feature_taproot.py
1 #!/usr/bin/env python3 2 # Copyright (c) 2019-present The Bitcoin Core developers 3 # Distributed under the MIT software license, see the accompanying 4 # file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 # Test Taproot softfork (BIPs 340-342) 6 7 from test_framework.blocktools import ( 8 COINBASE_MATURITY, 9 create_coinbase, 10 create_block, 11 add_witness_commitment, 12 MAX_BLOCK_SIGOPS_WEIGHT, 13 ) 14 from test_framework.messages import ( 15 COutPoint, 16 CTransaction, 17 CTxIn, 18 CTxInWitness, 19 CTxOut, 20 SEQUENCE_FINAL, 21 tx_from_hex, 22 TX_MAX_STANDARD_VERSION, 23 WITNESS_SCALE_FACTOR, 24 ) 25 from test_framework.script import ( 26 ANNEX_TAG, 27 BIP341_sha_amounts, 28 BIP341_sha_outputs, 29 BIP341_sha_prevouts, 30 BIP341_sha_scriptpubkeys, 31 BIP341_sha_sequences, 32 CScript, 33 CScriptNum, 34 CScriptOp, 35 hash256, 36 LEAF_VERSION_TAPSCRIPT, 37 LegacySignatureMsg, 38 LOCKTIME_THRESHOLD, 39 MAX_SCRIPT_ELEMENT_SIZE, 40 OP_0, 41 OP_1, 42 OP_2, 43 OP_3, 44 OP_4, 45 OP_5, 46 OP_6, 47 OP_7, 48 OP_8, 49 OP_9, 50 OP_10, 51 OP_11, 52 OP_12, 53 OP_16, 54 OP_2DROP, 55 OP_2DUP, 56 OP_CHECKMULTISIG, 57 OP_CHECKMULTISIGVERIFY, 58 OP_CHECKSIG, 59 OP_CHECKSIGADD, 60 OP_CHECKSIGVERIFY, 61 OP_CODESEPARATOR, 62 OP_DROP, 63 OP_DUP, 64 OP_ELSE, 65 OP_ENDIF, 66 OP_EQUAL, 67 OP_EQUALVERIFY, 68 OP_IF, 69 OP_NOP, 70 OP_NOT, 71 OP_NOTIF, 72 OP_PUSHDATA1, 73 OP_RETURN, 74 OP_SWAP, 75 OP_TUCK, 76 OP_VERIFY, 77 SIGHASH_DEFAULT, 78 SIGHASH_ALL, 79 SIGHASH_NONE, 80 SIGHASH_SINGLE, 81 SIGHASH_ANYONECANPAY, 82 SegwitV0SignatureMsg, 83 TaggedHash, 84 TaprootSignatureMsg, 85 is_op_success, 86 taproot_construct, 87 ) 88 from test_framework.script_util import ( 89 key_to_p2pk_script, 90 key_to_p2pkh_script, 91 key_to_p2wpkh_script, 92 keyhash_to_p2pkh_script, 93 script_to_p2sh_script, 94 script_to_p2wsh_script, 95 ) 96 from test_framework.test_framework import BitcoinTestFramework 97 from test_framework.util import ( 98 assert_not_equal, 99 assert_raises_rpc_error, 100 assert_equal, 101 ) 102 from test_framework.wallet_util import generate_keypair 103 from test_framework.key import ( 104 generate_privkey, 105 compute_xonly_pubkey, 106 sign_schnorr, 107 tweak_add_privkey, 108 ECKey, 109 ) 110 from test_framework.crypto import secp256k1 111 from test_framework.address import ( 112 hash160, 113 program_to_witness, 114 ) 115 from collections import OrderedDict, namedtuple 116 import json 117 import hashlib 118 import os 119 import random 120 121 # Whether or not to output generated test vectors, in JSON format. 122 GEN_TEST_VECTORS = False 123 124 # === Framework for building spending transactions. === 125 # 126 # The computation is represented as a "context" dict, whose entries store potentially-unevaluated expressions that 127 # refer to lower-level ones. By overwriting these expression, many aspects - both high and low level - of the signing 128 # process can be overridden. 129 # 130 # Specifically, a context object is a dict that maps names to compositions of: 131 # - values 132 # - lists of values 133 # - callables which, when fed the context object as argument, produce any of these 134 # 135 # The DEFAULT_CONTEXT object specifies a standard signing process, with many overridable knobs. 136 # 137 # The get(ctx, name) function can evaluate a name, and cache its result in the context. 138 # getter(name) can be used to construct a callable that evaluates name. For example: 139 # 140 # ctx1 = {**DEFAULT_CONTEXT, inputs=[getter("sign"), b'\x01']} 141 # 142 # creates a context where the script inputs are a signature plus the bytes 0x01. 143 # 144 # override(expr, name1=expr1, name2=expr2, ...) can be used to cause an expression to be evaluated in a selectively 145 # modified context. For example: 146 # 147 # ctx2 = {**DEFAULT_CONTEXT, sighash=override(default_sighash, hashtype=SIGHASH_DEFAULT)} 148 # 149 # creates a context ctx2 where the sighash is modified to use hashtype=SIGHASH_DEFAULT. This differs from 150 # 151 # ctx3 = {**DEFAULT_CONTEXT, hashtype=SIGHASH_DEFAULT} 152 # 153 # in that ctx3 will globally use hashtype=SIGHASH_DEFAULT (including in the hashtype byte appended to the signature) 154 # while ctx2 only uses the modified hashtype inside the sighash calculation. 155 156 def deep_eval(ctx, expr): 157 """Recursively replace any callables c in expr (including inside lists) with c(ctx).""" 158 while callable(expr): 159 expr = expr(ctx) 160 if isinstance(expr, list): 161 expr = [deep_eval(ctx, x) for x in expr] 162 return expr 163 164 # Data type to represent fully-evaluated expressions in a context dict (so we can avoid reevaluating them). 165 Final = namedtuple("Final", "value") 166 167 def get(ctx, name): 168 """Evaluate name in context ctx.""" 169 assert name in ctx, "Missing '%s' in context" % name 170 expr = ctx[name] 171 if not isinstance(expr, Final): 172 # Evaluate and cache the result. 173 expr = Final(deep_eval(ctx, expr)) 174 ctx[name] = expr 175 return expr.value 176 177 def getter(name, **kwargs): 178 """Return a callable that evaluates name in its passed context.""" 179 return lambda ctx: get({**ctx, **kwargs}, name) 180 181 def override(expr, **kwargs): 182 """Return a callable that evaluates expr in a modified context.""" 183 return lambda ctx: deep_eval({**ctx, **kwargs}, expr) 184 185 # === Implementations for the various default expressions in DEFAULT_CONTEXT === 186 187 def default_hashtype(ctx): 188 """Default expression for "hashtype": SIGHASH_DEFAULT for taproot, SIGHASH_ALL otherwise.""" 189 mode = get(ctx, "mode") 190 if mode == "taproot": 191 return SIGHASH_DEFAULT 192 else: 193 return SIGHASH_ALL 194 195 def default_tapleaf(ctx): 196 """Default expression for "tapleaf": looking up leaf in tap[2].""" 197 return get(ctx, "tap").leaves[get(ctx, "leaf")] 198 199 def default_script_taproot(ctx): 200 """Default expression for "script_taproot": tapleaf.script.""" 201 return get(ctx, "tapleaf").script 202 203 def default_leafversion(ctx): 204 """Default expression for "leafversion": tapleaf.version""" 205 return get(ctx, "tapleaf").version 206 207 def default_negflag(ctx): 208 """Default expression for "negflag": tap.negflag.""" 209 return get(ctx, "tap").negflag 210 211 def default_pubkey_internal(ctx): 212 """Default expression for "pubkey_internal": tap.internal_pubkey.""" 213 return get(ctx, "tap").internal_pubkey 214 215 def default_merklebranch(ctx): 216 """Default expression for "merklebranch": tapleaf.merklebranch.""" 217 return get(ctx, "tapleaf").merklebranch 218 219 def default_controlblock(ctx): 220 """Default expression for "controlblock": combine leafversion, negflag, pubkey_internal, merklebranch.""" 221 return bytes([get(ctx, "leafversion") + get(ctx, "negflag")]) + get(ctx, "pubkey_internal") + get(ctx, "merklebranch") 222 223 def default_scriptcode_suffix(ctx): 224 """Default expression for "scriptcode_suffix", the actually used portion of the scriptcode.""" 225 scriptcode = get(ctx, "scriptcode") 226 codesepnum = get(ctx, "codesepnum") 227 if codesepnum == -1: 228 return scriptcode 229 codeseps = 0 230 for (opcode, data, sop_idx) in scriptcode.raw_iter(): 231 if opcode == OP_CODESEPARATOR: 232 if codeseps == codesepnum: 233 return CScript(scriptcode[sop_idx+1:]) 234 codeseps += 1 235 assert False 236 237 def default_sigmsg(ctx): 238 """Default expression for "sigmsg": depending on mode, compute BIP341, BIP143, or legacy sigmsg.""" 239 tx = get(ctx, "tx") 240 idx = get(ctx, "idx") 241 hashtype = get(ctx, "hashtype_actual") 242 mode = get(ctx, "mode") 243 if mode == "taproot": 244 # BIP341 signature hash 245 utxos = get(ctx, "utxos") 246 annex = get(ctx, "annex") 247 if get(ctx, "leaf") is not None: 248 codeseppos = get(ctx, "codeseppos") 249 leaf_ver = get(ctx, "leafversion") 250 script = get(ctx, "script_taproot") 251 return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=True, leaf_script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex) 252 else: 253 return TaprootSignatureMsg(tx, utxos, hashtype, idx, scriptpath=False, annex=annex) 254 elif mode == "witv0": 255 # BIP143 signature hash 256 scriptcode = get(ctx, "scriptcode_suffix") 257 utxos = get(ctx, "utxos") 258 return SegwitV0SignatureMsg(scriptcode, tx, idx, hashtype, utxos[idx].nValue) 259 else: 260 # Pre-segwit signature hash 261 scriptcode = get(ctx, "scriptcode_suffix") 262 return LegacySignatureMsg(scriptcode, tx, idx, hashtype)[0] 263 264 def default_sighash(ctx): 265 """Default expression for "sighash": depending on mode, compute tagged hash or dsha256 of sigmsg.""" 266 msg = get(ctx, "sigmsg") 267 mode = get(ctx, "mode") 268 if mode == "taproot": 269 return TaggedHash("TapSighash", msg) 270 else: 271 if msg is None: 272 return (1).to_bytes(32, 'little') 273 else: 274 return hash256(msg) 275 276 def default_tweak(ctx): 277 """Default expression for "tweak": None if a leaf is specified, tap[0] otherwise.""" 278 if get(ctx, "leaf") is None: 279 return get(ctx, "tap").tweak 280 return None 281 282 def default_key_tweaked(ctx): 283 """Default expression for "key_tweaked": key if tweak is None, tweaked with it otherwise.""" 284 key = get(ctx, "key") 285 tweak = get(ctx, "tweak") 286 if tweak is None: 287 return key 288 else: 289 return tweak_add_privkey(key, tweak) 290 291 def default_signature(ctx): 292 """Default expression for "signature": BIP340 signature or ECDSA signature depending on mode.""" 293 sighash = get(ctx, "sighash") 294 deterministic = get(ctx, "deterministic") 295 if get(ctx, "mode") == "taproot": 296 key = get(ctx, "key_tweaked") 297 flip_r = get(ctx, "flag_flip_r") 298 flip_p = get(ctx, "flag_flip_p") 299 aux = bytes([0] * 32) 300 if not deterministic: 301 aux = random.getrandbits(256).to_bytes(32, 'big') 302 return sign_schnorr(key, sighash, flip_r=flip_r, flip_p=flip_p, aux=aux) 303 else: 304 key = get(ctx, "key") 305 return key.sign_ecdsa(sighash, rfc6979=deterministic) 306 307 def default_hashtype_actual(ctx): 308 """Default expression for "hashtype_actual": hashtype, unless mismatching SIGHASH_SINGLE in taproot.""" 309 hashtype = get(ctx, "hashtype") 310 mode = get(ctx, "mode") 311 if mode != "taproot": 312 return hashtype 313 idx = get(ctx, "idx") 314 tx = get(ctx, "tx") 315 if hashtype & 3 == SIGHASH_SINGLE and idx >= len(tx.vout): 316 return (hashtype & ~3) | SIGHASH_NONE 317 return hashtype 318 319 def default_bytes_hashtype(ctx): 320 """Default expression for "bytes_hashtype": bytes([hashtype_actual]) if not 0, b"" otherwise.""" 321 mode = get(ctx, "mode") 322 hashtype_actual = get(ctx, "hashtype_actual") 323 if mode != "taproot" or hashtype_actual != 0: 324 return bytes([hashtype_actual]) 325 else: 326 return bytes() 327 328 def default_sign(ctx): 329 """Default expression for "sign": concatenation of signature and bytes_hashtype.""" 330 return get(ctx, "signature") + get(ctx, "bytes_hashtype") 331 332 def default_inputs_keypath(ctx): 333 """Default expression for "inputs_keypath": a signature.""" 334 return [get(ctx, "sign")] 335 336 def default_witness_taproot(ctx): 337 """Default expression for "witness_taproot", consisting of inputs, script, control block, and annex as needed.""" 338 annex = get(ctx, "annex") 339 suffix_annex = [] 340 if annex is not None: 341 suffix_annex = [annex] 342 if get(ctx, "leaf") is None: 343 return get(ctx, "inputs_keypath") + suffix_annex 344 else: 345 return get(ctx, "inputs") + [bytes(get(ctx, "script_taproot")), get(ctx, "controlblock")] + suffix_annex 346 347 def default_witness_witv0(ctx): 348 """Default expression for "witness_witv0", consisting of inputs and witness script, as needed.""" 349 script = get(ctx, "script_witv0") 350 inputs = get(ctx, "inputs") 351 if script is None: 352 return inputs 353 else: 354 return inputs + [script] 355 356 def default_witness(ctx): 357 """Default expression for "witness", delegating to "witness_taproot" or "witness_witv0" as needed.""" 358 mode = get(ctx, "mode") 359 if mode == "taproot": 360 return get(ctx, "witness_taproot") 361 elif mode == "witv0": 362 return get(ctx, "witness_witv0") 363 else: 364 return [] 365 366 def default_scriptsig(ctx): 367 """Default expression for "scriptsig", consisting of inputs and redeemscript, as needed.""" 368 scriptsig = [] 369 mode = get(ctx, "mode") 370 if mode == "legacy": 371 scriptsig = get(ctx, "inputs") 372 redeemscript = get(ctx, "script_p2sh") 373 if redeemscript is not None: 374 scriptsig += [bytes(redeemscript)] 375 return scriptsig 376 377 # The default context object. 378 DEFAULT_CONTEXT = { 379 # == The main expressions to evaluate. Only override these for unusual or invalid spends. == 380 # The overall witness stack, as a list of bytes objects. 381 "witness": default_witness, 382 # The overall scriptsig, as a list of CScript objects (to be concatenated) and bytes objects (to be pushed) 383 "scriptsig": default_scriptsig, 384 385 # == Expressions you'll generally only override for intentionally invalid spends. == 386 # The witness stack for spending a taproot output. 387 "witness_taproot": default_witness_taproot, 388 # The witness stack for spending a P2WPKH/P2WSH output. 389 "witness_witv0": default_witness_witv0, 390 # The script inputs for a taproot key path spend. 391 "inputs_keypath": default_inputs_keypath, 392 # The actual hashtype to use (usually equal to hashtype, but in taproot SIGHASH_SINGLE is not always allowed). 393 "hashtype_actual": default_hashtype_actual, 394 # The bytes object for a full signature (including hashtype byte, if needed). 395 "bytes_hashtype": default_bytes_hashtype, 396 # A full script signature (bytes including hashtype, if needed) 397 "sign": default_sign, 398 # An ECDSA or Schnorr signature (excluding hashtype byte). 399 "signature": default_signature, 400 # The 32-byte tweaked key (equal to key for script path spends, or key+tweak for key path spends). 401 "key_tweaked": default_key_tweaked, 402 # The tweak to use (None for script path spends, the actual tweak for key path spends). 403 "tweak": default_tweak, 404 # The part of the scriptcode after the last executed OP_CODESEPARATOR. 405 "scriptcode_suffix": default_scriptcode_suffix, 406 # The sigmsg value (preimage of sighash) 407 "sigmsg": default_sigmsg, 408 # The sighash value (32 bytes) 409 "sighash": default_sighash, 410 # The information about the chosen script path spend (TaprootLeafInfo object). 411 "tapleaf": default_tapleaf, 412 # The script to push, and include in the sighash, for a taproot script path spend. 413 "script_taproot": default_script_taproot, 414 # The internal pubkey for a taproot script path spend (32 bytes). 415 "pubkey_internal": default_pubkey_internal, 416 # The negation flag of the internal pubkey for a taproot script path spend. 417 "negflag": default_negflag, 418 # The leaf version to include in the sighash (this does not affect the one in the control block). 419 "leafversion": default_leafversion, 420 # The Merkle path to include in the control block for a script path spend. 421 "merklebranch": default_merklebranch, 422 # The control block to push for a taproot script path spend. 423 "controlblock": default_controlblock, 424 # Whether to produce signatures with invalid P sign (Schnorr signatures only). 425 "flag_flip_p": False, 426 # Whether to produce signatures with invalid R sign (Schnorr signatures only). 427 "flag_flip_r": False, 428 429 # == Parameters that can be changed without invalidating, but do have a default: == 430 # The hashtype (as an integer). 431 "hashtype": default_hashtype, 432 # The annex (only when mode=="taproot"). 433 "annex": None, 434 # The codeseparator position (only when mode=="taproot"). 435 "codeseppos": 0xffffffff, 436 # Which OP_CODESEPARATOR is the last executed one in the script (in legacy/P2SH/P2WSH). 437 "codesepnum": -1, 438 # The redeemscript to add to the scriptSig (if P2SH; None implies not P2SH). 439 "script_p2sh": None, 440 # The script to add to the witness in (if P2WSH; None implies P2WPKH) 441 "script_witv0": None, 442 # The leaf to use in taproot spends (if script path spend; None implies key path spend). 443 "leaf": None, 444 # The input arguments to provide to the executed script 445 "inputs": [], 446 # Use deterministic signing nonces 447 "deterministic": False, 448 449 # == Parameters to be set before evaluation: == 450 # - mode: what spending style to use ("taproot", "witv0", or "legacy"). 451 # - key: the (untweaked) private key to sign with (ECKey object for ECDSA, 32 bytes for Schnorr). 452 # - tap: the TaprootInfo object (see taproot_construct; needed in mode=="taproot"). 453 # - tx: the transaction to sign. 454 # - utxos: the UTXOs being spent (needed in mode=="witv0" and mode=="taproot"). 455 # - idx: the input position being signed. 456 # - scriptcode: the scriptcode to include in legacy and witv0 sighashes. 457 } 458 459 def flatten(lst): 460 ret = [] 461 for elem in lst: 462 if isinstance(elem, list): 463 ret += flatten(elem) 464 else: 465 ret.append(elem) 466 return ret 467 468 469 def spend(tx, idx, utxos, **kwargs): 470 """Sign transaction input idx of tx, provided utxos is the list of outputs being spent. 471 472 Additional arguments may be provided that override any aspect of the signing process. 473 See DEFAULT_CONTEXT above for what can be overridden, and what must be provided. 474 """ 475 476 ctx = {**DEFAULT_CONTEXT, "tx":tx, "idx":idx, "utxos":utxos, **kwargs} 477 478 def to_script(elem): 479 """If fed a CScript, return it; if fed bytes, return a CScript that pushes it.""" 480 if isinstance(elem, CScript): 481 return elem 482 else: 483 return CScript([elem]) 484 485 scriptsig_list = flatten(get(ctx, "scriptsig")) 486 scriptsig = CScript(b"".join(bytes(to_script(elem)) for elem in scriptsig_list)) 487 witness_stack = flatten(get(ctx, "witness")) 488 return (scriptsig, witness_stack) 489 490 491 # === Spender objects === 492 # 493 # Each spender is a tuple of: 494 # - A scriptPubKey which is to be spent from (CScript) 495 # - A comment describing the test (string) 496 # - Whether the spending (on itself) is expected to be standard (bool) 497 # - A tx-signing lambda returning (scriptsig, witness_stack), taking as inputs: 498 # - A transaction to sign (CTransaction) 499 # - An input position (int) 500 # - The spent UTXOs by this transaction (list of CTxOut) 501 # - Whether to produce a valid spend (bool) 502 # - A string with an expected error message for failure case if known 503 # - The (pre-taproot) sigops weight consumed by a successful spend 504 # - Whether this spend cannot fail 505 # - Whether this test demands being placed in a txin with no corresponding txout (for testing SIGHASH_SINGLE behavior) 506 507 Spender = namedtuple("Spender", "script,comment,is_standard,sat_function,err_msg,sigops_weight,no_fail,need_vin_vout_mismatch") 508 509 510 def make_spender(comment, *, tap=None, witv0=False, script=None, pkh=None, p2sh=False, spk_mutate_pre_p2sh=None, failure=None, standard=True, err_msg=None, sigops_weight=0, need_vin_vout_mismatch=False, **kwargs): 511 """Helper for constructing Spender objects using the context signing framework. 512 513 * tap: a TaprootInfo object (see taproot_construct), for Taproot spends (cannot be combined with pkh, witv0, or script) 514 * witv0: boolean indicating the use of witness v0 spending (needs one of script or pkh) 515 * script: the actual script executed (for bare/P2WSH/P2SH spending) 516 * pkh: the public key for P2PKH or P2WPKH spending 517 * p2sh: whether the output is P2SH wrapper (this is supported even for Taproot, where it makes the output unencumbered) 518 * spk_mutate_pre_psh: a callable to be applied to the script (before potentially P2SH-wrapping it) 519 * failure: a dict of entries to override in the context when intentionally failing to spend (if None, no_fail will be set) 520 * standard: whether the (valid version of) spending is expected to be standard 521 * err_msg: a string with an expected error message for failure (or None, if not cared about) 522 * sigops_weight: the pre-taproot sigops weight consumed by a successful spend 523 * need_vin_vout_mismatch: whether this test requires being tested in a transaction input that has no corresponding 524 transaction output. 525 """ 526 527 conf = dict() 528 529 # Compute scriptPubKey and set useful defaults based on the inputs. 530 if witv0: 531 assert tap is None 532 conf["mode"] = "witv0" 533 if pkh is not None: 534 # P2WPKH 535 assert script is None 536 pubkeyhash = hash160(pkh) 537 spk = key_to_p2wpkh_script(pkh) 538 conf["scriptcode"] = keyhash_to_p2pkh_script(pubkeyhash) 539 conf["script_witv0"] = None 540 conf["inputs"] = [getter("sign"), pkh] 541 elif script is not None: 542 # P2WSH 543 spk = script_to_p2wsh_script(script) 544 conf["scriptcode"] = script 545 conf["script_witv0"] = script 546 else: 547 assert False 548 elif tap is None: 549 conf["mode"] = "legacy" 550 if pkh is not None: 551 # P2PKH 552 assert script is None 553 pubkeyhash = hash160(pkh) 554 spk = keyhash_to_p2pkh_script(pubkeyhash) 555 conf["scriptcode"] = spk 556 conf["inputs"] = [getter("sign"), pkh] 557 elif script is not None: 558 # bare 559 spk = script 560 conf["scriptcode"] = script 561 else: 562 assert False 563 else: 564 assert script is None 565 conf["mode"] = "taproot" 566 conf["tap"] = tap 567 spk = tap.scriptPubKey 568 569 if spk_mutate_pre_p2sh is not None: 570 spk = spk_mutate_pre_p2sh(spk) 571 572 if p2sh: 573 # P2SH wrapper can be combined with anything else 574 conf["script_p2sh"] = spk 575 spk = script_to_p2sh_script(spk) 576 577 conf = {**conf, **kwargs} 578 579 def sat_fn(tx, idx, utxos, valid): 580 if valid: 581 return spend(tx, idx, utxos, **conf) 582 else: 583 assert failure is not None 584 return spend(tx, idx, utxos, **{**conf, **failure}) 585 586 return Spender(script=spk, comment=comment, is_standard=standard, sat_function=sat_fn, err_msg=err_msg, sigops_weight=sigops_weight, no_fail=failure is None, need_vin_vout_mismatch=need_vin_vout_mismatch) 587 588 def add_spender(spenders, *args, **kwargs): 589 """Make a spender using make_spender, and add it to spenders.""" 590 spenders.append(make_spender(*args, **kwargs)) 591 592 # === Helpers for the test === 593 594 def random_checksig_style(pubkey): 595 """Creates a random CHECKSIG* tapscript that would succeed with only the valid signature on witness stack.""" 596 opcode = random.choice([OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKSIGADD]) 597 if opcode == OP_CHECKSIGVERIFY: 598 ret = CScript([pubkey, opcode, OP_1]) 599 elif opcode == OP_CHECKSIGADD: 600 num = random.choice([0, 0x7fffffff, -0x7fffffff]) 601 ret = CScript([num, pubkey, opcode, num + 1, OP_EQUAL]) 602 else: 603 ret = CScript([pubkey, opcode]) 604 return bytes(ret) 605 606 def bitflipper(expr): 607 """Return a callable that evaluates expr and returns it with a random bitflip.""" 608 def fn(ctx): 609 sub = deep_eval(ctx, expr) 610 assert isinstance(sub, bytes) 611 return (int.from_bytes(sub, 'little') ^ (1 << random.randrange(len(sub) * 8))).to_bytes(len(sub), 'little') 612 return fn 613 614 def zero_appender(expr): 615 """Return a callable that evaluates expr and returns it with a zero added.""" 616 return lambda ctx: deep_eval(ctx, expr) + b"\x00" 617 618 def byte_popper(expr): 619 """Return a callable that evaluates expr and returns it with its last byte removed.""" 620 return lambda ctx: deep_eval(ctx, expr)[:-1] 621 622 # Expected error strings 623 624 ERR_SCHNORR_SIG_SIZE = {"err_msg": "Invalid Schnorr signature size"} 625 ERR_SCHNORR_SIG_HASHTYPE = {"err_msg": "Invalid Schnorr signature hash type"} 626 ERR_SCHNORR_SIG = {"err_msg": "Invalid Schnorr signature"} 627 ERR_OP_RETURN = {"err_msg": "OP_RETURN was encountered"} 628 ERR_TAPROOT_WRONG_CONTROL_SIZE = {"err_msg": "Invalid Taproot control block size"} 629 ERR_WITNESS_PROGRAM_MISMATCH = {"err_msg": "Witness program hash mismatch"} 630 ERR_PUSH_SIZE = {"err_msg": "Push value size limit exceeded"} 631 ERR_DISABLED_OPCODE = {"err_msg": "Attempted to use a disabled opcode"} 632 ERR_TAPSCRIPT_CHECKMULTISIG = {"err_msg": "OP_CHECKMULTISIG(VERIFY) is not available in tapscript"} 633 ERR_TAPSCRIPT_MINIMALIF = {"err_msg": "OP_IF/NOTIF argument must be minimal in tapscript"} 634 ERR_PUBKEYTYPE = {"err_msg": "Public key is neither compressed or uncompressed"} 635 ERR_STACK_SIZE = {"err_msg": "Stack size limit exceeded"} 636 ERR_CLEANSTACK = {"err_msg": "Stack size must be exactly one after execution"} 637 ERR_INVALID_STACK_OPERATION = {"err_msg": "Operation not valid with the current stack size"} 638 ERR_TAPSCRIPT_VALIDATION_WEIGHT = {"err_msg": "Too much signature validation relative to witness weight"} 639 ERR_BAD_OPCODE = {"err_msg": "Opcode missing or not understood"} 640 ERR_EVAL_FALSE = {"err_msg": "Script evaluated without error but finished with a false/empty top stack element"} 641 ERR_WITNESS_PROGRAM_WITNESS_EMPTY = {"err_msg": "Witness program was passed an empty witness"} 642 ERR_CHECKSIGVERIFY = {"err_msg": "Script failed an OP_CHECKSIGVERIFY operation"} 643 644 VALID_SIGHASHES_ECDSA = [ 645 SIGHASH_ALL, 646 SIGHASH_NONE, 647 SIGHASH_SINGLE, 648 SIGHASH_ANYONECANPAY + SIGHASH_ALL, 649 SIGHASH_ANYONECANPAY + SIGHASH_NONE, 650 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 651 ] 652 653 VALID_SIGHASHES_TAPROOT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA 654 655 VALID_SIGHASHES_TAPROOT_SINGLE = [ 656 SIGHASH_SINGLE, 657 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 658 ] 659 660 VALID_SIGHASHES_TAPROOT_NO_SINGLE = [h for h in VALID_SIGHASHES_TAPROOT if h not in VALID_SIGHASHES_TAPROOT_SINGLE] 661 662 SIGHASH_BITFLIP = {"failure": {"sighash": bitflipper(default_sighash)}} 663 SIG_POP_BYTE = {"failure": {"sign": byte_popper(default_sign)}} 664 SINGLE_SIG = {"inputs": [getter("sign")]} 665 SIG_ADD_ZERO = {"failure": {"sign": zero_appender(default_sign)}} 666 667 DUST_LIMIT = 600 668 MIN_FEE = 50000 669 670 TX_STANDARD_VERSIONS = [1, 2, TX_MAX_STANDARD_VERSION] 671 TRUC_MAX_VSIZE = 10000 # test doesn't cover in-mempool spends, so only this limit is hit 672 673 # === Actual test cases === 674 675 676 def spenders_taproot_active(): 677 """Return a list of Spenders for testing post-Taproot activation behavior.""" 678 679 secs = [generate_privkey() for _ in range(8)] 680 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 681 682 spenders = [] 683 684 # == Tests for BIP340 signature validation. == 685 # These are primarily tested through the test vectors implemented in libsecp256k1, and in src/tests/key_tests.cpp. 686 # Some things are tested programmatically as well here. 687 688 tap = taproot_construct(pubs[0]) 689 # Test with key with bit flipped. 690 add_spender(spenders, "sig/key", tap=tap, key=secs[0], failure={"key_tweaked": bitflipper(default_key_tweaked)}, **ERR_SCHNORR_SIG) 691 # Test with sighash with bit flipped. 692 add_spender(spenders, "sig/sighash", tap=tap, key=secs[0], failure={"sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 693 # Test with invalid R sign. 694 add_spender(spenders, "sig/flip_r", tap=tap, key=secs[0], failure={"flag_flip_r": True}, **ERR_SCHNORR_SIG) 695 # Test with invalid P sign. 696 add_spender(spenders, "sig/flip_p", tap=tap, key=secs[0], failure={"flag_flip_p": True}, **ERR_SCHNORR_SIG) 697 # Test with signature with bit flipped. 698 add_spender(spenders, "sig/bitflip", tap=tap, key=secs[0], failure={"signature": bitflipper(default_signature)}, **ERR_SCHNORR_SIG) 699 700 # == Test involving an internal public key not on the curve == 701 702 # X-only public keys are 32 bytes, but not every 32-byte array is a valid public key; only 703 # around 50% of them are. This does not affect users using correct software; these "keys" have 704 # no corresponding private key, and thus will never appear as output of key 705 # generation/derivation/tweaking. 706 # 707 # Using an invalid public key as P2TR output key makes the UTXO unspendable. Revealing an 708 # invalid public key as internal key in a P2TR script path spend also makes the spend invalid. 709 # These conditions are explicitly spelled out in BIP341. 710 # 711 # It is however hard to create test vectors for this, because it involves "guessing" how a 712 # hypothetical incorrect implementation deals with an obviously-invalid condition, and making 713 # sure that guessed behavior (accepting it in certain condition) doesn't occur. 714 # 715 # The test case added here tries to detect a very specific bug a verifier could have: if they 716 # don't verify whether or not a revealed internal public key in a script path spend is valid, 717 # and (correctly) implement output_key == tweak(internal_key, tweakval) but (incorrectly) treat 718 # tweak(invalid_key, tweakval) as equal the public key corresponding to private key tweakval. 719 # This may seem like a far-fetched edge condition to test for, but in fact, the BIP341 wallet 720 # pseudocode did exactly that (but obviously only triggerable by someone invoking the tweaking 721 # function with an invalid public key, which shouldn't happen). 722 723 # Generate an invalid public key 724 while True: 725 invalid_pub = random.randbytes(32) 726 if not secp256k1.GE.is_valid_x(int.from_bytes(invalid_pub, 'big')): 727 break 728 729 # Implement a test case that detects validation logic which maps invalid public keys to the 730 # point at infinity in the tweaking logic. 731 tap = taproot_construct(invalid_pub, [("true", CScript([OP_1]))], treat_internal_as_infinity=True) 732 add_spender(spenders, "output/invalid_x", tap=tap, key_tweaked=tap.tweak, failure={"leaf": "true", "inputs": []}, **ERR_WITNESS_PROGRAM_MISMATCH) 733 734 # Do the same thing without invalid point, to make sure there is no mistake in the test logic. 735 tap = taproot_construct(pubs[0], [("true", CScript([OP_1]))]) 736 add_spender(spenders, "output/invalid_x_mock", tap=tap, key=secs[0], leaf="true", inputs=[]) 737 738 # == Tests for signature hashing == 739 740 # Run all tests once with no annex, and once with a valid random annex. 741 for annex in [None, lambda _: bytes([ANNEX_TAG]) + random.randbytes(random.randrange(0, 250))]: 742 # Non-empty annex is non-standard 743 no_annex = annex is None 744 745 # Sighash mutation tests (test all sighash combinations) 746 for hashtype in VALID_SIGHASHES_TAPROOT: 747 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 748 749 # Pure pubkey 750 tap = taproot_construct(pubs[0]) 751 add_spender(spenders, "sighash/purepk", tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 752 753 # Pubkey/P2PK script combination 754 scripts = [("s0", CScript(random_checksig_style(pubs[1])))] 755 tap = taproot_construct(pubs[0], scripts) 756 add_spender(spenders, "sighash/keypath_hashtype_%x" % hashtype, tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 757 add_spender(spenders, "sighash/scriptpath_hashtype_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 758 759 # Test SIGHASH_SINGLE behavior in combination with mismatching outputs 760 if hashtype in VALID_SIGHASHES_TAPROOT_SINGLE: 761 add_spender(spenders, "sighash/keypath_hashtype_mis_%x" % hashtype, tap=tap, key=secs[0], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), failure={"hashtype_actual": hashtype}, **ERR_SCHNORR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 762 add_spender(spenders, "sighash/scriptpath_hashtype_mis_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), **SINGLE_SIG, failure={"hashtype_actual": hashtype}, **ERR_SCHNORR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 763 764 # Test OP_CODESEPARATOR impact on sighashing. 765 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 766 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 767 scripts = [ 768 ("pk_codesep", CScript(random_checksig_style(pubs[1]) + bytes([OP_CODESEPARATOR]))), # codesep after checksig 769 ("codesep_pk", CScript(bytes([OP_CODESEPARATOR]) + random_checksig_style(pubs[1]))), # codesep before checksig 770 ("branched_codesep", CScript([random.randbytes(random.randrange(2, 511)), OP_DROP, OP_IF, OP_CODESEPARATOR, pubs[0], OP_ELSE, OP_CODESEPARATOR, pubs[1], OP_ENDIF, OP_CHECKSIG])), # branch dependent codesep 771 # Note that the first data push in the "branched_codesep" script has the purpose of 772 # randomizing the sighash, both by varying script size and content. In order to 773 # avoid MINIMALDATA script verification errors caused by not-minimal-encoded data 774 # pushes (e.g. `OP_PUSH1 1` instead of `OP_1`), we set a minimum data size of 2 bytes. 775 ] 776 random.shuffle(scripts) 777 tap = taproot_construct(pubs[0], scripts) 778 add_spender(spenders, "sighash/pk_codesep", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 779 add_spender(spenders, "sighash/codesep_pk", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 780 add_spender(spenders, "sighash/branched_codesep/left", tap=tap, leaf="branched_codesep", key=secs[0], codeseppos=3, **common, inputs=[getter("sign"), b'\x01'], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 781 add_spender(spenders, "sighash/branched_codesep/right", tap=tap, leaf="branched_codesep", key=secs[1], codeseppos=6, **common, inputs=[getter("sign"), b''], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 782 add_spender(spenders, "sighash/codesep_pk_wrongpos1", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, failure={"codeseppos": 1}, **ERR_SCHNORR_SIG) 783 add_spender(spenders, "sighash/codesep_pk_wrongpos2", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, failure={"codeseppos": 0xfffffffe}, **ERR_SCHNORR_SIG) 784 785 # Reusing the scripts above, test that various features affect the sighash. 786 add_spender(spenders, "sighash/annex", tap=tap, leaf="pk_codesep", key=secs[1], hashtype=hashtype, standard=False, **SINGLE_SIG, annex=bytes([ANNEX_TAG]), failure={"sighash": override(default_sighash, annex=None)}, **ERR_SCHNORR_SIG) 787 add_spender(spenders, "sighash/script", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, script_taproot=tap.leaves["codesep_pk"].script)}, **ERR_SCHNORR_SIG) 788 add_spender(spenders, "sighash/leafver", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leafversion=random.choice([x & 0xFE for x in range(0x100) if x & 0xFE != LEAF_VERSION_TAPSCRIPT]))}, **ERR_SCHNORR_SIG) 789 add_spender(spenders, "sighash/scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leaf=None)}, **ERR_SCHNORR_SIG) 790 add_spender(spenders, "sighash/keypath", tap=tap, key=secs[0], **common, failure={"sighash": override(default_sighash, leaf="pk_codesep")}, **ERR_SCHNORR_SIG) 791 792 # Test that invalid hashtypes don't work, both in key path and script path spends 793 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 794 for invalid_hashtype in [x for x in range(0x100) if x not in VALID_SIGHASHES_TAPROOT]: 795 add_spender(spenders, "sighash/keypath_unk_hashtype_%x" % invalid_hashtype, tap=tap, key=secs[0], hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SCHNORR_SIG_HASHTYPE) 796 add_spender(spenders, "sighash/scriptpath_unk_hashtype_%x" % invalid_hashtype, tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SCHNORR_SIG_HASHTYPE) 797 798 # Test that hashtype 0 cannot have a hashtype byte, and 1 must have one. 799 add_spender(spenders, "sighash/hashtype0_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SCHNORR_SIG_HASHTYPE) 800 add_spender(spenders, "sighash/hashtype0_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SCHNORR_SIG_HASHTYPE) 801 add_spender(spenders, "sighash/hashtype1_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 802 add_spender(spenders, "sighash/hashtype1_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 803 # Test that hashtype 0 and hashtype 1 cannot be transmuted into each other. 804 add_spender(spenders, "sighash/hashtype0to1_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SCHNORR_SIG) 805 add_spender(spenders, "sighash/hashtype0to1_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SCHNORR_SIG) 806 add_spender(spenders, "sighash/hashtype1to0_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 807 add_spender(spenders, "sighash/hashtype1to0_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SCHNORR_SIG) 808 809 # Test aspects of signatures with unusual lengths 810 for hashtype in [SIGHASH_DEFAULT, random.choice(VALID_SIGHASHES_TAPROOT)]: 811 scripts = [ 812 ("csv", CScript([pubs[2], OP_CHECKSIGVERIFY, OP_1])), 813 ("cs_pos", CScript([pubs[2], OP_CHECKSIG])), 814 ("csa_pos", CScript([OP_0, pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 815 ("cs_neg", CScript([pubs[2], OP_CHECKSIG, OP_NOT])), 816 ("csa_neg", CScript([OP_2, pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL])) 817 ] 818 random.shuffle(scripts) 819 tap = taproot_construct(pubs[3], scripts) 820 # Empty signatures 821 add_spender(spenders, "siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SCHNORR_SIG_SIZE) 822 add_spender(spenders, "siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY) 823 add_spender(spenders, "siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_EVAL_FALSE) 824 add_spender(spenders, "siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_EVAL_FALSE) 825 add_spender(spenders, "siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(1, 63))}, **ERR_SCHNORR_SIG_SIZE) 826 add_spender(spenders, "siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random.randbytes(random.randrange(66, 100))}, **ERR_SCHNORR_SIG_SIZE) 827 # Appending a zero byte to signatures invalidates them 828 add_spender(spenders, "siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 829 add_spender(spenders, "siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 830 add_spender(spenders, "siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 831 add_spender(spenders, "siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 832 add_spender(spenders, "siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 833 add_spender(spenders, "siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SCHNORR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG_SIZE)) 834 # Removing the last byte from signatures invalidates them 835 add_spender(spenders, "siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 836 add_spender(spenders, "siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 837 add_spender(spenders, "siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 838 add_spender(spenders, "siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 839 add_spender(spenders, "siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 840 add_spender(spenders, "siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SCHNORR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SCHNORR_SIG)) 841 # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail. 842 add_spender(spenders, "siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 843 add_spender(spenders, "siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SCHNORR_SIG) 844 845 # == Test that BIP341 spending only applies to witness version 1, program length 32, no P2SH == 846 847 for p2sh in [False, True]: 848 for witver in range(1, 17): 849 for witlen in [20, 31, 32, 33]: 850 def mutate(spk): 851 prog = spk[2:] 852 assert len(prog) == 32 853 if witlen < 32: 854 prog = prog[0:witlen] 855 elif witlen > 32: 856 prog += bytes([0 for _ in range(witlen - 32)]) 857 return CScript([CScriptOp.encode_op_n(witver), prog]) 858 scripts = [("s0", CScript([pubs[0], OP_CHECKSIG])), ("dummy", CScript([OP_RETURN]))] 859 tap = taproot_construct(pubs[1], scripts) 860 if not p2sh and witver == 1 and witlen == 32: 861 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], **SIGHASH_BITFLIP, **ERR_SCHNORR_SIG) 862 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, failure={"leaf": "dummy"}, **ERR_OP_RETURN) 863 else: 864 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], standard=False) 865 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, standard=False) 866 867 # == Test various aspects of BIP341 spending paths == 868 869 # A set of functions that compute the hashing partner in a Merkle tree, designed to exercise 870 # edge cases. This relies on the taproot_construct feature that a lambda can be passed in 871 # instead of a subtree, to compute the partner to be hashed with. 872 PARTNER_MERKLE_FN = [ 873 # Combine with itself 874 lambda h: h, 875 # Combine with hash 0 876 lambda h: bytes([0 for _ in range(32)]), 877 # Combine with hash 2^256-1 878 lambda h: bytes([0xff for _ in range(32)]), 879 # Combine with itself-1 (BE) 880 lambda h: (int.from_bytes(h, 'big') - 1).to_bytes(32, 'big'), 881 # Combine with itself+1 (BE) 882 lambda h: (int.from_bytes(h, 'big') + 1).to_bytes(32, 'big'), 883 # Combine with itself-1 (LE) 884 lambda h: (int.from_bytes(h, 'little') - 1).to_bytes(32, 'big'), 885 # Combine with itself+1 (LE) 886 lambda h: (int.from_bytes(h, 'little') + 1).to_bytes(32, 'little'), 887 # Combine with random bitflipped version of self. 888 lambda h: (int.from_bytes(h, 'little') ^ (1 << random.randrange(256))).to_bytes(32, 'little') 889 ] 890 # Start with a tree of that has depth 1 for "128deep" and depth 2 for "129deep". 891 scripts = [("128deep", CScript([pubs[0], OP_CHECKSIG])), [("129deep", CScript([pubs[0], OP_CHECKSIG])), random.choice(PARTNER_MERKLE_FN)]] 892 # Add 127 nodes on top of that tree, so that "128deep" and "129deep" end up at their designated depths. 893 for _ in range(127): 894 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 895 tap = taproot_construct(pubs[0], scripts) 896 # Test that spends with a depth of 128 work, but 129 doesn't (even with a tree with weird Merkle branches in it). 897 add_spender(spenders, "spendpath/merklelimit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"leaf": "129deep"}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 898 # Test that flipping the negation bit invalidates spends. 899 add_spender(spenders, "spendpath/negflag", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"negflag": lambda ctx: 1 - default_negflag(ctx)}, **ERR_WITNESS_PROGRAM_MISMATCH) 900 # Test that bitflips in the Merkle branch invalidate it. 901 add_spender(spenders, "spendpath/bitflipmerkle", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"merklebranch": bitflipper(default_merklebranch)}, **ERR_WITNESS_PROGRAM_MISMATCH) 902 # Test that bitflips in the internal pubkey invalidate it. 903 add_spender(spenders, "spendpath/bitflippubkey", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"pubkey_internal": bitflipper(default_pubkey_internal)}, **ERR_WITNESS_PROGRAM_MISMATCH) 904 # Test that empty witnesses are invalid. 905 add_spender(spenders, "spendpath/emptywit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"witness": []}, **ERR_WITNESS_PROGRAM_WITNESS_EMPTY) 906 # Test that adding garbage to the control block invalidates it. 907 add_spender(spenders, "spendpath/padlongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random.randbytes(random.randrange(1, 32))}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 908 # Test that truncating the control block invalidates it. 909 add_spender(spenders, "spendpath/trunclongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 910 911 scripts = [("s", CScript([pubs[0], OP_CHECKSIG]))] 912 tap = taproot_construct(pubs[1], scripts) 913 # Test that adding garbage to the control block invalidates it. 914 add_spender(spenders, "spendpath/padshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random.randbytes(random.randrange(1, 32))}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 915 # Test that truncating the control block invalidates it. 916 add_spender(spenders, "spendpath/truncshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 917 # Test that truncating the control block to 1 byte ("-1 Merkle length") invalidates it 918 add_spender(spenders, "spendpath/trunc1shortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:1]}, **ERR_TAPROOT_WRONG_CONTROL_SIZE) 919 920 # == Test BIP342 edge cases == 921 922 csa_low_val = random.randrange(0, 17) # Within range for OP_n 923 csa_low_result = csa_low_val + 1 924 925 csa_high_val = random.randrange(17, 100) if random.getrandbits(1) else random.randrange(-100, -1) # Outside OP_n range 926 csa_high_result = csa_high_val + 1 927 928 OVERSIZE_NUMBER = 2**31 929 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER))), 6) 930 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER-1))), 5) 931 932 big_choices = [] 933 big_scriptops = [] 934 for i in range(1000): 935 r = random.randrange(len(pubs)) 936 big_choices.append(r) 937 big_scriptops += [pubs[r], OP_CHECKSIGVERIFY] 938 939 940 def big_spend_inputs(ctx): 941 """Helper function to construct the script input for t33/t34 below.""" 942 # Instead of signing 999 times, precompute signatures for every (key, hashtype) combination 943 sigs = {} 944 for ht in VALID_SIGHASHES_TAPROOT: 945 for k in range(len(pubs)): 946 sigs[(k, ht)] = override(default_sign, hashtype=ht, key=secs[k])(ctx) 947 num = get(ctx, "num") 948 return [sigs[(big_choices[i], random.choice(VALID_SIGHASHES_TAPROOT))] for i in range(num - 1, -1, -1)] 949 950 # Various BIP342 features 951 scripts = [ 952 # 0) drop stack element and OP_CHECKSIG 953 ("t0", CScript([OP_DROP, pubs[1], OP_CHECKSIG])), 954 # 1) normal OP_CHECKSIG 955 ("t1", CScript([pubs[1], OP_CHECKSIG])), 956 # 2) normal OP_CHECKSIGVERIFY 957 ("t2", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1])), 958 # 3) Hypothetical OP_CHECKMULTISIG script that takes a single sig as input 959 ("t3", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIG])), 960 # 4) Hypothetical OP_CHECKMULTISIGVERIFY script that takes a single sig as input 961 ("t4", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIGVERIFY, OP_1])), 962 # 5) OP_IF script that needs a true input 963 ("t5", CScript([OP_IF, pubs[1], OP_CHECKSIG, OP_ELSE, OP_RETURN, OP_ENDIF])), 964 # 6) OP_NOTIF script that needs a true input 965 ("t6", CScript([OP_NOTIF, OP_RETURN, OP_ELSE, pubs[1], OP_CHECKSIG, OP_ENDIF])), 966 # 7) OP_CHECKSIG with an empty key 967 ("t7", CScript([OP_0, OP_CHECKSIG])), 968 # 8) OP_CHECKSIGVERIFY with an empty key 969 ("t8", CScript([OP_0, OP_CHECKSIGVERIFY, OP_1])), 970 # 9) normal OP_CHECKSIGADD that also ensures return value is correct 971 ("t9", CScript([csa_low_val, pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 972 # 10) OP_CHECKSIGADD with empty key 973 ("t10", CScript([csa_low_val, OP_0, OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 974 # 11) OP_CHECKSIGADD with missing counter stack element 975 ("t11", CScript([pubs[1], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 976 # 12) OP_CHECKSIG that needs invalid signature 977 ("t12", CScript([pubs[1], OP_CHECKSIGVERIFY, pubs[0], OP_CHECKSIG, OP_NOT])), 978 # 13) OP_CHECKSIG with empty key that needs invalid signature 979 ("t13", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_CHECKSIG, OP_NOT])), 980 # 14) OP_CHECKSIGADD that needs invalid signature 981 ("t14", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, pubs[0], OP_CHECKSIGADD, OP_NOT])), 982 # 15) OP_CHECKSIGADD with empty key that needs invalid signature 983 ("t15", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGADD, OP_NOT])), 984 # 16) OP_CHECKSIG with unknown pubkey type 985 ("t16", CScript([OP_1, OP_CHECKSIG])), 986 # 17) OP_CHECKSIGADD with unknown pubkey type 987 ("t17", CScript([OP_0, OP_1, OP_CHECKSIGADD])), 988 # 18) OP_CHECKSIGVERIFY with unknown pubkey type 989 ("t18", CScript([OP_1, OP_CHECKSIGVERIFY, OP_1])), 990 # 19) script longer than 10000 bytes and over 201 non-push opcodes 991 ("t19", CScript([OP_0, OP_0, OP_2DROP] * 10001 + [pubs[1], OP_CHECKSIG])), 992 # 20) OP_CHECKSIGVERIFY with empty key 993 ("t20", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGVERIFY, OP_1])), 994 # 21) Script that grows the stack to 1000 elements 995 ("t21", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 999 + [OP_DROP] * 999)), 996 # 22) Script that grows the stack to 1001 elements 997 ("t22", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 1000 + [OP_DROP] * 1000)), 998 # 23) Script that expects an input stack of 1000 elements 999 ("t23", CScript([OP_DROP] * 999 + [pubs[1], OP_CHECKSIG])), 1000 # 24) Script that expects an input stack of 1001 elements 1001 ("t24", CScript([OP_DROP] * 1000 + [pubs[1], OP_CHECKSIG])), 1002 # 25) Script that pushes a MAX_SCRIPT_ELEMENT_SIZE-bytes element 1003 ("t25", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE), OP_DROP, pubs[1], OP_CHECKSIG])), 1004 # 26) Script that pushes a (MAX_SCRIPT_ELEMENT_SIZE+1)-bytes element 1005 ("t26", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, pubs[1], OP_CHECKSIG])), 1006 # 27) CHECKSIGADD that must fail because numeric argument number is >4 bytes 1007 ("t27", CScript([CScriptNum(OVERSIZE_NUMBER), pubs[1], OP_CHECKSIGADD])), 1008 # 28) Pushes random CScriptNum value, checks OP_CHECKSIGADD result 1009 ("t28", CScript([csa_high_val, pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 1010 # 29) CHECKSIGADD that succeeds with proper sig because numeric argument number is <=4 bytes 1011 ("t29", CScript([CScriptNum(OVERSIZE_NUMBER-1), pubs[1], OP_CHECKSIGADD])), 1012 # 30) Variant of t1 with "normal" 33-byte pubkey 1013 ("t30", CScript([b'\x03' + pubs[1], OP_CHECKSIG])), 1014 # 31) Variant of t2 with "normal" 33-byte pubkey 1015 ("t31", CScript([b'\x02' + pubs[1], OP_CHECKSIGVERIFY, OP_1])), 1016 # 32) Variant of t28 with "normal" 33-byte pubkey 1017 ("t32", CScript([csa_high_val, b'\x03' + pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 1018 # 33) 999-of-999 multisig 1019 ("t33", CScript(big_scriptops[:1998] + [OP_1])), 1020 # 34) 1000-of-1000 multisig 1021 ("t34", CScript(big_scriptops[:2000] + [OP_1])), 1022 # 35) Variant of t9 that uses a non-minimally encoded input arg 1023 ("t35", CScript([bytes([csa_low_val]), pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 1024 # 36) Empty script 1025 ("t36", CScript([])), 1026 ] 1027 # Add many dummies to test huge trees 1028 for j in range(100000): 1029 scripts.append((None, CScript([OP_RETURN, random.randrange(100000)]))) 1030 random.shuffle(scripts) 1031 tap = taproot_construct(pubs[0], scripts) 1032 common = { 1033 "hashtype": hashtype, 1034 "key": secs[1], 1035 "tap": tap, 1036 } 1037 # Test that MAX_SCRIPT_ELEMENT_SIZE byte stack element inputs are valid, but not one more (and 80 bytes is standard but 81 is not). 1038 add_spender(spenders, "tapscript/inputmaxlimit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random.randbytes(MAX_SCRIPT_ELEMENT_SIZE)], failure={"inputs": [getter("sign"), random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1)]}, **ERR_PUSH_SIZE) 1039 add_spender(spenders, "tapscript/input80limit", leaf="t0", **common, inputs=[getter("sign"), random.randbytes(80)]) 1040 add_spender(spenders, "tapscript/input81limit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random.randbytes(81)]) 1041 # Test that OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY cause failure, but OP_CHECKSIG and OP_CHECKSIGVERIFY work. 1042 add_spender(spenders, "tapscript/disabled_checkmultisig", leaf="t1", **common, **SINGLE_SIG, failure={"leaf": "t3"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 1043 add_spender(spenders, "tapscript/disabled_checkmultisigverify", leaf="t2", **common, **SINGLE_SIG, failure={"leaf": "t4"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 1044 # Test that OP_IF and OP_NOTIF do not accept non-0x01 as truth value (the MINIMALIF rule is consensus in Tapscript) 1045 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x02']}, **ERR_TAPSCRIPT_MINIMALIF) 1046 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x03']}, **ERR_TAPSCRIPT_MINIMALIF) 1047 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0001']}, **ERR_TAPSCRIPT_MINIMALIF) 1048 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0100']}, **ERR_TAPSCRIPT_MINIMALIF) 1049 # Test that 1-byte public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid. 1050 add_spender(spenders, "tapscript/unkpk/checksig", leaf="t16", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t7"}, **ERR_PUBKEYTYPE) 1051 add_spender(spenders, "tapscript/unkpk/checksigadd", leaf="t17", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t10"}, **ERR_PUBKEYTYPE) 1052 add_spender(spenders, "tapscript/unkpk/checksigverify", leaf="t18", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t8"}, **ERR_PUBKEYTYPE) 1053 # Test that 33-byte public keys (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case. 1054 add_spender(spenders, "tapscript/oldpk/checksig", leaf="t30", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t1"}, **ERR_SCHNORR_SIG) 1055 add_spender(spenders, "tapscript/oldpk/checksigadd", leaf="t31", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t2"}, **ERR_SCHNORR_SIG) 1056 add_spender(spenders, "tapscript/oldpk/checksigverify", leaf="t32", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t28"}, **ERR_SCHNORR_SIG) 1057 # Test that 0-byte public keys are not acceptable. 1058 add_spender(spenders, "tapscript/emptypk/checksig", leaf="t1", **SINGLE_SIG, **common, failure={"leaf": "t7"}, **ERR_PUBKEYTYPE) 1059 add_spender(spenders, "tapscript/emptypk/checksigverify", leaf="t2", **SINGLE_SIG, **common, failure={"leaf": "t8"}, **ERR_PUBKEYTYPE) 1060 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_PUBKEYTYPE) 1061 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t35", standard=False, **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_PUBKEYTYPE) 1062 # Test that OP_CHECKSIGADD results are as expected 1063 add_spender(spenders, "tapscript/checksigaddresults", leaf="t28", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 1064 add_spender(spenders, "tapscript/checksigaddoversize", leaf="t29", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 1065 # Test that OP_CHECKSIGADD requires 3 stack elements. 1066 add_spender(spenders, "tapscript/checksigadd3args", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t11"}, **ERR_INVALID_STACK_OPERATION) 1067 # Test that empty signatures do not cause script failure in OP_CHECKSIG and OP_CHECKSIGADD (but do fail with empty pubkey, and do fail OP_CHECKSIGVERIFY) 1068 add_spender(spenders, "tapscript/emptysigs/checksig", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t13"}, **ERR_PUBKEYTYPE) 1069 add_spender(spenders, "tapscript/emptysigs/nochecksigverify", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t20"}, **ERR_PUBKEYTYPE) 1070 add_spender(spenders, "tapscript/emptysigs/checksigadd", leaf="t14", **common, inputs=[b'', getter("sign")], failure={"leaf": "t15"}, **ERR_PUBKEYTYPE) 1071 # Test that scripts over 10000 bytes (and over 201 non-push ops) are acceptable. 1072 add_spender(spenders, "tapscript/no10000limit", leaf="t19", **SINGLE_SIG, **common) 1073 # Test that a stack size of 1000 elements is permitted, but 1001 isn't. 1074 add_spender(spenders, "tapscript/1000stack", leaf="t21", **SINGLE_SIG, **common, failure={"leaf": "t22"}, **ERR_STACK_SIZE) 1075 # Test that an input stack size of 1000 elements is permitted, but 1001 isn't. 1076 add_spender(spenders, "tapscript/1000inputs", leaf="t23", **common, inputs=[getter("sign")] + [b'' for _ in range(999)], failure={"leaf": "t24", "inputs": [getter("sign")] + [b'' for _ in range(1000)]}, **ERR_STACK_SIZE) 1077 # Test that pushing a MAX_SCRIPT_ELEMENT_SIZE byte stack element is valid, but one longer is not. 1078 add_spender(spenders, "tapscript/pushmaxlimit", leaf="t25", **common, **SINGLE_SIG, failure={"leaf": "t26"}, **ERR_PUSH_SIZE) 1079 # Test that 999-of-999 multisig works (but 1000-of-1000 triggers stack size limits) 1080 add_spender(spenders, "tapscript/bigmulti", leaf="t33", **common, inputs=big_spend_inputs, num=999, failure={"leaf": "t34", "num": 1000}, **ERR_STACK_SIZE) 1081 # Test that the CLEANSTACK rule is consensus critical in tapscript 1082 add_spender(spenders, "tapscript/cleanstack", leaf="t36", tap=tap, inputs=[b'\x01'], failure={"inputs": [b'\x01', b'\x01']}, **ERR_CLEANSTACK) 1083 1084 # == Test for sigops ratio limit == 1085 1086 # Given a number n, and a public key pk, functions that produce a (CScript, sigops). Each script takes as 1087 # input a valid signature with the passed pk followed by a dummy push of bytes that are to be dropped, and 1088 # will execute sigops signature checks. 1089 SIGOPS_RATIO_SCRIPTS = [ 1090 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIG. 1091 lambda n, pk: (CScript([OP_DROP, pk] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_CHECKSIG]), n + 1), 1092 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGVERIFY. 1093 lambda n, pk: (CScript([OP_DROP, pk, OP_0, OP_IF, OP_2DUP, OP_CHECKSIGVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_2, OP_SWAP, OP_CHECKSIGADD, OP_3, OP_EQUAL]), n + 1), 1094 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIG. 1095 lambda n, pk: (CScript([random.randbytes(220), OP_2DROP, pk, OP_1, OP_NOTIF, OP_2DUP, OP_CHECKSIG, OP_VERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_4, OP_SWAP, OP_CHECKSIGADD, OP_5, OP_EQUAL]), n + 1), 1096 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGADD. 1097 lambda n, pk: (CScript([OP_DROP, pk, OP_1, OP_IF, OP_ELSE, OP_2DUP, OP_6, OP_SWAP, OP_CHECKSIGADD, OP_7, OP_EQUALVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_8, OP_SWAP, OP_CHECKSIGADD, OP_9, OP_EQUAL]), n + 1), 1098 # n+1 OP_CHECKSIGs, but also one OP_CHECKSIG with an empty signature. 1099 lambda n, pk: (CScript([OP_DROP, OP_0, pk, OP_CHECKSIG, OP_NOT, OP_VERIFY, pk] + [OP_2DUP, OP_CHECKSIG, OP_VERIFY] * n + [OP_CHECKSIG]), n + 1), 1100 # n OP_CHECKSIGADDs and 1 OP_CHECKSIG, but also an OP_CHECKSIGADD with an empty signature. 1101 lambda n, pk: (CScript([OP_DROP, OP_0, OP_10, pk, OP_CHECKSIGADD, OP_10, OP_EQUALVERIFY, pk] + [OP_2DUP, OP_16, OP_SWAP, OP_CHECKSIGADD, b'\x11', OP_EQUALVERIFY] * n + [OP_CHECKSIG]), n + 1), 1102 ] 1103 for annex in [None, bytes([ANNEX_TAG]) + random.randbytes(random.randrange(1000))]: 1104 for hashtype in [SIGHASH_DEFAULT, SIGHASH_ALL]: 1105 for pubkey in [pubs[1], random.randbytes(random.choice([x for x in range(2, 81) if x != 32]))]: 1106 for fn_num, fn in enumerate(SIGOPS_RATIO_SCRIPTS): 1107 merkledepth = random.randrange(129) 1108 1109 1110 def predict_sigops_ratio(n, dummy_size): 1111 """Predict whether spending fn(n, pubkey) with dummy_size will pass the ratio test.""" 1112 script, sigops = fn(n, pubkey) 1113 # Predict the size of the witness for a given choice of n 1114 stacklen_size = 1 1115 sig_size = 64 + (hashtype != SIGHASH_DEFAULT) 1116 siglen_size = 1 1117 dummylen_size = 1 + 2 * (dummy_size >= 253) 1118 script_size = len(script) 1119 scriptlen_size = 1 + 2 * (script_size >= 253) 1120 control_size = 33 + 32 * merkledepth 1121 controllen_size = 1 + 2 * (control_size >= 253) 1122 annex_size = 0 if annex is None else len(annex) 1123 annexlen_size = 0 if annex is None else 1 + 2 * (annex_size >= 253) 1124 witsize = stacklen_size + sig_size + siglen_size + dummy_size + dummylen_size + script_size + scriptlen_size + control_size + controllen_size + annex_size + annexlen_size 1125 # sigops ratio test 1126 return witsize + 50 >= 50 * sigops 1127 # Make sure n is high enough that with empty dummy, the script is not valid 1128 n = 0 1129 while predict_sigops_ratio(n, 0): 1130 n += 1 1131 # But allow picking a bit higher still 1132 n += random.randrange(5) 1133 # Now pick dummy size *just* large enough that the overall construction passes 1134 dummylen = 0 1135 while not predict_sigops_ratio(n, dummylen): 1136 dummylen += 1 1137 scripts = [("s", fn(n, pubkey)[0])] 1138 for _ in range(merkledepth): 1139 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 1140 tap = taproot_construct(pubs[0], scripts) 1141 standard = annex is None and dummylen <= 80 and len(pubkey) == 32 1142 add_spender(spenders, "tapscript/sigopsratio_%i" % fn_num, tap=tap, leaf="s", annex=annex, hashtype=hashtype, key=secs[1], inputs=[getter("sign"), random.randbytes(dummylen)], standard=standard, failure={"inputs": [getter("sign"), random.randbytes(dummylen - 1)]}, **ERR_TAPSCRIPT_VALIDATION_WEIGHT) 1143 1144 # Future leaf versions 1145 for leafver in range(0, 0x100, 2): 1146 if leafver == LEAF_VERSION_TAPSCRIPT or leafver == ANNEX_TAG: 1147 # Skip the defined LEAF_VERSION_TAPSCRIPT, and the ANNEX_TAG which is not usable as leaf version 1148 continue 1149 scripts = [ 1150 ("bare_c0", CScript([OP_NOP])), 1151 ("bare_unkver", CScript([OP_NOP]), leafver), 1152 ("return_c0", CScript([OP_RETURN])), 1153 ("return_unkver", CScript([OP_RETURN]), leafver), 1154 ("undecodable_c0", CScript([OP_PUSHDATA1])), 1155 ("undecodable_unkver", CScript([OP_PUSHDATA1]), leafver), 1156 ("bigpush_c0", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP])), 1157 ("bigpush_unkver", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP]), leafver), 1158 ("1001push_c0", CScript([OP_0] * 1001)), 1159 ("1001push_unkver", CScript([OP_0] * 1001), leafver), 1160 ] 1161 random.shuffle(scripts) 1162 tap = taproot_construct(pubs[0], scripts) 1163 add_spender(spenders, "unkver/bare", standard=False, tap=tap, leaf="bare_unkver", failure={"leaf": "bare_c0"}, **ERR_CLEANSTACK) 1164 add_spender(spenders, "unkver/return", standard=False, tap=tap, leaf="return_unkver", failure={"leaf": "return_c0"}, **ERR_OP_RETURN) 1165 add_spender(spenders, "unkver/undecodable", standard=False, tap=tap, leaf="undecodable_unkver", failure={"leaf": "undecodable_c0"}, **ERR_BAD_OPCODE) 1166 add_spender(spenders, "unkver/bigpush", standard=False, tap=tap, leaf="bigpush_unkver", failure={"leaf": "bigpush_c0"}, **ERR_PUSH_SIZE) 1167 add_spender(spenders, "unkver/1001push", standard=False, tap=tap, leaf="1001push_unkver", failure={"leaf": "1001push_c0"}, **ERR_STACK_SIZE) 1168 add_spender(spenders, "unkver/1001inputs", standard=False, tap=tap, leaf="bare_unkver", inputs=[b'']*1001, failure={"leaf": "bare_c0"}, **ERR_STACK_SIZE) 1169 1170 # OP_SUCCESSx tests. 1171 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 1172 for opval in range(76, 0x100): 1173 opcode = CScriptOp(opval) 1174 if not is_op_success(opcode): 1175 continue 1176 scripts = [ 1177 ("bare_success", CScript([opcode])), 1178 ("bare_nop", CScript([OP_NOP])), 1179 ("unexecif_success", CScript([OP_0, OP_IF, opcode, OP_ENDIF])), 1180 ("unexecif_nop", CScript([OP_0, OP_IF, OP_NOP, OP_ENDIF])), 1181 ("return_success", CScript([OP_RETURN, opcode])), 1182 ("return_nop", CScript([OP_RETURN, OP_NOP])), 1183 ("undecodable_success", CScript([opcode, OP_PUSHDATA1])), 1184 ("undecodable_nop", CScript([OP_NOP, OP_PUSHDATA1])), 1185 ("undecodable_bypassed_success", CScript([OP_PUSHDATA1, OP_2, opcode])), 1186 ("bigpush_success", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, opcode])), 1187 ("bigpush_nop", CScript([random.randbytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, OP_NOP])), 1188 ("1001push_success", CScript([OP_0] * 1001 + [opcode])), 1189 ("1001push_nop", CScript([OP_0] * 1001 + [OP_NOP])), 1190 ] 1191 random.shuffle(scripts) 1192 tap = taproot_construct(pubs[0], scripts) 1193 add_spender(spenders, "opsuccess/bare", standard=False, tap=tap, leaf="bare_success", failure={"leaf": "bare_nop"}, **ERR_CLEANSTACK) 1194 add_spender(spenders, "opsuccess/unexecif", standard=False, tap=tap, leaf="unexecif_success", failure={"leaf": "unexecif_nop"}, **ERR_CLEANSTACK) 1195 add_spender(spenders, "opsuccess/return", standard=False, tap=tap, leaf="return_success", failure={"leaf": "return_nop"}, **ERR_OP_RETURN) 1196 add_spender(spenders, "opsuccess/undecodable", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_nop"}, **ERR_BAD_OPCODE) 1197 add_spender(spenders, "opsuccess/undecodable_bypass", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_bypassed_success"}, **ERR_BAD_OPCODE) 1198 add_spender(spenders, "opsuccess/bigpush", standard=False, tap=tap, leaf="bigpush_success", failure={"leaf": "bigpush_nop"}, **ERR_PUSH_SIZE) 1199 add_spender(spenders, "opsuccess/1001push", standard=False, tap=tap, leaf="1001push_success", failure={"leaf": "1001push_nop"}, **ERR_STACK_SIZE) 1200 add_spender(spenders, "opsuccess/1001inputs", standard=False, tap=tap, leaf="bare_success", inputs=[b'']*1001, failure={"leaf": "bare_nop"}, **ERR_STACK_SIZE) 1201 1202 # Non-OP_SUCCESSx (verify that those aren't accidentally treated as OP_SUCCESSx) 1203 for opval in range(0, 0x100): 1204 opcode = CScriptOp(opval) 1205 if is_op_success(opcode): 1206 continue 1207 scripts = [ 1208 ("normal", CScript([OP_RETURN, opcode] + [OP_NOP] * 75)), 1209 ("op_success", CScript([OP_RETURN, CScriptOp(0x50)])) 1210 ] 1211 tap = taproot_construct(pubs[0], scripts) 1212 add_spender(spenders, "alwaysvalid/notsuccessx", tap=tap, leaf="op_success", inputs=[], standard=False, failure={"leaf": "normal"}) # err_msg differs based on opcode 1213 1214 # == Test case for https://github.com/bitcoin/bitcoin/issues/24765 == 1215 1216 zero_fn = lambda h: bytes([0 for _ in range(32)]) 1217 tap = taproot_construct(pubs[0], [("leaf", CScript([pubs[1], OP_CHECKSIG, pubs[1], OP_CHECKSIGADD, OP_2, OP_EQUAL])), zero_fn]) 1218 add_spender(spenders, "case24765", tap=tap, leaf="leaf", inputs=[getter("sign"), getter("sign")], key=secs[1], no_fail=True) 1219 1220 # == Legacy tests == 1221 1222 # Also add a few legacy spends into the mix, so that transactions which combine taproot and pre-taproot spends get tested too. 1223 for compressed in [False, True]: 1224 eckey1, pubkey1 = generate_keypair(compressed=compressed) 1225 eckey2, _ = generate_keypair(compressed=compressed) 1226 for p2sh in [False, True]: 1227 for witv0 in [False, True]: 1228 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1229 standard = (hashtype in VALID_SIGHASHES_ECDSA) and (compressed or not witv0) 1230 add_spender(spenders, "legacy/pk-wrongkey", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=key_to_p2pk_script(pubkey1), **SINGLE_SIG, key=eckey1, failure={"key": eckey2}, sigops_weight=4-3*witv0, **ERR_EVAL_FALSE) 1231 add_spender(spenders, "legacy/pkh-sighashflip", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, pkh=pubkey1, key=eckey1, **SIGHASH_BITFLIP, sigops_weight=4-3*witv0, **ERR_EVAL_FALSE) 1232 1233 # Verify that OP_CHECKSIGADD wasn't accidentally added to pre-taproot validation logic. 1234 for p2sh in [False, True]: 1235 for witv0 in [False, True]: 1236 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1237 standard = hashtype in VALID_SIGHASHES_ECDSA and (p2sh or witv0) 1238 add_spender(spenders, "compat/nocsa", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([OP_IF, OP_11, pubkey1, OP_CHECKSIGADD, OP_12, OP_EQUAL, OP_ELSE, pubkey1, OP_CHECKSIG, OP_ENDIF]), key=eckey1, sigops_weight=4-3*witv0, inputs=[getter("sign"), b''], failure={"inputs": [getter("sign"), b'\x01']}, **ERR_BAD_OPCODE) 1239 1240 # == sighash caching tests == 1241 1242 # Sighash caching in legacy. 1243 for p2sh in [False, True]: 1244 for witv0 in [False, True]: 1245 eckey1, pubkey1 = generate_keypair(compressed=compressed) 1246 for _ in range(10): 1247 # Construct a script with 20 checksig operations (10 sighash types, each 2 times), 1248 # randomly ordered and interleaved with 4 OP_CODESEPARATORS. 1249 ops = [1, 2, 3, 0x21, 0x42, 0x63, 0x81, 0x83, 0xe1, 0xc2, -1, -1] * 2 1250 # Make sure no OP_CODESEPARATOR appears last. 1251 while True: 1252 random.shuffle(ops) 1253 if ops[-1] != -1: 1254 break 1255 script = [pubkey1] 1256 inputs = [] 1257 codeseps = -1 1258 for pos, op in enumerate(ops): 1259 if op == -1: 1260 codeseps += 1 1261 script.append(OP_CODESEPARATOR) 1262 elif pos + 1 != len(ops): 1263 script += [OP_TUCK, OP_CHECKSIGVERIFY] 1264 inputs.append(getter("sign", codesepnum=codeseps, hashtype=op)) 1265 else: 1266 script += [OP_CHECKSIG] 1267 inputs.append(getter("sign", codesepnum=codeseps, hashtype=op)) 1268 inputs.reverse() 1269 script = CScript(script) 1270 add_spender(spenders, "sighashcache/legacy", p2sh=p2sh, witv0=witv0, standard=False, script=script, inputs=inputs, key=eckey1, sigops_weight=12*8*(4-3*witv0), no_fail=True) 1271 1272 # Sighash caching in tapscript. 1273 for _ in range(10): 1274 # Construct a script with 700 checksig operations (7 sighash types, each 100 times), 1275 # randomly ordered and interleaved with 100 OP_CODESEPARATORS. 1276 ops = [0, 1, 2, 3, 0x81, 0x82, 0x83, -1] * 100 1277 # Make sure no OP_CODESEPARATOR appears last. 1278 while True: 1279 random.shuffle(ops) 1280 if ops[-1] != -1: 1281 break 1282 script = [pubs[1]] 1283 inputs = [] 1284 opcount = 1 1285 codeseppos = 0xffffffff 1286 for pos, op in enumerate(ops): 1287 if op == -1: 1288 codeseppos = opcount 1289 opcount += 1 1290 script.append(OP_CODESEPARATOR) 1291 elif pos + 1 != len(ops): 1292 opcount += 2 1293 script += [OP_TUCK, OP_CHECKSIGVERIFY] 1294 inputs.append(getter("sign", codeseppos=codeseppos, hashtype=op)) 1295 else: 1296 opcount += 1 1297 script += [OP_CHECKSIG] 1298 inputs.append(getter("sign", codeseppos=codeseppos, hashtype=op)) 1299 inputs.reverse() 1300 script = CScript(script) 1301 tap = taproot_construct(pubs[0], [("leaf", script)]) 1302 add_spender(spenders, "sighashcache/taproot", tap=tap, leaf="leaf", inputs=inputs, standard=True, key=secs[1], no_fail=True) 1303 1304 return spenders 1305 1306 1307 def spenders_taproot_nonstandard(): 1308 """Spenders for testing that post-activation Taproot rules may be nonstandard.""" 1309 1310 spenders = [] 1311 1312 sec = generate_privkey() 1313 pub, _ = compute_xonly_pubkey(sec) 1314 scripts = [ 1315 ("future_leaf", CScript([pub, OP_CHECKSIG]), 0xc2), 1316 ("op_success", CScript([pub, OP_CHECKSIG, OP_0, OP_IF, CScriptOp(0x50), OP_ENDIF])), 1317 ] 1318 tap = taproot_construct(pub, scripts) 1319 1320 # Test that features like annex, leaf versions, or OP_SUCCESS are valid but non-standard 1321 add_spender(spenders, "inactive/scriptpath_valid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")]) 1322 add_spender(spenders, "inactive/scriptpath_invalid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1323 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")]) 1324 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1325 1326 return spenders 1327 1328 def sample_spenders(): 1329 1330 # Create key(s) for output creation, as well as key and script-spends 1331 secs = [generate_privkey() for _ in range(2)] 1332 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 1333 1334 # Create a list of scripts which will be built into a taptree 1335 scripts = [ 1336 # leaf label, followed by CScript 1337 ("2byte_push", CScript([OP_DROP, b'\xaa\xaa'])), 1338 ("nonstd_2byte_push", CScript.fromhex("4c02aaaa")), 1339 ("dummyleaf", CScript([])), 1340 ] 1341 1342 # Build TaprootInfo using scripts and appropriate pubkey for output creation 1343 tap = taproot_construct(pubs[0], scripts) 1344 1345 # Finally, add spender(s). 1346 # Each spender embodies a test with an optional failure condition. 1347 # These failure conditions allow for fine-grained success/failure 1348 # conditions that are tested randomly. 1349 spenders = [] 1350 1351 # Named comment, using first leaf from scripts, with empty string as witness data, no optional fail condition 1352 add_spender(spenders, comment="tutorial/push", tap=tap, leaf="2byte_push", inputs=[b'\x00'], no_fail=True) 1353 1354 # Spender with alternative failure tapscript via over-riding "failure" dictionary, along with the failure's expected err_msg / ERR_* 1355 add_spender(spenders, comment="tutorial/pushredux", tap=tap, leaf="2byte_push", inputs=[b'\x00'], failure={"leaf": "dummyleaf"}, **ERR_EVAL_FALSE) 1356 1357 # Spender that is non-standard but otherwise valid, with extraneous signature data from inner key for optional failure condition 1358 add_spender(spenders, comment="tutorial/nonminpush", tap=tap, leaf="nonstd_2byte_push", key=secs[0], standard=False, failure={"inputs": [getter("sign")]}, **ERR_CLEANSTACK) 1359 1360 # New scripts=[] can be defined, and rinse-repeated as necessary until the spenders list is returned for execution 1361 return spenders 1362 1363 # Consensus validation flags to use in dumps for tests with "legacy/" or "inactive/" prefix. 1364 LEGACY_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY" 1365 # Consensus validation flags to use in dumps for all other tests. 1366 TAPROOT_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT" 1367 1368 def dump_json_test(tx, input_utxos, idx, success, failure): 1369 spender = input_utxos[idx].spender 1370 # Determine flags to dump 1371 flags = LEGACY_FLAGS if spender.comment.startswith("legacy/") or spender.comment.startswith("inactive/") else TAPROOT_FLAGS 1372 1373 fields = [ 1374 ("tx", tx.serialize().hex()), 1375 ("prevouts", [x.output.serialize().hex() for x in input_utxos]), 1376 ("index", idx), 1377 ("flags", flags), 1378 ("comment", spender.comment) 1379 ] 1380 1381 # The "final" field indicates that a spend should be always valid, even with more validation flags enabled 1382 # than the listed ones. Use standardness as a proxy for this (which gives a conservative underestimate). 1383 if spender.is_standard: 1384 fields.append(("final", True)) 1385 1386 def dump_witness(wit): 1387 return OrderedDict([("scriptSig", wit[0].hex()), ("witness", [x.hex() for x in wit[1]])]) 1388 if success is not None: 1389 fields.append(("success", dump_witness(success))) 1390 if failure is not None: 1391 fields.append(("failure", dump_witness(failure))) 1392 1393 # Write the dump to $TEST_DUMP_DIR/x/xyz... where x,y,z,... are the SHA1 sum of the dump (which makes the 1394 # file naming scheme compatible with fuzzing infrastructure). 1395 dump = json.dumps(OrderedDict(fields)) + ",\n" 1396 sha1 = hashlib.sha1(dump.encode("utf-8")).hexdigest() 1397 dirname = os.environ.get("TEST_DUMP_DIR", ".") + ("/%s" % sha1[0]) 1398 os.makedirs(dirname, exist_ok=True) 1399 with open(dirname + ("/%s" % sha1), 'w') as f: 1400 f.write(dump) 1401 1402 # Data type to keep track of UTXOs, where they were created, and how to spend them. 1403 UTXOData = namedtuple('UTXOData', 'outpoint,output,spender') 1404 1405 1406 class TaprootTest(BitcoinTestFramework): 1407 def add_options(self, parser): 1408 parser.add_argument("--dumptests", dest="dump_tests", default=False, action="store_true", 1409 help="Dump generated test cases to directory set by TEST_DUMP_DIR environment variable") 1410 1411 def skip_test_if_missing_module(self): 1412 self.skip_if_no_wallet() 1413 1414 def set_test_params(self): 1415 self.num_nodes = 1 1416 self.setup_clean_chain = True 1417 1418 def block_submit(self, node, txs, msg, err_msg, cb_pubkey=None, fees=0, sigops_weight=0, witness=False, accept=False): 1419 1420 # Deplete block of any non-tapscript sigops using a single additional 0-value coinbase output. 1421 # It is not impossible to fit enough tapscript sigops to hit the old 80k limit without 1422 # busting txin-level limits. We simply have to account for the p2pk outputs in all 1423 # transactions. 1424 extra_output_script = CScript(bytes([OP_CHECKSIG]*((MAX_BLOCK_SIGOPS_WEIGHT - sigops_weight) // WITNESS_SCALE_FACTOR))) 1425 1426 coinbase_tx = create_coinbase(self.lastblockheight + 1, pubkey=cb_pubkey, extra_output_script=extra_output_script, fees=fees) 1427 block = create_block(self.tip, coinbase_tx, self.lastblocktime + 1, txlist=txs) 1428 witness and add_witness_commitment(block) 1429 block.solve() 1430 block_response = node.submitblock(block.serialize().hex()) 1431 if err_msg is not None: 1432 assert block_response is not None and err_msg in block_response, "Missing error message '%s' from block response '%s': %s" % (err_msg, "(None)" if block_response is None else block_response, msg) 1433 if accept: 1434 assert node.getbestblockhash() == block.hash_hex, "Failed to accept: %s (response: %s)" % (msg, block_response) 1435 self.tip = block.hash_int 1436 self.lastblockhash = block.hash_hex 1437 self.lastblocktime += 1 1438 self.lastblockheight += 1 1439 else: 1440 assert node.getbestblockhash() == self.lastblockhash, "Failed to reject: " + msg 1441 1442 def init_blockinfo(self, node): 1443 # Initialize variables used by block_submit(). 1444 self.lastblockhash = node.getbestblockhash() 1445 self.tip = int(self.lastblockhash, 16) 1446 block = node.getblock(self.lastblockhash) 1447 self.lastblockheight = block['height'] 1448 self.lastblocktime = block['time'] 1449 1450 def test_spenders(self, node, spenders, input_counts): 1451 """Run randomized tests with a number of "spenders". 1452 1453 Steps: 1454 1) Generate an appropriate UTXO for each spender to test spend conditions 1455 2) Generate 100 random addresses of all wallet types: pkh/sh_wpkh/wpkh 1456 3) Select random number of inputs from (1) 1457 4) Select random number of addresses from (2) as outputs 1458 1459 Each spender embodies a test; in a large randomized test, it is verified 1460 that toggling the valid argument to each lambda toggles the validity of 1461 the transaction. This is accomplished by constructing transactions consisting 1462 of all valid inputs, except one invalid one. 1463 """ 1464 1465 # Construct a bunch of sPKs that send coins back to the host wallet 1466 self.log.info("- Constructing addresses for returning coins") 1467 host_spks = [] 1468 host_pubkeys = [] 1469 for i in range(16): 1470 addr = node.getnewaddress(address_type=random.choice(["legacy", "p2sh-segwit", "bech32"])) 1471 info = node.getaddressinfo(addr) 1472 spk = bytes.fromhex(info['scriptPubKey']) 1473 host_spks.append(spk) 1474 host_pubkeys.append(bytes.fromhex(info['pubkey'])) 1475 1476 self.init_blockinfo(node) 1477 1478 # Create transactions spending up to 50 of the wallet's inputs, with one output for each spender, and 1479 # one change output at the end. The transaction is constructed on the Python side to enable 1480 # having multiple outputs to the same address and outputs with no assigned address. The wallet 1481 # is then asked to sign it through signrawtransactionwithwallet, and then added to a block on the 1482 # Python side (to bypass standardness rules). 1483 self.log.info("- Creating test UTXOs...") 1484 random.shuffle(spenders) 1485 normal_utxos = [] 1486 mismatching_utxos = [] # UTXOs with input that requires mismatching output position 1487 done = 0 1488 while done < len(spenders): 1489 # Compute how many UTXOs to create with this transaction 1490 count_this_tx = min(len(spenders) - done, (len(spenders) + 4) // 5, 10000) 1491 1492 fund_tx = CTransaction() 1493 # Add the 50 highest-value inputs 1494 unspents = node.listunspent() 1495 random.shuffle(unspents) 1496 unspents.sort(key=lambda x: int(x["amount"] * 100000000), reverse=True) 1497 if len(unspents) > 50: 1498 unspents = unspents[:50] 1499 random.shuffle(unspents) 1500 balance = 0 1501 for unspent in unspents: 1502 balance += int(unspent["amount"] * 100000000) 1503 txid = int(unspent["txid"], 16) 1504 fund_tx.vin.append(CTxIn(COutPoint(txid, int(unspent["vout"])), CScript())) 1505 # Add outputs 1506 cur_progress = done / len(spenders) 1507 next_progress = (done + count_this_tx) / len(spenders) 1508 change_goal = (1.0 - 0.6 * next_progress) / (1.0 - 0.6 * cur_progress) * balance 1509 self.log.debug("Create %i UTXOs in a transaction spending %i inputs worth %.8f (sending ~%.8f to change)" % (count_this_tx, len(unspents), balance * 0.00000001, change_goal * 0.00000001)) 1510 for i in range(count_this_tx): 1511 avg = (balance - change_goal) / (count_this_tx - i) 1512 amount = int(random.randrange(int(avg*0.85 + 0.5), int(avg*1.15 + 0.5)) + 0.5) 1513 balance -= amount 1514 fund_tx.vout.append(CTxOut(amount, spenders[done + i].script)) 1515 # Add change 1516 fund_tx.vout.append(CTxOut(balance - 10000, random.choice(host_spks))) 1517 # Ask the wallet to sign 1518 fund_tx = tx_from_hex(node.signrawtransactionwithwallet(fund_tx.serialize().hex())["hex"]) 1519 # Construct UTXOData entries 1520 for i in range(count_this_tx): 1521 utxodata = UTXOData(outpoint=COutPoint(fund_tx.txid_int, i), output=fund_tx.vout[i], spender=spenders[done]) 1522 if utxodata.spender.need_vin_vout_mismatch: 1523 mismatching_utxos.append(utxodata) 1524 else: 1525 normal_utxos.append(utxodata) 1526 done += 1 1527 # Mine into a block 1528 self.block_submit(node, [fund_tx], "Funding tx", None, random.choice(host_pubkeys), 10000, MAX_BLOCK_SIGOPS_WEIGHT, True, True) 1529 1530 # Consume groups of choice(input_coins) from utxos in a tx, testing the spenders. 1531 self.log.info("- Running %i spending tests" % done) 1532 random.shuffle(normal_utxos) 1533 random.shuffle(mismatching_utxos) 1534 assert done == len(normal_utxos) + len(mismatching_utxos) 1535 1536 left = done 1537 while left: 1538 # Construct CTransaction with random version, nLocktime 1539 tx = CTransaction() 1540 tx.version = random.choice(TX_STANDARD_VERSIONS + [0, TX_MAX_STANDARD_VERSION + 1, random.getrandbits(32)]) 1541 min_sequence = (tx.version != 1 and tx.version != 0) * 0x80000000 # The minimum sequence number to disable relative locktime 1542 if random.choice([True, False]): 1543 tx.nLockTime = random.randrange(LOCKTIME_THRESHOLD, self.lastblocktime - 7200) # all absolute locktimes in the past 1544 else: 1545 tx.nLockTime = random.randrange(self.lastblockheight + 1) # all block heights in the past 1546 1547 # Decide how many UTXOs to test with. 1548 acceptable = [n for n in input_counts if n <= left and (left - n > max(input_counts) or (left - n) in [0] + input_counts)] 1549 num_inputs = random.choice(acceptable) 1550 1551 # If we have UTXOs that require mismatching inputs/outputs left, include exactly one of those 1552 # unless there is only one normal UTXO left (as tests with mismatching UTXOs require at least one 1553 # normal UTXO to go in the first position), and we don't want to run out of normal UTXOs. 1554 input_utxos = [] 1555 while len(mismatching_utxos) and (len(input_utxos) == 0 or len(normal_utxos) == 1): 1556 input_utxos.append(mismatching_utxos.pop()) 1557 left -= 1 1558 1559 # Top up until we hit num_inputs (but include at least one normal UTXO always). 1560 for _ in range(max(1, num_inputs - len(input_utxos))): 1561 input_utxos.append(normal_utxos.pop()) 1562 left -= 1 1563 1564 # The first input cannot require a mismatching output (as there is at least one output). 1565 while True: 1566 random.shuffle(input_utxos) 1567 if not input_utxos[0].spender.need_vin_vout_mismatch: 1568 break 1569 first_mismatch_input = None 1570 for i in range(len(input_utxos)): 1571 if input_utxos[i].spender.need_vin_vout_mismatch: 1572 first_mismatch_input = i 1573 assert first_mismatch_input is None or first_mismatch_input > 0 1574 1575 # Decide fee, and add CTxIns to tx. 1576 amount = sum(utxo.output.nValue for utxo in input_utxos) 1577 fee = min(random.randrange(MIN_FEE * 2, MIN_FEE * 4), amount - DUST_LIMIT) # 10000-20000 sat fee 1578 in_value = amount - fee 1579 tx.vin = [CTxIn(outpoint=utxo.outpoint, nSequence=random.randint(min_sequence, 0xffffffff)) for utxo in input_utxos] 1580 tx.wit.vtxinwit = [CTxInWitness() for _ in range(len(input_utxos))] 1581 sigops_weight = sum(utxo.spender.sigops_weight for utxo in input_utxos) 1582 self.log.debug("Test: %s" % (", ".join(utxo.spender.comment for utxo in input_utxos))) 1583 1584 # Add 1 to 4 random outputs (but constrained by inputs that require mismatching outputs) 1585 num_outputs = random.choice(range(1, 1 + min(4, 4 if first_mismatch_input is None else first_mismatch_input))) 1586 assert in_value >= 0 and fee - num_outputs * DUST_LIMIT >= MIN_FEE 1587 for i in range(num_outputs): 1588 tx.vout.append(CTxOut()) 1589 if in_value <= DUST_LIMIT: 1590 tx.vout[-1].nValue = DUST_LIMIT 1591 elif i < num_outputs - 1: 1592 tx.vout[-1].nValue = in_value 1593 else: 1594 tx.vout[-1].nValue = random.randint(DUST_LIMIT, in_value) 1595 in_value -= tx.vout[-1].nValue 1596 tx.vout[-1].scriptPubKey = random.choice(host_spks) 1597 sigops_weight += CScript(tx.vout[-1].scriptPubKey).GetSigOpCount(False) * WITNESS_SCALE_FACTOR 1598 fee += in_value 1599 assert fee >= 0 1600 1601 # Select coinbase pubkey 1602 cb_pubkey = random.choice(host_pubkeys) 1603 sigops_weight += 1 * WITNESS_SCALE_FACTOR 1604 1605 # Precompute one satisfying and one failing scriptSig/witness for each input. 1606 input_data = [] 1607 for i in range(len(input_utxos)): 1608 fn = input_utxos[i].spender.sat_function 1609 fail = None 1610 success = fn(tx, i, [utxo.output for utxo in input_utxos], True) 1611 if not input_utxos[i].spender.no_fail: 1612 fail = fn(tx, i, [utxo.output for utxo in input_utxos], False) 1613 input_data.append((fail, success)) 1614 if self.options.dump_tests: 1615 dump_json_test(tx, input_utxos, i, success, fail) 1616 1617 # Sign each input incorrectly once on each complete signing pass, except the very last. 1618 for fail_input in list(range(len(input_utxos))) + [None]: 1619 # Skip trying to fail at spending something that can't be made to fail. 1620 if fail_input is not None and input_utxos[fail_input].spender.no_fail: 1621 continue 1622 # Expected message with each input failure, may be None(which is ignored) 1623 expected_fail_msg = None if fail_input is None else input_utxos[fail_input].spender.err_msg 1624 # Fill inputs/witnesses 1625 for i in range(len(input_utxos)): 1626 tx.vin[i].scriptSig = input_data[i][i != fail_input][0] 1627 tx.wit.vtxinwit[i].scriptWitness.stack = input_data[i][i != fail_input][1] 1628 # Submit to mempool to check standardness 1629 is_standard_tx = ( 1630 fail_input is None # Must be valid to be standard 1631 and (all(utxo.spender.is_standard for utxo in input_utxos)) # All inputs must be standard 1632 and tx.version in TX_STANDARD_VERSIONS # The tx version must be standard 1633 and not (tx.version == 3 and tx.get_vsize() > TRUC_MAX_VSIZE) # Topological standardness rules must be followed 1634 ) 1635 msg = ','.join(utxo.spender.comment + ("*" if n == fail_input else "") for n, utxo in enumerate(input_utxos)) 1636 if is_standard_tx: 1637 node.sendrawtransaction(tx.serialize().hex(), 0) 1638 assert node.getmempoolentry(tx.txid_hex) is not None, "Failed to accept into mempool: " + msg 1639 else: 1640 assert_raises_rpc_error(-26, None, node.sendrawtransaction, tx.serialize().hex(), 0) 1641 # Submit in a block 1642 self.block_submit(node, [tx], msg, witness=True, accept=fail_input is None, cb_pubkey=cb_pubkey, fees=fee, sigops_weight=sigops_weight, err_msg=expected_fail_msg) 1643 1644 if (len(spenders) - left) // 200 > (len(spenders) - left - len(input_utxos)) // 200: 1645 self.log.info(" - %i tests done" % (len(spenders) - left)) 1646 1647 assert left == 0 1648 assert len(normal_utxos) == 0 1649 assert len(mismatching_utxos) == 0 1650 self.log.info(" - Done") 1651 1652 def gen_test_vectors(self): 1653 """Run a scenario that corresponds (and optionally produces) to BIP341 test vectors.""" 1654 1655 self.log.info("Unit test scenario...") 1656 1657 # Deterministically mine coins to OP_TRUE in block 1 1658 assert_equal(self.nodes[0].getblockcount(), 0) 1659 coinbase = CTransaction() 1660 coinbase.version = 1 1661 coinbase.vin = [CTxIn(COutPoint(0, 0xffffffff), CScript([OP_1, OP_1]), SEQUENCE_FINAL)] 1662 coinbase.vout = [CTxOut(5000000000, CScript([OP_1]))] 1663 coinbase.nLockTime = 0 1664 assert coinbase.txid_hex == "f60c73405d499a956d3162e3483c395526ef78286458a4cb17b125aa92e49b20" 1665 # Mine it 1666 block = create_block(hashprev=int(self.nodes[0].getbestblockhash(), 16), coinbase=coinbase) 1667 block.solve() 1668 self.nodes[0].submitblock(block.serialize().hex()) 1669 assert_equal(self.nodes[0].getblockcount(), 1) 1670 self.generate(self.nodes[0], COINBASE_MATURITY) 1671 1672 SEED = 317 1673 VALID_LEAF_VERS = list(range(0xc0, 0x100, 2)) + [0x66, 0x7e, 0x80, 0x84, 0x96, 0x98, 0xba, 0xbc, 0xbe] 1674 # Generate private keys 1675 prvs = [hashlib.sha256(SEED.to_bytes(2, 'big') + bytes([i])).digest() for i in range(100)] 1676 # Generate corresponding public x-only pubkeys 1677 pubs = [compute_xonly_pubkey(prv)[0] for prv in prvs] 1678 # Generate taproot objects 1679 inner_keys = [pubs[i] for i in range(7)] 1680 1681 script_lists = [ 1682 None, 1683 [("0", CScript([pubs[50], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)], 1684 [("0", CScript([pubs[51], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)], 1685 [("0", CScript([pubs[52], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("1", CScript([b"BIP341"]), VALID_LEAF_VERS[pubs[99][0] % 41])], 1686 [("0", CScript([pubs[53], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("1", CScript([b"Taproot"]), VALID_LEAF_VERS[pubs[99][1] % 41])], 1687 [("0", CScript([pubs[54], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), 1688 [("1", CScript([pubs[55], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("2", CScript([pubs[56], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)] 1689 ], 1690 [("0", CScript([pubs[57], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), 1691 [("1", CScript([pubs[58], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT), ("2", CScript([pubs[59], OP_CHECKSIG]), LEAF_VERSION_TAPSCRIPT)] 1692 ], 1693 ] 1694 taps = [taproot_construct(inner_keys[i], script_lists[i]) for i in range(len(inner_keys))] 1695 1696 # Require negated taps[0] 1697 assert taps[0].negflag 1698 # Require one negated and one non-negated in taps 1 and 2. 1699 assert_not_equal(taps[1].negflag, taps[2].negflag) 1700 # Require one negated and one non-negated in taps 3 and 4. 1701 assert_not_equal(taps[3].negflag, taps[4].negflag) 1702 # Require one negated and one non-negated in taps 5 and 6. 1703 assert_not_equal(taps[5].negflag, taps[6].negflag) 1704 1705 cblks = [{leaf: get({**DEFAULT_CONTEXT, 'tap': taps[i], 'leaf': leaf}, 'controlblock') for leaf in taps[i].leaves} for i in range(7)] 1706 # Require one swapped and one unswapped in taps 3 and 4. 1707 assert_not_equal((cblks[3]['0'][33:65] < cblks[3]['1'][33:65]), (cblks[4]['0'][33:65] < cblks[4]['1'][33:65])) 1708 # Require one swapped and one unswapped in taps 5 and 6, both at the top and child level. 1709 assert_not_equal((cblks[5]['0'][33:65] < cblks[5]['1'][65:]), (cblks[6]['0'][33:65] < cblks[6]['1'][65:])) 1710 assert_not_equal((cblks[5]['1'][33:65] < cblks[5]['2'][33:65]), (cblks[6]['1'][33:65] < cblks[6]['2'][33:65])) 1711 # Require within taps 5 (and thus also 6) that one level is swapped and the other is not. 1712 assert_not_equal((cblks[5]['0'][33:65] < cblks[5]['1'][65:]), (cblks[5]['1'][33:65] < cblks[5]['2'][33:65])) 1713 1714 # Compute a deterministic set of scriptPubKeys 1715 tap_spks = [] 1716 old_spks = [] 1717 spend_info = {} 1718 # First, taproot scriptPubKeys, for the tap objects constructed above 1719 for i, tap in enumerate(taps): 1720 tap_spks.append(tap.scriptPubKey) 1721 d = {'key': prvs[i], 'tap': tap, 'mode': 'taproot'} 1722 spend_info[tap.scriptPubKey] = d 1723 # Then, a number of deterministically generated (keys 0x1,0x2,0x3) with 2x P2PKH, 1x P2WPKH spks. 1724 for i in range(1, 4): 1725 prv = ECKey() 1726 prv.set(i.to_bytes(32, 'big'), True) 1727 pub = prv.get_pubkey().get_bytes() 1728 d = {"key": prv} 1729 d["scriptcode"] = key_to_p2pkh_script(pub) 1730 d["inputs"] = [getter("sign"), pub] 1731 if i < 3: 1732 # P2PKH 1733 d['spk'] = key_to_p2pkh_script(pub) 1734 d['mode'] = 'legacy' 1735 else: 1736 # P2WPKH 1737 d['spk'] = key_to_p2wpkh_script(pub) 1738 d['mode'] = 'witv0' 1739 old_spks.append(d['spk']) 1740 spend_info[d['spk']] = d 1741 1742 # Construct a deterministic chain of transactions creating UTXOs to the test's spk's (so that they 1743 # come from distinct txids). 1744 txn = [] 1745 lasttxid = coinbase.txid_int 1746 amount = 5000000000 1747 for i, spk in enumerate(old_spks + tap_spks): 1748 val = 42000000 * (i + 7) 1749 tx = CTransaction() 1750 tx.version = 1 1751 tx.vin = [CTxIn(COutPoint(lasttxid, i & 1), CScript([]), SEQUENCE_FINAL)] 1752 tx.vout = [CTxOut(val, spk), CTxOut(amount - val, CScript([OP_1]))] 1753 if i & 1: 1754 tx.vout = list(reversed(tx.vout)) 1755 tx.nLockTime = 0 1756 amount -= val 1757 lasttxid = tx.txid_int 1758 txn.append(tx) 1759 spend_info[spk]['prevout'] = COutPoint(tx.txid_int, i & 1) 1760 spend_info[spk]['utxo'] = CTxOut(val, spk) 1761 # Mine those transactions 1762 self.init_blockinfo(self.nodes[0]) 1763 self.block_submit(self.nodes[0], txn, "Crediting txn", None, sigops_weight=10, accept=True) 1764 1765 # scriptPubKey computation 1766 tests = {"version": 1} 1767 spk_tests = tests.setdefault("scriptPubKey", []) 1768 for i, tap in enumerate(taps): 1769 test_case = {} 1770 given = test_case.setdefault("given", {}) 1771 given['internalPubkey'] = tap.internal_pubkey.hex() 1772 1773 def pr(node): 1774 if node is None: 1775 return None 1776 elif isinstance(node, tuple): 1777 return {"id": int(node[0]), "script": node[1].hex(), "leafVersion": node[2]} 1778 elif len(node) == 1: 1779 return pr(node[0]) 1780 elif len(node) == 2: 1781 return [pr(node[0]), pr(node[1])] 1782 else: 1783 assert False 1784 1785 given['scriptTree'] = pr(script_lists[i]) 1786 intermediary = test_case.setdefault("intermediary", {}) 1787 if len(tap.leaves): 1788 leafhashes = intermediary.setdefault('leafHashes', [None] * len(tap.leaves)) 1789 for leaf in tap.leaves: 1790 leafhashes[int(leaf)] = tap.leaves[leaf].leaf_hash.hex() 1791 intermediary['merkleRoot'] = tap.merkle_root.hex() if tap.merkle_root else None 1792 intermediary['tweak'] = tap.tweak.hex() 1793 intermediary['tweakedPubkey'] = tap.output_pubkey.hex() 1794 expected = test_case.setdefault("expected", {}) 1795 expected['scriptPubKey'] = tap.scriptPubKey.hex() 1796 expected['bip350Address'] = program_to_witness(1, bytes(tap.output_pubkey), True) 1797 if len(tap.leaves): 1798 control_blocks = expected.setdefault("scriptPathControlBlocks", [None] * len(tap.leaves)) 1799 for leaf in tap.leaves: 1800 ctx = {**DEFAULT_CONTEXT, 'tap': tap, 'leaf': leaf} 1801 control_blocks[int(leaf)] = get(ctx, "controlblock").hex() 1802 spk_tests.append(test_case) 1803 1804 # Construct a deterministic transaction spending all outputs created above. 1805 tx = CTransaction() 1806 tx.version = 2 1807 tx.vin = [] 1808 inputs = [] 1809 input_spks = [tap_spks[0], tap_spks[1], old_spks[0], tap_spks[2], tap_spks[5], old_spks[2], tap_spks[6], tap_spks[3], tap_spks[4]] 1810 sequences = [0, SEQUENCE_FINAL, SEQUENCE_FINAL, 0xfffffffe, 0xfffffffe, 0, 0, SEQUENCE_FINAL, SEQUENCE_FINAL] 1811 hashtypes = [SIGHASH_SINGLE, SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, SIGHASH_ALL, SIGHASH_ALL, SIGHASH_DEFAULT, SIGHASH_ALL, SIGHASH_NONE, SIGHASH_NONE|SIGHASH_ANYONECANPAY, SIGHASH_ALL|SIGHASH_ANYONECANPAY] 1812 for i, spk in enumerate(input_spks): 1813 tx.vin.append(CTxIn(spend_info[spk]['prevout'], CScript(), sequences[i])) 1814 inputs.append(spend_info[spk]['utxo']) 1815 tx.vout.append(CTxOut(1000000000, old_spks[1])) 1816 tx.vout.append(CTxOut(3410000000, pubs[98])) 1817 tx.nLockTime = 500000000 1818 precomputed = { 1819 "hashAmounts": BIP341_sha_amounts(inputs), 1820 "hashPrevouts": BIP341_sha_prevouts(tx), 1821 "hashScriptPubkeys": BIP341_sha_scriptpubkeys(inputs), 1822 "hashSequences": BIP341_sha_sequences(tx), 1823 "hashOutputs": BIP341_sha_outputs(tx) 1824 } 1825 keypath_tests = tests.setdefault("keyPathSpending", []) 1826 tx_test = {} 1827 global_given = tx_test.setdefault("given", {}) 1828 global_given['rawUnsignedTx'] = tx.serialize().hex() 1829 utxos_spent = global_given.setdefault("utxosSpent", []) 1830 for i in range(len(input_spks)): 1831 utxos_spent.append({"scriptPubKey": inputs[i].scriptPubKey.hex(), "amountSats": inputs[i].nValue}) 1832 global_intermediary = tx_test.setdefault("intermediary", {}) 1833 for key in sorted(precomputed.keys()): 1834 global_intermediary[key] = precomputed[key].hex() 1835 test_list = tx_test.setdefault('inputSpending', []) 1836 for i in range(len(input_spks)): 1837 ctx = { 1838 **DEFAULT_CONTEXT, 1839 **spend_info[input_spks[i]], 1840 'tx': tx, 1841 'utxos': inputs, 1842 'idx': i, 1843 'hashtype': hashtypes[i], 1844 'deterministic': True 1845 } 1846 if ctx['mode'] == 'taproot': 1847 test_case = {} 1848 given = test_case.setdefault("given", {}) 1849 given['txinIndex'] = i 1850 given['internalPrivkey'] = get(ctx, 'key').hex() 1851 if get(ctx, "tap").merkle_root != bytes(): 1852 given['merkleRoot'] = get(ctx, "tap").merkle_root.hex() 1853 else: 1854 given['merkleRoot'] = None 1855 given['hashType'] = get(ctx, "hashtype") 1856 intermediary = test_case.setdefault("intermediary", {}) 1857 intermediary['internalPubkey'] = get(ctx, "tap").internal_pubkey.hex() 1858 intermediary['tweak'] = get(ctx, "tap").tweak.hex() 1859 intermediary['tweakedPrivkey'] = get(ctx, "key_tweaked").hex() 1860 sigmsg = get(ctx, "sigmsg") 1861 intermediary['sigMsg'] = sigmsg.hex() 1862 intermediary['precomputedUsed'] = [key for key in sorted(precomputed.keys()) if sigmsg.count(precomputed[key])] 1863 intermediary['sigHash'] = get(ctx, "sighash").hex() 1864 expected = test_case.setdefault("expected", {}) 1865 expected['witness'] = [get(ctx, "sign").hex()] 1866 test_list.append(test_case) 1867 tx.wit.vtxinwit.append(CTxInWitness()) 1868 tx.vin[i].scriptSig = CScript(flatten(get(ctx, "scriptsig"))) 1869 tx.wit.vtxinwit[i].scriptWitness.stack = flatten(get(ctx, "witness")) 1870 aux = tx_test.setdefault("auxiliary", {}) 1871 aux['fullySignedTx'] = tx.serialize().hex() 1872 keypath_tests.append(tx_test) 1873 assert_equal(hashlib.sha256(tx.serialize()).hexdigest(), "24bab662cb55a7f3bae29b559f651674c62bcc1cd442d44715c0133939107b38") 1874 # Mine the spending transaction 1875 self.block_submit(self.nodes[0], [tx], "Spending txn", None, sigops_weight=10000, accept=True, witness=True) 1876 1877 if GEN_TEST_VECTORS: 1878 print(json.dumps(tests, indent=4, sort_keys=False)) 1879 1880 def run_test(self): 1881 self.gen_test_vectors() 1882 1883 self.log.info("Post-activation tests...") 1884 1885 # New sub-tests not checking standardness can be added to consensus_spenders 1886 # to allow for increased coverage across input types. 1887 # See sample_spenders for a minimal example 1888 consensus_spenders = sample_spenders() 1889 consensus_spenders += spenders_taproot_active() 1890 self.test_spenders(self.nodes[0], consensus_spenders, input_counts=[1, 2, 2, 2, 2, 3]) 1891 1892 # Run each test twice; once in isolation, and once combined with others. Testing in isolation 1893 # means that the standardness is verified in every test (as combined transactions are only standard 1894 # when all their inputs are standard). 1895 nonstd_spenders = spenders_taproot_nonstandard() 1896 self.test_spenders(self.nodes[0], nonstd_spenders, input_counts=[1]) 1897 self.test_spenders(self.nodes[0], nonstd_spenders, input_counts=[2, 3]) 1898 1899 1900 if __name__ == '__main__': 1901 TaprootTest(__file__).main()