1 // Copyright (c) 2009-2020 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5 #include <psbt.h>
6
7 #include <util/check.h>
8 #include <util/strencodings.h>
9
10
PartiallySignedTransaction(const CMutableTransaction & tx)11 PartiallySignedTransaction::PartiallySignedTransaction(const CMutableTransaction& tx) : tx(tx)
12 {
13 inputs.resize(tx.vin.size());
14 outputs.resize(tx.vout.size());
15 }
16
IsNull() const17 bool PartiallySignedTransaction::IsNull() const
18 {
19 return !tx && inputs.empty() && outputs.empty() && unknown.empty();
20 }
21
Merge(const PartiallySignedTransaction & psbt)22 bool PartiallySignedTransaction::Merge(const PartiallySignedTransaction& psbt)
23 {
24 // Prohibited to merge two PSBTs over different transactions
25 if (tx->GetHash() != psbt.tx->GetHash()) {
26 return false;
27 }
28
29 for (unsigned int i = 0; i < inputs.size(); ++i) {
30 inputs[i].Merge(psbt.inputs[i]);
31 }
32 for (unsigned int i = 0; i < outputs.size(); ++i) {
33 outputs[i].Merge(psbt.outputs[i]);
34 }
35 unknown.insert(psbt.unknown.begin(), psbt.unknown.end());
36
37 return true;
38 }
39
AddInput(const CTxIn & txin,PSBTInput & psbtin)40 bool PartiallySignedTransaction::AddInput(const CTxIn& txin, PSBTInput& psbtin)
41 {
42 if (std::find(tx->vin.begin(), tx->vin.end(), txin) != tx->vin.end()) {
43 return false;
44 }
45 tx->vin.push_back(txin);
46 psbtin.partial_sigs.clear();
47 psbtin.final_script_sig.clear();
48 psbtin.final_script_witness.SetNull();
49 inputs.push_back(psbtin);
50 return true;
51 }
52
AddOutput(const CTxOut & txout,const PSBTOutput & psbtout)53 bool PartiallySignedTransaction::AddOutput(const CTxOut& txout, const PSBTOutput& psbtout)
54 {
55 tx->vout.push_back(txout);
56 outputs.push_back(psbtout);
57 return true;
58 }
59
GetInputUTXO(CTxOut & utxo,int input_index) const60 bool PartiallySignedTransaction::GetInputUTXO(CTxOut& utxo, int input_index) const
61 {
62 const PSBTInput& input = inputs[input_index];
63 uint32_t prevout_index = tx->vin[input_index].prevout.n;
64 if (input.non_witness_utxo) {
65 if (prevout_index >= input.non_witness_utxo->vout.size()) {
66 return false;
67 }
68 if (input.non_witness_utxo->GetHash() != tx->vin[input_index].prevout.hash) {
69 return false;
70 }
71 utxo = input.non_witness_utxo->vout[prevout_index];
72 } else if (!input.witness_utxo.IsNull()) {
73 utxo = input.witness_utxo;
74 } else {
75 return false;
76 }
77 return true;
78 }
79
IsNull() const80 bool PSBTInput::IsNull() const
81 {
82 return !non_witness_utxo && witness_utxo.IsNull() && partial_sigs.empty() && unknown.empty() && hd_keypaths.empty() && redeem_script.empty() && witness_script.empty();
83 }
84
FillSignatureData(SignatureData & sigdata) const85 void PSBTInput::FillSignatureData(SignatureData& sigdata) const
86 {
87 if (!final_script_sig.empty()) {
88 sigdata.scriptSig = final_script_sig;
89 sigdata.complete = true;
90 }
91 if (!final_script_witness.IsNull()) {
92 sigdata.scriptWitness = final_script_witness;
93 sigdata.complete = true;
94 }
95 if (sigdata.complete) {
96 return;
97 }
98
99 sigdata.signatures.insert(partial_sigs.begin(), partial_sigs.end());
100 if (!redeem_script.empty()) {
101 sigdata.redeem_script = redeem_script;
102 }
103 if (!witness_script.empty()) {
104 sigdata.witness_script = witness_script;
105 }
106 for (const auto& key_pair : hd_keypaths) {
107 sigdata.misc_pubkeys.emplace(key_pair.first.GetID(), key_pair);
108 }
109 }
110
FromSignatureData(const SignatureData & sigdata)111 void PSBTInput::FromSignatureData(const SignatureData& sigdata)
112 {
113 if (sigdata.complete) {
114 partial_sigs.clear();
115 hd_keypaths.clear();
116 redeem_script.clear();
117 witness_script.clear();
118
119 if (!sigdata.scriptSig.empty()) {
120 final_script_sig = sigdata.scriptSig;
121 }
122 if (!sigdata.scriptWitness.IsNull()) {
123 final_script_witness = sigdata.scriptWitness;
124 }
125 return;
126 }
127
128 partial_sigs.insert(sigdata.signatures.begin(), sigdata.signatures.end());
129 if (redeem_script.empty() && !sigdata.redeem_script.empty()) {
130 redeem_script = sigdata.redeem_script;
131 }
132 if (witness_script.empty() && !sigdata.witness_script.empty()) {
133 witness_script = sigdata.witness_script;
134 }
135 for (const auto& entry : sigdata.misc_pubkeys) {
136 hd_keypaths.emplace(entry.second);
137 }
138 }
139
Merge(const PSBTInput & input)140 void PSBTInput::Merge(const PSBTInput& input)
141 {
142 if (!non_witness_utxo && input.non_witness_utxo) non_witness_utxo = input.non_witness_utxo;
143 if (witness_utxo.IsNull() && !input.witness_utxo.IsNull()) {
144 // TODO: For segwit v1, we will want to clear out the non-witness utxo when setting a witness one. For v0 and non-segwit, this is not safe
145 witness_utxo = input.witness_utxo;
146 }
147
148 partial_sigs.insert(input.partial_sigs.begin(), input.partial_sigs.end());
149 hd_keypaths.insert(input.hd_keypaths.begin(), input.hd_keypaths.end());
150 unknown.insert(input.unknown.begin(), input.unknown.end());
151
152 if (redeem_script.empty() && !input.redeem_script.empty()) redeem_script = input.redeem_script;
153 if (witness_script.empty() && !input.witness_script.empty()) witness_script = input.witness_script;
154 if (final_script_sig.empty() && !input.final_script_sig.empty()) final_script_sig = input.final_script_sig;
155 if (final_script_witness.IsNull() && !input.final_script_witness.IsNull()) final_script_witness = input.final_script_witness;
156 }
157
FillSignatureData(SignatureData & sigdata) const158 void PSBTOutput::FillSignatureData(SignatureData& sigdata) const
159 {
160 if (!redeem_script.empty()) {
161 sigdata.redeem_script = redeem_script;
162 }
163 if (!witness_script.empty()) {
164 sigdata.witness_script = witness_script;
165 }
166 for (const auto& key_pair : hd_keypaths) {
167 sigdata.misc_pubkeys.emplace(key_pair.first.GetID(), key_pair);
168 }
169 }
170
FromSignatureData(const SignatureData & sigdata)171 void PSBTOutput::FromSignatureData(const SignatureData& sigdata)
172 {
173 if (redeem_script.empty() && !sigdata.redeem_script.empty()) {
174 redeem_script = sigdata.redeem_script;
175 }
176 if (witness_script.empty() && !sigdata.witness_script.empty()) {
177 witness_script = sigdata.witness_script;
178 }
179 for (const auto& entry : sigdata.misc_pubkeys) {
180 hd_keypaths.emplace(entry.second);
181 }
182 }
183
IsNull() const184 bool PSBTOutput::IsNull() const
185 {
186 return redeem_script.empty() && witness_script.empty() && hd_keypaths.empty() && unknown.empty();
187 }
188
Merge(const PSBTOutput & output)189 void PSBTOutput::Merge(const PSBTOutput& output)
190 {
191 hd_keypaths.insert(output.hd_keypaths.begin(), output.hd_keypaths.end());
192 unknown.insert(output.unknown.begin(), output.unknown.end());
193
194 if (redeem_script.empty() && !output.redeem_script.empty()) redeem_script = output.redeem_script;
195 if (witness_script.empty() && !output.witness_script.empty()) witness_script = output.witness_script;
196 }
PSBTInputSigned(const PSBTInput & input)197 bool PSBTInputSigned(const PSBTInput& input)
198 {
199 return !input.final_script_sig.empty() || !input.final_script_witness.IsNull();
200 }
201
CountPSBTUnsignedInputs(const PartiallySignedTransaction & psbt)202 size_t CountPSBTUnsignedInputs(const PartiallySignedTransaction& psbt) {
203 size_t count = 0;
204 for (const auto& input : psbt.inputs) {
205 if (!PSBTInputSigned(input)) {
206 count++;
207 }
208 }
209
210 return count;
211 }
212
UpdatePSBTOutput(const SigningProvider & provider,PartiallySignedTransaction & psbt,int index)213 void UpdatePSBTOutput(const SigningProvider& provider, PartiallySignedTransaction& psbt, int index)
214 {
215 CMutableTransaction& tx = *Assert(psbt.tx);
216 const CTxOut& out = tx.vout.at(index);
217 PSBTOutput& psbt_out = psbt.outputs.at(index);
218
219 // Fill a SignatureData with output info
220 SignatureData sigdata;
221 psbt_out.FillSignatureData(sigdata);
222
223 // Construct a would-be spend of this output, to update sigdata with.
224 // Note that ProduceSignature is used to fill in metadata (not actual signatures),
225 // so provider does not need to provide any private keys (it can be a HidingSigningProvider).
226 MutableTransactionSignatureCreator creator(&tx, /* index */ 0, out.nValue, SIGHASH_ALL);
227 ProduceSignature(provider, creator, out.scriptPubKey, sigdata);
228
229 // Put redeem_script, witness_script, key paths, into PSBTOutput.
230 psbt_out.FromSignatureData(sigdata);
231 }
232
PrecomputePSBTData(const PartiallySignedTransaction & psbt)233 PrecomputedTransactionData PrecomputePSBTData(const PartiallySignedTransaction& psbt)
234 {
235 const CMutableTransaction& tx = *psbt.tx;
236 bool have_all_spent_outputs = true;
237 std::vector<CTxOut> utxos(tx.vin.size());
238 for (size_t idx = 0; idx < tx.vin.size(); ++idx) {
239 if (!psbt.GetInputUTXO(utxos[idx], idx)) have_all_spent_outputs = false;
240 }
241 PrecomputedTransactionData txdata;
242 if (have_all_spent_outputs) {
243 txdata.Init(tx, std::move(utxos), true);
244 } else {
245 txdata.Init(tx, {}, true);
246 }
247 return txdata;
248 }
249
SignPSBTInput(const SigningProvider & provider,PartiallySignedTransaction & psbt,int index,const PrecomputedTransactionData * txdata,int sighash,SignatureData * out_sigdata)250 bool SignPSBTInput(const SigningProvider& provider, PartiallySignedTransaction& psbt, int index, const PrecomputedTransactionData* txdata, int sighash, SignatureData* out_sigdata)
251 {
252 PSBTInput& input = psbt.inputs.at(index);
253 const CMutableTransaction& tx = *psbt.tx;
254
255 if (PSBTInputSigned(input)) {
256 return true;
257 }
258
259 // Fill SignatureData with input info
260 SignatureData sigdata;
261 input.FillSignatureData(sigdata);
262
263 // Get UTXO
264 bool require_witness_sig = false;
265 CTxOut utxo;
266
267 if (input.non_witness_utxo) {
268 // If we're taking our information from a non-witness UTXO, verify that it matches the prevout.
269 COutPoint prevout = tx.vin[index].prevout;
270 if (prevout.n >= input.non_witness_utxo->vout.size()) {
271 return false;
272 }
273 if (input.non_witness_utxo->GetHash() != prevout.hash) {
274 return false;
275 }
276 utxo = input.non_witness_utxo->vout[prevout.n];
277 } else if (!input.witness_utxo.IsNull()) {
278 utxo = input.witness_utxo;
279 // When we're taking our information from a witness UTXO, we can't verify it is actually data from
280 // the output being spent. This is safe in case a witness signature is produced (which includes this
281 // information directly in the hash), but not for non-witness signatures. Remember that we require
282 // a witness signature in this situation.
283 require_witness_sig = true;
284 } else {
285 return false;
286 }
287
288 sigdata.witness = false;
289 bool sig_complete;
290 if (txdata == nullptr) {
291 sig_complete = ProduceSignature(provider, DUMMY_SIGNATURE_CREATOR, utxo.scriptPubKey, sigdata);
292 } else {
293 MutableTransactionSignatureCreator creator(&tx, index, utxo.nValue, txdata, sighash);
294 sig_complete = ProduceSignature(provider, creator, utxo.scriptPubKey, sigdata);
295 }
296 // Verify that a witness signature was produced in case one was required.
297 if (require_witness_sig && !sigdata.witness) return false;
298 input.FromSignatureData(sigdata);
299
300 // If we have a witness signature, put a witness UTXO.
301 // TODO: For segwit v1, we should remove the non_witness_utxo
302 if (sigdata.witness) {
303 input.witness_utxo = utxo;
304 // input.non_witness_utxo = nullptr;
305 }
306
307 // Fill in the missing info
308 if (out_sigdata) {
309 out_sigdata->missing_pubkeys = sigdata.missing_pubkeys;
310 out_sigdata->missing_sigs = sigdata.missing_sigs;
311 out_sigdata->missing_redeem_script = sigdata.missing_redeem_script;
312 out_sigdata->missing_witness_script = sigdata.missing_witness_script;
313 }
314
315 return sig_complete;
316 }
317
FinalizePSBT(PartiallySignedTransaction & psbtx)318 bool FinalizePSBT(PartiallySignedTransaction& psbtx)
319 {
320 // Finalize input signatures -- in case we have partial signatures that add up to a complete
321 // signature, but have not combined them yet (e.g. because the combiner that created this
322 // PartiallySignedTransaction did not understand them), this will combine them into a final
323 // script.
324 bool complete = true;
325 const PrecomputedTransactionData txdata = PrecomputePSBTData(psbtx);
326 for (unsigned int i = 0; i < psbtx.tx->vin.size(); ++i) {
327 complete &= SignPSBTInput(DUMMY_SIGNING_PROVIDER, psbtx, i, &txdata, SIGHASH_ALL);
328 }
329
330 return complete;
331 }
332
FinalizeAndExtractPSBT(PartiallySignedTransaction & psbtx,CMutableTransaction & result)333 bool FinalizeAndExtractPSBT(PartiallySignedTransaction& psbtx, CMutableTransaction& result)
334 {
335 // It's not safe to extract a PSBT that isn't finalized, and there's no easy way to check
336 // whether a PSBT is finalized without finalizing it, so we just do this.
337 if (!FinalizePSBT(psbtx)) {
338 return false;
339 }
340
341 result = *psbtx.tx;
342 for (unsigned int i = 0; i < result.vin.size(); ++i) {
343 result.vin[i].scriptSig = psbtx.inputs[i].final_script_sig;
344 result.vin[i].scriptWitness = psbtx.inputs[i].final_script_witness;
345 }
346 return true;
347 }
348
CombinePSBTs(PartiallySignedTransaction & out,const std::vector<PartiallySignedTransaction> & psbtxs)349 TransactionError CombinePSBTs(PartiallySignedTransaction& out, const std::vector<PartiallySignedTransaction>& psbtxs)
350 {
351 out = psbtxs[0]; // Copy the first one
352
353 // Merge
354 for (auto it = std::next(psbtxs.begin()); it != psbtxs.end(); ++it) {
355 if (!out.Merge(*it)) {
356 return TransactionError::PSBT_MISMATCH;
357 }
358 }
359 return TransactionError::OK;
360 }
361
PSBTRoleName(PSBTRole role)362 std::string PSBTRoleName(PSBTRole role) {
363 switch (role) {
364 case PSBTRole::CREATOR: return "creator";
365 case PSBTRole::UPDATER: return "updater";
366 case PSBTRole::SIGNER: return "signer";
367 case PSBTRole::FINALIZER: return "finalizer";
368 case PSBTRole::EXTRACTOR: return "extractor";
369 // no default case, so the compiler can warn about missing cases
370 }
371 assert(false);
372 }
373
DecodeBase64PSBT(PartiallySignedTransaction & psbt,const std::string & base64_tx,std::string & error)374 bool DecodeBase64PSBT(PartiallySignedTransaction& psbt, const std::string& base64_tx, std::string& error)
375 {
376 bool invalid;
377 std::string tx_data = DecodeBase64(base64_tx, &invalid);
378 if (invalid) {
379 error = "invalid base64";
380 return false;
381 }
382 return DecodeRawPSBT(psbt, tx_data, error);
383 }
384
DecodeRawPSBT(PartiallySignedTransaction & psbt,const std::string & tx_data,std::string & error)385 bool DecodeRawPSBT(PartiallySignedTransaction& psbt, const std::string& tx_data, std::string& error)
386 {
387 CDataStream ss_data(MakeUCharSpan(tx_data), SER_NETWORK, PROTOCOL_VERSION);
388 try {
389 ss_data >> psbt;
390 if (!ss_data.empty()) {
391 error = "extra data after PSBT";
392 return false;
393 }
394 } catch (const std::exception& e) {
395 error = e.what();
396 return false;
397 }
398 return true;
399 }
400