1#!/usr/bin/env python3 2# Copyright (c) 2019-2020 The Bitcoin Core developers 3# Distributed under the MIT software license, see the accompanying 4# file COPYING or http://www.opensource.org/licenses/mit-license.php. 5# Test Taproot softfork (BIPs 340-342) 6 7from test_framework.blocktools import ( 8 create_coinbase, 9 create_block, 10 add_witness_commitment, 11 MAX_BLOCK_SIGOPS_WEIGHT, 12 NORMAL_GBT_REQUEST_PARAMS, 13 WITNESS_SCALE_FACTOR, 14) 15from test_framework.messages import ( 16 COutPoint, 17 CTransaction, 18 CTxIn, 19 CTxInWitness, 20 CTxOut, 21 ToHex, 22) 23from test_framework.script import ( 24 ANNEX_TAG, 25 CScript, 26 CScriptNum, 27 CScriptOp, 28 LEAF_VERSION_TAPSCRIPT, 29 LegacySignatureHash, 30 LOCKTIME_THRESHOLD, 31 MAX_SCRIPT_ELEMENT_SIZE, 32 OP_0, 33 OP_1, 34 OP_2, 35 OP_3, 36 OP_4, 37 OP_5, 38 OP_6, 39 OP_7, 40 OP_8, 41 OP_9, 42 OP_10, 43 OP_11, 44 OP_12, 45 OP_16, 46 OP_2DROP, 47 OP_2DUP, 48 OP_CHECKMULTISIG, 49 OP_CHECKMULTISIGVERIFY, 50 OP_CHECKSIG, 51 OP_CHECKSIGADD, 52 OP_CHECKSIGVERIFY, 53 OP_CODESEPARATOR, 54 OP_DROP, 55 OP_DUP, 56 OP_ELSE, 57 OP_ENDIF, 58 OP_EQUAL, 59 OP_EQUALVERIFY, 60 OP_HASH160, 61 OP_IF, 62 OP_NOP, 63 OP_NOT, 64 OP_NOTIF, 65 OP_PUSHDATA1, 66 OP_RETURN, 67 OP_SWAP, 68 OP_VERIFY, 69 SIGHASH_DEFAULT, 70 SIGHASH_ALL, 71 SIGHASH_NONE, 72 SIGHASH_SINGLE, 73 SIGHASH_ANYONECANPAY, 74 SegwitV0SignatureHash, 75 TaprootSignatureHash, 76 is_op_success, 77 taproot_construct, 78) 79from test_framework.test_framework import BitcoinTestFramework 80from test_framework.util import assert_raises_rpc_error, assert_equal 81from test_framework.key import generate_privkey, compute_xonly_pubkey, sign_schnorr, tweak_add_privkey, ECKey 82from test_framework.address import ( 83 hash160, 84 sha256, 85) 86from collections import OrderedDict, namedtuple 87from io import BytesIO 88import json 89import hashlib 90import os 91import random 92 93# === Framework for building spending transactions. === 94# 95# The computation is represented as a "context" dict, whose entries store potentially-unevaluated expressions that 96# refer to lower-level ones. By overwriting these expression, many aspects - both high and low level - of the signing 97# process can be overridden. 98# 99# Specifically, a context object is a dict that maps names to compositions of: 100# - values 101# - lists of values 102# - callables which, when fed the context object as argument, produce any of these 103# 104# The DEFAULT_CONTEXT object specifies a standard signing process, with many overridable knobs. 105# 106# The get(ctx, name) function can evaluate a name, and cache its result in the context. 107# getter(name) can be used to construct a callable that evaluates name. For example: 108# 109# ctx1 = {**DEFAULT_CONTEXT, inputs=[getter("sign"), b'\x01']} 110# 111# creates a context where the script inputs are a signature plus the bytes 0x01. 112# 113# override(expr, name1=expr1, name2=expr2, ...) can be used to cause an expression to be evaluated in a selectively 114# modified context. For example: 115# 116# ctx2 = {**DEFAULT_CONTEXT, sighash=override(default_sighash, hashtype=SIGHASH_DEFAULT)} 117# 118# creates a context ctx2 where the sighash is modified to use hashtype=SIGHASH_DEFAULT. This differs from 119# 120# ctx3 = {**DEFAULT_CONTEXT, hashtype=SIGHASH_DEFAULT} 121# 122# in that ctx3 will globally use hashtype=SIGHASH_DEFAULT (including in the hashtype byte appended to the signature) 123# while ctx2 only uses the modified hashtype inside the sighash calculation. 124 125def deep_eval(ctx, expr): 126 """Recursively replace any callables c in expr (including inside lists) with c(ctx).""" 127 while callable(expr): 128 expr = expr(ctx) 129 if isinstance(expr, list): 130 expr = [deep_eval(ctx, x) for x in expr] 131 return expr 132 133# Data type to represent fully-evaluated expressions in a context dict (so we can avoid reevaluating them). 134Final = namedtuple("Final", "value") 135 136def get(ctx, name): 137 """Evaluate name in context ctx.""" 138 assert name in ctx, "Missing '%s' in context" % name 139 expr = ctx[name] 140 if not isinstance(expr, Final): 141 # Evaluate and cache the result. 142 expr = Final(deep_eval(ctx, expr)) 143 ctx[name] = expr 144 return expr.value 145 146def getter(name): 147 """Return a callable that evaluates name in its passed context.""" 148 return lambda ctx: get(ctx, name) 149 150def override(expr, **kwargs): 151 """Return a callable that evaluates expr in a modified context.""" 152 return lambda ctx: deep_eval({**ctx, **kwargs}, expr) 153 154# === Implementations for the various default expressions in DEFAULT_CONTEXT === 155 156def default_hashtype(ctx): 157 """Default expression for "hashtype": SIGHASH_DEFAULT for taproot, SIGHASH_ALL otherwise.""" 158 mode = get(ctx, "mode") 159 if mode == "taproot": 160 return SIGHASH_DEFAULT 161 else: 162 return SIGHASH_ALL 163 164def default_tapleaf(ctx): 165 """Default expression for "tapleaf": looking up leaf in tap[2].""" 166 return get(ctx, "tap").leaves[get(ctx, "leaf")] 167 168def default_script_taproot(ctx): 169 """Default expression for "script_taproot": tapleaf.script.""" 170 return get(ctx, "tapleaf").script 171 172def default_leafversion(ctx): 173 """Default expression for "leafversion": tapleaf.version""" 174 return get(ctx, "tapleaf").version 175 176def default_negflag(ctx): 177 """Default expression for "negflag": tap.negflag.""" 178 return get(ctx, "tap").negflag 179 180def default_pubkey_inner(ctx): 181 """Default expression for "pubkey_inner": tap.inner_pubkey.""" 182 return get(ctx, "tap").inner_pubkey 183 184def default_merklebranch(ctx): 185 """Default expression for "merklebranch": tapleaf.merklebranch.""" 186 return get(ctx, "tapleaf").merklebranch 187 188def default_controlblock(ctx): 189 """Default expression for "controlblock": combine leafversion, negflag, pubkey_inner, merklebranch.""" 190 return bytes([get(ctx, "leafversion") + get(ctx, "negflag")]) + get(ctx, "pubkey_inner") + get(ctx, "merklebranch") 191 192def default_sighash(ctx): 193 """Default expression for "sighash": depending on mode, compute BIP341, BIP143, or legacy sighash.""" 194 tx = get(ctx, "tx") 195 idx = get(ctx, "idx") 196 hashtype = get(ctx, "hashtype_actual") 197 mode = get(ctx, "mode") 198 if mode == "taproot": 199 # BIP341 signature hash 200 utxos = get(ctx, "utxos") 201 annex = get(ctx, "annex") 202 if get(ctx, "leaf") is not None: 203 codeseppos = get(ctx, "codeseppos") 204 leaf_ver = get(ctx, "leafversion") 205 script = get(ctx, "script_taproot") 206 return TaprootSignatureHash(tx, utxos, hashtype, idx, scriptpath=True, script=script, leaf_ver=leaf_ver, codeseparator_pos=codeseppos, annex=annex) 207 else: 208 return TaprootSignatureHash(tx, utxos, hashtype, idx, scriptpath=False, annex=annex) 209 elif mode == "witv0": 210 # BIP143 signature hash 211 scriptcode = get(ctx, "scriptcode") 212 utxos = get(ctx, "utxos") 213 return SegwitV0SignatureHash(scriptcode, tx, idx, hashtype, utxos[idx].nValue) 214 else: 215 # Pre-segwit signature hash 216 scriptcode = get(ctx, "scriptcode") 217 return LegacySignatureHash(scriptcode, tx, idx, hashtype)[0] 218 219def default_tweak(ctx): 220 """Default expression for "tweak": None if a leaf is specified, tap[0] otherwise.""" 221 if get(ctx, "leaf") is None: 222 return get(ctx, "tap").tweak 223 return None 224 225def default_key_tweaked(ctx): 226 """Default expression for "key_tweaked": key if tweak is None, tweaked with it otherwise.""" 227 key = get(ctx, "key") 228 tweak = get(ctx, "tweak") 229 if tweak is None: 230 return key 231 else: 232 return tweak_add_privkey(key, tweak) 233 234def default_signature(ctx): 235 """Default expression for "signature": BIP340 signature or ECDSA signature depending on mode.""" 236 sighash = get(ctx, "sighash") 237 if get(ctx, "mode") == "taproot": 238 key = get(ctx, "key_tweaked") 239 flip_r = get(ctx, "flag_flip_r") 240 flip_p = get(ctx, "flag_flip_p") 241 return sign_schnorr(key, sighash, flip_r=flip_r, flip_p=flip_p) 242 else: 243 key = get(ctx, "key") 244 return key.sign_ecdsa(sighash) 245 246def default_hashtype_actual(ctx): 247 """Default expression for "hashtype_actual": hashtype, unless mismatching SIGHASH_SINGLE in taproot.""" 248 hashtype = get(ctx, "hashtype") 249 mode = get(ctx, "mode") 250 if mode != "taproot": 251 return hashtype 252 idx = get(ctx, "idx") 253 tx = get(ctx, "tx") 254 if hashtype & 3 == SIGHASH_SINGLE and idx >= len(tx.vout): 255 return (hashtype & ~3) | SIGHASH_NONE 256 return hashtype 257 258def default_bytes_hashtype(ctx): 259 """Default expression for "bytes_hashtype": bytes([hashtype_actual]) if not 0, b"" otherwise.""" 260 return bytes([x for x in [get(ctx, "hashtype_actual")] if x != 0]) 261 262def default_sign(ctx): 263 """Default expression for "sign": concatenation of signature and bytes_hashtype.""" 264 return get(ctx, "signature") + get(ctx, "bytes_hashtype") 265 266def default_inputs_keypath(ctx): 267 """Default expression for "inputs_keypath": a signature.""" 268 return [get(ctx, "sign")] 269 270def default_witness_taproot(ctx): 271 """Default expression for "witness_taproot", consisting of inputs, script, control block, and annex as needed.""" 272 annex = get(ctx, "annex") 273 suffix_annex = [] 274 if annex is not None: 275 suffix_annex = [annex] 276 if get(ctx, "leaf") is None: 277 return get(ctx, "inputs_keypath") + suffix_annex 278 else: 279 return get(ctx, "inputs") + [bytes(get(ctx, "script_taproot")), get(ctx, "controlblock")] + suffix_annex 280 281def default_witness_witv0(ctx): 282 """Default expression for "witness_witv0", consisting of inputs and witness script, as needed.""" 283 script = get(ctx, "script_witv0") 284 inputs = get(ctx, "inputs") 285 if script is None: 286 return inputs 287 else: 288 return inputs + [script] 289 290def default_witness(ctx): 291 """Default expression for "witness", delegating to "witness_taproot" or "witness_witv0" as needed.""" 292 mode = get(ctx, "mode") 293 if mode == "taproot": 294 return get(ctx, "witness_taproot") 295 elif mode == "witv0": 296 return get(ctx, "witness_witv0") 297 else: 298 return [] 299 300def default_scriptsig(ctx): 301 """Default expression for "scriptsig", consisting of inputs and redeemscript, as needed.""" 302 scriptsig = [] 303 mode = get(ctx, "mode") 304 if mode == "legacy": 305 scriptsig = get(ctx, "inputs") 306 redeemscript = get(ctx, "script_p2sh") 307 if redeemscript is not None: 308 scriptsig += [bytes(redeemscript)] 309 return scriptsig 310 311# The default context object. 312DEFAULT_CONTEXT = { 313 # == The main expressions to evaluate. Only override these for unusual or invalid spends. == 314 # The overall witness stack, as a list of bytes objects. 315 "witness": default_witness, 316 # The overall scriptsig, as a list of CScript objects (to be concatenated) and bytes objects (to be pushed) 317 "scriptsig": default_scriptsig, 318 319 # == Expressions you'll generally only override for intentionally invalid spends. == 320 # The witness stack for spending a taproot output. 321 "witness_taproot": default_witness_taproot, 322 # The witness stack for spending a P2WPKH/P2WSH output. 323 "witness_witv0": default_witness_witv0, 324 # The script inputs for a taproot key path spend. 325 "inputs_keypath": default_inputs_keypath, 326 # The actual hashtype to use (usually equal to hashtype, but in taproot SIGHASH_SINGLE is not always allowed). 327 "hashtype_actual": default_hashtype_actual, 328 # The bytes object for a full signature (including hashtype byte, if needed). 329 "bytes_hashtype": default_bytes_hashtype, 330 # A full script signature (bytes including hashtype, if needed) 331 "sign": default_sign, 332 # An ECDSA or Schnorr signature (excluding hashtype byte). 333 "signature": default_signature, 334 # The 32-byte tweaked key (equal to key for script path spends, or key+tweak for key path spends). 335 "key_tweaked": default_key_tweaked, 336 # The tweak to use (None for script path spends, the actual tweak for key path spends). 337 "tweak": default_tweak, 338 # The sighash value (32 bytes) 339 "sighash": default_sighash, 340 # The information about the chosen script path spend (TaprootLeafInfo object). 341 "tapleaf": default_tapleaf, 342 # The script to push, and include in the sighash, for a taproot script path spend. 343 "script_taproot": default_script_taproot, 344 # The inner pubkey for a taproot script path spend (32 bytes). 345 "pubkey_inner": default_pubkey_inner, 346 # The negation flag of the inner pubkey for a taproot script path spend. 347 "negflag": default_negflag, 348 # The leaf version to include in the sighash (this does not affect the one in the control block). 349 "leafversion": default_leafversion, 350 # The Merkle path to include in the control block for a script path spend. 351 "merklebranch": default_merklebranch, 352 # The control block to push for a taproot script path spend. 353 "controlblock": default_controlblock, 354 # Whether to produce signatures with invalid P sign (Schnorr signatures only). 355 "flag_flip_p": False, 356 # Whether to produce signatures with invalid R sign (Schnorr signatures only). 357 "flag_flip_r": False, 358 359 # == Parameters that can be changed without invalidating, but do have a default: == 360 # The hashtype (as an integer). 361 "hashtype": default_hashtype, 362 # The annex (only when mode=="taproot"). 363 "annex": None, 364 # The codeseparator position (only when mode=="taproot"). 365 "codeseppos": -1, 366 # The redeemscript to add to the scriptSig (if P2SH; None implies not P2SH). 367 "script_p2sh": None, 368 # The script to add to the witness in (if P2WSH; None implies P2WPKH) 369 "script_witv0": None, 370 # The leaf to use in taproot spends (if script path spend; None implies key path spend). 371 "leaf": None, 372 # The input arguments to provide to the executed script 373 "inputs": [], 374 375 # == Parameters to be set before evaluation: == 376 # - mode: what spending style to use ("taproot", "witv0", or "legacy"). 377 # - key: the (untweaked) private key to sign with (ECKey object for ECDSA, 32 bytes for Schnorr). 378 # - tap: the TaprootInfo object (see taproot_construct; needed in mode=="taproot"). 379 # - tx: the transaction to sign. 380 # - utxos: the UTXOs being spent (needed in mode=="witv0" and mode=="taproot"). 381 # - idx: the input position being signed. 382 # - scriptcode: the scriptcode to include in legacy and witv0 sighashes. 383} 384 385def flatten(lst): 386 ret = [] 387 for elem in lst: 388 if isinstance(elem, list): 389 ret += flatten(elem) 390 else: 391 ret.append(elem) 392 return ret 393 394def spend(tx, idx, utxos, **kwargs): 395 """Sign transaction input idx of tx, provided utxos is the list of outputs being spent. 396 397 Additional arguments may be provided that override any aspect of the signing process. 398 See DEFAULT_CONTEXT above for what can be overridden, and what must be provided. 399 """ 400 401 ctx = {**DEFAULT_CONTEXT, "tx":tx, "idx":idx, "utxos":utxos, **kwargs} 402 403 def to_script(elem): 404 """If fed a CScript, return it; if fed bytes, return a CScript that pushes it.""" 405 if isinstance(elem, CScript): 406 return elem 407 else: 408 return CScript([elem]) 409 410 scriptsig_list = flatten(get(ctx, "scriptsig")) 411 scriptsig = CScript(b"".join(bytes(to_script(elem)) for elem in scriptsig_list)) 412 witness_stack = flatten(get(ctx, "witness")) 413 return (scriptsig, witness_stack) 414 415 416# === Spender objects === 417# 418# Each spender is a tuple of: 419# - A scriptPubKey which is to be spent from (CScript) 420# - A comment describing the test (string) 421# - Whether the spending (on itself) is expected to be standard (bool) 422# - A tx-signing lambda returning (scriptsig, witness_stack), taking as inputs: 423# - A transaction to sign (CTransaction) 424# - An input position (int) 425# - The spent UTXOs by this transaction (list of CTxOut) 426# - Whether to produce a valid spend (bool) 427# - A string with an expected error message for failure case if known 428# - The (pre-taproot) sigops weight consumed by a successful spend 429# - Whether this spend cannot fail 430# - Whether this test demands being placed in a txin with no corresponding txout (for testing SIGHASH_SINGLE behavior) 431 432Spender = namedtuple("Spender", "script,comment,is_standard,sat_function,err_msg,sigops_weight,no_fail,need_vin_vout_mismatch") 433 434def make_spender(comment, *, tap=None, witv0=False, script=None, pkh=None, p2sh=False, spk_mutate_pre_p2sh=None, failure=None, standard=True, err_msg=None, sigops_weight=0, need_vin_vout_mismatch=False, **kwargs): 435 """Helper for constructing Spender objects using the context signing framework. 436 437 * tap: a TaprootInfo object (see taproot_construct), for Taproot spends (cannot be combined with pkh, witv0, or script) 438 * witv0: boolean indicating the use of witness v0 spending (needs one of script or pkh) 439 * script: the actual script executed (for bare/P2WSH/P2SH spending) 440 * pkh: the public key for P2PKH or P2WPKH spending 441 * p2sh: whether the output is P2SH wrapper (this is supported even for Taproot, where it makes the output unencumbered) 442 * spk_mutate_pre_psh: a callable to be applied to the script (before potentially P2SH-wrapping it) 443 * failure: a dict of entries to override in the context when intentionally failing to spend (if None, no_fail will be set) 444 * standard: whether the (valid version of) spending is expected to be standard 445 * err_msg: a string with an expected error message for failure (or None, if not cared about) 446 * sigops_weight: the pre-taproot sigops weight consumed by a successful spend 447 """ 448 449 conf = dict() 450 451 # Compute scriptPubKey and set useful defaults based on the inputs. 452 if witv0: 453 assert tap is None 454 conf["mode"] = "witv0" 455 if pkh is not None: 456 # P2WPKH 457 assert script is None 458 pubkeyhash = hash160(pkh) 459 spk = CScript([OP_0, pubkeyhash]) 460 conf["scriptcode"] = CScript([OP_DUP, OP_HASH160, pubkeyhash, OP_EQUALVERIFY, OP_CHECKSIG]) 461 conf["script_witv0"] = None 462 conf["inputs"] = [getter("sign"), pkh] 463 elif script is not None: 464 # P2WSH 465 spk = CScript([OP_0, sha256(script)]) 466 conf["scriptcode"] = script 467 conf["script_witv0"] = script 468 else: 469 assert False 470 elif tap is None: 471 conf["mode"] = "legacy" 472 if pkh is not None: 473 # P2PKH 474 assert script is None 475 pubkeyhash = hash160(pkh) 476 spk = CScript([OP_DUP, OP_HASH160, pubkeyhash, OP_EQUALVERIFY, OP_CHECKSIG]) 477 conf["scriptcode"] = spk 478 conf["inputs"] = [getter("sign"), pkh] 479 elif script is not None: 480 # bare 481 spk = script 482 conf["scriptcode"] = script 483 else: 484 assert False 485 else: 486 assert script is None 487 conf["mode"] = "taproot" 488 conf["tap"] = tap 489 spk = tap.scriptPubKey 490 491 if spk_mutate_pre_p2sh is not None: 492 spk = spk_mutate_pre_p2sh(spk) 493 494 if p2sh: 495 # P2SH wrapper can be combined with anything else 496 conf["script_p2sh"] = spk 497 spk = CScript([OP_HASH160, hash160(spk), OP_EQUAL]) 498 499 conf = {**conf, **kwargs} 500 501 def sat_fn(tx, idx, utxos, valid): 502 if valid: 503 return spend(tx, idx, utxos, **conf) 504 else: 505 assert failure is not None 506 return spend(tx, idx, utxos, **{**conf, **failure}) 507 508 return Spender(script=spk, comment=comment, is_standard=standard, sat_function=sat_fn, err_msg=err_msg, sigops_weight=sigops_weight, no_fail=failure is None, need_vin_vout_mismatch=need_vin_vout_mismatch) 509 510def add_spender(spenders, *args, **kwargs): 511 """Make a spender using make_spender, and add it to spenders.""" 512 spenders.append(make_spender(*args, **kwargs)) 513 514# === Helpers for the test === 515 516def random_checksig_style(pubkey): 517 """Creates a random CHECKSIG* tapscript that would succeed with only the valid signature on witness stack.""" 518 return bytes(CScript([pubkey, OP_CHECKSIG])) 519 opcode = random.choice([OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKSIGADD]) 520 if (opcode == OP_CHECKSIGVERIFY): 521 ret = CScript([pubkey, opcode, OP_1]) 522 elif (opcode == OP_CHECKSIGADD): 523 num = random.choice([0, 0x7fffffff, -0x7fffffff]) 524 ret = CScript([num, pubkey, opcode, num + 1, OP_EQUAL]) 525 else: 526 ret = CScript([pubkey, opcode]) 527 return bytes(ret) 528 529def random_bytes(n): 530 """Return a random bytes object of length n.""" 531 return bytes(random.getrandbits(8) for i in range(n)) 532 533def bitflipper(expr): 534 """Return a callable that evaluates expr and returns it with a random bitflip.""" 535 def fn(ctx): 536 sub = deep_eval(ctx, expr) 537 assert isinstance(sub, bytes) 538 return (int.from_bytes(sub, 'little') ^ (1 << random.randrange(len(sub) * 8))).to_bytes(len(sub), 'little') 539 return fn 540 541def zero_appender(expr): 542 """Return a callable that evaluates expr and returns it with a zero added.""" 543 return lambda ctx: deep_eval(ctx, expr) + b"\x00" 544 545def byte_popper(expr): 546 """Return a callable that evaluates expr and returns it with its last byte removed.""" 547 return lambda ctx: deep_eval(ctx, expr)[:-1] 548 549# Expected error strings 550 551ERR_SIG_SIZE = {"err_msg": "Invalid Schnorr signature size"} 552ERR_SIG_HASHTYPE = {"err_msg": "Invalid Schnorr signature hash type"} 553ERR_SIG_SCHNORR = {"err_msg": "Invalid Schnorr signature"} 554ERR_OP_RETURN = {"err_msg": "OP_RETURN was encountered"} 555ERR_CONTROLBLOCK_SIZE = {"err_msg": "Invalid Taproot control block size"} 556ERR_WITNESS_PROGRAM_MISMATCH = {"err_msg": "Witness program hash mismatch"} 557ERR_PUSH_LIMIT = {"err_msg": "Push value size limit exceeded"} 558ERR_DISABLED_OPCODE = {"err_msg": "Attempted to use a disabled opcode"} 559ERR_TAPSCRIPT_CHECKMULTISIG = {"err_msg": "OP_CHECKMULTISIG(VERIFY) is not available in tapscript"} 560ERR_MINIMALIF = {"err_msg": "OP_IF/NOTIF argument must be minimal in tapscript"} 561ERR_UNKNOWN_PUBKEY = {"err_msg": "Public key is neither compressed or uncompressed"} 562ERR_STACK_SIZE = {"err_msg": "Stack size limit exceeded"} 563ERR_CLEANSTACK = {"err_msg": "Stack size must be exactly one after execution"} 564ERR_STACK_EMPTY = {"err_msg": "Operation not valid with the current stack size"} 565ERR_SIGOPS_RATIO = {"err_msg": "Too much signature validation relative to witness weight"} 566ERR_UNDECODABLE = {"err_msg": "Opcode missing or not understood"} 567ERR_NO_SUCCESS = {"err_msg": "Script evaluated without error but finished with a false/empty top stack element"} 568ERR_EMPTY_WITNESS = {"err_msg": "Witness program was passed an empty witness"} 569ERR_CHECKSIGVERIFY = {"err_msg": "Script failed an OP_CHECKSIGVERIFY operation"} 570 571VALID_SIGHASHES_ECDSA = [ 572 SIGHASH_ALL, 573 SIGHASH_NONE, 574 SIGHASH_SINGLE, 575 SIGHASH_ANYONECANPAY + SIGHASH_ALL, 576 SIGHASH_ANYONECANPAY + SIGHASH_NONE, 577 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 578] 579 580VALID_SIGHASHES_TAPROOT = [SIGHASH_DEFAULT] + VALID_SIGHASHES_ECDSA 581 582VALID_SIGHASHES_TAPROOT_SINGLE = [ 583 SIGHASH_SINGLE, 584 SIGHASH_ANYONECANPAY + SIGHASH_SINGLE 585] 586 587VALID_SIGHASHES_TAPROOT_NO_SINGLE = [h for h in VALID_SIGHASHES_TAPROOT if h not in VALID_SIGHASHES_TAPROOT_SINGLE] 588 589SIGHASH_BITFLIP = {"failure": {"sighash": bitflipper(default_sighash)}} 590SIG_POP_BYTE = {"failure": {"sign": byte_popper(default_sign)}} 591SINGLE_SIG = {"inputs": [getter("sign")]} 592SIG_ADD_ZERO = {"failure": {"sign": zero_appender(default_sign)}} 593 594DUST_LIMIT = 600 595MIN_FEE = 50000 596 597# === Actual test cases === 598 599 600def spenders_taproot_active(): 601 """Return a list of Spenders for testing post-Taproot activation behavior.""" 602 603 secs = [generate_privkey() for _ in range(8)] 604 pubs = [compute_xonly_pubkey(sec)[0] for sec in secs] 605 606 spenders = [] 607 608 # == Tests for BIP340 signature validation. == 609 # These are primarily tested through the test vectors implemented in libsecp256k1, and in src/tests/key_tests.cpp. 610 # Some things are tested programmatically as well here. 611 612 tap = taproot_construct(pubs[0]) 613 # Test with key with bit flipped. 614 add_spender(spenders, "sig/key", tap=tap, key=secs[0], failure={"key_tweaked": bitflipper(default_key_tweaked)}, **ERR_SIG_SCHNORR) 615 # Test with sighash with bit flipped. 616 add_spender(spenders, "sig/sighash", tap=tap, key=secs[0], failure={"sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 617 # Test with invalid R sign. 618 add_spender(spenders, "sig/flip_r", tap=tap, key=secs[0], failure={"flag_flip_r": True}, **ERR_SIG_SCHNORR) 619 # Test with invalid P sign. 620 add_spender(spenders, "sig/flip_p", tap=tap, key=secs[0], failure={"flag_flip_p": True}, **ERR_SIG_SCHNORR) 621 # Test with signature with bit flipped. 622 add_spender(spenders, "sig/bitflip", tap=tap, key=secs[0], failure={"signature": bitflipper(default_signature)}, **ERR_SIG_SCHNORR) 623 624 # == Tests for signature hashing == 625 626 # Run all tests once with no annex, and once with a valid random annex. 627 for annex in [None, lambda _: bytes([ANNEX_TAG]) + random_bytes(random.randrange(0, 250))]: 628 # Non-empty annex is non-standard 629 no_annex = annex is None 630 631 # Sighash mutation tests (test all sighash combinations) 632 for hashtype in VALID_SIGHASHES_TAPROOT: 633 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 634 635 # Pure pubkey 636 tap = taproot_construct(pubs[0]) 637 add_spender(spenders, "sighash/purepk", tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 638 639 # Pubkey/P2PK script combination 640 scripts = [("s0", CScript(random_checksig_style(pubs[1])))] 641 tap = taproot_construct(pubs[0], scripts) 642 add_spender(spenders, "sighash/keypath_hashtype_%x" % hashtype, tap=tap, key=secs[0], **common, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 643 add_spender(spenders, "sighash/scriptpath_hashtype_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 644 645 # Test SIGHASH_SINGLE behavior in combination with mismatching outputs 646 if hashtype in VALID_SIGHASHES_TAPROOT_SINGLE: 647 add_spender(spenders, "sighash/keypath_hashtype_mis_%x" % hashtype, tap=tap, key=secs[0], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), failure={"hashtype_actual": hashtype}, **ERR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 648 add_spender(spenders, "sighash/scriptpath_hashtype_mis_%x" % hashtype, tap=tap, leaf="s0", key=secs[1], annex=annex, standard=no_annex, hashtype_actual=random.choice(VALID_SIGHASHES_TAPROOT_NO_SINGLE), **SINGLE_SIG, failure={"hashtype_actual": hashtype}, **ERR_SIG_HASHTYPE, need_vin_vout_mismatch=True) 649 650 # Test OP_CODESEPARATOR impact on sighashing. 651 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 652 common = {"annex": annex, "hashtype": hashtype, "standard": no_annex} 653 scripts = [ 654 ("pk_codesep", CScript(random_checksig_style(pubs[1]) + bytes([OP_CODESEPARATOR]))), # codesep after checksig 655 ("codesep_pk", CScript(bytes([OP_CODESEPARATOR]) + random_checksig_style(pubs[1]))), # codesep before checksig 656 ("branched_codesep", CScript([random_bytes(random.randrange(511)), OP_DROP, OP_IF, OP_CODESEPARATOR, pubs[0], OP_ELSE, OP_CODESEPARATOR, pubs[1], OP_ENDIF, OP_CHECKSIG])), # branch dependent codesep 657 ] 658 random.shuffle(scripts) 659 tap = taproot_construct(pubs[0], scripts) 660 add_spender(spenders, "sighash/pk_codesep", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 661 add_spender(spenders, "sighash/codesep_pk", tap=tap, leaf="codesep_pk", key=secs[1], codeseppos=0, **common, **SINGLE_SIG, **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 662 add_spender(spenders, "sighash/branched_codesep/left", tap=tap, leaf="branched_codesep", key=secs[0], codeseppos=3, **common, inputs=[getter("sign"), b'\x01'], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 663 add_spender(spenders, "sighash/branched_codesep/right", tap=tap, leaf="branched_codesep", key=secs[1], codeseppos=6, **common, inputs=[getter("sign"), b''], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 664 665 # Reusing the scripts above, test that various features affect the sighash. 666 add_spender(spenders, "sighash/annex", tap=tap, leaf="pk_codesep", key=secs[1], hashtype=hashtype, standard=False, **SINGLE_SIG, annex=bytes([ANNEX_TAG]), failure={"sighash": override(default_sighash, annex=None)}, **ERR_SIG_SCHNORR) 667 add_spender(spenders, "sighash/script", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, script_taproot=tap.leaves["codesep_pk"].script)}, **ERR_SIG_SCHNORR) 668 add_spender(spenders, "sighash/leafver", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leafversion=random.choice([x & 0xFE for x in range(0x100) if x & 0xFE != 0xC0]))}, **ERR_SIG_SCHNORR) 669 add_spender(spenders, "sighash/scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **common, **SINGLE_SIG, failure={"sighash": override(default_sighash, leaf=None)}, **ERR_SIG_SCHNORR) 670 add_spender(spenders, "sighash/keypath", tap=tap, key=secs[0], **common, failure={"sighash": override(default_sighash, leaf="pk_codesep")}, **ERR_SIG_SCHNORR) 671 672 # Test that invalid hashtypes don't work, both in key path and script path spends 673 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 674 for invalid_hashtype in [x for x in range(0x100) if x not in VALID_SIGHASHES_TAPROOT]: 675 add_spender(spenders, "sighash/keypath_unk_hashtype_%x" % invalid_hashtype, tap=tap, key=secs[0], hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SIG_HASHTYPE) 676 add_spender(spenders, "sighash/scriptpath_unk_hashtype_%x" % invalid_hashtype, tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=hashtype, failure={"hashtype": invalid_hashtype}, **ERR_SIG_HASHTYPE) 677 678 # Test that hashtype 0 cannot have a hashtype byte, and 1 must have one. 679 add_spender(spenders, "sighash/hashtype0_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SIG_HASHTYPE) 680 add_spender(spenders, "sighash/hashtype0_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_DEFAULT])}, **ERR_SIG_HASHTYPE) 681 add_spender(spenders, "sighash/hashtype1_byte_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 682 add_spender(spenders, "sighash/hashtype1_byte_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 683 # Test that hashtype 0 and hashtype 1 cannot be transmuted into each other. 684 add_spender(spenders, "sighash/hashtype0to1_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SIG_SCHNORR) 685 add_spender(spenders, "sighash/hashtype0to1_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_DEFAULT, failure={"bytes_hashtype": bytes([SIGHASH_ALL])}, **ERR_SIG_SCHNORR) 686 add_spender(spenders, "sighash/hashtype1to0_keypath", tap=tap, key=secs[0], hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 687 add_spender(spenders, "sighash/hashtype1to0_scriptpath", tap=tap, leaf="pk_codesep", key=secs[1], **SINGLE_SIG, hashtype=SIGHASH_ALL, failure={"bytes_hashtype": b''}, **ERR_SIG_SCHNORR) 688 689 # Test aspects of signatures with unusual lengths 690 for hashtype in [SIGHASH_DEFAULT, random.choice(VALID_SIGHASHES_TAPROOT)]: 691 scripts = [ 692 ("csv", CScript([pubs[2], OP_CHECKSIGVERIFY, OP_1])), 693 ("cs_pos", CScript([pubs[2], OP_CHECKSIG])), 694 ("csa_pos", CScript([OP_0, pubs[2], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 695 ("cs_neg", CScript([pubs[2], OP_CHECKSIG, OP_NOT])), 696 ("csa_neg", CScript([OP_2, pubs[2], OP_CHECKSIGADD, OP_2, OP_EQUAL])) 697 ] 698 random.shuffle(scripts) 699 tap = taproot_construct(pubs[3], scripts) 700 # Empty signatures 701 add_spender(spenders, "siglen/empty_keypath", tap=tap, key=secs[3], hashtype=hashtype, failure={"sign": b""}, **ERR_SIG_SIZE) 702 add_spender(spenders, "siglen/empty_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_CHECKSIGVERIFY) 703 add_spender(spenders, "siglen/empty_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS) 704 add_spender(spenders, "siglen/empty_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, failure={"sign": b""}, **ERR_NO_SUCCESS) 705 add_spender(spenders, "siglen/empty_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random_bytes(random.randrange(1, 63))}, **ERR_SIG_SIZE) 706 add_spender(spenders, "siglen/empty_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": lambda _: random_bytes(random.randrange(66, 100))}, **ERR_SIG_SIZE) 707 # Appending a zero byte to signatures invalidates them 708 add_spender(spenders, "siglen/padzero_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 709 add_spender(spenders, "siglen/padzero_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 710 add_spender(spenders, "siglen/padzero_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 711 add_spender(spenders, "siglen/padzero_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 712 add_spender(spenders, "siglen/padzero_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 713 add_spender(spenders, "siglen/padzero_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_ADD_ZERO, **(ERR_SIG_HASHTYPE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SIZE)) 714 # Removing the last byte from signatures invalidates them 715 add_spender(spenders, "siglen/popbyte_keypath", tap=tap, key=secs[3], hashtype=hashtype, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 716 add_spender(spenders, "siglen/popbyte_csv", tap=tap, key=secs[2], leaf="csv", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 717 add_spender(spenders, "siglen/popbyte_cs", tap=tap, key=secs[2], leaf="cs_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 718 add_spender(spenders, "siglen/popbyte_csa", tap=tap, key=secs[2], leaf="csa_pos", hashtype=hashtype, **SINGLE_SIG, **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 719 add_spender(spenders, "siglen/popbyte_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 720 add_spender(spenders, "siglen/popbyte_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", **SIG_POP_BYTE, **(ERR_SIG_SIZE if hashtype == SIGHASH_DEFAULT else ERR_SIG_SCHNORR)) 721 # Verify that an invalid signature is not allowed, not even when the CHECKSIG* is expected to fail. 722 add_spender(spenders, "siglen/invalid_cs_neg", tap=tap, key=secs[2], leaf="cs_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 723 add_spender(spenders, "siglen/invalid_csa_neg", tap=tap, key=secs[2], leaf="csa_neg", hashtype=hashtype, **SINGLE_SIG, sign=b"", failure={"sign": default_sign, "sighash": bitflipper(default_sighash)}, **ERR_SIG_SCHNORR) 724 725 # == Test that BIP341 spending only applies to witness version 1, program length 32, no P2SH == 726 727 for p2sh in [False, True]: 728 for witver in range(1, 17): 729 for witlen in [20, 31, 32, 33]: 730 def mutate(spk): 731 prog = spk[2:] 732 assert len(prog) == 32 733 if witlen < 32: 734 prog = prog[0:witlen] 735 elif witlen > 32: 736 prog += bytes([0 for _ in range(witlen - 32)]) 737 return CScript([CScriptOp.encode_op_n(witver), prog]) 738 scripts = [("s0", CScript([pubs[0], OP_CHECKSIG])), ("dummy", CScript([OP_RETURN]))] 739 tap = taproot_construct(pubs[1], scripts) 740 if not p2sh and witver == 1 and witlen == 32: 741 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], **SIGHASH_BITFLIP, **ERR_SIG_SCHNORR) 742 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, failure={"leaf": "dummy"}, **ERR_OP_RETURN) 743 else: 744 add_spender(spenders, "applic/keypath", p2sh=p2sh, spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[1], standard=False) 745 add_spender(spenders, "applic/scriptpath", p2sh=p2sh, leaf="s0", spk_mutate_pre_p2sh=mutate, tap=tap, key=secs[0], **SINGLE_SIG, standard=False) 746 747 # == Test various aspects of BIP341 spending paths == 748 749 # A set of functions that compute the hashing partner in a Merkle tree, designed to exercise 750 # edge cases. This relies on the taproot_construct feature that a lambda can be passed in 751 # instead of a subtree, to compute the partner to be hashed with. 752 PARTNER_MERKLE_FN = [ 753 # Combine with itself 754 lambda h: h, 755 # Combine with hash 0 756 lambda h: bytes([0 for _ in range(32)]), 757 # Combine with hash 2^256-1 758 lambda h: bytes([0xff for _ in range(32)]), 759 # Combine with itself-1 (BE) 760 lambda h: (int.from_bytes(h, 'big') - 1).to_bytes(32, 'big'), 761 # Combine with itself+1 (BE) 762 lambda h: (int.from_bytes(h, 'big') + 1).to_bytes(32, 'big'), 763 # Combine with itself-1 (LE) 764 lambda h: (int.from_bytes(h, 'little') - 1).to_bytes(32, 'big'), 765 # Combine with itself+1 (LE) 766 lambda h: (int.from_bytes(h, 'little') + 1).to_bytes(32, 'little'), 767 # Combine with random bitflipped version of self. 768 lambda h: (int.from_bytes(h, 'little') ^ (1 << random.randrange(256))).to_bytes(32, 'little') 769 ] 770 # Start with a tree of that has depth 1 for "128deep" and depth 2 for "129deep". 771 scripts = [("128deep", CScript([pubs[0], OP_CHECKSIG])), [("129deep", CScript([pubs[0], OP_CHECKSIG])), random.choice(PARTNER_MERKLE_FN)]] 772 # Add 127 nodes on top of that tree, so that "128deep" and "129deep" end up at their designated depths. 773 for _ in range(127): 774 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 775 tap = taproot_construct(pubs[0], scripts) 776 # Test that spends with a depth of 128 work, but 129 doesn't (even with a tree with weird Merkle branches in it). 777 add_spender(spenders, "spendpath/merklelimit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"leaf": "129deep"}, **ERR_CONTROLBLOCK_SIZE) 778 # Test that flipping the negation bit invalidates spends. 779 add_spender(spenders, "spendpath/negflag", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"negflag": lambda ctx: 1 - default_negflag(ctx)}, **ERR_WITNESS_PROGRAM_MISMATCH) 780 # Test that bitflips in the Merkle branch invalidate it. 781 add_spender(spenders, "spendpath/bitflipmerkle", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"merklebranch": bitflipper(default_merklebranch)}, **ERR_WITNESS_PROGRAM_MISMATCH) 782 # Test that bitflips in the inner pubkey invalidate it. 783 add_spender(spenders, "spendpath/bitflippubkey", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"pubkey_inner": bitflipper(default_pubkey_inner)}, **ERR_WITNESS_PROGRAM_MISMATCH) 784 # Test that empty witnesses are invalid. 785 add_spender(spenders, "spendpath/emptywit", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"witness": []}, **ERR_EMPTY_WITNESS) 786 # Test that adding garbage to the control block invalidates it. 787 add_spender(spenders, "spendpath/padlongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random_bytes(random.randrange(1, 32))}, **ERR_CONTROLBLOCK_SIZE) 788 # Test that truncating the control block invalidates it. 789 add_spender(spenders, "spendpath/trunclongcontrol", tap=tap, leaf="128deep", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_CONTROLBLOCK_SIZE) 790 791 scripts = [("s", CScript([pubs[0], OP_CHECKSIG]))] 792 tap = taproot_construct(pubs[1], scripts) 793 # Test that adding garbage to the control block invalidates it. 794 add_spender(spenders, "spendpath/padshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_controlblock(ctx) + random_bytes(random.randrange(1, 32))}, **ERR_CONTROLBLOCK_SIZE) 795 # Test that truncating the control block invalidates it. 796 add_spender(spenders, "spendpath/truncshortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:random.randrange(1, 32)]}, **ERR_CONTROLBLOCK_SIZE) 797 # Test that truncating the control block to 1 byte ("-1 Merkle length") invalidates it 798 add_spender(spenders, "spendpath/trunc1shortcontrol", tap=tap, leaf="s", **SINGLE_SIG, key=secs[0], failure={"controlblock": lambda ctx: default_merklebranch(ctx)[0:1]}, **ERR_CONTROLBLOCK_SIZE) 799 800 # == Test BIP342 edge cases == 801 802 csa_low_val = random.randrange(0, 17) # Within range for OP_n 803 csa_low_result = csa_low_val + 1 804 805 csa_high_val = random.randrange(17, 100) if random.getrandbits(1) else random.randrange(-100, -1) # Outside OP_n range 806 csa_high_result = csa_high_val + 1 807 808 OVERSIZE_NUMBER = 2**31 809 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER))), 6) 810 assert_equal(len(CScriptNum.encode(CScriptNum(OVERSIZE_NUMBER-1))), 5) 811 812 big_choices = [] 813 big_scriptops = [] 814 for i in range(1000): 815 r = random.randrange(len(pubs)) 816 big_choices.append(r) 817 big_scriptops += [pubs[r], OP_CHECKSIGVERIFY] 818 819 820 def big_spend_inputs(ctx): 821 """Helper function to construct the script input for t33/t34 below.""" 822 # Instead of signing 999 times, precompute signatures for every (key, hashtype) combination 823 sigs = {} 824 for ht in VALID_SIGHASHES_TAPROOT: 825 for k in range(len(pubs)): 826 sigs[(k, ht)] = override(default_sign, hashtype=ht, key=secs[k])(ctx) 827 num = get(ctx, "num") 828 return [sigs[(big_choices[i], random.choice(VALID_SIGHASHES_TAPROOT))] for i in range(num - 1, -1, -1)] 829 830 # Various BIP342 features 831 scripts = [ 832 # 0) drop stack element and OP_CHECKSIG 833 ("t0", CScript([OP_DROP, pubs[1], OP_CHECKSIG])), 834 # 1) normal OP_CHECKSIG 835 ("t1", CScript([pubs[1], OP_CHECKSIG])), 836 # 2) normal OP_CHECKSIGVERIFY 837 ("t2", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1])), 838 # 3) Hypothetical OP_CHECKMULTISIG script that takes a single sig as input 839 ("t3", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIG])), 840 # 4) Hypothetical OP_CHECKMULTISIGVERIFY script that takes a single sig as input 841 ("t4", CScript([OP_0, OP_SWAP, OP_1, pubs[1], OP_1, OP_CHECKMULTISIGVERIFY, OP_1])), 842 # 5) OP_IF script that needs a true input 843 ("t5", CScript([OP_IF, pubs[1], OP_CHECKSIG, OP_ELSE, OP_RETURN, OP_ENDIF])), 844 # 6) OP_NOTIF script that needs a true input 845 ("t6", CScript([OP_NOTIF, OP_RETURN, OP_ELSE, pubs[1], OP_CHECKSIG, OP_ENDIF])), 846 # 7) OP_CHECKSIG with an empty key 847 ("t7", CScript([OP_0, OP_CHECKSIG])), 848 # 8) OP_CHECKSIGVERIFY with an empty key 849 ("t8", CScript([OP_0, OP_CHECKSIGVERIFY, OP_1])), 850 # 9) normal OP_CHECKSIGADD that also ensures return value is correct 851 ("t9", CScript([csa_low_val, pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 852 # 10) OP_CHECKSIGADD with empty key 853 ("t10", CScript([csa_low_val, OP_0, OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 854 # 11) OP_CHECKSIGADD with missing counter stack element 855 ("t11", CScript([pubs[1], OP_CHECKSIGADD, OP_1, OP_EQUAL])), 856 # 12) OP_CHECKSIG that needs invalid signature 857 ("t12", CScript([pubs[1], OP_CHECKSIGVERIFY, pubs[0], OP_CHECKSIG, OP_NOT])), 858 # 13) OP_CHECKSIG with empty key that needs invalid signature 859 ("t13", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_CHECKSIG, OP_NOT])), 860 # 14) OP_CHECKSIGADD that needs invalid signature 861 ("t14", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, pubs[0], OP_CHECKSIGADD, OP_NOT])), 862 # 15) OP_CHECKSIGADD with empty key that needs invalid signature 863 ("t15", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGADD, OP_NOT])), 864 # 16) OP_CHECKSIG with unknown pubkey type 865 ("t16", CScript([OP_1, OP_CHECKSIG])), 866 # 17) OP_CHECKSIGADD with unknown pubkey type 867 ("t17", CScript([OP_0, OP_1, OP_CHECKSIGADD])), 868 # 18) OP_CHECKSIGVERIFY with unknown pubkey type 869 ("t18", CScript([OP_1, OP_CHECKSIGVERIFY, OP_1])), 870 # 19) script longer than 10000 bytes and over 201 non-push opcodes 871 ("t19", CScript([OP_0, OP_0, OP_2DROP] * 10001 + [pubs[1], OP_CHECKSIG])), 872 # 20) OP_CHECKSIGVERIFY with empty key 873 ("t20", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_0, OP_0, OP_CHECKSIGVERIFY, OP_1])), 874 # 21) Script that grows the stack to 1000 elements 875 ("t21", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 999 + [OP_DROP] * 999)), 876 # 22) Script that grows the stack to 1001 elements 877 ("t22", CScript([pubs[1], OP_CHECKSIGVERIFY, OP_1] + [OP_DUP] * 1000 + [OP_DROP] * 1000)), 878 # 23) Script that expects an input stack of 1000 elements 879 ("t23", CScript([OP_DROP] * 999 + [pubs[1], OP_CHECKSIG])), 880 # 24) Script that expects an input stack of 1001 elements 881 ("t24", CScript([OP_DROP] * 1000 + [pubs[1], OP_CHECKSIG])), 882 # 25) Script that pushes a MAX_SCRIPT_ELEMENT_SIZE-bytes element 883 ("t25", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE), OP_DROP, pubs[1], OP_CHECKSIG])), 884 # 26) Script that pushes a (MAX_SCRIPT_ELEMENT_SIZE+1)-bytes element 885 ("t26", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, pubs[1], OP_CHECKSIG])), 886 # 27) CHECKSIGADD that must fail because numeric argument number is >4 bytes 887 ("t27", CScript([CScriptNum(OVERSIZE_NUMBER), pubs[1], OP_CHECKSIGADD])), 888 # 28) Pushes random CScriptNum value, checks OP_CHECKSIGADD result 889 ("t28", CScript([csa_high_val, pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 890 # 29) CHECKSIGADD that succeeds with proper sig because numeric argument number is <=4 bytes 891 ("t29", CScript([CScriptNum(OVERSIZE_NUMBER-1), pubs[1], OP_CHECKSIGADD])), 892 # 30) Variant of t1 with "normal" 33-byte pubkey 893 ("t30", CScript([b'\x03' + pubs[1], OP_CHECKSIG])), 894 # 31) Variant of t2 with "normal" 33-byte pubkey 895 ("t31", CScript([b'\x02' + pubs[1], OP_CHECKSIGVERIFY, OP_1])), 896 # 32) Variant of t28 with "normal" 33-byte pubkey 897 ("t32", CScript([csa_high_val, b'\x03' + pubs[1], OP_CHECKSIGADD, csa_high_result, OP_EQUAL])), 898 # 33) 999-of-999 multisig 899 ("t33", CScript(big_scriptops[:1998] + [OP_1])), 900 # 34) 1000-of-1000 multisig 901 ("t34", CScript(big_scriptops[:2000] + [OP_1])), 902 # 35) Variant of t9 that uses a non-minimally encoded input arg 903 ("t35", CScript([bytes([csa_low_val]), pubs[1], OP_CHECKSIGADD, csa_low_result, OP_EQUAL])), 904 # 36) Empty script 905 ("t36", CScript([])), 906 ] 907 # Add many dummies to test huge trees 908 for j in range(100000): 909 scripts.append((None, CScript([OP_RETURN, random.randrange(100000)]))) 910 random.shuffle(scripts) 911 tap = taproot_construct(pubs[0], scripts) 912 common = { 913 "hashtype": hashtype, 914 "key": secs[1], 915 "tap": tap, 916 } 917 # Test that MAX_SCRIPT_ELEMENT_SIZE byte stack element inputs are valid, but not one more (and 80 bytes is standard but 81 is not). 918 add_spender(spenders, "tapscript/inputmaxlimit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random_bytes(MAX_SCRIPT_ELEMENT_SIZE)], failure={"inputs": [getter("sign"), random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1)]}, **ERR_PUSH_LIMIT) 919 add_spender(spenders, "tapscript/input80limit", leaf="t0", **common, inputs=[getter("sign"), random_bytes(80)]) 920 add_spender(spenders, "tapscript/input81limit", leaf="t0", **common, standard=False, inputs=[getter("sign"), random_bytes(81)]) 921 # Test that OP_CHECKMULTISIG and OP_CHECKMULTISIGVERIFY cause failure, but OP_CHECKSIG and OP_CHECKSIGVERIFY work. 922 add_spender(spenders, "tapscript/disabled_checkmultisig", leaf="t1", **common, **SINGLE_SIG, failure={"leaf": "t3"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 923 add_spender(spenders, "tapscript/disabled_checkmultisigverify", leaf="t2", **common, **SINGLE_SIG, failure={"leaf": "t4"}, **ERR_TAPSCRIPT_CHECKMULTISIG) 924 # Test that OP_IF and OP_NOTIF do not accept non-0x01 as truth value (the MINIMALIF rule is consensus in Tapscript) 925 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x02']}, **ERR_MINIMALIF) 926 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x03']}, **ERR_MINIMALIF) 927 add_spender(spenders, "tapscript/minimalif", leaf="t5", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0001']}, **ERR_MINIMALIF) 928 add_spender(spenders, "tapscript/minimalnotif", leaf="t6", **common, inputs=[getter("sign"), b'\x01'], failure={"inputs": [getter("sign"), b'\x0100']}, **ERR_MINIMALIF) 929 # Test that 1-byte public keys (which are unknown) are acceptable but nonstandard with unrelated signatures, but 0-byte public keys are not valid. 930 add_spender(spenders, "tapscript/unkpk/checksig", leaf="t16", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t7"}, **ERR_UNKNOWN_PUBKEY) 931 add_spender(spenders, "tapscript/unkpk/checksigadd", leaf="t17", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 932 add_spender(spenders, "tapscript/unkpk/checksigverify", leaf="t18", standard=False, **common, **SINGLE_SIG, failure={"leaf": "t8"}, **ERR_UNKNOWN_PUBKEY) 933 # Test that 33-byte public keys (which are unknown) are acceptable but nonstandard with valid signatures, but normal pubkeys are not valid in that case. 934 add_spender(spenders, "tapscript/oldpk/checksig", leaf="t30", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t1"}, **ERR_SIG_SCHNORR) 935 add_spender(spenders, "tapscript/oldpk/checksigadd", leaf="t31", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t2"}, **ERR_SIG_SCHNORR) 936 add_spender(spenders, "tapscript/oldpk/checksigverify", leaf="t32", standard=False, **common, **SINGLE_SIG, sighash=bitflipper(default_sighash), failure={"leaf": "t28"}, **ERR_SIG_SCHNORR) 937 # Test that 0-byte public keys are not acceptable. 938 add_spender(spenders, "tapscript/emptypk/checksig", leaf="t1", **SINGLE_SIG, **common, failure={"leaf": "t7"}, **ERR_UNKNOWN_PUBKEY) 939 add_spender(spenders, "tapscript/emptypk/checksigverify", leaf="t2", **SINGLE_SIG, **common, failure={"leaf": "t8"}, **ERR_UNKNOWN_PUBKEY) 940 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 941 add_spender(spenders, "tapscript/emptypk/checksigadd", leaf="t35", standard=False, **SINGLE_SIG, **common, failure={"leaf": "t10"}, **ERR_UNKNOWN_PUBKEY) 942 # Test that OP_CHECKSIGADD results are as expected 943 add_spender(spenders, "tapscript/checksigaddresults", leaf="t28", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 944 add_spender(spenders, "tapscript/checksigaddoversize", leaf="t29", **SINGLE_SIG, **common, failure={"leaf": "t27"}, err_msg="unknown error") 945 # Test that OP_CHECKSIGADD requires 3 stack elements. 946 add_spender(spenders, "tapscript/checksigadd3args", leaf="t9", **SINGLE_SIG, **common, failure={"leaf": "t11"}, **ERR_STACK_EMPTY) 947 # Test that empty signatures do not cause script failure in OP_CHECKSIG and OP_CHECKSIGADD (but do fail with empty pubkey, and do fail OP_CHECKSIGVERIFY) 948 add_spender(spenders, "tapscript/emptysigs/checksig", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t13"}, **ERR_UNKNOWN_PUBKEY) 949 add_spender(spenders, "tapscript/emptysigs/nochecksigverify", leaf="t12", **common, inputs=[b'', getter("sign")], failure={"leaf": "t20"}, **ERR_UNKNOWN_PUBKEY) 950 add_spender(spenders, "tapscript/emptysigs/checksigadd", leaf="t14", **common, inputs=[b'', getter("sign")], failure={"leaf": "t15"}, **ERR_UNKNOWN_PUBKEY) 951 # Test that scripts over 10000 bytes (and over 201 non-push ops) are acceptable. 952 add_spender(spenders, "tapscript/no10000limit", leaf="t19", **SINGLE_SIG, **common) 953 # Test that a stack size of 1000 elements is permitted, but 1001 isn't. 954 add_spender(spenders, "tapscript/1000stack", leaf="t21", **SINGLE_SIG, **common, failure={"leaf": "t22"}, **ERR_STACK_SIZE) 955 # Test that an input stack size of 1000 elements is permitted, but 1001 isn't. 956 add_spender(spenders, "tapscript/1000inputs", leaf="t23", **common, inputs=[getter("sign")] + [b'' for _ in range(999)], failure={"leaf": "t24", "inputs": [getter("sign")] + [b'' for _ in range(1000)]}, **ERR_STACK_SIZE) 957 # Test that pushing a MAX_SCRIPT_ELEMENT_SIZE byte stack element is valid, but one longer is not. 958 add_spender(spenders, "tapscript/pushmaxlimit", leaf="t25", **common, **SINGLE_SIG, failure={"leaf": "t26"}, **ERR_PUSH_LIMIT) 959 # Test that 999-of-999 multisig works (but 1000-of-1000 triggers stack size limits) 960 add_spender(spenders, "tapscript/bigmulti", leaf="t33", **common, inputs=big_spend_inputs, num=999, failure={"leaf": "t34", "num": 1000}, **ERR_STACK_SIZE) 961 # Test that the CLEANSTACK rule is consensus critical in tapscript 962 add_spender(spenders, "tapscript/cleanstack", leaf="t36", tap=tap, inputs=[b'\x01'], failure={"inputs": [b'\x01', b'\x01']}, **ERR_CLEANSTACK) 963 964 # == Test for sigops ratio limit == 965 966 # Given a number n, and a public key pk, functions that produce a (CScript, sigops). Each script takes as 967 # input a valid signature with the passed pk followed by a dummy push of bytes that are to be dropped, and 968 # will execute sigops signature checks. 969 SIGOPS_RATIO_SCRIPTS = [ 970 # n OP_CHECKSIGVERFIYs and 1 OP_CHECKSIG. 971 lambda n, pk: (CScript([OP_DROP, pk] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_CHECKSIG]), n + 1), 972 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGVERIFY. 973 lambda n, pk: (CScript([OP_DROP, pk, OP_0, OP_IF, OP_2DUP, OP_CHECKSIGVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_2, OP_SWAP, OP_CHECKSIGADD, OP_3, OP_EQUAL]), n + 1), 974 # n OP_CHECKSIGVERIFYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIG. 975 lambda n, pk: (CScript([random_bytes(220), OP_2DROP, pk, OP_1, OP_NOTIF, OP_2DUP, OP_CHECKSIG, OP_VERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_4, OP_SWAP, OP_CHECKSIGADD, OP_5, OP_EQUAL]), n + 1), 976 # n OP_CHECKSIGVERFIYs and 1 OP_CHECKSIGADD, but also one unexecuted OP_CHECKSIGADD. 977 lambda n, pk: (CScript([OP_DROP, pk, OP_1, OP_IF, OP_ELSE, OP_2DUP, OP_6, OP_SWAP, OP_CHECKSIGADD, OP_7, OP_EQUALVERIFY, OP_ENDIF] + [OP_2DUP, OP_CHECKSIGVERIFY] * n + [OP_8, OP_SWAP, OP_CHECKSIGADD, OP_9, OP_EQUAL]), n + 1), 978 # n+1 OP_CHECKSIGs, but also one OP_CHECKSIG with an empty signature. 979 lambda n, pk: (CScript([OP_DROP, OP_0, pk, OP_CHECKSIG, OP_NOT, OP_VERIFY, pk] + [OP_2DUP, OP_CHECKSIG, OP_VERIFY] * n + [OP_CHECKSIG]), n + 1), 980 # n OP_CHECKSIGADDs and 1 OP_CHECKSIG, but also an OP_CHECKSIGADD with an empty signature. 981 lambda n, pk: (CScript([OP_DROP, OP_0, OP_10, pk, OP_CHECKSIGADD, OP_10, OP_EQUALVERIFY, pk] + [OP_2DUP, OP_16, OP_SWAP, OP_CHECKSIGADD, b'\x11', OP_EQUALVERIFY] * n + [OP_CHECKSIG]), n + 1), 982 ] 983 for annex in [None, bytes([ANNEX_TAG]) + random_bytes(random.randrange(1000))]: 984 for hashtype in [SIGHASH_DEFAULT, SIGHASH_ALL]: 985 for pubkey in [pubs[1], random_bytes(random.choice([x for x in range(2, 81) if x != 32]))]: 986 for fn_num, fn in enumerate(SIGOPS_RATIO_SCRIPTS): 987 merkledepth = random.randrange(129) 988 989 990 def predict_sigops_ratio(n, dummy_size): 991 """Predict whether spending fn(n, pubkey) with dummy_size will pass the ratio test.""" 992 script, sigops = fn(n, pubkey) 993 # Predict the size of the witness for a given choice of n 994 stacklen_size = 1 995 sig_size = 64 + (hashtype != SIGHASH_DEFAULT) 996 siglen_size = 1 997 dummylen_size = 1 + 2 * (dummy_size >= 253) 998 script_size = len(script) 999 scriptlen_size = 1 + 2 * (script_size >= 253) 1000 control_size = 33 + 32 * merkledepth 1001 controllen_size = 1 + 2 * (control_size >= 253) 1002 annex_size = 0 if annex is None else len(annex) 1003 annexlen_size = 0 if annex is None else 1 + 2 * (annex_size >= 253) 1004 witsize = stacklen_size + sig_size + siglen_size + dummy_size + dummylen_size + script_size + scriptlen_size + control_size + controllen_size + annex_size + annexlen_size 1005 # sigops ratio test 1006 return witsize + 50 >= 50 * sigops 1007 # Make sure n is high enough that with empty dummy, the script is not valid 1008 n = 0 1009 while predict_sigops_ratio(n, 0): 1010 n += 1 1011 # But allow picking a bit higher still 1012 n += random.randrange(5) 1013 # Now pick dummy size *just* large enough that the overall construction passes 1014 dummylen = 0 1015 while not predict_sigops_ratio(n, dummylen): 1016 dummylen += 1 1017 scripts = [("s", fn(n, pubkey)[0])] 1018 for _ in range(merkledepth): 1019 scripts = [scripts, random.choice(PARTNER_MERKLE_FN)] 1020 tap = taproot_construct(pubs[0], scripts) 1021 standard = annex is None and dummylen <= 80 and len(pubkey) == 32 1022 add_spender(spenders, "tapscript/sigopsratio_%i" % fn_num, tap=tap, leaf="s", annex=annex, hashtype=hashtype, key=secs[1], inputs=[getter("sign"), random_bytes(dummylen)], standard=standard, failure={"inputs": [getter("sign"), random_bytes(dummylen - 1)]}, **ERR_SIGOPS_RATIO) 1023 1024 # Future leaf versions 1025 for leafver in range(0, 0x100, 2): 1026 if leafver == LEAF_VERSION_TAPSCRIPT or leafver == ANNEX_TAG: 1027 # Skip the defined LEAF_VERSION_TAPSCRIPT, and the ANNEX_TAG which is not usable as leaf version 1028 continue 1029 scripts = [ 1030 ("bare_c0", CScript([OP_NOP])), 1031 ("bare_unkver", CScript([OP_NOP]), leafver), 1032 ("return_c0", CScript([OP_RETURN])), 1033 ("return_unkver", CScript([OP_RETURN]), leafver), 1034 ("undecodable_c0", CScript([OP_PUSHDATA1])), 1035 ("undecodable_unkver", CScript([OP_PUSHDATA1]), leafver), 1036 ("bigpush_c0", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP])), 1037 ("bigpush_unkver", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP]), leafver), 1038 ("1001push_c0", CScript([OP_0] * 1001)), 1039 ("1001push_unkver", CScript([OP_0] * 1001), leafver), 1040 ] 1041 random.shuffle(scripts) 1042 tap = taproot_construct(pubs[0], scripts) 1043 add_spender(spenders, "unkver/bare", standard=False, tap=tap, leaf="bare_unkver", failure={"leaf": "bare_c0"}, **ERR_CLEANSTACK) 1044 add_spender(spenders, "unkver/return", standard=False, tap=tap, leaf="return_unkver", failure={"leaf": "return_c0"}, **ERR_OP_RETURN) 1045 add_spender(spenders, "unkver/undecodable", standard=False, tap=tap, leaf="undecodable_unkver", failure={"leaf": "undecodable_c0"}, **ERR_UNDECODABLE) 1046 add_spender(spenders, "unkver/bigpush", standard=False, tap=tap, leaf="bigpush_unkver", failure={"leaf": "bigpush_c0"}, **ERR_PUSH_LIMIT) 1047 add_spender(spenders, "unkver/1001push", standard=False, tap=tap, leaf="1001push_unkver", failure={"leaf": "1001push_c0"}, **ERR_STACK_SIZE) 1048 add_spender(spenders, "unkver/1001inputs", standard=False, tap=tap, leaf="bare_unkver", inputs=[b'']*1001, failure={"leaf": "bare_c0"}, **ERR_STACK_SIZE) 1049 1050 # OP_SUCCESSx tests. 1051 hashtype = lambda _: random.choice(VALID_SIGHASHES_TAPROOT) 1052 for opval in range(76, 0x100): 1053 opcode = CScriptOp(opval) 1054 if not is_op_success(opcode): 1055 continue 1056 scripts = [ 1057 ("bare_success", CScript([opcode])), 1058 ("bare_nop", CScript([OP_NOP])), 1059 ("unexecif_success", CScript([OP_0, OP_IF, opcode, OP_ENDIF])), 1060 ("unexecif_nop", CScript([OP_0, OP_IF, OP_NOP, OP_ENDIF])), 1061 ("return_success", CScript([OP_RETURN, opcode])), 1062 ("return_nop", CScript([OP_RETURN, OP_NOP])), 1063 ("undecodable_success", CScript([opcode, OP_PUSHDATA1])), 1064 ("undecodable_nop", CScript([OP_NOP, OP_PUSHDATA1])), 1065 ("undecodable_bypassed_success", CScript([OP_PUSHDATA1, OP_2, opcode])), 1066 ("bigpush_success", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, opcode])), 1067 ("bigpush_nop", CScript([random_bytes(MAX_SCRIPT_ELEMENT_SIZE+1), OP_DROP, OP_NOP])), 1068 ("1001push_success", CScript([OP_0] * 1001 + [opcode])), 1069 ("1001push_nop", CScript([OP_0] * 1001 + [OP_NOP])), 1070 ] 1071 random.shuffle(scripts) 1072 tap = taproot_construct(pubs[0], scripts) 1073 add_spender(spenders, "opsuccess/bare", standard=False, tap=tap, leaf="bare_success", failure={"leaf": "bare_nop"}, **ERR_CLEANSTACK) 1074 add_spender(spenders, "opsuccess/unexecif", standard=False, tap=tap, leaf="unexecif_success", failure={"leaf": "unexecif_nop"}, **ERR_CLEANSTACK) 1075 add_spender(spenders, "opsuccess/return", standard=False, tap=tap, leaf="return_success", failure={"leaf": "return_nop"}, **ERR_OP_RETURN) 1076 add_spender(spenders, "opsuccess/undecodable", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_nop"}, **ERR_UNDECODABLE) 1077 add_spender(spenders, "opsuccess/undecodable_bypass", standard=False, tap=tap, leaf="undecodable_success", failure={"leaf": "undecodable_bypassed_success"}, **ERR_UNDECODABLE) 1078 add_spender(spenders, "opsuccess/bigpush", standard=False, tap=tap, leaf="bigpush_success", failure={"leaf": "bigpush_nop"}, **ERR_PUSH_LIMIT) 1079 add_spender(spenders, "opsuccess/1001push", standard=False, tap=tap, leaf="1001push_success", failure={"leaf": "1001push_nop"}, **ERR_STACK_SIZE) 1080 add_spender(spenders, "opsuccess/1001inputs", standard=False, tap=tap, leaf="bare_success", inputs=[b'']*1001, failure={"leaf": "bare_nop"}, **ERR_STACK_SIZE) 1081 1082 # Non-OP_SUCCESSx (verify that those aren't accidentally treated as OP_SUCCESSx) 1083 for opval in range(0, 0x100): 1084 opcode = CScriptOp(opval) 1085 if is_op_success(opcode): 1086 continue 1087 scripts = [ 1088 ("normal", CScript([OP_RETURN, opcode] + [OP_NOP] * 75)), 1089 ("op_success", CScript([OP_RETURN, CScriptOp(0x50)])) 1090 ] 1091 tap = taproot_construct(pubs[0], scripts) 1092 add_spender(spenders, "alwaysvalid/notsuccessx", tap=tap, leaf="op_success", inputs=[], standard=False, failure={"leaf": "normal"}) # err_msg differs based on opcode 1093 1094 # == Legacy tests == 1095 1096 # Also add a few legacy spends into the mix, so that transactions which combine taproot and pre-taproot spends get tested too. 1097 for compressed in [False, True]: 1098 eckey1 = ECKey() 1099 eckey1.set(generate_privkey(), compressed) 1100 pubkey1 = eckey1.get_pubkey().get_bytes() 1101 eckey2 = ECKey() 1102 eckey2.set(generate_privkey(), compressed) 1103 for p2sh in [False, True]: 1104 for witv0 in [False, True]: 1105 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1106 standard = (hashtype in VALID_SIGHASHES_ECDSA) and (compressed or not witv0) 1107 add_spender(spenders, "legacy/pk-wrongkey", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([pubkey1, OP_CHECKSIG]), **SINGLE_SIG, key=eckey1, failure={"key": eckey2}, sigops_weight=4-3*witv0, **ERR_NO_SUCCESS) 1108 add_spender(spenders, "legacy/pkh-sighashflip", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, pkh=pubkey1, key=eckey1, **SIGHASH_BITFLIP, sigops_weight=4-3*witv0, **ERR_NO_SUCCESS) 1109 1110 # Verify that OP_CHECKSIGADD wasn't accidentally added to pre-taproot validation logic. 1111 for p2sh in [False, True]: 1112 for witv0 in [False, True]: 1113 for hashtype in VALID_SIGHASHES_ECDSA + [random.randrange(0x04, 0x80), random.randrange(0x84, 0x100)]: 1114 standard = hashtype in VALID_SIGHASHES_ECDSA and (p2sh or witv0) 1115 add_spender(spenders, "compat/nocsa", hashtype=hashtype, p2sh=p2sh, witv0=witv0, standard=standard, script=CScript([OP_IF, OP_11, pubkey1, OP_CHECKSIGADD, OP_12, OP_EQUAL, OP_ELSE, pubkey1, OP_CHECKSIG, OP_ENDIF]), key=eckey1, sigops_weight=4-3*witv0, inputs=[getter("sign"), b''], failure={"inputs": [getter("sign"), b'\x01']}, **ERR_UNDECODABLE) 1116 1117 return spenders 1118 1119def spenders_taproot_inactive(): 1120 """Spenders for testing that pre-activation Taproot rules don't apply.""" 1121 1122 spenders = [] 1123 1124 sec = generate_privkey() 1125 pub, _ = compute_xonly_pubkey(sec) 1126 scripts = [ 1127 ("pk", CScript([pub, OP_CHECKSIG])), 1128 ("future_leaf", CScript([pub, OP_CHECKSIG]), 0xc2), 1129 ("op_success", CScript([pub, OP_CHECKSIG, OP_0, OP_IF, CScriptOp(0x50), OP_ENDIF])), 1130 ] 1131 tap = taproot_construct(pub, scripts) 1132 1133 # Test that keypath spending is valid & non-standard, regardless of validity. 1134 add_spender(spenders, "inactive/keypath_valid", key=sec, tap=tap, standard=False) 1135 add_spender(spenders, "inactive/keypath_invalidsig", key=sec, tap=tap, standard=False, sighash=bitflipper(default_sighash)) 1136 add_spender(spenders, "inactive/keypath_empty", key=sec, tap=tap, standard=False, witness=[]) 1137 1138 # Same for scriptpath spending (and features like annex, leaf versions, or OP_SUCCESS don't change this) 1139 add_spender(spenders, "inactive/scriptpath_valid", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")]) 1140 add_spender(spenders, "inactive/scriptpath_invalidsig", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1141 add_spender(spenders, "inactive/scriptpath_invalidcb", key=sec, tap=tap, leaf="pk", standard=False, inputs=[getter("sign")], controlblock=bitflipper(default_controlblock)) 1142 add_spender(spenders, "inactive/scriptpath_valid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")]) 1143 add_spender(spenders, "inactive/scriptpath_invalid_unkleaf", key=sec, tap=tap, leaf="future_leaf", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1144 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")]) 1145 add_spender(spenders, "inactive/scriptpath_valid_opsuccess", key=sec, tap=tap, leaf="op_success", standard=False, inputs=[getter("sign")], sighash=bitflipper(default_sighash)) 1146 1147 return spenders 1148 1149# Consensus validation flags to use in dumps for tests with "legacy/" or "inactive/" prefix. 1150LEGACY_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY" 1151# Consensus validation flags to use in dumps for all other tests. 1152TAPROOT_FLAGS = "P2SH,DERSIG,CHECKLOCKTIMEVERIFY,CHECKSEQUENCEVERIFY,WITNESS,NULLDUMMY,TAPROOT" 1153 1154def dump_json_test(tx, input_utxos, idx, success, failure): 1155 spender = input_utxos[idx].spender 1156 # Determine flags to dump 1157 flags = LEGACY_FLAGS if spender.comment.startswith("legacy/") or spender.comment.startswith("inactive/") else TAPROOT_FLAGS 1158 1159 fields = [ 1160 ("tx", tx.serialize().hex()), 1161 ("prevouts", [x.output.serialize().hex() for x in input_utxos]), 1162 ("index", idx), 1163 ("flags", flags), 1164 ("comment", spender.comment) 1165 ] 1166 1167 # The "final" field indicates that a spend should be always valid, even with more validation flags enabled 1168 # than the listed ones. Use standardness as a proxy for this (which gives a conservative underestimate). 1169 if spender.is_standard: 1170 fields.append(("final", True)) 1171 1172 def dump_witness(wit): 1173 return OrderedDict([("scriptSig", wit[0].hex()), ("witness", [x.hex() for x in wit[1]])]) 1174 if success is not None: 1175 fields.append(("success", dump_witness(success))) 1176 if failure is not None: 1177 fields.append(("failure", dump_witness(failure))) 1178 1179 # Write the dump to $TEST_DUMP_DIR/x/xyz... where x,y,z,... are the SHA1 sum of the dump (which makes the 1180 # file naming scheme compatible with fuzzing infrastructure). 1181 dump = json.dumps(OrderedDict(fields)) + ",\n" 1182 sha1 = hashlib.sha1(dump.encode("utf-8")).hexdigest() 1183 dirname = os.environ.get("TEST_DUMP_DIR", ".") + ("/%s" % sha1[0]) 1184 os.makedirs(dirname, exist_ok=True) 1185 with open(dirname + ("/%s" % sha1), 'w', encoding="utf8") as f: 1186 f.write(dump) 1187 1188# Data type to keep track of UTXOs, where they were created, and how to spend them. 1189UTXOData = namedtuple('UTXOData', 'outpoint,output,spender') 1190 1191class TaprootTest(BitcoinTestFramework): 1192 def add_options(self, parser): 1193 parser.add_argument("--dumptests", dest="dump_tests", default=False, action="store_true", 1194 help="Dump generated test cases to directory set by TEST_DUMP_DIR environment variable") 1195 1196 def skip_test_if_missing_module(self): 1197 self.skip_if_no_wallet() 1198 1199 def set_test_params(self): 1200 self.num_nodes = 2 1201 self.setup_clean_chain = True 1202 # Node 0 has Taproot inactive, Node 1 active. 1203 self.extra_args = [["-par=1", "-vbparams=taproot:1:1"], ["-par=1"]] 1204 1205 def block_submit(self, node, txs, msg, err_msg, cb_pubkey=None, fees=0, sigops_weight=0, witness=False, accept=False): 1206 1207 # Deplete block of any non-tapscript sigops using a single additional 0-value coinbase output. 1208 # It is not impossible to fit enough tapscript sigops to hit the old 80k limit without 1209 # busting txin-level limits. We simply have to account for the p2pk outputs in all 1210 # transactions. 1211 extra_output_script = CScript([OP_CHECKSIG]*((MAX_BLOCK_SIGOPS_WEIGHT - sigops_weight) // WITNESS_SCALE_FACTOR)) 1212 1213 block = create_block(self.tip, create_coinbase(self.lastblockheight + 1, pubkey=cb_pubkey, extra_output_script=extra_output_script, fees=fees), self.lastblocktime + 1) 1214 block.set_base_version(4) 1215 for tx in txs: 1216 tx.rehash() 1217 block.vtx.append(tx) 1218 block.hashMerkleRoot = block.calc_merkle_root() 1219 witness and add_witness_commitment(block) 1220 block.rehash() 1221 block.solve() 1222 block_response = node.submitblock(block.serialize().hex()) 1223 if err_msg is not None: 1224 assert block_response is not None and err_msg in block_response, "Missing error message '%s' from block response '%s': %s" % (err_msg, "(None)" if block_response is None else block_response, msg) 1225 if (accept): 1226 assert node.getbestblockhash() == block.hash, "Failed to accept: %s (response: %s)" % (msg, block_response) 1227 self.tip = block.sha256 1228 self.lastblockhash = block.hash 1229 self.lastblocktime += 1 1230 self.lastblockheight += 1 1231 else: 1232 assert node.getbestblockhash() == self.lastblockhash, "Failed to reject: " + msg 1233 1234 def test_spenders(self, node, spenders, input_counts): 1235 """Run randomized tests with a number of "spenders". 1236 1237 Steps: 1238 1) Generate an appropriate UTXO for each spender to test spend conditions 1239 2) Generate 100 random addresses of all wallet types: pkh/sh_wpkh/wpkh 1240 3) Select random number of inputs from (1) 1241 4) Select random number of addresses from (2) as outputs 1242 1243 Each spender embodies a test; in a large randomized test, it is verified 1244 that toggling the valid argument to each lambda toggles the validity of 1245 the transaction. This is accomplished by constructing transactions consisting 1246 of all valid inputs, except one invalid one. 1247 """ 1248 1249 # Construct a bunch of sPKs that send coins back to the host wallet 1250 self.log.info("- Constructing addresses for returning coins") 1251 host_spks = [] 1252 host_pubkeys = [] 1253 for i in range(16): 1254 addr = node.getnewaddress(address_type=random.choice(["legacy", "p2sh-segwit", "bech32"])) 1255 info = node.getaddressinfo(addr) 1256 spk = bytes.fromhex(info['scriptPubKey']) 1257 host_spks.append(spk) 1258 host_pubkeys.append(bytes.fromhex(info['pubkey'])) 1259 1260 # Initialize variables used by block_submit(). 1261 self.lastblockhash = node.getbestblockhash() 1262 self.tip = int(self.lastblockhash, 16) 1263 block = node.getblock(self.lastblockhash) 1264 self.lastblockheight = block['height'] 1265 self.lastblocktime = block['time'] 1266 1267 # Create transactions spending up to 50 of the wallet's inputs, with one output for each spender, and 1268 # one change output at the end. The transaction is constructed on the Python side to enable 1269 # having multiple outputs to the same address and outputs with no assigned address. The wallet 1270 # is then asked to sign it through signrawtransactionwithwallet, and then added to a block on the 1271 # Python side (to bypass standardness rules). 1272 self.log.info("- Creating test UTXOs...") 1273 random.shuffle(spenders) 1274 normal_utxos = [] 1275 mismatching_utxos = [] # UTXOs with input that requires mismatching output position 1276 done = 0 1277 while done < len(spenders): 1278 # Compute how many UTXOs to create with this transaction 1279 count_this_tx = min(len(spenders) - done, (len(spenders) + 4) // 5, 10000) 1280 1281 fund_tx = CTransaction() 1282 # Add the 50 highest-value inputs 1283 unspents = node.listunspent() 1284 random.shuffle(unspents) 1285 unspents.sort(key=lambda x: int(x["amount"] * 100000000), reverse=True) 1286 if len(unspents) > 50: 1287 unspents = unspents[:50] 1288 random.shuffle(unspents) 1289 balance = 0 1290 for unspent in unspents: 1291 balance += int(unspent["amount"] * 100000000) 1292 txid = int(unspent["txid"], 16) 1293 fund_tx.vin.append(CTxIn(COutPoint(txid, int(unspent["vout"])), CScript())) 1294 # Add outputs 1295 cur_progress = done / len(spenders) 1296 next_progress = (done + count_this_tx) / len(spenders) 1297 change_goal = (1.0 - 0.6 * next_progress) / (1.0 - 0.6 * cur_progress) * balance 1298 self.log.debug("Create %i UTXOs in a transaction spending %i inputs worth %.8f (sending ~%.8f to change)" % (count_this_tx, len(unspents), balance * 0.00000001, change_goal * 0.00000001)) 1299 for i in range(count_this_tx): 1300 avg = (balance - change_goal) / (count_this_tx - i) 1301 amount = int(random.randrange(int(avg*0.85 + 0.5), int(avg*1.15 + 0.5)) + 0.5) 1302 balance -= amount 1303 fund_tx.vout.append(CTxOut(amount, spenders[done + i].script)) 1304 # Add change 1305 fund_tx.vout.append(CTxOut(balance - 10000, random.choice(host_spks))) 1306 # Ask the wallet to sign 1307 ss = BytesIO(bytes.fromhex(node.signrawtransactionwithwallet(ToHex(fund_tx))["hex"])) 1308 fund_tx.deserialize(ss) 1309 # Construct UTXOData entries 1310 fund_tx.rehash() 1311 for i in range(count_this_tx): 1312 utxodata = UTXOData(outpoint=COutPoint(fund_tx.sha256, i), output=fund_tx.vout[i], spender=spenders[done]) 1313 if utxodata.spender.need_vin_vout_mismatch: 1314 mismatching_utxos.append(utxodata) 1315 else: 1316 normal_utxos.append(utxodata) 1317 done += 1 1318 # Mine into a block 1319 self.block_submit(node, [fund_tx], "Funding tx", None, random.choice(host_pubkeys), 10000, MAX_BLOCK_SIGOPS_WEIGHT, True, True) 1320 1321 # Consume groups of choice(input_coins) from utxos in a tx, testing the spenders. 1322 self.log.info("- Running %i spending tests" % done) 1323 random.shuffle(normal_utxos) 1324 random.shuffle(mismatching_utxos) 1325 assert done == len(normal_utxos) + len(mismatching_utxos) 1326 1327 left = done 1328 while left: 1329 # Construct CTransaction with random nVersion, nLocktime 1330 tx = CTransaction() 1331 tx.nVersion = random.choice([1, 2, random.randint(-0x80000000, 0x7fffffff)]) 1332 min_sequence = (tx.nVersion != 1 and tx.nVersion != 0) * 0x80000000 # The minimum sequence number to disable relative locktime 1333 if random.choice([True, False]): 1334 tx.nLockTime = random.randrange(LOCKTIME_THRESHOLD, self.lastblocktime - 7200) # all absolute locktimes in the past 1335 else: 1336 tx.nLockTime = random.randrange(self.lastblockheight + 1) # all block heights in the past 1337 1338 # Decide how many UTXOs to test with. 1339 acceptable = [n for n in input_counts if n <= left and (left - n > max(input_counts) or (left - n) in [0] + input_counts)] 1340 num_inputs = random.choice(acceptable) 1341 1342 # If we have UTXOs that require mismatching inputs/outputs left, include exactly one of those 1343 # unless there is only one normal UTXO left (as tests with mismatching UTXOs require at least one 1344 # normal UTXO to go in the first position), and we don't want to run out of normal UTXOs. 1345 input_utxos = [] 1346 while len(mismatching_utxos) and (len(input_utxos) == 0 or len(normal_utxos) == 1): 1347 input_utxos.append(mismatching_utxos.pop()) 1348 left -= 1 1349 1350 # Top up until we hit num_inputs (but include at least one normal UTXO always). 1351 for _ in range(max(1, num_inputs - len(input_utxos))): 1352 input_utxos.append(normal_utxos.pop()) 1353 left -= 1 1354 1355 # The first input cannot require a mismatching output (as there is at least one output). 1356 while True: 1357 random.shuffle(input_utxos) 1358 if not input_utxos[0].spender.need_vin_vout_mismatch: 1359 break 1360 first_mismatch_input = None 1361 for i in range(len(input_utxos)): 1362 if input_utxos[i].spender.need_vin_vout_mismatch: 1363 first_mismatch_input = i 1364 assert first_mismatch_input is None or first_mismatch_input > 0 1365 1366 # Decide fee, and add CTxIns to tx. 1367 amount = sum(utxo.output.nValue for utxo in input_utxos) 1368 fee = min(random.randrange(MIN_FEE * 2, MIN_FEE * 4), amount - DUST_LIMIT) # 10000-20000 sat fee 1369 in_value = amount - fee 1370 tx.vin = [CTxIn(outpoint=utxo.outpoint, nSequence=random.randint(min_sequence, 0xffffffff)) for utxo in input_utxos] 1371 tx.wit.vtxinwit = [CTxInWitness() for _ in range(len(input_utxos))] 1372 sigops_weight = sum(utxo.spender.sigops_weight for utxo in input_utxos) 1373 self.log.debug("Test: %s" % (", ".join(utxo.spender.comment for utxo in input_utxos))) 1374 1375 # Add 1 to 4 random outputs (but constrained by inputs that require mismatching outputs) 1376 num_outputs = random.choice(range(1, 1 + min(4, 4 if first_mismatch_input is None else first_mismatch_input))) 1377 assert in_value >= 0 and fee - num_outputs * DUST_LIMIT >= MIN_FEE 1378 for i in range(num_outputs): 1379 tx.vout.append(CTxOut()) 1380 if in_value <= DUST_LIMIT: 1381 tx.vout[-1].nValue = DUST_LIMIT 1382 elif i < num_outputs - 1: 1383 tx.vout[-1].nValue = in_value 1384 else: 1385 tx.vout[-1].nValue = random.randint(DUST_LIMIT, in_value) 1386 in_value -= tx.vout[-1].nValue 1387 tx.vout[-1].scriptPubKey = random.choice(host_spks) 1388 sigops_weight += CScript(tx.vout[-1].scriptPubKey).GetSigOpCount(False) * WITNESS_SCALE_FACTOR 1389 fee += in_value 1390 assert fee >= 0 1391 1392 # Select coinbase pubkey 1393 cb_pubkey = random.choice(host_pubkeys) 1394 sigops_weight += 1 * WITNESS_SCALE_FACTOR 1395 1396 # Precompute one satisfying and one failing scriptSig/witness for each input. 1397 input_data = [] 1398 for i in range(len(input_utxos)): 1399 fn = input_utxos[i].spender.sat_function 1400 fail = None 1401 success = fn(tx, i, [utxo.output for utxo in input_utxos], True) 1402 if not input_utxos[i].spender.no_fail: 1403 fail = fn(tx, i, [utxo.output for utxo in input_utxos], False) 1404 input_data.append((fail, success)) 1405 if self.options.dump_tests: 1406 dump_json_test(tx, input_utxos, i, success, fail) 1407 1408 # Sign each input incorrectly once on each complete signing pass, except the very last. 1409 for fail_input in list(range(len(input_utxos))) + [None]: 1410 # Skip trying to fail at spending something that can't be made to fail. 1411 if fail_input is not None and input_utxos[fail_input].spender.no_fail: 1412 continue 1413 # Expected message with each input failure, may be None(which is ignored) 1414 expected_fail_msg = None if fail_input is None else input_utxos[fail_input].spender.err_msg 1415 # Fill inputs/witnesses 1416 for i in range(len(input_utxos)): 1417 tx.vin[i].scriptSig = input_data[i][i != fail_input][0] 1418 tx.wit.vtxinwit[i].scriptWitness.stack = input_data[i][i != fail_input][1] 1419 # Submit to mempool to check standardness 1420 is_standard_tx = fail_input is None and all(utxo.spender.is_standard for utxo in input_utxos) and tx.nVersion >= 1 and tx.nVersion <= 2 1421 tx.rehash() 1422 msg = ','.join(utxo.spender.comment + ("*" if n == fail_input else "") for n, utxo in enumerate(input_utxos)) 1423 if is_standard_tx: 1424 node.sendrawtransaction(tx.serialize().hex(), 0) 1425 assert node.getmempoolentry(tx.hash) is not None, "Failed to accept into mempool: " + msg 1426 else: 1427 assert_raises_rpc_error(-26, None, node.sendrawtransaction, tx.serialize().hex(), 0) 1428 # Submit in a block 1429 self.block_submit(node, [tx], msg, witness=True, accept=fail_input is None, cb_pubkey=cb_pubkey, fees=fee, sigops_weight=sigops_weight, err_msg=expected_fail_msg) 1430 1431 if (len(spenders) - left) // 200 > (len(spenders) - left - len(input_utxos)) // 200: 1432 self.log.info(" - %i tests done" % (len(spenders) - left)) 1433 1434 assert left == 0 1435 assert len(normal_utxos) == 0 1436 assert len(mismatching_utxos) == 0 1437 self.log.info(" - Done") 1438 1439 def run_test(self): 1440 # Post-taproot activation tests go first (pre-taproot tests' blocks are invalid post-taproot). 1441 self.log.info("Post-activation tests...") 1442 self.nodes[1].generate(101) 1443 self.test_spenders(self.nodes[1], spenders_taproot_active(), input_counts=[1, 2, 2, 2, 2, 3]) 1444 1445 # Transfer value of the largest 500 coins to pre-taproot node. 1446 addr = self.nodes[0].getnewaddress() 1447 1448 unsp = self.nodes[1].listunspent() 1449 unsp = sorted(unsp, key=lambda i: i['amount'], reverse=True) 1450 unsp = unsp[:500] 1451 1452 rawtx = self.nodes[1].createrawtransaction( 1453 inputs=[{ 1454 'txid': i['txid'], 1455 'vout': i['vout'] 1456 } for i in unsp], 1457 outputs={addr: sum(i['amount'] for i in unsp)} 1458 ) 1459 rawtx = self.nodes[1].signrawtransactionwithwallet(rawtx)['hex'] 1460 1461 # Mine a block with the transaction 1462 block = create_block(tmpl=self.nodes[1].getblocktemplate(NORMAL_GBT_REQUEST_PARAMS), txlist=[rawtx]) 1463 add_witness_commitment(block) 1464 block.rehash() 1465 block.solve() 1466 assert_equal(None, self.nodes[1].submitblock(block.serialize().hex())) 1467 self.sync_blocks() 1468 1469 # Pre-taproot activation tests. 1470 self.log.info("Pre-activation tests...") 1471 # Run each test twice; once in isolation, and once combined with others. Testing in isolation 1472 # means that the standardness is verified in every test (as combined transactions are only standard 1473 # when all their inputs are standard). 1474 self.test_spenders(self.nodes[0], spenders_taproot_inactive(), input_counts=[1]) 1475 self.test_spenders(self.nodes[0], spenders_taproot_inactive(), input_counts=[2, 3]) 1476 1477 1478if __name__ == '__main__': 1479 TaprootTest().main() 1480