aboutsummaryrefslogtreecommitdiff
path: root/src/script/sign.h
AgeCommit message (Collapse)Author
2019-02-16Merge #13932: Additional utility RPCs for PSBTWladimir J. van der Laan
540729ef4bf1b6c6da1ec795e441d2ce56a9a58b Implement analyzepsbt RPC and tests (Andrew Chow) 77542cf2a5f8abb97dd46f782c1b0199cc062033 Move PSBT UTXO fetching to a separate method (Andrew Chow) cb40b3abd4514361a024a1e7a1a281da9261261b Figure out what is missing during signing (Andrew Chow) 08f749c9147a5f3fdbbd880e0974b97084429002 Implement joinpsbts RPC and tests (Andrew Chow) 7344a7b9984b99882e136efc8ad48fb31740df93 Implement utxoupdatepsbt RPC and tests (Andrew Chow) Pull request description: This PR adds 3 new utility RPCs for interacting with PSBTs. `utxoupdatepsbt` updates a PSBT with UTXO information from the node. It only works with witness UTXOs because full transactions (as would be needed for non-witness UTXOs) are not available unless txindex is enabled. `joinpsbts` joins the inputs from multiple distinct PSBTs into one PSBT. e.g. if PSBT 1 has inputs 1 and 2, and PSBT 2 has inputs 3 and 4, `joinpsbts` would create a new PSBT with inputs 1, 2, 3, and 4. `analyzepsbt` analyzes a PSBT and determines the current state of it and all of its inputs, and the next step that needs to be done. Tree-SHA512: 3c1fa302201abca76a8901d0c2be7b4ccbce334d989533c215f8b3e50e22f2f018ce6209544b26789f58f5980a253c0655111e1e20d47d5656e0414c64891a5c
2019-02-16Figure out what is missing during signingAndrew Chow
When signing an input, figure out what was requested for but was unable to be found and store it in a SignatureData. Return this information in SignPSBTInput.
2019-02-14Store key origin info in key metadataAndrew Chow
Store the master key fingerprint and derivation path in the key metadata. hdKeypath is kept to indicate the seed and for backwards compatibility, but all key derivation path output uses the key origin info instead of hdKeypath.
2019-02-11Move PSBT definitions and code to separate filesGlenn Willen
Move non-wallet PSBT code to src/psbt.{h,cpp}, and PSBT wallet code to src/wallet/psbtwallet.{h,cpp}. This commit contains only code movement (and adjustments to includes and Makefile.am.)
2018-12-17 Minimal changes to comply with explicit CMutableTransaction -> CTranaction ↵lucash-dev
conversion. This commit makes the minimal changes necessary to fix compilation once CTransaction(const CMutableTransaction &tx) is made explicit. In each case an explicit call `CTransaction(...)` was added. Shouldn't affect behaviour or performance.
2018-11-27Merge #14477: Add ability to convert solvability info to descriptorPieter Wuille
109699dd33 Add release notes (Pieter Wuille) b65326b562 Add matching descriptors to scantxoutset output + tests (Pieter Wuille) 16203d5df7 Add descriptors to listunspent and getaddressinfo + tests (Pieter Wuille) 9b2a25b13f Add tests for InferDescriptor and Descriptor::IsSolvable (Pieter Wuille) 225bf3e3b0 Add Descriptor::IsSolvable() to distinguish addr/raw from others (Pieter Wuille) 4d78bd93b5 Add support for inferring descriptors from scripts (Pieter Wuille) Pull request description: This PR adds functionality to convert a script to a descriptor, given a `SigningProvider` with the relevant information about public keys and redeemscripts/witnessscripts. The feature is exposed in `listunspent`, `getaddressinfo`, and `scantxoutset` whenever these calls are applied to solvable outputs/addresses. This is not very useful on its own, though when we add RPCs to import descriptors, or sign PSBTs using descriptors, these strings become a compact and standalone way of conveying everything necessary to sign an output (excluding private keys). Unit tests and rudimentary RPC tests are included (more relevant tests can be added once RPCs support descriptors). Fixes #14503. Tree-SHA512: cb36b84a3e0200375b7e06a98c7e750cfaf95cf5de132cad59f7ec3cbd201f739427de0dc108f515be7aca203652089fbf5f24ed283d4553bddf23a3224ab31f
2018-11-13Merge #14690: Throw error if CPubKey is invalid during PSBT keypath ↵Wladimir J. van der Laan
serialization 4e4de10f69d5d705256cadfb15d76314dff16e77 Throw error if CPubKey is invalid during PSBT keypath serialization (Gregory Sanders) Pull request description: Related to https://github.com/bitcoin/bitcoin/pull/14689 We should catch this error before attempting to deserialize it later. Tree-SHA512: d2f3ea7f363818ac70c81ee988231b2bb50d055b6919f7bff3f27120c85a7048bfa183efae33e23e6b81d684bcb8bb81e5b209abb3acbcaff1d88014f4f1aa93
2018-11-08Throw error if CPubKey is invalid during PSBT keypath serializationGregory Sanders
2018-11-01Simplify arguments to SignPSBTInputGlenn Willen
Remove redundant arguments to SignPSBTInput -- since it needs several bits of the PartiallySignedTransaction, pass in a reference instead of doing it piecemeal. This saves us having to pass in both a PSBTInput and its index, as well as having to pass in the CTransaction. Also avoid redundantly passing the sighash_type, which is contained in the PSBTInput already.
2018-11-01Add bool PSBTInputSignedGlenn Willen
Refactor out a "PSBTInputSigned" function to check if a PSBT is signed, for use in subsequent commits. Also improve a related comment.
2018-11-01New PartiallySignedTransaction constructor from CTransctionGlenn Willen
New constructor that creates a PartiallySignedTransaction from a CTransaction, automatically sizing the inputs and outputs vectors for convenience.
2018-11-01Merge #14377: check that a separator is found for psbt inputs, outputs, and ↵Wladimir J. van der Laan
global map 4fb3388db95f408566e43ebb9736842cfbff0a7d check that a separator is found for psbt inputs, outputs, and global map (Andrew Chow) Pull request description: Currently it doesn't make sure that a separator was found so PSBTs missing a trailing separator would still pass. This fixes that and adds a test case for it. It really only makes sense to check for the separator for the output maps as if an input or global map was missing a separator, the fields following it would be interpreted as belonging to the previous input or global map. However I have added the check for those two anyways to be consistent. Tree-SHA512: 50c0c08e201ba02494b369a4d36ddb73e6634eb5a4e4e201c4ef38fd2dbeea2c642b8a04d50c91615da61ecbfade37309e47431368f4b1064539c42015766b50
2018-10-26Add tests for InferDescriptor and Descriptor::IsSolvablePieter Wuille
2018-10-20Add key origin support to descriptorsPieter Wuille
2018-10-03check that a separator is found for psbt inputs, outputs, and global mapAndrew Chow
2018-09-11Drop minor GetSerializeSize templateBen Woosley
Now that `GetType()` is not propagated, the benefits are not worth the code.
2018-08-28Merge #13723: PSBT key path cleanupsWladimir J. van der Laan
917353c8b0eff4cd95f9a5f7719f6756bb8338b1 Make SignPSBTInput operate on a private SignatureData object (Pieter Wuille) cad5dd2368109ec398a3b79c8b9e94dfd23f0845 Pass HD path data through SignatureData (Pieter Wuille) 03a99586a398ee38f40c3b72d24c6a2ba4b88579 Implement key origin lookup in CWallet (Pieter Wuille) 3b01efa0d1bf3d23d1b7b7e518849f1fc26314f9 [MOVEONLY] Move ParseHDKeypath to utilstrencodings (Pieter Wuille) 81e1dd5ce1a32114a38691ec6b55e72ab04dbbb1 Generalize PublicOnlySigningProvider into HidingSigningProvider (Pieter Wuille) 84f1f1bfdf900cd28099e428441aa42f9d11a0ed Make SigningProvider expose key origin information (Pieter Wuille) 611ab307fbd8b6f8f7ffc1d569bb86d1f9cb4e92 Introduce KeyOriginInfo for fingerprint + path (Pieter Wuille) Pull request description: This PR adds "key origin" (master fingeprint + key path) information to what is exposed from `SigningProvider`s, allowing this information to be used by the generic PSBT code instead of having the RPC pull it directly from the wallet. This is also a preparation to having PSBT interact with output descriptors, which can then directly expose key origin information for the scripts they generate. Tree-SHA512: c718382ba8ba2d6fc9a32c062bd4cff08b6f39b133838aa03115c39aeca0f654c7cc3ec72d87005bf8306e550824cd8eb9d60f0bd41784a3e22e17b2afcfe833
2018-08-14Merge #13917: Additional safety checks in PSBT signerWladimir J. van der Laan
5df6f089b53c5b5859e5a3454c026447e4752f82 More tests of signer checks (Andrew Chow) 7c8bffdc24e005c3044a9a80bbc227b2a39b8605 Test that a non-witness script as witness utxo is not signed (Andrew Chow) 8254e9950f67d750c7f5905bfdef526d825965ed Additional sanity checks in SignPSBTInput (Pieter Wuille) c05712cb590c8c76729a71d75a290c67ae9e3c06 Only wipe wrong UTXO type data if overwritten by wallet (Pieter Wuille) Pull request description: The current PSBT signing code can end up producing a non-segwit signature, while only the UTXO being spent is provided in the PSBT (as opposed to the entire transaction being spent). This may be used to trick a user to incorrectly decide a transaction has the semantics he intends to sign. Fix this by refusing to sign if there is any mismatch between the provided data and what is being signed. Tree-SHA512: b55790d79d8166e05513fc4c603a982a33710e79dc3c045060cddac6b48a1be3a28ebf8db63f988b6567b15dd27fd09bbaf48846e323c8635376ac20178956f4
2018-08-13Serialize non-witness utxo as a non-witness tx but always deserialize as witnessAndrew Chow
Strip out the witnesses when serializing the non-witness utxo. However witness serializations are allowed, so make sure we always deserialize as witness.
2018-08-13Fix PSBT deserialization of 0-input transactionsAndrew Chow
0-input transactions can be ambiguously deserialized as being witness transactions. Since the unsigned transaction is never serialized as a witness transaction as it has no witnesses, we should always deserialize it as a non-witness transaction and set the serialization flags as such. Also always serialize the unsigned transaction as a non-witness transaction.
2018-08-13Make SignPSBTInput operate on a private SignatureData objectPieter Wuille
2018-08-13Pass HD path data through SignatureDataPieter Wuille
2018-08-13Generalize PublicOnlySigningProvider into HidingSigningProviderPieter Wuille
2018-08-13Make SigningProvider expose key origin informationPieter Wuille
2018-08-13Introduce KeyOriginInfo for fingerprint + pathPieter Wuille
2018-08-13Additional sanity checks in SignPSBTInputPieter Wuille
2018-08-13Merge #13666: Always create signatures with Low R valuesWladimir J. van der Laan
e306be742932d4ea5aca0ea4768e54b2fc3dc6a0 Use 72 byte dummy signatures when watching only inputs may be used (Andrew Chow) 48b1473c898129a99212e2db36c61cf93625ea17 Use 71 byte signature for DUMMY_SIGNATURE_CREATOR (Andrew Chow) 18dfea0dd082af18dfb02981b7ee1cd44d514388 Always create 70 byte signatures with low R values (Andrew Chow) Pull request description: When creating signatures for transactions, always make one which has a 32 byte or smaller R and 32 byte or smaller S value. This results in signatures that are always less than 71 bytes (32 byte R + 32 byte S + 6 bytes DER + 1 byte sighash) with low R values. In most cases, the signature will be 71 bytes. Because R is not mutable in the same way that S is, a low R value can only be found by trying different nonces. RFC 6979 for deterministic nonce generation has the option to specify additional entropy, so we simply use that and add a uin32_t counter which we increment in order to try different nonces. Nonces are sill deterministically generated as the nonce used will the be the first one where the counter results in a nonce that results in a low R value. Because different nonces need to be tried, time to produce a signature does increase. On average, it takes twice as long to make a signature as two signatures need to be created, on average, to find one with a low R. Having a fixed size signature makes size calculations easier and also saves half a byte of transaction size, on average. DUMMY_SIGNATURE_CREATOR has been modified to produce 71 byte dummy signatures instead of 72 byte signatures. Tree-SHA512: 3cd791505126ce92da7c631856a97ba0b59e87d9c132feff6e0eef1dc47768e81fbb38bfbe970371bedf9714b7f61a13a5fe9f30f962c81734092a4d19a4ef33
2018-08-09Use 72 byte dummy signatures when watching only inputs may be usedAndrew Chow
With watching only inputs, we do not know how large the signatures for those inputs will be as their signers may not have implemented 71 byte signatures. Thus we estimate their fees using the 72 byte dummy signature to ensure that we pay enough fees. This only effects fundrawtransaction when includeWatching is true.
2018-08-08Merge #13780: 0.17: Pre-branch maintenanceWladimir J. van der Laan
3fc20632a3ad30809356a58d2cf0ea4a4ad4cec3 qt: Set BLOCK_CHAIN_SIZE = 220 (DrahtBot) 2b6a2f4a28792f2fe9dc1be843b1ff1ecae35e8a Regenerate manpages (DrahtBot) eb7daf4d600eeb631427c018a984a77a34aca66e Update copyright headers to 2018 (DrahtBot) Pull request description: Some trivial maintenance to avoid having to do it again after the 0.17 branch off. (The scripts to do this are in `./contrib/`) Tree-SHA512: 16b2af45e0351b1c691c5311d48025dc6828079e98c2aa2e600dc5910ee8aa01858ca6c356538150dc46fe14c8819ed8ec8e4ec9a0f682b9950dd41bc50518fa
2018-07-27Add simple FlatSigningProviderPieter Wuille
2018-07-27Update copyright headers to 2018DrahtBot
2018-07-25Merge #13721: Bugfixes for BIP 174 combining and deserializationWladimir J. van der Laan
fad231ad41e12b7047deb64220942ca8cb8357bc Fix merging of global unknown data in PSBTs (Andrew Chow) 41df035ee1694715ee1e0f89b08ac8c73987807b Check that PSBT keys are the correct length (Andrew Chow) Pull request description: This PR fixes a few bugs that were found and adds tests checking for these errors. Specifically: - Single byte keys are checked to actually be one byte. - Unknown global data must be merged when combining two PSBTs. Tree-SHA512: c0e7b4bc607d510cc005aaa7c0813ee58c5467ab7ce4adce485522dfeee92b1af3d29fe89df778b0ea812bb3827e085b30e04d4f4ebcefd8364d809573991332
2018-07-19Check that PSBT keys are the correct lengthAndrew Chow
Checks that all of the one byte type keys are actually one byte and throw an error if they are not. Add tests for each type to check for this behavior.
2018-07-19Avoid creating a temporary vector for size-prefixed elementsPieter Wuille
2018-07-16Create wallet RPCs for PSBTAndrew Chow
walletprocesspsbt takes a PSBT format transaction, updates the PSBT with any inputs related to this wallet, signs, and finalizes the transaction. There is also an option to not sign and just update. walletcreatefundedpsbt creates a PSBT from user provided data in the same form as createrawtransaction. It also funds the transaction and takes an options argument in the same form as fundrawtransaction. The resulting PSBT is blank with no input or output data filled in.
2018-07-13SignPSBTInput wrapper functionAndrew Chow
The SignPSBTInput function takes a PSBTInput, SignatureData, SigningProvider, and other data necessary for signing. It fills the SignatureData with data from the PSBTInput, retrieves the UTXO from the PSBTInput, signs and finalizes the input if possible, and then extracts the results from the SignatureData and puts them back into the PSBTInput.
2018-07-13Methods for interacting with PSBT structsAndrew Chow
Added methods which move data to/from SignaturData objects to PSBTInput and PSBTOutput objects. Added sanity checks for PSBTs as a whole which are done immediately after deserialization. Added Merge methods to merge a PSBT into another one.
2018-07-13Add pubkeys and whether input was witness to SignatureDataAndrew Chow
Stores pubkeys in SignatureData and retrieves them when using GetPubKey(). Stores whether the signatures in a SignatureData are for a witness input.
2018-07-13Implement PSBT Structures and un/serialization methods per BIP 174Andrew Chow
2018-07-03Remove CombineSignatures and replace testsAndrew Chow
Removes CombineSignatures and replaces its use in tests with ProduceSignature to test the same behavior for ProduceSignature.
2018-07-03Replace CombineSignatures with ProduceSignatureAndrew Chow
Instead of using CombineSignatures to create the final scriptSig or scriptWitness of an input, use ProduceSignature itself. To allow for ProduceSignature to place signatures, pubkeys, and scripts that it does not know about, we pass down the SignatureData to SignStep which pulls out the information that it needs from the SignatureData.
2018-07-03Make SignatureData able to store signatures and scriptsAndrew Chow
In addition to having the scriptSig and scriptWitness, have SignatureData also be able to store just the signatures (pubkeys mapped to sigs) and scripts (script ids mapped to scripts). Also have DataFromTransaction be able to extract signatures and scripts from the scriptSig and scriptWitness of an input to put them in SignatureData. Adds a new SignatureChecker which takes a SignatureData and puts pubkeys and signatures into it when it successfully verifies a signature. Adds a new field in SignatureData which stores whether the SignatureData was complete. This allows us to also update the scriptSig and scriptWitness to the final one when updating a SignatureData with another one.
2018-06-05Merge #13269: refactoring: Drop UpdateTransaction in favor of UpdateInputWladimir J. van der Laan
6aa33feadbe11bfa505a80a691d84db966aca134 Drop UpdateTransaction in favor of UpdateInput (Ben Woosley) Pull request description: Updating the input explicitly requires the caller to present a mutable input, which more clearly communicates the effects and intent of the call (and, often, the enclosing loop). In most cases, this input is already immediately available and need not be looked up. Tree-SHA512: 8c7914a8b7ae975d8ad0e9d760e3c5da65776a5f79d060b8ffb6b3ff7a32235f71ad705f2185b368d9263742d7796bb562395d22b806d90e8502d8c496011e57
2018-05-30Generic TransactionSignatureCreator works with both CTransaction and ↵Martin Ankerl
CMutableTransaction Templated version so that no copying of CMutableTransaction into a CTransaction is necessary. This speeds up the test case transaction_tests/test_big_witness_transaction from 7.9 seconds to 3.1 seconds on my machine.
2018-05-18Drop UpdateTransaction in favor of UpdateInputBen Woosley
Updating the input explicitly requires the caller to present a mutable input, which more clearly communicates the effects and intent of the method. In most cases, this input is already immediately available and need not be looked up.
2018-04-10Make DummySignatureCreator a singletonPieter Wuille
2018-04-10Make BaseSignatureCreator a pure interfacePieter Wuille
2018-03-25Introduce interface for signing providersPieter Wuille
CKeyStore is a rich interface that provides many features, including knowledge of scripts and pubkeys for solving, private keys for signing, in addition to watch-only keys and scripts, and distinguishing lack of keys from them just being encrypted. The signing logic in script/sign does not actually need most of these features. Here we introduce a simpler interface (SigningProvider) which *only* provides keys and scripts. This is actually sufficient for signing. In addtion, we swap the dependency between keystore and script/sign (keystore now depends on script/script with CKeyStore deriving from SigningProvider, rather than CKeyStore being the interface that signing relies on).
2018-03-09Calculate and store the number of bytes required to spend an inputAndrew Chow
2018-01-10Merge #11403: SegWit wallet supportJonas Schnelli
b224a47a1 Add address_types test (Pieter Wuille) 7ee54fd7c Support downgrading after recovered keypool witness keys (Pieter Wuille) 940a21932 SegWit wallet support (Pieter Wuille) f37c64e47 Implicitly know about P2WPKH redeemscripts (Pieter Wuille) 57273f2b3 [test] Serialize CTransaction with witness by default (Pieter Wuille) cf2c0b6f5 Support P2WPKH and P2SH-P2WPKH in dumpprivkey (Pieter Wuille) 37c03d3e0 Support P2WPKH addresses in create/addmultisig (Pieter Wuille) 3eaa003c8 Extend validateaddress information for P2SH-embedded witness (Pieter Wuille) 30a27dc5b Expose method to find key for a single-key destination (Pieter Wuille) 985c79552 Improve witness destination types and use them more (Pieter Wuille) cbe197470 [refactor] GetAccount{PubKey,Address} -> GetAccountDestination (Pieter Wuille) 0c8ea6380 Abstract out IsSolvable from Witnessifier (Pieter Wuille) Pull request description: This implements a minimum viable implementation of SegWit wallet support, based on top of #11389, and includes part of the functionality from #11089. Two new configuration options are added: * `-addresstype`, with options `legacy`, `p2sh`, and `bech32`. It controls what kind of addresses are produced by `getnewaddress`, `getaccountaddress`, and `createmultisigaddress`. * `-changetype`, with the same options, and by default equal to `-addresstype`, that controls what kind of change is used. All wallet private and public keys can be used for any type of address. Support for address types dependent on different derivation paths will need a major overhaul of how our internal detection of outputs work. I expect that that will happen for a next major version. The above also applies to imported keys, as having a distinction there but not for normal operations is a disaster for testing, and probably for comprehension of users. This has some ugly effects, like needing to associate the provided label to `importprivkey` with each style address for the corresponding key. To deal with witness outputs requiring a corresponding redeemscript in wallet, three approaches are used: * All SegWit addresses created through `getnewaddress` or multisig RPCs explicitly get their redeemscripts added to the wallet file. This means that downgrading after creating a witness address will work, as long as the wallet file is up to date. * All SegWit keys in the wallet get an _implicit_ redeemscript added, without it being written to the file. This means recovery of an old backup will work, as long as you use new software. * All keypool keys that are seen used in transactions explicitly get their redeemscripts added to the wallet files. This means that downgrading after recovering from a backup that includes a witness address will work. These approaches correspond to solutions 3a, 1a, and 5a respectively from https://gist.github.com/sipa/125cfa1615946d0c3f3eec2ad7f250a2. As argued there, there is no full solution for dealing with the case where you both downgrade and restore a backup, so that's also not implemented. `dumpwallet`, `importwallet`, `importmulti`, `signmessage` and `verifymessage` don't work with SegWit addresses yet. They're remaining TODOs, for this PR or a follow-up. Because of that, several tests unexpectedly run with `-addresstype=legacy` for now. Tree-SHA512: d425dbe517c0422061ab8dacdc3a6ae47da071450932ed992c79559d922dff7b2574a31a8c94feccd3761c1dffb6422c50055e6dca8e3cf94a169bc95e39e959