bitcoin/util/
bip143.rs

1// Rust Bitcoin Library
2// Written in 2018 by
3//     Andrew Poelstra <apoelstra@wpsoftware.net>
4// To the extent possible under law, the author(s) have dedicated all
5// copyright and related and neighboring rights to this software to
6// the public domain worldwide. This software is distributed without
7// any warranty.
8//
9// You should have received a copy of the CC0 Public Domain Dedication
10// along with this software.
11// If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12//
13
14//! BIP143 Implementation
15//!
16//! Implementation of BIP143 Segwit-style signatures. Should be sufficient
17//! to create signatures for Segwit transactions (which should be pushed into
18//! the appropriate place in the `Transaction::witness` array) or bcash
19//! signatures, which are placed in the scriptSig.
20//!
21
22use hashes::{Hash, sha256d};
23use hash_types::SigHash;
24use blockdata::script::Script;
25use blockdata::transaction::{Transaction, TxIn, SigHashType};
26use consensus::{encode, Encodable};
27
28use std::io;
29use std::ops::{Deref, DerefMut};
30
31/// Parts of a sighash which are common across inputs or signatures, and which are
32/// sufficient (in conjunction with a private key) to sign the transaction
33#[derive(Clone, PartialEq, Eq, Debug)]
34#[deprecated(since="0.24.0", note="please use `SigHashCache` instead")]
35pub struct SighashComponents {
36    tx_version: i32,
37    tx_locktime: u32,
38    /// Hash of all the previous outputs
39    pub hash_prevouts: SigHash,
40    /// Hash of all the input sequence nos
41    pub hash_sequence: SigHash,
42    /// Hash of all the outputs in this transaction
43    pub hash_outputs: SigHash,
44}
45
46#[allow(deprecated)]
47impl SighashComponents {
48    /// Compute the sighash components from an unsigned transaction and auxiliary
49    /// information about its inputs.
50    /// For the generated sighashes to be valid, no fields in the transaction may change except for
51    /// script_sig and witnesses.
52    pub fn new(tx: &Transaction) -> SighashComponents {
53        let hash_prevouts = {
54            let mut enc = SigHash::engine();
55            for txin in &tx.input {
56                txin.previous_output.consensus_encode(&mut enc).unwrap();
57            }
58            SigHash::from_engine(enc)
59        };
60
61        let hash_sequence = {
62            let mut enc = SigHash::engine();
63            for txin in &tx.input {
64                txin.sequence.consensus_encode(&mut enc).unwrap();
65            }
66            SigHash::from_engine(enc)
67        };
68
69        let hash_outputs = {
70            let mut enc = SigHash::engine();
71            for txout in &tx.output {
72                txout.consensus_encode(&mut enc).unwrap();
73            }
74            SigHash::from_engine(enc)
75        };
76
77        SighashComponents {
78            tx_version: tx.version,
79            tx_locktime: tx.lock_time,
80            hash_prevouts: hash_prevouts,
81            hash_sequence: hash_sequence,
82            hash_outputs: hash_outputs,
83        }
84    }
85
86    /// Compute the BIP143 sighash for a `SIGHASH_ALL` signature for the given
87    /// input.
88    pub fn sighash_all(&self, txin: &TxIn, script_code: &Script, value: u64) -> SigHash {
89        let mut enc = SigHash::engine();
90        self.tx_version.consensus_encode(&mut enc).unwrap();
91        self.hash_prevouts.consensus_encode(&mut enc).unwrap();
92        self.hash_sequence.consensus_encode(&mut enc).unwrap();
93        txin
94            .previous_output
95            .consensus_encode(&mut enc)
96            .unwrap();
97        script_code.consensus_encode(&mut enc).unwrap();
98        value.consensus_encode(&mut enc).unwrap();
99        txin.sequence.consensus_encode(&mut enc).unwrap();
100        self.hash_outputs.consensus_encode(&mut enc).unwrap();
101        self.tx_locktime.consensus_encode(&mut enc).unwrap();
102        1u32.consensus_encode(&mut enc).unwrap(); // hashtype
103        SigHash::from_engine(enc)
104    }
105}
106
107/// A replacement for SigHashComponents which supports all sighash modes
108pub struct SigHashCache<R: Deref<Target=Transaction>> {
109    /// Access to transaction required for various introspection
110    tx: R,
111    /// Hash of all the previous outputs, computed as required
112    hash_prevouts: Option<sha256d::Hash>,
113    /// Hash of all the input sequence nos, computed as required
114    hash_sequence: Option<sha256d::Hash>,
115    /// Hash of all the outputs in this transaction, computed as required
116    hash_outputs: Option<sha256d::Hash>,
117}
118
119impl<R: Deref<Target=Transaction>> SigHashCache<R> {
120    /// Compute the sighash components from an unsigned transaction and auxiliary
121    /// in a lazy manner when required.
122    /// For the generated sighashes to be valid, no fields in the transaction may change except for
123    /// script_sig and witnesses.
124    pub fn new(tx: R) -> Self {
125        SigHashCache {
126            tx: tx,
127            hash_prevouts: None,
128            hash_sequence: None,
129            hash_outputs: None,
130        }
131    }
132
133    /// Calculate hash for prevouts
134    pub fn hash_prevouts(&mut self) -> sha256d::Hash {
135        let hash_prevout = &mut self.hash_prevouts;
136        let input = &self.tx.input;
137        *hash_prevout.get_or_insert_with(|| {
138            let mut enc = sha256d::Hash::engine();
139            for txin in input {
140                txin.previous_output.consensus_encode(&mut enc).unwrap();
141            }
142            sha256d::Hash::from_engine(enc)
143        })
144    }
145
146    /// Calculate hash for input sequence values
147    pub fn hash_sequence(&mut self) -> sha256d::Hash {
148        let hash_sequence = &mut self.hash_sequence;
149        let input = &self.tx.input;
150        *hash_sequence.get_or_insert_with(|| {
151            let mut enc = sha256d::Hash::engine();
152            for txin in input {
153                txin.sequence.consensus_encode(&mut enc).unwrap();
154            }
155            sha256d::Hash::from_engine(enc)
156        })
157    }
158
159    /// Calculate hash for outputs
160    pub fn hash_outputs(&mut self) -> sha256d::Hash {
161        let hash_output = &mut self.hash_outputs;
162        let output = &self.tx.output;
163        *hash_output.get_or_insert_with(|| {
164            let mut enc = sha256d::Hash::engine();
165            for txout in output {
166                txout.consensus_encode(&mut enc).unwrap();
167            }
168            sha256d::Hash::from_engine(enc)
169        })
170    }
171
172    /// Encode the BIP143 signing data for any flag type into a given object implementing a
173    /// std::io::Write trait.
174    pub fn encode_signing_data_to<Write: io::Write>(
175        &mut self,
176        mut writer: Write,
177        input_index: usize,
178        script_code: &Script,
179        value: u64,
180        sighash_type: SigHashType,
181    ) -> Result<(), encode::Error> {
182        let zero_hash = sha256d::Hash::default();
183
184        let (sighash, anyone_can_pay) = sighash_type.split_anyonecanpay_flag();
185
186        self.tx.version.consensus_encode(&mut writer)?;
187
188        if !anyone_can_pay {
189            self.hash_prevouts().consensus_encode(&mut writer)?;
190        } else {
191            zero_hash.consensus_encode(&mut writer)?;
192        }
193
194        if !anyone_can_pay && sighash != SigHashType::Single && sighash != SigHashType::None {
195            self.hash_sequence().consensus_encode(&mut writer)?;
196        } else {
197            zero_hash.consensus_encode(&mut writer)?;
198        }
199
200        {
201            let txin = &self.tx.input[input_index];
202
203            txin
204                .previous_output
205                .consensus_encode(&mut writer)?;
206            script_code.consensus_encode(&mut writer)?;
207            value.consensus_encode(&mut writer)?;
208            txin.sequence.consensus_encode(&mut writer)?;
209        }
210
211        if sighash != SigHashType::Single && sighash != SigHashType::None {
212            self.hash_outputs().consensus_encode(&mut writer)?;
213        } else if sighash == SigHashType::Single && input_index < self.tx.output.len() {
214            let mut single_enc = SigHash::engine();
215            self.tx.output[input_index].consensus_encode(&mut single_enc)?;
216            SigHash::from_engine(single_enc).consensus_encode(&mut writer)?;
217        } else {
218            zero_hash.consensus_encode(&mut writer)?;
219        }
220
221        self.tx.lock_time.consensus_encode(&mut writer)?;
222        sighash_type.as_u32().consensus_encode(&mut writer)?;
223        Ok(())
224    }
225
226    /// Compute the BIP143 sighash for any flag type. See SighashComponents::sighash_all simpler
227    /// API for the most common case
228    pub fn signature_hash(
229        &mut self,
230        input_index: usize,
231        script_code: &Script,
232        value: u64,
233        sighash_type: SigHashType
234    ) -> SigHash {
235        let mut enc = SigHash::engine();
236        self.encode_signing_data_to(&mut enc, input_index, script_code, value, sighash_type)
237            .expect("engines don't error");
238        SigHash::from_engine(enc)
239    }
240}
241
242impl<R: DerefMut<Target=Transaction>> SigHashCache<R> {
243    /// When the SigHashCache is initialized with a mutable reference to a transaction instead of a
244    /// regular reference, this method is available to allow modification to the witnesses.
245    ///
246    /// This allows in-line signing such as
247    /// ```
248    /// use bitcoin::blockdata::transaction::{Transaction, SigHashType};
249    /// use bitcoin::util::bip143::SigHashCache;
250    /// use bitcoin::Script;
251    ///
252    /// let mut tx_to_sign = Transaction { version: 2, lock_time: 0, input: Vec::new(), output: Vec::new() };
253    /// let input_count = tx_to_sign.input.len();
254    ///
255    /// let mut sig_hasher = SigHashCache::new(&mut tx_to_sign);
256    /// for inp in 0..input_count {
257    ///     let prevout_script = Script::new();
258    ///     let _sighash = sig_hasher.signature_hash(inp, &prevout_script, 42, SigHashType::All);
259    ///     // ... sign the sighash
260    ///     sig_hasher.access_witness(inp).push(Vec::new());
261    /// }
262    /// ```
263    pub fn access_witness(&mut self, input_index: usize) -> &mut Vec<Vec<u8>> {
264        &mut self.tx.input[input_index].witness
265    }
266}
267
268#[cfg(test)]
269#[allow(deprecated)]
270mod tests {
271    use hash_types::SigHash;
272    use blockdata::script::Script;
273    use blockdata::transaction::Transaction;
274    use consensus::encode::deserialize;
275    use network::constants::Network;
276    use util::address::Address;
277    use util::key::PublicKey;
278    use hashes::hex::FromHex;
279    use secp256k1::{ContextFlag, Secp256k1};
280
281    use super::*;
282
283    fn p2pkh_hex(pk: &str) -> Script {
284        let pk = Vec::from_hex(pk).unwrap();
285        let secp = Secp256k1::with_caps(ContextFlag::None);
286        let pk = PublicKey::from_slice(&secp, pk.as_slice()).unwrap();
287        let witness_script = Address::new_btc().p2pkh(&secp, &pk, Network::Bitcoin).script_pubkey();
288        witness_script
289    }
290
291    fn run_test_sighash_bip143(tx: &str, script: &str, input_index: usize, value: u64, hash_type: u32, expected_result: &str) {
292        let tx: Transaction = deserialize(&Vec::<u8>::from_hex(tx).unwrap()[..]).unwrap();
293        let script = Script::from(Vec::<u8>::from_hex(script).unwrap());
294        let raw_expected = SigHash::from_hex(expected_result).unwrap();
295        let expected_result = SigHash::from_slice(&raw_expected[..]).unwrap();
296        let mut cache = SigHashCache::new(&tx);
297        let sighash_type = SigHashType::from_u32(hash_type);
298        let actual_result = cache.signature_hash(input_index, &script, value, sighash_type);
299        assert_eq!(actual_result, expected_result);
300    }
301
302    #[test]
303    fn bip143_p2wpkh() {
304        let tx = deserialize::<Transaction>(
305            &Vec::from_hex(
306                "0100000002fff7f7881a8099afa6940d42d1e7f6362bec38171ea3edf433541db4e4ad969f000000\
307                0000eeffffffef51e1b804cc89d182d279655c3aa89e815b1b309fe287d9b2b55d57b90ec68a01000000\
308                00ffffffff02202cb206000000001976a9148280b37df378db99f66f85c95a783a76ac7a6d5988ac9093\
309                510d000000001976a9143bde42dbee7e4dbe6a21b2d50ce2f0167faa815988ac11000000",
310            ).unwrap()[..],
311        ).unwrap();
312
313        let witness_script = p2pkh_hex("025476c2e83188368da1ff3e292e7acafcdb3566bb0ad253f62fc70f07aeee6357");
314        let value = 600_000_000;
315
316        let comp = SighashComponents::new(&tx);
317        assert_eq!(
318            comp,
319            SighashComponents {
320                tx_version: 1,
321                tx_locktime: 17,
322                hash_prevouts: hex_hash!(
323                    SigHash, "96b827c8483d4e9b96712b6713a7b68d6e8003a781feba36c31143470b4efd37"
324                ),
325                hash_sequence: hex_hash!(
326                    SigHash, "52b0a642eea2fb7ae638c36f6252b6750293dbe574a806984b8e4d8548339a3b"
327                ),
328                hash_outputs: hex_hash!(
329                    SigHash, "863ef3e1a92afbfdb97f31ad0fc7683ee943e9abcf2501590ff8f6551f47e5e5"
330                ),
331            }
332        );
333
334        assert_eq!(
335            comp.sighash_all(&tx.input[1], &witness_script, value),
336            hex_hash!(SigHash, "c37af31116d1b27caf68aae9e3ac82f1477929014d5b917657d0eb49478cb670")
337        );
338    }
339
340    #[test]
341    fn bip143_p2wpkh_nested_in_p2sh() {
342        let tx = deserialize::<Transaction>(
343            &Vec::from_hex(
344                "0100000001db6b1b20aa0fd7b23880be2ecbd4a98130974cf4748fb66092ac4d3ceb1a5477010000\
345                0000feffffff02b8b4eb0b000000001976a914a457b684d7f0d539a46a45bbc043f35b59d0d96388ac00\
346                08af2f000000001976a914fd270b1ee6abcaea97fea7ad0402e8bd8ad6d77c88ac92040000",
347            ).unwrap()[..],
348        ).unwrap();
349
350        let witness_script = p2pkh_hex("03ad1d8e89212f0b92c74d23bb710c00662ad1470198ac48c43f7d6f93a2a26873");
351        let value = 1_000_000_000;
352        let comp = SighashComponents::new(&tx);
353        assert_eq!(
354            comp,
355            SighashComponents {
356                tx_version: 1,
357                tx_locktime: 1170,
358                hash_prevouts: hex_hash!(
359                    SigHash, "b0287b4a252ac05af83d2dcef00ba313af78a3e9c329afa216eb3aa2a7b4613a"
360                ),
361                hash_sequence: hex_hash!(
362                    SigHash, "18606b350cd8bf565266bc352f0caddcf01e8fa789dd8a15386327cf8cabe198"
363                ),
364                hash_outputs: hex_hash!(
365                    SigHash, "de984f44532e2173ca0d64314fcefe6d30da6f8cf27bafa706da61df8a226c83"
366                ),
367            }
368        );
369
370        assert_eq!(
371            comp.sighash_all(&tx.input[0], &witness_script, value),
372            hex_hash!(SigHash, "64f3b0f4dd2bb3aa1ce8566d220cc74dda9df97d8490cc81d89d735c92e59fb6")
373        );
374    }
375
376    #[test]
377    fn bip143_p2wsh_nested_in_p2sh() {
378        let tx = deserialize::<Transaction>(
379            &Vec::from_hex(
380            "010000000136641869ca081e70f394c6948e8af409e18b619df2ed74aa106c1ca29787b96e0100000000\
381             ffffffff0200e9a435000000001976a914389ffce9cd9ae88dcc0631e88a821ffdbe9bfe2688acc0832f\
382             05000000001976a9147480a33f950689af511e6e84c138dbbd3c3ee41588ac00000000").unwrap()[..],
383        ).unwrap();
384
385        let witness_script = hex_script!(
386            "56210307b8ae49ac90a048e9b53357a2354b3334e9c8bee813ecb98e99a7e07e8c3ba32103b28f0c28\
387             bfab54554ae8c658ac5c3e0ce6e79ad336331f78c428dd43eea8449b21034b8113d703413d57761b8b\
388             9781957b8c0ac1dfe69f492580ca4195f50376ba4a21033400f6afecb833092a9a21cfdf1ed1376e58\
389             c5d1f47de74683123987e967a8f42103a6d48b1131e94ba04d9737d61acdaa1322008af9602b3b1486\
390             2c07a1789aac162102d8b661b0b3302ee2f162b09e07a55ad5dfbe673a9f01d9f0c19617681024306b\
391             56ae"
392        );
393        let value = 987654321;
394
395        let comp = SighashComponents::new(&tx);
396        assert_eq!(
397            comp,
398            SighashComponents {
399                tx_version: 1,
400                tx_locktime: 0,
401                hash_prevouts: hex_hash!(
402                    SigHash, "74afdc312af5183c4198a40ca3c1a275b485496dd3929bca388c4b5e31f7aaa0"
403                ),
404                hash_sequence: hex_hash!(
405                    SigHash, "3bb13029ce7b1f559ef5e747fcac439f1455a2ec7c5f09b72290795e70665044"
406                ),
407                hash_outputs: hex_hash!(
408                    SigHash, "bc4d309071414bed932f98832b27b4d76dad7e6c1346f487a8fdbb8eb90307cc"
409                ),
410            }
411        );
412
413        assert_eq!(
414            comp.sighash_all(&tx.input[0], &witness_script, value),
415            hex_hash!(SigHash, "185c0be5263dce5b4bb50a047973c1b6272bfbd0103a89444597dc40b248ee7c")
416        );
417    }
418    #[test]
419    fn bip143_sighash_flags() {
420        // All examples generated via Bitcoin Core RPC using signrawtransactionwithwallet
421        // with additional debug printing
422        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x01, "0a1bc2758dbb5b3a56646f8cafbf63f410cc62b77a482f8b87552683300a7711");
423        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x02, "3e275ac8b084f79f756dcd535bffb615cc94a685eefa244d9031eaf22e4cec12");
424        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x03, "191a08165ffacc3ea55753b225f323c35fd00d9cc0268081a4a501921fc6ec14");
425        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x81, "4b6b612530f94470bbbdef18f57f2990d56b239f41b8728b9a49dc8121de4559");
426        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x82, "a7e916d3acd4bb97a21e6793828279aeab02162adf8099ea4f309af81f3d5adb");
427        run_test_sighash_bip143("0200000001cf309ee0839b8aaa3fbc84f8bd32e9c6357e99b49bf6a3af90308c68e762f1d70100000000feffffff0288528c61000000001600146e8d9e07c543a309dcdeba8b50a14a991a658c5be0aebb0000000000160014698d8419804a5d5994704d47947889ff7620c004db000000", "76a91462744660c6b5133ddeaacbc57d2dc2d7b14d0b0688ac", 0, 1648888940, 0x83, "d9276e2a48648ddb53a4aaa58314fc2b8067c13013e1913ffb67e0988ce82c78");
428    }
429}