1 // Copyright (c) 2009-2010 Satoshi Nakamoto
2 // Copyright (c) 2009-2016 The Bitcoin Core developers
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5
6 #include "script/sign.h"
7
8 #include "key.h"
9 #include "keystore.h"
10 #include "policy/policy.h"
11 #include "primitives/transaction.h"
12 #include "script/standard.h"
13 #include "uint256.h"
14
15 #include <boost/foreach.hpp>
16
17 using namespace std;
18
19 typedef std::vector<unsigned char> valtype;
20
TransactionSignatureCreator(const CKeyStore * keystoreIn,const CTransaction * txToIn,unsigned int nInIn,const CAmount & amountIn,int nHashTypeIn)21 TransactionSignatureCreator::TransactionSignatureCreator(const CKeyStore* keystoreIn, const CTransaction* txToIn, unsigned int nInIn, const CAmount& amountIn, int nHashTypeIn) : BaseSignatureCreator(keystoreIn), txTo(txToIn), nIn(nInIn), nHashType(nHashTypeIn), amount(amountIn), checker(txTo, nIn, amountIn) {}
22
CreateSig(std::vector<unsigned char> & vchSig,const CKeyID & address,const CScript & scriptCode,SigVersion sigversion) const23 bool TransactionSignatureCreator::CreateSig(std::vector<unsigned char>& vchSig, const CKeyID& address, const CScript& scriptCode, SigVersion sigversion) const
24 {
25 CKey key;
26 if (!keystore->GetKey(address, key))
27 return false;
28
29 // Signing with uncompressed keys is disabled in witness scripts
30 if (sigversion == SIGVERSION_WITNESS_V0 && !key.IsCompressed())
31 return false;
32
33 uint256 hash = SignatureHash(scriptCode, *txTo, nIn, nHashType, amount, sigversion);
34 if (!key.Sign(hash, vchSig))
35 return false;
36 vchSig.push_back((unsigned char)nHashType);
37 return true;
38 }
39
Sign1(const CKeyID & address,const BaseSignatureCreator & creator,const CScript & scriptCode,std::vector<valtype> & ret,SigVersion sigversion)40 static bool Sign1(const CKeyID& address, const BaseSignatureCreator& creator, const CScript& scriptCode, std::vector<valtype>& ret, SigVersion sigversion)
41 {
42 vector<unsigned char> vchSig;
43 if (!creator.CreateSig(vchSig, address, scriptCode, sigversion))
44 return false;
45 ret.push_back(vchSig);
46 return true;
47 }
48
SignN(const vector<valtype> & multisigdata,const BaseSignatureCreator & creator,const CScript & scriptCode,std::vector<valtype> & ret,SigVersion sigversion)49 static bool SignN(const vector<valtype>& multisigdata, const BaseSignatureCreator& creator, const CScript& scriptCode, std::vector<valtype>& ret, SigVersion sigversion)
50 {
51 int nSigned = 0;
52 int nRequired = multisigdata.front()[0];
53 for (unsigned int i = 1; i < multisigdata.size()-1 && nSigned < nRequired; i++)
54 {
55 const valtype& pubkey = multisigdata[i];
56 CKeyID keyID = CPubKey(pubkey).GetID();
57 if (Sign1(keyID, creator, scriptCode, ret, sigversion))
58 ++nSigned;
59 }
60 return nSigned==nRequired;
61 }
62
63 /**
64 * Sign scriptPubKey using signature made with creator.
65 * Signatures are returned in scriptSigRet (or returns false if scriptPubKey can't be signed),
66 * unless whichTypeRet is TX_SCRIPTHASH, in which case scriptSigRet is the redemption script.
67 * Returns false if scriptPubKey could not be completely satisfied.
68 */
SignStep(const BaseSignatureCreator & creator,const CScript & scriptPubKey,std::vector<valtype> & ret,txnouttype & whichTypeRet,SigVersion sigversion)69 static bool SignStep(const BaseSignatureCreator& creator, const CScript& scriptPubKey,
70 std::vector<valtype>& ret, txnouttype& whichTypeRet, SigVersion sigversion)
71 {
72 CScript scriptRet;
73 uint160 h160;
74 ret.clear();
75
76 vector<valtype> vSolutions;
77 if (!Solver(scriptPubKey, whichTypeRet, vSolutions))
78 return false;
79
80 CKeyID keyID;
81 switch (whichTypeRet)
82 {
83 case TX_NONSTANDARD:
84 case TX_NULL_DATA:
85 return false;
86 case TX_PUBKEY:
87 keyID = CPubKey(vSolutions[0]).GetID();
88 return Sign1(keyID, creator, scriptPubKey, ret, sigversion);
89 case TX_PUBKEYHASH:
90 keyID = CKeyID(uint160(vSolutions[0]));
91 if (!Sign1(keyID, creator, scriptPubKey, ret, sigversion))
92 return false;
93 else
94 {
95 CPubKey vch;
96 creator.KeyStore().GetPubKey(keyID, vch);
97 ret.push_back(ToByteVector(vch));
98 }
99 return true;
100 case TX_SCRIPTHASH:
101 if (creator.KeyStore().GetCScript(uint160(vSolutions[0]), scriptRet)) {
102 ret.push_back(std::vector<unsigned char>(scriptRet.begin(), scriptRet.end()));
103 return true;
104 }
105 return false;
106
107 case TX_MULTISIG:
108 ret.push_back(valtype()); // workaround CHECKMULTISIG bug
109 return (SignN(vSolutions, creator, scriptPubKey, ret, sigversion));
110
111 case TX_WITNESS_V0_KEYHASH:
112 ret.push_back(vSolutions[0]);
113 return true;
114
115 case TX_WITNESS_V0_SCRIPTHASH:
116 CRIPEMD160().Write(&vSolutions[0][0], vSolutions[0].size()).Finalize(h160.begin());
117 if (creator.KeyStore().GetCScript(h160, scriptRet)) {
118 ret.push_back(std::vector<unsigned char>(scriptRet.begin(), scriptRet.end()));
119 return true;
120 }
121 return false;
122
123 default:
124 return false;
125 }
126 }
127
PushAll(const vector<valtype> & values)128 static CScript PushAll(const vector<valtype>& values)
129 {
130 CScript result;
131 BOOST_FOREACH(const valtype& v, values) {
132 if (v.size() == 0) {
133 result << OP_0;
134 } else if (v.size() == 1 && v[0] >= 1 && v[0] <= 16) {
135 result << CScript::EncodeOP_N(v[0]);
136 } else {
137 result << v;
138 }
139 }
140 return result;
141 }
142
ProduceSignature(const BaseSignatureCreator & creator,const CScript & fromPubKey,SignatureData & sigdata)143 bool ProduceSignature(const BaseSignatureCreator& creator, const CScript& fromPubKey, SignatureData& sigdata)
144 {
145 CScript script = fromPubKey;
146 bool solved = true;
147 std::vector<valtype> result;
148 txnouttype whichType;
149 solved = SignStep(creator, script, result, whichType, SIGVERSION_BASE);
150 bool P2SH = false;
151 CScript subscript;
152 sigdata.scriptWitness.stack.clear();
153
154 if (solved && whichType == TX_SCRIPTHASH)
155 {
156 // Solver returns the subscript that needs to be evaluated;
157 // the final scriptSig is the signatures from that
158 // and then the serialized subscript:
159 script = subscript = CScript(result[0].begin(), result[0].end());
160 solved = solved && SignStep(creator, script, result, whichType, SIGVERSION_BASE) && whichType != TX_SCRIPTHASH;
161 P2SH = true;
162 }
163
164 if (solved && whichType == TX_WITNESS_V0_KEYHASH)
165 {
166 CScript witnessscript;
167 witnessscript << OP_DUP << OP_HASH160 << ToByteVector(result[0]) << OP_EQUALVERIFY << OP_CHECKSIG;
168 txnouttype subType;
169 solved = solved && SignStep(creator, witnessscript, result, subType, SIGVERSION_WITNESS_V0);
170 sigdata.scriptWitness.stack = result;
171 result.clear();
172 }
173 else if (solved && whichType == TX_WITNESS_V0_SCRIPTHASH)
174 {
175 CScript witnessscript(result[0].begin(), result[0].end());
176 txnouttype subType;
177 solved = solved && SignStep(creator, witnessscript, result, subType, SIGVERSION_WITNESS_V0) && subType != TX_SCRIPTHASH && subType != TX_WITNESS_V0_SCRIPTHASH && subType != TX_WITNESS_V0_KEYHASH;
178 result.push_back(std::vector<unsigned char>(witnessscript.begin(), witnessscript.end()));
179 sigdata.scriptWitness.stack = result;
180 result.clear();
181 }
182
183 if (P2SH) {
184 result.push_back(std::vector<unsigned char>(subscript.begin(), subscript.end()));
185 }
186 sigdata.scriptSig = PushAll(result);
187
188 // Test solution
189 return solved && VerifyScript(sigdata.scriptSig, fromPubKey, &sigdata.scriptWitness, STANDARD_SCRIPT_VERIFY_FLAGS, creator.Checker());
190 }
191
DataFromTransaction(const CMutableTransaction & tx,unsigned int nIn)192 SignatureData DataFromTransaction(const CMutableTransaction& tx, unsigned int nIn)
193 {
194 SignatureData data;
195 assert(tx.vin.size() > nIn);
196 data.scriptSig = tx.vin[nIn].scriptSig;
197 if (tx.wit.vtxinwit.size() > nIn) {
198 data.scriptWitness = tx.wit.vtxinwit[nIn].scriptWitness;
199 }
200 return data;
201 }
202
UpdateTransaction(CMutableTransaction & tx,unsigned int nIn,const SignatureData & data)203 void UpdateTransaction(CMutableTransaction& tx, unsigned int nIn, const SignatureData& data)
204 {
205 assert(tx.vin.size() > nIn);
206 tx.vin[nIn].scriptSig = data.scriptSig;
207 if (!data.scriptWitness.IsNull() || tx.wit.vtxinwit.size() > nIn) {
208 tx.wit.vtxinwit.resize(tx.vin.size());
209 tx.wit.vtxinwit[nIn].scriptWitness = data.scriptWitness;
210 }
211 }
212
SignSignature(const CKeyStore & keystore,const CScript & fromPubKey,CMutableTransaction & txTo,unsigned int nIn,const CAmount & amount,int nHashType)213 bool SignSignature(const CKeyStore &keystore, const CScript& fromPubKey, CMutableTransaction& txTo, unsigned int nIn, const CAmount& amount, int nHashType)
214 {
215 assert(nIn < txTo.vin.size());
216
217 CTransaction txToConst(txTo);
218 TransactionSignatureCreator creator(&keystore, &txToConst, nIn, amount, nHashType);
219
220 SignatureData sigdata;
221 bool ret = ProduceSignature(creator, fromPubKey, sigdata);
222 UpdateTransaction(txTo, nIn, sigdata);
223 return ret;
224 }
225
SignSignature(const CKeyStore & keystore,const CTransaction & txFrom,CMutableTransaction & txTo,unsigned int nIn,int nHashType)226 bool SignSignature(const CKeyStore &keystore, const CTransaction& txFrom, CMutableTransaction& txTo, unsigned int nIn, int nHashType)
227 {
228 assert(nIn < txTo.vin.size());
229 CTxIn& txin = txTo.vin[nIn];
230 assert(txin.prevout.n < txFrom.vout.size());
231 const CTxOut& txout = txFrom.vout[txin.prevout.n];
232
233 return SignSignature(keystore, txout.scriptPubKey, txTo, nIn, txout.nValue, nHashType);
234 }
235
CombineMultisig(const CScript & scriptPubKey,const BaseSignatureChecker & checker,const vector<valtype> & vSolutions,const vector<valtype> & sigs1,const vector<valtype> & sigs2,SigVersion sigversion)236 static vector<valtype> CombineMultisig(const CScript& scriptPubKey, const BaseSignatureChecker& checker,
237 const vector<valtype>& vSolutions,
238 const vector<valtype>& sigs1, const vector<valtype>& sigs2, SigVersion sigversion)
239 {
240 // Combine all the signatures we've got:
241 set<valtype> allsigs;
242 BOOST_FOREACH(const valtype& v, sigs1)
243 {
244 if (!v.empty())
245 allsigs.insert(v);
246 }
247 BOOST_FOREACH(const valtype& v, sigs2)
248 {
249 if (!v.empty())
250 allsigs.insert(v);
251 }
252
253 // Build a map of pubkey -> signature by matching sigs to pubkeys:
254 assert(vSolutions.size() > 1);
255 unsigned int nSigsRequired = vSolutions.front()[0];
256 unsigned int nPubKeys = vSolutions.size()-2;
257 map<valtype, valtype> sigs;
258 BOOST_FOREACH(const valtype& sig, allsigs)
259 {
260 for (unsigned int i = 0; i < nPubKeys; i++)
261 {
262 const valtype& pubkey = vSolutions[i+1];
263 if (sigs.count(pubkey))
264 continue; // Already got a sig for this pubkey
265
266 if (checker.CheckSig(sig, pubkey, scriptPubKey, sigversion))
267 {
268 sigs[pubkey] = sig;
269 break;
270 }
271 }
272 }
273 // Now build a merged CScript:
274 unsigned int nSigsHave = 0;
275 std::vector<valtype> result; result.push_back(valtype()); // pop-one-too-many workaround
276 for (unsigned int i = 0; i < nPubKeys && nSigsHave < nSigsRequired; i++)
277 {
278 if (sigs.count(vSolutions[i+1]))
279 {
280 result.push_back(sigs[vSolutions[i+1]]);
281 ++nSigsHave;
282 }
283 }
284 // Fill any missing with OP_0:
285 for (unsigned int i = nSigsHave; i < nSigsRequired; i++)
286 result.push_back(valtype());
287
288 return result;
289 }
290
291 namespace
292 {
293 struct Stacks
294 {
295 std::vector<valtype> script;
296 std::vector<valtype> witness;
297
Stacks__anonef9385420111::Stacks298 Stacks() {}
Stacks__anonef9385420111::Stacks299 explicit Stacks(const std::vector<valtype>& scriptSigStack_) : script(scriptSigStack_), witness() {}
Stacks__anonef9385420111::Stacks300 explicit Stacks(const SignatureData& data) : witness(data.scriptWitness.stack) {
301 EvalScript(script, data.scriptSig, SCRIPT_VERIFY_STRICTENC, BaseSignatureChecker(), SIGVERSION_BASE);
302 }
303
Output__anonef9385420111::Stacks304 SignatureData Output() const {
305 SignatureData result;
306 result.scriptSig = PushAll(script);
307 result.scriptWitness.stack = witness;
308 return result;
309 }
310 };
311 }
312
CombineSignatures(const CScript & scriptPubKey,const BaseSignatureChecker & checker,const txnouttype txType,const vector<valtype> & vSolutions,Stacks sigs1,Stacks sigs2,SigVersion sigversion)313 static Stacks CombineSignatures(const CScript& scriptPubKey, const BaseSignatureChecker& checker,
314 const txnouttype txType, const vector<valtype>& vSolutions,
315 Stacks sigs1, Stacks sigs2, SigVersion sigversion)
316 {
317 switch (txType)
318 {
319 case TX_NONSTANDARD:
320 case TX_NULL_DATA:
321 // Don't know anything about this, assume bigger one is correct:
322 if (sigs1.script.size() >= sigs2.script.size())
323 return sigs1;
324 return sigs2;
325 case TX_PUBKEY:
326 case TX_PUBKEYHASH:
327 // Signatures are bigger than placeholders or empty scripts:
328 if (sigs1.script.empty() || sigs1.script[0].empty())
329 return sigs2;
330 return sigs1;
331 case TX_WITNESS_V0_KEYHASH:
332 // Signatures are bigger than placeholders or empty scripts:
333 if (sigs1.witness.empty() || sigs1.witness[0].empty())
334 return sigs2;
335 return sigs1;
336 case TX_SCRIPTHASH:
337 if (sigs1.script.empty() || sigs1.script.back().empty())
338 return sigs2;
339 else if (sigs2.script.empty() || sigs2.script.back().empty())
340 return sigs1;
341 else
342 {
343 // Recur to combine:
344 valtype spk = sigs1.script.back();
345 CScript pubKey2(spk.begin(), spk.end());
346
347 txnouttype txType2;
348 vector<vector<unsigned char> > vSolutions2;
349 Solver(pubKey2, txType2, vSolutions2);
350 sigs1.script.pop_back();
351 sigs2.script.pop_back();
352 Stacks result = CombineSignatures(pubKey2, checker, txType2, vSolutions2, sigs1, sigs2, sigversion);
353 result.script.push_back(spk);
354 return result;
355 }
356 case TX_MULTISIG:
357 return Stacks(CombineMultisig(scriptPubKey, checker, vSolutions, sigs1.script, sigs2.script, sigversion));
358 case TX_WITNESS_V0_SCRIPTHASH:
359 if (sigs1.witness.empty() || sigs1.witness.back().empty())
360 return sigs2;
361 else if (sigs2.witness.empty() || sigs2.witness.back().empty())
362 return sigs1;
363 else
364 {
365 // Recur to combine:
366 CScript pubKey2(sigs1.witness.back().begin(), sigs1.witness.back().end());
367 txnouttype txType2;
368 vector<valtype> vSolutions2;
369 Solver(pubKey2, txType2, vSolutions2);
370 sigs1.witness.pop_back();
371 sigs1.script = sigs1.witness;
372 sigs1.witness.clear();
373 sigs2.witness.pop_back();
374 sigs2.script = sigs2.witness;
375 sigs2.witness.clear();
376 Stacks result = CombineSignatures(pubKey2, checker, txType2, vSolutions2, sigs1, sigs2, SIGVERSION_WITNESS_V0);
377 result.witness = result.script;
378 result.script.clear();
379 result.witness.push_back(valtype(pubKey2.begin(), pubKey2.end()));
380 return result;
381 }
382 default:
383 return Stacks();
384 }
385 }
386
CombineSignatures(const CScript & scriptPubKey,const BaseSignatureChecker & checker,const SignatureData & scriptSig1,const SignatureData & scriptSig2)387 SignatureData CombineSignatures(const CScript& scriptPubKey, const BaseSignatureChecker& checker,
388 const SignatureData& scriptSig1, const SignatureData& scriptSig2)
389 {
390 txnouttype txType;
391 vector<vector<unsigned char> > vSolutions;
392 Solver(scriptPubKey, txType, vSolutions);
393
394 return CombineSignatures(scriptPubKey, checker, txType, vSolutions, Stacks(scriptSig1), Stacks(scriptSig2), SIGVERSION_BASE).Output();
395 }
396
397 namespace {
398 /** Dummy signature checker which accepts all signatures. */
399 class DummySignatureChecker : public BaseSignatureChecker
400 {
401 public:
DummySignatureChecker()402 DummySignatureChecker() {}
403
CheckSig(const std::vector<unsigned char> & scriptSig,const std::vector<unsigned char> & vchPubKey,const CScript & scriptCode,SigVersion sigversion) const404 bool CheckSig(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
405 {
406 return true;
407 }
408 };
409 const DummySignatureChecker dummyChecker;
410 }
411
Checker() const412 const BaseSignatureChecker& DummySignatureCreator::Checker() const
413 {
414 return dummyChecker;
415 }
416
CreateSig(std::vector<unsigned char> & vchSig,const CKeyID & keyid,const CScript & scriptCode,SigVersion sigversion) const417 bool DummySignatureCreator::CreateSig(std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const
418 {
419 // Create a dummy signature that is a valid DER-encoding
420 vchSig.assign(72, '\000');
421 vchSig[0] = 0x30;
422 vchSig[1] = 69;
423 vchSig[2] = 0x02;
424 vchSig[3] = 33;
425 vchSig[4] = 0x01;
426 vchSig[4 + 33] = 0x02;
427 vchSig[5 + 33] = 32;
428 vchSig[6 + 33] = 0x01;
429 vchSig[6 + 33 + 32] = SIGHASH_ALL;
430 return true;
431 }
432