feat(core): add PSBT signing with private key buffers

OttoAllmendinger · OttoAllmendinger · commit 57ea24319aa6 · 2025-02-18T16:59:49.000+01:00
Implement PSBT signing with raw private keys alongside xprv-based signing. Add tests to verify both signing methods. Issue: BTC-1845
diff --git a/packages/wasm-miniscript/js/index.ts b/packages/wasm-miniscript/js/index.ts
@@ -34,6 +34,7 @@ declare module "./wasm/wasm_miniscript" {
 
   interface WrapPsbt {
     signWithXprv(this: WrapPsbt, xprv: string): SignPsbtResult;
+    signWithPrv(this: WrapPsbt, prv: Buffer): SignPsbtResult;
   }
 }
 
diff --git a/packages/wasm-miniscript/src/psbt.rs b/packages/wasm-miniscript/src/psbt.rs
@@ -4,6 +4,8 @@ use crate::WrapDescriptor;
 use miniscript::bitcoin::secp256k1::Secp256k1;
 use miniscript::bitcoin::Psbt;
 use miniscript::psbt::PsbtExt;
+use miniscript::ToPublicKey;
+use std::collections::HashMap;
 use std::str::FromStr;
 use wasm_bindgen::prelude::wasm_bindgen;
 use wasm_bindgen::{JsError, JsValue};
@@ -75,6 +77,29 @@ impl WrapPsbt {
             .and_then(|r| r.try_to_js_value())
     }
 
+    #[wasm_bindgen(js_name = signWithPrv)]
+    pub fn sign_with_prv(&mut self, prv: Vec<u8>) -> Result<JsValue, JsError> {
+        let privkey = miniscript::bitcoin::PrivateKey::from_slice(
+            &prv,
+            miniscript::bitcoin::network::Network::Bitcoin,
+        )
+        .map_err(|_| JsError::new("Invalid private key"))?;
+        let mut map: HashMap<miniscript::bitcoin::PublicKey, miniscript::bitcoin::PrivateKey> =
+            std::collections::HashMap::new();
+        map.insert(privkey.public_key(&Secp256k1::new()), privkey);
+        map.insert(
+            privkey
+                .public_key(&Secp256k1::new())
+                .to_x_only_pubkey()
+                .to_public_key(),
+            privkey,
+        );
+        self.0
+            .sign(&map, &Secp256k1::new())
+            .map_err(|(_, errors)| JsError::new(&format!("{} errors: {:?}", errors.len(), errors)))
+            .and_then(|r| r.try_to_js_value())
+    }
+
     #[wasm_bindgen(js_name = finalize)]
     pub fn finalize_mut(&mut self) -> Result<(), JsError> {
         self.0
diff --git a/packages/wasm-miniscript/test/psbtFromDescriptor.ts b/packages/wasm-miniscript/test/psbtFromDescriptor.ts
@@ -1,3 +1,4 @@
+import assert from "node:assert";
 import { BIP32Interface } from "@bitgo/utxo-lib";
 import { getKey } from "@bitgo/utxo-lib/dist/src/testutil";
 
@@ -10,6 +11,10 @@ function toKeyWithPath(k: BIP32Interface, path = "*"): string {
   return k.toBase58() + "/" + path;
 }
 
+function toKeyPlain(k: Buffer): string {
+  return k.toString("hex");
+}
+
 const external = getKey("external");
 const a = getKey("a");
 const b = getKey("b");
@@ -27,6 +32,7 @@ function describeSignDescriptor(
   signSeqs: BIP32Interface[][],
 ) {
   describe(`psbt with descriptor ${name}`, function () {
+    const isTaproot = Object.keys(descriptor)[0] === "tr";
     const psbt = mockPsbtDefault({
       descriptorSelf: Descriptor.fromString(formatNode(descriptor), "derivable"),
       descriptorOther: Descriptor.fromString(
@@ -35,14 +41,39 @@ function describeSignDescriptor(
       ),
     });
 
+    function getSigResult(keys: BIP32Interface[]) {
+      return {
+        [isTaproot ? "Schnorr" : "Ecdsa"]: keys.map((key) =>
+          key.publicKey.subarray(isTaproot ? 1 : 0).toString("hex"),
+        ),
+      };
+    }
+
     signSeqs.forEach((signSeq, i) => {
-      it(`should sign ${signSeq.map((k) => getKeyName(k))}`, function () {
+      it(`should sign ${signSeq.map((k) => getKeyName(k))} xprv`, function () {
         const wrappedPsbt = toWrappedPsbt(psbt);
         signSeq.forEach((key) => {
-          wrappedPsbt.signWithXprv(key.toBase58());
+          assert.deepStrictEqual(wrappedPsbt.signWithXprv(key.toBase58()), {
+            0: getSigResult([key.derive(0)]),
+            1: getSigResult([key.derive(1)]),
+          });
         });
         wrappedPsbt.finalize();
       });
+
+      it(`should sign ${signSeq.map((k) => getKeyName(k))} prv buffer`, function () {
+        if (isTaproot) {
+          // signing with non-bip32 taproot keys is not supported apparently
+          this.skip();
+        }
+        const wrappedPsbt = toWrappedPsbt(psbt);
+        signSeq.forEach((key) => {
+          assert.deepStrictEqual(wrappedPsbt.signWithPrv(key.derive(0).privateKey), {
+            0: getSigResult([key.derive(0)]),
+            1: getSigResult([]),
+          });
+        });
+      });
     });
   });
 }
@@ -65,3 +96,18 @@ describeSignDescriptor(
   },
   [[a], [b], [c]],
 );
+
+// while we cannot sign with a derived plain xonly key, we can sign with an xprv
+describeSignDescriptor(
+  "TrWithExternalPlain",
+  {
+    tr: [
+      toKeyPlain(external.publicKey),
+      [
+        { pk: toKeyPlain(external.publicKey) },
+        { or_b: [{ pk: toKeyPlain(external.publicKey) }, { "s:pk": toKeyWithPath(a) }] },
+      ],
+    ],
+  },
+  [[a]],
+);

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ declare module "./wasm/wasm_miniscript" {`
`34`	`34`
`35`	`35`	`interface WrapPsbt {`
`36`	`36`	`signWithXprv(this: WrapPsbt, xprv: string): SignPsbtResult;`
	`37`	`+ signWithPrv(this: WrapPsbt, prv: Buffer): SignPsbtResult;`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`