signingprovider.h
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #ifndef BITCOIN_SCRIPT_SIGNINGPROVIDER_H 7 #define BITCOIN_SCRIPT_SIGNINGPROVIDER_H 8 9 #include <addresstype.h> 10 #include <attributes.h> 11 #include <key.h> 12 #include <musig.h> 13 #include <pubkey.h> 14 #include <script/keyorigin.h> 15 #include <script/script.h> 16 #include <sync.h> 17 18 #include <functional> 19 #include <optional> 20 21 struct ShortestVectorFirstComparator 22 { 23 bool operator()(const std::vector<unsigned char>& a, const std::vector<unsigned char>& b) const 24 { 25 if (a.size() < b.size()) return true; 26 if (a.size() > b.size()) return false; 27 return a < b; 28 } 29 }; 30 31 struct TaprootSpendData 32 { 33 /** The BIP341 internal key. */ 34 XOnlyPubKey internal_key; 35 /** The Merkle root of the script tree (0 if no scripts). */ 36 uint256 merkle_root; 37 /** Map from (script, leaf_version) to (sets of) control blocks. 38 * More than one control block for a given script is only possible if it 39 * appears in multiple branches of the tree. We keep them all so that 40 * inference can reconstruct the full tree. Within each set, the control 41 * blocks are sorted by size, so that the signing logic can easily 42 * prefer the cheapest one. */ 43 std::map<std::pair<std::vector<unsigned char>, int>, std::set<std::vector<unsigned char>, ShortestVectorFirstComparator>> scripts; 44 /** Merge other TaprootSpendData (for the same scriptPubKey) into this. */ 45 void Merge(TaprootSpendData other); 46 }; 47 48 /** Utility class to construct Taproot outputs from internal key and script tree. */ 49 class TaprootBuilder 50 { 51 private: 52 /** Information about a tracked leaf in the Merkle tree. */ 53 struct LeafInfo 54 { 55 std::vector<unsigned char> script; //!< The script. 56 int leaf_version; //!< The leaf version for that script. 57 std::vector<uint256> merkle_branch; //!< The hashing partners above this leaf. 58 }; 59 60 /** Information associated with a node in the Merkle tree. */ 61 struct NodeInfo 62 { 63 /** Merkle hash of this node. */ 64 uint256 hash; 65 /** Tracked leaves underneath this node (either from the node itself, or its children). 66 * The merkle_branch field of each is the partners to get to *this* node. */ 67 std::vector<LeafInfo> leaves; 68 }; 69 /** Whether the builder is in a valid state so far. */ 70 bool m_valid = true; 71 72 /** The current state of the builder. 73 * 74 * For each level in the tree, one NodeInfo object may be present. m_branch[0] 75 * is information about the root; further values are for deeper subtrees being 76 * explored. 77 * 78 * For every right branch taken to reach the position we're currently 79 * working in, there will be a (non-nullopt) entry in m_branch corresponding 80 * to the left branch at that level. 81 * 82 * For example, imagine this tree: - N0 - 83 * / \ 84 * N1 N2 85 * / \ / \ 86 * A B C N3 87 * / \ 88 * D E 89 * 90 * Initially, m_branch is empty. After processing leaf A, it would become 91 * {nullopt, nullopt, A}. When processing leaf B, an entry at level 2 already 92 * exists, and it would thus be combined with it to produce a level 1 one, 93 * resulting in {nullopt, N1}. Adding C and D takes us to {nullopt, N1, C} 94 * and {nullopt, N1, C, D} respectively. When E is processed, it is combined 95 * with D, and then C, and then N1, to produce the root, resulting in {N0}. 96 * 97 * This structure allows processing with just O(log n) overhead if the leaves 98 * are computed on the fly. 99 * 100 * As an invariant, there can never be nullopt entries at the end. There can 101 * also not be more than 128 entries (as that would mean more than 128 levels 102 * in the tree). The depth of newly added entries will always be at least 103 * equal to the current size of m_branch (otherwise it does not correspond 104 * to a depth-first traversal of a tree). m_branch is only empty if no entries 105 * have ever be processed. m_branch having length 1 corresponds to being done. 106 */ 107 std::vector<std::optional<NodeInfo>> m_branch; 108 109 XOnlyPubKey m_internal_key; //!< The internal key, set when finalizing. 110 XOnlyPubKey m_output_key; //!< The output key, computed when finalizing. 111 bool m_parity; //!< The tweak parity, computed when finalizing. 112 113 /** Combine information about a parent Merkle tree node from its child nodes. */ 114 static NodeInfo Combine(NodeInfo&& a, NodeInfo&& b); 115 /** Insert information about a node at a certain depth, and propagate information up. */ 116 void Insert(NodeInfo&& node, int depth); 117 118 public: 119 /** Add a new script at a certain depth in the tree. Add() operations must be called 120 * in depth-first traversal order of binary tree. If track is true, it will be included in 121 * the GetSpendData() output. */ 122 TaprootBuilder& Add(int depth, std::span<const unsigned char> script, int leaf_version, bool track = true); 123 /** Like Add(), but for a Merkle node with a given hash to the tree. */ 124 TaprootBuilder& AddOmitted(int depth, const uint256& hash); 125 /** Finalize the construction. Can only be called when IsComplete() is true. 126 internal_key.IsFullyValid() must be true. */ 127 TaprootBuilder& Finalize(const XOnlyPubKey& internal_key); 128 129 /** Return true if so far all input was valid. */ 130 bool IsValid() const { return m_valid; } 131 /** Return whether there were either no leaves, or the leaves form a Huffman tree. */ 132 bool IsComplete() const { return m_valid && (m_branch.size() == 0 || (m_branch.size() == 1 && m_branch[0].has_value())); } 133 /** Compute scriptPubKey (after Finalize()). */ 134 WitnessV1Taproot GetOutput(); 135 /** Check if a list of depths is legal (will lead to IsComplete()). */ 136 static bool ValidDepths(const std::vector<int>& depths); 137 /** Compute spending data (after Finalize()). */ 138 TaprootSpendData GetSpendData() const; 139 /** Returns a vector of tuples representing the depth, leaf version, and script */ 140 std::vector<std::tuple<uint8_t, uint8_t, std::vector<unsigned char>>> GetTreeTuples() const; 141 /** Returns true if there are any tapscripts */ 142 bool HasScripts() const { return !m_branch.empty(); } 143 144 bool operator==(const TaprootBuilder& other) const { return GetTreeTuples() == other.GetTreeTuples(); } 145 }; 146 147 /** Given a TaprootSpendData and the output key, reconstruct its script tree. 148 * 149 * If the output doesn't match the spenddata, or if the data in spenddata is incomplete, 150 * std::nullopt is returned. Otherwise, a vector of (depth, script, leaf_ver) tuples is 151 * returned, corresponding to a depth-first traversal of the script tree. 152 */ 153 std::optional<std::vector<std::tuple<int, std::vector<unsigned char>, int>>> InferTaprootTree(const TaprootSpendData& spenddata, const XOnlyPubKey& output); 154 155 /** An interface to be implemented by keystores that support signing. */ 156 class SigningProvider 157 { 158 public: 159 virtual ~SigningProvider() = default; 160 virtual bool GetCScript(const CScriptID &scriptid, CScript& script) const { return false; } 161 virtual bool HaveCScript(const CScriptID &scriptid) const { return false; } 162 virtual bool GetPubKey(const CKeyID &address, CPubKey& pubkey) const { return false; } 163 virtual bool GetKey(const CKeyID &address, CKey& key) const { return false; } 164 virtual bool HaveKey(const CKeyID &address) const { return false; } 165 virtual bool GetKeyOrigin(const CKeyID& keyid, KeyOriginInfo& info) const { return false; } 166 virtual bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const { return false; } 167 virtual bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const { return false; } 168 virtual std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const { return {}; } 169 virtual std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const {return {}; } 170 virtual void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const {} 171 virtual std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const { return std::nullopt; } 172 virtual void DeleteMuSig2Session(const uint256& session_id) const {} 173 174 bool GetKeyByXOnly(const XOnlyPubKey& pubkey, CKey& key) const 175 { 176 for (const auto& id : pubkey.GetKeyIDs()) { 177 if (GetKey(id, key)) return true; 178 } 179 return false; 180 } 181 182 bool GetPubKeyByXOnly(const XOnlyPubKey& pubkey, CPubKey& out) const 183 { 184 for (const auto& id : pubkey.GetKeyIDs()) { 185 if (GetPubKey(id, out)) return true; 186 } 187 return false; 188 } 189 190 bool GetKeyOriginByXOnly(const XOnlyPubKey& pubkey, KeyOriginInfo& info) const 191 { 192 for (const auto& id : pubkey.GetKeyIDs()) { 193 if (GetKeyOrigin(id, info)) return true; 194 } 195 return false; 196 } 197 }; 198 199 extern const SigningProvider& DUMMY_SIGNING_PROVIDER; 200 201 class HidingSigningProvider : public SigningProvider 202 { 203 private: 204 const bool m_hide_secret; 205 const bool m_hide_origin; 206 const SigningProvider* m_provider; 207 208 public: 209 HidingSigningProvider(const SigningProvider* provider, bool hide_secret, bool hide_origin) : m_hide_secret(hide_secret), m_hide_origin(hide_origin), m_provider(provider) {} 210 bool GetCScript(const CScriptID& scriptid, CScript& script) const override; 211 bool GetPubKey(const CKeyID& keyid, CPubKey& pubkey) const override; 212 bool GetKey(const CKeyID& keyid, CKey& key) const override; 213 bool GetKeyOrigin(const CKeyID& keyid, KeyOriginInfo& info) const override; 214 bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override; 215 bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override; 216 std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override; 217 std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const override; 218 void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override; 219 std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override; 220 void DeleteMuSig2Session(const uint256& session_id) const override; 221 }; 222 223 struct FlatSigningProvider final : public SigningProvider 224 { 225 std::map<CScriptID, CScript> scripts; 226 std::map<CKeyID, CPubKey> pubkeys; 227 std::map<CKeyID, std::pair<CPubKey, KeyOriginInfo>> origins; 228 std::map<CKeyID, CKey> keys; 229 std::map<XOnlyPubKey, TaprootBuilder> tr_trees; /** Map from output key to Taproot tree (which can then make the TaprootSpendData */ 230 std::map<CPubKey, std::vector<CPubKey>> aggregate_pubkeys; /** MuSig2 aggregate pubkeys */ 231 std::map<uint256, MuSig2SecNonce>* musig2_secnonces{nullptr}; 232 233 bool GetCScript(const CScriptID& scriptid, CScript& script) const override; 234 bool GetPubKey(const CKeyID& keyid, CPubKey& pubkey) const override; 235 bool GetKeyOrigin(const CKeyID& keyid, KeyOriginInfo& info) const override; 236 bool HaveKey(const CKeyID &keyid) const override; 237 bool GetKey(const CKeyID& keyid, CKey& key) const override; 238 bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override; 239 bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override; 240 std::vector<CPubKey> GetMuSig2ParticipantPubkeys(const CPubKey& pubkey) const override; 241 std::map<CPubKey, std::vector<CPubKey>> GetAllMuSig2ParticipantPubkeys() const override; 242 void SetMuSig2SecNonce(const uint256& id, MuSig2SecNonce&& nonce) const override; 243 std::optional<std::reference_wrapper<MuSig2SecNonce>> GetMuSig2SecNonce(const uint256& session_id) const override; 244 void DeleteMuSig2Session(const uint256& session_id) const override; 245 246 FlatSigningProvider& Merge(FlatSigningProvider&& b) LIFETIMEBOUND; 247 }; 248 249 /** Fillable signing provider that keeps keys in an address->secret map */ 250 class FillableSigningProvider : public SigningProvider 251 { 252 protected: 253 using KeyMap = std::map<CKeyID, CKey>; 254 using ScriptMap = std::map<CScriptID, CScript>; 255 256 /** 257 * Map of key id to unencrypted private keys known by the signing provider. 258 * Map may be empty if the provider has another source of keys, like an 259 * encrypted store. 260 */ 261 KeyMap mapKeys GUARDED_BY(cs_KeyStore); 262 263 /** 264 * Map of script id to scripts known by the signing provider. 265 * 266 * This map originally just held P2SH redeemScripts, and was used by wallet 267 * code to look up script ids referenced in "OP_HASH160 <script id> 268 * OP_EQUAL" P2SH outputs. Later in 605e8473a7d it was extended to hold 269 * P2WSH witnessScripts as well, and used to look up nested scripts 270 * referenced in "OP_0 <script hash>" P2WSH outputs. Later in commits 271 * f4691ab3a9d and 248f3a76a82, it was extended once again to hold segwit 272 * "OP_0 <key or script hash>" scriptPubKeys, in order to give the wallet a 273 * way to distinguish between segwit outputs that it generated addresses for 274 * and wanted to receive payments from, and segwit outputs that it never 275 * generated addresses for, but it could spend just because of having keys. 276 * (Before segwit activation it was also important to not treat segwit 277 * outputs to arbitrary wallet keys as payments, because these could be 278 * spent by anyone without even needing to sign with the keys.) 279 * 280 * Some of the scripts stored in mapScripts are memory-only and 281 * intentionally not saved to disk. Specifically, scripts added by 282 * ImplicitlyLearnRelatedKeyScripts(pubkey) calls are not written to disk so 283 * future wallet code can have flexibility to be more selective about what 284 * transaction outputs it recognizes as payments, instead of having to treat 285 * all outputs spending to keys it knows as payments. By contrast, 286 * mapScripts entries added by AddCScript(script), 287 * LearnRelatedScripts(pubkey, type), and LearnAllRelatedScripts(pubkey) 288 * calls are saved because they are all intentionally used to receive 289 * payments. 290 * 291 * The FillableSigningProvider::mapScripts script map should not be confused 292 * with LegacyScriptPubKeyMan::setWatchOnly script set. The two collections 293 * can hold the same scripts, but they serve different purposes. The 294 * setWatchOnly script set is intended to expand the set of outputs the 295 * wallet considers payments. Every output with a script it contains is 296 * considered to belong to the wallet, regardless of whether the script is 297 * solvable or signable. By contrast, the scripts in mapScripts are only 298 * used for solving, and to restrict which outputs are considered payments 299 * by the wallet. An output with a script in mapScripts, unlike 300 * setWatchOnly, is not automatically considered to belong to the wallet if 301 * it can't be solved and signed for. 302 */ 303 ScriptMap mapScripts GUARDED_BY(cs_KeyStore); 304 305 void ImplicitlyLearnRelatedKeyScripts(const CPubKey& pubkey) EXCLUSIVE_LOCKS_REQUIRED(cs_KeyStore); 306 307 public: 308 mutable RecursiveMutex cs_KeyStore; 309 310 virtual bool AddKeyPubKey(const CKey& key, const CPubKey &pubkey); 311 virtual bool AddKey(const CKey &key) { return AddKeyPubKey(key, key.GetPubKey()); } 312 virtual bool GetPubKey(const CKeyID &address, CPubKey& vchPubKeyOut) const override; 313 virtual bool HaveKey(const CKeyID &address) const override; 314 virtual std::set<CKeyID> GetKeys() const; 315 virtual bool GetKey(const CKeyID &address, CKey &keyOut) const override; 316 virtual bool AddCScript(const CScript& redeemScript); 317 virtual bool HaveCScript(const CScriptID &hash) const override; 318 virtual std::set<CScriptID> GetCScripts() const; 319 virtual bool GetCScript(const CScriptID &hash, CScript& redeemScriptOut) const override; 320 }; 321 322 /** Return the CKeyID of the key involved in a script (if there is a unique one). */ 323 CKeyID GetKeyForDestination(const SigningProvider& store, const CTxDestination& dest); 324 325 /** A signing provider to be used to interface with multiple signing providers at once. */ 326 class MultiSigningProvider: public SigningProvider { 327 std::vector<std::unique_ptr<SigningProvider>> m_providers; 328 329 public: 330 void AddProvider(std::unique_ptr<SigningProvider> provider); 331 332 bool GetCScript(const CScriptID& scriptid, CScript& script) const override; 333 bool GetPubKey(const CKeyID& keyid, CPubKey& pubkey) const override; 334 bool GetKeyOrigin(const CKeyID& keyid, KeyOriginInfo& info) const override; 335 bool GetKey(const CKeyID& keyid, CKey& key) const override; 336 bool GetTaprootSpendData(const XOnlyPubKey& output_key, TaprootSpendData& spenddata) const override; 337 bool GetTaprootBuilder(const XOnlyPubKey& output_key, TaprootBuilder& builder) const override; 338 }; 339 340 #endif // BITCOIN_SCRIPT_SIGNINGPROVIDER_H