script.py
1 #!/usr/bin/env python3 2 # Copyright (c) 2015-2022 The Bitcoin Core developers 3 # Distributed under the MIT software license, see the accompanying 4 # file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 """Functionality to build scripts, as well as signature hash functions. 6 7 This file is modified from python-bitcoinlib. 8 """ 9 10 from collections import namedtuple 11 import unittest 12 13 from .key import TaggedHash, tweak_add_pubkey, compute_xonly_pubkey 14 15 from .messages import ( 16 CTransaction, 17 CTxOut, 18 hash256, 19 ser_string, 20 sha256, 21 ) 22 23 from .crypto.ripemd160 import ripemd160 24 25 MAX_SCRIPT_ELEMENT_SIZE = 520 26 MAX_SCRIPT_SIZE = 10000 27 MAX_PUBKEYS_PER_MULTI_A = 999 28 LOCKTIME_THRESHOLD = 500000000 29 ANNEX_TAG = 0x50 30 31 LEAF_VERSION_TAPSCRIPT = 0xc0 32 33 def hash160(s): 34 return ripemd160(sha256(s)) 35 36 def bn2vch(v): 37 """Convert number to bitcoin-specific little endian format.""" 38 # We need v.bit_length() bits, plus a sign bit for every nonzero number. 39 n_bits = v.bit_length() + (v != 0) 40 # The number of bytes for that is: 41 n_bytes = (n_bits + 7) // 8 42 # Convert number to absolute value + sign in top bit. 43 encoded_v = 0 if v == 0 else abs(v) | ((v < 0) << (n_bytes * 8 - 1)) 44 # Serialize to bytes 45 return encoded_v.to_bytes(n_bytes, 'little') 46 47 class CScriptOp(int): 48 """A single script opcode""" 49 __slots__ = () 50 51 @staticmethod 52 def encode_op_pushdata(d): 53 """Encode a PUSHDATA op, returning bytes""" 54 if len(d) < 0x4c: 55 return b'' + bytes([len(d)]) + d # OP_PUSHDATA 56 elif len(d) <= 0xff: 57 return b'\x4c' + bytes([len(d)]) + d # OP_PUSHDATA1 58 elif len(d) <= 0xffff: 59 return b'\x4d' + len(d).to_bytes(2, "little") + d # OP_PUSHDATA2 60 elif len(d) <= 0xffffffff: 61 return b'\x4e' + len(d).to_bytes(4, "little") + d # OP_PUSHDATA4 62 else: 63 raise ValueError("Data too long to encode in a PUSHDATA op") 64 65 @staticmethod 66 def encode_op_n(n): 67 """Encode a small integer op, returning an opcode""" 68 if not (0 <= n <= 16): 69 raise ValueError('Integer must be in range 0 <= n <= 16, got %d' % n) 70 71 if n == 0: 72 return OP_0 73 else: 74 return CScriptOp(OP_1 + n - 1) 75 76 def decode_op_n(self): 77 """Decode a small integer opcode, returning an integer""" 78 if self == OP_0: 79 return 0 80 81 if not (self == OP_0 or OP_1 <= self <= OP_16): 82 raise ValueError('op %r is not an OP_N' % self) 83 84 return int(self - OP_1 + 1) 85 86 def is_small_int(self): 87 """Return true if the op pushes a small integer to the stack""" 88 if 0x51 <= self <= 0x60 or self == 0: 89 return True 90 else: 91 return False 92 93 def __str__(self): 94 return repr(self) 95 96 def __repr__(self): 97 if self in OPCODE_NAMES: 98 return OPCODE_NAMES[self] 99 else: 100 return 'CScriptOp(0x%x)' % self 101 102 def __new__(cls, n): 103 try: 104 return _opcode_instances[n] 105 except IndexError: 106 assert len(_opcode_instances) == n 107 _opcode_instances.append(super().__new__(cls, n)) 108 return _opcode_instances[n] 109 110 OPCODE_NAMES: dict[CScriptOp, str] = {} 111 _opcode_instances: list[CScriptOp] = [] 112 113 # Populate opcode instance table 114 for n in range(0xff + 1): 115 CScriptOp(n) 116 117 118 # push value 119 OP_0 = CScriptOp(0x00) 120 OP_FALSE = OP_0 121 OP_PUSHDATA1 = CScriptOp(0x4c) 122 OP_PUSHDATA2 = CScriptOp(0x4d) 123 OP_PUSHDATA4 = CScriptOp(0x4e) 124 OP_1NEGATE = CScriptOp(0x4f) 125 OP_RESERVED = CScriptOp(0x50) 126 OP_1 = CScriptOp(0x51) 127 OP_TRUE = OP_1 128 OP_2 = CScriptOp(0x52) 129 OP_3 = CScriptOp(0x53) 130 OP_4 = CScriptOp(0x54) 131 OP_5 = CScriptOp(0x55) 132 OP_6 = CScriptOp(0x56) 133 OP_7 = CScriptOp(0x57) 134 OP_8 = CScriptOp(0x58) 135 OP_9 = CScriptOp(0x59) 136 OP_10 = CScriptOp(0x5a) 137 OP_11 = CScriptOp(0x5b) 138 OP_12 = CScriptOp(0x5c) 139 OP_13 = CScriptOp(0x5d) 140 OP_14 = CScriptOp(0x5e) 141 OP_15 = CScriptOp(0x5f) 142 OP_16 = CScriptOp(0x60) 143 144 # control 145 OP_NOP = CScriptOp(0x61) 146 OP_VER = CScriptOp(0x62) 147 OP_IF = CScriptOp(0x63) 148 OP_NOTIF = CScriptOp(0x64) 149 OP_VERIF = CScriptOp(0x65) 150 OP_VERNOTIF = CScriptOp(0x66) 151 OP_ELSE = CScriptOp(0x67) 152 OP_ENDIF = CScriptOp(0x68) 153 OP_VERIFY = CScriptOp(0x69) 154 OP_RETURN = CScriptOp(0x6a) 155 156 # stack ops 157 OP_TOALTSTACK = CScriptOp(0x6b) 158 OP_FROMALTSTACK = CScriptOp(0x6c) 159 OP_2DROP = CScriptOp(0x6d) 160 OP_2DUP = CScriptOp(0x6e) 161 OP_3DUP = CScriptOp(0x6f) 162 OP_2OVER = CScriptOp(0x70) 163 OP_2ROT = CScriptOp(0x71) 164 OP_2SWAP = CScriptOp(0x72) 165 OP_IFDUP = CScriptOp(0x73) 166 OP_DEPTH = CScriptOp(0x74) 167 OP_DROP = CScriptOp(0x75) 168 OP_DUP = CScriptOp(0x76) 169 OP_NIP = CScriptOp(0x77) 170 OP_OVER = CScriptOp(0x78) 171 OP_PICK = CScriptOp(0x79) 172 OP_ROLL = CScriptOp(0x7a) 173 OP_ROT = CScriptOp(0x7b) 174 OP_SWAP = CScriptOp(0x7c) 175 OP_TUCK = CScriptOp(0x7d) 176 177 # splice ops 178 OP_CAT = CScriptOp(0x7e) 179 OP_SUBSTR = CScriptOp(0x7f) 180 OP_LEFT = CScriptOp(0x80) 181 OP_RIGHT = CScriptOp(0x81) 182 OP_SIZE = CScriptOp(0x82) 183 184 # bit logic 185 OP_INVERT = CScriptOp(0x83) 186 OP_AND = CScriptOp(0x84) 187 OP_OR = CScriptOp(0x85) 188 OP_XOR = CScriptOp(0x86) 189 OP_EQUAL = CScriptOp(0x87) 190 OP_EQUALVERIFY = CScriptOp(0x88) 191 OP_RESERVED1 = CScriptOp(0x89) 192 OP_RESERVED2 = CScriptOp(0x8a) 193 194 # numeric 195 OP_1ADD = CScriptOp(0x8b) 196 OP_1SUB = CScriptOp(0x8c) 197 OP_2MUL = CScriptOp(0x8d) 198 OP_2DIV = CScriptOp(0x8e) 199 OP_NEGATE = CScriptOp(0x8f) 200 OP_ABS = CScriptOp(0x90) 201 OP_NOT = CScriptOp(0x91) 202 OP_0NOTEQUAL = CScriptOp(0x92) 203 204 OP_ADD = CScriptOp(0x93) 205 OP_SUB = CScriptOp(0x94) 206 OP_MUL = CScriptOp(0x95) 207 OP_DIV = CScriptOp(0x96) 208 OP_MOD = CScriptOp(0x97) 209 OP_LSHIFT = CScriptOp(0x98) 210 OP_RSHIFT = CScriptOp(0x99) 211 212 OP_BOOLAND = CScriptOp(0x9a) 213 OP_BOOLOR = CScriptOp(0x9b) 214 OP_NUMEQUAL = CScriptOp(0x9c) 215 OP_NUMEQUALVERIFY = CScriptOp(0x9d) 216 OP_NUMNOTEQUAL = CScriptOp(0x9e) 217 OP_LESSTHAN = CScriptOp(0x9f) 218 OP_GREATERTHAN = CScriptOp(0xa0) 219 OP_LESSTHANOREQUAL = CScriptOp(0xa1) 220 OP_GREATERTHANOREQUAL = CScriptOp(0xa2) 221 OP_MIN = CScriptOp(0xa3) 222 OP_MAX = CScriptOp(0xa4) 223 224 OP_WITHIN = CScriptOp(0xa5) 225 226 # crypto 227 OP_RIPEMD160 = CScriptOp(0xa6) 228 OP_SHA1 = CScriptOp(0xa7) 229 OP_SHA256 = CScriptOp(0xa8) 230 OP_HASH160 = CScriptOp(0xa9) 231 OP_HASH256 = CScriptOp(0xaa) 232 OP_CODESEPARATOR = CScriptOp(0xab) 233 OP_CHECKSIG = CScriptOp(0xac) 234 OP_CHECKSIGVERIFY = CScriptOp(0xad) 235 OP_CHECKMULTISIG = CScriptOp(0xae) 236 OP_CHECKMULTISIGVERIFY = CScriptOp(0xaf) 237 238 # expansion 239 OP_NOP1 = CScriptOp(0xb0) 240 OP_CHECKLOCKTIMEVERIFY = CScriptOp(0xb1) 241 OP_CHECKSEQUENCEVERIFY = CScriptOp(0xb2) 242 OP_NOP4 = CScriptOp(0xb3) 243 OP_NOP5 = CScriptOp(0xb4) 244 OP_NOP6 = CScriptOp(0xb5) 245 OP_NOP7 = CScriptOp(0xb6) 246 OP_NOP8 = CScriptOp(0xb7) 247 OP_NOP9 = CScriptOp(0xb8) 248 OP_NOP10 = CScriptOp(0xb9) 249 250 # BIP 342 opcodes (Tapscript) 251 OP_CHECKSIGADD = CScriptOp(0xba) 252 253 OP_INVALIDOPCODE = CScriptOp(0xff) 254 255 OPCODE_NAMES.update({ 256 OP_0: 'OP_0', 257 OP_PUSHDATA1: 'OP_PUSHDATA1', 258 OP_PUSHDATA2: 'OP_PUSHDATA2', 259 OP_PUSHDATA4: 'OP_PUSHDATA4', 260 OP_1NEGATE: 'OP_1NEGATE', 261 OP_RESERVED: 'OP_RESERVED', 262 OP_1: 'OP_1', 263 OP_2: 'OP_2', 264 OP_3: 'OP_3', 265 OP_4: 'OP_4', 266 OP_5: 'OP_5', 267 OP_6: 'OP_6', 268 OP_7: 'OP_7', 269 OP_8: 'OP_8', 270 OP_9: 'OP_9', 271 OP_10: 'OP_10', 272 OP_11: 'OP_11', 273 OP_12: 'OP_12', 274 OP_13: 'OP_13', 275 OP_14: 'OP_14', 276 OP_15: 'OP_15', 277 OP_16: 'OP_16', 278 OP_NOP: 'OP_NOP', 279 OP_VER: 'OP_VER', 280 OP_IF: 'OP_IF', 281 OP_NOTIF: 'OP_NOTIF', 282 OP_VERIF: 'OP_VERIF', 283 OP_VERNOTIF: 'OP_VERNOTIF', 284 OP_ELSE: 'OP_ELSE', 285 OP_ENDIF: 'OP_ENDIF', 286 OP_VERIFY: 'OP_VERIFY', 287 OP_RETURN: 'OP_RETURN', 288 OP_TOALTSTACK: 'OP_TOALTSTACK', 289 OP_FROMALTSTACK: 'OP_FROMALTSTACK', 290 OP_2DROP: 'OP_2DROP', 291 OP_2DUP: 'OP_2DUP', 292 OP_3DUP: 'OP_3DUP', 293 OP_2OVER: 'OP_2OVER', 294 OP_2ROT: 'OP_2ROT', 295 OP_2SWAP: 'OP_2SWAP', 296 OP_IFDUP: 'OP_IFDUP', 297 OP_DEPTH: 'OP_DEPTH', 298 OP_DROP: 'OP_DROP', 299 OP_DUP: 'OP_DUP', 300 OP_NIP: 'OP_NIP', 301 OP_OVER: 'OP_OVER', 302 OP_PICK: 'OP_PICK', 303 OP_ROLL: 'OP_ROLL', 304 OP_ROT: 'OP_ROT', 305 OP_SWAP: 'OP_SWAP', 306 OP_TUCK: 'OP_TUCK', 307 OP_CAT: 'OP_CAT', 308 OP_SUBSTR: 'OP_SUBSTR', 309 OP_LEFT: 'OP_LEFT', 310 OP_RIGHT: 'OP_RIGHT', 311 OP_SIZE: 'OP_SIZE', 312 OP_INVERT: 'OP_INVERT', 313 OP_AND: 'OP_AND', 314 OP_OR: 'OP_OR', 315 OP_XOR: 'OP_XOR', 316 OP_EQUAL: 'OP_EQUAL', 317 OP_EQUALVERIFY: 'OP_EQUALVERIFY', 318 OP_RESERVED1: 'OP_RESERVED1', 319 OP_RESERVED2: 'OP_RESERVED2', 320 OP_1ADD: 'OP_1ADD', 321 OP_1SUB: 'OP_1SUB', 322 OP_2MUL: 'OP_2MUL', 323 OP_2DIV: 'OP_2DIV', 324 OP_NEGATE: 'OP_NEGATE', 325 OP_ABS: 'OP_ABS', 326 OP_NOT: 'OP_NOT', 327 OP_0NOTEQUAL: 'OP_0NOTEQUAL', 328 OP_ADD: 'OP_ADD', 329 OP_SUB: 'OP_SUB', 330 OP_MUL: 'OP_MUL', 331 OP_DIV: 'OP_DIV', 332 OP_MOD: 'OP_MOD', 333 OP_LSHIFT: 'OP_LSHIFT', 334 OP_RSHIFT: 'OP_RSHIFT', 335 OP_BOOLAND: 'OP_BOOLAND', 336 OP_BOOLOR: 'OP_BOOLOR', 337 OP_NUMEQUAL: 'OP_NUMEQUAL', 338 OP_NUMEQUALVERIFY: 'OP_NUMEQUALVERIFY', 339 OP_NUMNOTEQUAL: 'OP_NUMNOTEQUAL', 340 OP_LESSTHAN: 'OP_LESSTHAN', 341 OP_GREATERTHAN: 'OP_GREATERTHAN', 342 OP_LESSTHANOREQUAL: 'OP_LESSTHANOREQUAL', 343 OP_GREATERTHANOREQUAL: 'OP_GREATERTHANOREQUAL', 344 OP_MIN: 'OP_MIN', 345 OP_MAX: 'OP_MAX', 346 OP_WITHIN: 'OP_WITHIN', 347 OP_RIPEMD160: 'OP_RIPEMD160', 348 OP_SHA1: 'OP_SHA1', 349 OP_SHA256: 'OP_SHA256', 350 OP_HASH160: 'OP_HASH160', 351 OP_HASH256: 'OP_HASH256', 352 OP_CODESEPARATOR: 'OP_CODESEPARATOR', 353 OP_CHECKSIG: 'OP_CHECKSIG', 354 OP_CHECKSIGVERIFY: 'OP_CHECKSIGVERIFY', 355 OP_CHECKMULTISIG: 'OP_CHECKMULTISIG', 356 OP_CHECKMULTISIGVERIFY: 'OP_CHECKMULTISIGVERIFY', 357 OP_NOP1: 'OP_NOP1', 358 OP_CHECKLOCKTIMEVERIFY: 'OP_CHECKLOCKTIMEVERIFY', 359 OP_CHECKSEQUENCEVERIFY: 'OP_CHECKSEQUENCEVERIFY', 360 OP_NOP4: 'OP_NOP4', 361 OP_NOP5: 'OP_NOP5', 362 OP_NOP6: 'OP_NOP6', 363 OP_NOP7: 'OP_NOP7', 364 OP_NOP8: 'OP_NOP8', 365 OP_NOP9: 'OP_NOP9', 366 OP_NOP10: 'OP_NOP10', 367 OP_CHECKSIGADD: 'OP_CHECKSIGADD', 368 OP_INVALIDOPCODE: 'OP_INVALIDOPCODE', 369 }) 370 371 class CScriptInvalidError(Exception): 372 """Base class for CScript exceptions""" 373 pass 374 375 class CScriptTruncatedPushDataError(CScriptInvalidError): 376 """Invalid pushdata due to truncation""" 377 def __init__(self, msg, data): 378 self.data = data 379 super().__init__(msg) 380 381 382 # This is used, eg, for blockchain heights in coinbase scripts (bip34) 383 class CScriptNum: 384 __slots__ = ("value",) 385 386 def __init__(self, d=0): 387 self.value = d 388 389 @staticmethod 390 def encode(obj): 391 r = bytearray(0) 392 if obj.value == 0: 393 return bytes(r) 394 neg = obj.value < 0 395 absvalue = -obj.value if neg else obj.value 396 while (absvalue): 397 r.append(absvalue & 0xff) 398 absvalue >>= 8 399 if r[-1] & 0x80: 400 r.append(0x80 if neg else 0) 401 elif neg: 402 r[-1] |= 0x80 403 return bytes([len(r)]) + r 404 405 @staticmethod 406 def decode(vch): 407 result = 0 408 # We assume valid push_size and minimal encoding 409 value = vch[1:] 410 if len(value) == 0: 411 return result 412 for i, byte in enumerate(value): 413 result |= int(byte) << 8 * i 414 if value[-1] >= 0x80: 415 # Mask for all but the highest result bit 416 num_mask = (2**(len(value) * 8) - 1) >> 1 417 result &= num_mask 418 result *= -1 419 return result 420 421 422 class CScript(bytes): 423 """Serialized script 424 425 A bytes subclass, so you can use this directly whenever bytes are accepted. 426 Note that this means that indexing does *not* work - you'll get an index by 427 byte rather than opcode. This format was chosen for efficiency so that the 428 general case would not require creating a lot of little CScriptOP objects. 429 430 iter(script) however does iterate by opcode. 431 """ 432 __slots__ = () 433 434 @classmethod 435 def __coerce_instance(cls, other): 436 # Coerce other into bytes 437 if isinstance(other, CScriptOp): 438 other = bytes([other]) 439 elif isinstance(other, CScriptNum): 440 if (other.value == 0): 441 other = bytes([CScriptOp(OP_0)]) 442 else: 443 other = CScriptNum.encode(other) 444 elif isinstance(other, int): 445 if 0 <= other <= 16: 446 other = bytes([CScriptOp.encode_op_n(other)]) 447 elif other == -1: 448 other = bytes([OP_1NEGATE]) 449 else: 450 other = CScriptOp.encode_op_pushdata(bn2vch(other)) 451 elif isinstance(other, (bytes, bytearray)): 452 other = CScriptOp.encode_op_pushdata(other) 453 return other 454 455 def __add__(self, other): 456 # add makes no sense for a CScript() 457 raise NotImplementedError 458 459 def join(self, iterable): 460 # join makes no sense for a CScript() 461 raise NotImplementedError 462 463 def __new__(cls, value=b''): 464 if isinstance(value, bytes) or isinstance(value, bytearray): 465 return super().__new__(cls, value) 466 else: 467 def coerce_iterable(iterable): 468 for instance in iterable: 469 yield cls.__coerce_instance(instance) 470 # Annoyingly on both python2 and python3 bytes.join() always 471 # returns a bytes instance even when subclassed. 472 return super().__new__(cls, b''.join(coerce_iterable(value))) 473 474 def raw_iter(self): 475 """Raw iteration 476 477 Yields tuples of (opcode, data, sop_idx) so that the different possible 478 PUSHDATA encodings can be accurately distinguished, as well as 479 determining the exact opcode byte indexes. (sop_idx) 480 """ 481 i = 0 482 while i < len(self): 483 sop_idx = i 484 opcode = CScriptOp(self[i]) 485 i += 1 486 487 if opcode > OP_PUSHDATA4: 488 yield (opcode, None, sop_idx) 489 else: 490 datasize = None 491 pushdata_type = None 492 if opcode < OP_PUSHDATA1: 493 pushdata_type = 'PUSHDATA(%d)' % opcode 494 datasize = opcode 495 496 elif opcode == OP_PUSHDATA1: 497 pushdata_type = 'PUSHDATA1' 498 if i >= len(self): 499 raise CScriptInvalidError('PUSHDATA1: missing data length') 500 datasize = self[i] 501 i += 1 502 503 elif opcode == OP_PUSHDATA2: 504 pushdata_type = 'PUSHDATA2' 505 if i + 1 >= len(self): 506 raise CScriptInvalidError('PUSHDATA2: missing data length') 507 datasize = self[i] + (self[i + 1] << 8) 508 i += 2 509 510 elif opcode == OP_PUSHDATA4: 511 pushdata_type = 'PUSHDATA4' 512 if i + 3 >= len(self): 513 raise CScriptInvalidError('PUSHDATA4: missing data length') 514 datasize = self[i] + (self[i + 1] << 8) + (self[i + 2] << 16) + (self[i + 3] << 24) 515 i += 4 516 517 else: 518 assert False # shouldn't happen 519 520 data = bytes(self[i:i + datasize]) 521 522 # Check for truncation 523 if len(data) < datasize: 524 raise CScriptTruncatedPushDataError('%s: truncated data' % pushdata_type, data) 525 526 i += datasize 527 528 yield (opcode, data, sop_idx) 529 530 def __iter__(self): 531 """'Cooked' iteration 532 533 Returns either a CScriptOP instance, an integer, or bytes, as 534 appropriate. 535 536 See raw_iter() if you need to distinguish the different possible 537 PUSHDATA encodings. 538 """ 539 for (opcode, data, sop_idx) in self.raw_iter(): 540 if data is not None: 541 yield data 542 else: 543 opcode = CScriptOp(opcode) 544 545 if opcode.is_small_int(): 546 yield opcode.decode_op_n() 547 else: 548 yield CScriptOp(opcode) 549 550 def __repr__(self): 551 def _repr(o): 552 if isinstance(o, bytes): 553 return "x('%s')" % o.hex() 554 else: 555 return repr(o) 556 557 ops = [] 558 i = iter(self) 559 while True: 560 op = None 561 try: 562 op = _repr(next(i)) 563 except CScriptTruncatedPushDataError as err: 564 op = '%s...<ERROR: %s>' % (_repr(err.data), err) 565 break 566 except CScriptInvalidError as err: 567 op = '<ERROR: %s>' % err 568 break 569 except StopIteration: 570 break 571 finally: 572 if op is not None: 573 ops.append(op) 574 575 return "CScript([%s])" % ', '.join(ops) 576 577 def GetSigOpCount(self, fAccurate): 578 """Get the SigOp count. 579 580 fAccurate - Accurately count CHECKMULTISIG, see BIP16 for details. 581 582 Note that this is consensus-critical. 583 """ 584 n = 0 585 lastOpcode = OP_INVALIDOPCODE 586 for (opcode, data, sop_idx) in self.raw_iter(): 587 if opcode in (OP_CHECKSIG, OP_CHECKSIGVERIFY): 588 n += 1 589 elif opcode in (OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY): 590 if fAccurate and (OP_1 <= lastOpcode <= OP_16): 591 n += lastOpcode.decode_op_n() 592 else: 593 n += 20 594 lastOpcode = opcode 595 return n 596 597 def IsWitnessProgram(self): 598 """A witness program is any valid CScript that consists of a 1-byte 599 push opcode followed by a data push between 2 and 40 bytes.""" 600 return ((4 <= len(self) <= 42) and 601 (self[0] == OP_0 or (OP_1 <= self[0] <= OP_16)) and 602 (self[1] + 2 == len(self))) 603 604 605 SIGHASH_DEFAULT = 0 # Taproot-only default, semantics same as SIGHASH_ALL 606 SIGHASH_ALL = 1 607 SIGHASH_NONE = 2 608 SIGHASH_SINGLE = 3 609 SIGHASH_ANYONECANPAY = 0x80 610 611 def FindAndDelete(script, sig): 612 """Consensus critical, see FindAndDelete() in Satoshi codebase""" 613 r = b'' 614 last_sop_idx = sop_idx = 0 615 skip = True 616 for (opcode, data, sop_idx) in script.raw_iter(): 617 if not skip: 618 r += script[last_sop_idx:sop_idx] 619 last_sop_idx = sop_idx 620 if script[sop_idx:sop_idx + len(sig)] == sig: 621 skip = True 622 else: 623 skip = False 624 if not skip: 625 r += script[last_sop_idx:] 626 return CScript(r) 627 628 def LegacySignatureMsg(script, txTo, inIdx, hashtype): 629 """Preimage of the signature hash, if it exists. 630 631 Returns either (None, err) to indicate error (which translates to sighash 1), 632 or (msg, None). 633 """ 634 635 if inIdx >= len(txTo.vin): 636 return (None, "inIdx %d out of range (%d)" % (inIdx, len(txTo.vin))) 637 txtmp = CTransaction(txTo) 638 639 for txin in txtmp.vin: 640 txin.scriptSig = b'' 641 txtmp.vin[inIdx].scriptSig = FindAndDelete(script, CScript([OP_CODESEPARATOR])) 642 643 if (hashtype & 0x1f) == SIGHASH_NONE: 644 txtmp.vout = [] 645 646 for i in range(len(txtmp.vin)): 647 if i != inIdx: 648 txtmp.vin[i].nSequence = 0 649 650 elif (hashtype & 0x1f) == SIGHASH_SINGLE: 651 outIdx = inIdx 652 if outIdx >= len(txtmp.vout): 653 return (None, "outIdx %d out of range (%d)" % (outIdx, len(txtmp.vout))) 654 655 tmp = txtmp.vout[outIdx] 656 txtmp.vout = [] 657 for _ in range(outIdx): 658 txtmp.vout.append(CTxOut(-1)) 659 txtmp.vout.append(tmp) 660 661 for i in range(len(txtmp.vin)): 662 if i != inIdx: 663 txtmp.vin[i].nSequence = 0 664 665 if hashtype & SIGHASH_ANYONECANPAY: 666 tmp = txtmp.vin[inIdx] 667 txtmp.vin = [] 668 txtmp.vin.append(tmp) 669 670 s = txtmp.serialize_without_witness() 671 s += hashtype.to_bytes(4, "little") 672 673 return (s, None) 674 675 def LegacySignatureHash(*args, **kwargs): 676 """Consensus-correct SignatureHash 677 678 Returns (hash, err) to precisely match the consensus-critical behavior of 679 the SIGHASH_SINGLE bug. (inIdx is *not* checked for validity) 680 """ 681 682 HASH_ONE = b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' 683 msg, err = LegacySignatureMsg(*args, **kwargs) 684 if msg is None: 685 return (HASH_ONE, err) 686 else: 687 return (hash256(msg), err) 688 689 def sign_input_legacy(tx, input_index, input_scriptpubkey, privkey, sighash_type=SIGHASH_ALL): 690 """Add legacy ECDSA signature for a given transaction input. Note that the signature 691 is prepended to the scriptSig field, i.e. additional data pushes necessary for more 692 complex spends than P2PK (e.g. pubkey for P2PKH) can be already set before.""" 693 (sighash, err) = LegacySignatureHash(input_scriptpubkey, tx, input_index, sighash_type) 694 assert err is None 695 der_sig = privkey.sign_ecdsa(sighash) 696 tx.vin[input_index].scriptSig = bytes(CScript([der_sig + bytes([sighash_type])])) + tx.vin[input_index].scriptSig 697 698 def sign_input_segwitv0(tx, input_index, input_scriptpubkey, input_amount, privkey, sighash_type=SIGHASH_ALL): 699 """Add segwitv0 ECDSA signature for a given transaction input. Note that the signature 700 is inserted at the bottom of the witness stack, i.e. additional witness data 701 needed (e.g. pubkey for P2WPKH) can already be set before.""" 702 sighash = SegwitV0SignatureHash(input_scriptpubkey, tx, input_index, sighash_type, input_amount) 703 der_sig = privkey.sign_ecdsa(sighash) 704 tx.wit.vtxinwit[input_index].scriptWitness.stack.insert(0, der_sig + bytes([sighash_type])) 705 706 # TODO: Allow cached hashPrevouts/hashSequence/hashOutputs to be provided. 707 # Performance optimization probably not necessary for python tests, however. 708 # Note that this corresponds to sigversion == 1 in EvalScript, which is used 709 # for version 0 witnesses. 710 def SegwitV0SignatureMsg(script, txTo, inIdx, hashtype, amount): 711 ZERO_HASH = bytes([0]*32) 712 713 hashPrevouts = ZERO_HASH 714 hashSequence = ZERO_HASH 715 hashOutputs = ZERO_HASH 716 717 if not (hashtype & SIGHASH_ANYONECANPAY): 718 serialize_prevouts = bytes() 719 for i in txTo.vin: 720 serialize_prevouts += i.prevout.serialize() 721 hashPrevouts = hash256(serialize_prevouts) 722 723 if (not (hashtype & SIGHASH_ANYONECANPAY) and (hashtype & 0x1f) != SIGHASH_SINGLE and (hashtype & 0x1f) != SIGHASH_NONE): 724 serialize_sequence = bytes() 725 for i in txTo.vin: 726 serialize_sequence += i.nSequence.to_bytes(4, "little") 727 hashSequence = hash256(serialize_sequence) 728 729 if ((hashtype & 0x1f) != SIGHASH_SINGLE and (hashtype & 0x1f) != SIGHASH_NONE): 730 serialize_outputs = bytes() 731 for o in txTo.vout: 732 serialize_outputs += o.serialize() 733 hashOutputs = hash256(serialize_outputs) 734 elif ((hashtype & 0x1f) == SIGHASH_SINGLE and inIdx < len(txTo.vout)): 735 serialize_outputs = txTo.vout[inIdx].serialize() 736 hashOutputs = hash256(serialize_outputs) 737 738 ss = bytes() 739 ss += txTo.version.to_bytes(4, "little") 740 ss += hashPrevouts 741 ss += hashSequence 742 ss += txTo.vin[inIdx].prevout.serialize() 743 ss += ser_string(script) 744 ss += amount.to_bytes(8, "little", signed=True) 745 ss += txTo.vin[inIdx].nSequence.to_bytes(4, "little") 746 ss += hashOutputs 747 ss += txTo.nLockTime.to_bytes(4, "little") 748 ss += hashtype.to_bytes(4, "little") 749 return ss 750 751 def SegwitV0SignatureHash(*args, **kwargs): 752 return hash256(SegwitV0SignatureMsg(*args, **kwargs)) 753 754 class TestFrameworkScript(unittest.TestCase): 755 def test_bn2vch(self): 756 self.assertEqual(bn2vch(0), bytes([])) 757 self.assertEqual(bn2vch(1), bytes([0x01])) 758 self.assertEqual(bn2vch(-1), bytes([0x81])) 759 self.assertEqual(bn2vch(0x7F), bytes([0x7F])) 760 self.assertEqual(bn2vch(-0x7F), bytes([0xFF])) 761 self.assertEqual(bn2vch(0x80), bytes([0x80, 0x00])) 762 self.assertEqual(bn2vch(-0x80), bytes([0x80, 0x80])) 763 self.assertEqual(bn2vch(0xFF), bytes([0xFF, 0x00])) 764 self.assertEqual(bn2vch(-0xFF), bytes([0xFF, 0x80])) 765 self.assertEqual(bn2vch(0x100), bytes([0x00, 0x01])) 766 self.assertEqual(bn2vch(-0x100), bytes([0x00, 0x81])) 767 self.assertEqual(bn2vch(0x7FFF), bytes([0xFF, 0x7F])) 768 self.assertEqual(bn2vch(-0x8000), bytes([0x00, 0x80, 0x80])) 769 self.assertEqual(bn2vch(-0x7FFFFF), bytes([0xFF, 0xFF, 0xFF])) 770 self.assertEqual(bn2vch(0x80000000), bytes([0x00, 0x00, 0x00, 0x80, 0x00])) 771 self.assertEqual(bn2vch(-0x80000000), bytes([0x00, 0x00, 0x00, 0x80, 0x80])) 772 self.assertEqual(bn2vch(0xFFFFFFFF), bytes([0xFF, 0xFF, 0xFF, 0xFF, 0x00])) 773 self.assertEqual(bn2vch(123456789), bytes([0x15, 0xCD, 0x5B, 0x07])) 774 self.assertEqual(bn2vch(-54321), bytes([0x31, 0xD4, 0x80])) 775 776 def test_cscriptnum_encoding(self): 777 # round-trip negative and multi-byte CScriptNums 778 values = [0, 1, -1, -2, 127, 128, -255, 256, (1 << 15) - 1, -(1 << 16), (1 << 24) - 1, (1 << 31), 1 - (1 << 32), 1 << 40, 1500, -1500] 779 for value in values: 780 self.assertEqual(CScriptNum.decode(CScriptNum.encode(CScriptNum(value))), value) 781 782 def test_legacy_sigopcount(self): 783 # test repeated single sig ops 784 for n_ops in range(1, 100, 10): 785 for singlesig_op in (OP_CHECKSIG, OP_CHECKSIGVERIFY): 786 singlesigs_script = CScript([singlesig_op]*n_ops) 787 self.assertEqual(singlesigs_script.GetSigOpCount(fAccurate=False), n_ops) 788 self.assertEqual(singlesigs_script.GetSigOpCount(fAccurate=True), n_ops) 789 # test multisig op (including accurate counting, i.e. BIP16) 790 for n in range(1, 16+1): 791 for multisig_op in (OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY): 792 multisig_script = CScript([CScriptOp.encode_op_n(n), multisig_op]) 793 self.assertEqual(multisig_script.GetSigOpCount(fAccurate=False), 20) 794 self.assertEqual(multisig_script.GetSigOpCount(fAccurate=True), n) 795 796 def BIP341_sha_prevouts(txTo): 797 return sha256(b"".join(i.prevout.serialize() for i in txTo.vin)) 798 799 def BIP341_sha_amounts(spent_utxos): 800 return sha256(b"".join(u.nValue.to_bytes(8, "little", signed=True) for u in spent_utxos)) 801 802 def BIP341_sha_scriptpubkeys(spent_utxos): 803 return sha256(b"".join(ser_string(u.scriptPubKey) for u in spent_utxos)) 804 805 def BIP341_sha_sequences(txTo): 806 return sha256(b"".join(i.nSequence.to_bytes(4, "little") for i in txTo.vin)) 807 808 def BIP341_sha_outputs(txTo): 809 return sha256(b"".join(o.serialize() for o in txTo.vout)) 810 811 def TaprootSignatureMsg(txTo, spent_utxos, hash_type, input_index=0, *, scriptpath=False, leaf_script=None, codeseparator_pos=-1, annex=None, leaf_ver=LEAF_VERSION_TAPSCRIPT): 812 assert (len(txTo.vin) == len(spent_utxos)) 813 assert (input_index < len(txTo.vin)) 814 out_type = SIGHASH_ALL if hash_type == 0 else hash_type & 3 815 in_type = hash_type & SIGHASH_ANYONECANPAY 816 spk = spent_utxos[input_index].scriptPubKey 817 ss = bytes([0, hash_type]) # epoch, hash_type 818 ss += txTo.version.to_bytes(4, "little") 819 ss += txTo.nLockTime.to_bytes(4, "little") 820 if in_type != SIGHASH_ANYONECANPAY: 821 ss += BIP341_sha_prevouts(txTo) 822 ss += BIP341_sha_amounts(spent_utxos) 823 ss += BIP341_sha_scriptpubkeys(spent_utxos) 824 ss += BIP341_sha_sequences(txTo) 825 if out_type == SIGHASH_ALL: 826 ss += BIP341_sha_outputs(txTo) 827 spend_type = 0 828 if annex is not None: 829 spend_type |= 1 830 if scriptpath: 831 spend_type |= 2 832 ss += bytes([spend_type]) 833 if in_type == SIGHASH_ANYONECANPAY: 834 ss += txTo.vin[input_index].prevout.serialize() 835 ss += spent_utxos[input_index].nValue.to_bytes(8, "little", signed=True) 836 ss += ser_string(spk) 837 ss += txTo.vin[input_index].nSequence.to_bytes(4, "little") 838 else: 839 ss += input_index.to_bytes(4, "little") 840 if (spend_type & 1): 841 ss += sha256(ser_string(annex)) 842 if out_type == SIGHASH_SINGLE: 843 if input_index < len(txTo.vout): 844 ss += sha256(txTo.vout[input_index].serialize()) 845 else: 846 ss += bytes(0 for _ in range(32)) 847 if scriptpath: 848 ss += TaggedHash("TapLeaf", bytes([leaf_ver]) + ser_string(leaf_script)) 849 ss += bytes([0]) 850 ss += codeseparator_pos.to_bytes(4, "little", signed=False) 851 assert len(ss) == 175 - (in_type == SIGHASH_ANYONECANPAY) * 49 - (out_type != SIGHASH_ALL and out_type != SIGHASH_SINGLE) * 32 + (annex is not None) * 32 + scriptpath * 37 852 return ss 853 854 def TaprootSignatureHash(*args, **kwargs): 855 return TaggedHash("TapSighash", TaprootSignatureMsg(*args, **kwargs)) 856 857 def taproot_tree_helper(scripts): 858 if len(scripts) == 0: 859 return ([], bytes()) 860 if len(scripts) == 1: 861 # One entry: treat as a leaf 862 script = scripts[0] 863 assert not callable(script) 864 if isinstance(script, list): 865 return taproot_tree_helper(script) 866 assert isinstance(script, tuple) 867 version = LEAF_VERSION_TAPSCRIPT 868 name = script[0] 869 code = script[1] 870 if len(script) == 3: 871 version = script[2] 872 assert version & 1 == 0 873 assert isinstance(code, bytes) 874 h = TaggedHash("TapLeaf", bytes([version]) + ser_string(code)) 875 if name is None: 876 return ([], h) 877 return ([(name, version, code, bytes(), h)], h) 878 elif len(scripts) == 2 and callable(scripts[1]): 879 # Two entries, and the right one is a function 880 left, left_h = taproot_tree_helper(scripts[0:1]) 881 right_h = scripts[1](left_h) 882 left = [(name, version, script, control + right_h, leaf) for name, version, script, control, leaf in left] 883 right = [] 884 else: 885 # Two or more entries: descend into each side 886 split_pos = len(scripts) // 2 887 left, left_h = taproot_tree_helper(scripts[0:split_pos]) 888 right, right_h = taproot_tree_helper(scripts[split_pos:]) 889 left = [(name, version, script, control + right_h, leaf) for name, version, script, control, leaf in left] 890 right = [(name, version, script, control + left_h, leaf) for name, version, script, control, leaf in right] 891 if right_h < left_h: 892 right_h, left_h = left_h, right_h 893 h = TaggedHash("TapBranch", left_h + right_h) 894 return (left + right, h) 895 896 # A TaprootInfo object has the following fields: 897 # - scriptPubKey: the scriptPubKey (witness v1 CScript) 898 # - internal_pubkey: the internal pubkey (32 bytes) 899 # - negflag: whether the pubkey in the scriptPubKey was negated from internal_pubkey+tweak*G (bool). 900 # - tweak: the tweak (32 bytes) 901 # - leaves: a dict of name -> TaprootLeafInfo objects for all known leaves 902 # - merkle_root: the script tree's Merkle root, or bytes() if no leaves are present 903 TaprootInfo = namedtuple("TaprootInfo", "scriptPubKey,internal_pubkey,negflag,tweak,leaves,merkle_root,output_pubkey") 904 905 # A TaprootLeafInfo object has the following fields: 906 # - script: the leaf script (CScript or bytes) 907 # - version: the leaf version (0xc0 for BIP342 tapscript) 908 # - merklebranch: the merkle branch to use for this leaf (32*N bytes) 909 TaprootLeafInfo = namedtuple("TaprootLeafInfo", "script,version,merklebranch,leaf_hash") 910 911 def taproot_construct(pubkey, scripts=None, treat_internal_as_infinity=False): 912 """Construct a tree of Taproot spending conditions 913 914 pubkey: a 32-byte xonly pubkey for the internal pubkey (bytes) 915 scripts: a list of items; each item is either: 916 - a (name, CScript or bytes, leaf version) tuple 917 - a (name, CScript or bytes) tuple (defaulting to leaf version 0xc0) 918 - another list of items (with the same structure) 919 - a list of two items; the first of which is an item itself, and the 920 second is a function. The function takes as input the Merkle root of the 921 first item, and produces a (fictitious) partner to hash with. 922 923 Returns: a TaprootInfo object 924 """ 925 if scripts is None: 926 scripts = [] 927 928 ret, h = taproot_tree_helper(scripts) 929 tweak = TaggedHash("TapTweak", pubkey + h) 930 if treat_internal_as_infinity: 931 tweaked, negated = compute_xonly_pubkey(tweak) 932 else: 933 tweaked, negated = tweak_add_pubkey(pubkey, tweak) 934 leaves = dict((name, TaprootLeafInfo(script, version, merklebranch, leaf)) for name, version, script, merklebranch, leaf in ret) 935 return TaprootInfo(CScript([OP_1, tweaked]), pubkey, negated + 0, tweak, leaves, h, tweaked) 936 937 def is_op_success(o): 938 return o == 0x50 or o == 0x62 or o == 0x89 or o == 0x8a or o == 0x8d or o == 0x8e or (o >= 0x7e and o <= 0x81) or (o >= 0x83 and o <= 0x86) or (o >= 0x95 and o <= 0x99) or (o >= 0xbb and o <= 0xfe)