silent_payments_receive/

detected.rs

//! Detected Silent Payment output with spend key derivation.
//!
//! [`DetectedOutput`] represents a matched output from transaction scanning.
//! It contains all metadata needed for UTXO tracking and spending:
//! outpoint, amount, script_pubkey, optional label index, and the private
//! tweak needed to derive the spending key.
//!
//! # Security
//!
//! The `tweak` field is private. Spend key derivation is exposed via
//! [`DetectedOutput::derive_spend_key`], which returns a `SecretKey`
//! that the caller **must** erase after use (SEC-01).

use bitcoin::secp256k1::{Scalar, Secp256k1, SecretKey};
use bitcoin::{Amount, OutPoint, ScriptBuf, XOnlyPublicKey};

use crate::error::ReceiveError;
use silent_payments_core::keys::SpendSecretKey;

/// A Silent Payment output detected during transaction scanning.
///
/// Created by [`crate::BlockScanner::scan_transaction`] when an output matches
/// the receiver's keys (with or without a label).
///
/// # Spending
///
/// Call [`derive_spend_key`](DetectedOutput::derive_spend_key) with the
/// receiver's spend secret key to obtain the tweaked private key for
/// signing. The returned `SecretKey` **must** be erased after use.
#[derive(Debug, Clone)]
pub struct DetectedOutput {
    /// The outpoint (txid:vout) identifying this output.
    pub outpoint: OutPoint,
    /// The output amount in satoshis.
    pub amount: Amount,
    /// The output's scriptPubKey (P2TR).
    pub script_pubkey: ScriptBuf,
    /// The tweak scalar t_k (includes label_tweak if labeled).
    /// Private to prevent accidental exposure of secret material.
    tweak: SecretKey,
    /// The label index if this output matched via a labeled address.
    pub label: Option<u32>,
}

impl DetectedOutput {
    /// Create a new detected output.
    pub fn new(
        outpoint: OutPoint,
        amount: Amount,
        script_pubkey: ScriptBuf,
        tweak: SecretKey,
        label: Option<u32>,
    ) -> Self {
        Self {
            outpoint,
            amount,
            script_pubkey,
            tweak,
            label,
        }
    }

    /// Derive the tweaked private key for spending this output.
    ///
    /// Computes `spend_key = b_spend + tweak` where the tweak already
    /// includes the label scalar if the output was received via a
    /// labeled address.
    ///
    /// # Security (SEC-01)
    ///
    /// The returned `SecretKey` contains the full spending private key.
    /// The caller **must** erase it via `non_secure_erase()` after signing.
    ///
    /// # Errors
    ///
    /// Returns [`ReceiveError::SpendKeyDerivation`] if:
    /// - The tweak addition overflows the curve order
    /// - The derived public key does not match the output script
    pub fn derive_spend_key(
        &self,
        spend_secret: &SpendSecretKey,
        secp: &Secp256k1<bitcoin::secp256k1::All>,
    ) -> Result<SecretKey, ReceiveError> {
        // Convert SecretKey tweak to Scalar for add_tweak
        let tweak_scalar = Scalar::from_be_bytes(self.tweak.secret_bytes())
            .map_err(|_| ReceiveError::SpendKeyDerivation("tweak scalar is zero".into()))?;

        // spend_key = b_spend + tweak
        let spend_key = spend_secret
            .as_inner()
            .add_tweak(&tweak_scalar)
            .map_err(|e| ReceiveError::SpendKeyDerivation(format!("tweak addition failed: {e}")))?;

        // Verify the derived pubkey matches the output script's x-only key
        let (derived_xonly, _parity) = spend_key.public_key(secp).x_only_public_key();

        // Extract x-only key from the P2TR script (bytes 2..34)
        let script_bytes = self.script_pubkey.as_bytes();
        if script_bytes.len() >= 34 {
            let expected_xonly = XOnlyPublicKey::from_slice(&script_bytes[2..34]).map_err(|e| {
                ReceiveError::SpendKeyDerivation(format!("invalid x-only key in script: {e}"))
            })?;

            if derived_xonly != expected_xonly {
                return Err(ReceiveError::SpendKeyDerivation(format!(
                    "derived key {derived_xonly} does not match output key {expected_xonly}"
                )));
            }
        }

        Ok(spend_key)
    }

    /// Access the tweak scalar for advanced use (e.g., PSBT Phase 3).
    pub fn tweak_secret_key(&self) -> &SecretKey {
        &self.tweak
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use bitcoin::key::TweakedPublicKey;
    use bitcoin::secp256k1::{Secp256k1, SecretKey};
    use silent_payments_core::keys::SpendSecretKey;

    // Known valid secret key bytes
    const SPEND_SK_BYTES: [u8; 32] = [
        0x93, 0xf5, 0xed, 0x90, 0x7a, 0xd5, 0xb2, 0xbd, 0xbb, 0xdc, 0xb5, 0xd9, 0x11, 0x6e, 0xbc,
        0x0a, 0x4e, 0x1f, 0x92, 0xf9, 0x10, 0xd5, 0x26, 0x02, 0x37, 0xfa, 0x45, 0xa9, 0x40, 0x8a,
        0xad, 0x16,
    ];

    const TWEAK_BYTES: [u8; 32] = [
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
        0x1f, 0x20,
    ];

    #[test]
    fn derive_spend_key_produces_valid_key() {
        let secp = Secp256k1::new();
        let spend_sk = SpendSecretKey::from_slice(&SPEND_SK_BYTES).unwrap();
        let tweak = SecretKey::from_slice(&TWEAK_BYTES).unwrap();

        // Compute what the output script should be
        let tweak_scalar = Scalar::from_be_bytes(TWEAK_BYTES).unwrap();
        let expected_spend_key = spend_sk.as_inner().add_tweak(&tweak_scalar).unwrap();
        let (expected_xonly, _) = expected_spend_key.public_key(&secp).x_only_public_key();

        // Build the P2TR script from the expected key
        let tweaked_pk = TweakedPublicKey::dangerous_assume_tweaked(expected_xonly);
        let script = ScriptBuf::new_p2tr_tweaked(tweaked_pk);

        let detected = DetectedOutput::new(
            OutPoint::null(),
            Amount::from_sat(100_000),
            script,
            tweak,
            None,
        );

        let derived = detected.derive_spend_key(&spend_sk, &secp).unwrap();

        // The derived key should match our expected computation
        let (derived_xonly, _) = derived.public_key(&secp).x_only_public_key();
        assert_eq!(derived_xonly, expected_xonly);
    }

    #[test]
    fn derive_spend_key_fails_on_script_mismatch() {
        let secp = Secp256k1::new();
        let spend_sk = SpendSecretKey::from_slice(&SPEND_SK_BYTES).unwrap();
        let tweak = SecretKey::from_slice(&TWEAK_BYTES).unwrap();

        // Use a different key for the script (will not match)
        let wrong_sk = SecretKey::from_slice(&[0x42; 32]).unwrap();
        let (wrong_xonly, _) = wrong_sk.public_key(&secp).x_only_public_key();
        let tweaked_pk = TweakedPublicKey::dangerous_assume_tweaked(wrong_xonly);
        let script = ScriptBuf::new_p2tr_tweaked(tweaked_pk);

        let detected = DetectedOutput::new(
            OutPoint::null(),
            Amount::from_sat(100_000),
            script,
            tweak,
            None,
        );

        let result = detected.derive_spend_key(&spend_sk, &secp);
        assert!(
            matches!(result, Err(ReceiveError::SpendKeyDerivation(_))),
            "should fail with script mismatch, got: {:?}",
            result
        );
    }

    #[test]
    fn tweak_secret_key_accessor() {
        let tweak = SecretKey::from_slice(&TWEAK_BYTES).unwrap();
        let detected = DetectedOutput::new(
            OutPoint::null(),
            Amount::from_sat(50_000),
            ScriptBuf::new(),
            tweak,
            Some(1),
        );

        assert_eq!(detected.tweak_secret_key().secret_bytes(), TWEAK_BYTES);
        assert_eq!(detected.label, Some(1));
    }

    #[test]
    fn new_sets_all_fields_correctly() {
        let tweak = SecretKey::from_slice(&TWEAK_BYTES).unwrap();
        let outpoint = OutPoint::null();
        let amount = Amount::from_sat(42_000);
        let script = ScriptBuf::new();

        let detected = DetectedOutput::new(outpoint, amount, script.clone(), tweak, Some(5));

        assert_eq!(detected.outpoint, outpoint);
        assert_eq!(detected.amount, amount);
        assert_eq!(detected.script_pubkey, script);
        assert_eq!(detected.label, Some(5));
    }
}