aboutsummaryrefslogtreecommitdiff
path: root/src/script/sign.h
AgeCommit message (Collapse)Author
2018-08-15Additional sanity checks in SignPSBTInputPieter Wuille
GitHub-Pull: #13917 Rebased-From: 8254e99
2018-08-15Serialize non-witness utxo as a non-witness tx but always deserialize as witnessAndrew Chow
Strip out the witnesses when serializing the non-witness utxo. However witness serializations are allowed, so make sure we always deserialize as witness. GitHub-Pull: #13960 Rebased-From: bd19cc7
2018-08-15Fix PSBT deserialization of 0-input transactionsAndrew Chow
0-input transactions can be ambiguously deserialized as being witness transactions. Since the unsigned transaction is never serialized as a witness transaction as it has no witnesses, we should always deserialize it as a non-witness transaction and set the serialization flags as such. Also always serialize the unsigned transaction as a non-witness transaction. GitHub-Pull: #13960 Rebased-From: 43811e6
2018-08-13Merge #13666: Always create signatures with Low R valuesWladimir J. van der Laan
e306be742932d4ea5aca0ea4768e54b2fc3dc6a0 Use 72 byte dummy signatures when watching only inputs may be used (Andrew Chow) 48b1473c898129a99212e2db36c61cf93625ea17 Use 71 byte signature for DUMMY_SIGNATURE_CREATOR (Andrew Chow) 18dfea0dd082af18dfb02981b7ee1cd44d514388 Always create 70 byte signatures with low R values (Andrew Chow) Pull request description: When creating signatures for transactions, always make one which has a 32 byte or smaller R and 32 byte or smaller S value. This results in signatures that are always less than 71 bytes (32 byte R + 32 byte S + 6 bytes DER + 1 byte sighash) with low R values. In most cases, the signature will be 71 bytes. Because R is not mutable in the same way that S is, a low R value can only be found by trying different nonces. RFC 6979 for deterministic nonce generation has the option to specify additional entropy, so we simply use that and add a uin32_t counter which we increment in order to try different nonces. Nonces are sill deterministically generated as the nonce used will the be the first one where the counter results in a nonce that results in a low R value. Because different nonces need to be tried, time to produce a signature does increase. On average, it takes twice as long to make a signature as two signatures need to be created, on average, to find one with a low R. Having a fixed size signature makes size calculations easier and also saves half a byte of transaction size, on average. DUMMY_SIGNATURE_CREATOR has been modified to produce 71 byte dummy signatures instead of 72 byte signatures. Tree-SHA512: 3cd791505126ce92da7c631856a97ba0b59e87d9c132feff6e0eef1dc47768e81fbb38bfbe970371bedf9714b7f61a13a5fe9f30f962c81734092a4d19a4ef33
2018-08-09Use 72 byte dummy signatures when watching only inputs may be usedAndrew Chow
With watching only inputs, we do not know how large the signatures for those inputs will be as their signers may not have implemented 71 byte signatures. Thus we estimate their fees using the 72 byte dummy signature to ensure that we pay enough fees. This only effects fundrawtransaction when includeWatching is true.
2018-08-08Merge #13780: 0.17: Pre-branch maintenanceWladimir J. van der Laan
3fc20632a3ad30809356a58d2cf0ea4a4ad4cec3 qt: Set BLOCK_CHAIN_SIZE = 220 (DrahtBot) 2b6a2f4a28792f2fe9dc1be843b1ff1ecae35e8a Regenerate manpages (DrahtBot) eb7daf4d600eeb631427c018a984a77a34aca66e Update copyright headers to 2018 (DrahtBot) Pull request description: Some trivial maintenance to avoid having to do it again after the 0.17 branch off. (The scripts to do this are in `./contrib/`) Tree-SHA512: 16b2af45e0351b1c691c5311d48025dc6828079e98c2aa2e600dc5910ee8aa01858ca6c356538150dc46fe14c8819ed8ec8e4ec9a0f682b9950dd41bc50518fa
2018-07-27Add simple FlatSigningProviderPieter Wuille
2018-07-27Update copyright headers to 2018DrahtBot
2018-07-25Merge #13721: Bugfixes for BIP 174 combining and deserializationWladimir J. van der Laan
fad231ad41e12b7047deb64220942ca8cb8357bc Fix merging of global unknown data in PSBTs (Andrew Chow) 41df035ee1694715ee1e0f89b08ac8c73987807b Check that PSBT keys are the correct length (Andrew Chow) Pull request description: This PR fixes a few bugs that were found and adds tests checking for these errors. Specifically: - Single byte keys are checked to actually be one byte. - Unknown global data must be merged when combining two PSBTs. Tree-SHA512: c0e7b4bc607d510cc005aaa7c0813ee58c5467ab7ce4adce485522dfeee92b1af3d29fe89df778b0ea812bb3827e085b30e04d4f4ebcefd8364d809573991332
2018-07-19Check that PSBT keys are the correct lengthAndrew Chow
Checks that all of the one byte type keys are actually one byte and throw an error if they are not. Add tests for each type to check for this behavior.
2018-07-19Avoid creating a temporary vector for size-prefixed elementsPieter Wuille
2018-07-16Create wallet RPCs for PSBTAndrew Chow
walletprocesspsbt takes a PSBT format transaction, updates the PSBT with any inputs related to this wallet, signs, and finalizes the transaction. There is also an option to not sign and just update. walletcreatefundedpsbt creates a PSBT from user provided data in the same form as createrawtransaction. It also funds the transaction and takes an options argument in the same form as fundrawtransaction. The resulting PSBT is blank with no input or output data filled in.
2018-07-13SignPSBTInput wrapper functionAndrew Chow
The SignPSBTInput function takes a PSBTInput, SignatureData, SigningProvider, and other data necessary for signing. It fills the SignatureData with data from the PSBTInput, retrieves the UTXO from the PSBTInput, signs and finalizes the input if possible, and then extracts the results from the SignatureData and puts them back into the PSBTInput.
2018-07-13Methods for interacting with PSBT structsAndrew Chow
Added methods which move data to/from SignaturData objects to PSBTInput and PSBTOutput objects. Added sanity checks for PSBTs as a whole which are done immediately after deserialization. Added Merge methods to merge a PSBT into another one.
2018-07-13Add pubkeys and whether input was witness to SignatureDataAndrew Chow
Stores pubkeys in SignatureData and retrieves them when using GetPubKey(). Stores whether the signatures in a SignatureData are for a witness input.
2018-07-13Implement PSBT Structures and un/serialization methods per BIP 174Andrew Chow
2018-07-03Remove CombineSignatures and replace testsAndrew Chow
Removes CombineSignatures and replaces its use in tests with ProduceSignature to test the same behavior for ProduceSignature.
2018-07-03Replace CombineSignatures with ProduceSignatureAndrew Chow
Instead of using CombineSignatures to create the final scriptSig or scriptWitness of an input, use ProduceSignature itself. To allow for ProduceSignature to place signatures, pubkeys, and scripts that it does not know about, we pass down the SignatureData to SignStep which pulls out the information that it needs from the SignatureData.
2018-07-03Make SignatureData able to store signatures and scriptsAndrew Chow
In addition to having the scriptSig and scriptWitness, have SignatureData also be able to store just the signatures (pubkeys mapped to sigs) and scripts (script ids mapped to scripts). Also have DataFromTransaction be able to extract signatures and scripts from the scriptSig and scriptWitness of an input to put them in SignatureData. Adds a new SignatureChecker which takes a SignatureData and puts pubkeys and signatures into it when it successfully verifies a signature. Adds a new field in SignatureData which stores whether the SignatureData was complete. This allows us to also update the scriptSig and scriptWitness to the final one when updating a SignatureData with another one.
2018-06-05Merge #13269: refactoring: Drop UpdateTransaction in favor of UpdateInputWladimir J. van der Laan
6aa33feadbe11bfa505a80a691d84db966aca134 Drop UpdateTransaction in favor of UpdateInput (Ben Woosley) Pull request description: Updating the input explicitly requires the caller to present a mutable input, which more clearly communicates the effects and intent of the call (and, often, the enclosing loop). In most cases, this input is already immediately available and need not be looked up. Tree-SHA512: 8c7914a8b7ae975d8ad0e9d760e3c5da65776a5f79d060b8ffb6b3ff7a32235f71ad705f2185b368d9263742d7796bb562395d22b806d90e8502d8c496011e57
2018-05-30Generic TransactionSignatureCreator works with both CTransaction and ↵Martin Ankerl
CMutableTransaction Templated version so that no copying of CMutableTransaction into a CTransaction is necessary. This speeds up the test case transaction_tests/test_big_witness_transaction from 7.9 seconds to 3.1 seconds on my machine.
2018-05-18Drop UpdateTransaction in favor of UpdateInputBen Woosley
Updating the input explicitly requires the caller to present a mutable input, which more clearly communicates the effects and intent of the method. In most cases, this input is already immediately available and need not be looked up.
2018-04-10Make DummySignatureCreator a singletonPieter Wuille
2018-04-10Make BaseSignatureCreator a pure interfacePieter Wuille
2018-03-25Introduce interface for signing providersPieter Wuille
CKeyStore is a rich interface that provides many features, including knowledge of scripts and pubkeys for solving, private keys for signing, in addition to watch-only keys and scripts, and distinguishing lack of keys from them just being encrypted. The signing logic in script/sign does not actually need most of these features. Here we introduce a simpler interface (SigningProvider) which *only* provides keys and scripts. This is actually sufficient for signing. In addtion, we swap the dependency between keystore and script/sign (keystore now depends on script/script with CKeyStore deriving from SigningProvider, rather than CKeyStore being the interface that signing relies on).
2018-03-09Calculate and store the number of bytes required to spend an inputAndrew Chow
2018-01-10Merge #11403: SegWit wallet supportJonas Schnelli
b224a47a1 Add address_types test (Pieter Wuille) 7ee54fd7c Support downgrading after recovered keypool witness keys (Pieter Wuille) 940a21932 SegWit wallet support (Pieter Wuille) f37c64e47 Implicitly know about P2WPKH redeemscripts (Pieter Wuille) 57273f2b3 [test] Serialize CTransaction with witness by default (Pieter Wuille) cf2c0b6f5 Support P2WPKH and P2SH-P2WPKH in dumpprivkey (Pieter Wuille) 37c03d3e0 Support P2WPKH addresses in create/addmultisig (Pieter Wuille) 3eaa003c8 Extend validateaddress information for P2SH-embedded witness (Pieter Wuille) 30a27dc5b Expose method to find key for a single-key destination (Pieter Wuille) 985c79552 Improve witness destination types and use them more (Pieter Wuille) cbe197470 [refactor] GetAccount{PubKey,Address} -> GetAccountDestination (Pieter Wuille) 0c8ea6380 Abstract out IsSolvable from Witnessifier (Pieter Wuille) Pull request description: This implements a minimum viable implementation of SegWit wallet support, based on top of #11389, and includes part of the functionality from #11089. Two new configuration options are added: * `-addresstype`, with options `legacy`, `p2sh`, and `bech32`. It controls what kind of addresses are produced by `getnewaddress`, `getaccountaddress`, and `createmultisigaddress`. * `-changetype`, with the same options, and by default equal to `-addresstype`, that controls what kind of change is used. All wallet private and public keys can be used for any type of address. Support for address types dependent on different derivation paths will need a major overhaul of how our internal detection of outputs work. I expect that that will happen for a next major version. The above also applies to imported keys, as having a distinction there but not for normal operations is a disaster for testing, and probably for comprehension of users. This has some ugly effects, like needing to associate the provided label to `importprivkey` with each style address for the corresponding key. To deal with witness outputs requiring a corresponding redeemscript in wallet, three approaches are used: * All SegWit addresses created through `getnewaddress` or multisig RPCs explicitly get their redeemscripts added to the wallet file. This means that downgrading after creating a witness address will work, as long as the wallet file is up to date. * All SegWit keys in the wallet get an _implicit_ redeemscript added, without it being written to the file. This means recovery of an old backup will work, as long as you use new software. * All keypool keys that are seen used in transactions explicitly get their redeemscripts added to the wallet files. This means that downgrading after recovering from a backup that includes a witness address will work. These approaches correspond to solutions 3a, 1a, and 5a respectively from https://gist.github.com/sipa/125cfa1615946d0c3f3eec2ad7f250a2. As argued there, there is no full solution for dealing with the case where you both downgrade and restore a backup, so that's also not implemented. `dumpwallet`, `importwallet`, `importmulti`, `signmessage` and `verifymessage` don't work with SegWit addresses yet. They're remaining TODOs, for this PR or a follow-up. Because of that, several tests unexpectedly run with `-addresstype=legacy` for now. Tree-SHA512: d425dbe517c0422061ab8dacdc3a6ae47da071450932ed992c79559d922dff7b2574a31a8c94feccd3761c1dffb6422c50055e6dca8e3cf94a169bc95e39e959
2018-01-03Abstract out IsSolvable from WitnessifierPieter Wuille
2018-01-03Increment MIT Licence copyright header year on files modified in 2017Akira Takizawa
2017-11-16scripted-diff: Replace #include "" with #include <> (ryanofsky)MeshCollider
-BEGIN VERIFY SCRIPT- for f in \ src/*.cpp \ src/*.h \ src/bench/*.cpp \ src/bench/*.h \ src/compat/*.cpp \ src/compat/*.h \ src/consensus/*.cpp \ src/consensus/*.h \ src/crypto/*.cpp \ src/crypto/*.h \ src/crypto/ctaes/*.h \ src/policy/*.cpp \ src/policy/*.h \ src/primitives/*.cpp \ src/primitives/*.h \ src/qt/*.cpp \ src/qt/*.h \ src/qt/test/*.cpp \ src/qt/test/*.h \ src/rpc/*.cpp \ src/rpc/*.h \ src/script/*.cpp \ src/script/*.h \ src/support/*.cpp \ src/support/*.h \ src/support/allocators/*.h \ src/test/*.cpp \ src/test/*.h \ src/wallet/*.cpp \ src/wallet/*.h \ src/wallet/test/*.cpp \ src/wallet/test/*.h \ src/zmq/*.cpp \ src/zmq/*.h do base=${f%/*}/ relbase=${base#src/} sed -i "s:#include \"\(.*\)\"\(.*\):if test -e \$base'\\1'; then echo \"#include <\"\$relbase\"\\1>\\2\"; else echo \"#include <\\1>\\2\"; fi:e" $f done -END VERIFY SCRIPT-
2017-08-16Declare single-argument (non-converting) constructors "explicit"practicalswift
In order to avoid unintended implicit conversions.
2017-06-28Use the override specifier (C++11) where we expect to be overriding the ↵practicalswift
virtual function of a base class
2017-03-03Merge #8808: Do not shadow variables (gcc set)Wladimir J. van der Laan
ad1ae7a Check and enable -Wshadow by default. (Pavel Janík) 9de90bb Do not shadow variables (gcc set) (Pavel Janík) Tree-SHA512: 9517feb423dc8ddd63896016b25324673bfbe0bffa97f22996f59d7a3fcbdc2ebf2e43ac02bc067546f54e293e9b2f2514be145f867321e9031f895c063d9fb8
2016-12-31Increment MIT Licence copyright header year on files modified in 2016isle2983
Edited via: $ contrib/devtools/copyright_header.py update .
2016-12-05Do not shadow variables (gcc set)Pavel Janík
2016-08-22[doc] Fix typos in comments, doxygen: Fix comment syntaxMarcoFalke
2016-06-22BIP143: Signing logicPieter Wuille
2016-06-22BIP143: Verification logicPieter Wuille
Includes simplifications by Eric Lombrozo.
2015-12-13Bump copyright headers to 2015MarcoFalke
2015-06-11Add DummySignatureCreator which just creates zeroed sigsPieter Wuille
2015-03-21Abstract out Ctransaction-specific signing into TransactionSignatureCreatorPieter Wuille
2014-12-19Added "Core" to copyright headerssandakersmann
Github-Pull: #5494 Rebased-From: 15de949bb9277e442302bdd8dee299a8d6deee60
2014-11-10Make comments in /src/script doxygen compatibleMichael Ford
2014-11-04Avoid a bunch of copying/conversion in script/signPieter Wuille
2014-11-03Fix all header definesPavel Janík
2014-09-14cleanup new script files (no code changes)Philip Kaufmann
- add missing header end comments - ensure alphabetical ordering - update copyright year and license
2014-09-08Separate script/signjtimon