
Outdated
| T::Target: BroadcasterInterface, | ||
| K::Target: KeysInterface, | ||
| K::Target: KeysInterface + NodeSigner, |
|
In the future, this kind of PR would probably be a chunk easier to review if it were separate commits - adding separate commits for the new traits would give a reviewer fewer things to look at in more digestible chunks. |
arik-so
force-pushed
the
2022-12-keys-interface-name-split
branch
from
aa24b99
to
9d7bb73
Compare
| /// By parameterizing by the raw invoice bytes instead of the hash, we allow implementors of | ||
| /// this trait to parse the invoice and make sure they're signing what they expect, rather than | ||
| /// blindly signing the hash. | ||
| /// The hrp is ascii bytes, while the invoice data is base32. |
There was a problem hiding this comment.
Why did you decapitalize ASCII (and remove ticks on hrp, which maybe should read hrp_bytes instead)?
|
|
||
| #[cfg(feature = "std")] | ||
| use std::time::{SystemTime, UNIX_EPOCH}; | ||
| use bitcoin::secp256k1::ecdh::SharedSecret; |
There was a problem hiding this comment.
Why did this get moved away from the other secp entries?
|
FYI if there's gonna be a follow-up, it looks like some |
|
I'm pretty sure some of them are false positives that depend on the configuration flag, because removing the unuseds causes things to break. I will try to narrow down the config flags for those imports in the follow-up though. And yes, there will be at least two follow-ups to this PR. |
Context for reviewers:
The idea behind this PR is splitting KeysInterface into the three independent tasks and traits it actually comprises. The core changes of this PR are basically lightning::src::chain::keysinterface.rs:429-561.
While updating the trait implementers (KeyProvider [fuzz::chanmon_consistency, fuzz::full_stack, fuzz::onion_messages], Keys [channel::tests], KeysManager, PhantomKeysManager, OnlyReadsKeysInterface [util::test_utils], TestKeysInterface [util::test_utils]), we noticed that they all pretty much had the same implementation for
get_node_id(),ecdh(), andsign_invoice(), with the sole exceptions of the PhantomKeysManager and TestKeysInterface.So rather than requiring each type duplicate the same code, we put the implementation on the trait itself (
NodeSigner), which, forsign_invoice(), required the addition of a secp context parameter.All the other changes in this PR are simply a reflection of the new method location (docs) and the new method signature (mostly the invoice crate, which was using
sign_invoiceextensively, as well as a couple tests).