psbt.h
1 // Copyright (c) 2009-present The Bitcoin Core developers 2 // Distributed under the MIT software license, see the accompanying 3 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 5 #ifndef BITCOIN_PSBT_H 6 #define BITCOIN_PSBT_H 7 8 #include <common/types.h> 9 #include <node/transaction.h> 10 #include <policy/feerate.h> 11 #include <primitives/transaction.h> 12 #include <pubkey.h> 13 #include <script/keyorigin.h> 14 #include <script/sign.h> 15 #include <script/signingprovider.h> 16 #include <span.h> 17 #include <streams.h> 18 19 #include <optional> 20 21 namespace node { 22 enum class TransactionError; 23 } // namespace node 24 25 using common::PSBTError; 26 27 // Magic bytes 28 static constexpr uint8_t PSBT_MAGIC_BYTES[5] = {'p', 's', 'b', 't', 0xff}; 29 30 // Global types 31 static constexpr uint8_t PSBT_GLOBAL_UNSIGNED_TX = 0x00; 32 static constexpr uint8_t PSBT_GLOBAL_XPUB = 0x01; 33 static constexpr uint8_t PSBT_GLOBAL_VERSION = 0xFB; 34 static constexpr uint8_t PSBT_GLOBAL_PROPRIETARY = 0xFC; 35 36 // Input types 37 static constexpr uint8_t PSBT_IN_NON_WITNESS_UTXO = 0x00; 38 static constexpr uint8_t PSBT_IN_WITNESS_UTXO = 0x01; 39 static constexpr uint8_t PSBT_IN_PARTIAL_SIG = 0x02; 40 static constexpr uint8_t PSBT_IN_SIGHASH = 0x03; 41 static constexpr uint8_t PSBT_IN_REDEEMSCRIPT = 0x04; 42 static constexpr uint8_t PSBT_IN_WITNESSSCRIPT = 0x05; 43 static constexpr uint8_t PSBT_IN_BIP32_DERIVATION = 0x06; 44 static constexpr uint8_t PSBT_IN_SCRIPTSIG = 0x07; 45 static constexpr uint8_t PSBT_IN_SCRIPTWITNESS = 0x08; 46 static constexpr uint8_t PSBT_IN_RIPEMD160 = 0x0A; 47 static constexpr uint8_t PSBT_IN_SHA256 = 0x0B; 48 static constexpr uint8_t PSBT_IN_HASH160 = 0x0C; 49 static constexpr uint8_t PSBT_IN_HASH256 = 0x0D; 50 static constexpr uint8_t PSBT_IN_TAP_KEY_SIG = 0x13; 51 static constexpr uint8_t PSBT_IN_TAP_SCRIPT_SIG = 0x14; 52 static constexpr uint8_t PSBT_IN_TAP_LEAF_SCRIPT = 0x15; 53 static constexpr uint8_t PSBT_IN_TAP_BIP32_DERIVATION = 0x16; 54 static constexpr uint8_t PSBT_IN_TAP_INTERNAL_KEY = 0x17; 55 static constexpr uint8_t PSBT_IN_TAP_MERKLE_ROOT = 0x18; 56 static constexpr uint8_t PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS = 0x1a; 57 static constexpr uint8_t PSBT_IN_MUSIG2_PUB_NONCE = 0x1b; 58 static constexpr uint8_t PSBT_IN_MUSIG2_PARTIAL_SIG = 0x1c; 59 static constexpr uint8_t PSBT_IN_PROPRIETARY = 0xFC; 60 61 // Output types 62 static constexpr uint8_t PSBT_OUT_REDEEMSCRIPT = 0x00; 63 static constexpr uint8_t PSBT_OUT_WITNESSSCRIPT = 0x01; 64 static constexpr uint8_t PSBT_OUT_BIP32_DERIVATION = 0x02; 65 static constexpr uint8_t PSBT_OUT_TAP_INTERNAL_KEY = 0x05; 66 static constexpr uint8_t PSBT_OUT_TAP_TREE = 0x06; 67 static constexpr uint8_t PSBT_OUT_TAP_BIP32_DERIVATION = 0x07; 68 static constexpr uint8_t PSBT_OUT_MUSIG2_PARTICIPANT_PUBKEYS = 0x08; 69 static constexpr uint8_t PSBT_OUT_PROPRIETARY = 0xFC; 70 71 // The separator is 0x00. Reading this in means that the unserializer can interpret it 72 // as a 0 length key which indicates that this is the separator. The separator has no value. 73 static constexpr uint8_t PSBT_SEPARATOR = 0x00; 74 75 // BIP 174 does not specify a maximum file size, but we set a limit anyway 76 // to prevent reading a stream indefinitely and running out of memory. 77 const std::streamsize MAX_FILE_SIZE_PSBT = 100000000; // 100 MB 78 79 // PSBT version number 80 static constexpr uint32_t PSBT_HIGHEST_VERSION = 0; 81 82 /** A structure for PSBT proprietary types */ 83 struct PSBTProprietary 84 { 85 uint64_t subtype; 86 std::vector<unsigned char> identifier; 87 std::vector<unsigned char> key; 88 std::vector<unsigned char> value; 89 90 bool operator<(const PSBTProprietary &b) const { 91 return key < b.key; 92 } 93 bool operator==(const PSBTProprietary &b) const { 94 return key == b.key; 95 } 96 }; 97 98 // Takes a stream and multiple arguments and serializes them as if first serialized into a vector and then into the stream 99 // The resulting output into the stream has the total serialized length of all of the objects followed by all objects concatenated with each other. 100 template<typename Stream, typename... X> 101 void SerializeToVector(Stream& s, const X&... args) 102 { 103 SizeComputer sizecomp; 104 SerializeMany(sizecomp, args...); 105 WriteCompactSize(s, sizecomp.size()); 106 SerializeMany(s, args...); 107 } 108 109 // Takes a stream and multiple arguments and unserializes them first as a vector then each object individually in the order provided in the arguments 110 template<typename Stream, typename... X> 111 void UnserializeFromVector(Stream& s, X&&... args) 112 { 113 size_t expected_size = ReadCompactSize(s); 114 size_t remaining_before = s.size(); 115 UnserializeMany(s, args...); 116 size_t remaining_after = s.size(); 117 if (remaining_after + expected_size != remaining_before) { 118 throw std::ios_base::failure("Size of value was not the stated size"); 119 } 120 } 121 122 // Deserialize bytes of given length from the stream as a KeyOriginInfo 123 template<typename Stream> 124 KeyOriginInfo DeserializeKeyOrigin(Stream& s, uint64_t length) 125 { 126 // Read in key path 127 if (length % 4 || length == 0) { 128 throw std::ios_base::failure("Invalid length for HD key path"); 129 } 130 131 KeyOriginInfo hd_keypath; 132 s >> hd_keypath.fingerprint; 133 for (unsigned int i = 4; i < length; i += sizeof(uint32_t)) { 134 uint32_t index; 135 s >> index; 136 hd_keypath.path.push_back(index); 137 } 138 return hd_keypath; 139 } 140 141 // Deserialize a length prefixed KeyOriginInfo from a stream 142 template<typename Stream> 143 void DeserializeHDKeypath(Stream& s, KeyOriginInfo& hd_keypath) 144 { 145 hd_keypath = DeserializeKeyOrigin(s, ReadCompactSize(s)); 146 } 147 148 // Deserialize HD keypaths into a map 149 template<typename Stream> 150 void DeserializeHDKeypaths(Stream& s, const std::vector<unsigned char>& key, std::map<CPubKey, KeyOriginInfo>& hd_keypaths) 151 { 152 // Make sure that the key is the size of pubkey + 1 153 if (key.size() != CPubKey::SIZE + 1 && key.size() != CPubKey::COMPRESSED_SIZE + 1) { 154 throw std::ios_base::failure("Size of key was not the expected size for the type BIP32 keypath"); 155 } 156 // Read in the pubkey from key 157 CPubKey pubkey(key.begin() + 1, key.end()); 158 if (!pubkey.IsFullyValid()) { 159 throw std::ios_base::failure("Invalid pubkey"); 160 } 161 if (hd_keypaths.count(pubkey) > 0) { 162 throw std::ios_base::failure("Duplicate Key, pubkey derivation path already provided"); 163 } 164 165 KeyOriginInfo keypath; 166 DeserializeHDKeypath(s, keypath); 167 168 // Add to map 169 hd_keypaths.emplace(pubkey, std::move(keypath)); 170 } 171 172 // Serialize a KeyOriginInfo to a stream 173 template<typename Stream> 174 void SerializeKeyOrigin(Stream& s, KeyOriginInfo hd_keypath) 175 { 176 s << hd_keypath.fingerprint; 177 for (const auto& path : hd_keypath.path) { 178 s << path; 179 } 180 } 181 182 // Serialize a length prefixed KeyOriginInfo to a stream 183 template<typename Stream> 184 void SerializeHDKeypath(Stream& s, KeyOriginInfo hd_keypath) 185 { 186 WriteCompactSize(s, (hd_keypath.path.size() + 1) * sizeof(uint32_t)); 187 SerializeKeyOrigin(s, hd_keypath); 188 } 189 190 // Serialize HD keypaths to a stream from a map 191 template<typename Stream> 192 void SerializeHDKeypaths(Stream& s, const std::map<CPubKey, KeyOriginInfo>& hd_keypaths, CompactSizeWriter type) 193 { 194 for (const auto& keypath_pair : hd_keypaths) { 195 if (!keypath_pair.first.IsValid()) { 196 throw std::ios_base::failure("Invalid CPubKey being serialized"); 197 } 198 SerializeToVector(s, type, std::span{keypath_pair.first}); 199 SerializeHDKeypath(s, keypath_pair.second); 200 } 201 } 202 203 // Deserialize a PSBT_{IN/OUT}_MUSIG2_PARTICIPANT_PUBKEYS field 204 template<typename Stream> 205 void DeserializeMuSig2ParticipantPubkeys(Stream& s, SpanReader& skey, std::map<CPubKey, std::vector<CPubKey>>& out, std::string context) 206 { 207 std::array<unsigned char, CPubKey::COMPRESSED_SIZE> agg_pubkey_bytes; 208 skey >> std::as_writable_bytes(std::span{agg_pubkey_bytes}); 209 CPubKey agg_pubkey(agg_pubkey_bytes); 210 211 std::vector<CPubKey> participants; 212 std::vector<unsigned char> val; 213 s >> val; 214 SpanReader s_val{val}; 215 while (s_val.size() >= CPubKey::COMPRESSED_SIZE) { 216 std::array<unsigned char, CPubKey::COMPRESSED_SIZE> part_pubkey_bytes; 217 s_val >> std::as_writable_bytes(std::span{part_pubkey_bytes}); 218 participants.emplace_back(std::span{part_pubkey_bytes}); 219 } 220 if (!s_val.empty()) { 221 throw std::ios_base::failure(context + " musig2 participants pubkeys value size is not a multiple of 33"); 222 } 223 224 out.emplace(agg_pubkey, participants); 225 } 226 227 // Deserialize the MuSig2 participant identifiers from PSBT_MUSIG2_{PUBNONCE/PARTIAL_SIG} fields 228 // Both fields contain the same data after the type byte - aggregate pubkey | participant pubkey | leaf script hash 229 template<typename Stream> 230 void DeserializeMuSig2ParticipantDataIdentifier(Stream& skey, CPubKey& agg_pub, CPubKey& part_pub, uint256& leaf_hash) 231 { 232 leaf_hash.SetNull(); 233 234 std::array<unsigned char, CPubKey::COMPRESSED_SIZE> part_pubkey_bytes; 235 std::array<unsigned char, CPubKey::COMPRESSED_SIZE> agg_pubkey_bytes; 236 237 skey >> std::as_writable_bytes(std::span{part_pubkey_bytes}) >> std::as_writable_bytes(std::span{agg_pubkey_bytes}); 238 agg_pub.Set(agg_pubkey_bytes.begin(), agg_pubkey_bytes.end()); 239 part_pub.Set(part_pubkey_bytes.begin(), part_pubkey_bytes.end()); 240 241 if (!skey.empty()) { 242 skey >> leaf_hash; 243 } 244 } 245 246 /** A structure for PSBTs which contain per-input information */ 247 struct PSBTInput 248 { 249 CTransactionRef non_witness_utxo; 250 CTxOut witness_utxo; 251 CScript redeem_script; 252 CScript witness_script; 253 CScript final_script_sig; 254 CScriptWitness final_script_witness; 255 std::map<CPubKey, KeyOriginInfo> hd_keypaths; 256 std::map<CKeyID, SigPair> partial_sigs; 257 std::map<uint160, std::vector<unsigned char>> ripemd160_preimages; 258 std::map<uint256, std::vector<unsigned char>> sha256_preimages; 259 std::map<uint160, std::vector<unsigned char>> hash160_preimages; 260 std::map<uint256, std::vector<unsigned char>> hash256_preimages; 261 262 // Taproot fields 263 std::vector<unsigned char> m_tap_key_sig; 264 std::map<std::pair<XOnlyPubKey, uint256>, std::vector<unsigned char>> m_tap_script_sigs; 265 std::map<std::pair<std::vector<unsigned char>, int>, std::set<std::vector<unsigned char>, ShortestVectorFirstComparator>> m_tap_scripts; 266 std::map<XOnlyPubKey, std::pair<std::set<uint256>, KeyOriginInfo>> m_tap_bip32_paths; 267 XOnlyPubKey m_tap_internal_key; 268 uint256 m_tap_merkle_root; 269 270 // MuSig2 fields 271 std::map<CPubKey, std::vector<CPubKey>> m_musig2_participants; 272 // Key is the aggregate pubkey and the script leaf hash, value is a map of participant pubkey to pubnonce 273 std::map<std::pair<CPubKey, uint256>, std::map<CPubKey, std::vector<uint8_t>>> m_musig2_pubnonces; 274 // Key is the aggregate pubkey and the script leaf hash, value is a map of participant pubkey to partial_sig 275 std::map<std::pair<CPubKey, uint256>, std::map<CPubKey, uint256>> m_musig2_partial_sigs; 276 277 std::map<std::vector<unsigned char>, std::vector<unsigned char>> unknown; 278 std::set<PSBTProprietary> m_proprietary; 279 std::optional<int> sighash_type; 280 281 bool IsNull() const; 282 void FillSignatureData(SignatureData& sigdata) const; 283 void FromSignatureData(const SignatureData& sigdata); 284 void Merge(const PSBTInput& input); 285 PSBTInput() = default; 286 287 template <typename Stream> 288 inline void Serialize(Stream& s) const { 289 // Write the utxo 290 if (non_witness_utxo) { 291 SerializeToVector(s, CompactSizeWriter(PSBT_IN_NON_WITNESS_UTXO)); 292 SerializeToVector(s, TX_NO_WITNESS(non_witness_utxo)); 293 } 294 if (!witness_utxo.IsNull()) { 295 SerializeToVector(s, CompactSizeWriter(PSBT_IN_WITNESS_UTXO)); 296 SerializeToVector(s, witness_utxo); 297 } 298 299 if (final_script_sig.empty() && final_script_witness.IsNull()) { 300 // Write any partial signatures 301 for (const auto& sig_pair : partial_sigs) { 302 SerializeToVector(s, CompactSizeWriter(PSBT_IN_PARTIAL_SIG), std::span{sig_pair.second.first}); 303 s << sig_pair.second.second; 304 } 305 306 // Write the sighash type 307 if (sighash_type != std::nullopt) { 308 SerializeToVector(s, CompactSizeWriter(PSBT_IN_SIGHASH)); 309 SerializeToVector(s, *sighash_type); 310 } 311 312 // Write the redeem script 313 if (!redeem_script.empty()) { 314 SerializeToVector(s, CompactSizeWriter(PSBT_IN_REDEEMSCRIPT)); 315 s << redeem_script; 316 } 317 318 // Write the witness script 319 if (!witness_script.empty()) { 320 SerializeToVector(s, CompactSizeWriter(PSBT_IN_WITNESSSCRIPT)); 321 s << witness_script; 322 } 323 324 // Write any hd keypaths 325 SerializeHDKeypaths(s, hd_keypaths, CompactSizeWriter(PSBT_IN_BIP32_DERIVATION)); 326 327 // Write any ripemd160 preimage 328 for (const auto& [hash, preimage] : ripemd160_preimages) { 329 SerializeToVector(s, CompactSizeWriter(PSBT_IN_RIPEMD160), std::span{hash}); 330 s << preimage; 331 } 332 333 // Write any sha256 preimage 334 for (const auto& [hash, preimage] : sha256_preimages) { 335 SerializeToVector(s, CompactSizeWriter(PSBT_IN_SHA256), std::span{hash}); 336 s << preimage; 337 } 338 339 // Write any hash160 preimage 340 for (const auto& [hash, preimage] : hash160_preimages) { 341 SerializeToVector(s, CompactSizeWriter(PSBT_IN_HASH160), std::span{hash}); 342 s << preimage; 343 } 344 345 // Write any hash256 preimage 346 for (const auto& [hash, preimage] : hash256_preimages) { 347 SerializeToVector(s, CompactSizeWriter(PSBT_IN_HASH256), std::span{hash}); 348 s << preimage; 349 } 350 351 // Write taproot key sig 352 if (!m_tap_key_sig.empty()) { 353 SerializeToVector(s, PSBT_IN_TAP_KEY_SIG); 354 s << m_tap_key_sig; 355 } 356 357 // Write taproot script sigs 358 for (const auto& [pubkey_leaf, sig] : m_tap_script_sigs) { 359 const auto& [xonly, leaf_hash] = pubkey_leaf; 360 SerializeToVector(s, PSBT_IN_TAP_SCRIPT_SIG, xonly, leaf_hash); 361 s << sig; 362 } 363 364 // Write taproot leaf scripts 365 for (const auto& [leaf, control_blocks] : m_tap_scripts) { 366 const auto& [script, leaf_ver] = leaf; 367 for (const auto& control_block : control_blocks) { 368 SerializeToVector(s, PSBT_IN_TAP_LEAF_SCRIPT, std::span{control_block}); 369 std::vector<unsigned char> value_v(script.begin(), script.end()); 370 value_v.push_back((uint8_t)leaf_ver); 371 s << value_v; 372 } 373 } 374 375 // Write taproot bip32 keypaths 376 for (const auto& [xonly, leaf_origin] : m_tap_bip32_paths) { 377 const auto& [leaf_hashes, origin] = leaf_origin; 378 SerializeToVector(s, PSBT_IN_TAP_BIP32_DERIVATION, xonly); 379 std::vector<unsigned char> value; 380 VectorWriter s_value{value, 0}; 381 s_value << leaf_hashes; 382 SerializeKeyOrigin(s_value, origin); 383 s << value; 384 } 385 386 // Write taproot internal key 387 if (!m_tap_internal_key.IsNull()) { 388 SerializeToVector(s, PSBT_IN_TAP_INTERNAL_KEY); 389 s << ToByteVector(m_tap_internal_key); 390 } 391 392 // Write taproot merkle root 393 if (!m_tap_merkle_root.IsNull()) { 394 SerializeToVector(s, PSBT_IN_TAP_MERKLE_ROOT); 395 SerializeToVector(s, m_tap_merkle_root); 396 } 397 398 // Write MuSig2 Participants 399 for (const auto& [agg_pubkey, part_pubs] : m_musig2_participants) { 400 SerializeToVector(s, CompactSizeWriter(PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS), std::span{agg_pubkey}); 401 std::vector<unsigned char> value; 402 VectorWriter s_value{value, 0}; 403 for (auto& pk : part_pubs) { 404 s_value << std::span{pk}; 405 } 406 s << value; 407 } 408 409 // Write MuSig2 pubnonces 410 for (const auto& [agg_pubkey_leaf_hash, pubnonces] : m_musig2_pubnonces) { 411 const auto& [agg_pubkey, leaf_hash] = agg_pubkey_leaf_hash; 412 for (const auto& [part_pubkey, pubnonce] : pubnonces) { 413 if (leaf_hash.IsNull()) { 414 SerializeToVector(s, CompactSizeWriter(PSBT_IN_MUSIG2_PUB_NONCE), std::span{part_pubkey}, std::span{agg_pubkey}); 415 } else { 416 SerializeToVector(s, CompactSizeWriter(PSBT_IN_MUSIG2_PUB_NONCE), std::span{part_pubkey}, std::span{agg_pubkey}, leaf_hash); 417 } 418 s << pubnonce; 419 } 420 } 421 422 // Write MuSig2 partial signatures 423 for (const auto& [agg_pubkey_leaf_hash, psigs] : m_musig2_partial_sigs) { 424 const auto& [agg_pubkey, leaf_hash] = agg_pubkey_leaf_hash; 425 for (const auto& [pubkey, psig] : psigs) { 426 if (leaf_hash.IsNull()) { 427 SerializeToVector(s, CompactSizeWriter(PSBT_IN_MUSIG2_PARTIAL_SIG), std::span{pubkey}, std::span{agg_pubkey}); 428 } else { 429 SerializeToVector(s, CompactSizeWriter(PSBT_IN_MUSIG2_PARTIAL_SIG), std::span{pubkey}, std::span{agg_pubkey}, leaf_hash); 430 } 431 SerializeToVector(s, psig); 432 } 433 } 434 } 435 436 // Write script sig 437 if (!final_script_sig.empty()) { 438 SerializeToVector(s, CompactSizeWriter(PSBT_IN_SCRIPTSIG)); 439 s << final_script_sig; 440 } 441 // write script witness 442 if (!final_script_witness.IsNull()) { 443 SerializeToVector(s, CompactSizeWriter(PSBT_IN_SCRIPTWITNESS)); 444 SerializeToVector(s, final_script_witness.stack); 445 } 446 447 // Write proprietary things 448 for (const auto& entry : m_proprietary) { 449 s << entry.key; 450 s << entry.value; 451 } 452 453 // Write unknown things 454 for (auto& entry : unknown) { 455 s << entry.first; 456 s << entry.second; 457 } 458 459 s << PSBT_SEPARATOR; 460 } 461 462 463 template <typename Stream> 464 inline void Unserialize(Stream& s) { 465 // Used for duplicate key detection 466 std::set<std::vector<unsigned char>> key_lookup; 467 468 // Read loop 469 bool found_sep = false; 470 while(!s.empty()) { 471 // Read the key of format "<keylen><keytype><keydata>" after which 472 // "key" will contain "<keytype><keydata>" 473 std::vector<unsigned char> key; 474 s >> key; 475 476 // the key is empty if that was actually a separator byte 477 // This is a special case for key lengths 0 as those are not allowed (except for separator) 478 if (key.empty()) { 479 found_sep = true; 480 break; 481 } 482 483 // "skey" is used so that "key" is unchanged after reading keytype below 484 SpanReader skey{key}; 485 // keytype is of the format compact size uint at the beginning of "key" 486 uint64_t type = ReadCompactSize(skey); 487 488 // Do stuff based on keytype "type", i.e., key checks, reading values of the 489 // format "<valuelen><valuedata>" from the stream "s", and value checks 490 switch(type) { 491 case PSBT_IN_NON_WITNESS_UTXO: 492 { 493 if (!key_lookup.emplace(key).second) { 494 throw std::ios_base::failure("Duplicate Key, input non-witness utxo already provided"); 495 } else if (key.size() != 1) { 496 throw std::ios_base::failure("Non-witness utxo key is more than one byte type"); 497 } 498 // Set the stream to unserialize with witness since this is always a valid network transaction 499 UnserializeFromVector(s, TX_WITH_WITNESS(non_witness_utxo)); 500 break; 501 } 502 case PSBT_IN_WITNESS_UTXO: 503 if (!key_lookup.emplace(key).second) { 504 throw std::ios_base::failure("Duplicate Key, input witness utxo already provided"); 505 } else if (key.size() != 1) { 506 throw std::ios_base::failure("Witness utxo key is more than one byte type"); 507 } 508 UnserializeFromVector(s, witness_utxo); 509 break; 510 case PSBT_IN_PARTIAL_SIG: 511 { 512 // Make sure that the key is the size of pubkey + 1 513 if (key.size() != CPubKey::SIZE + 1 && key.size() != CPubKey::COMPRESSED_SIZE + 1) { 514 throw std::ios_base::failure("Size of key was not the expected size for the type partial signature pubkey"); 515 } 516 // Read in the pubkey from key 517 CPubKey pubkey(key.begin() + 1, key.end()); 518 if (!pubkey.IsFullyValid()) { 519 throw std::ios_base::failure("Invalid pubkey"); 520 } 521 if (partial_sigs.count(pubkey.GetID()) > 0) { 522 throw std::ios_base::failure("Duplicate Key, input partial signature for pubkey already provided"); 523 } 524 525 // Read in the signature from value 526 std::vector<unsigned char> sig; 527 s >> sig; 528 529 // Check that the signature is validly encoded 530 if (sig.empty() || !CheckSignatureEncoding(sig, SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_STRICTENC, nullptr)) { 531 throw std::ios_base::failure("Signature is not a valid encoding"); 532 } 533 534 // Add to list 535 partial_sigs.emplace(pubkey.GetID(), SigPair(pubkey, std::move(sig))); 536 break; 537 } 538 case PSBT_IN_SIGHASH: 539 if (!key_lookup.emplace(key).second) { 540 throw std::ios_base::failure("Duplicate Key, input sighash type already provided"); 541 } else if (key.size() != 1) { 542 throw std::ios_base::failure("Sighash type key is more than one byte type"); 543 } 544 int sighash; 545 UnserializeFromVector(s, sighash); 546 sighash_type = sighash; 547 break; 548 case PSBT_IN_REDEEMSCRIPT: 549 { 550 if (!key_lookup.emplace(key).second) { 551 throw std::ios_base::failure("Duplicate Key, input redeemScript already provided"); 552 } else if (key.size() != 1) { 553 throw std::ios_base::failure("Input redeemScript key is more than one byte type"); 554 } 555 s >> redeem_script; 556 break; 557 } 558 case PSBT_IN_WITNESSSCRIPT: 559 { 560 if (!key_lookup.emplace(key).second) { 561 throw std::ios_base::failure("Duplicate Key, input witnessScript already provided"); 562 } else if (key.size() != 1) { 563 throw std::ios_base::failure("Input witnessScript key is more than one byte type"); 564 } 565 s >> witness_script; 566 break; 567 } 568 case PSBT_IN_BIP32_DERIVATION: 569 { 570 DeserializeHDKeypaths(s, key, hd_keypaths); 571 break; 572 } 573 case PSBT_IN_SCRIPTSIG: 574 { 575 if (!key_lookup.emplace(key).second) { 576 throw std::ios_base::failure("Duplicate Key, input final scriptSig already provided"); 577 } else if (key.size() != 1) { 578 throw std::ios_base::failure("Final scriptSig key is more than one byte type"); 579 } 580 s >> final_script_sig; 581 break; 582 } 583 case PSBT_IN_SCRIPTWITNESS: 584 { 585 if (!key_lookup.emplace(key).second) { 586 throw std::ios_base::failure("Duplicate Key, input final scriptWitness already provided"); 587 } else if (key.size() != 1) { 588 throw std::ios_base::failure("Final scriptWitness key is more than one byte type"); 589 } 590 UnserializeFromVector(s, final_script_witness.stack); 591 break; 592 } 593 case PSBT_IN_RIPEMD160: 594 { 595 // Make sure that the key is the size of a ripemd160 hash + 1 596 if (key.size() != CRIPEMD160::OUTPUT_SIZE + 1) { 597 throw std::ios_base::failure("Size of key was not the expected size for the type ripemd160 preimage"); 598 } 599 // Read in the hash from key 600 std::vector<unsigned char> hash_vec(key.begin() + 1, key.end()); 601 uint160 hash(hash_vec); 602 if (ripemd160_preimages.count(hash) > 0) { 603 throw std::ios_base::failure("Duplicate Key, input ripemd160 preimage already provided"); 604 } 605 606 // Read in the preimage from value 607 std::vector<unsigned char> preimage; 608 s >> preimage; 609 610 // Add to preimages list 611 ripemd160_preimages.emplace(hash, std::move(preimage)); 612 break; 613 } 614 case PSBT_IN_SHA256: 615 { 616 // Make sure that the key is the size of a sha256 hash + 1 617 if (key.size() != CSHA256::OUTPUT_SIZE + 1) { 618 throw std::ios_base::failure("Size of key was not the expected size for the type sha256 preimage"); 619 } 620 // Read in the hash from key 621 std::vector<unsigned char> hash_vec(key.begin() + 1, key.end()); 622 uint256 hash(hash_vec); 623 if (sha256_preimages.count(hash) > 0) { 624 throw std::ios_base::failure("Duplicate Key, input sha256 preimage already provided"); 625 } 626 627 // Read in the preimage from value 628 std::vector<unsigned char> preimage; 629 s >> preimage; 630 631 // Add to preimages list 632 sha256_preimages.emplace(hash, std::move(preimage)); 633 break; 634 } 635 case PSBT_IN_HASH160: 636 { 637 // Make sure that the key is the size of a hash160 hash + 1 638 if (key.size() != CHash160::OUTPUT_SIZE + 1) { 639 throw std::ios_base::failure("Size of key was not the expected size for the type hash160 preimage"); 640 } 641 // Read in the hash from key 642 std::vector<unsigned char> hash_vec(key.begin() + 1, key.end()); 643 uint160 hash(hash_vec); 644 if (hash160_preimages.count(hash) > 0) { 645 throw std::ios_base::failure("Duplicate Key, input hash160 preimage already provided"); 646 } 647 648 // Read in the preimage from value 649 std::vector<unsigned char> preimage; 650 s >> preimage; 651 652 // Add to preimages list 653 hash160_preimages.emplace(hash, std::move(preimage)); 654 break; 655 } 656 case PSBT_IN_HASH256: 657 { 658 // Make sure that the key is the size of a hash256 hash + 1 659 if (key.size() != CHash256::OUTPUT_SIZE + 1) { 660 throw std::ios_base::failure("Size of key was not the expected size for the type hash256 preimage"); 661 } 662 // Read in the hash from key 663 std::vector<unsigned char> hash_vec(key.begin() + 1, key.end()); 664 uint256 hash(hash_vec); 665 if (hash256_preimages.count(hash) > 0) { 666 throw std::ios_base::failure("Duplicate Key, input hash256 preimage already provided"); 667 } 668 669 // Read in the preimage from value 670 std::vector<unsigned char> preimage; 671 s >> preimage; 672 673 // Add to preimages list 674 hash256_preimages.emplace(hash, std::move(preimage)); 675 break; 676 } 677 case PSBT_IN_TAP_KEY_SIG: 678 { 679 if (!key_lookup.emplace(key).second) { 680 throw std::ios_base::failure("Duplicate Key, input Taproot key signature already provided"); 681 } else if (key.size() != 1) { 682 throw std::ios_base::failure("Input Taproot key signature key is more than one byte type"); 683 } 684 s >> m_tap_key_sig; 685 if (m_tap_key_sig.size() < 64) { 686 throw std::ios_base::failure("Input Taproot key path signature is shorter than 64 bytes"); 687 } else if (m_tap_key_sig.size() > 65) { 688 throw std::ios_base::failure("Input Taproot key path signature is longer than 65 bytes"); 689 } 690 break; 691 } 692 case PSBT_IN_TAP_SCRIPT_SIG: 693 { 694 if (!key_lookup.emplace(key).second) { 695 throw std::ios_base::failure("Duplicate Key, input Taproot script signature already provided"); 696 } else if (key.size() != 65) { 697 throw std::ios_base::failure("Input Taproot script signature key is not 65 bytes"); 698 } 699 SpanReader s_key{std::span{key}.subspan(1)}; 700 XOnlyPubKey xonly; 701 uint256 hash; 702 s_key >> xonly; 703 s_key >> hash; 704 std::vector<unsigned char> sig; 705 s >> sig; 706 if (sig.size() < 64) { 707 throw std::ios_base::failure("Input Taproot script path signature is shorter than 64 bytes"); 708 } else if (sig.size() > 65) { 709 throw std::ios_base::failure("Input Taproot script path signature is longer than 65 bytes"); 710 } 711 m_tap_script_sigs.emplace(std::make_pair(xonly, hash), sig); 712 break; 713 } 714 case PSBT_IN_TAP_LEAF_SCRIPT: 715 { 716 if (!key_lookup.emplace(key).second) { 717 throw std::ios_base::failure("Duplicate Key, input Taproot leaf script already provided"); 718 } else if (key.size() < 34) { 719 throw std::ios_base::failure("Taproot leaf script key is not at least 34 bytes"); 720 } else if ((key.size() - 2) % 32 != 0) { 721 throw std::ios_base::failure("Input Taproot leaf script key's control block size is not valid"); 722 } 723 std::vector<unsigned char> script_v; 724 s >> script_v; 725 if (script_v.empty()) { 726 throw std::ios_base::failure("Input Taproot leaf script must be at least 1 byte"); 727 } 728 uint8_t leaf_ver = script_v.back(); 729 script_v.pop_back(); 730 const auto leaf_script = std::make_pair(script_v, (int)leaf_ver); 731 m_tap_scripts[leaf_script].insert(std::vector<unsigned char>(key.begin() + 1, key.end())); 732 break; 733 } 734 case PSBT_IN_TAP_BIP32_DERIVATION: 735 { 736 if (!key_lookup.emplace(key).second) { 737 throw std::ios_base::failure("Duplicate Key, input Taproot BIP32 keypath already provided"); 738 } else if (key.size() != 33) { 739 throw std::ios_base::failure("Input Taproot BIP32 keypath key is not at 33 bytes"); 740 } 741 SpanReader s_key{std::span{key}.subspan(1)}; 742 XOnlyPubKey xonly; 743 s_key >> xonly; 744 std::set<uint256> leaf_hashes; 745 uint64_t value_len = ReadCompactSize(s); 746 size_t before_hashes = s.size(); 747 s >> leaf_hashes; 748 size_t after_hashes = s.size(); 749 size_t hashes_len = before_hashes - after_hashes; 750 if (hashes_len > value_len) { 751 throw std::ios_base::failure("Input Taproot BIP32 keypath has an invalid length"); 752 } 753 size_t origin_len = value_len - hashes_len; 754 m_tap_bip32_paths.emplace(xonly, std::make_pair(leaf_hashes, DeserializeKeyOrigin(s, origin_len))); 755 break; 756 } 757 case PSBT_IN_TAP_INTERNAL_KEY: 758 { 759 if (!key_lookup.emplace(key).second) { 760 throw std::ios_base::failure("Duplicate Key, input Taproot internal key already provided"); 761 } else if (key.size() != 1) { 762 throw std::ios_base::failure("Input Taproot internal key key is more than one byte type"); 763 } 764 UnserializeFromVector(s, m_tap_internal_key); 765 break; 766 } 767 case PSBT_IN_TAP_MERKLE_ROOT: 768 { 769 if (!key_lookup.emplace(key).second) { 770 throw std::ios_base::failure("Duplicate Key, input Taproot merkle root already provided"); 771 } else if (key.size() != 1) { 772 throw std::ios_base::failure("Input Taproot merkle root key is more than one byte type"); 773 } 774 UnserializeFromVector(s, m_tap_merkle_root); 775 break; 776 } 777 case PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS: 778 { 779 if (!key_lookup.emplace(key).second) { 780 throw std::ios_base::failure("Duplicate Key, input participant pubkeys for an aggregate key already provided"); 781 } else if (key.size() != CPubKey::COMPRESSED_SIZE + 1) { 782 throw std::ios_base::failure("Input musig2 participants pubkeys aggregate key is not 34 bytes"); 783 } 784 DeserializeMuSig2ParticipantPubkeys(s, skey, m_musig2_participants, std::string{"Input"}); 785 break; 786 } 787 case PSBT_IN_MUSIG2_PUB_NONCE: 788 { 789 if (!key_lookup.emplace(key).second) { 790 throw std::ios_base::failure("Duplicate Key, input musig2 pubnonce already provided"); 791 } else if (key.size() != 2 * CPubKey::COMPRESSED_SIZE + 1 && key.size() != 2 * CPubKey::COMPRESSED_SIZE + CSHA256::OUTPUT_SIZE + 1) { 792 throw std::ios_base::failure("Input musig2 pubnonce key is not expected size of 67 or 99 bytes"); 793 } 794 CPubKey agg_pub, part_pub; 795 uint256 leaf_hash; 796 DeserializeMuSig2ParticipantDataIdentifier(skey, agg_pub, part_pub, leaf_hash); 797 798 std::vector<uint8_t> pubnonce; 799 s >> pubnonce; 800 if (pubnonce.size() != MUSIG2_PUBNONCE_SIZE) { 801 throw std::ios_base::failure("Input musig2 pubnonce value is not 66 bytes"); 802 } 803 804 m_musig2_pubnonces[std::make_pair(agg_pub, leaf_hash)].emplace(part_pub, pubnonce); 805 break; 806 } 807 case PSBT_IN_MUSIG2_PARTIAL_SIG: 808 { 809 if (!key_lookup.emplace(key).second) { 810 throw std::ios_base::failure("Duplicate Key, input musig2 partial sig already provided"); 811 } else if (key.size() != 2 * CPubKey::COMPRESSED_SIZE + 1 && key.size() != 2 * CPubKey::COMPRESSED_SIZE + CSHA256::OUTPUT_SIZE + 1) { 812 throw std::ios_base::failure("Input musig2 partial sig key is not expected size of 67 or 99 bytes"); 813 } 814 CPubKey agg_pub, part_pub; 815 uint256 leaf_hash; 816 DeserializeMuSig2ParticipantDataIdentifier(skey, agg_pub, part_pub, leaf_hash); 817 818 uint256 partial_sig; 819 UnserializeFromVector(s, partial_sig); 820 821 m_musig2_partial_sigs[std::make_pair(agg_pub, leaf_hash)].emplace(part_pub, partial_sig); 822 break; 823 } 824 case PSBT_IN_PROPRIETARY: 825 { 826 PSBTProprietary this_prop; 827 skey >> this_prop.identifier; 828 this_prop.subtype = ReadCompactSize(skey); 829 this_prop.key = key; 830 831 if (m_proprietary.count(this_prop) > 0) { 832 throw std::ios_base::failure("Duplicate Key, proprietary key already found"); 833 } 834 s >> this_prop.value; 835 m_proprietary.insert(this_prop); 836 break; 837 } 838 // Unknown stuff 839 default: 840 if (unknown.count(key) > 0) { 841 throw std::ios_base::failure("Duplicate Key, key for unknown value already provided"); 842 } 843 // Read in the value 844 std::vector<unsigned char> val_bytes; 845 s >> val_bytes; 846 unknown.emplace(std::move(key), std::move(val_bytes)); 847 break; 848 } 849 } 850 851 if (!found_sep) { 852 throw std::ios_base::failure("Separator is missing at the end of an input map"); 853 } 854 } 855 856 template <typename Stream> 857 PSBTInput(deserialize_type, Stream& s) { 858 Unserialize(s); 859 } 860 }; 861 862 /** A structure for PSBTs which contains per output information */ 863 struct PSBTOutput 864 { 865 CScript redeem_script; 866 CScript witness_script; 867 std::map<CPubKey, KeyOriginInfo> hd_keypaths; 868 XOnlyPubKey m_tap_internal_key; 869 std::vector<std::tuple<uint8_t, uint8_t, std::vector<unsigned char>>> m_tap_tree; 870 std::map<XOnlyPubKey, std::pair<std::set<uint256>, KeyOriginInfo>> m_tap_bip32_paths; 871 std::map<CPubKey, std::vector<CPubKey>> m_musig2_participants; 872 std::map<std::vector<unsigned char>, std::vector<unsigned char>> unknown; 873 std::set<PSBTProprietary> m_proprietary; 874 875 bool IsNull() const; 876 void FillSignatureData(SignatureData& sigdata) const; 877 void FromSignatureData(const SignatureData& sigdata); 878 void Merge(const PSBTOutput& output); 879 PSBTOutput() = default; 880 881 template <typename Stream> 882 inline void Serialize(Stream& s) const { 883 // Write the redeem script 884 if (!redeem_script.empty()) { 885 SerializeToVector(s, CompactSizeWriter(PSBT_OUT_REDEEMSCRIPT)); 886 s << redeem_script; 887 } 888 889 // Write the witness script 890 if (!witness_script.empty()) { 891 SerializeToVector(s, CompactSizeWriter(PSBT_OUT_WITNESSSCRIPT)); 892 s << witness_script; 893 } 894 895 // Write any hd keypaths 896 SerializeHDKeypaths(s, hd_keypaths, CompactSizeWriter(PSBT_OUT_BIP32_DERIVATION)); 897 898 // Write proprietary things 899 for (const auto& entry : m_proprietary) { 900 s << entry.key; 901 s << entry.value; 902 } 903 904 // Write taproot internal key 905 if (!m_tap_internal_key.IsNull()) { 906 SerializeToVector(s, PSBT_OUT_TAP_INTERNAL_KEY); 907 s << ToByteVector(m_tap_internal_key); 908 } 909 910 // Write taproot tree 911 if (!m_tap_tree.empty()) { 912 SerializeToVector(s, PSBT_OUT_TAP_TREE); 913 std::vector<unsigned char> value; 914 VectorWriter s_value{value, 0}; 915 for (const auto& [depth, leaf_ver, script] : m_tap_tree) { 916 s_value << depth; 917 s_value << leaf_ver; 918 s_value << script; 919 } 920 s << value; 921 } 922 923 // Write taproot bip32 keypaths 924 for (const auto& [xonly, leaf] : m_tap_bip32_paths) { 925 const auto& [leaf_hashes, origin] = leaf; 926 SerializeToVector(s, PSBT_OUT_TAP_BIP32_DERIVATION, xonly); 927 std::vector<unsigned char> value; 928 VectorWriter s_value{value, 0}; 929 s_value << leaf_hashes; 930 SerializeKeyOrigin(s_value, origin); 931 s << value; 932 } 933 934 // Write MuSig2 Participants 935 for (const auto& [agg_pubkey, part_pubs] : m_musig2_participants) { 936 SerializeToVector(s, CompactSizeWriter(PSBT_OUT_MUSIG2_PARTICIPANT_PUBKEYS), std::span{agg_pubkey}); 937 std::vector<unsigned char> value; 938 VectorWriter s_value{value, 0}; 939 for (auto& pk : part_pubs) { 940 s_value << std::span{pk}; 941 } 942 s << value; 943 } 944 945 // Write unknown things 946 for (auto& entry : unknown) { 947 s << entry.first; 948 s << entry.second; 949 } 950 951 s << PSBT_SEPARATOR; 952 } 953 954 955 template <typename Stream> 956 inline void Unserialize(Stream& s) { 957 // Used for duplicate key detection 958 std::set<std::vector<unsigned char>> key_lookup; 959 960 // Read loop 961 bool found_sep = false; 962 while(!s.empty()) { 963 // Read the key of format "<keylen><keytype><keydata>" after which 964 // "key" will contain "<keytype><keydata>" 965 std::vector<unsigned char> key; 966 s >> key; 967 968 // the key is empty if that was actually a separator byte 969 // This is a special case for key lengths 0 as those are not allowed (except for separator) 970 if (key.empty()) { 971 found_sep = true; 972 break; 973 } 974 975 // "skey" is used so that "key" is unchanged after reading keytype below 976 SpanReader skey{key}; 977 // keytype is of the format compact size uint at the beginning of "key" 978 uint64_t type = ReadCompactSize(skey); 979 980 // Do stuff based on keytype "type", i.e., key checks, reading values of the 981 // format "<valuelen><valuedata>" from the stream "s", and value checks 982 switch(type) { 983 case PSBT_OUT_REDEEMSCRIPT: 984 { 985 if (!key_lookup.emplace(key).second) { 986 throw std::ios_base::failure("Duplicate Key, output redeemScript already provided"); 987 } else if (key.size() != 1) { 988 throw std::ios_base::failure("Output redeemScript key is more than one byte type"); 989 } 990 s >> redeem_script; 991 break; 992 } 993 case PSBT_OUT_WITNESSSCRIPT: 994 { 995 if (!key_lookup.emplace(key).second) { 996 throw std::ios_base::failure("Duplicate Key, output witnessScript already provided"); 997 } else if (key.size() != 1) { 998 throw std::ios_base::failure("Output witnessScript key is more than one byte type"); 999 } 1000 s >> witness_script; 1001 break; 1002 } 1003 case PSBT_OUT_BIP32_DERIVATION: 1004 { 1005 DeserializeHDKeypaths(s, key, hd_keypaths); 1006 break; 1007 } 1008 case PSBT_OUT_TAP_INTERNAL_KEY: 1009 { 1010 if (!key_lookup.emplace(key).second) { 1011 throw std::ios_base::failure("Duplicate Key, output Taproot internal key already provided"); 1012 } else if (key.size() != 1) { 1013 throw std::ios_base::failure("Output Taproot internal key key is more than one byte type"); 1014 } 1015 UnserializeFromVector(s, m_tap_internal_key); 1016 break; 1017 } 1018 case PSBT_OUT_TAP_TREE: 1019 { 1020 if (!key_lookup.emplace(key).second) { 1021 throw std::ios_base::failure("Duplicate Key, output Taproot tree already provided"); 1022 } else if (key.size() != 1) { 1023 throw std::ios_base::failure("Output Taproot tree key is more than one byte type"); 1024 } 1025 std::vector<unsigned char> tree_v; 1026 s >> tree_v; 1027 SpanReader s_tree{tree_v}; 1028 if (s_tree.empty()) { 1029 throw std::ios_base::failure("Output Taproot tree must not be empty"); 1030 } 1031 TaprootBuilder builder; 1032 while (!s_tree.empty()) { 1033 uint8_t depth; 1034 uint8_t leaf_ver; 1035 std::vector<unsigned char> script; 1036 s_tree >> depth; 1037 s_tree >> leaf_ver; 1038 s_tree >> script; 1039 if (depth > TAPROOT_CONTROL_MAX_NODE_COUNT) { 1040 throw std::ios_base::failure("Output Taproot tree has as leaf greater than Taproot maximum depth"); 1041 } 1042 if ((leaf_ver & ~TAPROOT_LEAF_MASK) != 0) { 1043 throw std::ios_base::failure("Output Taproot tree has a leaf with an invalid leaf version"); 1044 } 1045 m_tap_tree.emplace_back(depth, leaf_ver, script); 1046 builder.Add((int)depth, script, (int)leaf_ver, /*track=*/true); 1047 } 1048 if (!builder.IsComplete()) { 1049 throw std::ios_base::failure("Output Taproot tree is malformed"); 1050 } 1051 break; 1052 } 1053 case PSBT_OUT_TAP_BIP32_DERIVATION: 1054 { 1055 if (!key_lookup.emplace(key).second) { 1056 throw std::ios_base::failure("Duplicate Key, output Taproot BIP32 keypath already provided"); 1057 } else if (key.size() != 33) { 1058 throw std::ios_base::failure("Output Taproot BIP32 keypath key is not at 33 bytes"); 1059 } 1060 XOnlyPubKey xonly(uint256(std::span<uint8_t>(key).last(32))); 1061 std::set<uint256> leaf_hashes; 1062 uint64_t value_len = ReadCompactSize(s); 1063 size_t before_hashes = s.size(); 1064 s >> leaf_hashes; 1065 size_t after_hashes = s.size(); 1066 size_t hashes_len = before_hashes - after_hashes; 1067 if (hashes_len > value_len) { 1068 throw std::ios_base::failure("Output Taproot BIP32 keypath has an invalid length"); 1069 } 1070 size_t origin_len = value_len - hashes_len; 1071 m_tap_bip32_paths.emplace(xonly, std::make_pair(leaf_hashes, DeserializeKeyOrigin(s, origin_len))); 1072 break; 1073 } 1074 case PSBT_OUT_MUSIG2_PARTICIPANT_PUBKEYS: 1075 { 1076 if (!key_lookup.emplace(key).second) { 1077 throw std::ios_base::failure("Duplicate Key, output participant pubkeys for an aggregate key already provided"); 1078 } else if (key.size() != CPubKey::COMPRESSED_SIZE + 1) { 1079 throw std::ios_base::failure("Output musig2 participants pubkeys aggregate key is not 34 bytes"); 1080 } 1081 DeserializeMuSig2ParticipantPubkeys(s, skey, m_musig2_participants, std::string{"Output"}); 1082 break; 1083 } 1084 case PSBT_OUT_PROPRIETARY: 1085 { 1086 PSBTProprietary this_prop; 1087 skey >> this_prop.identifier; 1088 this_prop.subtype = ReadCompactSize(skey); 1089 this_prop.key = key; 1090 1091 if (m_proprietary.count(this_prop) > 0) { 1092 throw std::ios_base::failure("Duplicate Key, proprietary key already found"); 1093 } 1094 s >> this_prop.value; 1095 m_proprietary.insert(this_prop); 1096 break; 1097 } 1098 // Unknown stuff 1099 default: { 1100 if (unknown.count(key) > 0) { 1101 throw std::ios_base::failure("Duplicate Key, key for unknown value already provided"); 1102 } 1103 // Read in the value 1104 std::vector<unsigned char> val_bytes; 1105 s >> val_bytes; 1106 unknown.emplace(std::move(key), std::move(val_bytes)); 1107 break; 1108 } 1109 } 1110 } 1111 1112 if (!found_sep) { 1113 throw std::ios_base::failure("Separator is missing at the end of an output map"); 1114 } 1115 } 1116 1117 template <typename Stream> 1118 PSBTOutput(deserialize_type, Stream& s) { 1119 Unserialize(s); 1120 } 1121 }; 1122 1123 /** A version of CTransaction with the PSBT format*/ 1124 struct PartiallySignedTransaction 1125 { 1126 std::optional<CMutableTransaction> tx; 1127 // We use a vector of CExtPubKey in the event that there happens to be the same KeyOriginInfos for different CExtPubKeys 1128 // Note that this map swaps the key and values from the serialization 1129 std::map<KeyOriginInfo, std::set<CExtPubKey>> m_xpubs; 1130 std::vector<PSBTInput> inputs; 1131 std::vector<PSBTOutput> outputs; 1132 std::map<std::vector<unsigned char>, std::vector<unsigned char>> unknown; 1133 std::optional<uint32_t> m_version; 1134 std::set<PSBTProprietary> m_proprietary; 1135 1136 bool IsNull() const; 1137 uint32_t GetVersion() const; 1138 1139 /** Merge psbt into this. The two psbts must have the same underlying CTransaction (i.e. the 1140 * same actual Bitcoin transaction.) Returns true if the merge succeeded, false otherwise. */ 1141 [[nodiscard]] bool Merge(const PartiallySignedTransaction& psbt); 1142 bool AddInput(const CTxIn& txin, PSBTInput& psbtin); 1143 bool AddOutput(const CTxOut& txout, const PSBTOutput& psbtout); 1144 PartiallySignedTransaction() = default; 1145 explicit PartiallySignedTransaction(const CMutableTransaction& tx); 1146 /** 1147 * Finds the UTXO for a given input index 1148 * 1149 * @param[out] utxo The UTXO of the input if found 1150 * @param[in] input_index Index of the input to retrieve the UTXO of 1151 * @return Whether the UTXO for the specified input was found 1152 */ 1153 bool GetInputUTXO(CTxOut& utxo, int input_index) const; 1154 1155 template <typename Stream> 1156 inline void Serialize(Stream& s) const { 1157 1158 // magic bytes 1159 s << PSBT_MAGIC_BYTES; 1160 1161 // unsigned tx flag 1162 SerializeToVector(s, CompactSizeWriter(PSBT_GLOBAL_UNSIGNED_TX)); 1163 1164 // Write serialized tx to a stream 1165 SerializeToVector(s, TX_NO_WITNESS(*tx)); 1166 1167 // Write xpubs 1168 for (const auto& xpub_pair : m_xpubs) { 1169 for (const auto& xpub : xpub_pair.second) { 1170 unsigned char ser_xpub[BIP32_EXTKEY_WITH_VERSION_SIZE]; 1171 xpub.EncodeWithVersion(ser_xpub); 1172 // Note that the serialization swaps the key and value 1173 // The xpub is the key (for uniqueness) while the path is the value 1174 SerializeToVector(s, PSBT_GLOBAL_XPUB, ser_xpub); 1175 SerializeHDKeypath(s, xpub_pair.first); 1176 } 1177 } 1178 1179 // PSBT version 1180 if (GetVersion() > 0) { 1181 SerializeToVector(s, CompactSizeWriter(PSBT_GLOBAL_VERSION)); 1182 SerializeToVector(s, *m_version); 1183 } 1184 1185 // Write proprietary things 1186 for (const auto& entry : m_proprietary) { 1187 s << entry.key; 1188 s << entry.value; 1189 } 1190 1191 // Write the unknown things 1192 for (auto& entry : unknown) { 1193 s << entry.first; 1194 s << entry.second; 1195 } 1196 1197 // Separator 1198 s << PSBT_SEPARATOR; 1199 1200 // Write inputs 1201 for (const PSBTInput& input : inputs) { 1202 s << input; 1203 } 1204 // Write outputs 1205 for (const PSBTOutput& output : outputs) { 1206 s << output; 1207 } 1208 } 1209 1210 1211 template <typename Stream> 1212 inline void Unserialize(Stream& s) { 1213 // Read the magic bytes 1214 uint8_t magic[5]; 1215 s >> magic; 1216 if (!std::equal(magic, magic + 5, PSBT_MAGIC_BYTES)) { 1217 throw std::ios_base::failure("Invalid PSBT magic bytes"); 1218 } 1219 1220 // Used for duplicate key detection 1221 std::set<std::vector<unsigned char>> key_lookup; 1222 1223 // Track the global xpubs we have already seen. Just for sanity checking 1224 std::set<CExtPubKey> global_xpubs; 1225 1226 // Read global data 1227 bool found_sep = false; 1228 while(!s.empty()) { 1229 // Read the key of format "<keylen><keytype><keydata>" after which 1230 // "key" will contain "<keytype><keydata>" 1231 std::vector<unsigned char> key; 1232 s >> key; 1233 1234 // the key is empty if that was actually a separator byte 1235 // This is a special case for key lengths 0 as those are not allowed (except for separator) 1236 if (key.empty()) { 1237 found_sep = true; 1238 break; 1239 } 1240 1241 // "skey" is used so that "key" is unchanged after reading keytype below 1242 SpanReader skey{key}; 1243 // keytype is of the format compact size uint at the beginning of "key" 1244 uint64_t type = ReadCompactSize(skey); 1245 1246 // Do stuff based on keytype "type", i.e., key checks, reading values of the 1247 // format "<valuelen><valuedata>" from the stream "s", and value checks 1248 switch(type) { 1249 case PSBT_GLOBAL_UNSIGNED_TX: 1250 { 1251 if (!key_lookup.emplace(key).second) { 1252 throw std::ios_base::failure("Duplicate Key, unsigned tx already provided"); 1253 } else if (key.size() != 1) { 1254 throw std::ios_base::failure("Global unsigned tx key is more than one byte type"); 1255 } 1256 CMutableTransaction mtx; 1257 // Set the stream to serialize with non-witness since this should always be non-witness 1258 UnserializeFromVector(s, TX_NO_WITNESS(mtx)); 1259 tx = std::move(mtx); 1260 // Make sure that all scriptSigs and scriptWitnesses are empty 1261 for (const CTxIn& txin : tx->vin) { 1262 if (!txin.scriptSig.empty() || !txin.scriptWitness.IsNull()) { 1263 throw std::ios_base::failure("Unsigned tx does not have empty scriptSigs and scriptWitnesses."); 1264 } 1265 } 1266 break; 1267 } 1268 case PSBT_GLOBAL_XPUB: 1269 { 1270 if (key.size() != BIP32_EXTKEY_WITH_VERSION_SIZE + 1) { 1271 throw std::ios_base::failure("Size of key was not the expected size for the type global xpub"); 1272 } 1273 // Read in the xpub from key 1274 CExtPubKey xpub; 1275 xpub.DecodeWithVersion(&key.data()[1]); 1276 if (!xpub.pubkey.IsFullyValid()) { 1277 throw std::ios_base::failure("Invalid pubkey"); 1278 } 1279 if (global_xpubs.count(xpub) > 0) { 1280 throw std::ios_base::failure("Duplicate key, global xpub already provided"); 1281 } 1282 global_xpubs.insert(xpub); 1283 // Read in the keypath from stream 1284 KeyOriginInfo keypath; 1285 DeserializeHDKeypath(s, keypath); 1286 1287 // Note that we store these swapped to make searches faster. 1288 // Serialization uses xpub -> keypath to enqure key uniqueness 1289 if (m_xpubs.count(keypath) == 0) { 1290 // Make a new set to put the xpub in 1291 m_xpubs[keypath] = {xpub}; 1292 } else { 1293 // Insert xpub into existing set 1294 m_xpubs[keypath].insert(xpub); 1295 } 1296 break; 1297 } 1298 case PSBT_GLOBAL_VERSION: 1299 { 1300 if (m_version) { 1301 throw std::ios_base::failure("Duplicate Key, version already provided"); 1302 } else if (key.size() != 1) { 1303 throw std::ios_base::failure("Global version key is more than one byte type"); 1304 } 1305 uint32_t v; 1306 UnserializeFromVector(s, v); 1307 m_version = v; 1308 if (*m_version > PSBT_HIGHEST_VERSION) { 1309 throw std::ios_base::failure("Unsupported version number"); 1310 } 1311 break; 1312 } 1313 case PSBT_GLOBAL_PROPRIETARY: 1314 { 1315 PSBTProprietary this_prop; 1316 skey >> this_prop.identifier; 1317 this_prop.subtype = ReadCompactSize(skey); 1318 this_prop.key = key; 1319 1320 if (m_proprietary.count(this_prop) > 0) { 1321 throw std::ios_base::failure("Duplicate Key, proprietary key already found"); 1322 } 1323 s >> this_prop.value; 1324 m_proprietary.insert(this_prop); 1325 break; 1326 } 1327 // Unknown stuff 1328 default: { 1329 if (unknown.count(key) > 0) { 1330 throw std::ios_base::failure("Duplicate Key, key for unknown value already provided"); 1331 } 1332 // Read in the value 1333 std::vector<unsigned char> val_bytes; 1334 s >> val_bytes; 1335 unknown.emplace(std::move(key), std::move(val_bytes)); 1336 } 1337 } 1338 } 1339 1340 if (!found_sep) { 1341 throw std::ios_base::failure("Separator is missing at the end of the global map"); 1342 } 1343 1344 // Make sure that we got an unsigned tx 1345 if (!tx) { 1346 throw std::ios_base::failure("No unsigned transaction was provided"); 1347 } 1348 1349 // Read input data 1350 unsigned int i = 0; 1351 while (!s.empty() && i < tx->vin.size()) { 1352 PSBTInput input; 1353 s >> input; 1354 inputs.push_back(input); 1355 1356 // Make sure the non-witness utxo matches the outpoint 1357 if (input.non_witness_utxo) { 1358 if (input.non_witness_utxo->GetHash() != tx->vin[i].prevout.hash) { 1359 throw std::ios_base::failure("Non-witness UTXO does not match outpoint hash"); 1360 } 1361 if (tx->vin[i].prevout.n >= input.non_witness_utxo->vout.size()) { 1362 throw std::ios_base::failure("Input specifies output index that does not exist"); 1363 } 1364 } 1365 ++i; 1366 } 1367 // Make sure that the number of inputs matches the number of inputs in the transaction 1368 if (inputs.size() != tx->vin.size()) { 1369 throw std::ios_base::failure("Inputs provided does not match the number of inputs in transaction."); 1370 } 1371 1372 // Read output data 1373 i = 0; 1374 while (!s.empty() && i < tx->vout.size()) { 1375 PSBTOutput output; 1376 s >> output; 1377 outputs.push_back(output); 1378 ++i; 1379 } 1380 // Make sure that the number of outputs matches the number of outputs in the transaction 1381 if (outputs.size() != tx->vout.size()) { 1382 throw std::ios_base::failure("Outputs provided does not match the number of outputs in transaction."); 1383 } 1384 } 1385 1386 template <typename Stream> 1387 PartiallySignedTransaction(deserialize_type, Stream& s) { 1388 Unserialize(s); 1389 } 1390 }; 1391 1392 enum class PSBTRole { 1393 CREATOR, 1394 UPDATER, 1395 SIGNER, 1396 FINALIZER, 1397 EXTRACTOR 1398 }; 1399 1400 std::string PSBTRoleName(PSBTRole role); 1401 1402 /** Compute a PrecomputedTransactionData object from a psbt. */ 1403 PrecomputedTransactionData PrecomputePSBTData(const PartiallySignedTransaction& psbt); 1404 1405 /** Checks whether a PSBTInput is already signed by checking for non-null finalized fields. */ 1406 bool PSBTInputSigned(const PSBTInput& input); 1407 1408 /** Checks whether a PSBTInput is already signed by doing script verification using final fields. */ 1409 bool PSBTInputSignedAndVerified(const PartiallySignedTransaction psbt, unsigned int input_index, const PrecomputedTransactionData* txdata); 1410 1411 /** Signs a PSBTInput, verifying that all provided data matches what is being signed. 1412 * 1413 * txdata should be the output of PrecomputePSBTData (which can be shared across 1414 * multiple SignPSBTInput calls). If it is nullptr, a dummy signature will be created. 1415 **/ 1416 [[nodiscard]] PSBTError SignPSBTInput(const SigningProvider& provider, PartiallySignedTransaction& psbt, int index, const PrecomputedTransactionData* txdata, std::optional<int> sighash = std::nullopt, SignatureData* out_sigdata = nullptr, bool finalize = true); 1417 1418 /** Reduces the size of the PSBT by dropping unnecessary `non_witness_utxos` (i.e. complete previous transactions) from a psbt when all inputs are segwit v1. */ 1419 void RemoveUnnecessaryTransactions(PartiallySignedTransaction& psbtx); 1420 1421 /** Counts the unsigned inputs of a PSBT. */ 1422 size_t CountPSBTUnsignedInputs(const PartiallySignedTransaction& psbt); 1423 1424 /** Updates a PSBTOutput with information from provider. 1425 * 1426 * This fills in the redeem_script, witness_script, and hd_keypaths where possible. 1427 */ 1428 void UpdatePSBTOutput(const SigningProvider& provider, PartiallySignedTransaction& psbt, int index); 1429 1430 /** 1431 * Finalizes a PSBT if possible, combining partial signatures. 1432 * 1433 * @param[in,out] psbtx PartiallySignedTransaction to finalize 1434 * return True if the PSBT is now complete, false otherwise 1435 */ 1436 bool FinalizePSBT(PartiallySignedTransaction& psbtx); 1437 1438 /** 1439 * Finalizes a PSBT if possible, and extracts it to a CMutableTransaction if it could be finalized. 1440 * 1441 * @param[in] psbtx PartiallySignedTransaction 1442 * @param[out] result CMutableTransaction representing the complete transaction, if successful 1443 * @return True if we successfully extracted the transaction, false otherwise 1444 */ 1445 bool FinalizeAndExtractPSBT(PartiallySignedTransaction& psbtx, CMutableTransaction& result); 1446 1447 /** 1448 * Combines PSBTs with the same underlying transaction, resulting in a single PSBT with all partial signatures from each input. 1449 * 1450 * @param[out] out the combined PSBT, if successful 1451 * @param[in] psbtxs the PSBTs to combine 1452 * @return True if we successfully combined the transactions, false if they were not compatible 1453 */ 1454 [[nodiscard]] bool CombinePSBTs(PartiallySignedTransaction& out, const std::vector<PartiallySignedTransaction>& psbtxs); 1455 1456 //! Decode a base64ed PSBT into a PartiallySignedTransaction 1457 [[nodiscard]] bool DecodeBase64PSBT(PartiallySignedTransaction& decoded_psbt, const std::string& base64_psbt, std::string& error); 1458 //! Decode a raw (binary blob) PSBT into a PartiallySignedTransaction 1459 [[nodiscard]] bool DecodeRawPSBT(PartiallySignedTransaction& decoded_psbt, std::span<const std::byte> raw_psbt, std::string& error); 1460 1461 #endif // BITCOIN_PSBT_H