script.py
1 #!/usr/bin/env python3 2 # Copyright (c) 2015-present The Bitcoin Core developers 3 # Distributed under the MIT software license, see the accompanying 4 # file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 """Functionality to build scripts, as well as signature hash functions. 6 7 This file is modified from python-bitcoinlib. 8 """ 9 10 from collections import namedtuple 11 import unittest 12 13 from .key import TaggedHash, tweak_add_pubkey, compute_xonly_pubkey 14 15 from .messages import ( 16 CTransaction, 17 CTxOut, 18 hash256, 19 ser_string, 20 sha256, 21 ) 22 23 from .crypto.ripemd160 import ripemd160 24 25 MAX_SCRIPT_ELEMENT_SIZE = 520 26 MAX_SCRIPT_SIZE = 10000 27 MAX_PUBKEYS_PER_MULTI_A = 999 28 LOCKTIME_THRESHOLD = 500000000 29 ANNEX_TAG = 0x50 30 31 SEQUENCE_LOCKTIME_DISABLE_FLAG = (1<<31) 32 SEQUENCE_LOCKTIME_TYPE_FLAG = (1<<22) # this means use time (0 means height) 33 SEQUENCE_LOCKTIME_GRANULARITY = 9 # this is a bit-shift 34 SEQUENCE_LOCKTIME_MASK = 0x0000ffff 35 36 LEAF_VERSION_TAPSCRIPT = 0xc0 37 38 def hash160(s): 39 return ripemd160(sha256(s)) 40 41 def bn2vch(v): 42 """Convert number to bitcoin-specific little endian format.""" 43 # We need v.bit_length() bits, plus a sign bit for every nonzero number. 44 n_bits = v.bit_length() + (v != 0) 45 # The number of bytes for that is: 46 n_bytes = (n_bits + 7) // 8 47 # Convert number to absolute value + sign in top bit. 48 encoded_v = 0 if v == 0 else abs(v) | ((v < 0) << (n_bytes * 8 - 1)) 49 # Serialize to bytes 50 return encoded_v.to_bytes(n_bytes, 'little') 51 52 class CScriptOp(int): 53 """A single script opcode""" 54 __slots__ = () 55 56 @staticmethod 57 def encode_op_pushdata(d): 58 """Encode a PUSHDATA op, returning bytes""" 59 if len(d) < 0x4c: 60 return b'' + bytes([len(d)]) + d # OP_PUSHDATA 61 elif len(d) <= 0xff: 62 return b'\x4c' + bytes([len(d)]) + d # OP_PUSHDATA1 63 elif len(d) <= 0xffff: 64 return b'\x4d' + len(d).to_bytes(2, "little") + d # OP_PUSHDATA2 65 elif len(d) <= 0xffffffff: 66 return b'\x4e' + len(d).to_bytes(4, "little") + d # OP_PUSHDATA4 67 else: 68 raise ValueError("Data too long to encode in a PUSHDATA op") 69 70 @staticmethod 71 def encode_op_n(n): 72 """Encode a small integer op, returning an opcode""" 73 if not (0 <= n <= 16): 74 raise ValueError('Integer must be in range 0 <= n <= 16, got %d' % n) 75 76 if n == 0: 77 return OP_0 78 else: 79 return CScriptOp(OP_1 + n - 1) 80 81 def decode_op_n(self): 82 """Decode a small integer opcode, returning an integer""" 83 if self == OP_0: 84 return 0 85 86 if not (self == OP_0 or OP_1 <= self <= OP_16): 87 raise ValueError('op %r is not an OP_N' % self) 88 89 return int(self - OP_1 + 1) 90 91 def is_small_int(self): 92 """Return true if the op pushes a small integer to the stack""" 93 if 0x51 <= self <= 0x60 or self == 0: 94 return True 95 else: 96 return False 97 98 def __str__(self): 99 return repr(self) 100 101 def __repr__(self): 102 if self in OPCODE_NAMES: 103 return OPCODE_NAMES[self] 104 else: 105 return 'CScriptOp(0x%x)' % self 106 107 def __new__(cls, n): 108 try: 109 return _opcode_instances[n] 110 except IndexError: 111 assert len(_opcode_instances) == n 112 _opcode_instances.append(super().__new__(cls, n)) 113 return _opcode_instances[n] 114 115 OPCODE_NAMES: dict[CScriptOp, str] = {} 116 _opcode_instances: list[CScriptOp] = [] 117 118 # Populate opcode instance table 119 for n in range(0xff + 1): 120 CScriptOp(n) 121 122 123 # push value 124 OP_0 = CScriptOp(0x00) 125 OP_FALSE = OP_0 126 OP_PUSHDATA1 = CScriptOp(0x4c) 127 OP_PUSHDATA2 = CScriptOp(0x4d) 128 OP_PUSHDATA4 = CScriptOp(0x4e) 129 OP_1NEGATE = CScriptOp(0x4f) 130 OP_RESERVED = CScriptOp(0x50) 131 OP_1 = CScriptOp(0x51) 132 OP_TRUE = OP_1 133 OP_2 = CScriptOp(0x52) 134 OP_3 = CScriptOp(0x53) 135 OP_4 = CScriptOp(0x54) 136 OP_5 = CScriptOp(0x55) 137 OP_6 = CScriptOp(0x56) 138 OP_7 = CScriptOp(0x57) 139 OP_8 = CScriptOp(0x58) 140 OP_9 = CScriptOp(0x59) 141 OP_10 = CScriptOp(0x5a) 142 OP_11 = CScriptOp(0x5b) 143 OP_12 = CScriptOp(0x5c) 144 OP_13 = CScriptOp(0x5d) 145 OP_14 = CScriptOp(0x5e) 146 OP_15 = CScriptOp(0x5f) 147 OP_16 = CScriptOp(0x60) 148 149 # control 150 OP_NOP = CScriptOp(0x61) 151 OP_VER = CScriptOp(0x62) 152 OP_IF = CScriptOp(0x63) 153 OP_NOTIF = CScriptOp(0x64) 154 OP_VERIF = CScriptOp(0x65) 155 OP_VERNOTIF = CScriptOp(0x66) 156 OP_ELSE = CScriptOp(0x67) 157 OP_ENDIF = CScriptOp(0x68) 158 OP_VERIFY = CScriptOp(0x69) 159 OP_RETURN = CScriptOp(0x6a) 160 161 # stack ops 162 OP_TOALTSTACK = CScriptOp(0x6b) 163 OP_FROMALTSTACK = CScriptOp(0x6c) 164 OP_2DROP = CScriptOp(0x6d) 165 OP_2DUP = CScriptOp(0x6e) 166 OP_3DUP = CScriptOp(0x6f) 167 OP_2OVER = CScriptOp(0x70) 168 OP_2ROT = CScriptOp(0x71) 169 OP_2SWAP = CScriptOp(0x72) 170 OP_IFDUP = CScriptOp(0x73) 171 OP_DEPTH = CScriptOp(0x74) 172 OP_DROP = CScriptOp(0x75) 173 OP_DUP = CScriptOp(0x76) 174 OP_NIP = CScriptOp(0x77) 175 OP_OVER = CScriptOp(0x78) 176 OP_PICK = CScriptOp(0x79) 177 OP_ROLL = CScriptOp(0x7a) 178 OP_ROT = CScriptOp(0x7b) 179 OP_SWAP = CScriptOp(0x7c) 180 OP_TUCK = CScriptOp(0x7d) 181 182 # splice ops 183 OP_CAT = CScriptOp(0x7e) 184 OP_SUBSTR = CScriptOp(0x7f) 185 OP_LEFT = CScriptOp(0x80) 186 OP_RIGHT = CScriptOp(0x81) 187 OP_SIZE = CScriptOp(0x82) 188 189 # bit logic 190 OP_INVERT = CScriptOp(0x83) 191 OP_AND = CScriptOp(0x84) 192 OP_OR = CScriptOp(0x85) 193 OP_XOR = CScriptOp(0x86) 194 OP_EQUAL = CScriptOp(0x87) 195 OP_EQUALVERIFY = CScriptOp(0x88) 196 OP_RESERVED1 = CScriptOp(0x89) 197 OP_RESERVED2 = CScriptOp(0x8a) 198 199 # numeric 200 OP_1ADD = CScriptOp(0x8b) 201 OP_1SUB = CScriptOp(0x8c) 202 OP_2MUL = CScriptOp(0x8d) 203 OP_2DIV = CScriptOp(0x8e) 204 OP_NEGATE = CScriptOp(0x8f) 205 OP_ABS = CScriptOp(0x90) 206 OP_NOT = CScriptOp(0x91) 207 OP_0NOTEQUAL = CScriptOp(0x92) 208 209 OP_ADD = CScriptOp(0x93) 210 OP_SUB = CScriptOp(0x94) 211 OP_MUL = CScriptOp(0x95) 212 OP_DIV = CScriptOp(0x96) 213 OP_MOD = CScriptOp(0x97) 214 OP_LSHIFT = CScriptOp(0x98) 215 OP_RSHIFT = CScriptOp(0x99) 216 217 OP_BOOLAND = CScriptOp(0x9a) 218 OP_BOOLOR = CScriptOp(0x9b) 219 OP_NUMEQUAL = CScriptOp(0x9c) 220 OP_NUMEQUALVERIFY = CScriptOp(0x9d) 221 OP_NUMNOTEQUAL = CScriptOp(0x9e) 222 OP_LESSTHAN = CScriptOp(0x9f) 223 OP_GREATERTHAN = CScriptOp(0xa0) 224 OP_LESSTHANOREQUAL = CScriptOp(0xa1) 225 OP_GREATERTHANOREQUAL = CScriptOp(0xa2) 226 OP_MIN = CScriptOp(0xa3) 227 OP_MAX = CScriptOp(0xa4) 228 229 OP_WITHIN = CScriptOp(0xa5) 230 231 # crypto 232 OP_RIPEMD160 = CScriptOp(0xa6) 233 OP_SHA1 = CScriptOp(0xa7) 234 OP_SHA256 = CScriptOp(0xa8) 235 OP_HASH160 = CScriptOp(0xa9) 236 OP_HASH256 = CScriptOp(0xaa) 237 OP_CODESEPARATOR = CScriptOp(0xab) 238 OP_CHECKSIG = CScriptOp(0xac) 239 OP_CHECKSIGVERIFY = CScriptOp(0xad) 240 OP_CHECKMULTISIG = CScriptOp(0xae) 241 OP_CHECKMULTISIGVERIFY = CScriptOp(0xaf) 242 243 # expansion 244 OP_NOP1 = CScriptOp(0xb0) 245 OP_CHECKLOCKTIMEVERIFY = CScriptOp(0xb1) 246 OP_CHECKSEQUENCEVERIFY = CScriptOp(0xb2) 247 OP_NOP4 = CScriptOp(0xb3) 248 OP_NOP5 = CScriptOp(0xb4) 249 OP_NOP6 = CScriptOp(0xb5) 250 OP_NOP7 = CScriptOp(0xb6) 251 OP_NOP8 = CScriptOp(0xb7) 252 OP_NOP9 = CScriptOp(0xb8) 253 OP_NOP10 = CScriptOp(0xb9) 254 255 # BIP 342 opcodes (Tapscript) 256 OP_CHECKSIGADD = CScriptOp(0xba) 257 258 OP_INVALIDOPCODE = CScriptOp(0xff) 259 260 OPCODE_NAMES.update({ 261 OP_0: 'OP_0', 262 OP_PUSHDATA1: 'OP_PUSHDATA1', 263 OP_PUSHDATA2: 'OP_PUSHDATA2', 264 OP_PUSHDATA4: 'OP_PUSHDATA4', 265 OP_1NEGATE: 'OP_1NEGATE', 266 OP_RESERVED: 'OP_RESERVED', 267 OP_1: 'OP_1', 268 OP_2: 'OP_2', 269 OP_3: 'OP_3', 270 OP_4: 'OP_4', 271 OP_5: 'OP_5', 272 OP_6: 'OP_6', 273 OP_7: 'OP_7', 274 OP_8: 'OP_8', 275 OP_9: 'OP_9', 276 OP_10: 'OP_10', 277 OP_11: 'OP_11', 278 OP_12: 'OP_12', 279 OP_13: 'OP_13', 280 OP_14: 'OP_14', 281 OP_15: 'OP_15', 282 OP_16: 'OP_16', 283 OP_NOP: 'OP_NOP', 284 OP_VER: 'OP_VER', 285 OP_IF: 'OP_IF', 286 OP_NOTIF: 'OP_NOTIF', 287 OP_VERIF: 'OP_VERIF', 288 OP_VERNOTIF: 'OP_VERNOTIF', 289 OP_ELSE: 'OP_ELSE', 290 OP_ENDIF: 'OP_ENDIF', 291 OP_VERIFY: 'OP_VERIFY', 292 OP_RETURN: 'OP_RETURN', 293 OP_TOALTSTACK: 'OP_TOALTSTACK', 294 OP_FROMALTSTACK: 'OP_FROMALTSTACK', 295 OP_2DROP: 'OP_2DROP', 296 OP_2DUP: 'OP_2DUP', 297 OP_3DUP: 'OP_3DUP', 298 OP_2OVER: 'OP_2OVER', 299 OP_2ROT: 'OP_2ROT', 300 OP_2SWAP: 'OP_2SWAP', 301 OP_IFDUP: 'OP_IFDUP', 302 OP_DEPTH: 'OP_DEPTH', 303 OP_DROP: 'OP_DROP', 304 OP_DUP: 'OP_DUP', 305 OP_NIP: 'OP_NIP', 306 OP_OVER: 'OP_OVER', 307 OP_PICK: 'OP_PICK', 308 OP_ROLL: 'OP_ROLL', 309 OP_ROT: 'OP_ROT', 310 OP_SWAP: 'OP_SWAP', 311 OP_TUCK: 'OP_TUCK', 312 OP_CAT: 'OP_CAT', 313 OP_SUBSTR: 'OP_SUBSTR', 314 OP_LEFT: 'OP_LEFT', 315 OP_RIGHT: 'OP_RIGHT', 316 OP_SIZE: 'OP_SIZE', 317 OP_INVERT: 'OP_INVERT', 318 OP_AND: 'OP_AND', 319 OP_OR: 'OP_OR', 320 OP_XOR: 'OP_XOR', 321 OP_EQUAL: 'OP_EQUAL', 322 OP_EQUALVERIFY: 'OP_EQUALVERIFY', 323 OP_RESERVED1: 'OP_RESERVED1', 324 OP_RESERVED2: 'OP_RESERVED2', 325 OP_1ADD: 'OP_1ADD', 326 OP_1SUB: 'OP_1SUB', 327 OP_2MUL: 'OP_2MUL', 328 OP_2DIV: 'OP_2DIV', 329 OP_NEGATE: 'OP_NEGATE', 330 OP_ABS: 'OP_ABS', 331 OP_NOT: 'OP_NOT', 332 OP_0NOTEQUAL: 'OP_0NOTEQUAL', 333 OP_ADD: 'OP_ADD', 334 OP_SUB: 'OP_SUB', 335 OP_MUL: 'OP_MUL', 336 OP_DIV: 'OP_DIV', 337 OP_MOD: 'OP_MOD', 338 OP_LSHIFT: 'OP_LSHIFT', 339 OP_RSHIFT: 'OP_RSHIFT', 340 OP_BOOLAND: 'OP_BOOLAND', 341 OP_BOOLOR: 'OP_BOOLOR', 342 OP_NUMEQUAL: 'OP_NUMEQUAL', 343 OP_NUMEQUALVERIFY: 'OP_NUMEQUALVERIFY', 344 OP_NUMNOTEQUAL: 'OP_NUMNOTEQUAL', 345 OP_LESSTHAN: 'OP_LESSTHAN', 346 OP_GREATERTHAN: 'OP_GREATERTHAN', 347 OP_LESSTHANOREQUAL: 'OP_LESSTHANOREQUAL', 348 OP_GREATERTHANOREQUAL: 'OP_GREATERTHANOREQUAL', 349 OP_MIN: 'OP_MIN', 350 OP_MAX: 'OP_MAX', 351 OP_WITHIN: 'OP_WITHIN', 352 OP_RIPEMD160: 'OP_RIPEMD160', 353 OP_SHA1: 'OP_SHA1', 354 OP_SHA256: 'OP_SHA256', 355 OP_HASH160: 'OP_HASH160', 356 OP_HASH256: 'OP_HASH256', 357 OP_CODESEPARATOR: 'OP_CODESEPARATOR', 358 OP_CHECKSIG: 'OP_CHECKSIG', 359 OP_CHECKSIGVERIFY: 'OP_CHECKSIGVERIFY', 360 OP_CHECKMULTISIG: 'OP_CHECKMULTISIG', 361 OP_CHECKMULTISIGVERIFY: 'OP_CHECKMULTISIGVERIFY', 362 OP_NOP1: 'OP_NOP1', 363 OP_CHECKLOCKTIMEVERIFY: 'OP_CHECKLOCKTIMEVERIFY', 364 OP_CHECKSEQUENCEVERIFY: 'OP_CHECKSEQUENCEVERIFY', 365 OP_NOP4: 'OP_NOP4', 366 OP_NOP5: 'OP_NOP5', 367 OP_NOP6: 'OP_NOP6', 368 OP_NOP7: 'OP_NOP7', 369 OP_NOP8: 'OP_NOP8', 370 OP_NOP9: 'OP_NOP9', 371 OP_NOP10: 'OP_NOP10', 372 OP_CHECKSIGADD: 'OP_CHECKSIGADD', 373 OP_INVALIDOPCODE: 'OP_INVALIDOPCODE', 374 }) 375 376 class CScriptInvalidError(Exception): 377 """Base class for CScript exceptions""" 378 pass 379 380 class CScriptTruncatedPushDataError(CScriptInvalidError): 381 """Invalid pushdata due to truncation""" 382 def __init__(self, msg, data): 383 self.data = data 384 super().__init__(msg) 385 386 387 # This is used, eg, for blockchain heights in coinbase scripts (bip34) 388 class CScriptNum: 389 __slots__ = ("value",) 390 391 def __init__(self, d=0): 392 self.value = d 393 394 @staticmethod 395 def encode(obj): 396 r = bytearray(0) 397 if obj.value == 0: 398 return bytes(r) 399 neg = obj.value < 0 400 absvalue = -obj.value if neg else obj.value 401 while (absvalue): 402 r.append(absvalue & 0xff) 403 absvalue >>= 8 404 if r[-1] & 0x80: 405 r.append(0x80 if neg else 0) 406 elif neg: 407 r[-1] |= 0x80 408 return bytes([len(r)]) + r 409 410 @staticmethod 411 def decode(vch): 412 result = 0 413 # We assume valid push_size and minimal encoding 414 value = vch[1:] 415 if len(value) == 0: 416 return result 417 for i, byte in enumerate(value): 418 result |= int(byte) << 8 * i 419 if value[-1] >= 0x80: 420 # Mask for all but the highest result bit 421 num_mask = (2**(len(value) * 8) - 1) >> 1 422 result &= num_mask 423 result *= -1 424 return result 425 426 427 class CScript(bytes): 428 """Serialized script 429 430 A bytes subclass, so you can use this directly whenever bytes are accepted. 431 Note that this means that indexing does *not* work - you'll get an index by 432 byte rather than opcode. This format was chosen for efficiency so that the 433 general case would not require creating a lot of little CScriptOP objects. 434 435 iter(script) however does iterate by opcode. 436 """ 437 __slots__ = () 438 439 @classmethod 440 def __coerce_instance(cls, other): 441 # Coerce other into bytes 442 if isinstance(other, CScriptOp): 443 other = bytes([other]) 444 elif isinstance(other, CScriptNum): 445 if (other.value == 0): 446 other = bytes([CScriptOp(OP_0)]) 447 else: 448 other = CScriptNum.encode(other) 449 elif isinstance(other, int): 450 if 0 <= other <= 16: 451 other = bytes([CScriptOp.encode_op_n(other)]) 452 elif other == -1: 453 other = bytes([OP_1NEGATE]) 454 else: 455 other = CScriptOp.encode_op_pushdata(bn2vch(other)) 456 elif isinstance(other, (bytes, bytearray)): 457 other = CScriptOp.encode_op_pushdata(other) 458 return other 459 460 def __add__(self, other): 461 # add makes no sense for a CScript() 462 raise NotImplementedError 463 464 def join(self, iterable): 465 # join makes no sense for a CScript() 466 raise NotImplementedError 467 468 def __new__(cls, value=b''): 469 if isinstance(value, bytes) or isinstance(value, bytearray): 470 return super().__new__(cls, value) 471 else: 472 def coerce_iterable(iterable): 473 for instance in iterable: 474 yield cls.__coerce_instance(instance) 475 # Annoyingly on both python2 and python3 bytes.join() always 476 # returns a bytes instance even when subclassed. 477 return super().__new__(cls, b''.join(coerce_iterable(value))) 478 479 def raw_iter(self): 480 """Raw iteration 481 482 Yields tuples of (opcode, data, sop_idx) so that the different possible 483 PUSHDATA encodings can be accurately distinguished, as well as 484 determining the exact opcode byte indexes. (sop_idx) 485 """ 486 i = 0 487 while i < len(self): 488 sop_idx = i 489 opcode = CScriptOp(self[i]) 490 i += 1 491 492 if opcode > OP_PUSHDATA4: 493 yield (opcode, None, sop_idx) 494 else: 495 datasize = None 496 pushdata_type = None 497 if opcode < OP_PUSHDATA1: 498 pushdata_type = 'PUSHDATA(%d)' % opcode 499 datasize = opcode 500 501 elif opcode == OP_PUSHDATA1: 502 pushdata_type = 'PUSHDATA1' 503 if i >= len(self): 504 raise CScriptInvalidError('PUSHDATA1: missing data length') 505 datasize = self[i] 506 i += 1 507 508 elif opcode == OP_PUSHDATA2: 509 pushdata_type = 'PUSHDATA2' 510 if i + 1 >= len(self): 511 raise CScriptInvalidError('PUSHDATA2: missing data length') 512 datasize = self[i] + (self[i + 1] << 8) 513 i += 2 514 515 elif opcode == OP_PUSHDATA4: 516 pushdata_type = 'PUSHDATA4' 517 if i + 3 >= len(self): 518 raise CScriptInvalidError('PUSHDATA4: missing data length') 519 datasize = self[i] + (self[i + 1] << 8) + (self[i + 2] << 16) + (self[i + 3] << 24) 520 i += 4 521 522 else: 523 assert False # shouldn't happen 524 525 data = bytes(self[i:i + datasize]) 526 527 # Check for truncation 528 if len(data) < datasize: 529 raise CScriptTruncatedPushDataError('%s: truncated data' % pushdata_type, data) 530 531 i += datasize 532 533 yield (opcode, data, sop_idx) 534 535 def __iter__(self): 536 """'Cooked' iteration 537 538 Returns either a CScriptOP instance, an integer, or bytes, as 539 appropriate. 540 541 See raw_iter() if you need to distinguish the different possible 542 PUSHDATA encodings. 543 """ 544 for (opcode, data, sop_idx) in self.raw_iter(): 545 if data is not None: 546 yield data 547 else: 548 opcode = CScriptOp(opcode) 549 550 if opcode.is_small_int(): 551 yield opcode.decode_op_n() 552 else: 553 yield CScriptOp(opcode) 554 555 def __repr__(self): 556 def _repr(o): 557 if isinstance(o, bytes): 558 return "x('%s')" % o.hex() 559 else: 560 return repr(o) 561 562 ops = [] 563 i = iter(self) 564 while True: 565 op = None 566 try: 567 op = _repr(next(i)) 568 except CScriptTruncatedPushDataError as err: 569 op = '%s...<ERROR: %s>' % (_repr(err.data), err) 570 break 571 except CScriptInvalidError as err: 572 op = '<ERROR: %s>' % err 573 break 574 except StopIteration: 575 break 576 finally: 577 if op is not None: 578 ops.append(op) 579 580 return "CScript([%s])" % ', '.join(ops) 581 582 def GetSigOpCount(self, fAccurate): 583 """Get the SigOp count. 584 585 fAccurate - Accurately count CHECKMULTISIG, see BIP16 for details. 586 587 Note that this is consensus-critical. 588 """ 589 n = 0 590 lastOpcode = OP_INVALIDOPCODE 591 for (opcode, data, sop_idx) in self.raw_iter(): 592 if opcode in (OP_CHECKSIG, OP_CHECKSIGVERIFY): 593 n += 1 594 elif opcode in (OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY): 595 if fAccurate and (OP_1 <= lastOpcode <= OP_16): 596 n += lastOpcode.decode_op_n() 597 else: 598 n += 20 599 lastOpcode = opcode 600 return n 601 602 def IsWitnessProgram(self): 603 """A witness program is any valid CScript that consists of a 1-byte 604 push opcode followed by a data push between 2 and 40 bytes.""" 605 return ((4 <= len(self) <= 42) and 606 (self[0] == OP_0 or (OP_1 <= self[0] <= OP_16)) and 607 (self[1] + 2 == len(self))) 608 609 610 SIGHASH_DEFAULT = 0 # Taproot-only default, semantics same as SIGHASH_ALL 611 SIGHASH_ALL = 1 612 SIGHASH_NONE = 2 613 SIGHASH_SINGLE = 3 614 SIGHASH_ANYONECANPAY = 0x80 615 616 def FindAndDelete(script, sig): 617 """Consensus critical, see FindAndDelete() in Satoshi codebase""" 618 r = b'' 619 last_sop_idx = sop_idx = 0 620 skip = True 621 for (opcode, data, sop_idx) in script.raw_iter(): 622 if not skip: 623 r += script[last_sop_idx:sop_idx] 624 last_sop_idx = sop_idx 625 if script[sop_idx:sop_idx + len(sig)] == sig: 626 skip = True 627 else: 628 skip = False 629 if not skip: 630 r += script[last_sop_idx:] 631 return CScript(r) 632 633 def LegacySignatureMsg(script, txTo, inIdx, hashtype): 634 """Preimage of the signature hash, if it exists. 635 636 Returns either (None, err) to indicate error (which translates to sighash 1), 637 or (msg, None). 638 """ 639 640 if inIdx >= len(txTo.vin): 641 return (None, "inIdx %d out of range (%d)" % (inIdx, len(txTo.vin))) 642 txtmp = CTransaction(txTo) 643 644 for txin in txtmp.vin: 645 txin.scriptSig = b'' 646 txtmp.vin[inIdx].scriptSig = FindAndDelete(script, CScript([OP_CODESEPARATOR])) 647 648 if (hashtype & 0x1f) == SIGHASH_NONE: 649 txtmp.vout = [] 650 651 for i in range(len(txtmp.vin)): 652 if i != inIdx: 653 txtmp.vin[i].nSequence = 0 654 655 elif (hashtype & 0x1f) == SIGHASH_SINGLE: 656 outIdx = inIdx 657 if outIdx >= len(txtmp.vout): 658 return (None, "outIdx %d out of range (%d)" % (outIdx, len(txtmp.vout))) 659 660 tmp = txtmp.vout[outIdx] 661 txtmp.vout = [] 662 for _ in range(outIdx): 663 txtmp.vout.append(CTxOut(-1)) 664 txtmp.vout.append(tmp) 665 666 for i in range(len(txtmp.vin)): 667 if i != inIdx: 668 txtmp.vin[i].nSequence = 0 669 670 if hashtype & SIGHASH_ANYONECANPAY: 671 tmp = txtmp.vin[inIdx] 672 txtmp.vin = [] 673 txtmp.vin.append(tmp) 674 675 s = txtmp.serialize_without_witness() 676 s += hashtype.to_bytes(4, "little") 677 678 return (s, None) 679 680 def LegacySignatureHash(*args, **kwargs): 681 """Consensus-correct SignatureHash 682 683 Returns (hash, err) to precisely match the consensus-critical behavior of 684 the SIGHASH_SINGLE bug. (inIdx is *not* checked for validity) 685 """ 686 687 HASH_ONE = b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 688 msg, err = LegacySignatureMsg(*args, **kwargs) 689 if msg is None: 690 return (HASH_ONE, err) 691 else: 692 return (hash256(msg), err) 693 694 def sign_input_legacy(tx, input_index, input_scriptpubkey, privkey, sighash_type=SIGHASH_ALL): 695 """Add legacy ECDSA signature for a given transaction input. Note that the signature 696 is prepended to the scriptSig field, i.e. additional data pushes necessary for more 697 complex spends than P2PK (e.g. pubkey for P2PKH) can be already set before.""" 698 (sighash, err) = LegacySignatureHash(input_scriptpubkey, tx, input_index, sighash_type) 699 assert err is None 700 der_sig = privkey.sign_ecdsa(sighash) 701 tx.vin[input_index].scriptSig = bytes(CScript([der_sig + bytes([sighash_type])])) + tx.vin[input_index].scriptSig 702 703 def sign_input_segwitv0(tx, input_index, input_scriptpubkey, input_amount, privkey, sighash_type=SIGHASH_ALL): 704 """Add segwitv0 ECDSA signature for a given transaction input. Note that the signature 705 is inserted at the bottom of the witness stack, i.e. additional witness data 706 needed (e.g. pubkey for P2WPKH) can already be set before.""" 707 sighash = SegwitV0SignatureHash(input_scriptpubkey, tx, input_index, sighash_type, input_amount) 708 der_sig = privkey.sign_ecdsa(sighash) 709 tx.wit.vtxinwit[input_index].scriptWitness.stack.insert(0, der_sig + bytes([sighash_type])) 710 711 # TODO: Allow cached hashPrevouts/hashSequence/hashOutputs to be provided. 712 # Performance optimization probably not necessary for python tests, however. 713 # Note that this corresponds to sigversion == 1 in EvalScript, which is used 714 # for version 0 witnesses. 715 def SegwitV0SignatureMsg(script, txTo, inIdx, hashtype, amount): 716 ZERO_HASH = bytes([0]*32) 717 718 hashPrevouts = ZERO_HASH 719 hashSequence = ZERO_HASH 720 hashOutputs = ZERO_HASH 721 722 if not (hashtype & SIGHASH_ANYONECANPAY): 723 serialize_prevouts = bytes() 724 for i in txTo.vin: 725 serialize_prevouts += i.prevout.serialize() 726 hashPrevouts = hash256(serialize_prevouts) 727 728 if (not (hashtype & SIGHASH_ANYONECANPAY) and (hashtype & 0x1f) != SIGHASH_SINGLE and (hashtype & 0x1f) != SIGHASH_NONE): 729 serialize_sequence = bytes() 730 for i in txTo.vin: 731 serialize_sequence += i.nSequence.to_bytes(4, "little") 732 hashSequence = hash256(serialize_sequence) 733 734 if ((hashtype & 0x1f) != SIGHASH_SINGLE and (hashtype & 0x1f) != SIGHASH_NONE): 735 serialize_outputs = bytes() 736 for o in txTo.vout: 737 serialize_outputs += o.serialize() 738 hashOutputs = hash256(serialize_outputs) 739 elif ((hashtype & 0x1f) == SIGHASH_SINGLE and inIdx < len(txTo.vout)): 740 serialize_outputs = txTo.vout[inIdx].serialize() 741 hashOutputs = hash256(serialize_outputs) 742 743 ss = bytes() 744 ss += txTo.version.to_bytes(4, "little") 745 ss += hashPrevouts 746 ss += hashSequence 747 ss += txTo.vin[inIdx].prevout.serialize() 748 ss += ser_string(script) 749 ss += amount.to_bytes(8, "little", signed=True) 750 ss += txTo.vin[inIdx].nSequence.to_bytes(4, "little") 751 ss += hashOutputs 752 ss += txTo.nLockTime.to_bytes(4, "little") 753 ss += hashtype.to_bytes(4, "little") 754 return ss 755 756 def SegwitV0SignatureHash(*args, **kwargs): 757 return hash256(SegwitV0SignatureMsg(*args, **kwargs)) 758 759 class TestFrameworkScript(unittest.TestCase): 760 def test_bn2vch(self): 761 self.assertEqual(bn2vch(0), bytes([])) 762 self.assertEqual(bn2vch(1), bytes([0x01])) 763 self.assertEqual(bn2vch(-1), bytes([0x81])) 764 self.assertEqual(bn2vch(0x7F), bytes([0x7F])) 765 self.assertEqual(bn2vch(-0x7F), bytes([0xFF])) 766 self.assertEqual(bn2vch(0x80), bytes([0x80, 0x00])) 767 self.assertEqual(bn2vch(-0x80), bytes([0x80, 0x80])) 768 self.assertEqual(bn2vch(0xFF), bytes([0xFF, 0x00])) 769 self.assertEqual(bn2vch(-0xFF), bytes([0xFF, 0x80])) 770 self.assertEqual(bn2vch(0x100), bytes([0x00, 0x01])) 771 self.assertEqual(bn2vch(-0x100), bytes([0x00, 0x81])) 772 self.assertEqual(bn2vch(0x7FFF), bytes([0xFF, 0x7F])) 773 self.assertEqual(bn2vch(-0x8000), bytes([0x00, 0x80, 0x80])) 774 self.assertEqual(bn2vch(-0x7FFFFF), bytes([0xFF, 0xFF, 0xFF])) 775 self.assertEqual(bn2vch(0x80000000), bytes([0x00, 0x00, 0x00, 0x80, 0x00])) 776 self.assertEqual(bn2vch(-0x80000000), bytes([0x00, 0x00, 0x00, 0x80, 0x80])) 777 self.assertEqual(bn2vch(0xFFFFFFFF), bytes([0xFF, 0xFF, 0xFF, 0xFF, 0x00])) 778 self.assertEqual(bn2vch(123456789), bytes([0x15, 0xCD, 0x5B, 0x07])) 779 self.assertEqual(bn2vch(-54321), bytes([0x31, 0xD4, 0x80])) 780 781 def test_cscriptnum_encoding(self): 782 # round-trip negative and multi-byte CScriptNums 783 values = [0, 1, -1, -2, 127, 128, -255, 256, (1 << 15) - 1, -(1 << 16), (1 << 24) - 1, (1 << 31), 1 - (1 << 32), 1 << 40, 1500, -1500] 784 for value in values: 785 self.assertEqual(CScriptNum.decode(CScriptNum.encode(CScriptNum(value))), value) 786 787 def test_legacy_sigopcount(self): 788 # test repeated single sig ops 789 for n_ops in range(1, 100, 10): 790 for singlesig_op in (OP_CHECKSIG, OP_CHECKSIGVERIFY): 791 singlesigs_script = CScript([singlesig_op]*n_ops) 792 self.assertEqual(singlesigs_script.GetSigOpCount(fAccurate=False), n_ops) 793 self.assertEqual(singlesigs_script.GetSigOpCount(fAccurate=True), n_ops) 794 # test multisig op (including accurate counting, i.e. BIP16) 795 for n in range(1, 16+1): 796 for multisig_op in (OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY): 797 multisig_script = CScript([CScriptOp.encode_op_n(n), multisig_op]) 798 self.assertEqual(multisig_script.GetSigOpCount(fAccurate=False), 20) 799 self.assertEqual(multisig_script.GetSigOpCount(fAccurate=True), n) 800 801 def BIP341_sha_prevouts(txTo): 802 return sha256(b"".join(i.prevout.serialize() for i in txTo.vin)) 803 804 def BIP341_sha_amounts(spent_utxos): 805 return sha256(b"".join(u.nValue.to_bytes(8, "little", signed=True) for u in spent_utxos)) 806 807 def BIP341_sha_scriptpubkeys(spent_utxos): 808 return sha256(b"".join(ser_string(u.scriptPubKey) for u in spent_utxos)) 809 810 def BIP341_sha_sequences(txTo): 811 return sha256(b"".join(i.nSequence.to_bytes(4, "little") for i in txTo.vin)) 812 813 def BIP341_sha_outputs(txTo): 814 return sha256(b"".join(o.serialize() for o in txTo.vout)) 815 816 def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index=0, *, scriptpath=False, leaf_script=None, codeseparator_pos=-1, annex=None, leaf_ver=LEAF_VERSION_TAPSCRIPT): 817 assert (len(txTo.vin) == len(spent_utxos)) 818 assert (input_index < len(txTo.vin)) 819 out_type = SIGHASH_ALL if hash_type == 0 else hash_type & 3 820 in_type = hash_type & SIGHASH_ANYONECANPAY 821 spk = spent_utxos[input_index].scriptPubKey 822 ss = bytes([0, hash_type]) # epoch, hash_type 823 ss += txTo.version.to_bytes(4, "little") 824 ss += txTo.nLockTime.to_bytes(4, "little") 825 if in_type != SIGHASH_ANYONECANPAY: 826 ss += BIP341_sha_prevouts(txTo) 827 ss += BIP341_sha_amounts(spent_utxos) 828 ss += BIP341_sha_scriptpubkeys(spent_utxos) 829 ss += BIP341_sha_sequences(txTo) 830 if out_type == SIGHASH_ALL: 831 ss += BIP341_sha_outputs(txTo) 832 spend_type = 0 833 if annex is not None: 834 spend_type |= 1 835 if scriptpath: 836 spend_type |= 2 837 ss += bytes([spend_type]) 838 if in_type == SIGHASH_ANYONECANPAY: 839 ss += txTo.vin[input_index].prevout.serialize() 840 ss += spent_utxos[input_index].nValue.to_bytes(8, "little", signed=True) 841 ss += ser_string(spk) 842 ss += txTo.vin[input_index].nSequence.to_bytes(4, "little") 843 else: 844 ss += input_index.to_bytes(4, "little") 845 if (spend_type & 1): 846 ss += sha256(ser_string(annex)) 847 if out_type == SIGHASH_SINGLE: 848 if input_index < len(txTo.vout): 849 ss += sha256(txTo.vout[input_index].serialize()) 850 else: 851 ss += bytes(0 for _ in range(32)) 852 if scriptpath: 853 ss += TaggedHash("TapLeaf", bytes([leaf_ver]) + ser_string(leaf_script)) 854 ss += bytes([0]) 855 ss += codeseparator_pos.to_bytes(4, "little", signed=False) 856 assert len(ss) == 175 - (in_type == SIGHASH_ANYONECANPAY) * 49 - (out_type != SIGHASH_ALL and out_type != SIGHASH_SINGLE) * 32 + (annex is not None) * 32 + scriptpath * 37 857 return ss 858 859 def TaprootSignatureHash(*args, **kwargs): 860 return TaggedHash("TapSighash", TaprootSignatureMsg(*args, **kwargs)) 861 862 def taproot_tree_helper(scripts): 863 if len(scripts) == 0: 864 return ([], bytes()) 865 if len(scripts) == 1: 866 # One entry: treat as a leaf 867 script = scripts[0] 868 assert not callable(script) 869 if isinstance(script, list): 870 return taproot_tree_helper(script) 871 assert isinstance(script, tuple) 872 version = LEAF_VERSION_TAPSCRIPT 873 name = script[0] 874 code = script[1] 875 if len(script) == 3: 876 version = script[2] 877 assert version & 1 == 0 878 assert isinstance(code, bytes) 879 h = TaggedHash("TapLeaf", bytes([version]) + ser_string(code)) 880 if name is None: 881 return ([], h) 882 return ([(name, version, code, bytes(), h)], h) 883 elif len(scripts) == 2 and callable(scripts[1]): 884 # Two entries, and the right one is a function 885 left, left_h = taproot_tree_helper(scripts[0:1]) 886 right_h = scripts[1](left_h) 887 left = [(name, version, script, control + right_h, leaf) for name, version, script, control, leaf in left] 888 right = [] 889 else: 890 # Two or more entries: descend into each side 891 split_pos = len(scripts) // 2 892 left, left_h = taproot_tree_helper(scripts[0:split_pos]) 893 right, right_h = taproot_tree_helper(scripts[split_pos:]) 894 left = [(name, version, script, control + right_h, leaf) for name, version, script, control, leaf in left] 895 right = [(name, version, script, control + left_h, leaf) for name, version, script, control, leaf in right] 896 if right_h < left_h: 897 right_h, left_h = left_h, right_h 898 h = TaggedHash("TapBranch", left_h + right_h) 899 return (left + right, h) 900 901 # A TaprootInfo object has the following fields: 902 # - scriptPubKey: the scriptPubKey (witness v1 CScript) 903 # - internal_pubkey: the internal pubkey (32 bytes) 904 # - negflag: whether the pubkey in the scriptPubKey was negated from internal_pubkey+tweak*G (bool). 905 # - tweak: the tweak (32 bytes) 906 # - leaves: a dict of name -> TaprootLeafInfo objects for all known leaves 907 # - merkle_root: the script tree's Merkle root, or bytes() if no leaves are present 908 TaprootInfo = namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey") 909 910 # A TaprootLeafInfo object has the following fields: 911 # - script: the leaf script (CScript or bytes) 912 # - version: the leaf version (0xc0 for BIP342 tapscript) 913 # - merklebranch: the merkle branch to use for this leaf (32*N bytes) 914 TaprootLeafInfo = namedtuple("TaprootLeafInfo", "script,version,merklebranch,leaf_hash") 915 916 def taproot_construct(pubkey, scripts=None, treat_internal_as_infinity=False): 917 """Construct a tree of Taproot spending conditions 918 919 pubkey: a 32-byte xonly pubkey for the internal pubkey (bytes) 920 scripts: a list of items; each item is either: 921 - a (name, CScript or bytes, leaf version) tuple 922 - a (name, CScript or bytes) tuple (defaulting to leaf version 0xc0) 923 - another list of items (with the same structure) 924 - a list of two items; the first of which is an item itself, and the 925 second is a function. The function takes as input the Merkle root of the 926 first item, and produces a (fictitious) partner to hash with. 927 928 Returns: a TaprootInfo object 929 """ 930 if scripts is None: 931 scripts = [] 932 933 ret, h = taproot_tree_helper(scripts) 934 tweak = TaggedHash("TapTweak", pubkey + h) 935 if treat_internal_as_infinity: 936 tweaked, negated = compute_xonly_pubkey(tweak) 937 else: 938 tweaked, negated = tweak_add_pubkey(pubkey, tweak) 939 leaves = dict((name, TaprootLeafInfo(script, version, merklebranch, leaf)) for name, version, script, merklebranch, leaf in ret) 940 return TaprootInfo(CScript([OP_1, tweaked]), pubkey, negated + 0, tweak, leaves, h, tweaked) 941 942 def is_op_success(o): 943 return o == 0x50 or o == 0x62 or o == 0x89 or o == 0x8a or o == 0x8d or o == 0x8e or (o >= 0x7e and o <= 0x81) or (o >= 0x83 and o <= 0x86) or (o >= 0x95 and o <= 0x99) or (o >= 0xbb and o <= 0xfe)