diff --git a/lightningd/Makefile b/lightningd/Makefile
index 910839a7c..5af3f9957 100644
--- a/lightningd/Makefile
+++ b/lightningd/Makefile
@@ -36,6 +36,7 @@ LIGHTNINGD_LIB_SRC :=				\
 	lightningd/commit_tx.c			\
 	lightningd/cryptomsg.c			\
 	lightningd/funding_tx.c			\
+	lightningd/htlc_tx.c			\
 	lightningd/key_derive.c
 
 LIGHTNINGD_LIB_OBJS := $(LIGHTNINGD_LIB_SRC:.c=.o)
diff --git a/lightningd/htlc_tx.c b/lightningd/htlc_tx.c
new file mode 100644
index 000000000..2028382c5
--- /dev/null
+++ b/lightningd/htlc_tx.c
@@ -0,0 +1,153 @@
+#include <bitcoin/preimage.h>
+#include <bitcoin/script.h>
+#include <bitcoin/tx.h>
+#include <lightningd/commit_tx.h>
+#include <lightningd/htlc_tx.h>
+
+static struct bitcoin_tx *htlc_tx(const tal_t *ctx,
+				  const struct sha256_double *commit_txid,
+				  unsigned int commit_output_number,
+				  const struct htlc *htlc,
+				  u16 to_self_delay,
+				  const struct pubkey *revocation_pubkey,
+				  const struct pubkey *local_delayedkey,
+				  u64 htlc_fee_satoshi,
+				  u32 locktime)
+{
+	struct bitcoin_tx *tx = bitcoin_tx(ctx, 1, 1);
+	u8 *wscript;
+	u64 amount;
+
+	/* BOLT #3:
+	 *
+	 * ## HTLC-Timeout and HTLC-Success Transactions
+	 *
+	 * These HTLC transactions are almost identical, except the
+	 * HTLC-Timeout transaction is timelocked.  This is also the
+	 * transaction which can be spent by a valid penalty transaction.
+	 */
+
+	/* BOLT #3:
+	 * * version: 2
+	 */
+	assert(tx->version == 2);
+
+	/* BOLT #3:
+	 * * locktime: `0` for HTLC-Success, `htlc-timeout` for HTLC-Timeout.
+	 */
+	tx->lock_time = locktime;
+
+	/* BOLT #3:
+	 * * txin count: 1
+	 *    * `txin[0]` outpoint: `txid` of the commitment transaction and
+	 *      `output_index` of the matching HTLC output for the HTLC
+	 *      transaction.
+	 */
+	tx->input[0].txid = *commit_txid;
+	tx->input[0].index = commit_output_number;
+
+	/* We need amount for signing. */
+	amount = htlc->msatoshi / 1000;
+	tx->input[0].amount = tal_dup(tx, u64, &amount);
+
+	/* BOLT #3:
+	 *    * `txin[0]` sequence: `0`
+	 */
+	tx->input[0].sequence_number = 0;
+
+	/* BOLT #3:
+	 * * txout count: 1
+	 *    * `txout[0]` amount: the HTLC amount minus fees
+	 *       (see [Fee Calculation](#fee-calculation)).
+	 *    * `txout[0]` script: version 0 P2WSH with witness script as shown
+	 *       below.
+	 */
+	tx->output[0].amount = amount - htlc_fee_satoshi;
+	wscript = bitcoin_wscript_htlc_tx(tx, to_self_delay,
+					  revocation_pubkey, local_delayedkey);
+	tx->output[0].script = scriptpubkey_p2wsh(tx, wscript);
+	tal_free(wscript);
+
+	return tx;
+}
+
+struct bitcoin_tx *htlc_success_tx(const tal_t *ctx,
+				   const struct sha256_double *commit_txid,
+				   unsigned int commit_output_number,
+				   const struct htlc *received_htlc,
+				   u16 to_self_delay,
+				   const struct pubkey *revocation_pubkey,
+				   const struct pubkey *local_delayedkey,
+				   u64 feerate_per_kw)
+{
+	/* BOLT #3:
+	 * * locktime: `0` for HTLC-Success, `htlc-timeout` for HTLC-Timeout.
+	 */
+	return htlc_tx(ctx, commit_txid, commit_output_number, received_htlc,
+		       to_self_delay, revocation_pubkey, local_delayedkey,
+		       htlc_success_fee(feerate_per_kw), 0);
+}
+
+/* Fill in the witness for HTLC-success tx produced above. */
+void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success,
+				 const struct abs_locktime *htlc_abstimeout,
+				 const struct pubkey *localkey,
+				 const struct pubkey *remotekey,
+				 const secp256k1_ecdsa_signature *localsig,
+				 const secp256k1_ecdsa_signature *remotesig,
+				 const struct preimage *payment_preimage)
+{
+	struct sha256 hash;
+	u8 *wscript;
+
+	sha256(&hash, payment_preimage, sizeof(*payment_preimage));
+	wscript = bitcoin_wscript_htlc_receive(htlc_success,
+					       htlc_abstimeout,
+					       localkey, remotekey,
+					       &hash);
+
+	htlc_success->input[0].witness
+		= bitcoin_htlc_receive_spend_preimage(htlc_success->input,
+						      localsig, remotesig,
+						      payment_preimage,
+						      wscript);
+	tal_free(wscript);
+}
+
+struct bitcoin_tx *htlc_timeout_tx(const tal_t *ctx,
+				   const struct sha256_double *commit_txid,
+				   unsigned int commit_output_number,
+				   const struct htlc *offered_htlc,
+				   u16 to_self_delay,
+				   const struct pubkey *revocation_pubkey,
+				   const struct pubkey *local_delayedkey,
+				   u64 feerate_per_kw)
+{
+	/* BOLT #3:
+	 * * locktime: `0` for HTLC-Success, `htlc-timeout` for HTLC-Timeout.
+	 */
+	return htlc_tx(ctx, commit_txid, commit_output_number, offered_htlc,
+		       to_self_delay, revocation_pubkey, local_delayedkey,
+		       htlc_success_fee(feerate_per_kw),
+		       offered_htlc->expiry.locktime);
+}
+
+/* Fill in the witness for HTLC-timeout tx produced above. */
+void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout,
+				 const struct pubkey *localkey,
+				 const struct pubkey *remotekey,
+				 const struct sha256 *payment_hash,
+				 const secp256k1_ecdsa_signature *localsig,
+				 const secp256k1_ecdsa_signature *remotesig)
+{
+	u8 *wscript = bitcoin_wscript_htlc_offer(htlc_timeout,
+						 localkey, remotekey,
+						 payment_hash);
+
+	htlc_timeout->input[0].witness
+		= bitcoin_htlc_offer_spend_timeout(htlc_timeout->input,
+						   localsig, remotesig,
+						   wscript);
+	tal_free(wscript);
+}
+
diff --git a/lightningd/htlc_tx.h b/lightningd/htlc_tx.h
new file mode 100644
index 000000000..82b42a2bd
--- /dev/null
+++ b/lightningd/htlc_tx.h
@@ -0,0 +1,49 @@
+#ifndef LIGHTNING_LIGHTNINGD_HTLC_TX_H
+#define LIGHTNING_LIGHTNINGD_HTLC_TX_H
+#include "config.h"
+#include <daemon/htlc.h>
+
+struct preimage;
+struct pubkey;
+struct sha256_double;
+
+/* Create HTLC-success tx to spend a received HTLC commitment tx
+ * output; doesn't fill in input witness. */
+struct bitcoin_tx *htlc_success_tx(const tal_t *ctx,
+				   const struct sha256_double *commit_txid,
+				   unsigned int commit_output_number,
+				   const struct htlc *received_htlc,
+				   u16 to_self_delay,
+				   const struct pubkey *revocation_pubkey,
+				   const struct pubkey *local_delayedkey,
+				   u64 feerate_per_kw);
+
+/* Fill in the witness for HTLC-success tx produced above. */
+void htlc_success_tx_add_witness(struct bitcoin_tx *htlc_success,
+				 const struct abs_locktime *htlc_abstimeout,
+				 const struct pubkey *localkey,
+				 const struct pubkey *remotekey,
+				 const secp256k1_ecdsa_signature *localsig,
+				 const secp256k1_ecdsa_signature *remotesig,
+				 const struct preimage *payment_preimage);
+
+/* Create HTLC-timeout tx to spend an offered HTLC commitment tx
+ * output; doesn't fill in input witness. */
+struct bitcoin_tx *htlc_timeout_tx(const tal_t *ctx,
+				   const struct sha256_double *commit_txid,
+				   unsigned int commit_output_number,
+				   const struct htlc *offered_htlc,
+				   u16 to_self_delay,
+				   const struct pubkey *revocation_pubkey,
+				   const struct pubkey *local_delayedkey,
+				   u64 feerate_per_kw);
+
+/* Fill in the witness for HTLC-timeout tx produced above. */
+void htlc_timeout_tx_add_witness(struct bitcoin_tx *htlc_timeout,
+				 const struct pubkey *localkey,
+				 const struct pubkey *remotekey,
+				 const struct sha256 *payment_hash,
+				 const secp256k1_ecdsa_signature *localsig,
+				 const secp256k1_ecdsa_signature *remotesig);
+
+#endif /* LIGHTNING_LIGHTNINGD_HTLC_TX_H */