authorWladimir J. van der Laan <laanwj@gmail.com>2016-10-17 13:26:26 +0200
committerWladimir J. van der Laan <laanwj@gmail.com>2016-10-17 13:27:05 +0200
commit53133c1c041d113c2a480a18e6ff38681d135dca (patch)
treed272f24e8715993840724b3fa733c61d9b5dffcf /qa
parent0329511b9cd60146fcd27a75600e404122505593 (diff)
parent67d6ee1e3679504f46473fe0818970565ff3b137 (diff)
downloadbitcoin-53133c1c041d113c2a480a18e6ff38681d135dca.tar.xz
Merge #8499: Add several policy limits and disable uncompressed keys for segwit scripts
67d6ee1 remove redundant tests in p2p-segwit.py (Johnson Lau) 9260085 test segwit uncompressed key fixes (Johnson Lau) 248f3a7 Fix ismine and addwitnessaddress: no uncompressed keys in segwit (Pieter Wuille) b811124 [qa] Add tests for uncompressed pubkeys in segwit (Suhas Daftuar) 9f0397a Make test framework produce lowS signatures (Johnson Lau) 4c0c25a Require compressed keys in segwit as policy and disable signing with uncompressed keys for segwit scripts (Johnson Lau) 3ade2f6 Add standard limits for P2WSH with tests (Johnson Lau)
Diffstat (limited to 'qa')
-rwxr-xr-xqa/rpc-tests/p2p-segwit.py227
-rwxr-xr-xqa/rpc-tests/segwit.py360
-rw-r--r--qa/rpc-tests/test_framework/address.py74
-rw-r--r--qa/rpc-tests/test_framework/key.py25
4 files changed, 675 insertions, 11 deletions
diff --git a/qa/rpc-tests/p2p-segwit.py b/qa/rpc-tests/p2p-segwit.py
index c2ea20bb84..09ab1b80fc 100755
--- a/qa/rpc-tests/p2p-segwit.py
+++ b/qa/rpc-tests/p2p-segwit.py
@@ -166,6 +166,17 @@ class UTXO(object):
self.n = n
self.nValue = nValue
+# Helper for getting the script associated with a P2PKH
+def GetP2PKHScript(pubkeyhash):
+ return CScript([CScriptOp(OP_DUP), CScriptOp(OP_HASH160), pubkeyhash, CScriptOp(OP_EQUALVERIFY), CScriptOp(OP_CHECKSIG)])
+
+# Add signature for a P2PK witness program.
+def sign_P2PK_witness_input(script, txTo, inIdx, hashtype, value, key):
+ tx_hash = SegwitVersion1SignatureHash(script, txTo, inIdx, hashtype, value)
+ signature = key.sign(tx_hash) + chr(hashtype).encode('latin-1')
+ txTo.wit.vtxinwit[inIdx].scriptWitness.stack = [signature, script]
+ txTo.rehash()
+
class SegWitTest(BitcoinTestFramework):
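Review bot: sign_P2PK_witness_input assigns into `txTo.wit.vtxinwit[inIdx]` without stating or checking that the witness slot exists, so a caller that forgets to append a CTxInWitness first gets an IndexError deep in the helper; the callers added in this patch do append one, but the precondition is undocumented now that the helper is module-level and reusable. I'd give it a docstring along the lines of `"""Sign input inIdx of txTo for witness program `script` and set its witness stack to [sig, script]; txTo.wit.vtxinwit must already contain an entry at inIdx."""` and add `assert inIdx < len(txTo.wit.vtxinwit)` before the assignment. GetP2PKHScript would likewise benefit from a one-line docstring saying it returns the standard OP_DUP/OP_HASH160/<hash>/OP_EQUALVERIFY/OP_CHECKSIG script for a 20-byte pubkey hash, since it is now shared by several tests.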
@@ -1323,13 +1334,6 @@ class SegWitTest(BitcoinTestFramework):
sync_blocks(self.nodes)
self.utxo.pop(0)
- # Add signature for a P2PK witness program.
- def sign_P2PK_witness_input(script, txTo, inIdx, hashtype, value, key):
- tx_hash = SegwitVersion1SignatureHash(script, txTo, inIdx, hashtype, value)
- signature = key.sign(tx_hash) + chr(hashtype).encode('latin-1')
- txTo.wit.vtxinwit[inIdx].scriptWitness.stack = [signature, script]
- txTo.rehash()
-
# Test each hashtype
prev_utxo = UTXO(tx.sha256, 0, tx.vout[0].nValue)
for sigflag in [ 0, SIGHASH_ANYONECANPAY ]:
@@ -1443,7 +1447,7 @@ class SegWitTest(BitcoinTestFramework):
tx2.vin.append(CTxIn(COutPoint(tx.sha256, 0), b""))
tx2.vout.append(CTxOut(tx.vout[0].nValue, CScript([OP_TRUE])))
- script = CScript([CScriptOp(OP_DUP), CScriptOp(OP_HASH160), pubkeyhash, CScriptOp(OP_EQUALVERIFY), CScriptOp(OP_CHECKSIG)])
+ script = GetP2PKHScript(pubkeyhash)
sig_hash = SegwitVersion1SignatureHash(script, tx2, 0, SIGHASH_ALL, tx.vout[0].nValue)
signature = key.sign(sig_hash) + b'\x01' # 0x1 is SIGHASH_ALL
@@ -1706,6 +1710,211 @@ class SegWitTest(BitcoinTestFramework):
assert(block_version & (1 << VB_WITNESS_BIT) != 0)
self.nodes[0].setmocktime(0) # undo mocktime
+ # Uncompressed pubkeys are no longer supported in default relay policy,
+ # but (for now) are still valid in blocks.
+ def test_uncompressed_pubkey(self):
+ print("\tTesting uncompressed pubkeys")
+ # Segwit transactions using uncompressed pubkeys are not accepted
+ # under default policy, but should still pass consensus.
+ key = CECKey()
+ key.set_secretbytes(b"9")
+ key.set_compressed(False)
+ pubkey = CPubKey(key.get_pubkey())
+ assert_equal(len(pubkey), 65) # This should be an uncompressed pubkey
+
+ assert(len(self.utxo) > 0)
+ utxo = self.utxo.pop(0)
+
+ # Test 1: P2WPKH
+ # First create a P2WPKH output that uses an uncompressed pubkey
+ pubkeyhash = hash160(pubkey)
+ scriptPKH = CScript([OP_0, pubkeyhash])
+ tx = CTransaction()
+ tx.vin.append(CTxIn(COutPoint(utxo.sha256, utxo.n), b""))
+ tx.vout.append(CTxOut(utxo.nValue-1000, scriptPKH))
+ tx.rehash()
+
+ # Confirm it in a block.
+ block = self.build_next_block()
+ self.update_witness_block_with_transactions(block, [tx])
+ self.test_node.test_witness_block(block, accepted=True)
+
+ # Now try to spend it. Send it to a P2WSH output, which we'll
+ # use in the next test.
+ witness_program = CScript([pubkey, CScriptOp(OP_CHECKSIG)])
+ witness_hash = sha256(witness_program)
+ scriptWSH = CScript([OP_0, witness_hash])
+
+ tx2 = CTransaction()
+ tx2.vin.append(CTxIn(COutPoint(tx.sha256, 0), b""))
+ tx2.vout.append(CTxOut(tx.vout[0].nValue-1000, scriptWSH))
+ script = GetP2PKHScript(pubkeyhash)
+ sig_hash = SegwitVersion1SignatureHash(script, tx2, 0, SIGHASH_ALL, tx.vout[0].nValue)
+ signature = key.sign(sig_hash) + b'\x01' # 0x1 is SIGHASH_ALL
+ tx2.wit.vtxinwit.append(CTxInWitness())
+ tx2.wit.vtxinwit[0].scriptWitness.stack = [ signature, pubkey ]
+ tx2.rehash()
+
+ # Should fail policy test.
+ self.test_node.test_transaction_acceptance(tx2, True, False, b'non-mandatory-script-verify-flag (Using non-compressed keys in segwit)')
+ # But passes consensus.
+ block = self.build_next_block()
+ self.update_witness_block_with_transactions(block, [tx2])
+ self.test_node.test_witness_block(block, accepted=True)
+
+ # Test 2: P2WSH
+ # Try to spend the P2WSH output created in last test.
+ # Send it to a P2SH(P2WSH) output, which we'll use in the next test.
+ p2sh_witness_hash = hash160(scriptWSH)
+ scriptP2SH = CScript([OP_HASH160, p2sh_witness_hash, OP_EQUAL])
+ scriptSig = CScript([scriptWSH])
+
+ tx3 = CTransaction()
+ tx3.vin.append(CTxIn(COutPoint(tx2.sha256, 0), b""))
+ tx3.vout.append(CTxOut(tx2.vout[0].nValue-1000, scriptP2SH))
+ tx3.wit.vtxinwit.append(CTxInWitness())
+ sign_P2PK_witness_input(witness_program, tx3, 0, SIGHASH_ALL, tx2.vout[0].nValue, key)
+
+ # Should fail policy test.
+ self.test_node.test_transaction_acceptance(tx3, True, False, b'non-mandatory-script-verify-flag (Using non-compressed keys in segwit)')
+ # But passes consensus.
+ block = self.build_next_block()
+ self.update_witness_block_with_transactions(block, [tx3])
+ self.test_node.test_witness_block(block, accepted=True)
+
+ # Test 3: P2SH(P2WSH)
+ # Try to spend the P2SH output created in the last test.
+ # Send it to a P2PKH output, which we'll use in the next test.
+ scriptPubKey = GetP2PKHScript(pubkeyhash)
+ tx4 = CTransaction()
+ tx4.vin.append(CTxIn(COutPoint(tx3.sha256, 0), scriptSig))
+ tx4.vout.append(CTxOut(tx3.vout[0].nValue-1000, scriptPubKey))
+ tx4.wit.vtxinwit.append(CTxInWitness())
+ sign_P2PK_witness_input(witness_program, tx4, 0, SIGHASH_ALL, tx3.vout[0].nValue, key)
+
+ # Should fail policy test.
+ self.test_node.test_transaction_acceptance(tx4, True, False, b'non-mandatory-script-verify-flag (Using non-compressed keys in segwit)')
+ block = self.build_next_block()
+ self.update_witness_block_with_transactions(block, [tx4])
+ self.test_node.test_witness_block(block, accepted=True)
+
+ # Test 4: Uncompressed pubkeys should still be valid in non-segwit
+ # transactions.
+ tx5 = CTransaction()
+ tx5.vin.append(CTxIn(COutPoint(tx4.sha256, 0), b""))
+ tx5.vout.append(CTxOut(tx4.vout[0].nValue-1000, CScript([OP_TRUE])))
+ (sig_hash, err) = SignatureHash(scriptPubKey, tx5, 0, SIGHASH_ALL)
+ signature = key.sign(sig_hash) + b'\x01' # 0x1 is SIGHASH_ALL
+ tx5.vin[0].scriptSig = CScript([signature, pubkey])
+ tx5.rehash()
+ # Should pass policy and consensus.
+ self.test_node.test_transaction_acceptance(tx5, True, True)
+ block = self.build_next_block()
+ self.update_witness_block_with_transactions(block, [tx5])
+ self.test_node.test_witness_block(block, accepted=True)
+ self.utxo.append(UTXO(tx5.sha256, 0, tx5.vout[0].nValue))
+
+ def test_non_standard_witness(self):
+ print("\tTesting detection of non-standard P2WSH witness")
+ pad = chr(1).encode('latin-1')
+
+ # Create scripts for tests
+ scripts = []
+ scripts.append(CScript([OP_DROP] * 100))
+ scripts.append(CScript([OP_DROP] * 99))
+ scripts.append(CScript([pad * 59] * 59 + [OP_DROP] * 60))
+ scripts.append(CScript([pad * 59] * 59 + [OP_DROP] * 61))
+
+ p2wsh_scripts = []
+
+ assert(len(self.utxo))
+ tx = CTransaction()
+ tx.vin.append(CTxIn(COutPoint(self.utxo[0].sha256, self.utxo[0].n), b""))
+
+ # For each script, generate a pair of P2WSH and P2SH-P2WSH output.
+ outputvalue = (self.utxo[0].nValue - 1000) // (len(scripts) * 2)
+ for i in scripts:
+ p2wsh = CScript([OP_0, sha256(i)])
+ p2sh = hash160(p2wsh)
+ p2wsh_scripts.append(p2wsh)
+ tx.vout.append(CTxOut(outputvalue, p2wsh))
+ tx.vout.append(CTxOut(outputvalue, CScript([OP_HASH160, p2sh, OP_EQUAL])))
+ tx.rehash()
+ txid = tx.sha256
+ self.test_node.test_transaction_acceptance(tx, with_witness=False, accepted=True)
+
+ self.nodes[0].generate(1)
+ sync_blocks(self.nodes)
+
+ # Creating transactions for tests
+ p2wsh_txs = []
+ p2sh_txs = []
+ for i in range(len(scripts)):
+ p2wsh_tx = CTransaction()
+ p2wsh_tx.vin.append(CTxIn(COutPoint(txid,i*2)))
+ p2wsh_tx.vout.append(CTxOut(outputvalue - 5000, CScript([OP_0, hash160(hex_str_to_bytes(""))])))
+ p2wsh_tx.wit.vtxinwit.append(CTxInWitness())
+ p2wsh_tx.rehash()
+ p2wsh_txs.append(p2wsh_tx)
+ p2sh_tx = CTransaction()
+ p2sh_tx.vin.append(CTxIn(COutPoint(txid,i*2+1), CScript([p2wsh_scripts[i]])))
+ p2sh_tx.vout.append(CTxOut(outputvalue - 5000, CScript([OP_0, hash160(hex_str_to_bytes(""))])))
+ p2sh_tx.wit.vtxinwit.append(CTxInWitness())
+ p2sh_tx.rehash()
+ p2sh_txs.append(p2sh_tx)
+
+ # Testing native P2WSH
+ # Witness stack size, excluding witnessScript, over 100 is non-standard
+ p2wsh_txs[0].wit.vtxinwit[0].scriptWitness.stack = [pad] * 101 + [scripts[0]]
+ self.std_node.test_transaction_acceptance(p2wsh_txs[0], True, False, b'bad-witness-nonstandard')
+ # Non-standard nodes should accept
+ self.test_node.test_transaction_acceptance(p2wsh_txs[0], True, True)
+
+ # Stack element size over 80 bytes is non-standard
+ p2wsh_txs[1].wit.vtxinwit[0].scriptWitness.stack = [pad * 81] * 100 + [scripts[1]]
+ self.std_node.test_transaction_acceptance(p2wsh_txs[1], True, False, b'bad-witness-nonstandard')
+ # Non-standard nodes should accept
+ self.test_node.test_transaction_acceptance(p2wsh_txs[1], True, True)
+ # Standard nodes should accept if element size is not over 80 bytes
+ p2wsh_txs[1].wit.vtxinwit[0].scriptWitness.stack = [pad * 80] * 100 + [scripts[1]]
+ self.std_node.test_transaction_acceptance(p2wsh_txs[1], True, True)
+
+ # witnessScript size at 3600 bytes is standard
+ p2wsh_txs[2].wit.vtxinwit[0].scriptWitness.stack = [pad, pad, scripts[2]]
+ self.test_node.test_transaction_acceptance(p2wsh_txs[2], True, True)
+ self.std_node.test_transaction_acceptance(p2wsh_txs[2], True, True)
+
+ # witnessScript size at 3601 bytes is non-standard
+ p2wsh_txs[3].wit.vtxinwit[0].scriptWitness.stack = [pad, pad, pad, scripts[3]]
+ self.std_node.test_transaction_acceptance(p2wsh_txs[3], True, False, b'bad-witness-nonstandard')
+ # Non-standard nodes should accept
+ self.test_node.test_transaction_acceptance(p2wsh_txs[3], True, True)
+
+ # Repeating the same tests with P2SH-P2WSH
+ p2sh_txs[0].wit.vtxinwit[0].scriptWitness.stack = [pad] * 101 + [scripts[0]]
+ self.std_node.test_transaction_acceptance(p2sh_txs[0], True, False, b'bad-witness-nonstandard')
+ self.test_node.test_transaction_acceptance(p2sh_txs[0], True, True)
+ p2sh_txs[1].wit.vtxinwit[0].scriptWitness.stack = [pad * 81] * 100 + [scripts[1]]
+ self.std_node.test_transaction_acceptance(p2sh_txs[1], True, False, b'bad-witness-nonstandard')
+ self.test_node.test_transaction_acceptance(p2sh_txs[1], True, True)
+ p2sh_txs[1].wit.vtxinwit[0].scriptWitness.stack = [pad * 80] * 100 + [scripts[1]]
+ self.std_node.test_transaction_acceptance(p2sh_txs[1], True, True)
+ p2sh_txs[2].wit.vtxinwit[0].scriptWitness.stack = [pad, pad, scripts[2]]
+ self.test_node.test_transaction_acceptance(p2sh_txs[2], True, True)
+ self.std_node.test_transaction_acceptance(p2sh_txs[2], True, True)
+ p2sh_txs[3].wit.vtxinwit[0].scriptWitness.stack = [pad, pad, pad, scripts[3]]
+ self.std_node.test_transaction_acceptance(p2sh_txs[3], True, False, b'bad-witness-nonstandard')
+ self.test_node.test_transaction_acceptance(p2sh_txs[3], True, True)
+
+ self.nodes[0].generate(1) # Mine and clean up the mempool of non-standard node
+ # Valid but non-standard transactions in a block should be accepted by standard node
+ sync_blocks(self.nodes)
+ assert_equal(len(self.nodes[0].getrawmempool()), 0)
+ assert_equal(len(self.nodes[1].getrawmempool()), 0)
+
+ self.utxo.pop(0)
+
+
def run_test(self):
# Setup the p2p connections and start up the network thread.
self.test_node = TestNode() # sets NODE_WITNESS|NODE_NETWORK
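Review bot: In test_uncompressed_pubkey's Test 4 the `err` returned by `SignatureHash(scriptPubKey, tx5, 0, SIGHASH_ALL)` is bound but never checked; if it were set, the digest is presumably a sentinel and tx5 would be rejected for an unrelated reason, which would mask what the test is meant to show (uncompressed keys still pass policy in non-segwit spends). I'd add `assert_equal(err, None)` immediately after that call. In test_non_standard_witness the literals 101, 81/80 and the 3600/3601-byte scripts encode the new P2WSH limits only through their inline comments; a short comment at the top of the method naming them as the stack-size, stack-item-size and witnessScript-size policy limits this PR introduces would make the intent clear to the next reader. run_test starts in this hunk and continues past its end.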
@@ -1777,7 +1986,9 @@ class SegWitTest(BitcoinTestFramework):
self.test_standardness_v0(segwit_activated=True)
self.test_segwit_versions()
self.test_premature_coinbase_witness_spend()
+ self.test_uncompressed_pubkey()
self.test_signature_version_1()
+ self.test_non_standard_witness()
sync_blocks(self.nodes)
if self.test_upgrade:
self.test_upgrade_after_activation(self.nodes[2], 2)
diff --git a/qa/rpc-tests/segwit.py b/qa/rpc-tests/segwit.py
index 745a1d4750..41a1b3b20f 100755
--- a/qa/rpc-tests/segwit.py
+++ b/qa/rpc-tests/segwit.py
@@ -9,7 +9,10 @@
from test_framework.test_framework import BitcoinTestFramework
from test_framework.util import *
-from test_framework.mininode import sha256, ripemd160
+from test_framework.mininode import sha256, ripemd160, CTransaction, CTxIn, COutPoint, CTxOut
+from test_framework.address import script_to_p2sh, key_to_p2pkh
+from test_framework.script import CScript, OP_HASH160, OP_CHECKSIG, OP_0, hash160, OP_EQUAL, OP_DUP, OP_EQUALVERIFY, OP_1, OP_2, OP_CHECKMULTISIG
+from io import BytesIO
NODE_0 = 0
NODE_1 = 1
@@ -242,5 +245,360 @@ class SegWitTest(BitcoinTestFramework):
# This is an acceptable outcome
pass
+ print("Verify behaviour of importaddress, addwitnessaddress and listunspent")
+
+ # Some public keys to be used later
+ pubkeys = [
+ "0363D44AABD0F1699138239DF2F042C3282C0671CC7A76826A55C8203D90E39242", # cPiM8Ub4heR9NBYmgVzJQiUH1if44GSBGiqaeJySuL2BKxubvgwb
+ "02D3E626B3E616FC8662B489C123349FECBFC611E778E5BE739B257EAE4721E5BF", # cPpAdHaD6VoYbW78kveN2bsvb45Q7G5PhaPApVUGwvF8VQ9brD97
+ "04A47F2CBCEFFA7B9BCDA184E7D5668D3DA6F9079AD41E422FA5FD7B2D458F2538A62F5BD8EC85C2477F39650BD391EA6250207065B2A81DA8B009FC891E898F0E", # 91zqCU5B9sdWxzMt1ca3VzbtVm2YM6Hi5Rxn4UDtxEaN9C9nzXV
+ "02A47F2CBCEFFA7B9BCDA184E7D5668D3DA6F9079AD41E422FA5FD7B2D458F2538", # cPQFjcVRpAUBG8BA9hzr2yEzHwKoMgLkJZBBtK9vJnvGJgMjzTbd
+ "036722F784214129FEB9E8129D626324F3F6716555B603FFE8300BBCB882151228", # cQGtcm34xiLjB1v7bkRa4V3aAc9tS2UTuBZ1UnZGeSeNy627fN66
+ "0266A8396EE936BF6D99D17920DB21C6C7B1AB14C639D5CD72B300297E416FD2EC", # cTW5mR5M45vHxXkeChZdtSPozrFwFgmEvTNnanCW6wrqwaCZ1X7K
+ "0450A38BD7F0AC212FEBA77354A9B036A32E0F7C81FC4E0C5ADCA7C549C4505D2522458C2D9AE3CEFD684E039194B72C8A10F9CB9D4764AB26FCC2718D421D3B84", # 92h2XPssjBpsJN5CqSP7v9a7cf2kgDunBC6PDFwJHMACM1rrVBJ
+ ]
+
+ # Import a compressed key and an uncompressed key, generate some multisig addresses
+ self.nodes[0].importprivkey("92e6XLo5jVAVwrQKPNTs93oQco8f8sDNBcpv73Dsrs397fQtFQn")
+ uncompressed_spendable_address = ["mvozP4UwyGD2mGZU4D2eMvMLPB9WkMmMQu"]
+ self.nodes[0].importprivkey("cNC8eQ5dg3mFAVePDX4ddmPYpPbw41r9bm2jd1nLJT77e6RrzTRR")
+ compressed_spendable_address = ["mmWQubrDomqpgSYekvsU7HWEVjLFHAakLe"]
+ assert ((self.nodes[0].validateaddress(uncompressed_spendable_address[0])['iscompressed'] == False))
+ assert ((self.nodes[0].validateaddress(compressed_spendable_address[0])['iscompressed'] == True))
+
+ self.nodes[0].importpubkey(pubkeys[0])
+ compressed_solvable_address = [key_to_p2pkh(pubkeys[0])]
+ self.nodes[0].importpubkey(pubkeys[1])
+ compressed_solvable_address.append(key_to_p2pkh(pubkeys[1]))
+ self.nodes[0].importpubkey(pubkeys[2])
+ uncompressed_solvable_address = [key_to_p2pkh(pubkeys[2])]
+
+ spendable_anytime = [] # These outputs should be seen anytime after importprivkey and addmultisigaddress
+ spendable_after_importaddress = [] # These outputs should be seen after importaddress
+ solvable_after_importaddress = [] # These outputs should be seen after importaddress but not spendable
+ unsolvable_after_importaddress = [] # These outputs should be unsolvable after importaddress
+ solvable_anytime = [] # These outputs should be solvable after importpubkey
+ unseen_anytime = [] # These outputs should never be seen
+
+ uncompressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [uncompressed_spendable_address[0], compressed_spendable_address[0]]))
+ uncompressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [uncompressed_spendable_address[0], uncompressed_spendable_address[0]]))
+ compressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_spendable_address[0], compressed_spendable_address[0]]))
+ uncompressed_solvable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_spendable_address[0], uncompressed_solvable_address[0]]))
+ compressed_solvable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_spendable_address[0], compressed_solvable_address[0]]))
+ compressed_solvable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_solvable_address[0], compressed_solvable_address[1]]))
+ unknown_address = ["mtKKyoHabkk6e4ppT7NaM7THqPUt7AzPrT", "2NDP3jLWAFT8NDAiUa9qiE6oBt2awmMq7Dx"]
+
+ # Test multisig_without_privkey
+ # We have 2 public keys without private keys, use addmultisigaddress to add to wallet.
+ # Money sent to P2SH of multisig of this should only be seen after importaddress with the BASE58 P2SH address.
+
+ multisig_without_privkey_address = self.nodes[0].addmultisigaddress(2, [pubkeys[3], pubkeys[4]])
+ script = CScript([OP_2, hex_str_to_bytes(pubkeys[3]), hex_str_to_bytes(pubkeys[4]), OP_2, OP_CHECKMULTISIG])
+ solvable_after_importaddress.append(CScript([OP_HASH160, hash160(script), OP_EQUAL]))
+
+ for i in compressed_spendable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ # bare and p2sh multisig with compressed keys should always be spendable
+ spendable_anytime.extend([bare, p2sh])
+ # P2WSH and P2SH(P2WSH) multisig with compressed keys are spendable after direct importaddress
+ spendable_after_importaddress.extend([p2wsh, p2sh_p2wsh])
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # normal P2PKH and P2PK with compressed keys should always be spendable
+ spendable_anytime.extend([p2pkh, p2pk])
+ # P2SH_P2PK, P2SH_P2PKH, and witness with compressed keys are spendable after direct importaddress
+ spendable_after_importaddress.extend([p2wpkh, p2sh_p2wpkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh])
+
+ for i in uncompressed_spendable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ # bare and p2sh multisig with uncompressed keys should always be spendable
+ spendable_anytime.extend([bare, p2sh])
+ # P2WSH and P2SH(P2WSH) multisig with uncompressed keys are never seen
+ unseen_anytime.extend([p2wsh, p2sh_p2wsh])
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # normal P2PKH and P2PK with uncompressed keys should always be spendable
+ spendable_anytime.extend([p2pkh, p2pk])
+ # P2SH_P2PK and P2SH_P2PKH are spendable after direct importaddress
+ spendable_after_importaddress.extend([p2sh_p2pk, p2sh_p2pkh])
+ # witness with uncompressed keys are never seen
+ unseen_anytime.extend([p2wpkh, p2sh_p2wpkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh])
+
+ for i in compressed_solvable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ # Multisig without private is not seen after addmultisigaddress, but seen after importaddress
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ solvable_after_importaddress.extend([bare, p2sh, p2wsh, p2sh_p2wsh])
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # normal P2PKH and P2PK with compressed keys should always be seen
+ solvable_anytime.extend([p2pkh, p2pk])
+ # P2SH_P2PK, P2SH_P2PKH, and witness with compressed keys are seen after direct importaddress
+ solvable_after_importaddress.extend([p2wpkh, p2sh_p2wpkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh])
+
+ for i in uncompressed_solvable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ # Base uncompressed multisig without private is not seen after addmultisigaddress, but seen after importaddress
+ solvable_after_importaddress.extend([bare, p2sh])
+ # P2WSH and P2SH(P2WSH) multisig with uncompressed keys are never seen
+ unseen_anytime.extend([p2wsh, p2sh_p2wsh])
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # normal P2PKH and P2PK with uncompressed keys should always be seen
+ solvable_anytime.extend([p2pkh, p2pk])
+ # P2SH_P2PK, P2SH_P2PKH with uncompressed keys are seen after direct importaddress
+ solvable_after_importaddress.extend([p2sh_p2pk, p2sh_p2pkh])
+ # witness with uncompressed keys are never seen
+ unseen_anytime.extend([p2wpkh, p2sh_p2wpkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh])
+
+ op1 = CScript([OP_1])
+ op0 = CScript([OP_0])
+ # 2N7MGY19ti4KDMSzRfPAssP6Pxyuxoi6jLe is the P2SH(P2PKH) version of mjoE3sSrb8ByYEvgnC3Aox86u1CHnfJA4V
+ unsolvable_address = ["mjoE3sSrb8ByYEvgnC3Aox86u1CHnfJA4V", "2N7MGY19ti4KDMSzRfPAssP6Pxyuxoi6jLe", script_to_p2sh(op1), script_to_p2sh(op0)]
+ unsolvable_address_key = hex_str_to_bytes("02341AEC7587A51CDE5279E0630A531AEA2615A9F80B17E8D9376327BAEAA59E3D")
+ unsolvablep2pkh = CScript([OP_DUP, OP_HASH160, hash160(unsolvable_address_key), OP_EQUALVERIFY, OP_CHECKSIG])
+ unsolvablep2wshp2pkh = CScript([OP_0, sha256(unsolvablep2pkh)])
+ p2shop0 = CScript([OP_HASH160, hash160(op0), OP_EQUAL])
+ p2wshop1 = CScript([OP_0, sha256(op1)])
+ unsolvable_after_importaddress.append(unsolvablep2pkh)
+ unsolvable_after_importaddress.append(unsolvablep2wshp2pkh)
+ unsolvable_after_importaddress.append(op1) # OP_1 will be imported as script
+ unsolvable_after_importaddress.append(p2wshop1)
+ unseen_anytime.append(op0) # OP_0 will be imported as P2SH address with no script provided
+ unsolvable_after_importaddress.append(p2shop0)
+
+ spendable_txid = []
+ solvable_txid = []
+ spendable_txid.append(self.mine_and_test_listunspent(spendable_anytime, 2))
+ solvable_txid.append(self.mine_and_test_listunspent(solvable_anytime, 1))
+ self.mine_and_test_listunspent(spendable_after_importaddress + solvable_after_importaddress + unseen_anytime + unsolvable_after_importaddress, 0)
+
+ importlist = []
+ for i in compressed_spendable_address + uncompressed_spendable_address + compressed_solvable_address + uncompressed_solvable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ bare = hex_str_to_bytes(v['hex'])
+ importlist.append(bytes_to_hex_str(bare))
+ importlist.append(bytes_to_hex_str(CScript([OP_0, sha256(bare)])))
+ else:
+ pubkey = hex_str_to_bytes(v['pubkey'])
+ p2pk = CScript([pubkey, OP_CHECKSIG])
+ p2pkh = CScript([OP_DUP, OP_HASH160, hash160(pubkey), OP_EQUALVERIFY, OP_CHECKSIG])
+ importlist.append(bytes_to_hex_str(p2pk))
+ importlist.append(bytes_to_hex_str(p2pkh))
+ importlist.append(bytes_to_hex_str(CScript([OP_0, hash160(pubkey)])))
+ importlist.append(bytes_to_hex_str(CScript([OP_0, sha256(p2pk)])))
+ importlist.append(bytes_to_hex_str(CScript([OP_0, sha256(p2pkh)])))
+
+ importlist.append(bytes_to_hex_str(unsolvablep2pkh))
+ importlist.append(bytes_to_hex_str(unsolvablep2wshp2pkh))
+ importlist.append(bytes_to_hex_str(op1))
+ importlist.append(bytes_to_hex_str(p2wshop1))
+
+ for i in importlist:
+ try:
+ self.nodes[0].importaddress(i,"",False,True)
+ except JSONRPCException as exp:
+ assert_equal(exp.error["message"], "The wallet already contains the private key for this address or script")
+
+ self.nodes[0].importaddress(script_to_p2sh(op0)) # import OP_0 as address only
+ self.nodes[0].importaddress(multisig_without_privkey_address) # Test multisig_without_privkey
+
+ spendable_txid.append(self.mine_and_test_listunspent(spendable_anytime + spendable_after_importaddress, 2))
+ solvable_txid.append(self.mine_and_test_listunspent(solvable_anytime + solvable_after_importaddress, 1))
+ self.mine_and_test_listunspent(unsolvable_after_importaddress, 1)
+ self.mine_and_test_listunspent(unseen_anytime, 0)
+
+ # addwitnessaddress should refuse to return a witness address if an uncompressed key is used or the address is
+ # not in the wallet
+ # note that no witness address should be returned by unsolvable addresses
+ # the multisig_without_privkey_address will fail because its keys were not added with importpubkey
+ for i in uncompressed_spendable_address + uncompressed_solvable_address + unknown_address + unsolvable_address + [multisig_without_privkey_address]:
+ try:
+ self.nodes[0].addwitnessaddress(i)
+ except JSONRPCException as exp:
+ assert_equal(exp.error["message"], "Public key or redeemscript not known to wallet, or the key is uncompressed")
+ else:
+ assert(False)
+
+ for i in compressed_spendable_address + compressed_solvable_address:
+ witaddress = self.nodes[0].addwitnessaddress(i)
+ # addwitnessaddress should return the same address if it is a known P2SH-witness address
+ assert_equal(witaddress, self.nodes[0].addwitnessaddress(witaddress))
+
+ spendable_txid.append(self.mine_and_test_listunspent(spendable_anytime + spendable_after_importaddress, 2))
+ solvable_txid.append(self.mine_and_test_listunspent(solvable_anytime + solvable_after_importaddress, 1))
+ self.mine_and_test_listunspent(unsolvable_after_importaddress, 1)
+ self.mine_and_test_listunspent(unseen_anytime, 0)
+
+ # Repeat some tests. This time we don't add witness scripts with importaddress
+ # Import a compressed key and an uncompressed key, generate some multisig addresses
+ self.nodes[0].importprivkey("927pw6RW8ZekycnXqBQ2JS5nPyo1yRfGNN8oq74HeddWSpafDJH")
+ uncompressed_spendable_address = ["mguN2vNSCEUh6rJaXoAVwY3YZwZvEmf5xi"]
+ self.nodes[0].importprivkey("cMcrXaaUC48ZKpcyydfFo8PxHAjpsYLhdsp6nmtB3E2ER9UUHWnw")
+ compressed_spendable_address = ["n1UNmpmbVUJ9ytXYXiurmGPQ3TRrXqPWKL"]
+
+ self.nodes[0].importpubkey(pubkeys[5])
+ compressed_solvable_address = [key_to_p2pkh(pubkeys[5])]
+ self.nodes[0].importpubkey(pubkeys[6])
+ uncompressed_solvable_address = [key_to_p2pkh(pubkeys[6])]
+
+ spendable_after_addwitnessaddress = [] # These outputs should be seen after importaddress
+ solvable_after_addwitnessaddress=[] # These outputs should be seen after importaddress but not spendable
+ unseen_anytime = [] # These outputs should never be seen
+
+ uncompressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [uncompressed_spendable_address[0], compressed_spendable_address[0]]))
+ uncompressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [uncompressed_spendable_address[0], uncompressed_spendable_address[0]]))
+ compressed_spendable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_spendable_address[0], compressed_spendable_address[0]]))
+ uncompressed_solvable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_solvable_address[0], uncompressed_solvable_address[0]]))
+ compressed_solvable_address.append(self.nodes[0].addmultisigaddress(2, [compressed_spendable_address[0], compressed_solvable_address[0]]))
+
+ premature_witaddress = []
+
+ for i in compressed_spendable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ # P2WSH and P2SH(P2WSH) multisig with compressed keys are spendable after addwitnessaddress
+ spendable_after_addwitnessaddress.extend([p2wsh, p2sh_p2wsh])
+ premature_witaddress.append(script_to_p2sh(p2wsh))
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # P2WPKH, P2SH_P2WPKH are spendable after addwitnessaddress
+ spendable_after_addwitnessaddress.extend([p2wpkh, p2sh_p2wpkh])
+ premature_witaddress.append(script_to_p2sh(p2wpkh))
+
+ for i in uncompressed_spendable_address + uncompressed_solvable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ # P2WSH and P2SH(P2WSH) multisig with uncompressed keys are never seen
+ unseen_anytime.extend([p2wsh, p2sh_p2wsh])
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # P2WPKH, P2SH_P2WPKH with uncompressed keys are never seen
+ unseen_anytime.extend([p2wpkh, p2sh_p2wpkh])
+
+ for i in compressed_solvable_address:
+ v = self.nodes[0].validateaddress(i)
+ if (v['isscript']):
+ # P2WSH multisig without private key are seen after addwitnessaddress
+ [bare, p2sh, p2wsh, p2sh_p2wsh] = self.p2sh_address_to_script(v)
+ solvable_after_addwitnessaddress.extend([p2wsh, p2sh_p2wsh])
+ premature_witaddress.append(script_to_p2sh(p2wsh))
+ else:
+ [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh] = self.p2pkh_address_to_script(v)
+ # P2SH_P2PK, P2SH_P2PKH with compressed keys are seen after addwitnessaddress
+ solvable_after_addwitnessaddress.extend([p2wpkh, p2sh_p2wpkh])
+ premature_witaddress.append(script_to_p2sh(p2wpkh))
+
+ self.mine_and_test_listunspent(spendable_after_addwitnessaddress + solvable_after_addwitnessaddress + unseen_anytime, 0)
+
+ # addwitnessaddress should refuse to return a witness address if an uncompressed key is used
+ # note that a multisig address returned by addmultisigaddress is not solvable until it is added with importaddress
+ # premature_witaddress are not accepted until the script is added with addwitnessaddress first
+ for i in uncompressed_spendable_address + uncompressed_solvable_address + premature_witaddress + [compressed_solvable_address[1]]:
+ try:
+ self.nodes[0].addwitnessaddress(i)
+ except JSONRPCException as exp:
+ assert_equal(exp.error["message"], "Public key or redeemscript not known to wallet, or the key is uncompressed")
+ else:
+ assert(False)
+
+ # after importaddress it should pass addwitnessaddress
+ v = self.nodes[0].validateaddress(compressed_solvable_address[1])
+ self.nodes[0].importaddress(v['hex'],"",False,True)
+ for i in compressed_spendable_address + compressed_solvable_address + premature_witaddress:
+ witaddress = self.nodes[0].addwitnessaddress(i)
+ assert_equal(witaddress, self.nodes[0].addwitnessaddress(witaddress))
+
+ spendable_txid.append(self.mine_and_test_listunspent(spendable_after_addwitnessaddress, 2))
+ solvable_txid.append(self.mine_and_test_listunspent(solvable_after_addwitnessaddress, 1))
+ self.mine_and_test_listunspent(unseen_anytime, 0)
+
+ # Check that spendable outputs are really spendable
+ self.create_and_mine_tx_from_txids(spendable_txid)
+
+ # import all the private keys so solvable addresses become spendable
+ self.nodes[0].importprivkey("cPiM8Ub4heR9NBYmgVzJQiUH1if44GSBGiqaeJySuL2BKxubvgwb")
+ self.nodes[0].importprivkey("cPpAdHaD6VoYbW78kveN2bsvb45Q7G5PhaPApVUGwvF8VQ9brD97")
+ self.nodes[0].importprivkey("91zqCU5B9sdWxzMt1ca3VzbtVm2YM6Hi5Rxn4UDtxEaN9C9nzXV")
+ self.nodes[0].importprivkey("cPQFjcVRpAUBG8BA9hzr2yEzHwKoMgLkJZBBtK9vJnvGJgMjzTbd")
+ self.nodes[0].importprivkey("cQGtcm34xiLjB1v7bkRa4V3aAc9tS2UTuBZ1UnZGeSeNy627fN66")
+ self.nodes[0].importprivkey("cTW5mR5M45vHxXkeChZdtSPozrFwFgmEvTNnanCW6wrqwaCZ1X7K")
+ self.create_and_mine_tx_from_txids(solvable_txid)
+
+ def mine_and_test_listunspent(self, script_list, ismine):
+ utxo = find_unspent(self.nodes[0], 50)
+ tx = CTransaction()
+ tx.vin.append(CTxIn(COutPoint(int('0x'+utxo['txid'],0), utxo['vout'])))
+ for i in script_list:
+ tx.vout.append(CTxOut(10000000, i))
+ tx.rehash()
+ signresults = self.nodes[0].signrawtransaction(bytes_to_hex_str(tx.serialize_without_witness()))['hex']
+ txid = self.nodes[0].sendrawtransaction(signresults, True)
+ self.nodes[0].generate(1)
+ sync_blocks(self.nodes)
+ watchcount = 0
+ spendcount = 0
+ for i in self.nodes[0].listunspent():
+ if (i['txid'] == txid):
+ watchcount += 1
+ if (i['spendable'] == True):
+ spendcount += 1
+ if (ismine == 2):
+ assert_equal(spendcount, len(script_list))
+ elif (ismine == 1):
+ assert_equal(watchcount, len(script_list))
+ assert_equal(spendcount, 0)
+ else:
+ assert_equal(watchcount, 0)
+ return txid
+
+ def p2sh_address_to_script(self,v):
+ bare = CScript(hex_str_to_bytes(v['hex']))
+ p2sh = CScript(hex_str_to_bytes(v['scriptPubKey']))
+ p2wsh = CScript([OP_0, sha256(bare)])
+ p2sh_p2wsh = CScript([OP_HASH160, hash160(p2wsh), OP_EQUAL])
+ return([bare, p2sh, p2wsh, p2sh_p2wsh])
+
+ def p2pkh_address_to_script(self,v):
+ pubkey = hex_str_to_bytes(v['pubkey'])
+ p2wpkh = CScript([OP_0, hash160(pubkey)])
+ p2sh_p2wpkh = CScript([OP_HASH160, hash160(p2wpkh), OP_EQUAL])
+ p2pk = CScript([pubkey, OP_CHECKSIG])
+ p2pkh = CScript(hex_str_to_bytes(v['scriptPubKey']))
+ p2sh_p2pk = CScript([OP_HASH160, hash160(p2pk), OP_EQUAL])
+ p2sh_p2pkh = CScript([OP_HASH160, hash160(p2pkh), OP_EQUAL])
+ p2wsh_p2pk = CScript([OP_0, sha256(p2pk)])
+ p2wsh_p2pkh = CScript([OP_0, sha256(p2pkh)])
+ p2sh_p2wsh_p2pk = CScript([OP_HASH160, hash160(p2wsh_p2pk), OP_EQUAL])
+ p2sh_p2wsh_p2pkh = CScript([OP_HASH160, hash160(p2wsh_p2pkh), OP_EQUAL])
+ return [p2wpkh, p2sh_p2wpkh, p2pk, p2pkh, p2sh_p2pk, p2sh_p2pkh, p2wsh_p2pk, p2wsh_p2pkh, p2sh_p2wsh_p2pk, p2sh_p2wsh_p2pkh]
+
+ def create_and_mine_tx_from_txids(self, txids, success = True):
+ tx = CTransaction()
+ for i in txids:
+ txtmp = CTransaction()
+ txraw = self.nodes[0].getrawtransaction(i)
+ f = BytesIO(hex_str_to_bytes(txraw))
+ txtmp.deserialize(f)
+ for j in range(len(txtmp.vout)):
+ tx.vin.append(CTxIn(COutPoint(int('0x'+i,0), j)))
+ tx.vout.append(CTxOut(0, CScript()))
+ tx.rehash()
+ signresults = self.nodes[0].signrawtransaction(bytes_to_hex_str(tx.serialize_without_witness()))['hex']
+ self.nodes[0].sendrawtransaction(signresults, True)
+ self.nodes[0].generate(1)
+ sync_blocks(self.nodes)
+
+
if __name__ == '__main__':
SegWitTest().main()
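Review bot: create_and_mine_tx_from_txids declares a `success = True` parameter that is never read, and both it and mine_and_test_listunspent take `signrawtransaction(...)['hex']` without checking the `complete` flag, so a partially signed transaction only surfaces as an opaque sendrawtransaction rejection rather than a pointed assertion. I'd drop the dead parameter (or use it) and check the signing result: `signresults = self.nodes[0].signrawtransaction(bytes_to_hex_str(tx.serialize_without_witness()))`, `assert_equal(signresults['complete'], True)`, then send `signresults['hex']`. The `True` passed to sendrawtransaction appears to disable the high-fee check because the inputs are largely spent to fee (the outputs are 0.1 coin or zero-valued); a one-line comment saying so would stop a reader from treating it as an oversight. The method whose trailing lines form this hunk's leading context begins before the hunk.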
diff --git a/qa/rpc-tests/test_framework/address.py b/qa/rpc-tests/test_framework/address.py
new file mode 100644
index 0000000000..50b999be61
--- /dev/null
+++ b/qa/rpc-tests/test_framework/address.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+# Copyright (c) 2016 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#
+# address.py
+#
+# This file encodes and decodes BASE58 P2PKH and P2SH addresses
+#
+
+from .script import hash256, hash160, sha256, CScript, OP_0
+from .util import bytes_to_hex_str, hex_str_to_bytes
+
+chars = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
+
+def byte_to_base58(b, version):
+ result = ''
+ str = bytes_to_hex_str(b)
+ str = bytes_to_hex_str(chr(version).encode('latin-1')) + str
+ checksum = bytes_to_hex_str(hash256(hex_str_to_bytes(str)))
+ str += checksum[:8]
+ value = int('0x'+str,0)
+ while value > 0:
+ result = chars[value % 58] + result
+ value //= 58
+ while (str[:2] == '00'):
+ result = chars[0] + result
+ str = str[2:]
+ return result
+
+# TODO: def base58_decode
+
+def keyhash_to_p2pkh(hash, main = False):
+ assert (len(hash) == 20)
+ version = 0 if main else 111
+ return byte_to_base58(hash, version)
+
+def scripthash_to_p2sh(hash, main = False):
+ assert (len(hash) == 20)
+ version = 5 if main else 196
+ return byte_to_base58(hash, version)
+
+def key_to_p2pkh(key, main = False):
+ key = check_key(key)
+ return keyhash_to_p2pkh(hash160(key), main)
+
+def script_to_p2sh(script, main = False):
+ script = check_script(script)
+ return scripthash_to_p2sh(hash160(script), main)
+
+def key_to_p2sh_p2wpkh(key, main = False):
+ key = check_key(key)
+ p2shscript = CScript([OP_0, hash160(key)])
+ return script_to_p2sh(p2shscript, main)
+
+def script_to_p2sh_p2wsh(script, main = False):
+ script = check_script(script)
+ p2shscript = CScript([OP_0, sha256(script)])
+ return script_to_p2sh(p2shscript, main)
+
+def check_key(key):
+ if (type(key) is str):
+ key = hex_str_to_bytes(key) # Assuming this is hex string
+ if (type(key) is bytes and (len(key) == 33 or len(key) == 65)):
+ return key
+ assert(False)
+
+def check_script(script):
+ if (type(script) is str):
+ script = hex_str_to_bytes(script) # Assuming this is hex string
+ if (type(script) is bytes or type(script) is CScript):
+ return script
+ assert(False)
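Review bot: `check_key` and `check_script` reject bad input with `assert(False)` on their last lines, which is compiled out under `python -O`, so an invalid argument would silently fall through, return `None`, and be passed on to `hash160` by `key_to_p2pkh` / `script_to_p2sh`; raise instead, e.g. `raise TypeError('key must be a 33- or 65-byte pubkey, as bytes or hex')` and `raise TypeError('script must be bytes, CScript or hex')`. `byte_to_base58` rebinds the builtin `str` as a local, which reads confusingly next to `bytes_to_hex_str`; a name like `hexstr` would do. The `# TODO: def base58_decode` stub could also state that the decoder must verify the 4-byte `hash256` checksum before handing back the payload, since that is the only integrity check a Base58 address carries.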
diff --git a/qa/rpc-tests/test_framework/key.py b/qa/rpc-tests/test_framework/key.py
index ba3038fe04..c63a15c1e0 100644
--- a/qa/rpc-tests/test_framework/key.py
+++ b/qa/rpc-tests/test_framework/key.py
@@ -75,6 +75,9 @@ ssl.EC_POINT_mul.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
# this specifies the curve used with ECDSA.
NID_secp256k1 = 714 # from openssl/obj_mac.h
+SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
+SECP256K1_ORDER_HALF = SECP256K1_ORDER // 2
+
# Thx to Sam Devlin for the ctypes magic 64-bit fix.
def _check_result(val, func, args):
if val == 0:
@@ -147,7 +150,7 @@ class CECKey(object):
r = self.get_raw_ecdh_key(other_pubkey)
return kdf(r)
- def sign(self, hash):
+ def sign(self, hash, low_s = True):
# FIXME: need unit tests for below cases
if not isinstance(hash, bytes):
raise TypeError('Hash must be bytes instance; got %r' % hash.__class__)
@@ -159,7 +162,25 @@ class CECKey(object):
mb_sig = ctypes.create_string_buffer(sig_size0.value)
result = ssl.ECDSA_sign(0, hash, len(hash), mb_sig, ctypes.byref(sig_size0), self.k)
assert 1 == result
- return mb_sig.raw[:sig_size0.value]
+ assert mb_sig.raw[0] == 0x30
+ assert mb_sig.raw[1] == sig_size0.value - 2
+ total_size = mb_sig.raw[1]
+ assert mb_sig.raw[2] == 2
+ r_size = mb_sig.raw[3]
+ assert mb_sig.raw[4 + r_size] == 2
+ s_size = mb_sig.raw[5 + r_size]
+ s_value = int.from_bytes(mb_sig.raw[6+r_size:6+r_size+s_size], byteorder='big')
+ if (not low_s) or s_value <= SECP256K1_ORDER_HALF:
+ return mb_sig.raw[:sig_size0.value]
+ else:
+ low_s_value = SECP256K1_ORDER - s_value
+ low_s_bytes = (low_s_value).to_bytes(33, byteorder='big')
+ while len(low_s_bytes) > 1 and low_s_bytes[0] == 0 and low_s_bytes[1] < 0x80:
+ low_s_bytes = low_s_bytes[1:]
+ new_s_size = len(low_s_bytes)
+ new_total_size_byte = (total_size + new_s_size - s_size).to_bytes(1,byteorder='big')
+ new_s_size_byte = (new_s_size).to_bytes(1,byteorder='big')
+ return b'\x30' + new_total_size_byte + mb_sig.raw[2:5+r_size] + new_s_size_byte + low_s_bytes
def verify(self, hash, sig):
"""Verify a DER signature"""