feat: validate witness data (partial)

Author: motorina0

src/merkle.js

@@ -5,6 +5,7 @@ const buffer_1 = require('buffer');
 const bcrypto = require('./crypto');
 // todo: use varuint-bitcoin??
 const varuint = require('bip174/src/lib/converter/varint');
+// todo: find better place for these consts
 const TAP_LEAF_TAG = buffer_1.Buffer.from('TapLeaf', 'utf8');
 const TAP_BRANCH_TAG = buffer_1.Buffer.from('TapBranch', 'utf8');
 const LEAF_VERSION_TAPSCRIPT = 0xc0;

src/payments/p2tr.js

@@ -9,11 +9,19 @@ const lazy = require('./lazy');
 const bech32_1 = require('bech32');
 const OPS = bscript.OPS;
 const TAPROOT_VERSION = 0x01;
+const ANNEX_PREFIX = 0x50;
 // witness: {signature}
 // input: <>
 // output: OP_1 {pubKey}
 function p2tr(a, opts) {
-  if (!a.address && !a.output && !a.pubkey && !a.output && !a.internalPubkey)
+  if (
+    !a.address &&
+    !a.output &&
+    !a.pubkey &&
+    !a.output &&
+    !a.internalPubkey &&
+    !(a.witness && a.witness.length > 1)
+  )
     throw new TypeError('Not enough data');
   opts = Object.assign({ validate: true }, opts || {});
   (0, types_1.typeforce)(
@@ -43,7 +51,17 @@ function p2tr(a, opts) {
       data: Buffer.from(data),
     };
   });
-  // todo: clean-up withness (annex), etc
+  const _witness = lazy.value(() => {
+    if (!a.witness || !a.witness.length) return;
+    if (
+      a.witness.length >= 2 &&
+      a.witness[a.witness.length - 1][0] === ANNEX_PREFIX
+    ) {
+      // remove annex, ignored by taproot
+      return a.witness.slice(0, -1);
+    }
+    return a.witness.slice();
+  });
   const network = a.network || networks_1.bitcoin;
   const o = { name: 'p2tr', network };
   lazy.prop(o, 'address', () => {
@@ -55,6 +73,7 @@ function p2tr(a, opts) {
   lazy.prop(o, 'hash', () => {
     if (a.hash) return a.hash;
     if (a.scriptsTree) return (0, merkle_1.computeMastRoot)(a.scriptsTree);
+    // todo: compute from witness
     return null;
   });
   lazy.prop(o, 'output', () => {
@@ -65,11 +84,17 @@ function p2tr(a, opts) {
     if (a.pubkey) return a.pubkey;
     if (a.output) return a.output.slice(2);
     if (a.address) return _address().data;
-    if (a.internalPubkey) {
-      const tweakedKey = (0, types_1.tweakPublicKey)(a.internalPubkey, o.hash);
+    if (o.internalPubkey) {
+      const tweakedKey = (0, types_1.tweakPublicKey)(o.internalPubkey, o.hash);
       if (tweakedKey) return tweakedKey.x;
     }
   });
+  lazy.prop(o, 'internalPubkey', () => {
+    if (a.internalPubkey) return a.internalPubkey;
+    const witness = _witness();
+    if (witness && witness.length > 1)
+      return witness[witness.length - 1].slice(1, 33);
+  });
   lazy.prop(o, 'signature', () => {
     if (a.witness?.length !== 1) return;
     return a.witness[0];
@@ -78,6 +103,7 @@ function p2tr(a, opts) {
     // todo: not sure
   });
   lazy.prop(o, 'witness', () => {
+    if (a.witness) return a.witness;
     if (!a.signature) return;
     return [a.signature];
   });
@@ -109,7 +135,6 @@ function p2tr(a, opts) {
         throw new TypeError('Pubkey mismatch');
       else pubkey = a.output.slice(2);
     }
-    // todo: optimze o.hash?
     if (a.internalPubkey) {
       const tweakedKey = (0, types_1.tweakPublicKey)(a.internalPubkey, o.hash);
       if (tweakedKey === null)
@@ -126,13 +151,59 @@ function p2tr(a, opts) {
       const hash = (0, merkle_1.computeMastRoot)(a.scriptsTree);
       if (!a.hash.equals(hash)) throw new TypeError('Hash mismatch');
     }
-    if (a.witness) {
-      if (a.witness.length !== 1) throw new TypeError('Witness is invalid');
-      // todo: recheck
-      // if (!bscript.isCanonicalScriptSignature(a.witness[0]))
-      // throw new TypeError('Witness has invalid signature');
-      if (a.signature && !a.signature.equals(a.witness[0]))
-        throw new TypeError('Signature mismatch');
+    // todo: review cache
+    const witness = _witness();
+    if (witness && witness.length) {
+      if (witness.length === 1) {
+        // key spending
+        if (a.signature && !a.signature.equals(witness[0]))
+          throw new TypeError('Signature mismatch');
+        // todo: recheck
+        // if (!bscript.isSchnorSignature(a.pubkey, a.witness[0]))
+        // throw new TypeError('Witness has invalid signature');
+      } else {
+        // script path spending
+        const controlBlock = witness[witness.length - 1];
+        if (controlBlock.length < 33)
+          throw new TypeError(
+            `The control-block length is too small. Got ${
+              controlBlock.length
+            }, expected min 33.`,
+          );
+        if ((controlBlock.length - 33) % 32 !== 0)
+          throw new TypeError(
+            `The control-block length of ${controlBlock.length} is incorrect!`,
+          );
+        const m = (controlBlock.length - 33) / 32;
+        if (m > 128)
+          throw new TypeError(
+            `The script path is too long. Got ${m}, expected max 128.`,
+          );
+        const internalPubkey = controlBlock.slice(1, 33);
+        if (a.internalPubkey && !a.internalPubkey.equals(internalPubkey))
+          throw new TypeError('Internal pubkey mismatch');
+        const internalPubkeyPoint = (0, types_1.liftX)(internalPubkey);
+        if (!internalPubkeyPoint)
+          throw new TypeError('Invalid internalPubkey for p2tr witness');
+        const leafVersion = controlBlock[0] & 0b11111110;
+        const script = witness[witness.length - 2];
+        const tweak = (0, types_1.computeTweakFromScriptPath)(
+          controlBlock,
+          script,
+          internalPubkey,
+          m,
+          leafVersion,
+        );
+        const outputKey = (0, types_1.tweakPublicKey)(internalPubkey, tweak);
+        if (!outputKey)
+          // todo: needs test data
+          throw new TypeError('Invalid outputKey for p2tr witness');
+        if (pubkey.length && !pubkey.equals(outputKey.x))
+          throw new TypeError('Pubkey mismatch for p2tr witness');
+        const controlBlockOddParity = (controlBlock[0] & 1) === 1;
+        if (outputKey.isOdd !== controlBlockOddParity)
+          throw new Error('Incorrect parity');
+      }
     }
   }
   return Object.assign(o, a);

src/types.d.ts

@@ -1,8 +1,10 @@
 /// <reference types="node" />
+import { Buffer as NBuffer } from 'buffer';
 export declare const typeforce: any;
 export declare function isPoint(p: Buffer | number | undefined | null): boolean;
 export declare function liftX(buffer: Buffer): Buffer | null;
 export declare function tweakPublicKey(pubKey: Buffer, h: Buffer | undefined): TweakedPublicKey | null;
+export declare function computeTweakFromScriptPath(controlBlock: Buffer, script: Buffer, internalPubkey: Buffer, m: number, v: number): NBuffer;
 export declare function UInt31(value: number): boolean;
 export declare function BIP32Path(value: string): boolean;
 export declare namespace BIP32Path {

src/types.js

@@ -1,8 +1,9 @@
 'use strict';
 Object.defineProperty(exports, '__esModule', { value: true });
-exports.oneOf = exports.Null = exports.BufferN = exports.Function = exports.UInt32 = exports.UInt8 = exports.tuple = exports.maybe = exports.Hex = exports.Buffer = exports.String = exports.Boolean = exports.Array = exports.Number = exports.Hash256bit = exports.Hash160bit = exports.Buffer256bit = exports.TaprootNode = exports.TaprootLeaf = exports.Network = exports.ECPoint = exports.Satoshi = exports.Signer = exports.BIP32Path = exports.UInt31 = exports.tweakPublicKey = exports.liftX = exports.isPoint = exports.typeforce = void 0;
+exports.oneOf = exports.Null = exports.BufferN = exports.Function = exports.UInt32 = exports.UInt8 = exports.tuple = exports.maybe = exports.Hex = exports.Buffer = exports.String = exports.Boolean = exports.Array = exports.Number = exports.Hash256bit = exports.Hash160bit = exports.Buffer256bit = exports.TaprootNode = exports.TaprootLeaf = exports.Network = exports.ECPoint = exports.Satoshi = exports.Signer = exports.BIP32Path = exports.UInt31 = exports.computeTweakFromScriptPath = exports.tweakPublicKey = exports.liftX = exports.isPoint = exports.typeforce = void 0;
 const buffer_1 = require('buffer');
 const bcrypto = require('./crypto');
+const varuint = require('bip174/src/lib/converter/varint');
 // Temp, to be replaced
 // Only works because bip32 has it as dependecy. Linting will fail.
 const ecc = require('tiny-secp256k1');
@@ -62,12 +63,12 @@ function liftX(buffer) {
 }
 exports.liftX = liftX;
 const TAP_TWEAK_TAG = buffer_1.Buffer.from('TapTweak', 'utf8');
-const GROUP_ORDER = new BN(
-  buffer_1.Buffer.from(
-    'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141',
-    'hex',
-  ),
+const GROUP_ORDER = buffer_1.Buffer.from(
+  'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141',
+  'hex',
 );
+// todo: compare buffers dirrectly
+const GROUP_ORDER_BN = new BN(GROUP_ORDER);
 function tweakPublicKey(pubKey, h) {
   if (!buffer_1.Buffer.isBuffer(pubKey)) return null;
   if (pubKey.length !== 32) return null;
@@ -77,7 +78,8 @@ function tweakPublicKey(pubKey, h) {
     buffer_1.Buffer.concat(h ? [pubKey, h] : [pubKey]),
   );
   const t = new BN(tweakHash);
-  if (t.gte(GROUP_ORDER)) {
+  if (t.gte(GROUP_ORDER_BN)) {
+    // todo: add test for this case
     throw new Error('Tweak value over the SECP256K1 Order');
   }
   const P = liftX(pubKey);
@@ -89,6 +91,53 @@ function tweakPublicKey(pubKey, h) {
   };
 }
 exports.tweakPublicKey = tweakPublicKey;
+const TAP_LEAF_TAG = buffer_1.Buffer.from('TapLeaf', 'utf8');
+const TAP_BRANCH_TAG = buffer_1.Buffer.from('TapBranch', 'utf8');
+function computeTweakFromScriptPath(
+  controlBlock,
+  script,
+  internalPubkey,
+  m,
+  v,
+) {
+  const k = [];
+  const e = [];
+  const tapLeafMsg = buffer_1.Buffer.concat([
+    buffer_1.Buffer.from([v]),
+    serializeScript(script),
+  ]);
+  k[0] = bcrypto.taggedHash(TAP_LEAF_TAG, tapLeafMsg);
+  for (let j = 0; j < m; j++) {
+    e[j] = controlBlock.slice(33 + 32 * j, 65 + 32 * j);
+    if (k[j].compare(e[j]) < 0) {
+      k[j + 1] = bcrypto.taggedHash(
+        TAP_BRANCH_TAG,
+        buffer_1.Buffer.concat([k[j], e[j]]),
+      );
+    } else {
+      k[j + 1] = bcrypto.taggedHash(
+        TAP_BRANCH_TAG,
+        buffer_1.Buffer.concat([e[j], k[j]]),
+      );
+    }
+  }
+  const t = bcrypto.taggedHash(
+    TAP_TWEAK_TAG,
+    buffer_1.Buffer.concat([internalPubkey, k[m]]),
+  );
+  if (t.compare(GROUP_ORDER) >= 0) {
+    throw new Error('Over the order of secp256k1');
+  }
+  return t;
+}
+exports.computeTweakFromScriptPath = computeTweakFromScriptPath;
+// todo: move out
+function serializeScript(s) {
+  const varintLen = varuint.encodingLength(s.length);
+  const buffer = buffer_1.Buffer.allocUnsafe(varintLen); // better
+  varuint.encode(s.length, buffer);
+  return buffer_1.Buffer.concat([buffer, s]);
+}
 // todo: do not use ecc
 function pointAddScalar(P, h) {
   return ecc.pointAddScalar(P, h);