feature_taproot.py
1 #!/usr/bin/env python3 2 # Copyright (c) 2019-present The Bitcoin Core developers 3 # Distributed under the MIT software license, see the accompanying 4 # file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 # Test Taproot softfork (BIPs 340-342) 6 7 from test_framework.blocktools import ( 8 COINBASE_MATURITY, 9 create_coinbase, 10 create_block, 11 add_witness_commitment, 12 MAX_BLOCK_SIGOPS_WEIGHT, 13 ) 14 from test_framework.messages import ( 15 COutPoint, 16 CTransaction, 17 CTxIn, 18 CTxInWitness, 19 CTxOut, 20 SEQUENCE_FINAL, 21 tx_from_hex, 22 TX_MAX_STANDARD_VERSION, 23 WITNESS_SCALE_FACTOR, 24 ) 25 from test_framework.script import ( 26 ANNEX_TAG, 27 BIP341_sha_amounts, 28 BIP341_sha_outputs, 29 BIP341_sha_prevouts, 30 BIP341_sha_scriptpubkeys, 31 BIP341_sha_sequences, 32 CScript, 33 CScriptNum, 34 CScriptOp, 35 hash256, 36 LEAF_VERSION_TAPSCRIPT, 37 LegacySignatureMsg, 38 LOCKTIME_THRESHOLD, 39 MAX_SCRIPT_ELEMENT_SIZE, 40 OP_0, 41 OP_1, 42 OP_2, 43 OP_3, 44 OP_4, 45 OP_5, 46 OP_6, 47 OP_7, 48 OP_8, 49 OP_9, 50 OP_10, 51 OP_11, 52 OP_12, 53 OP_16, 54 OP_2DROP, 55 OP_2DUP, 56 OP_CHECKMULTISIG, 57 OP_CHECKMULTISIGVERIFY, 58 OP_CHECKSIG, 59 OP_CHECKSIGADD, 60 OP_CHECKSIGVERIFY, 61 OP_CODESEPARATOR, 62 OP_DROP, 63 OP_DUP, 64 OP_ELSE, 65 OP_ENDIF, 66 OP_EQUAL, 67 OP_EQUALVERIFY, 68 OP_IF, 69 OP_NOP, 70 OP_NOT, 71 OP_NOTIF, 72 OP_PUSHDATA1, 73 OP_RETURN, 74 OP_SWAP, 75 OP_TUCK, 76 OP_VERIFY, 77 SIGHASH_DEFAULT, 78 SIGHASH_ALL, 79 SIGHASH_NONE, 80 SIGHASH_SINGLE, 81 SIGHASH_ANYONECANPAY, 82 SegwitV0SignatureMsg, 83 TaggedHash, 84 TaprootSignatureMsg, 85 is_op_success, 86 taproot_construct, 87 ) 88 from test_framework.script_util import ( 89 key_to_p2pk_script, 90 key_to_p2pkh_script, 91 key_to_p2wpkh_script, 92 keyhash_to_p2pkh_script, 93 script_to_p2sh_script, 94 script_to_p2wsh_script, 95 ) 96 from test_framework.test_framework import BitcoinTestFramework 97 from test_framework.util import ( 98 assert_not_equal, 99 assert_raises_rpc_error, 100 assert_equal, 101 ) 102 from test_framework.wallet_util import generate_keypair 103 from test_framework.key import ( 104 generate_privkey, 105 compute_xonly_pubkey, 106 sign_schnorr, 107 tweak_add_privkey, 108 ECKey, 109 ) 110 from test_framework.crypto import secp256k1 111 from test_framework.address import ( 112 hash160, 113 program_to_witness, 114 ) 115 from collections import OrderedDict, namedtuple 116 import json 117 import hashlib 118 import os 119 import random 120 121 # Whether or not to output generated test vectors, in JSON format. 122 GEN_TEST_VECTORS = False 123 124 # === Framework for building spending transactions. === 125 # 126 # The computation is represented as a "context" dict, whose entries store potentially-unevaluated expressions that 127 # refer to lower-level ones. By overwriting these expression, many aspects - both high and low level - of the signing 128 # process can be overridden. 129 # 130 # Specifically, a context object is a dict that maps names to compositions of: 131 # - values 132 # - lists of values 133 # - callables which, when fed the context object as argument, produce any of these 134 # 135 # The DEFAULT_CONTEXT object specifies a standard signing process, with many overridable knobs. 136 # 137 # The get(ctx, name) function can evaluate a name, and cache its result in the context. 138 # getter(name) can be used to construct a callable that evaluates name. For example: 139 # 140 # ctx1 = {**DEFAULT_CONTEXT, inputs=[getter("sign"), b'\x01']} 141 # 142 # creates a context where the script inputs are a signature plus the bytes 0x01. 143 # 144 # override(expr, name1=expr1, name2=expr2, ...) can be used to cause an expression to be evaluated in a selectively 145 # modified context. For example: 146 # 147 # ctx2 = {**DEFAULT_CONTEXT, sighash=override(default_sighash, hashtype=SIGHASH_DEFAULT)} 148 # 149 # creates a context ctx2 where the sighash is modified to use hashtype=SIGHASH_DEFAULT. This differs from 150 # 151 # ctx3 = {**DEFAULT_CONTEXT, hashtype=SIGHASH_DEFAULT} 152 # 153 # in that ctx3 will globally use hashtype=SIGHASH_DEFAULT (including in the hashtype byte appended to the signature) 154 # while ctx2 only uses the modified hashtype inside the sighash calculation. 155 156 def deep_eval(ctx, expr): 157 """Recursively replace any callables c in expr (including inside lists) with c(ctx).""" 158 while callable(expr): 159 expr = expr(ctx) 160 if isinstance(expr, list): 161 expr = [deep_eval(ctx, x) for x in expr] 162 return expr 163 164 # Data type to represent fully-evaluated expressions in a context dict (so we can avoid reevaluating them). 165 Final = namedtuple("Final", "value") 166 167 def get(ctx, name): 168 """Evaluate name in context ctx.""" 169 assert name in ctx, "Missing '%s' in context" % name 170 expr = ctx[name] 171 if not isinstance(expr, Final): 172 # Evaluate and cache the result. 173 expr = Final(deep_eval(ctx, expr)) 174 ctx[name] = expr 175 return expr.value 176 177 def getter(name, **kwargs): 178 """Return a callable that evaluates name in its passed context.""" 179 return lambda ctx: get({**ctx, **kwargs}, name) 180 181 def override(expr, **kwargs): 182 """Return a callable that evaluates expr in a modified context.""" 183 return lambda ctx: deep_eval({**ctx, **kwargs}, expr) 184 185 # === Implementations for the various default expressions in DEFAULT_CONTEXT === 186 187 def default_hashtype(ctx): 188 """Default expression for "hashtype": SIGHASH_DEFAULT for taproot, SIGHASH_ALL otherwise.""" 189 mode = get(ctx, "mode") 190 if mode == "taproot": 191 return SIGHASH_DEFAULT 192 else: 193 return SIGHASH_ALL 194 195 def default_tapleaf(ctx): 196 """Default expression for "tapleaf": looking up leaf in tap[2].""" 197 return get(ctx, "tap").leaves[get(ctx, "leaf")] 198 199 def default_script_taproot(ctx): 200 """Default expression for "script_taproot": tapleaf.script.""" 201 return get(ctx, "tapleaf").script 202 203 def default_leafversion(ctx): 204 """Default expression for "leafversion": tapleaf.version""" 205 return get(ctx, "tapleaf").version 206 207 def default_negflag(ctx): 208 """Default expression for "negflag": tap.negflag.""" 209 return get(ctx, "tap").negflag 210 211 def default_pubkey_internal(ctx): 212 """Default expression for "pubkey_internal": tap.internal_pubkey.""" 213 return get(ctx, "tap").internal_pubkey 214 215 def default_merklebranch(ctx): 216 """Default expression for "merklebranch": tapleaf.merklebranch.""" 217 return get(ctx, "tapleaf").merklebranch 218 219 def default_controlblock(ctx): 220 """Default expression for "controlblock": combine leafversion, negflag, pubkey_internal, merklebranch.""" 221 return bytes([get(ctx, "leafversion") + get(ctx, "negflag")]) + get(ctx, "pubkey_internal") + get(ctx, "merklebranch") 222 223 def default_scriptcode_suffix(ctx): 224 """Default expression for "scriptcode_suffix", the actually used portion of the scriptcode.""" 225 scriptcode = get(ctx, "scriptcode") 226 codesepnum = get(ctx, "codesepnum") 227 if codesepnum == -1: 228 return scriptcode 229 codeseps = 0 230 for (opcode, data, sop_idx) in scriptcode.raw_iter(): 231 if opcode == OP_CODESEPARATOR: 232 if codeseps == codesepnum: 233 return CScript(scriptcode[sop_idx+1:]) 234 codeseps += 1 235 assert False 236 237 def default_sigmsg(ctx): 238 """Default expression for "sigmsg": depending on mode, compute BIP341, BIP143, or legacy sigmsg.""" 239 tx = get(ctx, "tx") 240 idx = get(ctx, "idx") 241 hashtype = get(ctx, "hashtype_actual") 242 mode = get(ctx, "mode") 243 if mode == "taproot": 244 # BIP341 signature hash 245 utxos = get(ctx, "utxos") 246 annex = get(ctx, "annex") 247 if get(ctx, "leaf") is not None: 248 codeseppos = get(ctx, "codeseppos") 249 leaf_ver = get(ctx, "leafversion") 250 script = get(ctx, "script_taproot") 251 return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=True, leaf_script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex) 252 else: 253 return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=False, annex=annex) 254 elif mode == "witv0": 255 # BIP143 signature hash 256 scriptcode = get(ctx, "scriptcode_suffix") 257 utxos = get(ctx, "utxos") 258 return SegwitV0SignatureMsg(scriptcode, tx, idx, hashtype, utxos[idx].nValue) 259 else: 260 # Pre-segwit signature hash 261 scriptcode = get(ctx, "scriptcode_suffix") 262 return LegacySignatureMsg(scriptcode, tx, idx, hashtype)[0] 263 264 def default_sighash(ctx): 265 """Default expression for "sighash": depending on mode, compute tagged hash or dsha256 of sigmsg.""" 266 msg = get(ctx, "sigmsg") 267 mode = get(ctx, "mode") 268 if mode == "taproot": 269 return TaggedHash("TapSighash", msg) 270 else: 271 if msg is None: 272 return (1).to_bytes(32, 'little') 273 else: 274 return hash256(msg) 275 276 def default_tweak(ctx): 277 """Default expression for "tweak": None if a leaf is specified, tap[0] otherwise.""" 278 if get(ctx, "leaf") is None: 279 return get(ctx, "tap").tweak 280 return None 281 282 def default_key_tweaked(ctx): 283 """Default expression for "key_tweaked": key if tweak is None, tweaked with it otherwise.""" 284 key = get(ctx, "key") 285 tweak = get(ctx, "tweak") 286 if tweak is None: 287 return key 288 else: 289 return tweak_add_privkey(key, tweak) 290 291 def default_signature(ctx): 292 """Default expression for "signature": BIP340 signature or ECDSA signature depending on mode.""" 293 sighash = get(ctx, "sighash") 294 deterministic = get(ctx, "deterministic") 295 if get(ctx, "mode") == "taproot": 296 key = get(ctx, "key_tweaked") 297 flip_r = get(ctx, "flag_flip_r") 298 flip_p = get(ctx, "flag_flip_p") 299 aux = bytes([0] * 32) 300 if not deterministic: 301 aux = random.getrandbits(256).to_bytes(32, 'big') 302 return sign_schnorr(key, sighash, flip_r=flip_r, flip_p=flip_p, aux=aux) 303 else: 304 key = get(ctx, "key") 305 return key.sign_ecdsa(sighash, rfc6979=deterministic) 306 307 def default_hashtype_actual(ctx): 308 """Default expression for "hashtype_actual": hashtype, unless mismatching SIGHASH_SINGLE in taproot.""" 309 hashtype = get(ctx, "hashtype") 310 mode = get(ctx, "mode") 311 if mode != "taproot": 312 return hashtype 313 idx = get(ctx, "idx") 314 tx = get(ctx, "tx") 315 if hashtype & 3 == SIGHASH_SINGLE and idx >= len(tx.vout): 316 return (hashtype & ~3) | SIGHASH_NONE 317 return hashtype 318 319 def default_bytes_hashtype(ctx): 320 """Default expression for "bytes_hashtype": bytes([hashtype_actual]) if not 0, b"" otherwise.""" 321 mode = get(ctx, "mode") 322 hashtype_actual = get(ctx, "hashtype_actual") 323 if mode != "taproot" or hashtype_actual != 0: 324 return bytes([hashtype_actual]) 325 else: 326 return bytes() 327 328 def default_sign(ctx): 329 """Default expression for "sign": concatenation of signature and bytes_hashtype.""" 330 return get(ctx, "signature") + get(ctx, "bytes_hashtype") 331 332 def default_inputs_keypath(ctx): 333 """Default expression for "inputs_keypath": a signature.""" 334 return [get(ctx, "sign")] 335 336 def default_witness_taproot(ctx): 337 """Default expression for "witness_taproot", consisting of inputs, script, control block, and annex as needed.""" 338 annex = get(ctx, "annex") 339 suffix_annex = [] 340 if annex is not None: 341 suffix_annex = [annex] 342 if get(ctx, "leaf") is None: 343 return get(ctx, "inputs_keypath") + suffix_annex 344 else: 345 return get(ctx, "inputs") + [bytes(get(ctx, "script_taproot")), get(ctx, "controlblock")] + suffix_annex 346 347 def default_witness_witv0(ctx): 348 """Default expression for "witness_witv0", consisting of inputs and witness script, as needed.""" 349 script = get(ctx, "script_witv0") 350 inputs = get(ctx, "inputs") 351 if script is None: 352 return inputs 353 else: 354 return inputs + [script] 355 356 def default_witness(ctx): 357 """Default expression for "witness", delegating to "witness_taproot" or "witness_witv0" as needed.""" 358 mode = get(ctx, "mode") 359 if mode == "taproot": 360 return get(ctx, "witness_taproot") 361 elif mode == "witv0": 362 return get(ctx, "witness_witv0") 363 else: 364 return [] 365 366 def default_scriptsig(ctx): 367 """Default expression for "scriptsig", consisting of inputs and redeemscript, as needed.""" 368 scriptsig = [] 369 mode = get(ctx, "mode") 370 if mode == "legacy": 371 scriptsig = get(ctx, "inputs") 372 redeemscript = get(ctx, "script_p2sh") 373 if redeemscript is not None: 374 scriptsig += [bytes(redeemscript)] 375 return scriptsig 376 377 # The default context object. 378 DEFAULT_CONTEXT = { 379 # == The main expressions to evaluate. Only override these for unusual or invalid spends. == 380 # The overall witness stack, as a list of bytes objects. 381 "witness": default_witness, 382 # The overall scriptsig, as a list of CScript objects (to be concatenated) and bytes objects (to be pushed) 383 "scriptsig": default_scriptsig, 384 385 # == Expressions you'll generally only override for intentionally invalid spends. == 386 # The witness stack for spending a taproot output. 387 "witness_taproot": default_witness_taproot, 388 # The witness stack for spending a P2WPKH/P2WSH output. 389 "witness_witv0": default_witness_witv0, 390 # The script inputs for a taproot key path spend. 391 "inputs_keypath": default_inputs_keypath, 392 # The actual hashtype to use (usually equal to hashtype, but in taproot SIGHASH_SINGLE is not always allowed). 393 "hashtype_actual": default_hashtype_actual, 394 # The bytes object for a full signature (including hashtype byte, if needed). 395 "bytes_hashtype": default_bytes_hashtype, 396 # A full script signature (bytes including hashtype, if needed) 397 "sign": default_sign, 398 # An ECDSA or Schnorr signature (excluding hashtype byte). 399 "signature": default_signature, 400 # The 32-byte tweaked key (equal to key for script path spends, or key+tweak for key path spends). 401 "key_tweaked": default_key_tweaked, 402 # The tweak to use (None for script path spends, the actual tweak for key path spends). 403 "tweak": default_tweak, 404 # The part of the scriptcode after the last executed OP_CODESEPARATOR. 405 "scriptcode_suffix": default_scriptcode_suffix, 406 # The sigmsg value (preimage of sighash) 407 "sigmsg": default_sigmsg, 408 # The sighash value (32 bytes) 409 "sighash": default_sighash, 410 # The information about the chosen script path spend (TaprootLeafInfo object). 411 "tapleaf": default_tapleaf, 412 # The script to push, and include in the sighash, for a taproot script path spend. 413 "script_taproot": default_script_taproot, 414 # The internal pubkey for a taproot script path spend (32 bytes). 415 "pubkey_internal": default_pubkey_internal, 416 # The negation flag of the internal pubkey for a taproot script path spend. 417 "negflag": default_negflag, 418 # The leaf version to include in the sighash (this does not affect the one in the control block). 419 "leafversion": default_leafversion, 420 # The Merkle path to include in the control block for a script path spend. 421 "merklebranch": default_merklebranch, 422 # The control block to push for a taproot script path spend. 423 "controlblock": default_controlblock, 424 # Whether to produce signatures with invalid P sign (Schnorr signatures only). 425 "flag_flip_p": False, 426 # Whether to produce signatures with invalid R sign (Schnorr signatures only). 427 "flag_flip_r": False, 428 429 # == Parameters that can be changed without invalidating, but do have a default: == 430 # The hashtype (as an integer). 431 "hashtype": default_hashtype, 432 # The annex (only when mode=="taproot"). 433 "annex": None, 434 # The codeseparator position (only when mode=="taproot"). 435 "codeseppos": 0xffffffff, 436 # Which OP_CODESEPARATOR is the last executed one in the script (in legacy/P2SH/P2WSH). 437 "codesepnum": -1, 438 # The redeemscript to add to the scriptSig (if P2SH; None implies not P2SH). 439 "script_p2sh": None, 440 # The script to add to the witness in (if P2WSH; None implies P2WPKH) 441 "script_witv0": None, 442 # The leaf to use in taproot spends (if script path spend; None implies key path spend). 443 "leaf": None, 444 # The input arguments to provide to the executed script 445 "inputs": [], 446 # Use deterministic signing nonces 447 "deterministic": False, 448 449 # == Parameters to be set before evaluation: == 450 # - mode: what spending style to use ("taproot", "witv0", or "legacy"). 451 # - key: the (untweaked) private key to sign with (ECKey object for ECDSA, 32 bytes for Schnorr). 452 # - tap: the TaprootInfo object (see taproot_construct; needed in mode=="taproot"). 453 # - tx: the transaction to sign. 454 # - utxos: the UTXOs being spent (needed in mode=="witv0" and mode=="taproot"). 455 # - idx: the input position being signed. 456 # - scriptcode: the scriptcode to include in legacy and witv0 sighashes. 457 } 458 459 def flatten(lst): 460 ret = [] 461 for elem in lst: 462 if isinstance(elem, list): 463 ret += flatten(elem) 464 else: 465 ret.append(elem) 466 return ret 467 468 469 def spend(tx, idx, utxos, **kwargs): 470 """Sign transaction input idx of tx, provided utxos is the list of outputs being spent. 471 472 Additional arguments may be provided that override any aspect of the signing process. 473 See DEFAULT_CONTEXT above for what can be overridden, and what must be provided. 474 """ 475 476 ctx = {**DEFAULT_CONTEXT, "tx":tx, "idx":idx, "utxos":utxos, **kwargs} 477 478 def to_script(elem): 479 """If fed a CScript, return it; if fed bytes, return a CScript that pushes it.""" 480 if isinstance(elem, CScript): 481 return elem 482 else: 483 return CScript([elem]) 484 485 scriptsig_list = flatten(get(ctx, "scriptsig")) 486 scriptsig = CScript(b"".join(bytes(to_script(elem)) for elem in scriptsig_list)) 487 witness_stack = flatten(get(ctx, "witness")) 488 return (scriptsig, witness_stack) 489 490 491 # === Spender objects === 492 # 493 # Each spender is a tuple of: 494 # - A scriptPubKey which is to be spent from (CScript) 495 # - A comment describing the test (string) 496 # - Whether the spending (on itself) is expected to be standard (bool) 497 # - A tx-signing lambda returning (scriptsig, witness_stack), taking as inputs: 498 # - A transaction to sign (CTransaction) 499 # - An input position (int) 500 # - The spent UTXOs by this transaction (list of CTxOut) 501 # - Whether to produce a valid spend (bool) 502 # - A string with an expected error message for failure case if known 503 # - The (pre-taproot) sigops weight consumed by a successful spend 504 # - Whether this spend cannot fail 505 # - Whether this test demands being placed in a txin with no corresponding txout (for testing SIGHASH_SINGLE behavior) 506 507 Spender = namedtuple("Spender", "script,comment,is_standard,sat_function,err_msg,sigops_weight,no_fail,need_vin_vout_mismatch") 508 509 510 def make_spender(comment, *, tap=None, witv0=False, script=None, pkh=None, p2sh=False, spk_mutate_pre_p2sh=None, failure=None, standard=True, err_msg=None, sigops_weight=0, need_vin_vout_mismatch=False, **kwargs): 511 """Helper for constructing Spender objects using the context signing framework. 512 513 * tap: a TaprootInfo object (see taproot_construct), for Taproot spends (cannot be combined with pkh, witv0, or script) 514 * witv0: boolean indicating the use of witness v0 spending (needs one of script or pkh) 515 * script: the actual script executed (for bare/P2WSH/P2SH spending) 516 * pkh: the public key for P2PKH or P2WPKH spending 517 * p2sh: whether the output is P2SH wrapper (this is supported even for Taproot, where it makes the output unencumbered) 518 * spk_mutate_pre_psh: a callable to be applied to the script (before potentially P2SH-wrapping it) 519 * failure: a dict of entries to override in the context when intentionally failing to spend (if None, no_fail will be set) 520 * standard: whether the (valid version of) spending is expected to be standard 521 * err_msg: a string with an expected error message for failure (or None, if not cared about) 522 * sigops_weight: the pre-taproot sigops weight consumed by a successful spend 523 * need_vin_vout_mismatch: whether this test requires being tested in a transaction input that has no corresponding 524 transaction output. 525 """ 526 527 conf = dict() 528 529 # Compute scriptPubKey and set useful defaults based on the inputs. 530 if witv0: 531 assert tap is None 532 conf["mode"] = "witv0" 533 if pkh is not None: 534 # P2WPKH 535 assert script is None 536 pubkeyhash = hash160(pkh) 537 spk = key_to_p2wpkh_script(pkh) 538 conf["scriptcode"] = keyhash_to_p2pkh_script(pubkeyhash) 539 conf["script_witv0"] = None 540 conf["inputs"] = [getter("sign"), pkh] 541 elif script is not None: 542 # P2WSH 543 spk = script_to_p2wsh_script(script) 544 conf["scriptcode"] = script 545 conf["script_witv0"] = script 546 else: 547 assert False 548 elif tap is None: 549 conf["mode"] = "legacy" 550 if pkh is not None: 551 # P2PKH 552 assert script is None 553 pubkeyhash = hash160(pkh) 554 spk = keyhash_to_p2pkh_script(pubkeyhash) 555 conf["scriptcode"] = spk 556 conf["inputs"] = [getter("sign"), pkh] 557 elif script is not None: 558 # bare 559 spk = script 560 conf["scriptcode"] = script 561 else: 562 assert False 563 else: 564 assert script is None 565 conf["mode"] = "taproot" 566 conf["tap"] = tap 567 spk = tap.scriptPubKey 568 569 if spk_mutate_pre_p2sh is not None: 570 spk = spk_mutate_pre_p2sh(spk) 571 572 if p2sh: 573 # P2SH wrapper can be combined with anything else 574 conf["script_p2sh"] = spk 575 spk = script_to_p2sh_script(spk) 576 577 conf = {**conf, **kwargs} 578 579 def sat_fn(tx, idx, utxos, valid): 580 if valid: 581 return spend(tx, idx, utxos, **conf) 582 else: 583 assert failure is not None 584 return spend(tx, idx, utxos, **{**conf, **failure}) 585 586 return Spender(script=spk, comment=comment, is_standard=standard, sat_function=sat_fn, err_msg=err_msg, sigops_weight=sigops_weight, no_fail=failure is None, need_vin_vout_mismatch=need_vin_vout_mismatch) 587 588 def add_spender(spenders, *args, **kwargs): 589 """Make a spender using make_spender, and add it to spenders.""" 590 spenders.append(make_spender(*args, **kwargs)) 591 592 # === Helpers for the test === 593 594 def random_checksig_style(pubkey): 595 """Creates a random CHECKSIG* tapscript that would succeed with only the valid signature on witness stack.""" 596 opcode = random.choice([OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKSIGADD]) 597 if opcode == OP_CHECKSIGVERIFY: 598 ret = CScript([pubkey, opcode, OP_1]) 599 elif opcode == OP_CHECKSIGADD: 600 num = random.choice([0, 0x7fffffff, -0x7fffffff]) 601 ret = CScript([num, pubkey, opcode, num + 1, OP_EQUAL]) 602 else: 603 ret = CScript([pubkey, opcode]) 604 return bytes(ret) 605 606 def bitflipper(expr): 607 """Return a callable that evaluates expr and returns it with a random bitflip.""" 608 def fn(ctx): 609 sub = deep_eval(ctx, expr) 610 assert isinstance(sub, bytes) 611 return (int.from_bytes(sub, 'little') ^ (1 << random.randrange(len(sub) * 8))).to_bytes(len(sub), 'little') 612 return fn 613 614 def zero_appender(expr): 615 """Return a callable that evaluates expr and returns it with a zero added.""" 616 return lambda ctx: deep_eval(ctx, expr) + b"\x00" 617 618 def byte_popper(expr): 619 """Return a callable that evaluates expr and returns it with its last byte removed.""" 620 return lambda ctx: deep_eval(ctx, expr)[:-1] 621 622 # Expected error strings 623 624 ERR_SCHNORR_SIG_SIZE = {"err_msg": "Invalid Schnorr signature size"} 625 ERR_SCHNORR_SIG_HASHTYPE = {"err_msg": "Invalid Schnorr signature hash type"} 626 ERR_SCHNORR_SIG = {"err_msg": "Invalid Schnorr signature"} 627 ERR_OP_RETURN = {"err_msg": "OP_RETURN was encountered"} 628 ERR_TAPROOT_WRONG_CONTROL_SIZE = {"err_msg": "Invalid Taproot control block size"} 629 ERR_WITNESS_PROGRAM_MISMATCH = {"err_msg": "Witness program hash mismatch"} 630 ERR_PUSH_SIZE = {"err_msg": "Push value size limit exceeded"} 631 ERR_DISABLED_OPCODE = {"err_msg": "Attempted to use a disabled opcode"} 632 ERR_TAPSCRIPT_CHECKMULTISIG = {"err_msg": "OP_CHECKMULTISIG(VERIFY) is not available in tapscript"} 633 ERR_TAPSCRIPT_MINIMALIF = {"err_msg": "OP_IF/NOTIF argument must be minimal in tapscript"} 634 ERR_TAPSCRIPT_EMPTY_PUBKEY = {"err_msg": "Empty public key in tapscript"} 635 ERR_STACK_SIZE = {"err_msg": "Stack size limit exceeded"} 636 ERR_CLEANSTACK = {"err_msg": "Stack size must be exactly one after execution"} 637 ERR_INVALID_STACK_OPERATION = {"err_msg": "Operation not valid with the current stack size"} 638 ERR_TAPSCRIPT_VALIDATION_WEIGHT = {"err_msg": "Too much signature validation relative to witness weight"} 639 ERR_BAD_OPCODE = {"err_msg": "Opcode missing or not understood"} 640 ERR_EVAL_FALSE = {"err_msg": "Script evaluated without error but finished with a false/empty top stack element"} 641 ERR_WITNESS_PROGRAM_WITNESS_EMPTY = {"err_msg": "Witness program was passed an empty witness"} 642 ERR_CHECKSIGVERIFY = {"err_msg": "Script failed an OP_CHECKSIGVERIFY operation"} 643 ERR_SCRIPT_NUM = {"err_msg": "Script number overflowed or is non-minimally encoded"} 644 645 VALID_SIGHASHES_ECDSA = [ 646 SIGHASH_ALL, 647 SIGHASH_NONE, 648 SIGHASH_SINGLE, 649 SIGHASH_ANYONECANPAY + SIGHASH_ALL, 650 SIGHASH_ANYONECANPAY + SIGHASH_NONE, 651 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 652 ] 653 654 VALID_SIGHASHES_TAPROOT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA 655 656 VALID_SIGHASHES_TAPROOT_SINGLE = [ 657 SIGHASH_SINGLE, 658 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 659 ] 660 661 VALID_SIGHASHES_TAPROOT_NO_SINGLE = [h for h in VALID_SIGHASHES_TAPROOT if h not in VALID_SIGHASHES_TAPROOT_SINGLE] 662 663 SIGHASH_BITFLIP = {"failure": {"sighash": bitflipper(default_sighash)}} 664 SIG_POP_BYTE = {"failure": {"sign": byte_popper(default_sign)}} 665 SINGLE_SIG = {"inputs": [getter("sign")]} 666 SIG_ADD_ZERO = {"failure": {"sign": zero_appender(default_sign)}} 667 668 DUST_LIMIT = 600 669 MIN_FEE = 50000 670 671 TX_STANDARD_VERSIONS = [1, 2, TX_MAX_STANDARD_VERSION] 672 TRUC_MAX_VSIZE = 10000 # test doesn't cover in-mempool spends, so only this limit is hit 673 674 # === Actual test cases === 675 676 677 def spenders_taproot_active(): 678 """Return a list of Spenders for testing post-Taproot activation behavior.""" 679 680 secs = [generate_privkey() for _ in range(8)] 681 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 682 683 spenders = [] 684 685 # == Tests for BIP340 signature validation. == 686 # These are primarily tested through the test vectors implemented in libsecp256k1, and in src/tests/key_tests.cpp. 687 # Some things are tested programmatically as well here. 688 689 tap = taproot_construct(pubs[0]) 690 # Test with key with bit flipped. 691 add_spender(spenders, "sig/key", tap=tap, key=secs[0], failure={"key_tweaked": bitflipper(default_key_tweaked)}, **ERR_SCHNORR_SIG) 692 # Test with sighash with bit flipped. 693 add_spender(spenders, "sig/sighash", tap=tap, key=secs[0], failure={"sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 694 # Test with invalid R sign. 695 add_spender(spenders, "sig/flip_r", tap=tap, key=secs[0], failure={"flag_flip_r": True}, **ERR_SCHNORR_SIG) 696 # Test with invalid P sign. 697 add_spender(spenders, "sig/flip_p", tap=tap, key=secs[0], failure={"flag_flip_p": True}, **ERR_SCHNORR_SIG) 698 # Test with signature with bit flipped. 699 add_spender(spenders, "sig/bitflip", tap=tap, key=secs[0], failure={"signature": bitflipper(default_signature)}, **ERR_SCHNORR_SIG) 700 701 # == Test involving an internal public key not on the curve == 702 703 # X-only public keys are 32 bytes, but not every 32-byte array is a valid public key; only 704 # around 50% of them are. This does not affect users using correct software; these "keys" have 705 # no corresponding private key, and thus will never appear as output of key 706 # generation/derivation/tweaking. 707 # 708 # Using an invalid public key as P2TR output key makes the UTXO unspendable. Revealing an 709 # invalid public key as internal key in a P2TR script path spend also makes the spend invalid. 710 # These conditions are explicitly spelled out in BIP341. 711 # 712 # It is however hard to create test vectors for this, because it involves "guessing" how a 713 # hypothetical incorrect implementation deals with an obviously-invalid condition, and making 714 # sure that guessed behavior (accepting it in certain condition) doesn't occur. 715 # 716 # The test case added here tries to detect a very specific bug a verifier could have: if they 717 # don't verify whether or not a revealed internal public key in a script path spend is valid, 718 # and (correctly) implement output_key == tweak(internal_key, tweakval) but (incorrectly) treat 719 # tweak(invalid_key, tweakval) as equal the public key corresponding to private key tweakval. 720 # This may seem like a far-fetched edge condition to test for, but in fact, the BIP341 wallet 721 # pseudocode did exactly that (but obviously only triggerable by someone invoking the tweaking 722 # function with an invalid public key, which shouldn't happen). 723 724 # Generate an invalid public key 725 while True: 726 invalid_pub = random.randbytes(32) 727 if not secp256k1.GE.is_valid_x(int.from_bytes(invalid_pub, 'big')): 728 break 729 730 # Implement a test case that detects validation logic which maps invalid public keys to the 731 # point at infinity in the tweaking logic. 732 tap = taproot_construct(invalid_pub, [("true", CScript([OP_1]))], treat_internal_as_infinity=True) 733 add_spender(spenders, "output/invalid_x", tap=tap, key_tweaked=tap.tweak, failure={"leaf": "true", "inputs": []}, **ERR_WITNESS_PROGRAM_MISMATCH) 734 735 # Do the same thing without invalid point, to make sure there is no mistake in the test logic. 736 tap = taproot_construct(pubs[0], [("true", CScript([OP_1]))]) 737 add_spender(spenders, "output/invalid_x_mock", tap=tap, key=secs[0], leaf="true", inputs=[]) 738 739 # == Tests for signature hashing == 740 741 # Run all tests once with no annex, and once with a valid random annex. 742 for annex in [None, lambda _: bytes([ANNEX_TAG]) + random.randbytes(random.randrange(0, 250))]: 743 # Non-empty annex is non-standard 744 no_annex = annex is None 745 746 # Sighash mutation tests (test all sighash combinations) 747 for hashtype in VALID_SIGHASHES_TAPROOT: 748 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 749 750 # Pure pubkey 751 tap = taproot_construct(pubs[0]) 752 add_spender(spenders, "sighash/purepk", tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 753 754 # Pubkey/P2PK script combination 755 scripts = [("s0", CScript(random_checksig_style(pubs[1])))] 756 tap = taproot_construct(pubs[0], scripts) 757 add_spender(spenders, "sighash/keypath_hashtype_%x" % hashtype, tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 758 add_spender(spenders, "sighash/scriptpath_hashtype_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 759 760 # Test SIGHASH_SINGLE behavior in combination with mismatching outputs 761 if hashtype in VALID_SIGHASHES_TAPROOT_SINGLE: 762 add_spender(spenders, "sighash/keypath_hashtype_mis_%x" % hashtype, tap=tap, key=secs[0], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), failure={"hashtype_actual": hashtype}, **ERR_SCHNORR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 763 add_spender(spenders, "sighash/scriptpath_hashtype_mis_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), **SINGLE_SIG, failure={"hashtype_actual": hashtype}, **ERR_SCHNORR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 764 765 # Test OP_CODESEPARATOR impact on sighashing. 766 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 767 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 768 scripts = [ 769 ("pk_codesep", CScript(random_checksig_style(pubs[1]) + bytes([OP_CODESEPARATOR]))), # codesep after checksig 770 ("codesep_pk", CScript(bytes([OP_CODESEPARATOR]) + random_checksig_style(pubs[1]))), # codesep before checksig 771 ("branched_codesep", CScript([random.randbytes(random.randrange(2, 511)), OP_DROP, OP_IF, OP_CODESEPARATOR, pubs[0], OP_ELSE, OP_CODESEPARATOR, pubs[1], OP_ENDIF, OP_CHECKSIG])), # branch dependent codesep 772 # Note that the first data push in the "branched_codesep" script has the purpose of 773 # randomizing the sighash, both by varying script size and content. In order to 774 # avoid MINIMALDATA script verification errors caused by not-minimal-encoded data 775 # pushes (e.g. `OP_PUSH1 1` instead of `OP_1`), we set a minimum data size of 2 bytes. 776 ] 777 random.shuffle(scripts) 778 tap = taproot_construct(pubs[0], scripts) 779 add_spender(spenders, "sighash/pk_codesep", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 780 add_spender(spenders, "sighash/codesep_pk", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 781 add_spender(spenders, "sighash/branched_codesep/left", tap=tap, leaf="branched_codesep", key=secs[0], codeseppos=3, **common, inputs=[getter("sign"), b'\x01'], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 782 add_spender(spenders, "sighash/branched_codesep/right", tap=tap, leaf="branched_codesep", key=secs[1], codeseppos=6, **common, inputs=[getter("sign"), b''], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 783 add_spender(spenders, "sighash/codesep_pk_wrongpos1", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, failure={"codeseppos": 1}, **ERR_SCHNORR_SIG) 784 add_spender(spenders, "sighash/codesep_pk_wrongpos2", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, failure={"codeseppos": 0xfffffffe}, **ERR_SCHNORR_SIG) 785 786 # Reusing the scripts above, test that various features affect the sighash. 787 add_spender(spenders, "sighash/annex", tap=tap, leaf="pk_codesep", key=secs[1], hashtype=hashtype, standard=False, **SINGLE_SIG, annex=bytes([ANNEX_TAG]), failure={"sighash": override(default_sighash, annex=None)}, **ERR_SCHNORR_SIG) 788 add_spender(spenders, "sighash/script", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, script_taproot=tap.leaves["codesep_pk"].script)}, **ERR_SCHNORR_SIG) 789 add_spender(spenders, "sighash/leafver", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leafversion=random.choice([x & 0xFE for x in range(0x100) if x & 0xFE != LEAF_VERSION_TAPSCRIPT]))}, **ERR_SCHNORR_SIG) 790 add_spender(spenders, "sighash/scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leaf=None)}, **ERR_SCHNORR_SIG) 791 add_spender(spenders, "sighash/keypath", tap=tap, key=secs[0], **common, failure={"sighash": override(default_sighash, leaf="pk_codesep")}, **ERR_SCHNORR_SIG) 792 793 # Test that invalid hashtypes don't work, both in key path and script path spends 794 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 795 for invalid_hashtype in [x for x in range(0x100) if x not in VALID_SIGHASHES_TAPROOT]: 796 add_spender(spenders, "sighash/keypath_unk_hashtype_%x" % invalid_hashtype, tap=tap, key=secs[0], hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SCHNORR_SIG_HASHTYPE) 797 add_spender(spenders, "sighash/scriptpath_unk_hashtype_%x" % invalid_hashtype, tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SCHNORR_SIG_HASHTYPE) 798 799 # Test that hashtype 0 cannot have a hashtype byte, and 1 must have one. 800 add_spender(spenders, "sighash/hashtype0_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SCHNORR_SIG_HASHTYPE) 801 add_spender(spenders, "sighash/hashtype0_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SCHNORR_SIG_HASHTYPE) 802 add_spender(spenders, "sighash/hashtype1_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 803 add_spender(spenders, "sighash/hashtype1_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 804 # Test that hashtype 0 and hashtype 1 cannot be transmuted into each other. 805 add_spender(spenders, "sighash/hashtype0to1_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SCHNORR_SIG) 806 add_spender(spenders, "sighash/hashtype0to1_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SCHNORR_SIG) 807 add_spender(spenders, "sighash/hashtype1to0_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 808 add_spender(spenders, "sighash/hashtype1to0_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 809 810 # Test aspects of signatures with unusual lengths 811 for hashtype in [SIGHASH_DEFAULT, random.choice(VALID_SIGHASHES_TAPROOT)]: 812 scripts = [ 813 ("csv", CScript([pubs[2], OP_CHECKSIGVERIFY, OP_1])), 814 ("cs_pos", CScript([pubs[2], OP_CHECKSIG])), 815 ("csa_pos", CScript([OP_0, pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 816 ("cs_neg", CScript([pubs[2], OP_CHECKSIG, OP_NOT])), 817 ("csa_neg", CScript([OP_2, pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL])) 818 ] 819 random.shuffle(scripts) 820 tap = taproot_construct(pubs[3], scripts) 821 # Empty signatures 822 add_spender(spenders, "siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SCHNORR_SIG_SIZE) 823 add_spender(spenders, "siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY) 824 add_spender(spenders, "siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_EVAL_FALSE) 825 add_spender(spenders, "siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_EVAL_FALSE) 826 add_spender(spenders, "siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(1, 63))}, **ERR_SCHNORR_SIG_SIZE) 827 add_spender(spenders, "siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(66, 100))}, **ERR_SCHNORR_SIG_SIZE) 828 # Appending a zero byte to signatures invalidates them 829 add_spender(spenders, "siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 830 add_spender(spenders, "siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 831 add_spender(spenders, "siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 832 add_spender(spenders, "siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 833 add_spender(spenders, "siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 834 add_spender(spenders, "siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 835 # Removing the last byte from signatures invalidates them 836 add_spender(spenders, "siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 837 add_spender(spenders, "siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 838 add_spender(spenders, "siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 839 add_spender(spenders, "siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 840 add_spender(spenders, "siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 841 add_spender(spenders, "siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 842 # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail. 843 add_spender(spenders, "siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 844 add_spender(spenders, "siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 845 846 # == Test that BIP341 spending only applies to witness version 1, program length 32, no P2SH == 847 848 for p2sh in [False, True]: 849 for witver in range(1, 17): 850 for witlen in [20, 31, 32, 33]: 851 def mutate(spk): 852 prog = spk[2:] 853 assert_equal(len(prog), 32) 854 if witlen < 32: 855 prog = prog[0:witlen] 856 elif witlen > 32: 857 prog += bytes([0 for _ in range(witlen - 32)]) 858 return CScript([CScriptOp.encode_op_n(witver), prog]) 859 scripts = [("s0", CScript([pubs[0], OP_CHECKSIG])), ("dummy", CScript([OP_RETURN]))] 860 tap = taproot_construct(pubs[1], scripts) 861 if not p2sh and witver == 1 and witlen == 32: 862 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 863 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, failure={"leaf": "dummy"}, **ERR_OP_RETURN) 864 else: 865 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], standard=False) 866 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, standard=False) 867 868 # == Test various aspects of BIP341 spending paths == 869 870 # A set of functions that compute the hashing partner in a Merkle tree, designed to exercise 871 # edge cases. This relies on the taproot_construct feature that a lambda can be passed in 872 # instead of a subtree, to compute the partner to be hashed with. 873 PARTNER_MERKLE_FN = [ 874 # Combine with itself 875 lambda h: h, 876 # Combine with hash 0 877 lambda h: bytes([0 for _ in range(32)]), 878 # Combine with hash 2^256-1 879 lambda h: bytes([0xff for _ in range(32)]), 880 # Combine with itself-1 (BE) 881 lambda h: (int.from_bytes(h, 'big') - 1).to_bytes(32, 'big'), 882 # Combine with itself+1 (BE) 883 lambda h: (int.from_bytes(h, 'big') + 1).to_bytes(32, 'big'), 884 # Combine with itself-1 (LE) 885 lambda h: (int.from_bytes(h, 'little') - 1).to_bytes(32, 'big'), 886 # Combine with itself+1 (LE) 887 lambda h: (int.from_bytes(h, 'little') + 1).to_bytes(32, 'little'), 888 # Combine with random bitflipped version of self. 889 lambda h: (int.from_bytes(h, 'little') ^ (1 << random.randrange(256))).to_bytes(32, 'little') 890 ] 891 # Start with a tree of that has depth 1 for "128deep" and depth 2 for "129deep". 892 scripts = [("128deep", CScript([pubs[0], OP_CHECKSIG])), [("129deep", CScript([pubs[0], OP_CHECKSIG])), random.choice(PARTNER_MERKLE_FN)]] 893 # Add 127 nodes on top of that tree, so that "128deep" and "129deep" end up at their designated depths. 894 for _ in range(127): 895 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 896 tap = taproot_construct(pubs[0], scripts) 897 # Test that spends with a depth of 128 work, but 129 doesn't (even with a tree with weird Merkle branches in it). 898 add_spender(spenders, "spendpath/merklelimit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"leaf": "129deep"}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 899 # Test that flipping the negation bit invalidates spends. 900 add_spender(spenders, "spendpath/negflag", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"negflag": lambda ctx: 1 - default_negflag(ctx)}, **ERR_WITNESS_PROGRAM_MISMATCH) 901 # Test that bitflips in the Merkle branch invalidate it. 902 add_spender(spenders, "spendpath/bitflipmerkle", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"merklebranch": bitflipper(default_merklebranch)}, **ERR_WITNESS_PROGRAM_MISMATCH) 903 # Test that bitflips in the internal pubkey invalidate it. 904 add_spender(spenders, "spendpath/bitflippubkey", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"pubkey_internal": bitflipper(default_pubkey_internal)}, **ERR_WITNESS_PROGRAM_MISMATCH) 905 # Test that empty witnesses are invalid. 906 add_spender(spenders, "spendpath/emptywit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"witness": []}, **ERR_WITNESS_PROGRAM_WITNESS_EMPTY) 907 # Test that adding garbage to the control block invalidates it. 908 add_spender(spenders, "spendpath/padlongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random.randbytes(random.randrange(1, 32))}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 909 # Test that truncating the control block invalidates it. 910 add_spender(spenders, "spendpath/trunclongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 911 912 scripts = [("s", CScript([pubs[0], OP_CHECKSIG]))] 913 tap = taproot_construct(pubs[1], scripts) 914 # Test that adding garbage to the control block invalidates it. 915 add_spender(spenders, "spendpath/padshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random.randbytes(random.randrange(1, 32))}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 916 # Test that truncating the control block invalidates it. 917 add_spender(spenders, "spendpath/truncshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 918 # Test that truncating the control block to 1 byte ("-1 Merkle length") invalidates it 919 add_spender(spenders, "spendpath/trunc1shortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:1]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 920 921 # == Test BIP342 edge cases == 922 923 csa_low_val = random.randrange(0, 17) # Within range for OP_n 924 csa_low_result = csa_low_val + 1 925 926 csa_high_val = random.randrange(17, 100) if random.getrandbits(1) else random.randrange(-100, -1) # Outside OP_n range 927 csa_high_result = csa_high_val + 1 928 929 OVERSIZE_NUMBER = 2**31 930 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER))), 6) 931 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER-1))), 5) 932 933 big_choices = [] 934 big_scriptops = [] 935 for i in range(1000): 936 r = random.randrange(len(pubs)) 937 big_choices.append(r) 938 big_scriptops += [pubs[r], OP_CHECKSIGVERIFY] 939 940 941 def big_spend_inputs(ctx): 942 """Helper function to construct the script input for t33/t34 below.""" 943 # Instead of signing 999 times, precompute signatures for every (key, hashtype) combination 944 sigs = {} 945 for ht in VALID_SIGHASHES_TAPROOT: 946 for k in range(len(pubs)): 947 sigs[(k, ht)] = override(default_sign, hashtype=ht, key=secs[k])(ctx) 948 num = get(ctx, "num") 949 return [sigs[(big_choices[i], random.choice(VALID_SIGHASHES_TAPROOT))] for i in range(num - 1, -1, -1)] 950 951 # Various BIP342 features 952 scripts = [ 953 # 0) drop stack element and OP_CHECKSIG 954 ("t0", CScript([OP_DROP, pubs[1], OP_CHECKSIG])), 955 # 1) normal OP_CHECKSIG 956 ("t1", CScript([pubs[1], OP_CHECKSIG])), 957 # 2) normal OP_CHECKSIGVERIFY 958 ("t2", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1])), 959 # 3) Hypothetical OP_CHECKMULTISIG script that takes a single sig as input 960 ("t3", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIG])), 961 # 4) Hypothetical OP_CHECKMULTISIGVERIFY script that takes a single sig as input 962 ("t4", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIGVERIFY, OP_1])), 963 # 5) OP_IF script that needs a true input 964 ("t5", CScript([OP_IF, pubs[1], OP_CHECKSIG, OP_ELSE, OP_RETURN, OP_ENDIF])), 965 # 6) OP_NOTIF script that needs a true input 966 ("t6", CScript([OP_NOTIF, OP_RETURN, OP_ELSE, pubs[1], OP_CHECKSIG, OP_ENDIF])), 967 # 7) OP_CHECKSIG with an empty key 968 ("t7", CScript([OP_0, OP_CHECKSIG])), 969 # 8) OP_CHECKSIGVERIFY with an empty key 970 ("t8", CScript([OP_0, OP_CHECKSIGVERIFY, OP_1])), 971 # 9) normal OP_CHECKSIGADD that also ensures return value is correct 972 ("t9", CScript([csa_low_val, pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 973 # 10) OP_CHECKSIGADD with empty key 974 ("t10", CScript([csa_low_val, OP_0, OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 975 # 11) OP_CHECKSIGADD with missing counter stack element 976 ("t11", CScript([pubs[1], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 977 # 12) OP_CHECKSIG that needs invalid signature 978 ("t12", CScript([pubs[1], OP_CHECKSIGVERIFY, pubs[0], OP_CHECKSIG, OP_NOT])), 979 # 13) OP_CHECKSIG with empty key that needs invalid signature 980 ("t13", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_CHECKSIG, OP_NOT])), 981 # 14) OP_CHECKSIGADD that needs invalid signature 982 ("t14", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, pubs[0], OP_CHECKSIGADD, OP_NOT])), 983 # 15) OP_CHECKSIGADD with empty key that needs invalid signature 984 ("t15", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGADD, OP_NOT])), 985 # 16) OP_CHECKSIG with unknown pubkey type 986 ("t16", CScript([OP_1, OP_CHECKSIG])), 987 # 17) OP_CHECKSIGADD with unknown pubkey type 988 ("t17", CScript([OP_0, OP_1, OP_CHECKSIGADD])), 989 # 18) OP_CHECKSIGVERIFY with unknown pubkey type 990 ("t18", CScript([OP_1, OP_CHECKSIGVERIFY, OP_1])), 991 # 19) script longer than 10000 bytes and over 201 non-push opcodes 992 ("t19", CScript([OP_0, OP_0, OP_2DROP] * 10001 + [pubs[1], OP_CHECKSIG])), 993 # 20) OP_CHECKSIGVERIFY with empty key 994 ("t20", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGVERIFY, OP_1])), 995 # 21) Script that grows the stack to 1000 elements 996 ("t21", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 999 + [OP_DROP] * 999)), 997 # 22) Script that grows the stack to 1001 elements 998 ("t22", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 1000 + [OP_DROP] * 1000)), 999 # 23) Script that expects an input stack of 1000 elements 1000 ("t23", CScript([OP_DROP] * 999 + [pubs[1], OP_CHECKSIG])), 1001 # 24) Script that expects an input stack of 1001 elements 1002 ("t24", CScript([OP_DROP] * 1000 + [pubs[1], OP_CHECKSIG])), 1003 # 25) Script that pushes a MAX_SCRIPT_ELEMENT_SIZE-bytes element 1004 ("t25", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE), OP_DROP, pubs[1], OP_CHECKSIG])), 1005 # 26) Script that pushes a (MAX_SCRIPT_ELEMENT_SIZE+1)-bytes element 1006 ("t26", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, pubs[1], OP_CHECKSIG])), 1007 # 27) CHECKSIGADD that must fail because numeric argument number is >4 bytes 1008 ("t27", CScript([CScriptNum(OVERSIZE_NUMBER), pubs[1], OP_CHECKSIGADD])), 1009 # 28) Pushes random CScriptNum value, checks OP_CHECKSIGADD result 1010 ("t28", CScript([csa_high_val, pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 1011 # 29) CHECKSIGADD that succeeds with proper sig because numeric argument number is <=4 bytes 1012 ("t29", CScript([CScriptNum(OVERSIZE_NUMBER-1), pubs[1], OP_CHECKSIGADD])), 1013 # 30) Variant of t1 with "normal" 33-byte pubkey 1014 ("t30", CScript([b'\x03' + pubs[1], OP_CHECKSIG])), 1015 # 31) Variant of t2 with "normal" 33-byte pubkey 1016 ("t31", CScript([b'\x02' + pubs[1], OP_CHECKSIGVERIFY, OP_1])), 1017 # 32) Variant of t28 with "normal" 33-byte pubkey 1018 ("t32", CScript([csa_high_val, b'\x03' + pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 1019 # 33) 999-of-999 multisig 1020 ("t33", CScript(big_scriptops[:1998] + [OP_1])), 1021 # 34) 1000-of-1000 multisig 1022 ("t34", CScript(big_scriptops[:2000] + [OP_1])), 1023 # 35) Variant of t9 that uses a non-minimally encoded input arg 1024 ("t35", CScript([bytes([csa_low_val]), pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 1025 # 36) Empty script 1026 ("t36", CScript([])), 1027 ] 1028 # Add many dummies to test huge trees 1029 for j in range(100000): 1030 scripts.append((None, CScript([OP_RETURN, random.randrange(100000)]))) 1031 random.shuffle(scripts) 1032 tap = taproot_construct(pubs[0], scripts) 1033 common = { 1034 "hashtype": hashtype, 1035 "key": secs[1], 1036 "tap": tap, 1037 } 1038 # Test that MAX_SCRIPT_ELEMENT_SIZE byte stack element inputs are valid, but not one more (and 80 bytes is standard but 81 is not). 1039 add_spender(spenders, "tapscript/inputmaxlimit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random.randbytes(MAX_SCRIPT_ELEMENT_SIZE)], failure={"inputs": [getter("sign"), random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1)]}, **ERR_PUSH_SIZE) 1040 add_spender(spenders, "tapscript/input80limit", leaf="t0", **common, inputs=[getter("sign"), random.randbytes(80)]) 1041 add_spender(spenders, "tapscript/input81limit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random.randbytes(81)]) 1042 # Test that OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY cause failure, but OP_CHECKSIG and OP_CHECKSIGVERIFY work. 1043 add_spender(spenders, "tapscript/disabled_checkmultisig", leaf="t1", **common, **SINGLE_SIG, failure={"leaf": "t3"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 1044 add_spender(spenders, "tapscript/disabled_checkmultisigverify", leaf="t2", **common, **SINGLE_SIG, failure={"leaf": "t4"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 1045 # Test that OP_IF and OP_NOTIF do not accept non-0x01 as truth value (the MINIMALIF rule is consensus in Tapscript) 1046 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x02']}, **ERR_TAPSCRIPT_MINIMALIF) 1047 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x03']}, **ERR_TAPSCRIPT_MINIMALIF) 1048 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0001']}, **ERR_TAPSCRIPT_MINIMALIF) 1049 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0100']}, **ERR_TAPSCRIPT_MINIMALIF) 1050 # Test that 1-byte public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid. 1051 add_spender(spenders, "tapscript/unkpk/checksig", leaf="t16", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t7"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1052 add_spender(spenders, "tapscript/unkpk/checksigadd", leaf="t17", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t10"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1053 add_spender(spenders, "tapscript/unkpk/checksigverify", leaf="t18", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t8"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1054 # Test that 33-byte public keys (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case. 1055 add_spender(spenders, "tapscript/oldpk/checksig", leaf="t30", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t1"}, **ERR_SCHNORR_SIG) 1056 add_spender(spenders, "tapscript/oldpk/checksigadd", leaf="t31", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t2"}, **ERR_SCHNORR_SIG) 1057 add_spender(spenders, "tapscript/oldpk/checksigverify", leaf="t32", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t28"}, **ERR_SCHNORR_SIG) 1058 # Test that 0-byte public keys are not acceptable. 1059 add_spender(spenders, "tapscript/emptypk/checksig", leaf="t1", **SINGLE_SIG, **common, failure={"leaf": "t7"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1060 add_spender(spenders, "tapscript/emptypk/checksigverify", leaf="t2", **SINGLE_SIG, **common, failure={"leaf": "t8"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1061 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1062 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t35", standard=False, **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1063 # Test that OP_CHECKSIGADD results are as expected 1064 add_spender(spenders, "tapscript/checksigaddresults", leaf="t28", **SINGLE_SIG, **common, failure={"leaf": "t27"}, **ERR_SCRIPT_NUM) 1065 add_spender(spenders, "tapscript/checksigaddoversize", leaf="t29", **SINGLE_SIG, **common, failure={"leaf": "t27"}, **ERR_SCRIPT_NUM) 1066 # Test that OP_CHECKSIGADD requires 3 stack elements. 1067 add_spender(spenders, "tapscript/checksigadd3args", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t11"}, **ERR_INVALID_STACK_OPERATION) 1068 # Test that empty signatures do not cause script failure in OP_CHECKSIG and OP_CHECKSIGADD (but do fail with empty pubkey, and do fail OP_CHECKSIGVERIFY) 1069 add_spender(spenders, "tapscript/emptysigs/checksig", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t13"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1070 add_spender(spenders, "tapscript/emptysigs/nochecksigverify", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t20"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1071 add_spender(spenders, "tapscript/emptysigs/checksigadd", leaf="t14", **common, inputs=[b'', getter("sign")], failure={"leaf": "t15"}, **ERR_TAPSCRIPT_EMPTY_PUBKEY) 1072 # Test that scripts over 10000 bytes (and over 201 non-push ops) are acceptable. 1073 add_spender(spenders, "tapscript/no10000limit", leaf="t19", **SINGLE_SIG, **common) 1074 # Test that a stack size of 1000 elements is permitted, but 1001 isn't. 1075 add_spender(spenders, "tapscript/1000stack", leaf="t21", **SINGLE_SIG, **common, failure={"leaf": "t22"}, **ERR_STACK_SIZE) 1076 # Test that an input stack size of 1000 elements is permitted, but 1001 isn't. 1077 add_spender(spenders, "tapscript/1000inputs", leaf="t23", **common, inputs=[getter("sign")] + [b'' for _ in range(999)], failure={"leaf": "t24", "inputs": [getter("sign")] + [b'' for _ in range(1000)]}, **ERR_STACK_SIZE) 1078 # Test that pushing a MAX_SCRIPT_ELEMENT_SIZE byte stack element is valid, but one longer is not. 1079 add_spender(spenders, "tapscript/pushmaxlimit", leaf="t25", **common, **SINGLE_SIG, failure={"leaf": "t26"}, **ERR_PUSH_SIZE) 1080 # Test that 999-of-999 multisig works (but 1000-of-1000 triggers stack size limits) 1081 add_spender(spenders, "tapscript/bigmulti", leaf="t33", **common, inputs=big_spend_inputs, num=999, failure={"leaf": "t34", "num": 1000}, **ERR_STACK_SIZE) 1082 # Test that the CLEANSTACK rule is consensus critical in tapscript 1083 add_spender(spenders, "tapscript/cleanstack", leaf="t36", tap=tap, inputs=[b'\x01'], failure={"inputs": [b'\x01', b'\x01']}, **ERR_CLEANSTACK) 1084 1085 # == Test for sigops ratio limit == 1086 1087 # Given a number n, and a public key pk, functions that produce a (CScript, sigops). Each script takes as 1088 # input a valid signature with the passed pk followed by a dummy push of bytes that are to be dropped, and 1089 # will execute sigops signature checks. 1090 SIGOPS_RATIO_SCRIPTS = [ 1091 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIG. 1092 lambda n, pk: (CScript([OP_DROP, pk] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_CHECKSIG]), n + 1), 1093 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGVERIFY. 1094 lambda n, pk: (CScript([OP_DROP, pk, OP_0, OP_IF, OP_2DUP, OP_CHECKSIGVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_2, OP_SWAP, OP_CHECKSIGADD, OP_3, OP_EQUAL]), n + 1), 1095 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIG. 1096 lambda n, pk: (CScript([random.randbytes(220), OP_2DROP, pk, OP_1, OP_NOTIF, OP_2DUP, OP_CHECKSIG, OP_VERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_4, OP_SWAP, OP_CHECKSIGADD, OP_5, OP_EQUAL]), n + 1), 1097 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGADD. 1098 lambda n, pk: (CScript([OP_DROP, pk, OP_1, OP_IF, OP_ELSE, OP_2DUP, OP_6, OP_SWAP, OP_CHECKSIGADD, OP_7, OP_EQUALVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_8, OP_SWAP, OP_CHECKSIGADD, OP_9, OP_EQUAL]), n + 1), 1099 # n+1 OP_CHECKSIGs, but also one OP_CHECKSIG with an empty signature. 1100 lambda n, pk: (CScript([OP_DROP, OP_0, pk, OP_CHECKSIG, OP_NOT, OP_VERIFY, pk] + [OP_2DUP, OP_CHECKSIG, OP_VERIFY] * n + [OP_CHECKSIG]), n + 1), 1101 # n OP_CHECKSIGADDs and 1 OP_CHECKSIG, but also an OP_CHECKSIGADD with an empty signature. 1102 lambda n, pk: (CScript([OP_DROP, OP_0, OP_10, pk, OP_CHECKSIGADD, OP_10, OP_EQUALVERIFY, pk] + [OP_2DUP, OP_16, OP_SWAP, OP_CHECKSIGADD, b'\x11', OP_EQUALVERIFY] * n + [OP_CHECKSIG]), n + 1), 1103 ] 1104 for annex in [None, bytes([ANNEX_TAG]) + random.randbytes(random.randrange(1000))]: 1105 for hashtype in [SIGHASH_DEFAULT, SIGHASH_ALL]: 1106 for pubkey in [pubs[1], random.randbytes(random.choice([x for x in range(2, 81) if x != 32]))]: 1107 for fn_num, fn in enumerate(SIGOPS_RATIO_SCRIPTS): 1108 merkledepth = random.randrange(129) 1109 1110 1111 def predict_sigops_ratio(n, dummy_size): 1112 """Predict whether spending fn(n, pubkey) with dummy_size will pass the ratio test.""" 1113 script, sigops = fn(n, pubkey) 1114 # Predict the size of the witness for a given choice of n 1115 stacklen_size = 1 1116 sig_size = 64 + (hashtype != SIGHASH_DEFAULT) 1117 siglen_size = 1 1118 dummylen_size = 1 + 2 * (dummy_size >= 253) 1119 script_size = len(script) 1120 scriptlen_size = 1 + 2 * (script_size >= 253) 1121 control_size = 33 + 32 * merkledepth 1122 controllen_size = 1 + 2 * (control_size >= 253) 1123 annex_size = 0 if annex is None else len(annex) 1124 annexlen_size = 0 if annex is None else 1 + 2 * (annex_size >= 253) 1125 witsize = stacklen_size + sig_size + siglen_size + dummy_size + dummylen_size + script_size + scriptlen_size + control_size + controllen_size + annex_size + annexlen_size 1126 # sigops ratio test 1127 return witsize + 50 >= 50 * sigops 1128 # Make sure n is high enough that with empty dummy, the script is not valid 1129 n = 0 1130 while predict_sigops_ratio(n, 0): 1131 n += 1 1132 # But allow picking a bit higher still 1133 n += random.randrange(5) 1134 # Now pick dummy size *just* large enough that the overall construction passes 1135 dummylen = 0 1136 while not predict_sigops_ratio(n, dummylen): 1137 dummylen += 1 1138 scripts = [("s", fn(n, pubkey)[0])] 1139 for _ in range(merkledepth): 1140 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 1141 tap = taproot_construct(pubs[0], scripts) 1142 standard = annex is None and dummylen <= 80 and len(pubkey) == 32 1143 add_spender(spenders, "tapscript/sigopsratio_%i" % fn_num, tap=tap, leaf="s", annex=annex, hashtype=hashtype, key=secs[1], inputs=[getter("sign"), random.randbytes(dummylen)], standard=standard, failure={"inputs": [getter("sign"), random.randbytes(dummylen - 1)]}, **ERR_TAPSCRIPT_VALIDATION_WEIGHT) 1144 1145 # Future leaf versions 1146 for leafver in range(0, 0x100, 2): 1147 if leafver == LEAF_VERSION_TAPSCRIPT or leafver == ANNEX_TAG: 1148 # Skip the defined LEAF_VERSION_TAPSCRIPT, and the ANNEX_TAG which is not usable as leaf version 1149 continue 1150 scripts = [ 1151 ("bare_c0", CScript([OP_NOP])), 1152 ("bare_unkver", CScript([OP_NOP]), leafver), 1153 ("return_c0", CScript([OP_RETURN])), 1154 ("return_unkver", CScript([OP_RETURN]), leafver), 1155 ("undecodable_c0", CScript([OP_PUSHDATA1])), 1156 ("undecodable_unkver", CScript([OP_PUSHDATA1]), leafver), 1157 ("bigpush_c0", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP])), 1158 ("bigpush_unkver", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP]), leafver), 1159 ("1001push_c0", CScript([OP_0] * 1001)), 1160 ("1001push_unkver", CScript([OP_0] * 1001), leafver), 1161 ] 1162 random.shuffle(scripts) 1163 tap = taproot_construct(pubs[0], scripts) 1164 add_spender(spenders, "unkver/bare", standard=False, tap=tap, leaf="bare_unkver", failure={"leaf": "bare_c0"}, **ERR_CLEANSTACK) 1165 add_spender(spenders, "unkver/return", standard=False, tap=tap, leaf="return_unkver", failure={"leaf": "return_c0"}, **ERR_OP_RETURN) 1166 add_spender(spenders, "unkver/undecodable", standard=False, tap=tap, leaf="undecodable_unkver", failure={"leaf": "undecodable_c0"}, **ERR_BAD_OPCODE) 1167 add_spender(spenders, "unkver/bigpush", standard=False, tap=tap, leaf="bigpush_unkver", failure={"leaf": "bigpush_c0"}, **ERR_PUSH_SIZE) 1168 add_spender(spenders, "unkver/1001push", standard=False, tap=tap, leaf="1001push_unkver", failure={"leaf": "1001push_c0"}, **ERR_STACK_SIZE) 1169 add_spender(spenders, "unkver/1001inputs", standard=False, tap=tap, leaf="bare_unkver", inputs=[b'']*1001, failure={"leaf": "bare_c0"}, **ERR_STACK_SIZE) 1170 1171 # OP_SUCCESSx tests. 1172 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 1173 for opval in range(76, 0x100): 1174 opcode = CScriptOp(opval) 1175 if not is_op_success(opcode): 1176 continue 1177 scripts = [ 1178 ("bare_success", CScript([opcode])), 1179 ("bare_nop", CScript([OP_NOP])), 1180 ("unexecif_success", CScript([OP_0, OP_IF, opcode, OP_ENDIF])), 1181 ("unexecif_nop", CScript([OP_0, OP_IF, OP_NOP, OP_ENDIF])), 1182 ("return_success", CScript([OP_RETURN, opcode])), 1183 ("return_nop", CScript([OP_RETURN, OP_NOP])), 1184 ("undecodable_success", CScript([opcode, OP_PUSHDATA1])), 1185 ("undecodable_nop", CScript([OP_NOP, OP_PUSHDATA1])), 1186 ("undecodable_bypassed_success", CScript([OP_PUSHDATA1, OP_2, opcode])), 1187 ("bigpush_success", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, opcode])), 1188 ("bigpush_nop", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, OP_NOP])), 1189 ("1001push_success", CScript([OP_0] * 1001 + [opcode])), 1190 ("1001push_nop", CScript([OP_0] * 1001 + [OP_NOP])), 1191 ] 1192 random.shuffle(scripts) 1193 tap = taproot_construct(pubs[0], scripts) 1194 add_spender(spenders, "opsuccess/bare", standard=False, tap=tap, leaf="bare_success", failure={"leaf": "bare_nop"}, **ERR_CLEANSTACK) 1195 add_spender(spenders, "opsuccess/unexecif", standard=False, tap=tap, leaf="unexecif_success", failure={"leaf": "unexecif_nop"}, **ERR_CLEANSTACK) 1196 add_spender(spenders, "opsuccess/return", standard=False, tap=tap, leaf="return_success", failure={"leaf": "return_nop"}, **ERR_OP_RETURN) 1197 add_spender(spenders, "opsuccess/undecodable", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_nop"}, **ERR_BAD_OPCODE) 1198 add_spender(spenders, "opsuccess/undecodable_bypass", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_bypassed_success"}, **ERR_BAD_OPCODE) 1199 add_spender(spenders, "opsuccess/bigpush", standard=False, tap=tap, leaf="bigpush_success", failure={"leaf": "bigpush_nop"}, **ERR_PUSH_SIZE) 1200 add_spender(spenders, "opsuccess/1001push", standard=False, tap=tap, leaf="1001push_success", failure={"leaf": "1001push_nop"}, **ERR_STACK_SIZE) 1201 add_spender(spenders, "opsuccess/1001inputs", standard=False, tap=tap, leaf="bare_success", inputs=[b'']*1001, failure={"leaf": "bare_nop"}, **ERR_STACK_SIZE) 1202 1203 # Non-OP_SUCCESSx (verify that those aren't accidentally treated as OP_SUCCESSx) 1204 for opval in range(0, 0x100): 1205 opcode = CScriptOp(opval) 1206 if is_op_success(opcode): 1207 continue 1208 scripts = [ 1209 ("normal", CScript([OP_RETURN, opcode] + [OP_NOP] * 75)), 1210 ("op_success", CScript([OP_RETURN, CScriptOp(0x50)])) 1211 ] 1212 tap = taproot_construct(pubs[0], scripts) 1213 add_spender(spenders, "alwaysvalid/notsuccessx", tap=tap, leaf="op_success", inputs=[], standard=False, failure={"leaf": "normal"}) # err_msg differs based on opcode 1214 1215 # == Test case for https://github.com/bitcoin/bitcoin/issues/24765 == 1216 1217 zero_fn = lambda h: bytes([0 for _ in range(32)]) 1218 tap = taproot_construct(pubs[0], [("leaf", CScript([pubs[1], OP_CHECKSIG, pubs[1], OP_CHECKSIGADD, OP_2, OP_EQUAL])), zero_fn]) 1219 add_spender(spenders, "case24765", tap=tap, leaf="leaf", inputs=[getter("sign"), getter("sign")], key=secs[1], no_fail=True) 1220 1221 # == Legacy tests == 1222 1223 # Also add a few legacy spends into the mix, so that transactions which combine taproot and pre-taproot spends get tested too. 1224 for compressed in [False, True]: 1225 eckey1, pubkey1 = generate_keypair(compressed=compressed) 1226 eckey2, _ = generate_keypair(compressed=compressed) 1227 for p2sh in [False, True]: 1228 for witv0 in [False, True]: 1229 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1230 standard = (hashtype in VALID_SIGHASHES_ECDSA) and (compressed or not witv0) 1231 add_spender(spenders, "legacy/pk-wrongkey", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=key_to_p2pk_script(pubkey1), **SINGLE_SIG, key=eckey1, failure={"key": eckey2}, sigops_weight=4-3*witv0, **ERR_EVAL_FALSE) 1232 add_spender(spenders, "legacy/pkh-sighashflip", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, pkh=pubkey1, key=eckey1, **SIGHASH_BITFLIP, sigops_weight=4-3*witv0, **ERR_EVAL_FALSE) 1233 1234 # Verify that OP_CHECKSIGADD wasn't accidentally added to pre-taproot validation logic. 1235 for p2sh in [False, True]: 1236 for witv0 in [False, True]: 1237 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1238 standard = hashtype in VALID_SIGHASHES_ECDSA and (p2sh or witv0) 1239 add_spender(spenders, "compat/nocsa", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([OP_IF, OP_11, pubkey1, OP_CHECKSIGADD, OP_12, OP_EQUAL, OP_ELSE, pubkey1, OP_CHECKSIG, OP_ENDIF]), key=eckey1, sigops_weight=4-3*witv0, inputs=[getter("sign"), b''], failure={"inputs": [getter("sign"), b'\x01']}, **ERR_BAD_OPCODE) 1240 1241 # == sighash caching tests == 1242 1243 # Sighash caching in legacy. 1244 for p2sh in [False, True]: 1245 for witv0 in [False, True]: 1246 eckey1, pubkey1 = generate_keypair(compressed=compressed) 1247 for _ in range(10): 1248 # Construct a script with 20 checksig operations (10 sighash types, each 2 times), 1249 # randomly ordered and interleaved with 4 OP_CODESEPARATORS. 1250 ops = [1, 2, 3, 0x21, 0x42, 0x63, 0x81, 0x83, 0xe1, 0xc2, -1, -1] * 2 1251 # Make sure no OP_CODESEPARATOR appears last. 1252 while True: 1253 random.shuffle(ops) 1254 if ops[-1] != -1: 1255 break 1256 script = [pubkey1] 1257 inputs = [] 1258 codeseps = -1 1259 for pos, op in enumerate(ops): 1260 if op == -1: 1261 codeseps += 1 1262 script.append(OP_CODESEPARATOR) 1263 elif pos + 1 != len(ops): 1264 script += [OP_TUCK, OP_CHECKSIGVERIFY] 1265 inputs.append(getter("sign", codesepnum=codeseps, hashtype=op)) 1266 else: 1267 script += [OP_CHECKSIG] 1268 inputs.append(getter("sign", codesepnum=codeseps, hashtype=op)) 1269 inputs.reverse() 1270 script = CScript(script) 1271 add_spender(spenders, "sighashcache/legacy", p2sh=p2sh, witv0=witv0, standard=False, script=script, inputs=inputs, key=eckey1, sigops_weight=12*8*(4-3*witv0), no_fail=True) 1272 1273 # Sighash caching in tapscript. 1274 for _ in range(10): 1275 # Construct a script with 700 checksig operations (7 sighash types, each 100 times), 1276 # randomly ordered and interleaved with 100 OP_CODESEPARATORS. 1277 ops = [0, 1, 2, 3, 0x81, 0x82, 0x83, -1] * 100 1278 # Make sure no OP_CODESEPARATOR appears last. 1279 while True: 1280 random.shuffle(ops) 1281 if ops[-1] != -1: 1282 break 1283 script = [pubs[1]] 1284 inputs = [] 1285 opcount = 1 1286 codeseppos = 0xffffffff 1287 for pos, op in enumerate(ops): 1288 if op == -1: 1289 codeseppos = opcount 1290 opcount += 1 1291 script.append(OP_CODESEPARATOR) 1292 elif pos + 1 != len(ops): 1293 opcount += 2 1294 script += [OP_TUCK, OP_CHECKSIGVERIFY] 1295 inputs.append(getter("sign", codeseppos=codeseppos, hashtype=op)) 1296 else: 1297 opcount += 1 1298 script += [OP_CHECKSIG] 1299 inputs.append(getter("sign", codeseppos=codeseppos, hashtype=op)) 1300 inputs.reverse() 1301 script = CScript(script) 1302 tap = taproot_construct(pubs[0], [("leaf", script)]) 1303 add_spender(spenders, "sighashcache/taproot", tap=tap, leaf="leaf", inputs=inputs, standard=True, key=secs[1], no_fail=True) 1304 1305 return spenders 1306 1307 1308 def spenders_taproot_nonstandard(): 1309 """Spenders for testing that post-activation Taproot rules may be nonstandard.""" 1310 1311 spenders = [] 1312 1313 sec = generate_privkey() 1314 pub, _ = compute_xonly_pubkey(sec) 1315 scripts = [ 1316 ("future_leaf", CScript([pub, OP_CHECKSIG]), 0xc2), 1317 ("op_success", CScript([pub, OP_CHECKSIG, OP_0, OP_IF, CScriptOp(0x50), OP_ENDIF])), 1318 ] 1319 tap = taproot_construct(pub, scripts) 1320 1321 # Test that features like annex, leaf versions, or OP_SUCCESS are valid but non-standard 1322 add_spender(spenders, "inactive/scriptpath_valid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")]) 1323 add_spender(spenders, "inactive/scriptpath_invalid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1324 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")]) 1325 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1326 1327 return spenders 1328 1329 def sample_spenders(): 1330 1331 # Create key(s) for output creation, as well as key and script-spends 1332 secs = [generate_privkey() for _ in range(2)] 1333 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 1334 1335 # Create a list of scripts which will be built into a taptree 1336 scripts = [ 1337 # leaf label, followed by CScript 1338 ("2byte_push", CScript([OP_DROP, b'\xaa\xaa'])), 1339 ("nonstd_2byte_push", CScript.fromhex("4c02aaaa")), 1340 ("dummyleaf", CScript([])), 1341 ] 1342 1343 # Build TaprootInfo using scripts and appropriate pubkey for output creation 1344 tap = taproot_construct(pubs[0], scripts) 1345 1346 # Finally, add spender(s). 1347 # Each spender embodies a test with an optional failure condition. 1348 # These failure conditions allow for fine-grained success/failure 1349 # conditions that are tested randomly. 1350 spenders = [] 1351 1352 # Named comment, using first leaf from scripts, with empty string as witness data, no optional fail condition 1353 add_spender(spenders, comment="tutorial/push", tap=tap, leaf="2byte_push", inputs=[b'\x00'], no_fail=True) 1354 1355 # Spender with alternative failure tapscript via over-riding "failure" dictionary, along with the failure's expected err_msg / ERR_* 1356 add_spender(spenders, comment="tutorial/pushredux", tap=tap, leaf="2byte_push", inputs=[b'\x00'], failure={"leaf": "dummyleaf"}, **ERR_EVAL_FALSE) 1357 1358 # Spender that is non-standard but otherwise valid, with extraneous signature data from inner key for optional failure condition 1359 add_spender(spenders, comment="tutorial/nonminpush", tap=tap, leaf="nonstd_2byte_push", key=secs[0], standard=False, failure={"inputs": [getter("sign")]}, **ERR_CLEANSTACK) 1360 1361 # New scripts=[] can be defined, and rinse-repeated as necessary until the spenders list is returned for execution 1362 return spenders 1363 1364 # Consensus validation flags to use in dumps for tests with "legacy/" or "inactive/" prefix. 1365 LEGACY_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY" 1366 # Consensus validation flags to use in dumps for all other tests. 1367 TAPROOT_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT" 1368 1369 def dump_json_test(tx, input_utxos, idx, success, failure): 1370 spender = input_utxos[idx].spender 1371 # Determine flags to dump 1372 flags = LEGACY_FLAGS if spender.comment.startswith("legacy/") or spender.comment.startswith("inactive/") else TAPROOT_FLAGS 1373 1374 fields = [ 1375 ("tx", tx.serialize().hex()), 1376 ("prevouts", [x.output.serialize().hex() for x in input_utxos]), 1377 ("index", idx), 1378 ("flags", flags), 1379 ("comment", spender.comment) 1380 ] 1381 1382 # The "final" field indicates that a spend should be always valid, even with more validation flags enabled 1383 # than the listed ones. Use standardness as a proxy for this (which gives a conservative underestimate). 1384 if spender.is_standard: 1385 fields.append(("final", True)) 1386 1387 def dump_witness(wit): 1388 return OrderedDict([("scriptSig", wit[0].hex()), ("witness", [x.hex() for x in wit[1]])]) 1389 if success is not None: 1390 fields.append(("success", dump_witness(success))) 1391 if failure is not None: 1392 fields.append(("failure", dump_witness(failure))) 1393 1394 # Write the dump to $TEST_DUMP_DIR/x/xyz... where x,y,z,... are the SHA1 sum of the dump (which makes the 1395 # file naming scheme compatible with fuzzing infrastructure). 1396 dump = json.dumps(OrderedDict(fields)) + ",\n" 1397 sha1 = hashlib.sha1(dump.encode("utf-8")).hexdigest() 1398 dirname = os.environ.get("TEST_DUMP_DIR", ".") + ("/%s" % sha1[0]) 1399 os.makedirs(dirname, exist_ok=True) 1400 with open(dirname + ("/%s" % sha1), 'w') as f: 1401 f.write(dump) 1402 1403 # Data type to keep track of UTXOs, where they were created, and how to spend them. 1404 UTXOData = namedtuple('UTXOData', 'outpoint,output,spender') 1405 1406 1407 class TaprootTest(BitcoinTestFramework): 1408 def add_options(self, parser): 1409 parser.add_argument("--dumptests", dest="dump_tests", default=False, action="store_true", 1410 help="Dump generated test cases to directory set by TEST_DUMP_DIR environment variable") 1411 1412 def skip_test_if_missing_module(self): 1413 self.skip_if_no_wallet() 1414 1415 def set_test_params(self): 1416 self.num_nodes = 1 1417 self.setup_clean_chain = True 1418 1419 def block_submit(self, node, txs, msg, err_msg, cb_pubkey=None, fees=0, sigops_weight=0, witness=False, accept=False): 1420 1421 # Deplete block of any non-tapscript sigops using a single additional 0-value coinbase output. 1422 # It is not impossible to fit enough tapscript sigops to hit the old 80k limit without 1423 # busting txin-level limits. We simply have to account for the p2pk outputs in all 1424 # transactions. 1425 extra_output_script = CScript(bytes([OP_CHECKSIG]*((MAX_BLOCK_SIGOPS_WEIGHT - sigops_weight) // WITNESS_SCALE_FACTOR))) 1426 1427 coinbase_tx = create_coinbase(self.lastblockheight + 1, pubkey=cb_pubkey, extra_output_script=extra_output_script, fees=fees) 1428 block = create_block(self.tip, coinbase_tx, ntime=self.lastblocktime + 1, txlist=txs) 1429 witness and add_witness_commitment(block) 1430 block.solve() 1431 block_response = node.submitblock(block.serialize().hex()) 1432 if err_msg is not None: 1433 assert block_response is not None and err_msg in block_response, "Missing error message '%s' from block response '%s': %s" % (err_msg, "(None)" if block_response is None else block_response, msg) 1434 if accept: 1435 assert node.getbestblockhash() == block.hash_hex, "Failed to accept: %s (response: %s)" % (msg, block_response) 1436 self.tip = block.hash_int 1437 self.lastblockhash = block.hash_hex 1438 self.lastblocktime += 1 1439 self.lastblockheight += 1 1440 else: 1441 assert node.getbestblockhash() == self.lastblockhash, "Failed to reject: " + msg 1442 1443 def init_blockinfo(self, node): 1444 # Initialize variables used by block_submit(). 1445 self.lastblockhash = node.getbestblockhash() 1446 self.tip = int(self.lastblockhash, 16) 1447 block = node.getblock(self.lastblockhash) 1448 self.lastblockheight = block['height'] 1449 self.lastblocktime = block['time'] 1450 1451 def test_spenders(self, node, spenders, input_counts): 1452 """Run randomized tests with a number of "spenders". 1453 1454 Steps: 1455 1) Generate an appropriate UTXO for each spender to test spend conditions 1456 2) Generate 100 random addresses of all wallet types: pkh/sh_wpkh/wpkh 1457 3) Select random number of inputs from (1) 1458 4) Select random number of addresses from (2) as outputs 1459 1460 Each spender embodies a test; in a large randomized test, it is verified 1461 that toggling the valid argument to each lambda toggles the validity of 1462 the transaction. This is accomplished by constructing transactions consisting 1463 of all valid inputs, except one invalid one. 1464 """ 1465 1466 # Construct a bunch of sPKs that send coins back to the host wallet 1467 self.log.info("- Constructing addresses for returning coins") 1468 host_spks = [] 1469 host_pubkeys = [] 1470 for i in range(16): 1471 addr = node.getnewaddress(address_type=random.choice(["legacy", "p2sh-segwit", "bech32"])) 1472 info = node.getaddressinfo(addr) 1473 spk = bytes.fromhex(info['scriptPubKey']) 1474 host_spks.append(spk) 1475 host_pubkeys.append(bytes.fromhex(info['pubkey'])) 1476 1477 self.init_blockinfo(node) 1478 1479 # Create transactions spending up to 50 of the wallet's inputs, with one output for each spender, and 1480 # one change output at the end. The transaction is constructed on the Python side to enable 1481 # having multiple outputs to the same address and outputs with no assigned address. The wallet 1482 # is then asked to sign it through signrawtransactionwithwallet, and then added to a block on the 1483 # Python side (to bypass standardness rules). 1484 self.log.info("- Creating test UTXOs...") 1485 random.shuffle(spenders) 1486 normal_utxos = [] 1487 mismatching_utxos = [] # UTXOs with input that requires mismatching output position 1488 done = 0 1489 while done < len(spenders): 1490 # Compute how many UTXOs to create with this transaction 1491 count_this_tx = min(len(spenders) - done, (len(spenders) + 4) // 5, 10000) 1492 1493 fund_tx = CTransaction() 1494 # Add the 50 highest-value inputs 1495 unspents = node.listunspent() 1496 random.shuffle(unspents) 1497 unspents.sort(key=lambda x: int(x["amount"] * 100000000), reverse=True) 1498 if len(unspents) > 50: 1499 unspents = unspents[:50] 1500 random.shuffle(unspents) 1501 balance = 0 1502 for unspent in unspents: 1503 balance += int(unspent["amount"] * 100000000) 1504 txid = int(unspent["txid"], 16) 1505 fund_tx.vin.append(CTxIn(COutPoint(txid, int(unspent["vout"])), CScript())) 1506 # Add outputs 1507 cur_progress = done / len(spenders) 1508 next_progress = (done + count_this_tx) / len(spenders) 1509 change_goal = (1.0 - 0.6 * next_progress) / (1.0 - 0.6 * cur_progress) * balance 1510 self.log.debug("Create %i UTXOs in a transaction spending %i inputs worth %.8f (sending ~%.8f to change)" % (count_this_tx, len(unspents), balance * 0.00000001, change_goal * 0.00000001)) 1511 for i in range(count_this_tx): 1512 avg = (balance - change_goal) / (count_this_tx - i) 1513 amount = int(random.randrange(int(avg*0.85 + 0.5), int(avg*1.15 + 0.5)) + 0.5) 1514 balance -= amount 1515 fund_tx.vout.append(CTxOut(amount, spenders[done + i].script)) 1516 # Add change 1517 fund_tx.vout.append(CTxOut(balance - 10000, random.choice(host_spks))) 1518 # Ask the wallet to sign 1519 fund_tx = tx_from_hex(node.signrawtransactionwithwallet(fund_tx.serialize().hex())["hex"]) 1520 # Construct UTXOData entries 1521 for i in range(count_this_tx): 1522 utxodata = UTXOData(outpoint=COutPoint(fund_tx.txid_int, i), output=fund_tx.vout[i], spender=spenders[done]) 1523 if utxodata.spender.need_vin_vout_mismatch: 1524 mismatching_utxos.append(utxodata) 1525 else: 1526 normal_utxos.append(utxodata) 1527 done += 1 1528 # Mine into a block 1529 self.block_submit(node, [fund_tx], "Funding tx", None, random.choice(host_pubkeys), 10000, MAX_BLOCK_SIGOPS_WEIGHT, True, True) 1530 1531 # Consume groups of choice(input_coins) from utxos in a tx, testing the spenders. 1532 self.log.info("- Running %i spending tests" % done) 1533 random.shuffle(normal_utxos) 1534 random.shuffle(mismatching_utxos) 1535 assert_equal(done, len(normal_utxos) + len(mismatching_utxos)) 1536 1537 left = done 1538 while left: 1539 # Construct CTransaction with random version, nLocktime 1540 tx = CTransaction() 1541 tx.version = random.choice(TX_STANDARD_VERSIONS + [0, TX_MAX_STANDARD_VERSION + 1, random.getrandbits(32)]) 1542 min_sequence = (tx.version != 1 and tx.version != 0) * 0x80000000 # The minimum sequence number to disable relative locktime 1543 if random.choice([True, False]): 1544 tx.nLockTime = random.randrange(LOCKTIME_THRESHOLD, self.lastblocktime - 7200) # all absolute locktimes in the past 1545 else: 1546 tx.nLockTime = random.randrange(self.lastblockheight + 1) # all block heights in the past 1547 1548 # Decide how many UTXOs to test with. 1549 acceptable = [n for n in input_counts if n <= left and (left - n > max(input_counts) or (left - n) in [0] + input_counts)] 1550 num_inputs = random.choice(acceptable) 1551 1552 # If we have UTXOs that require mismatching inputs/outputs left, include exactly one of those 1553 # unless there is only one normal UTXO left (as tests with mismatching UTXOs require at least one 1554 # normal UTXO to go in the first position), and we don't want to run out of normal UTXOs. 1555 input_utxos = [] 1556 while len(mismatching_utxos) and (len(input_utxos) == 0 or len(normal_utxos) == 1): 1557 input_utxos.append(mismatching_utxos.pop()) 1558 left -= 1 1559 1560 # Top up until we hit num_inputs (but include at least one normal UTXO always). 1561 for _ in range(max(1, num_inputs - len(input_utxos))): 1562 input_utxos.append(normal_utxos.pop()) 1563 left -= 1 1564 1565 # The first input cannot require a mismatching output (as there is at least one output). 1566 while True: 1567 random.shuffle(input_utxos) 1568 if not input_utxos[0].spender.need_vin_vout_mismatch: 1569 break 1570 first_mismatch_input = None 1571 for i in range(len(input_utxos)): 1572 if input_utxos[i].spender.need_vin_vout_mismatch: 1573 first_mismatch_input = i 1574 assert first_mismatch_input is None or first_mismatch_input > 0 1575 1576 # Decide fee, and add CTxIns to tx. 1577 amount = sum(utxo.output.nValue for utxo in input_utxos) 1578 fee = min(random.randrange(MIN_FEE * 2, MIN_FEE * 4), amount - DUST_LIMIT) # 10000-20000 sat fee 1579 in_value = amount - fee 1580 tx.vin = [CTxIn(outpoint=utxo.outpoint, nSequence=random.randint(min_sequence, 0xffffffff)) for utxo in input_utxos] 1581 tx.wit.vtxinwit = [CTxInWitness() for _ in range(len(input_utxos))] 1582 sigops_weight = sum(utxo.spender.sigops_weight for utxo in input_utxos) 1583 self.log.debug("Test: %s" % (", ".join(utxo.spender.comment for utxo in input_utxos))) 1584 1585 # Add 1 to 4 random outputs (but constrained by inputs that require mismatching outputs) 1586 num_outputs = random.choice(range(1, 1 + min(4, 4 if first_mismatch_input is None else first_mismatch_input))) 1587 assert in_value >= 0 and fee - num_outputs * DUST_LIMIT >= MIN_FEE 1588 for i in range(num_outputs): 1589 tx.vout.append(CTxOut()) 1590 if in_value <= DUST_LIMIT: 1591 tx.vout[-1].nValue = DUST_LIMIT 1592 elif i < num_outputs - 1: 1593 tx.vout[-1].nValue = in_value 1594 else: 1595 tx.vout[-1].nValue = random.randint(DUST_LIMIT, in_value) 1596 in_value -= tx.vout[-1].nValue 1597 tx.vout[-1].scriptPubKey = random.choice(host_spks) 1598 sigops_weight += CScript(tx.vout[-1].scriptPubKey).GetSigOpCount(False) * WITNESS_SCALE_FACTOR 1599 fee += in_value 1600 assert fee >= 0 1601 1602 # Select coinbase pubkey 1603 cb_pubkey = random.choice(host_pubkeys) 1604 sigops_weight += 1 * WITNESS_SCALE_FACTOR 1605 1606 # Precompute one satisfying and one failing scriptSig/witness for each input. 1607 input_data = [] 1608 for i in range(len(input_utxos)): 1609 fn = input_utxos[i].spender.sat_function 1610 fail = None 1611 success = fn(tx, i, [utxo.output for utxo in input_utxos], True) 1612 if not input_utxos[i].spender.no_fail: 1613 fail = fn(tx, i, [utxo.output for utxo in input_utxos], False) 1614 input_data.append((fail, success)) 1615 if self.options.dump_tests: 1616 dump_json_test(tx, input_utxos, i, success, fail) 1617 1618 # Sign each input incorrectly once on each complete signing pass, except the very last. 1619 for fail_input in list(range(len(input_utxos))) + [None]: 1620 # Skip trying to fail at spending something that can't be made to fail. 1621 if fail_input is not None and input_utxos[fail_input].spender.no_fail: 1622 continue 1623 # Expected message with each input failure, may be None(which is ignored) 1624 expected_fail_msg = None if fail_input is None else input_utxos[fail_input].spender.err_msg 1625 # Fill inputs/witnesses 1626 for i in range(len(input_utxos)): 1627 tx.vin[i].scriptSig = input_data[i][i != fail_input][0] 1628 tx.wit.vtxinwit[i].scriptWitness.stack = input_data[i][i != fail_input][1] 1629 # Submit to mempool to check standardness 1630 is_standard_tx = ( 1631 fail_input is None # Must be valid to be standard 1632 and (all(utxo.spender.is_standard for utxo in input_utxos)) # All inputs must be standard 1633 and tx.version in TX_STANDARD_VERSIONS # The tx version must be standard 1634 and not (tx.version == 3 and tx.get_vsize() > TRUC_MAX_VSIZE) # Topological standardness rules must be followed 1635 ) 1636 msg = ','.join(utxo.spender.comment + ("*" if n == fail_input else "") for n, utxo in enumerate(input_utxos)) 1637 if is_standard_tx: 1638 node.sendrawtransaction(tx.serialize().hex(), 0) 1639 assert node.getmempoolentry(tx.txid_hex) is not None, "Failed to accept into mempool: " + msg 1640 else: 1641 assert_raises_rpc_error(-26, None, node.sendrawtransaction, tx.serialize().hex(), 0) 1642 # Submit in a block 1643 self.block_submit(node, [tx], msg, witness=True, accept=fail_input is None, cb_pubkey=cb_pubkey, fees=fee, sigops_weight=sigops_weight, err_msg=expected_fail_msg) 1644 1645 if (len(spenders) - left) // 200 > (len(spenders) - left - len(input_utxos)) // 200: 1646 self.log.info(" - %i tests done" % (len(spenders) - left)) 1647 1648 assert_equal(left, 0) 1649 assert_equal(len(normal_utxos), 0) 1650 assert_equal(len(mismatching_utxos), 0) 1651 self.log.info(" - Done") 1652 1653 def gen_test_vectors(self): 1654 """Run a scenario that corresponds (and optionally produces) to BIP341 test vectors.""" 1655 1656 self.log.info("Unit test scenario...") 1657 1658 # Deterministically mine coins to OP_TRUE in block 1 1659 assert_equal(self.nodes[0].getblockcount(), 0) 1660 coinbase = CTransaction() 1661 coinbase.version = 1 1662 coinbase.vin = [CTxIn(COutPoint(0, 0xffffffff), CScript([OP_1, OP_1]), SEQUENCE_FINAL)] 1663 coinbase.vout = [CTxOut(5000000000, CScript([OP_1]))] 1664 coinbase.nLockTime = 0 1665 assert_equal(coinbase.txid_hex, "f60c73405d499a956d3162e3483c395526ef78286458a4cb17b125aa92e49b20") 1666 # Mine it 1667 block = create_block(hashprev=int(self.nodes[0].getbestblockhash(), 16), coinbase=coinbase) 1668 block.solve() 1669 self.nodes[0].submitblock(block.serialize().hex()) 1670 assert_equal(self.nodes[0].getblockcount(), 1) 1671 self.generate(self.nodes[0], COINBASE_MATURITY) 1672 1673 SEED = 317 1674 VALID_LEAF_VERS = list(range(0xc0, 0x100, 2)) + [0x66, 0x7e, 0x80, 0x84, 0x96, 0x98, 0xba, 0xbc, 0xbe] 1675 # Generate private keys 1676 prvs = [hashlib.sha256(SEED.to_bytes(2, 'big') + bytes([i])).digest() for i in range(100)] 1677 # Generate corresponding public x-only pubkeys 1678 pubs = [compute_xonly_pubkey(prv)[0] for prv in prvs] 1679 # Generate taproot objects 1680 inner_keys = [pubs[i] for i in range(7)] 1681 1682 script_lists = [ 1683 None, 1684 [("0", CScript([pubs[50], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)], 1685 [("0", CScript([pubs[51], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)], 1686 [("0", CScript([pubs[52], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("1", CScript([b"BIP341"]), VALID_LEAF_VERS[pubs[99][0] % 41])], 1687 [("0", CScript([pubs[53], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("1", CScript([b"Taproot"]), VALID_LEAF_VERS[pubs[99][1] % 41])], 1688 [("0", CScript([pubs[54], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), 1689 [("1", CScript([pubs[55], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("2", CScript([pubs[56], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)] 1690 ], 1691 [("0", CScript([pubs[57], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), 1692 [("1", CScript([pubs[58], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("2", CScript([pubs[59], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)] 1693 ], 1694 ] 1695 taps = [taproot_construct(inner_keys[i], script_lists[i]) for i in range(len(inner_keys))] 1696 1697 # Require negated taps[0] 1698 assert taps[0].negflag 1699 # Require one negated and one non-negated in taps 1 and 2. 1700 assert_not_equal(taps[1].negflag, taps[2].negflag) 1701 # Require one negated and one non-negated in taps 3 and 4. 1702 assert_not_equal(taps[3].negflag, taps[4].negflag) 1703 # Require one negated and one non-negated in taps 5 and 6. 1704 assert_not_equal(taps[5].negflag, taps[6].negflag) 1705 1706 cblks = [{leaf: get({**DEFAULT_CONTEXT, 'tap': taps[i], 'leaf': leaf}, 'controlblock') for leaf in taps[i].leaves} for i in range(7)] 1707 # Require one swapped and one unswapped in taps 3 and 4. 1708 assert_not_equal((cblks[3]['0'][33:65] < cblks[3]['1'][33:65]), (cblks[4]['0'][33:65] < cblks[4]['1'][33:65])) 1709 # Require one swapped and one unswapped in taps 5 and 6, both at the top and child level. 1710 assert_not_equal((cblks[5]['0'][33:65] < cblks[5]['1'][65:]), (cblks[6]['0'][33:65] < cblks[6]['1'][65:])) 1711 assert_not_equal((cblks[5]['1'][33:65] < cblks[5]['2'][33:65]), (cblks[6]['1'][33:65] < cblks[6]['2'][33:65])) 1712 # Require within taps 5 (and thus also 6) that one level is swapped and the other is not. 1713 assert_not_equal((cblks[5]['0'][33:65] < cblks[5]['1'][65:]), (cblks[5]['1'][33:65] < cblks[5]['2'][33:65])) 1714 1715 # Compute a deterministic set of scriptPubKeys 1716 tap_spks = [] 1717 old_spks = [] 1718 spend_info = {} 1719 # First, taproot scriptPubKeys, for the tap objects constructed above 1720 for i, tap in enumerate(taps): 1721 tap_spks.append(tap.scriptPubKey) 1722 d = {'key': prvs[i], 'tap': tap, 'mode': 'taproot'} 1723 spend_info[tap.scriptPubKey] = d 1724 # Then, a number of deterministically generated (keys 0x1,0x2,0x3) with 2x P2PKH, 1x P2WPKH spks. 1725 for i in range(1, 4): 1726 prv = ECKey() 1727 prv.set(i.to_bytes(32, 'big'), True) 1728 pub = prv.get_pubkey().get_bytes() 1729 d = {"key": prv} 1730 d["scriptcode"] = key_to_p2pkh_script(pub) 1731 d["inputs"] = [getter("sign"), pub] 1732 if i < 3: 1733 # P2PKH 1734 d['spk'] = key_to_p2pkh_script(pub) 1735 d['mode'] = 'legacy' 1736 else: 1737 # P2WPKH 1738 d['spk'] = key_to_p2wpkh_script(pub) 1739 d['mode'] = 'witv0' 1740 old_spks.append(d['spk']) 1741 spend_info[d['spk']] = d 1742 1743 # Construct a deterministic chain of transactions creating UTXOs to the test's spk's (so that they 1744 # come from distinct txids). 1745 txn = [] 1746 lasttxid = coinbase.txid_int 1747 amount = 5000000000 1748 for i, spk in enumerate(old_spks + tap_spks): 1749 val = 42000000 * (i + 7) 1750 tx = CTransaction() 1751 tx.version = 1 1752 tx.vin = [CTxIn(COutPoint(lasttxid, i & 1), CScript([]), SEQUENCE_FINAL)] 1753 tx.vout = [CTxOut(val, spk), CTxOut(amount - val, CScript([OP_1]))] 1754 if i & 1: 1755 tx.vout = list(reversed(tx.vout)) 1756 tx.nLockTime = 0 1757 amount -= val 1758 lasttxid = tx.txid_int 1759 txn.append(tx) 1760 spend_info[spk]['prevout'] = COutPoint(tx.txid_int, i & 1) 1761 spend_info[spk]['utxo'] = CTxOut(val, spk) 1762 # Mine those transactions 1763 self.init_blockinfo(self.nodes[0]) 1764 self.block_submit(self.nodes[0], txn, "Crediting txn", None, sigops_weight=10, accept=True) 1765 1766 # scriptPubKey computation 1767 tests = {"version": 1} 1768 spk_tests = tests.setdefault("scriptPubKey", []) 1769 for i, tap in enumerate(taps): 1770 test_case = {} 1771 given = test_case.setdefault("given", {}) 1772 given['internalPubkey'] = tap.internal_pubkey.hex() 1773 1774 def pr(node): 1775 if node is None: 1776 return None 1777 elif isinstance(node, tuple): 1778 return {"id": int(node[0]), "script": node[1].hex(), "leafVersion": node[2]} 1779 elif len(node) == 1: 1780 return pr(node[0]) 1781 elif len(node) == 2: 1782 return [pr(node[0]), pr(node[1])] 1783 else: 1784 assert False 1785 1786 given['scriptTree'] = pr(script_lists[i]) 1787 intermediary = test_case.setdefault("intermediary", {}) 1788 if len(tap.leaves): 1789 leafhashes = intermediary.setdefault('leafHashes', [None] * len(tap.leaves)) 1790 for leaf in tap.leaves: 1791 leafhashes[int(leaf)] = tap.leaves[leaf].leaf_hash.hex() 1792 intermediary['merkleRoot'] = tap.merkle_root.hex() if tap.merkle_root else None 1793 intermediary['tweak'] = tap.tweak.hex() 1794 intermediary['tweakedPubkey'] = tap.output_pubkey.hex() 1795 expected = test_case.setdefault("expected", {}) 1796 expected['scriptPubKey'] = tap.scriptPubKey.hex() 1797 expected['bip350Address'] = program_to_witness(1, bytes(tap.output_pubkey), True) 1798 if len(tap.leaves): 1799 control_blocks = expected.setdefault("scriptPathControlBlocks", [None] * len(tap.leaves)) 1800 for leaf in tap.leaves: 1801 ctx = {**DEFAULT_CONTEXT, 'tap': tap, 'leaf': leaf} 1802 control_blocks[int(leaf)] = get(ctx, "controlblock").hex() 1803 spk_tests.append(test_case) 1804 1805 # Construct a deterministic transaction spending all outputs created above. 1806 tx = CTransaction() 1807 tx.version = 2 1808 tx.vin = [] 1809 inputs = [] 1810 input_spks = [tap_spks[0], tap_spks[1], old_spks[0], tap_spks[2], tap_spks[5], old_spks[2], tap_spks[6], tap_spks[3], tap_spks[4]] 1811 sequences = [0, SEQUENCE_FINAL, SEQUENCE_FINAL, 0xfffffffe, 0xfffffffe, 0, 0, SEQUENCE_FINAL, SEQUENCE_FINAL] 1812 hashtypes = [SIGHASH_SINGLE, SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, SIGHASH_ALL, SIGHASH_ALL, SIGHASH_DEFAULT, SIGHASH_ALL, SIGHASH_NONE, SIGHASH_NONE|SIGHASH_ANYONECANPAY, SIGHASH_ALL|SIGHASH_ANYONECANPAY] 1813 for i, spk in enumerate(input_spks): 1814 tx.vin.append(CTxIn(spend_info[spk]['prevout'], CScript(), sequences[i])) 1815 inputs.append(spend_info[spk]['utxo']) 1816 tx.vout.append(CTxOut(1000000000, old_spks[1])) 1817 tx.vout.append(CTxOut(3410000000, pubs[98])) 1818 tx.nLockTime = 500000000 1819 precomputed = { 1820 "hashAmounts": BIP341_sha_amounts(inputs), 1821 "hashPrevouts": BIP341_sha_prevouts(tx), 1822 "hashScriptPubkeys": BIP341_sha_scriptpubkeys(inputs), 1823 "hashSequences": BIP341_sha_sequences(tx), 1824 "hashOutputs": BIP341_sha_outputs(tx) 1825 } 1826 keypath_tests = tests.setdefault("keyPathSpending", []) 1827 tx_test = {} 1828 global_given = tx_test.setdefault("given", {}) 1829 global_given['rawUnsignedTx'] = tx.serialize().hex() 1830 utxos_spent = global_given.setdefault("utxosSpent", []) 1831 for i in range(len(input_spks)): 1832 utxos_spent.append({"scriptPubKey": inputs[i].scriptPubKey.hex(), "amountSats": inputs[i].nValue}) 1833 global_intermediary = tx_test.setdefault("intermediary", {}) 1834 for key in sorted(precomputed.keys()): 1835 global_intermediary[key] = precomputed[key].hex() 1836 test_list = tx_test.setdefault('inputSpending', []) 1837 for i in range(len(input_spks)): 1838 ctx = { 1839 **DEFAULT_CONTEXT, 1840 **spend_info[input_spks[i]], 1841 'tx': tx, 1842 'utxos': inputs, 1843 'idx': i, 1844 'hashtype': hashtypes[i], 1845 'deterministic': True 1846 } 1847 if ctx['mode'] == 'taproot': 1848 test_case = {} 1849 given = test_case.setdefault("given", {}) 1850 given['txinIndex'] = i 1851 given['internalPrivkey'] = get(ctx, 'key').hex() 1852 if get(ctx, "tap").merkle_root != bytes(): 1853 given['merkleRoot'] = get(ctx, "tap").merkle_root.hex() 1854 else: 1855 given['merkleRoot'] = None 1856 given['hashType'] = get(ctx, "hashtype") 1857 intermediary = test_case.setdefault("intermediary", {}) 1858 intermediary['internalPubkey'] = get(ctx, "tap").internal_pubkey.hex() 1859 intermediary['tweak'] = get(ctx, "tap").tweak.hex() 1860 intermediary['tweakedPrivkey'] = get(ctx, "key_tweaked").hex() 1861 sigmsg = get(ctx, "sigmsg") 1862 intermediary['sigMsg'] = sigmsg.hex() 1863 intermediary['precomputedUsed'] = [key for key in sorted(precomputed.keys()) if sigmsg.count(precomputed[key])] 1864 intermediary['sigHash'] = get(ctx, "sighash").hex() 1865 expected = test_case.setdefault("expected", {}) 1866 expected['witness'] = [get(ctx, "sign").hex()] 1867 test_list.append(test_case) 1868 tx.wit.vtxinwit.append(CTxInWitness()) 1869 tx.vin[i].scriptSig = CScript(flatten(get(ctx, "scriptsig"))) 1870 tx.wit.vtxinwit[i].scriptWitness.stack = flatten(get(ctx, "witness")) 1871 aux = tx_test.setdefault("auxiliary", {}) 1872 aux['fullySignedTx'] = tx.serialize().hex() 1873 keypath_tests.append(tx_test) 1874 assert_equal(hashlib.sha256(tx.serialize()).hexdigest(), "24bab662cb55a7f3bae29b559f651674c62bcc1cd442d44715c0133939107b38") 1875 # Mine the spending transaction 1876 self.block_submit(self.nodes[0], [tx], "Spending txn", None, sigops_weight=10000, accept=True, witness=True) 1877 1878 if GEN_TEST_VECTORS: 1879 print(json.dumps(tests, indent=4, sort_keys=False)) 1880 1881 def run_test(self): 1882 self.gen_test_vectors() 1883 1884 self.log.info("Post-activation tests...") 1885 1886 # New sub-tests not checking standardness can be added to consensus_spenders 1887 # to allow for increased coverage across input types. 1888 # See sample_spenders for a minimal example 1889 consensus_spenders = sample_spenders() 1890 consensus_spenders += spenders_taproot_active() 1891 self.test_spenders(self.nodes[0], consensus_spenders, input_counts=[1, 2, 2, 2, 2, 3]) 1892 1893 # Run each test twice; once in isolation, and once combined with others. Testing in isolation 1894 # means that the standardness is verified in every test (as combined transactions are only standard 1895 # when all their inputs are standard). 1896 nonstd_spenders = spenders_taproot_nonstandard() 1897 self.test_spenders(self.nodes[0], nonstd_spenders, input_counts=[1]) 1898 self.test_spenders(self.nodes[0], nonstd_spenders, input_counts=[2, 3]) 1899 1900 1901 if __name__ == '__main__': 1902 TaprootTest(__file__).main()