Merge rust-bitcoin/rust-bitcoin#722: Allow specifing a raw TapLeafHash in sighash computation

RCasatta · RCasatta · commit e511670e4314 · 2021-12-29T18:08:45.000+01:00
2959e04 Allow specifing a raw `TapLeafHash` in sighash computation (Alekos Filini) Pull request description: Still need to add some tests but the code should be ready for review. Please let me know if you have better ideas for the enum naming. --- Instead of always requiring the full raw script and leaf version, allow just specifying a raw leaf hash to the sighash computation functions. This is very useful when dealing with PSBTs, because the `PSBT_IN_TAP_BIP32_DERIVATION` field only maps a public key to a leaf hash, so a signer could just take it and produce a signature with it rathern than having to jump through hoops to recover the full raw script. ACKs for top commit: sanket1729: Tested locally. ACK 2959e04. Reviewed range-diff with 5aa1d02 apoelstra: ACK 2959e04 Tree-SHA512: 830be0b8382ac59b73e6481f61ec1effdcd32859c04382e6cd5a43ac689d6e528f9a8b27c026ee81f5d5b59d2e3c397f9c271145e001ff2dc4815764fc21a2c6
diff --git a/src/util/sighash.rs b/src/util/sighash.rs
@@ -94,10 +94,11 @@ pub enum Prevouts<'u> {
 const KEY_VERSION_0: u8 = 0u8;
 
 /// Information related to the script path spending
+///
+/// This can be hashed into a [`TapLeafHash`].
 #[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug)]
 pub struct ScriptPath<'s> {
     script: &'s Script,
-    code_separator_pos: u32,
     leaf_version: LeafVersion,
 }
 
@@ -220,16 +221,30 @@ impl<'u> Prevouts<'u> {
 
 impl<'s> ScriptPath<'s> {
     /// Create a new ScriptPath structure
-    pub fn new(script: &'s Script, code_separator_pos: u32, leaf_version: LeafVersion) -> Self {
+    pub fn new(script: &'s Script, leaf_version: LeafVersion) -> Self {
         ScriptPath {
             script,
-            code_separator_pos,
             leaf_version,
         }
     }
-    /// Create a new ScriptPath structure using default values for `code_separator_pos` and `leaf_version`
+    /// Create a new ScriptPath structure using default leaf version value
     pub fn with_defaults(script: &'s Script) -> Self {
-        Self::new(script, 0xFFFFFFFFu32, LeafVersion::default())
+        Self::new(script, LeafVersion::default())
+    }
+    /// Compute the leaf hash
+    pub fn leaf_hash(&self) -> TapLeafHash {
+        let mut enc = TapLeafHash::engine();
+
+        self.leaf_version.as_u8().consensus_encode(&mut enc).expect("Writing to hash enging should never fail");
+        self.script.consensus_encode(&mut enc).expect("Writing to hash enging should never fail");
+
+        TapLeafHash::from_engine(enc)
+    }
+}
+
+impl<'s> From<ScriptPath<'s>> for TapLeafHash {
+    fn from(script_path: ScriptPath<'s>) -> TapLeafHash {
+        script_path.leaf_hash()
     }
 }
 
@@ -298,7 +313,7 @@ impl<R: Deref<Target = Transaction>> SigHashCache<R> {
         input_index: usize,
         prevouts: &Prevouts,
         annex: Option<Annex>,
-        script_path: Option<ScriptPath>,
+        leaf_hash_code_separator: Option<(TapLeafHash, u32)>,
         sighash_type: SchnorrSigHashType,
     ) -> Result<(), Error> {
         prevouts.check_all(&self.tx)?;
@@ -350,7 +365,7 @@ impl<R: Deref<Target = Transaction>> SigHashCache<R> {
         if annex.is_some() {
             spend_type |= 1u8;
         }
-        if script_path.is_some() {
+        if leaf_hash_code_separator.is_some() {
             spend_type |= 2u8;
         }
         spend_type.consensus_encode(&mut writer)?;
@@ -412,17 +427,7 @@ impl<R: Deref<Target = Transaction>> SigHashCache<R> {
         //         ss += TaggedHash("TapLeaf", bytes([leaf_ver]) + ser_string(script))
         //         ss += bytes([0])
         //         ss += struct.pack("<i", codeseparator_pos)
-        if let Some(ScriptPath {
-            script,
-            leaf_version,
-            code_separator_pos,
-        }) = script_path
-        {
-            let mut enc = TapLeafHash::engine();
-            leaf_version.as_u8().consensus_encode(&mut enc)?;
-            script.consensus_encode(&mut enc)?;
-            let hash = TapLeafHash::from_engine(enc);
-
+        if let Some((hash, code_separator_pos)) = leaf_hash_code_separator {
             hash.into_inner().consensus_encode(&mut writer)?;
             KEY_VERSION_0.consensus_encode(&mut writer)?;
             code_separator_pos.consensus_encode(&mut writer)?;
@@ -437,7 +442,7 @@ impl<R: Deref<Target = Transaction>> SigHashCache<R> {
         input_index: usize,
         prevouts: &Prevouts,
         annex: Option<Annex>,
-        script_path: Option<ScriptPath>,
+        leaf_hash_code_separator: Option<(TapLeafHash, u32)>,
         sighash_type: SchnorrSigHashType,
     ) -> Result<TapSighashHash, Error> {
         let mut enc = TapSighashHash::engine();
@@ -446,7 +451,49 @@ impl<R: Deref<Target = Transaction>> SigHashCache<R> {
             input_index,
             prevouts,
             annex,
-            script_path,
+            leaf_hash_code_separator,
+            sighash_type,
+        )?;
+        Ok(TapSighashHash::from_engine(enc))
+    }
+
+    /// Compute the BIP341 sighash for a key spend
+    pub fn taproot_key_spend_signature_hash(
+        &mut self,
+        input_index: usize,
+        prevouts: &Prevouts,
+        sighash_type: SchnorrSigHashType,
+    ) -> Result<TapSighashHash, Error> {
+        let mut enc = TapSighashHash::engine();
+        self.taproot_encode_signing_data_to(
+            &mut enc,
+            input_index,
+            prevouts,
+            None,
+            None,
+            sighash_type,
+        )?;
+        Ok(TapSighashHash::from_engine(enc))
+    }
+
+    /// Compute the BIP341 sighash for a script spend
+    ///
+    /// Assumes the default `OP_CODESEPARATOR` position of `0xFFFFFFFF`. Custom values can be
+    /// provided through the more fine-grained API of [`SigHashCache::taproot_encode_signing_data_to`].
+    pub fn taproot_script_spend_signature_hash<S: Into<TapLeafHash>>(
+        &mut self,
+        input_index: usize,
+        prevouts: &Prevouts,
+        leaf_hash: S,
+        sighash_type: SchnorrSigHashType,
+    ) -> Result<TapSighashHash, Error> {
+        let mut enc = TapSighashHash::engine();
+        self.taproot_encode_signing_data_to(
+            &mut enc,
+            input_index,
+            prevouts,
+            None,
+            Some((leaf_hash.into(), 0xFFFFFFFF)),
             sighash_type,
         )?;
         Ok(TapSighashHash::from_engine(enc))
@@ -703,7 +750,7 @@ mod tests {
     use consensus::deserialize;
     use hashes::hex::FromHex;
     use hashes::{Hash, HashEngine};
-    use util::sighash::{Annex, Error, Prevouts, ScriptPath, SigHashCache};
+    use util::sighash::{Annex, Error, Prevouts, ScriptPath, SigHashCache, TapLeafHash};
     use util::taproot::TapSighashHash;
     use {Script, Transaction, TxIn, TxOut};
 
@@ -728,55 +775,55 @@ mod tests {
             "01365724000000000023542156b39dab4f8f3508e0432cfb41fab110170acaa2d4c42539cb90a4dc7c093bc500",
             0,
             "33ca0ebfb4a945eeee9569fc0f5040221275f88690b7f8592ada88ce3bdf6703",
-            SchnorrSigHashType::Default, None,None,
+            SchnorrSigHashType::Default, None, None, None
         );
 
         test_taproot_sighash(
             "0200000002fff49be59befe7566050737910f6ccdc5e749c7f8860ddc140386463d88c5ad0f3000000002cf68eb4a3d67f9d4c079249f7e4f27b8854815cb1ed13842d4fbf395f9e217fd605ee24090100000065235d9203f458520000000000160014b6d48333bb13b4c644e57c43a9a26df3a44b785e58020000000000001976a914eea9461a9e1e3f765d3af3e726162e0229fe3eb688ac58020000000000001976a9143a8869c9f2b5ea1d4ff3aeeb6a8fb2fffb1ad5fe88ac0ad7125c",
             "02591f220000000000225120f25ad35583ea31998d968871d7de1abd2a52f6fe4178b54ea158274806ff4ece48fb310000000000225120f25ad35583ea31998d968871d7de1abd2a52f6fe4178b54ea158274806ff4ece",
             1,
             "626ab955d58c9a8a600a0c580549d06dc7da4e802eb2a531f62a588e430967a8",
-            SchnorrSigHashType::All, None,None,
+            SchnorrSigHashType::All, None, None, None
         );
 
         test_taproot_sighash(
             "0200000001350005f65aa830ced2079df348e2d8c2bdb4f10e2dde6a161d8a07b40d1ad87dae000000001611d0d603d9dc0e000000000017a914459b6d7d6bbb4d8837b4bf7e9a4556f952da2f5c8758020000000000001976a9141dd70e1299ffc2d5b51f6f87de9dfe9398c33cbb88ac58020000000000001976a9141dd70e1299ffc2d5b51f6f87de9dfe9398c33cbb88aca71c1f4f",
             "01c4811000000000002251201bf9297d0a2968ae6693aadd0fa514717afefd218087a239afb7418e2d22e65c",
             0,
             "dfa9437f9c9a1d1f9af271f79f2f5482f287cdb0d2e03fa92c8a9b216cc6061c",
-            SchnorrSigHashType::AllPlusAnyoneCanPay, None,None,
+            SchnorrSigHashType::AllPlusAnyoneCanPay, None, None, None
         );
 
         test_taproot_sighash(
             "020000000185bed1a6da2bffbd60ec681a1bfb71c5111d6395b99b3f8b2bf90167111bcb18f5010000007c83ace802ded24a00000000001600142c4698f9f7a773866879755aa78c516fb332af8e5802000000000000160014d38639dfbac4259323b98a472405db0c461b31fa61073747",
             "0144c84d0000000000225120e3f2107989c88e67296ab2faca930efa2e3a5bd3ff0904835a11c9e807458621",
             0,
             "3129de36a5d05fff97ffca31eb75fcccbbbc27b3147a7a36a9e4b45d8b625067",
-            SchnorrSigHashType::None, None,None,
+            SchnorrSigHashType::None, None, None, None
         );
 
         test_taproot_sighash(
             "eb93dbb901028c8515589dac980b6e7f8e4088b77ed866ca0d6d210a7218b6fd0f6b22dd6d7300000000eb4740a9047efc0e0000000000160014913da2128d8fcf292b3691db0e187414aa1783825802000000000000160014913da2128d8fcf292b3691db0e187414aa178382580200000000000017a9143dd27f01c6f7ef9bb9159937b17f17065ed01a0c875802000000000000160014d7630e19df70ada9905ede1722b800c0005f246641000000",
             "013fed110000000000225120eb536ae8c33580290630fc495046e998086a64f8f33b93b07967d9029b265c55",
             0,
             "2441e8b0e063a2083ee790f14f2045022f07258ddde5ee01de543c9e789d80ae",
-            SchnorrSigHashType::NonePlusAnyoneCanPay, None,None,
+            SchnorrSigHashType::NonePlusAnyoneCanPay, None, None, None
         );
 
         test_taproot_sighash(
             "02000000017836b409a5fed32211407e44b971591f2032053f14701fb5b3a30c0ff382f2cc9c0100000061ac55f60288fb5600000000001976a9144ea02f6f182b082fb6ce47e36bbde390b6a41b5088ac58020000000000001976a9144ea02f6f182b082fb6ce47e36bbde390b6a41b5088ace4000000",
             "01efa558000000000022512007071ea3dc7e331b0687d0193d1e6d6ed10e645ef36f10ef8831d5e522ac9e80",
             0,
             "30239345177cadd0e3ea413d49803580abb6cb27971b481b7788a78d35117a88",
-            SchnorrSigHashType::Single, None,None,
+            SchnorrSigHashType::Single, None, None, None
         );
 
         test_taproot_sighash(
             "0100000001aa6deae89d5e0aaca58714fc76ef6f3c8284224888089232d4e663843ed3ab3eae010000008b6657a60450cb4c0000000000160014a3d42b5413ef0c0701c4702f3cd7d4df222c147058020000000000001976a91430b4ed8723a4ee8992aa2c8814cfe5c3ad0ab9d988ac5802000000000000160014365b1166a6ed0a5e8e9dff17a6d00bbb43454bc758020000000000001976a914bc98c51a84fe7fad5dc380eb8b39586eff47241688ac4f313247",
             "0107af4e00000000002251202c36d243dfc06cb56a248e62df27ecba7417307511a81ae61aa41c597a929c69",
             0,
             "bf9c83f26c6dd16449e4921f813f551c4218e86f2ec906ca8611175b41b566df",
-            SchnorrSigHashType::SinglePlusAnyoneCanPay, None,None,
+            SchnorrSigHashType::SinglePlusAnyoneCanPay, None, None, None
         );
     }
 
@@ -790,6 +837,7 @@ mod tests {
             SchnorrSigHashType::SinglePlusAnyoneCanPay,
             Some("507b979802e62d397acb29f56743a791894b99372872fc5af06a4f6e8d242d0615cda53062bb20e6ec79756fe39183f0c128adfe85559a8fa042b042c018aa8010143799e44f0893c40e1e"),
             None,
+            None,
         );
     }
 
@@ -803,6 +851,21 @@ mod tests {
             SchnorrSigHashType::All,
             None,
             Some("20cc4e1107aea1d170c5ff5b6817e1303010049724fb3caa7941792ea9d29b3e2bacab"),
+            None,
+        );
+    }
+
+    #[test]
+    fn test_sighashes_with_script_path_raw_hash() {
+        test_taproot_sighash(
+            "020000000189fc651483f9296b906455dd939813bf086b1bbe7c77635e157c8e14ae29062195010000004445b5c7044561320000000000160014331414dbdada7fb578f700f38fb69995fc9b5ab958020000000000001976a914268db0a8104cc6d8afd91233cc8b3d1ace8ac3ef88ac580200000000000017a914ec00dcb368d6a693e11986d265f659d2f59e8be2875802000000000000160014c715799a49a0bae3956df9c17cb4440a673ac0df6f010000",
+            "011bec34000000000022512028055142ea437db73382e991861446040b61dd2185c4891d7daf6893d79f7182",
+            0,
+            "d66de5274a60400c7b08c86ba6b7f198f40660079edf53aca89d2a9501317f2e",
+            SchnorrSigHashType::All,
+            None,
+            None,
+            Some("15a2530514e399f8b5cf0b3d3112cf5b289eaa3e308ba2071b58392fdc6da68a"),
         );
     }
 
@@ -816,6 +879,7 @@ mod tests {
             SchnorrSigHashType::All,
             Some("50a6272b470e1460e3332ade7bb14b81671c564fb6245761bd5bd531394b28860e0b3808ab229fb51791fb6ae6fa82d915b2efb8f6df83ae1f5ab3db13e30928875e2a22b749d89358de481f19286cd4caa792ce27f9559082d227a731c5486882cc707f83da361c51b7aadd9a0cf68fe7480c410fa137b454482d9a1ebf0f96d760b4d61426fc109c6e8e99a508372c45caa7b000a41f8251305da3f206c1849985ba03f3d9592832b4053afbd23ab25d0465df0bc25a36c223aacf8e04ec736a418c72dc319e4da3e972e349713ca600965e7c665f2090d5a70e241ac164115a1f5639f28b1773327715ca307ace64a2de7f0e3df70a2ffee3857689f909c0dad46d8a20fa373a4cc6eed6d4c9806bf146f0d76baae1"),
             Some("7520ab9160dd8299dc1367659be3e8f66781fe440d52940c7f8d314a89b9f2698d406ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6ead6eadac"),
+            None,
         );
     }
 
@@ -888,6 +952,7 @@ mod tests {
         sighash_type: SchnorrSigHashType,
         annex_hex: Option<&str>,
         script_hex: Option<&str>,
+        script_leaf_hash: Option<&str>,
     ) {
         let tx_bytes = Vec::from_hex(tx_hex).unwrap();
         let tx: Transaction = deserialize(&tx_bytes).unwrap();
@@ -902,14 +967,18 @@ mod tests {
             None => None,
         };
 
-        let script_inner;
-        let script_path = match script_hex {
-            Some(script_hex) => {
-                script_inner = Script::from_hex(script_hex).unwrap();
-                Some(ScriptPath::with_defaults(&script_inner))
+        let leaf_hash =  match (script_hex, script_leaf_hash) {
+            (Some(script_hex), _) => {
+                let script_inner = Script::from_hex(script_hex).unwrap();
+                Some(ScriptPath::with_defaults(&script_inner).leaf_hash())
             }
-            None => None,
+            (_, Some(script_leaf_hash)) => {
+                Some(TapLeafHash::from_hex(script_leaf_hash).unwrap())
+            }
+            _ => None,
         };
+        // All our tests use the default `0xFFFFFFFF` codeseparator value
+        let leaf_hash = leaf_hash.map(|lh| (lh, 0xFFFFFFFF));
 
         let prevouts = if sighash_type.split_anyonecanpay_flag().1 && tx_bytes[0] % 2 == 0 {
             // for anyonecanpay the `Prevouts::All` variant is good anyway, but sometimes we want to
@@ -922,7 +991,7 @@ mod tests {
         let mut sig_hash_cache = SigHashCache::new(&tx);
 
         let hash = sig_hash_cache
-            .taproot_signature_hash(input_index, &prevouts, annex, script_path, sighash_type)
+            .taproot_signature_hash(input_index, &prevouts, annex, leaf_hash, sighash_type)
             .unwrap();
         let expected = Vec::from_hex(expected_hash).unwrap();
         assert_eq!(expected, hash.into_inner());
