1#!/usr/bin/env python3 2# Copyright (c) 2019-2020 The Bitcoin Core developers 3# Distributed under the MIT software license, see the accompanying 4# file COPYING or http://www.opensource.org/licenses/mit-license.php. 5# Test Taproot softfork (BIPs 340-342) 6 7from test_framework.blocktools import ( 8 COINBASE_MATURITY, 9 create_coinbase, 10 create_block, 11 add_witness_commitment, 12 MAX_BLOCK_SIGOPS_WEIGHT, 13 NORMAL_GBT_REQUEST_PARAMS, 14 WITNESS_SCALE_FACTOR, 15) 16from test_framework.messages import ( 17 COutPoint, 18 CTransaction, 19 CTxIn, 20 CTxInWitness, 21 CTxOut, 22) 23from test_framework.script import ( 24 ANNEX_TAG, 25 CScript, 26 CScriptNum, 27 CScriptOp, 28 LEAF_VERSION_TAPSCRIPT, 29 LegacySignatureHash, 30 LOCKTIME_THRESHOLD, 31 MAX_SCRIPT_ELEMENT_SIZE, 32 OP_0, 33 OP_1, 34 OP_2, 35 OP_3, 36 OP_4, 37 OP_5, 38 OP_6, 39 OP_7, 40 OP_8, 41 OP_9, 42 OP_10, 43 OP_11, 44 OP_12, 45 OP_16, 46 OP_2DROP, 47 OP_2DUP, 48 OP_CHECKMULTISIG, 49 OP_CHECKMULTISIGVERIFY, 50 OP_CHECKSIG, 51 OP_CHECKSIGADD, 52 OP_CHECKSIGVERIFY, 53 OP_CODESEPARATOR, 54 OP_DROP, 55 OP_DUP, 56 OP_ELSE, 57 OP_ENDIF, 58 OP_EQUAL, 59 OP_EQUALVERIFY, 60 OP_IF, 61 OP_NOP, 62 OP_NOT, 63 OP_NOTIF, 64 OP_PUSHDATA1, 65 OP_RETURN, 66 OP_SWAP, 67 OP_VERIFY, 68 SIGHASH_DEFAULT, 69 SIGHASH_ALL, 70 SIGHASH_NONE, 71 SIGHASH_SINGLE, 72 SIGHASH_ANYONECANPAY, 73 SegwitV0SignatureHash, 74 TaprootSignatureHash, 75 is_op_success, 76 taproot_construct, 77) 78from test_framework.script_util import ( 79 key_to_p2wpkh_script, 80 keyhash_to_p2pkh_script, 81 script_to_p2sh_script, 82 script_to_p2wsh_script, 83) 84from test_framework.test_framework import BitcoinTestFramework 85from test_framework.util import assert_raises_rpc_error, assert_equal 86from test_framework.key import generate_privkey, compute_xonly_pubkey, sign_schnorr, tweak_add_privkey, ECKey 87from test_framework.address import ( 88 hash160, 89) 90from collections import OrderedDict, namedtuple 91from io import BytesIO 92import json 93import hashlib 94import os 95import random 96 97# === Framework for building spending transactions. === 98# 99# The computation is represented as a "context" dict, whose entries store potentially-unevaluated expressions that 100# refer to lower-level ones. By overwriting these expression, many aspects - both high and low level - of the signing 101# process can be overridden. 102# 103# Specifically, a context object is a dict that maps names to compositions of: 104# - values 105# - lists of values 106# - callables which, when fed the context object as argument, produce any of these 107# 108# The DEFAULT_CONTEXT object specifies a standard signing process, with many overridable knobs. 109# 110# The get(ctx, name) function can evaluate a name, and cache its result in the context. 111# getter(name) can be used to construct a callable that evaluates name. For example: 112# 113# ctx1 = {**DEFAULT_CONTEXT, inputs=[getter("sign"), b'\x01']} 114# 115# creates a context where the script inputs are a signature plus the bytes 0x01. 116# 117# override(expr, name1=expr1, name2=expr2, ...) can be used to cause an expression to be evaluated in a selectively 118# modified context. For example: 119# 120# ctx2 = {**DEFAULT_CONTEXT, sighash=override(default_sighash, hashtype=SIGHASH_DEFAULT)} 121# 122# creates a context ctx2 where the sighash is modified to use hashtype=SIGHASH_DEFAULT. This differs from 123# 124# ctx3 = {**DEFAULT_CONTEXT, hashtype=SIGHASH_DEFAULT} 125# 126# in that ctx3 will globally use hashtype=SIGHASH_DEFAULT (including in the hashtype byte appended to the signature) 127# while ctx2 only uses the modified hashtype inside the sighash calculation. 128 129def deep_eval(ctx, expr): 130 """Recursively replace any callables c in expr (including inside lists) with c(ctx).""" 131 while callable(expr): 132 expr = expr(ctx) 133 if isinstance(expr, list): 134 expr = [deep_eval(ctx, x) for x in expr] 135 return expr 136 137# Data type to represent fully-evaluated expressions in a context dict (so we can avoid reevaluating them). 138Final = namedtuple("Final", "value") 139 140def get(ctx, name): 141 """Evaluate name in context ctx.""" 142 assert name in ctx, "Missing '%s' in context" % name 143 expr = ctx[name] 144 if not isinstance(expr, Final): 145 # Evaluate and cache the result. 146 expr = Final(deep_eval(ctx, expr)) 147 ctx[name] = expr 148 return expr.value 149 150def getter(name): 151 """Return a callable that evaluates name in its passed context.""" 152 return lambda ctx: get(ctx, name) 153 154def override(expr, **kwargs): 155 """Return a callable that evaluates expr in a modified context.""" 156 return lambda ctx: deep_eval({**ctx, **kwargs}, expr) 157 158# === Implementations for the various default expressions in DEFAULT_CONTEXT === 159 160def default_hashtype(ctx): 161 """Default expression for "hashtype": SIGHASH_DEFAULT for taproot, SIGHASH_ALL otherwise.""" 162 mode = get(ctx, "mode") 163 if mode == "taproot": 164 return SIGHASH_DEFAULT 165 else: 166 return SIGHASH_ALL 167 168def default_tapleaf(ctx): 169 """Default expression for "tapleaf": looking up leaf in tap[2].""" 170 return get(ctx, "tap").leaves[get(ctx, "leaf")] 171 172def default_script_taproot(ctx): 173 """Default expression for "script_taproot": tapleaf.script.""" 174 return get(ctx, "tapleaf").script 175 176def default_leafversion(ctx): 177 """Default expression for "leafversion": tapleaf.version""" 178 return get(ctx, "tapleaf").version 179 180def default_negflag(ctx): 181 """Default expression for "negflag": tap.negflag.""" 182 return get(ctx, "tap").negflag 183 184def default_pubkey_internal(ctx): 185 """Default expression for "pubkey_internal": tap.internal_pubkey.""" 186 return get(ctx, "tap").internal_pubkey 187 188def default_merklebranch(ctx): 189 """Default expression for "merklebranch": tapleaf.merklebranch.""" 190 return get(ctx, "tapleaf").merklebranch 191 192def default_controlblock(ctx): 193 """Default expression for "controlblock": combine leafversion, negflag, pubkey_internal, merklebranch.""" 194 return bytes([get(ctx, "leafversion") + get(ctx, "negflag")]) + get(ctx, "pubkey_internal") + get(ctx, "merklebranch") 195 196def default_sighash(ctx): 197 """Default expression for "sighash": depending on mode, compute BIP341, BIP143, or legacy sighash.""" 198 tx = get(ctx, "tx") 199 idx = get(ctx, "idx") 200 hashtype = get(ctx, "hashtype_actual") 201 mode = get(ctx, "mode") 202 if mode == "taproot": 203 # BIP341 signature hash 204 utxos = get(ctx, "utxos") 205 annex = get(ctx, "annex") 206 if get(ctx, "leaf") is not None: 207 codeseppos = get(ctx, "codeseppos") 208 leaf_ver = get(ctx, "leafversion") 209 script = get(ctx, "script_taproot") 210 return TaprootSignatureHash(tx, utxos, hashtype, idx, scriptpath=True, script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex) 211 else: 212 return TaprootSignatureHash(tx, utxos, hashtype, idx, scriptpath=False, annex=annex) 213 elif mode == "witv0": 214 # BIP143 signature hash 215 scriptcode = get(ctx, "scriptcode") 216 utxos = get(ctx, "utxos") 217 return SegwitV0SignatureHash(scriptcode, tx, idx, hashtype, utxos[idx].nValue) 218 else: 219 # Pre-segwit signature hash 220 scriptcode = get(ctx, "scriptcode") 221 return LegacySignatureHash(scriptcode, tx, idx, hashtype)[0] 222 223def default_tweak(ctx): 224 """Default expression for "tweak": None if a leaf is specified, tap[0] otherwise.""" 225 if get(ctx, "leaf") is None: 226 return get(ctx, "tap").tweak 227 return None 228 229def default_key_tweaked(ctx): 230 """Default expression for "key_tweaked": key if tweak is None, tweaked with it otherwise.""" 231 key = get(ctx, "key") 232 tweak = get(ctx, "tweak") 233 if tweak is None: 234 return key 235 else: 236 return tweak_add_privkey(key, tweak) 237 238def default_signature(ctx): 239 """Default expression for "signature": BIP340 signature or ECDSA signature depending on mode.""" 240 sighash = get(ctx, "sighash") 241 if get(ctx, "mode") == "taproot": 242 key = get(ctx, "key_tweaked") 243 flip_r = get(ctx, "flag_flip_r") 244 flip_p = get(ctx, "flag_flip_p") 245 return sign_schnorr(key, sighash, flip_r=flip_r, flip_p=flip_p) 246 else: 247 key = get(ctx, "key") 248 return key.sign_ecdsa(sighash) 249 250def default_hashtype_actual(ctx): 251 """Default expression for "hashtype_actual": hashtype, unless mismatching SIGHASH_SINGLE in taproot.""" 252 hashtype = get(ctx, "hashtype") 253 mode = get(ctx, "mode") 254 if mode != "taproot": 255 return hashtype 256 idx = get(ctx, "idx") 257 tx = get(ctx, "tx") 258 if hashtype & 3 == SIGHASH_SINGLE and idx >= len(tx.vout): 259 return (hashtype & ~3) | SIGHASH_NONE 260 return hashtype 261 262def default_bytes_hashtype(ctx): 263 """Default expression for "bytes_hashtype": bytes([hashtype_actual]) if not 0, b"" otherwise.""" 264 return bytes([x for x in [get(ctx, "hashtype_actual")] if x != 0]) 265 266def default_sign(ctx): 267 """Default expression for "sign": concatenation of signature and bytes_hashtype.""" 268 return get(ctx, "signature") + get(ctx, "bytes_hashtype") 269 270def default_inputs_keypath(ctx): 271 """Default expression for "inputs_keypath": a signature.""" 272 return [get(ctx, "sign")] 273 274def default_witness_taproot(ctx): 275 """Default expression for "witness_taproot", consisting of inputs, script, control block, and annex as needed.""" 276 annex = get(ctx, "annex") 277 suffix_annex = [] 278 if annex is not None: 279 suffix_annex = [annex] 280 if get(ctx, "leaf") is None: 281 return get(ctx, "inputs_keypath") + suffix_annex 282 else: 283 return get(ctx, "inputs") + [bytes(get(ctx, "script_taproot")), get(ctx, "controlblock")] + suffix_annex 284 285def default_witness_witv0(ctx): 286 """Default expression for "witness_witv0", consisting of inputs and witness script, as needed.""" 287 script = get(ctx, "script_witv0") 288 inputs = get(ctx, "inputs") 289 if script is None: 290 return inputs 291 else: 292 return inputs + [script] 293 294def default_witness(ctx): 295 """Default expression for "witness", delegating to "witness_taproot" or "witness_witv0" as needed.""" 296 mode = get(ctx, "mode") 297 if mode == "taproot": 298 return get(ctx, "witness_taproot") 299 elif mode == "witv0": 300 return get(ctx, "witness_witv0") 301 else: 302 return [] 303 304def default_scriptsig(ctx): 305 """Default expression for "scriptsig", consisting of inputs and redeemscript, as needed.""" 306 scriptsig = [] 307 mode = get(ctx, "mode") 308 if mode == "legacy": 309 scriptsig = get(ctx, "inputs") 310 redeemscript = get(ctx, "script_p2sh") 311 if redeemscript is not None: 312 scriptsig += [bytes(redeemscript)] 313 return scriptsig 314 315# The default context object. 316DEFAULT_CONTEXT = { 317 # == The main expressions to evaluate. Only override these for unusual or invalid spends. == 318 # The overall witness stack, as a list of bytes objects. 319 "witness": default_witness, 320 # The overall scriptsig, as a list of CScript objects (to be concatenated) and bytes objects (to be pushed) 321 "scriptsig": default_scriptsig, 322 323 # == Expressions you'll generally only override for intentionally invalid spends. == 324 # The witness stack for spending a taproot output. 325 "witness_taproot": default_witness_taproot, 326 # The witness stack for spending a P2WPKH/P2WSH output. 327 "witness_witv0": default_witness_witv0, 328 # The script inputs for a taproot key path spend. 329 "inputs_keypath": default_inputs_keypath, 330 # The actual hashtype to use (usually equal to hashtype, but in taproot SIGHASH_SINGLE is not always allowed). 331 "hashtype_actual": default_hashtype_actual, 332 # The bytes object for a full signature (including hashtype byte, if needed). 333 "bytes_hashtype": default_bytes_hashtype, 334 # A full script signature (bytes including hashtype, if needed) 335 "sign": default_sign, 336 # An ECDSA or Schnorr signature (excluding hashtype byte). 337 "signature": default_signature, 338 # The 32-byte tweaked key (equal to key for script path spends, or key+tweak for key path spends). 339 "key_tweaked": default_key_tweaked, 340 # The tweak to use (None for script path spends, the actual tweak for key path spends). 341 "tweak": default_tweak, 342 # The sighash value (32 bytes) 343 "sighash": default_sighash, 344 # The information about the chosen script path spend (TaprootLeafInfo object). 345 "tapleaf": default_tapleaf, 346 # The script to push, and include in the sighash, for a taproot script path spend. 347 "script_taproot": default_script_taproot, 348 # The internal pubkey for a taproot script path spend (32 bytes). 349 "pubkey_internal": default_pubkey_internal, 350 # The negation flag of the internal pubkey for a taproot script path spend. 351 "negflag": default_negflag, 352 # The leaf version to include in the sighash (this does not affect the one in the control block). 353 "leafversion": default_leafversion, 354 # The Merkle path to include in the control block for a script path spend. 355 "merklebranch": default_merklebranch, 356 # The control block to push for a taproot script path spend. 357 "controlblock": default_controlblock, 358 # Whether to produce signatures with invalid P sign (Schnorr signatures only). 359 "flag_flip_p": False, 360 # Whether to produce signatures with invalid R sign (Schnorr signatures only). 361 "flag_flip_r": False, 362 363 # == Parameters that can be changed without invalidating, but do have a default: == 364 # The hashtype (as an integer). 365 "hashtype": default_hashtype, 366 # The annex (only when mode=="taproot"). 367 "annex": None, 368 # The codeseparator position (only when mode=="taproot"). 369 "codeseppos": -1, 370 # The redeemscript to add to the scriptSig (if P2SH; None implies not P2SH). 371 "script_p2sh": None, 372 # The script to add to the witness in (if P2WSH; None implies P2WPKH) 373 "script_witv0": None, 374 # The leaf to use in taproot spends (if script path spend; None implies key path spend). 375 "leaf": None, 376 # The input arguments to provide to the executed script 377 "inputs": [], 378 379 # == Parameters to be set before evaluation: == 380 # - mode: what spending style to use ("taproot", "witv0", or "legacy"). 381 # - key: the (untweaked) private key to sign with (ECKey object for ECDSA, 32 bytes for Schnorr). 382 # - tap: the TaprootInfo object (see taproot_construct; needed in mode=="taproot"). 383 # - tx: the transaction to sign. 384 # - utxos: the UTXOs being spent (needed in mode=="witv0" and mode=="taproot"). 385 # - idx: the input position being signed. 386 # - scriptcode: the scriptcode to include in legacy and witv0 sighashes. 387} 388 389def flatten(lst): 390 ret = [] 391 for elem in lst: 392 if isinstance(elem, list): 393 ret += flatten(elem) 394 else: 395 ret.append(elem) 396 return ret 397 398def spend(tx, idx, utxos, **kwargs): 399 """Sign transaction input idx of tx, provided utxos is the list of outputs being spent. 400 401 Additional arguments may be provided that override any aspect of the signing process. 402 See DEFAULT_CONTEXT above for what can be overridden, and what must be provided. 403 """ 404 405 ctx = {**DEFAULT_CONTEXT, "tx":tx, "idx":idx, "utxos":utxos, **kwargs} 406 407 def to_script(elem): 408 """If fed a CScript, return it; if fed bytes, return a CScript that pushes it.""" 409 if isinstance(elem, CScript): 410 return elem 411 else: 412 return CScript([elem]) 413 414 scriptsig_list = flatten(get(ctx, "scriptsig")) 415 scriptsig = CScript(b"".join(bytes(to_script(elem)) for elem in scriptsig_list)) 416 witness_stack = flatten(get(ctx, "witness")) 417 return (scriptsig, witness_stack) 418 419 420# === Spender objects === 421# 422# Each spender is a tuple of: 423# - A scriptPubKey which is to be spent from (CScript) 424# - A comment describing the test (string) 425# - Whether the spending (on itself) is expected to be standard (bool) 426# - A tx-signing lambda returning (scriptsig, witness_stack), taking as inputs: 427# - A transaction to sign (CTransaction) 428# - An input position (int) 429# - The spent UTXOs by this transaction (list of CTxOut) 430# - Whether to produce a valid spend (bool) 431# - A string with an expected error message for failure case if known 432# - The (pre-taproot) sigops weight consumed by a successful spend 433# - Whether this spend cannot fail 434# - Whether this test demands being placed in a txin with no corresponding txout (for testing SIGHASH_SINGLE behavior) 435 436Spender = namedtuple("Spender", "script,comment,is_standard,sat_function,err_msg,sigops_weight,no_fail,need_vin_vout_mismatch") 437 438def make_spender(comment, *, tap=None, witv0=False, script=None, pkh=None, p2sh=False, spk_mutate_pre_p2sh=None, failure=None, standard=True, err_msg=None, sigops_weight=0, need_vin_vout_mismatch=False, **kwargs): 439 """Helper for constructing Spender objects using the context signing framework. 440 441 * tap: a TaprootInfo object (see taproot_construct), for Taproot spends (cannot be combined with pkh, witv0, or script) 442 * witv0: boolean indicating the use of witness v0 spending (needs one of script or pkh) 443 * script: the actual script executed (for bare/P2WSH/P2SH spending) 444 * pkh: the public key for P2PKH or P2WPKH spending 445 * p2sh: whether the output is P2SH wrapper (this is supported even for Taproot, where it makes the output unencumbered) 446 * spk_mutate_pre_psh: a callable to be applied to the script (before potentially P2SH-wrapping it) 447 * failure: a dict of entries to override in the context when intentionally failing to spend (if None, no_fail will be set) 448 * standard: whether the (valid version of) spending is expected to be standard 449 * err_msg: a string with an expected error message for failure (or None, if not cared about) 450 * sigops_weight: the pre-taproot sigops weight consumed by a successful spend 451 * need_vin_vout_mismatch: whether this test requires being tested in a transaction input that has no corresponding 452 transaction output. 453 """ 454 455 conf = dict() 456 457 # Compute scriptPubKey and set useful defaults based on the inputs. 458 if witv0: 459 assert tap is None 460 conf["mode"] = "witv0" 461 if pkh is not None: 462 # P2WPKH 463 assert script is None 464 pubkeyhash = hash160(pkh) 465 spk = key_to_p2wpkh_script(pkh) 466 conf["scriptcode"] = keyhash_to_p2pkh_script(pubkeyhash) 467 conf["script_witv0"] = None 468 conf["inputs"] = [getter("sign"), pkh] 469 elif script is not None: 470 # P2WSH 471 spk = script_to_p2wsh_script(script) 472 conf["scriptcode"] = script 473 conf["script_witv0"] = script 474 else: 475 assert False 476 elif tap is None: 477 conf["mode"] = "legacy" 478 if pkh is not None: 479 # P2PKH 480 assert script is None 481 pubkeyhash = hash160(pkh) 482 spk = keyhash_to_p2pkh_script(pubkeyhash) 483 conf["scriptcode"] = spk 484 conf["inputs"] = [getter("sign"), pkh] 485 elif script is not None: 486 # bare 487 spk = script 488 conf["scriptcode"] = script 489 else: 490 assert False 491 else: 492 assert script is None 493 conf["mode"] = "taproot" 494 conf["tap"] = tap 495 spk = tap.scriptPubKey 496 497 if spk_mutate_pre_p2sh is not None: 498 spk = spk_mutate_pre_p2sh(spk) 499 500 if p2sh: 501 # P2SH wrapper can be combined with anything else 502 conf["script_p2sh"] = spk 503 spk = script_to_p2sh_script(spk) 504 505 conf = {**conf, **kwargs} 506 507 def sat_fn(tx, idx, utxos, valid): 508 if valid: 509 return spend(tx, idx, utxos, **conf) 510 else: 511 assert failure is not None 512 return spend(tx, idx, utxos, **{**conf, **failure}) 513 514 return Spender(script=spk, comment=comment, is_standard=standard, sat_function=sat_fn, err_msg=err_msg, sigops_weight=sigops_weight, no_fail=failure is None, need_vin_vout_mismatch=need_vin_vout_mismatch) 515 516def add_spender(spenders, *args, **kwargs): 517 """Make a spender using make_spender, and add it to spenders.""" 518 spenders.append(make_spender(*args, **kwargs)) 519 520# === Helpers for the test === 521 522def random_checksig_style(pubkey): 523 """Creates a random CHECKSIG* tapscript that would succeed with only the valid signature on witness stack.""" 524 opcode = random.choice([OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKSIGADD]) 525 if opcode == OP_CHECKSIGVERIFY: 526 ret = CScript([pubkey, opcode, OP_1]) 527 elif opcode == OP_CHECKSIGADD: 528 num = random.choice([0, 0x7fffffff, -0x7fffffff]) 529 ret = CScript([num, pubkey, opcode, num + 1, OP_EQUAL]) 530 else: 531 ret = CScript([pubkey, opcode]) 532 return bytes(ret) 533 534def random_bytes(n): 535 """Return a random bytes object of length n.""" 536 return bytes(random.getrandbits(8) for i in range(n)) 537 538def bitflipper(expr): 539 """Return a callable that evaluates expr and returns it with a random bitflip.""" 540 def fn(ctx): 541 sub = deep_eval(ctx, expr) 542 assert isinstance(sub, bytes) 543 return (int.from_bytes(sub, 'little') ^ (1 << random.randrange(len(sub) * 8))).to_bytes(len(sub), 'little') 544 return fn 545 546def zero_appender(expr): 547 """Return a callable that evaluates expr and returns it with a zero added.""" 548 return lambda ctx: deep_eval(ctx, expr) + b"\x00" 549 550def byte_popper(expr): 551 """Return a callable that evaluates expr and returns it with its last byte removed.""" 552 return lambda ctx: deep_eval(ctx, expr)[:-1] 553 554# Expected error strings 555 556ERR_SIG_SIZE = {"err_msg": "Invalid Schnorr signature size"} 557ERR_SIG_HASHTYPE = {"err_msg": "Invalid Schnorr signature hash type"} 558ERR_SIG_SCHNORR = {"err_msg": "Invalid Schnorr signature"} 559ERR_OP_RETURN = {"err_msg": "OP_RETURN was encountered"} 560ERR_CONTROLBLOCK_SIZE = {"err_msg": "Invalid Taproot control block size"} 561ERR_WITNESS_PROGRAM_MISMATCH = {"err_msg": "Witness program hash mismatch"} 562ERR_PUSH_LIMIT = {"err_msg": "Push value size limit exceeded"} 563ERR_DISABLED_OPCODE = {"err_msg": "Attempted to use a disabled opcode"} 564ERR_TAPSCRIPT_CHECKMULTISIG = {"err_msg": "OP_CHECKMULTISIG(VERIFY) is not available in tapscript"} 565ERR_MINIMALIF = {"err_msg": "OP_IF/NOTIF argument must be minimal in tapscript"} 566ERR_UNKNOWN_PUBKEY = {"err_msg": "Public key is neither compressed or uncompressed"} 567ERR_STACK_SIZE = {"err_msg": "Stack size limit exceeded"} 568ERR_CLEANSTACK = {"err_msg": "Stack size must be exactly one after execution"} 569ERR_STACK_EMPTY = {"err_msg": "Operation not valid with the current stack size"} 570ERR_SIGOPS_RATIO = {"err_msg": "Too much signature validation relative to witness weight"} 571ERR_UNDECODABLE = {"err_msg": "Opcode missing or not understood"} 572ERR_NO_SUCCESS = {"err_msg": "Script evaluated without error but finished with a false/empty top stack element"} 573ERR_EMPTY_WITNESS = {"err_msg": "Witness program was passed an empty witness"} 574ERR_CHECKSIGVERIFY = {"err_msg": "Script failed an OP_CHECKSIGVERIFY operation"} 575 576VALID_SIGHASHES_ECDSA = [ 577 SIGHASH_ALL, 578 SIGHASH_NONE, 579 SIGHASH_SINGLE, 580 SIGHASH_ANYONECANPAY + SIGHASH_ALL, 581 SIGHASH_ANYONECANPAY + SIGHASH_NONE, 582 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 583] 584 585VALID_SIGHASHES_TAPROOT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA 586 587VALID_SIGHASHES_TAPROOT_SINGLE = [ 588 SIGHASH_SINGLE, 589 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 590] 591 592VALID_SIGHASHES_TAPROOT_NO_SINGLE = [h for h in VALID_SIGHASHES_TAPROOT if h not in VALID_SIGHASHES_TAPROOT_SINGLE] 593 594SIGHASH_BITFLIP = {"failure": {"sighash": bitflipper(default_sighash)}} 595SIG_POP_BYTE = {"failure": {"sign": byte_popper(default_sign)}} 596SINGLE_SIG = {"inputs": [getter("sign")]} 597SIG_ADD_ZERO = {"failure": {"sign": zero_appender(default_sign)}} 598 599DUST_LIMIT = 600 600MIN_FEE = 50000 601 602# === Actual test cases === 603 604 605def spenders_taproot_active(): 606 """Return a list of Spenders for testing post-Taproot activation behavior.""" 607 608 secs = [generate_privkey() for _ in range(8)] 609 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 610 611 spenders = [] 612 613 # == Tests for BIP340 signature validation. == 614 # These are primarily tested through the test vectors implemented in libsecp256k1, and in src/tests/key_tests.cpp. 615 # Some things are tested programmatically as well here. 616 617 tap = taproot_construct(pubs[0]) 618 # Test with key with bit flipped. 619 add_spender(spenders, "sig/key", tap=tap, key=secs[0], failure={"key_tweaked": bitflipper(default_key_tweaked)}, **ERR_SIG_SCHNORR) 620 # Test with sighash with bit flipped. 621 add_spender(spenders, "sig/sighash", tap=tap, key=secs[0], failure={"sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 622 # Test with invalid R sign. 623 add_spender(spenders, "sig/flip_r", tap=tap, key=secs[0], failure={"flag_flip_r": True}, **ERR_SIG_SCHNORR) 624 # Test with invalid P sign. 625 add_spender(spenders, "sig/flip_p", tap=tap, key=secs[0], failure={"flag_flip_p": True}, **ERR_SIG_SCHNORR) 626 # Test with signature with bit flipped. 627 add_spender(spenders, "sig/bitflip", tap=tap, key=secs[0], failure={"signature": bitflipper(default_signature)}, **ERR_SIG_SCHNORR) 628 629 # == Tests for signature hashing == 630 631 # Run all tests once with no annex, and once with a valid random annex. 632 for annex in [None, lambda _: bytes([ANNEX_TAG]) + random_bytes(random.randrange(0, 250))]: 633 # Non-empty annex is non-standard 634 no_annex = annex is None 635 636 # Sighash mutation tests (test all sighash combinations) 637 for hashtype in VALID_SIGHASHES_TAPROOT: 638 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 639 640 # Pure pubkey 641 tap = taproot_construct(pubs[0]) 642 add_spender(spenders, "sighash/purepk", tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 643 644 # Pubkey/P2PK script combination 645 scripts = [("s0", CScript(random_checksig_style(pubs[1])))] 646 tap = taproot_construct(pubs[0], scripts) 647 add_spender(spenders, "sighash/keypath_hashtype_%x" % hashtype, tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 648 add_spender(spenders, "sighash/scriptpath_hashtype_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 649 650 # Test SIGHASH_SINGLE behavior in combination with mismatching outputs 651 if hashtype in VALID_SIGHASHES_TAPROOT_SINGLE: 652 add_spender(spenders, "sighash/keypath_hashtype_mis_%x" % hashtype, tap=tap, key=secs[0], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), failure={"hashtype_actual": hashtype}, **ERR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 653 add_spender(spenders, "sighash/scriptpath_hashtype_mis_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), **SINGLE_SIG, failure={"hashtype_actual": hashtype}, **ERR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 654 655 # Test OP_CODESEPARATOR impact on sighashing. 656 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 657 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 658 scripts = [ 659 ("pk_codesep", CScript(random_checksig_style(pubs[1]) + bytes([OP_CODESEPARATOR]))), # codesep after checksig 660 ("codesep_pk", CScript(bytes([OP_CODESEPARATOR]) + random_checksig_style(pubs[1]))), # codesep before checksig 661 ("branched_codesep", CScript([random_bytes(random.randrange(511)), OP_DROP, OP_IF, OP_CODESEPARATOR, pubs[0], OP_ELSE, OP_CODESEPARATOR, pubs[1], OP_ENDIF, OP_CHECKSIG])), # branch dependent codesep 662 ] 663 random.shuffle(scripts) 664 tap = taproot_construct(pubs[0], scripts) 665 add_spender(spenders, "sighash/pk_codesep", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 666 add_spender(spenders, "sighash/codesep_pk", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 667 add_spender(spenders, "sighash/branched_codesep/left", tap=tap, leaf="branched_codesep", key=secs[0], codeseppos=3, **common, inputs=[getter("sign"), b'\x01'], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 668 add_spender(spenders, "sighash/branched_codesep/right", tap=tap, leaf="branched_codesep", key=secs[1], codeseppos=6, **common, inputs=[getter("sign"), b''], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 669 670 # Reusing the scripts above, test that various features affect the sighash. 671 add_spender(spenders, "sighash/annex", tap=tap, leaf="pk_codesep", key=secs[1], hashtype=hashtype, standard=False, **SINGLE_SIG, annex=bytes([ANNEX_TAG]), failure={"sighash": override(default_sighash, annex=None)}, **ERR_SIG_SCHNORR) 672 add_spender(spenders, "sighash/script", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, script_taproot=tap.leaves["codesep_pk"].script)}, **ERR_SIG_SCHNORR) 673 add_spender(spenders, "sighash/leafver", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leafversion=random.choice([x & 0xFE for x in range(0x100) if x & 0xFE != 0xC0]))}, **ERR_SIG_SCHNORR) 674 add_spender(spenders, "sighash/scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leaf=None)}, **ERR_SIG_SCHNORR) 675 add_spender(spenders, "sighash/keypath", tap=tap, key=secs[0], **common, failure={"sighash": override(default_sighash, leaf="pk_codesep")}, **ERR_SIG_SCHNORR) 676 677 # Test that invalid hashtypes don't work, both in key path and script path spends 678 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 679 for invalid_hashtype in [x for x in range(0x100) if x not in VALID_SIGHASHES_TAPROOT]: 680 add_spender(spenders, "sighash/keypath_unk_hashtype_%x" % invalid_hashtype, tap=tap, key=secs[0], hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SIG_HASHTYPE) 681 add_spender(spenders, "sighash/scriptpath_unk_hashtype_%x" % invalid_hashtype, tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SIG_HASHTYPE) 682 683 # Test that hashtype 0 cannot have a hashtype byte, and 1 must have one. 684 add_spender(spenders, "sighash/hashtype0_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SIG_HASHTYPE) 685 add_spender(spenders, "sighash/hashtype0_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SIG_HASHTYPE) 686 add_spender(spenders, "sighash/hashtype1_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 687 add_spender(spenders, "sighash/hashtype1_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 688 # Test that hashtype 0 and hashtype 1 cannot be transmuted into each other. 689 add_spender(spenders, "sighash/hashtype0to1_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SIG_SCHNORR) 690 add_spender(spenders, "sighash/hashtype0to1_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SIG_SCHNORR) 691 add_spender(spenders, "sighash/hashtype1to0_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 692 add_spender(spenders, "sighash/hashtype1to0_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 693 694 # Test aspects of signatures with unusual lengths 695 for hashtype in [SIGHASH_DEFAULT, random.choice(VALID_SIGHASHES_TAPROOT)]: 696 scripts = [ 697 ("csv", CScript([pubs[2], OP_CHECKSIGVERIFY, OP_1])), 698 ("cs_pos", CScript([pubs[2], OP_CHECKSIG])), 699 ("csa_pos", CScript([OP_0, pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 700 ("cs_neg", CScript([pubs[2], OP_CHECKSIG, OP_NOT])), 701 ("csa_neg", CScript([OP_2, pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL])) 702 ] 703 random.shuffle(scripts) 704 tap = taproot_construct(pubs[3], scripts) 705 # Empty signatures 706 add_spender(spenders, "siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SIG_SIZE) 707 add_spender(spenders, "siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY) 708 add_spender(spenders, "siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS) 709 add_spender(spenders, "siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS) 710 add_spender(spenders, "siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random_bytes(random.randrange(1, 63))}, **ERR_SIG_SIZE) 711 add_spender(spenders, "siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random_bytes(random.randrange(66, 100))}, **ERR_SIG_SIZE) 712 # Appending a zero byte to signatures invalidates them 713 add_spender(spenders, "siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 714 add_spender(spenders, "siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 715 add_spender(spenders, "siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 716 add_spender(spenders, "siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 717 add_spender(spenders, "siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 718 add_spender(spenders, "siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 719 # Removing the last byte from signatures invalidates them 720 add_spender(spenders, "siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 721 add_spender(spenders, "siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 722 add_spender(spenders, "siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 723 add_spender(spenders, "siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 724 add_spender(spenders, "siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 725 add_spender(spenders, "siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 726 # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail. 727 add_spender(spenders, "siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 728 add_spender(spenders, "siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 729 730 # == Test that BIP341 spending only applies to witness version 1, program length 32, no P2SH == 731 732 for p2sh in [False, True]: 733 for witver in range(1, 17): 734 for witlen in [20, 31, 32, 33]: 735 def mutate(spk): 736 prog = spk[2:] 737 assert len(prog) == 32 738 if witlen < 32: 739 prog = prog[0:witlen] 740 elif witlen > 32: 741 prog += bytes([0 for _ in range(witlen - 32)]) 742 return CScript([CScriptOp.encode_op_n(witver), prog]) 743 scripts = [("s0", CScript([pubs[0], OP_CHECKSIG])), ("dummy", CScript([OP_RETURN]))] 744 tap = taproot_construct(pubs[1], scripts) 745 if not p2sh and witver == 1 and witlen == 32: 746 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 747 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, failure={"leaf": "dummy"}, **ERR_OP_RETURN) 748 else: 749 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], standard=False) 750 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, standard=False) 751 752 # == Test various aspects of BIP341 spending paths == 753 754 # A set of functions that compute the hashing partner in a Merkle tree, designed to exercise 755 # edge cases. This relies on the taproot_construct feature that a lambda can be passed in 756 # instead of a subtree, to compute the partner to be hashed with. 757 PARTNER_MERKLE_FN = [ 758 # Combine with itself 759 lambda h: h, 760 # Combine with hash 0 761 lambda h: bytes([0 for _ in range(32)]), 762 # Combine with hash 2^256-1 763 lambda h: bytes([0xff for _ in range(32)]), 764 # Combine with itself-1 (BE) 765 lambda h: (int.from_bytes(h, 'big') - 1).to_bytes(32, 'big'), 766 # Combine with itself+1 (BE) 767 lambda h: (int.from_bytes(h, 'big') + 1).to_bytes(32, 'big'), 768 # Combine with itself-1 (LE) 769 lambda h: (int.from_bytes(h, 'little') - 1).to_bytes(32, 'big'), 770 # Combine with itself+1 (LE) 771 lambda h: (int.from_bytes(h, 'little') + 1).to_bytes(32, 'little'), 772 # Combine with random bitflipped version of self. 773 lambda h: (int.from_bytes(h, 'little') ^ (1 << random.randrange(256))).to_bytes(32, 'little') 774 ] 775 # Start with a tree of that has depth 1 for "128deep" and depth 2 for "129deep". 776 scripts = [("128deep", CScript([pubs[0], OP_CHECKSIG])), [("129deep", CScript([pubs[0], OP_CHECKSIG])), random.choice(PARTNER_MERKLE_FN)]] 777 # Add 127 nodes on top of that tree, so that "128deep" and "129deep" end up at their designated depths. 778 for _ in range(127): 779 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 780 tap = taproot_construct(pubs[0], scripts) 781 # Test that spends with a depth of 128 work, but 129 doesn't (even with a tree with weird Merkle branches in it). 782 add_spender(spenders, "spendpath/merklelimit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"leaf": "129deep"}, **ERR_CONTROLBLOCK_SIZE) 783 # Test that flipping the negation bit invalidates spends. 784 add_spender(spenders, "spendpath/negflag", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"negflag": lambda ctx: 1 - default_negflag(ctx)}, **ERR_WITNESS_PROGRAM_MISMATCH) 785 # Test that bitflips in the Merkle branch invalidate it. 786 add_spender(spenders, "spendpath/bitflipmerkle", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"merklebranch": bitflipper(default_merklebranch)}, **ERR_WITNESS_PROGRAM_MISMATCH) 787 # Test that bitflips in the internal pubkey invalidate it. 788 add_spender(spenders, "spendpath/bitflippubkey", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"pubkey_internal": bitflipper(default_pubkey_internal)}, **ERR_WITNESS_PROGRAM_MISMATCH) 789 # Test that empty witnesses are invalid. 790 add_spender(spenders, "spendpath/emptywit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"witness": []}, **ERR_EMPTY_WITNESS) 791 # Test that adding garbage to the control block invalidates it. 792 add_spender(spenders, "spendpath/padlongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random_bytes(random.randrange(1, 32))}, **ERR_CONTROLBLOCK_SIZE) 793 # Test that truncating the control block invalidates it. 794 add_spender(spenders, "spendpath/trunclongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_CONTROLBLOCK_SIZE) 795 796 scripts = [("s", CScript([pubs[0], OP_CHECKSIG]))] 797 tap = taproot_construct(pubs[1], scripts) 798 # Test that adding garbage to the control block invalidates it. 799 add_spender(spenders, "spendpath/padshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random_bytes(random.randrange(1, 32))}, **ERR_CONTROLBLOCK_SIZE) 800 # Test that truncating the control block invalidates it. 801 add_spender(spenders, "spendpath/truncshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_CONTROLBLOCK_SIZE) 802 # Test that truncating the control block to 1 byte ("-1 Merkle length") invalidates it 803 add_spender(spenders, "spendpath/trunc1shortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:1]}, **ERR_CONTROLBLOCK_SIZE) 804 805 # == Test BIP342 edge cases == 806 807 csa_low_val = random.randrange(0, 17) # Within range for OP_n 808 csa_low_result = csa_low_val + 1 809 810 csa_high_val = random.randrange(17, 100) if random.getrandbits(1) else random.randrange(-100, -1) # Outside OP_n range 811 csa_high_result = csa_high_val + 1 812 813 OVERSIZE_NUMBER = 2**31 814 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER))), 6) 815 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER-1))), 5) 816 817 big_choices = [] 818 big_scriptops = [] 819 for i in range(1000): 820 r = random.randrange(len(pubs)) 821 big_choices.append(r) 822 big_scriptops += [pubs[r], OP_CHECKSIGVERIFY] 823 824 825 def big_spend_inputs(ctx): 826 """Helper function to construct the script input for t33/t34 below.""" 827 # Instead of signing 999 times, precompute signatures for every (key, hashtype) combination 828 sigs = {} 829 for ht in VALID_SIGHASHES_TAPROOT: 830 for k in range(len(pubs)): 831 sigs[(k, ht)] = override(default_sign, hashtype=ht, key=secs[k])(ctx) 832 num = get(ctx, "num") 833 return [sigs[(big_choices[i], random.choice(VALID_SIGHASHES_TAPROOT))] for i in range(num - 1, -1, -1)] 834 835 # Various BIP342 features 836 scripts = [ 837 # 0) drop stack element and OP_CHECKSIG 838 ("t0", CScript([OP_DROP, pubs[1], OP_CHECKSIG])), 839 # 1) normal OP_CHECKSIG 840 ("t1", CScript([pubs[1], OP_CHECKSIG])), 841 # 2) normal OP_CHECKSIGVERIFY 842 ("t2", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1])), 843 # 3) Hypothetical OP_CHECKMULTISIG script that takes a single sig as input 844 ("t3", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIG])), 845 # 4) Hypothetical OP_CHECKMULTISIGVERIFY script that takes a single sig as input 846 ("t4", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIGVERIFY, OP_1])), 847 # 5) OP_IF script that needs a true input 848 ("t5", CScript([OP_IF, pubs[1], OP_CHECKSIG, OP_ELSE, OP_RETURN, OP_ENDIF])), 849 # 6) OP_NOTIF script that needs a true input 850 ("t6", CScript([OP_NOTIF, OP_RETURN, OP_ELSE, pubs[1], OP_CHECKSIG, OP_ENDIF])), 851 # 7) OP_CHECKSIG with an empty key 852 ("t7", CScript([OP_0, OP_CHECKSIG])), 853 # 8) OP_CHECKSIGVERIFY with an empty key 854 ("t8", CScript([OP_0, OP_CHECKSIGVERIFY, OP_1])), 855 # 9) normal OP_CHECKSIGADD that also ensures return value is correct 856 ("t9", CScript([csa_low_val, pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 857 # 10) OP_CHECKSIGADD with empty key 858 ("t10", CScript([csa_low_val, OP_0, OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 859 # 11) OP_CHECKSIGADD with missing counter stack element 860 ("t11", CScript([pubs[1], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 861 # 12) OP_CHECKSIG that needs invalid signature 862 ("t12", CScript([pubs[1], OP_CHECKSIGVERIFY, pubs[0], OP_CHECKSIG, OP_NOT])), 863 # 13) OP_CHECKSIG with empty key that needs invalid signature 864 ("t13", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_CHECKSIG, OP_NOT])), 865 # 14) OP_CHECKSIGADD that needs invalid signature 866 ("t14", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, pubs[0], OP_CHECKSIGADD, OP_NOT])), 867 # 15) OP_CHECKSIGADD with empty key that needs invalid signature 868 ("t15", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGADD, OP_NOT])), 869 # 16) OP_CHECKSIG with unknown pubkey type 870 ("t16", CScript([OP_1, OP_CHECKSIG])), 871 # 17) OP_CHECKSIGADD with unknown pubkey type 872 ("t17", CScript([OP_0, OP_1, OP_CHECKSIGADD])), 873 # 18) OP_CHECKSIGVERIFY with unknown pubkey type 874 ("t18", CScript([OP_1, OP_CHECKSIGVERIFY, OP_1])), 875 # 19) script longer than 10000 bytes and over 201 non-push opcodes 876 ("t19", CScript([OP_0, OP_0, OP_2DROP] * 10001 + [pubs[1], OP_CHECKSIG])), 877 # 20) OP_CHECKSIGVERIFY with empty key 878 ("t20", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGVERIFY, OP_1])), 879 # 21) Script that grows the stack to 1000 elements 880 ("t21", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 999 + [OP_DROP] * 999)), 881 # 22) Script that grows the stack to 1001 elements 882 ("t22", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 1000 + [OP_DROP] * 1000)), 883 # 23) Script that expects an input stack of 1000 elements 884 ("t23", CScript([OP_DROP] * 999 + [pubs[1], OP_CHECKSIG])), 885 # 24) Script that expects an input stack of 1001 elements 886 ("t24", CScript([OP_DROP] * 1000 + [pubs[1], OP_CHECKSIG])), 887 # 25) Script that pushes a MAX_SCRIPT_ELEMENT_SIZE-bytes element 888 ("t25", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE), OP_DROP, pubs[1], OP_CHECKSIG])), 889 # 26) Script that pushes a (MAX_SCRIPT_ELEMENT_SIZE+1)-bytes element 890 ("t26", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, pubs[1], OP_CHECKSIG])), 891 # 27) CHECKSIGADD that must fail because numeric argument number is >4 bytes 892 ("t27", CScript([CScriptNum(OVERSIZE_NUMBER), pubs[1], OP_CHECKSIGADD])), 893 # 28) Pushes random CScriptNum value, checks OP_CHECKSIGADD result 894 ("t28", CScript([csa_high_val, pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 895 # 29) CHECKSIGADD that succeeds with proper sig because numeric argument number is <=4 bytes 896 ("t29", CScript([CScriptNum(OVERSIZE_NUMBER-1), pubs[1], OP_CHECKSIGADD])), 897 # 30) Variant of t1 with "normal" 33-byte pubkey 898 ("t30", CScript([b'\x03' + pubs[1], OP_CHECKSIG])), 899 # 31) Variant of t2 with "normal" 33-byte pubkey 900 ("t31", CScript([b'\x02' + pubs[1], OP_CHECKSIGVERIFY, OP_1])), 901 # 32) Variant of t28 with "normal" 33-byte pubkey 902 ("t32", CScript([csa_high_val, b'\x03' + pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 903 # 33) 999-of-999 multisig 904 ("t33", CScript(big_scriptops[:1998] + [OP_1])), 905 # 34) 1000-of-1000 multisig 906 ("t34", CScript(big_scriptops[:2000] + [OP_1])), 907 # 35) Variant of t9 that uses a non-minimally encoded input arg 908 ("t35", CScript([bytes([csa_low_val]), pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 909 # 36) Empty script 910 ("t36", CScript([])), 911 ] 912 # Add many dummies to test huge trees 913 for j in range(100000): 914 scripts.append((None, CScript([OP_RETURN, random.randrange(100000)]))) 915 random.shuffle(scripts) 916 tap = taproot_construct(pubs[0], scripts) 917 common = { 918 "hashtype": hashtype, 919 "key": secs[1], 920 "tap": tap, 921 } 922 # Test that MAX_SCRIPT_ELEMENT_SIZE byte stack element inputs are valid, but not one more (and 80 bytes is standard but 81 is not). 923 add_spender(spenders, "tapscript/inputmaxlimit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random_bytes(MAX_SCRIPT_ELEMENT_SIZE)], failure={"inputs": [getter("sign"), random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1)]}, **ERR_PUSH_LIMIT) 924 add_spender(spenders, "tapscript/input80limit", leaf="t0", **common, inputs=[getter("sign"), random_bytes(80)]) 925 add_spender(spenders, "tapscript/input81limit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random_bytes(81)]) 926 # Test that OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY cause failure, but OP_CHECKSIG and OP_CHECKSIGVERIFY work. 927 add_spender(spenders, "tapscript/disabled_checkmultisig", leaf="t1", **common, **SINGLE_SIG, failure={"leaf": "t3"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 928 add_spender(spenders, "tapscript/disabled_checkmultisigverify", leaf="t2", **common, **SINGLE_SIG, failure={"leaf": "t4"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 929 # Test that OP_IF and OP_NOTIF do not accept non-0x01 as truth value (the MINIMALIF rule is consensus in Tapscript) 930 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x02']}, **ERR_MINIMALIF) 931 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x03']}, **ERR_MINIMALIF) 932 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0001']}, **ERR_MINIMALIF) 933 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0100']}, **ERR_MINIMALIF) 934 # Test that 1-byte public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid. 935 add_spender(spenders, "tapscript/unkpk/checksig", leaf="t16", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t7"}, **ERR_UNKNOWN_PUBKEY) 936 add_spender(spenders, "tapscript/unkpk/checksigadd", leaf="t17", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 937 add_spender(spenders, "tapscript/unkpk/checksigverify", leaf="t18", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t8"}, **ERR_UNKNOWN_PUBKEY) 938 # Test that 33-byte public keys (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case. 939 add_spender(spenders, "tapscript/oldpk/checksig", leaf="t30", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t1"}, **ERR_SIG_SCHNORR) 940 add_spender(spenders, "tapscript/oldpk/checksigadd", leaf="t31", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t2"}, **ERR_SIG_SCHNORR) 941 add_spender(spenders, "tapscript/oldpk/checksigverify", leaf="t32", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t28"}, **ERR_SIG_SCHNORR) 942 # Test that 0-byte public keys are not acceptable. 943 add_spender(spenders, "tapscript/emptypk/checksig", leaf="t1", **SINGLE_SIG, **common, failure={"leaf": "t7"}, **ERR_UNKNOWN_PUBKEY) 944 add_spender(spenders, "tapscript/emptypk/checksigverify", leaf="t2", **SINGLE_SIG, **common, failure={"leaf": "t8"}, **ERR_UNKNOWN_PUBKEY) 945 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 946 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t35", standard=False, **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 947 # Test that OP_CHECKSIGADD results are as expected 948 add_spender(spenders, "tapscript/checksigaddresults", leaf="t28", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 949 add_spender(spenders, "tapscript/checksigaddoversize", leaf="t29", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 950 # Test that OP_CHECKSIGADD requires 3 stack elements. 951 add_spender(spenders, "tapscript/checksigadd3args", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t11"}, **ERR_STACK_EMPTY) 952 # Test that empty signatures do not cause script failure in OP_CHECKSIG and OP_CHECKSIGADD (but do fail with empty pubkey, and do fail OP_CHECKSIGVERIFY) 953 add_spender(spenders, "tapscript/emptysigs/checksig", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t13"}, **ERR_UNKNOWN_PUBKEY) 954 add_spender(spenders, "tapscript/emptysigs/nochecksigverify", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t20"}, **ERR_UNKNOWN_PUBKEY) 955 add_spender(spenders, "tapscript/emptysigs/checksigadd", leaf="t14", **common, inputs=[b'', getter("sign")], failure={"leaf": "t15"}, **ERR_UNKNOWN_PUBKEY) 956 # Test that scripts over 10000 bytes (and over 201 non-push ops) are acceptable. 957 add_spender(spenders, "tapscript/no10000limit", leaf="t19", **SINGLE_SIG, **common) 958 # Test that a stack size of 1000 elements is permitted, but 1001 isn't. 959 add_spender(spenders, "tapscript/1000stack", leaf="t21", **SINGLE_SIG, **common, failure={"leaf": "t22"}, **ERR_STACK_SIZE) 960 # Test that an input stack size of 1000 elements is permitted, but 1001 isn't. 961 add_spender(spenders, "tapscript/1000inputs", leaf="t23", **common, inputs=[getter("sign")] + [b'' for _ in range(999)], failure={"leaf": "t24", "inputs": [getter("sign")] + [b'' for _ in range(1000)]}, **ERR_STACK_SIZE) 962 # Test that pushing a MAX_SCRIPT_ELEMENT_SIZE byte stack element is valid, but one longer is not. 963 add_spender(spenders, "tapscript/pushmaxlimit", leaf="t25", **common, **SINGLE_SIG, failure={"leaf": "t26"}, **ERR_PUSH_LIMIT) 964 # Test that 999-of-999 multisig works (but 1000-of-1000 triggers stack size limits) 965 add_spender(spenders, "tapscript/bigmulti", leaf="t33", **common, inputs=big_spend_inputs, num=999, failure={"leaf": "t34", "num": 1000}, **ERR_STACK_SIZE) 966 # Test that the CLEANSTACK rule is consensus critical in tapscript 967 add_spender(spenders, "tapscript/cleanstack", leaf="t36", tap=tap, inputs=[b'\x01'], failure={"inputs": [b'\x01', b'\x01']}, **ERR_CLEANSTACK) 968 969 # == Test for sigops ratio limit == 970 971 # Given a number n, and a public key pk, functions that produce a (CScript, sigops). Each script takes as 972 # input a valid signature with the passed pk followed by a dummy push of bytes that are to be dropped, and 973 # will execute sigops signature checks. 974 SIGOPS_RATIO_SCRIPTS = [ 975 # n OP_CHECKSIGVERFIYs and 1 OP_CHECKSIG. 976 lambda n, pk: (CScript([OP_DROP, pk] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_CHECKSIG]), n + 1), 977 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGVERIFY. 978 lambda n, pk: (CScript([OP_DROP, pk, OP_0, OP_IF, OP_2DUP, OP_CHECKSIGVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_2, OP_SWAP, OP_CHECKSIGADD, OP_3, OP_EQUAL]), n + 1), 979 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIG. 980 lambda n, pk: (CScript([random_bytes(220), OP_2DROP, pk, OP_1, OP_NOTIF, OP_2DUP, OP_CHECKSIG, OP_VERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_4, OP_SWAP, OP_CHECKSIGADD, OP_5, OP_EQUAL]), n + 1), 981 # n OP_CHECKSIGVERFIYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGADD. 982 lambda n, pk: (CScript([OP_DROP, pk, OP_1, OP_IF, OP_ELSE, OP_2DUP, OP_6, OP_SWAP, OP_CHECKSIGADD, OP_7, OP_EQUALVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_8, OP_SWAP, OP_CHECKSIGADD, OP_9, OP_EQUAL]), n + 1), 983 # n+1 OP_CHECKSIGs, but also one OP_CHECKSIG with an empty signature. 984 lambda n, pk: (CScript([OP_DROP, OP_0, pk, OP_CHECKSIG, OP_NOT, OP_VERIFY, pk] + [OP_2DUP, OP_CHECKSIG, OP_VERIFY] * n + [OP_CHECKSIG]), n + 1), 985 # n OP_CHECKSIGADDs and 1 OP_CHECKSIG, but also an OP_CHECKSIGADD with an empty signature. 986 lambda n, pk: (CScript([OP_DROP, OP_0, OP_10, pk, OP_CHECKSIGADD, OP_10, OP_EQUALVERIFY, pk] + [OP_2DUP, OP_16, OP_SWAP, OP_CHECKSIGADD, b'\x11', OP_EQUALVERIFY] * n + [OP_CHECKSIG]), n + 1), 987 ] 988 for annex in [None, bytes([ANNEX_TAG]) + random_bytes(random.randrange(1000))]: 989 for hashtype in [SIGHASH_DEFAULT, SIGHASH_ALL]: 990 for pubkey in [pubs[1], random_bytes(random.choice([x for x in range(2, 81) if x != 32]))]: 991 for fn_num, fn in enumerate(SIGOPS_RATIO_SCRIPTS): 992 merkledepth = random.randrange(129) 993 994 995 def predict_sigops_ratio(n, dummy_size): 996 """Predict whether spending fn(n, pubkey) with dummy_size will pass the ratio test.""" 997 script, sigops = fn(n, pubkey) 998 # Predict the size of the witness for a given choice of n 999 stacklen_size = 1 1000 sig_size = 64 + (hashtype != SIGHASH_DEFAULT) 1001 siglen_size = 1 1002 dummylen_size = 1 + 2 * (dummy_size >= 253) 1003 script_size = len(script) 1004 scriptlen_size = 1 + 2 * (script_size >= 253) 1005 control_size = 33 + 32 * merkledepth 1006 controllen_size = 1 + 2 * (control_size >= 253) 1007 annex_size = 0 if annex is None else len(annex) 1008 annexlen_size = 0 if annex is None else 1 + 2 * (annex_size >= 253) 1009 witsize = stacklen_size + sig_size + siglen_size + dummy_size + dummylen_size + script_size + scriptlen_size + control_size + controllen_size + annex_size + annexlen_size 1010 # sigops ratio test 1011 return witsize + 50 >= 50 * sigops 1012 # Make sure n is high enough that with empty dummy, the script is not valid 1013 n = 0 1014 while predict_sigops_ratio(n, 0): 1015 n += 1 1016 # But allow picking a bit higher still 1017 n += random.randrange(5) 1018 # Now pick dummy size *just* large enough that the overall construction passes 1019 dummylen = 0 1020 while not predict_sigops_ratio(n, dummylen): 1021 dummylen += 1 1022 scripts = [("s", fn(n, pubkey)[0])] 1023 for _ in range(merkledepth): 1024 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 1025 tap = taproot_construct(pubs[0], scripts) 1026 standard = annex is None and dummylen <= 80 and len(pubkey) == 32 1027 add_spender(spenders, "tapscript/sigopsratio_%i" % fn_num, tap=tap, leaf="s", annex=annex, hashtype=hashtype, key=secs[1], inputs=[getter("sign"), random_bytes(dummylen)], standard=standard, failure={"inputs": [getter("sign"), random_bytes(dummylen - 1)]}, **ERR_SIGOPS_RATIO) 1028 1029 # Future leaf versions 1030 for leafver in range(0, 0x100, 2): 1031 if leafver == LEAF_VERSION_TAPSCRIPT or leafver == ANNEX_TAG: 1032 # Skip the defined LEAF_VERSION_TAPSCRIPT, and the ANNEX_TAG which is not usable as leaf version 1033 continue 1034 scripts = [ 1035 ("bare_c0", CScript([OP_NOP])), 1036 ("bare_unkver", CScript([OP_NOP]), leafver), 1037 ("return_c0", CScript([OP_RETURN])), 1038 ("return_unkver", CScript([OP_RETURN]), leafver), 1039 ("undecodable_c0", CScript([OP_PUSHDATA1])), 1040 ("undecodable_unkver", CScript([OP_PUSHDATA1]), leafver), 1041 ("bigpush_c0", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP])), 1042 ("bigpush_unkver", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP]), leafver), 1043 ("1001push_c0", CScript([OP_0] * 1001)), 1044 ("1001push_unkver", CScript([OP_0] * 1001), leafver), 1045 ] 1046 random.shuffle(scripts) 1047 tap = taproot_construct(pubs[0], scripts) 1048 add_spender(spenders, "unkver/bare", standard=False, tap=tap, leaf="bare_unkver", failure={"leaf": "bare_c0"}, **ERR_CLEANSTACK) 1049 add_spender(spenders, "unkver/return", standard=False, tap=tap, leaf="return_unkver", failure={"leaf": "return_c0"}, **ERR_OP_RETURN) 1050 add_spender(spenders, "unkver/undecodable", standard=False, tap=tap, leaf="undecodable_unkver", failure={"leaf": "undecodable_c0"}, **ERR_UNDECODABLE) 1051 add_spender(spenders, "unkver/bigpush", standard=False, tap=tap, leaf="bigpush_unkver", failure={"leaf": "bigpush_c0"}, **ERR_PUSH_LIMIT) 1052 add_spender(spenders, "unkver/1001push", standard=False, tap=tap, leaf="1001push_unkver", failure={"leaf": "1001push_c0"}, **ERR_STACK_SIZE) 1053 add_spender(spenders, "unkver/1001inputs", standard=False, tap=tap, leaf="bare_unkver", inputs=[b'']*1001, failure={"leaf": "bare_c0"}, **ERR_STACK_SIZE) 1054 1055 # OP_SUCCESSx tests. 1056 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 1057 for opval in range(76, 0x100): 1058 opcode = CScriptOp(opval) 1059 if not is_op_success(opcode): 1060 continue 1061 scripts = [ 1062 ("bare_success", CScript([opcode])), 1063 ("bare_nop", CScript([OP_NOP])), 1064 ("unexecif_success", CScript([OP_0, OP_IF, opcode, OP_ENDIF])), 1065 ("unexecif_nop", CScript([OP_0, OP_IF, OP_NOP, OP_ENDIF])), 1066 ("return_success", CScript([OP_RETURN, opcode])), 1067 ("return_nop", CScript([OP_RETURN, OP_NOP])), 1068 ("undecodable_success", CScript([opcode, OP_PUSHDATA1])), 1069 ("undecodable_nop", CScript([OP_NOP, OP_PUSHDATA1])), 1070 ("undecodable_bypassed_success", CScript([OP_PUSHDATA1, OP_2, opcode])), 1071 ("bigpush_success", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, opcode])), 1072 ("bigpush_nop", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, OP_NOP])), 1073 ("1001push_success", CScript([OP_0] * 1001 + [opcode])), 1074 ("1001push_nop", CScript([OP_0] * 1001 + [OP_NOP])), 1075 ] 1076 random.shuffle(scripts) 1077 tap = taproot_construct(pubs[0], scripts) 1078 add_spender(spenders, "opsuccess/bare", standard=False, tap=tap, leaf="bare_success", failure={"leaf": "bare_nop"}, **ERR_CLEANSTACK) 1079 add_spender(spenders, "opsuccess/unexecif", standard=False, tap=tap, leaf="unexecif_success", failure={"leaf": "unexecif_nop"}, **ERR_CLEANSTACK) 1080 add_spender(spenders, "opsuccess/return", standard=False, tap=tap, leaf="return_success", failure={"leaf": "return_nop"}, **ERR_OP_RETURN) 1081 add_spender(spenders, "opsuccess/undecodable", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_nop"}, **ERR_UNDECODABLE) 1082 add_spender(spenders, "opsuccess/undecodable_bypass", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_bypassed_success"}, **ERR_UNDECODABLE) 1083 add_spender(spenders, "opsuccess/bigpush", standard=False, tap=tap, leaf="bigpush_success", failure={"leaf": "bigpush_nop"}, **ERR_PUSH_LIMIT) 1084 add_spender(spenders, "opsuccess/1001push", standard=False, tap=tap, leaf="1001push_success", failure={"leaf": "1001push_nop"}, **ERR_STACK_SIZE) 1085 add_spender(spenders, "opsuccess/1001inputs", standard=False, tap=tap, leaf="bare_success", inputs=[b'']*1001, failure={"leaf": "bare_nop"}, **ERR_STACK_SIZE) 1086 1087 # Non-OP_SUCCESSx (verify that those aren't accidentally treated as OP_SUCCESSx) 1088 for opval in range(0, 0x100): 1089 opcode = CScriptOp(opval) 1090 if is_op_success(opcode): 1091 continue 1092 scripts = [ 1093 ("normal", CScript([OP_RETURN, opcode] + [OP_NOP] * 75)), 1094 ("op_success", CScript([OP_RETURN, CScriptOp(0x50)])) 1095 ] 1096 tap = taproot_construct(pubs[0], scripts) 1097 add_spender(spenders, "alwaysvalid/notsuccessx", tap=tap, leaf="op_success", inputs=[], standard=False, failure={"leaf": "normal"}) # err_msg differs based on opcode 1098 1099 # == Legacy tests == 1100 1101 # Also add a few legacy spends into the mix, so that transactions which combine taproot and pre-taproot spends get tested too. 1102 for compressed in [False, True]: 1103 eckey1 = ECKey() 1104 eckey1.set(generate_privkey(), compressed) 1105 pubkey1 = eckey1.get_pubkey().get_bytes() 1106 eckey2 = ECKey() 1107 eckey2.set(generate_privkey(), compressed) 1108 for p2sh in [False, True]: 1109 for witv0 in [False, True]: 1110 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1111 standard = (hashtype in VALID_SIGHASHES_ECDSA) and (compressed or not witv0) 1112 add_spender(spenders, "legacy/pk-wrongkey", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([pubkey1, OP_CHECKSIG]), **SINGLE_SIG, key=eckey1, failure={"key": eckey2}, sigops_weight=4-3*witv0, **ERR_NO_SUCCESS) 1113 add_spender(spenders, "legacy/pkh-sighashflip", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, pkh=pubkey1, key=eckey1, **SIGHASH_BITFLIP, sigops_weight=4-3*witv0, **ERR_NO_SUCCESS) 1114 1115 # Verify that OP_CHECKSIGADD wasn't accidentally added to pre-taproot validation logic. 1116 for p2sh in [False, True]: 1117 for witv0 in [False, True]: 1118 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1119 standard = hashtype in VALID_SIGHASHES_ECDSA and (p2sh or witv0) 1120 add_spender(spenders, "compat/nocsa", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([OP_IF, OP_11, pubkey1, OP_CHECKSIGADD, OP_12, OP_EQUAL, OP_ELSE, pubkey1, OP_CHECKSIG, OP_ENDIF]), key=eckey1, sigops_weight=4-3*witv0, inputs=[getter("sign"), b''], failure={"inputs": [getter("sign"), b'\x01']}, **ERR_UNDECODABLE) 1121 1122 return spenders 1123 1124def spenders_taproot_inactive(): 1125 """Spenders for testing that pre-activation Taproot rules don't apply.""" 1126 1127 spenders = [] 1128 1129 sec = generate_privkey() 1130 pub, _ = compute_xonly_pubkey(sec) 1131 scripts = [ 1132 ("pk", CScript([pub, OP_CHECKSIG])), 1133 ("future_leaf", CScript([pub, OP_CHECKSIG]), 0xc2), 1134 ("op_success", CScript([pub, OP_CHECKSIG, OP_0, OP_IF, CScriptOp(0x50), OP_ENDIF])), 1135 ] 1136 tap = taproot_construct(pub, scripts) 1137 1138 # Test that keypath spending is valid & non-standard, regardless of validity. 1139 add_spender(spenders, "inactive/keypath_valid", key=sec, tap=tap, standard=False) 1140 add_spender(spenders, "inactive/keypath_invalidsig", key=sec, tap=tap, standard=False, sighash=bitflipper(default_sighash)) 1141 add_spender(spenders, "inactive/keypath_empty", key=sec, tap=tap, standard=False, witness=[]) 1142 1143 # Same for scriptpath spending (and features like annex, leaf versions, or OP_SUCCESS don't change this) 1144 add_spender(spenders, "inactive/scriptpath_valid", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")]) 1145 add_spender(spenders, "inactive/scriptpath_invalidsig", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1146 add_spender(spenders, "inactive/scriptpath_invalidcb", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")], controlblock=bitflipper(default_controlblock)) 1147 add_spender(spenders, "inactive/scriptpath_valid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")]) 1148 add_spender(spenders, "inactive/scriptpath_invalid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1149 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")]) 1150 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1151 1152 return spenders 1153 1154# Consensus validation flags to use in dumps for tests with "legacy/" or "inactive/" prefix. 1155LEGACY_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY" 1156# Consensus validation flags to use in dumps for all other tests. 1157TAPROOT_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT" 1158 1159def dump_json_test(tx, input_utxos, idx, success, failure): 1160 spender = input_utxos[idx].spender 1161 # Determine flags to dump 1162 flags = LEGACY_FLAGS if spender.comment.startswith("legacy/") or spender.comment.startswith("inactive/") else TAPROOT_FLAGS 1163 1164 fields = [ 1165 ("tx", tx.serialize().hex()), 1166 ("prevouts", [x.output.serialize().hex() for x in input_utxos]), 1167 ("index", idx), 1168 ("flags", flags), 1169 ("comment", spender.comment) 1170 ] 1171 1172 # The "final" field indicates that a spend should be always valid, even with more validation flags enabled 1173 # than the listed ones. Use standardness as a proxy for this (which gives a conservative underestimate). 1174 if spender.is_standard: 1175 fields.append(("final", True)) 1176 1177 def dump_witness(wit): 1178 return OrderedDict([("scriptSig", wit[0].hex()), ("witness", [x.hex() for x in wit[1]])]) 1179 if success is not None: 1180 fields.append(("success", dump_witness(success))) 1181 if failure is not None: 1182 fields.append(("failure", dump_witness(failure))) 1183 1184 # Write the dump to $TEST_DUMP_DIR/x/xyz... where x,y,z,... are the SHA1 sum of the dump (which makes the 1185 # file naming scheme compatible with fuzzing infrastructure). 1186 dump = json.dumps(OrderedDict(fields)) + ",\n" 1187 sha1 = hashlib.sha1(dump.encode("utf-8")).hexdigest() 1188 dirname = os.environ.get("TEST_DUMP_DIR", ".") + ("/%s" % sha1[0]) 1189 os.makedirs(dirname, exist_ok=True) 1190 with open(dirname + ("/%s" % sha1), 'w', encoding="utf8") as f: 1191 f.write(dump) 1192 1193# Data type to keep track of UTXOs, where they were created, and how to spend them. 1194UTXOData = namedtuple('UTXOData', 'outpoint,output,spender') 1195 1196 1197class TaprootTest(BitcoinTestFramework): 1198 def add_options(self, parser): 1199 parser.add_argument("--dumptests", dest="dump_tests", default=False, action="store_true", 1200 help="Dump generated test cases to directory set by TEST_DUMP_DIR environment variable") 1201 parser.add_argument("--previous_release", dest="previous_release", default=False, action="store_true", 1202 help="Use a previous release as taproot-inactive node") 1203 1204 def skip_test_if_missing_module(self): 1205 self.skip_if_no_wallet() 1206 if self.options.previous_release: 1207 self.skip_if_no_previous_releases() 1208 1209 def set_test_params(self): 1210 self.num_nodes = 2 1211 self.setup_clean_chain = True 1212 # Node 0 has Taproot inactive, Node 1 active. 1213 self.extra_args = [["-par=1"], ["-par=1"]] 1214 if self.options.previous_release: 1215 self.wallet_names = [None, self.default_wallet_name] 1216 else: 1217 self.extra_args[0].append("-vbparams=taproot:1:1") 1218 1219 def setup_nodes(self): 1220 self.add_nodes(self.num_nodes, self.extra_args, versions=[ 1221 200100 if self.options.previous_release else None, 1222 None, 1223 ]) 1224 self.start_nodes() 1225 self.import_deterministic_coinbase_privkeys() 1226 1227 def block_submit(self, node, txs, msg, err_msg, cb_pubkey=None, fees=0, sigops_weight=0, witness=False, accept=False): 1228 1229 # Deplete block of any non-tapscript sigops using a single additional 0-value coinbase output. 1230 # It is not impossible to fit enough tapscript sigops to hit the old 80k limit without 1231 # busting txin-level limits. We simply have to account for the p2pk outputs in all 1232 # transactions. 1233 extra_output_script = CScript([OP_CHECKSIG]*((MAX_BLOCK_SIGOPS_WEIGHT - sigops_weight) // WITNESS_SCALE_FACTOR)) 1234 1235 block = create_block(self.tip, create_coinbase(self.lastblockheight + 1, pubkey=cb_pubkey, extra_output_script=extra_output_script, fees=fees), self.lastblocktime + 1) 1236 block.nVersion = 4 1237 for tx in txs: 1238 tx.rehash() 1239 block.vtx.append(tx) 1240 block.hashMerkleRoot = block.calc_merkle_root() 1241 witness and add_witness_commitment(block) 1242 block.rehash() 1243 block.solve() 1244 block_response = node.submitblock(block.serialize().hex()) 1245 if err_msg is not None: 1246 assert block_response is not None and err_msg in block_response, "Missing error message '%s' from block response '%s': %s" % (err_msg, "(None)" if block_response is None else block_response, msg) 1247 if accept: 1248 assert node.getbestblockhash() == block.hash, "Failed to accept: %s (response: %s)" % (msg, block_response) 1249 self.tip = block.sha256 1250 self.lastblockhash = block.hash 1251 self.lastblocktime += 1 1252 self.lastblockheight += 1 1253 else: 1254 assert node.getbestblockhash() == self.lastblockhash, "Failed to reject: " + msg 1255 1256 def test_spenders(self, node, spenders, input_counts): 1257 """Run randomized tests with a number of "spenders". 1258 1259 Steps: 1260 1) Generate an appropriate UTXO for each spender to test spend conditions 1261 2) Generate 100 random addresses of all wallet types: pkh/sh_wpkh/wpkh 1262 3) Select random number of inputs from (1) 1263 4) Select random number of addresses from (2) as outputs 1264 1265 Each spender embodies a test; in a large randomized test, it is verified 1266 that toggling the valid argument to each lambda toggles the validity of 1267 the transaction. This is accomplished by constructing transactions consisting 1268 of all valid inputs, except one invalid one. 1269 """ 1270 1271 # Construct a bunch of sPKs that send coins back to the host wallet 1272 self.log.info("- Constructing addresses for returning coins") 1273 host_spks = [] 1274 host_pubkeys = [] 1275 for i in range(16): 1276 addr = node.getnewaddress(address_type=random.choice(["legacy", "p2sh-segwit", "bech32"])) 1277 info = node.getaddressinfo(addr) 1278 spk = bytes.fromhex(info['scriptPubKey']) 1279 host_spks.append(spk) 1280 host_pubkeys.append(bytes.fromhex(info['pubkey'])) 1281 1282 # Initialize variables used by block_submit(). 1283 self.lastblockhash = node.getbestblockhash() 1284 self.tip = int(self.lastblockhash, 16) 1285 block = node.getblock(self.lastblockhash) 1286 self.lastblockheight = block['height'] 1287 self.lastblocktime = block['time'] 1288 1289 # Create transactions spending up to 50 of the wallet's inputs, with one output for each spender, and 1290 # one change output at the end. The transaction is constructed on the Python side to enable 1291 # having multiple outputs to the same address and outputs with no assigned address. The wallet 1292 # is then asked to sign it through signrawtransactionwithwallet, and then added to a block on the 1293 # Python side (to bypass standardness rules). 1294 self.log.info("- Creating test UTXOs...") 1295 random.shuffle(spenders) 1296 normal_utxos = [] 1297 mismatching_utxos = [] # UTXOs with input that requires mismatching output position 1298 done = 0 1299 while done < len(spenders): 1300 # Compute how many UTXOs to create with this transaction 1301 count_this_tx = min(len(spenders) - done, (len(spenders) + 4) // 5, 10000) 1302 1303 fund_tx = CTransaction() 1304 # Add the 50 highest-value inputs 1305 unspents = node.listunspent() 1306 random.shuffle(unspents) 1307 unspents.sort(key=lambda x: int(x["amount"] * 100000000), reverse=True) 1308 if len(unspents) > 50: 1309 unspents = unspents[:50] 1310 random.shuffle(unspents) 1311 balance = 0 1312 for unspent in unspents: 1313 balance += int(unspent["amount"] * 100000000) 1314 txid = int(unspent["txid"], 16) 1315 fund_tx.vin.append(CTxIn(COutPoint(txid, int(unspent["vout"])), CScript())) 1316 # Add outputs 1317 cur_progress = done / len(spenders) 1318 next_progress = (done + count_this_tx) / len(spenders) 1319 change_goal = (1.0 - 0.6 * next_progress) / (1.0 - 0.6 * cur_progress) * balance 1320 self.log.debug("Create %i UTXOs in a transaction spending %i inputs worth %.8f (sending ~%.8f to change)" % (count_this_tx, len(unspents), balance * 0.00000001, change_goal * 0.00000001)) 1321 for i in range(count_this_tx): 1322 avg = (balance - change_goal) / (count_this_tx - i) 1323 amount = int(random.randrange(int(avg*0.85 + 0.5), int(avg*1.15 + 0.5)) + 0.5) 1324 balance -= amount 1325 fund_tx.vout.append(CTxOut(amount, spenders[done + i].script)) 1326 # Add change 1327 fund_tx.vout.append(CTxOut(balance - 10000, random.choice(host_spks))) 1328 # Ask the wallet to sign 1329 ss = BytesIO(bytes.fromhex(node.signrawtransactionwithwallet(fund_tx.serialize().hex())["hex"])) 1330 fund_tx.deserialize(ss) 1331 # Construct UTXOData entries 1332 fund_tx.rehash() 1333 for i in range(count_this_tx): 1334 utxodata = UTXOData(outpoint=COutPoint(fund_tx.sha256, i), output=fund_tx.vout[i], spender=spenders[done]) 1335 if utxodata.spender.need_vin_vout_mismatch: 1336 mismatching_utxos.append(utxodata) 1337 else: 1338 normal_utxos.append(utxodata) 1339 done += 1 1340 # Mine into a block 1341 self.block_submit(node, [fund_tx], "Funding tx", None, random.choice(host_pubkeys), 10000, MAX_BLOCK_SIGOPS_WEIGHT, True, True) 1342 1343 # Consume groups of choice(input_coins) from utxos in a tx, testing the spenders. 1344 self.log.info("- Running %i spending tests" % done) 1345 random.shuffle(normal_utxos) 1346 random.shuffle(mismatching_utxos) 1347 assert done == len(normal_utxos) + len(mismatching_utxos) 1348 1349 left = done 1350 while left: 1351 # Construct CTransaction with random nVersion, nLocktime 1352 tx = CTransaction() 1353 tx.nVersion = random.choice([1, 2, random.randint(-0x80000000, 0x7fffffff)]) 1354 min_sequence = (tx.nVersion != 1 and tx.nVersion != 0) * 0x80000000 # The minimum sequence number to disable relative locktime 1355 if random.choice([True, False]): 1356 tx.nLockTime = random.randrange(LOCKTIME_THRESHOLD, self.lastblocktime - 7200) # all absolute locktimes in the past 1357 else: 1358 tx.nLockTime = random.randrange(self.lastblockheight + 1) # all block heights in the past 1359 1360 # Decide how many UTXOs to test with. 1361 acceptable = [n for n in input_counts if n <= left and (left - n > max(input_counts) or (left - n) in [0] + input_counts)] 1362 num_inputs = random.choice(acceptable) 1363 1364 # If we have UTXOs that require mismatching inputs/outputs left, include exactly one of those 1365 # unless there is only one normal UTXO left (as tests with mismatching UTXOs require at least one 1366 # normal UTXO to go in the first position), and we don't want to run out of normal UTXOs. 1367 input_utxos = [] 1368 while len(mismatching_utxos) and (len(input_utxos) == 0 or len(normal_utxos) == 1): 1369 input_utxos.append(mismatching_utxos.pop()) 1370 left -= 1 1371 1372 # Top up until we hit num_inputs (but include at least one normal UTXO always). 1373 for _ in range(max(1, num_inputs - len(input_utxos))): 1374 input_utxos.append(normal_utxos.pop()) 1375 left -= 1 1376 1377 # The first input cannot require a mismatching output (as there is at least one output). 1378 while True: 1379 random.shuffle(input_utxos) 1380 if not input_utxos[0].spender.need_vin_vout_mismatch: 1381 break 1382 first_mismatch_input = None 1383 for i in range(len(input_utxos)): 1384 if input_utxos[i].spender.need_vin_vout_mismatch: 1385 first_mismatch_input = i 1386 assert first_mismatch_input is None or first_mismatch_input > 0 1387 1388 # Decide fee, and add CTxIns to tx. 1389 amount = sum(utxo.output.nValue for utxo in input_utxos) 1390 fee = min(random.randrange(MIN_FEE * 2, MIN_FEE * 4), amount - DUST_LIMIT) # 10000-20000 sat fee 1391 in_value = amount - fee 1392 tx.vin = [CTxIn(outpoint=utxo.outpoint, nSequence=random.randint(min_sequence, 0xffffffff)) for utxo in input_utxos] 1393 tx.wit.vtxinwit = [CTxInWitness() for _ in range(len(input_utxos))] 1394 sigops_weight = sum(utxo.spender.sigops_weight for utxo in input_utxos) 1395 self.log.debug("Test: %s" % (", ".join(utxo.spender.comment for utxo in input_utxos))) 1396 1397 # Add 1 to 4 random outputs (but constrained by inputs that require mismatching outputs) 1398 num_outputs = random.choice(range(1, 1 + min(4, 4 if first_mismatch_input is None else first_mismatch_input))) 1399 assert in_value >= 0 and fee - num_outputs * DUST_LIMIT >= MIN_FEE 1400 for i in range(num_outputs): 1401 tx.vout.append(CTxOut()) 1402 if in_value <= DUST_LIMIT: 1403 tx.vout[-1].nValue = DUST_LIMIT 1404 elif i < num_outputs - 1: 1405 tx.vout[-1].nValue = in_value 1406 else: 1407 tx.vout[-1].nValue = random.randint(DUST_LIMIT, in_value) 1408 in_value -= tx.vout[-1].nValue 1409 tx.vout[-1].scriptPubKey = random.choice(host_spks) 1410 sigops_weight += CScript(tx.vout[-1].scriptPubKey).GetSigOpCount(False) * WITNESS_SCALE_FACTOR 1411 fee += in_value 1412 assert fee >= 0 1413 1414 # Select coinbase pubkey 1415 cb_pubkey = random.choice(host_pubkeys) 1416 sigops_weight += 1 * WITNESS_SCALE_FACTOR 1417 1418 # Precompute one satisfying and one failing scriptSig/witness for each input. 1419 input_data = [] 1420 for i in range(len(input_utxos)): 1421 fn = input_utxos[i].spender.sat_function 1422 fail = None 1423 success = fn(tx, i, [utxo.output for utxo in input_utxos], True) 1424 if not input_utxos[i].spender.no_fail: 1425 fail = fn(tx, i, [utxo.output for utxo in input_utxos], False) 1426 input_data.append((fail, success)) 1427 if self.options.dump_tests: 1428 dump_json_test(tx, input_utxos, i, success, fail) 1429 1430 # Sign each input incorrectly once on each complete signing pass, except the very last. 1431 for fail_input in list(range(len(input_utxos))) + [None]: 1432 # Skip trying to fail at spending something that can't be made to fail. 1433 if fail_input is not None and input_utxos[fail_input].spender.no_fail: 1434 continue 1435 # Expected message with each input failure, may be None(which is ignored) 1436 expected_fail_msg = None if fail_input is None else input_utxos[fail_input].spender.err_msg 1437 # Fill inputs/witnesses 1438 for i in range(len(input_utxos)): 1439 tx.vin[i].scriptSig = input_data[i][i != fail_input][0] 1440 tx.wit.vtxinwit[i].scriptWitness.stack = input_data[i][i != fail_input][1] 1441 # Submit to mempool to check standardness 1442 is_standard_tx = fail_input is None and all(utxo.spender.is_standard for utxo in input_utxos) and tx.nVersion >= 1 and tx.nVersion <= 2 1443 tx.rehash() 1444 msg = ','.join(utxo.spender.comment + ("*" if n == fail_input else "") for n, utxo in enumerate(input_utxos)) 1445 if is_standard_tx: 1446 node.sendrawtransaction(tx.serialize().hex(), 0) 1447 assert node.getmempoolentry(tx.hash) is not None, "Failed to accept into mempool: " + msg 1448 else: 1449 assert_raises_rpc_error(-26, None, node.sendrawtransaction, tx.serialize().hex(), 0) 1450 # Submit in a block 1451 self.block_submit(node, [tx], msg, witness=True, accept=fail_input is None, cb_pubkey=cb_pubkey, fees=fee, sigops_weight=sigops_weight, err_msg=expected_fail_msg) 1452 1453 if (len(spenders) - left) // 200 > (len(spenders) - left - len(input_utxos)) // 200: 1454 self.log.info(" - %i tests done" % (len(spenders) - left)) 1455 1456 assert left == 0 1457 assert len(normal_utxos) == 0 1458 assert len(mismatching_utxos) == 0 1459 self.log.info(" - Done") 1460 1461 def run_test(self): 1462 # Post-taproot activation tests go first (pre-taproot tests' blocks are invalid post-taproot). 1463 self.log.info("Post-activation tests...") 1464 self.nodes[1].generate(COINBASE_MATURITY + 1) 1465 self.test_spenders(self.nodes[1], spenders_taproot_active(), input_counts=[1, 2, 2, 2, 2, 3]) 1466 1467 # Re-connect nodes in case they have been disconnected 1468 self.disconnect_nodes(0, 1) 1469 self.connect_nodes(0, 1) 1470 1471 # Transfer value of the largest 500 coins to pre-taproot node. 1472 addr = self.nodes[0].getnewaddress() 1473 1474 unsp = self.nodes[1].listunspent() 1475 unsp = sorted(unsp, key=lambda i: i['amount'], reverse=True) 1476 unsp = unsp[:500] 1477 1478 rawtx = self.nodes[1].createrawtransaction( 1479 inputs=[{ 1480 'txid': i['txid'], 1481 'vout': i['vout'] 1482 } for i in unsp], 1483 outputs={addr: sum(i['amount'] for i in unsp)} 1484 ) 1485 rawtx = self.nodes[1].signrawtransactionwithwallet(rawtx)['hex'] 1486 1487 # Mine a block with the transaction 1488 block = create_block(tmpl=self.nodes[1].getblocktemplate(NORMAL_GBT_REQUEST_PARAMS), txlist=[rawtx]) 1489 add_witness_commitment(block) 1490 block.rehash() 1491 block.solve() 1492 assert_equal(None, self.nodes[1].submitblock(block.serialize().hex())) 1493 self.sync_blocks() 1494 1495 # Pre-taproot activation tests. 1496 self.log.info("Pre-activation tests...") 1497 # Run each test twice; once in isolation, and once combined with others. Testing in isolation 1498 # means that the standardness is verified in every test (as combined transactions are only standard 1499 # when all their inputs are standard). 1500 self.test_spenders(self.nodes[0], spenders_taproot_inactive(), input_counts=[1]) 1501 self.test_spenders(self.nodes[0], spenders_taproot_inactive(), input_counts=[2, 3]) 1502 1503 1504if __name__ == '__main__': 1505 TaprootTest().main() 1506