multi: add revocation AuxSig signing and verification

When revoking a commitment via RevokeAndAck, sign both spending paths
(success and timeout) for each in-flight HTLC's second-level virtual
transaction. The signatures are packed into an HTLC-index-tagged blob
that the receiver can match to HTLCs unambiguously, regardless of
ordering differences between local and remote commitment views.

On the receiving side, verify all signatures against the breach-time
key ring before accepting the revocation. Store both primary and
alternate path signatures in the revocation log so the honest party
can reconstruct valid proofs for whichever spending path the
breaching party used on-chain.

Both signing and verification are gated by IsDeterministicHTLCs
(formerly IsSigHashDefault), ensuring backward compatibility with
peers that have not negotiated the feature.

Key changes:
- Add signLocalHtlcAuxSigs to produce dual-path AuxSigs per HTLC
- Add verifyRevocationAuxSigs to validate sigs at ReceiveRevocation
- Add injectRevocationAuxSigs to store sigs in the revocation log
- Add HTLC-index-tagged pack/unpack format for revocation sig blobs
- Add AuxSigAlt field to AuxSigDesc for alternate spending path
- Add IncomingHTLCLookup to BaseAuxJob for correct aux output lookup
  when Incoming is flipped for alternate spending path generation
- Add WhoseCommit, HtlcTimeout fields to BaseAuxJob
- Add CustomRecords field to RevokeAndAck for carrying aux sig blobs
- Rename IsSigHashDefault to IsDeterministicHTLCs
- Use ResolveHtlcSigHashType instead of hardcoded SigHashAll
- Add ConfirmHeight to AuxNotifyOpts for porter height hints

Author: GeorgeTsagk

contractcourt/breach_arbitrator.go

@@ -845,11 +845,12 @@ func updateBreachInfo(breachInfo *retributionInfo, spends []spend,
 // notifyConfirmedJusticeTx checks if any of the spend details match one of our
 // justice transactions. If a confirmed justice transaction is detected and we
 // haven't already notified about it, we call NotifyBroadcast on the aux sweeper
-// to generate asset-level proofs.
+// to generate aux-level proofs.
 func (b *BreachArbitrator) notifyConfirmedJusticeTx(spends []spend,
 	justiceTxs *justiceTxVariants,
 	historicJusticeTxs map[chainhash.Hash]*justiceTxCtx,
-	notifiedTxs map[chainhash.Hash]bool) {
+	notifiedTxs map[chainhash.Hash]bool,
+	breachedOutputs []breachedOutput) {
 
 	// Check each spend to see if it's from one of our justice txs.
 	for _, s := range spends {
@@ -871,22 +872,29 @@ func (b *BreachArbitrator) notifyConfirmedJusticeTx(spends []spend,
 		}
 
 		var justiceCtx *justiceTxCtx
+		var matchSource string
 		switch {
 		case matchesJusticeTx(justiceTxs.spendAll):
 			justiceCtx = justiceTxs.spendAll
+			matchSource = "spendAll"
 
 		case matchesJusticeTx(justiceTxs.spendCommitOuts):
 			justiceCtx = justiceTxs.spendCommitOuts
+			matchSource = "spendCommitOuts"
 
 		case matchesJusticeTx(justiceTxs.spendHTLCs):
 			justiceCtx = justiceTxs.spendHTLCs
+			matchSource = "spendHTLCs"
 		}
 
 		// Also check the individual second-level sweeps.
 		if justiceCtx == nil {
-			for _, tx := range justiceTxs.spendSecondLevelHTLCs {
+			for i, tx := range justiceTxs.spendSecondLevelHTLCs {
 				if matchesJusticeTx(tx) {
 					justiceCtx = tx
+					matchSource = fmt.Sprintf(
+						"secondLevel[%d]", i,
+					)
 
 					break
 				}
@@ -899,12 +907,70 @@ func (b *BreachArbitrator) notifyConfirmedJusticeTx(spends []spend,
 		// justiceTxs has been replaced with newer variants.
 		if justiceCtx == nil {
 			justiceCtx = historicJusticeTxs[spendingTxHash]
+			if justiceCtx != nil {
+				matchSource = "historic"
+			}
 		}
 
 		// If this is one of our justice txs, notify the aux sweeper.
 		if justiceCtx != nil {
+			brarLog.Infof("[NOTIFY-JUSTICE] matched spend "+
+				"txid=%v to justice tx via %s "+
+				"(numInputs=%d), notifying aux sweeper",
+				spendingTxHash, matchSource,
+				len(justiceCtx.inputs))
+			for i, inp := range justiceCtx.inputs {
+				brarLog.Infof("[NOTIFY-JUSTICE]   "+
+					"input[%d]: outpoint=%v "+
+					"witnessType=%v",
+					i, inp.OutPoint(),
+					inp.WitnessType())
+			}
+		} else {
+			brarLog.Infof("[NOTIFY-JUSTICE] spend txid=%v "+
+				"did NOT match any justice tx",
+				spendingTxHash)
+		}
+		if justiceCtx != nil {
+			// Build a fresh input list by matching the
+			// confirmed tx's BTC inputs against the
+			// current breachedOutputs. This avoids using
+			// stale pointers from historic variants
+			// whose data may have been mutated by
+			// second-level morphing or slice compaction.
+			spendingTx := s.detail.SpendingTx
+			boByOutpoint := make(
+				map[wire.OutPoint]*breachedOutput,
+			)
+			for i := range breachedOutputs {
+				bo := &breachedOutputs[i]
+				boByOutpoint[bo.outpoint] = bo
+			}
+
+			var freshInputs []input.Input
+			hasSecondLevel := false
+			for _, txIn := range spendingTx.TxIn {
+				op := txIn.PreviousOutPoint
+				bo, ok := boByOutpoint[op]
+				if !ok {
+					continue
+				}
+				freshInputs = append(freshInputs, bo)
+
+				wt := bo.WitnessType()
+				//nolint:ll
+				if wt == input.HtlcSecondLevelRevoke || wt == input.TaprootHtlcSecondLevelRevoke {
+					hasSecondLevel = true
+				}
+			}
+
+			brarLog.Infof("[NOTIFY-JUSTICE] built "+
+				"fresh input list: %d inputs "+
+				"(hasSecondLevel=%v)",
+				len(freshInputs), hasSecondLevel)
+
 			bumpReq := sweep.BumpRequest{
-				Inputs:          justiceCtx.inputs,
+				Inputs:          freshInputs,
 				DeliveryAddress: justiceCtx.sweepAddr,
 				ExtraTxOut:      justiceCtx.extraTxOut,
 			}
@@ -913,14 +979,17 @@ func (b *BreachArbitrator) notifyConfirmedJusticeTx(spends []spend,
 				b.cfg.AuxSweeper,
 				func(aux sweep.AuxSweeper) error {
 					// The tx is already confirmed, so
-					// skip broadcast and proof verify
-					// (placeholder witnesses).
+					// skip broadcast. Proof verification
+					// must run to ensure valid anchor
+					// metadata for spending.
+					h := uint32(s.detail.SpendingHeight)
 					return aux.NotifyBroadcast(
 						&bumpReq, s.detail.SpendingTx,
 						justiceCtx.fee, nil,
 						sweep.AuxNotifyOpts{
-							SkipBroadcast:   true,
-							SkipProofVerify: true,
+							SkipBroadcast:     true,
+							ConfirmHeight:     h,
+							LookupInputProofs: hasSecondLevel, //nolint:ll
 						},
 					)
 				},
@@ -1038,15 +1107,13 @@ justiceTxBroadcast:
 	recordJusticeTxVariants(justiceTxs, historicJusticeTxs)
 	finalTx := justiceTxs.spendAll
 
-	brarLog.Debugf("Broadcasting justice tx: %v", lnutils.SpewLogClosure(
-		finalTx))
-
 	// We'll now attempt to broadcast the transaction which finalized the
 	// channel's retribution against the cheating counter party.
 	label := labels.MakeLabel(labels.LabelTypeJusticeTransaction, nil)
 	err = b.cfg.PublishTransaction(finalTx.justiceTx, label)
 	if err != nil {
-		brarLog.Errorf("Unable to broadcast justice tx: %v", err)
+		brarLog.Errorf("Unable to broadcast initial spendAll "+
+			"justice tx: %v", err)
 	}
 
 	// Regardless of publication succeeded or not, we now wait for any of
@@ -1092,12 +1159,14 @@ Loop:
 				spends, justiceTxs,
 				historicJusticeTxs,
 				notifiedJusticeTxs,
+				breachInfo.breachedOutputs,
 			)
 
 			// Update the breach info with the new spends.
 			t, r := updateBreachInfo(
 				breachInfo, spends, b.cfg.AuxResolver,
 			)
+
 			totalFunds += t
 			revokedFunds += r
 
@@ -1175,24 +1244,19 @@ Loop:
 				justiceTxs, historicJusticeTxs,
 			)
 
-			// Re-attempt the spendAll variant first, in
-			// case the breach info was updated since the
-			// initial broadcast. This avoids splitting into
-			// small txs that can't pay fees when a combined
-			// tx would work.
+			// Re-attempt the spendAll variant first.
 			if justiceTxs.spendAll != nil {
+				sa := justiceTxs.spendAll
 				label := labels.MakeLabel(
 					labels.LabelTypeJusticeTransaction,
 					nil,
 				)
 				err = b.cfg.PublishTransaction(
-					justiceTxs.spendAll.justiceTx,
-					label,
+					sa.justiceTx, label,
 				)
 				if err != nil {
-					brarLog.Warnf("Unable to "+
-						"broadcast updated "+
-						"spendAll justice "+
+					brarLog.Warnf("Unable to broadcast "+
+						"rebuild spendAll justice "+
 						"tx: %v", err)
 				}
 			}

contractcourt/breach_arbitrator_test.go

@@ -3039,6 +3039,7 @@ func TestNotifyConfirmedJusticeTx(t *testing.T) {
 			brar.notifyConfirmedJusticeTx(
 				tc.spends, tc.justiceTxs,
 				historicTxs, tc.notifiedTxs,
+				nil,
 			)
 
 			// Verify the number of NotifyBroadcast calls.
@@ -3059,9 +3060,12 @@ func TestNotifyConfirmedJusticeTx(t *testing.T) {
 				require.Equal(t, tc.expectedSkipFlag,
 					call.opts.SkipBroadcast,
 					"SkipBroadcast should be true")
-				require.Equal(t, tc.expectedSkipFlag,
+				// SkipProofVerify is NOT set —
+				// proof verification must run to
+				// ensure valid anchor metadata.
+				require.False(t,
 					call.opts.SkipProofVerify,
-					"SkipProofVerify should be true")
+					"SkipProofVerify should be false")
 			}
 
 			// Verify notifiedTxs map was updated for successful
@@ -3112,7 +3116,7 @@ func TestNotifyConfirmedJusticeTxNoAuxSweeper(t *testing.T) {
 	// aux sweeper to notify.
 	historicTxs := make(map[chainhash.Hash]*justiceTxCtx)
 	brar.notifyConfirmedJusticeTx(
-		spends, justiceTxs, historicTxs, notifiedTxs,
+		spends, justiceTxs, historicTxs, notifiedTxs, nil,
 	)
 
 	// The tx should still be marked as notified even without an aux

input/signdescriptor.go

@@ -11,7 +11,6 @@ import (
 	"github.com/lightningnetwork/lnd/keychain"
 )
 
-
 // SignDescriptor houses the necessary information required to successfully
 // sign a given segwit output. This struct is used by the Signer interface in
 // order to gain access to critical data needed to generate a valid signature.

lnwallet/aux_resolutions.go

@@ -28,11 +28,17 @@ const (
 // AuxSigDesc stores optional information related to 2nd level HTLCs for aux
 // channels.
 type AuxSigDesc struct {
-	// AuxSig is the second-level signature for the HTLC that we are trying
-	// to resolve. This is only present if this is a resolution request for
-	// an HTLC on our commitment transaction.
+	// AuxSig is the second-level signature for the HTLC's primary
+	// spending path (success for incoming, timeout for outgoing).
 	AuxSig []byte
 
+	// AuxSigAlt is the second-level signature for the HTLC's
+	// alternate spending path (timeout for incoming, success for
+	// outgoing). At breach time, the honest party uses the BTC-level
+	// witness to determine which path was used and selects the
+	// matching sig.
+	AuxSigAlt []byte
+
 	// SignDetails is the sign details for the second-level HTLC. This may
 	// be used to generate the second signature needed for broadcast.
 	SignDetails input.SignDetails

lnwallet/aux_signer.go

@@ -194,16 +194,37 @@ type BaseAuxJob struct {
 	HTLC AuxHtlcDescriptor
 
 	// Incoming is a boolean that indicates if the HTLC is incoming or
-	// outgoing.
+	// outgoing from the LOCAL party's perspective. This is used with
+	// WhoseCommit to determine the correct HTLC script variant
+	// (sender vs receiver).
 	Incoming bool
 
+	// IncomingHTLCLookup controls which HTLC aux output list in the
+	// commitment blob the signer uses to find the aux outputs.
+	// When true, the signer looks in IncomingHtlcAssets; when false,
+	// in OutgoingHtlcAssets. This is normally the same as Incoming,
+	// but differs for revocation self-signing where the Incoming
+	// flag is flipped for script generation but the aux output lookup
+	// must still use the original direction.
+	IncomingHTLCLookup bool
+
 	// CommitBlob is the commitment transaction blob that contains the aux
 	// information for this channel.
 	CommitBlob fn.Option[tlv.Blob]
 
 	// HtlcLeaf is the aux tap leaf that corresponds to the HTLC being
 	// signed/verified.
 	HtlcLeaf input.AuxTapLeaf
+
+	// WhoseCommit indicates which party's commitment transaction the
+	// second-level HTLC belongs to.
+	WhoseCommit lntypes.ChannelParty
+
+	// HtlcTimeout, if set, overrides the timeout logic in
+	// generateHtlcSignature and verifyHtlcSignature. When nil,
+	// the timeout is derived from Incoming (the normal CommitSig
+	// convention). When set, it is used directly.
+	HtlcTimeout fn.Option[uint32]
 }
 
 // AuxSigJob is a struct that contains all the information needed to sign an
@@ -224,20 +245,24 @@ type AuxSigJob struct {
 	Cancel <-chan struct{}
 }
 
-// NewAuxSigJob creates a new AuxSigJob.
+// NewAuxSigJob creates a new AuxSigJob. The whoseCommit parameter indicates
+// which party's commitment the HTLC belongs to.
 func NewAuxSigJob(sigJob SignJob, keyRing CommitmentKeyRing, incoming bool,
 	htlc AuxHtlcDescriptor, commitBlob fn.Option[tlv.Blob],
-	htlcLeaf input.AuxTapLeaf, cancelChan <-chan struct{}) AuxSigJob {
+	htlcLeaf input.AuxTapLeaf, whoseCommit lntypes.ChannelParty,
+	cancelChan <-chan struct{}) AuxSigJob {
 
 	return AuxSigJob{
 		SignDesc: sigJob.SignDesc,
 		BaseAuxJob: BaseAuxJob{
-			OutputIndex: sigJob.OutputIndex,
-			KeyRing:     keyRing,
-			HTLC:        htlc,
-			Incoming:    incoming,
-			CommitBlob:  commitBlob,
-			HtlcLeaf:    htlcLeaf,
+			OutputIndex:        sigJob.OutputIndex,
+			KeyRing:            keyRing,
+			HTLC:               htlc,
+			Incoming:           incoming,
+			IncomingHTLCLookup: incoming,
+			CommitBlob:         commitBlob,
+			HtlcLeaf:           htlcLeaf,
+			WhoseCommit:        whoseCommit,
 		},
 		Resp:   make(chan AuxSigJobResp, 1),
 		Cancel: cancelChan,
@@ -353,11 +378,12 @@ func ResolveHtlcSigHashType(chanType channeldb.ChannelType,
 	return sigHash.UnwrapOr(HtlcSigHashType(chanType))
 }
 
-// IsSigHashDefault returns true if the resolved HTLC sighash type for the
-// given channel is SigHashDefault. This is used to determine whether
-// second-level HTLC transactions must carry their own fee (since the sweeper
-// cannot add wallet inputs under SigHashDefault).
-func IsSigHashDefault(chanType channeldb.ChannelType,
+// IsDeterministicHTLCs returns true if the DeterministicHTLCs feature is
+// active for the given channel. When true, second-level HTLC transactions
+// use SigHashDefault (making them fully deterministic), must carry their
+// own fees, and the revoking party includes dual-path AuxSigs in
+// RevokeAndAck for breach proof reconstruction.
+func IsDeterministicHTLCs(chanType channeldb.ChannelType,
 	auxSigner fn.Option[AuxSigner],
 	req HtlcSigHashReq) bool {