Merge bitcoin/bitcoin#22558: psbt: Taproot fields for PSBT

b80de4c test: Test signing psbts without explicitly having scripts (Andrew Chow)
a73b568 wallet: also search taproot pubkeys in FillPSBT (Andrew Chow)
6cff827 sign: Use sigdata taproot spenddata when signing (Andrew Chow)
5f12fe3 psbt: Implement merge for Taproot fields (Andrew Chow)
1ece9a3 psbt, test: Check for taproot fields in taproot psbt test (Andrew Chow)
496a1bb taproot: Use pre-existing signatures if available (Andrew Chow)
0ad21e7 tests: Test taproot fields for PSBT (Andrew Chow)
103c6fd psbt: Remove non_witness_utxo for segwit v1+ (Andrew Chow)
7dccdd3 Implement decodepsbt for Taproot fields (Andrew Chow)
ac77475 Fill PSBT Taproot output data to/from SignatureData (Andrew Chow)
25b6ae4 Assert that TaprootBuilder is Finalized during GetSpendData (Andrew Chow)
3ae5b6a Store TaprootBuilder in SigningProviders instead of TaprootSpendData (Andrew Chow)
4d1223e Fetch key origins for Taproot keys (Andrew Chow)
52e3f2f Fill PSBT Taproot input data to/from SignatureData (Andrew Chow)
05e2cc9 Implement de/ser of PSBT's Taproot fields (Andrew Chow)
d557eff Add serialization methods to XOnlyPubKey (Andrew Chow)
d43923c Add TaprootBuilder::GetTreeTuples (Andrew Chow)
ce91120 Move individual KeyOriginInfo de/ser to separate function (Andrew Chow)

Pull request description:

  Implements the Taproot fields for PSBT described in [BIP 371](https://github.com/bitcoin/bips/blob/master/bip-0371.mediawiki).

ACKs for top commit:
  laanwj:
    Code review ACK b80de4c

Tree-SHA512: 50b79bb44f353c9ec2ef4c98aac08a81eba560987e5264a5684caa370e9c4e7a8255c06747fc47749511be45b32d01492e015f92b82be8d22bc8bf192073bd26

Author: laanwj

src/psbt.cpp

@@ -113,6 +113,24 @@ void PSBTInput::FillSignatureData(SignatureData& sigdata) const
     for (const auto& key_pair : hd_keypaths) {
         sigdata.misc_pubkeys.emplace(key_pair.first.GetID(), key_pair);
     }
+    if (!m_tap_key_sig.empty()) {
+        sigdata.taproot_key_path_sig = m_tap_key_sig;
+    }
+    for (const auto& [pubkey_leaf, sig] : m_tap_script_sigs) {
+        sigdata.taproot_script_sigs.emplace(pubkey_leaf, sig);
+    }
+    if (!m_tap_internal_key.IsNull()) {
+        sigdata.tr_spenddata.internal_key = m_tap_internal_key;
+    }
+    if (!m_tap_merkle_root.IsNull()) {
+        sigdata.tr_spenddata.merkle_root = m_tap_merkle_root;
+    }
+    for (const auto& [leaf_script, control_block] : m_tap_scripts) {
+        sigdata.tr_spenddata.scripts.emplace(leaf_script, control_block);
+    }
+    for (const auto& [pubkey, leaf_origin] : m_tap_bip32_paths) {
+        sigdata.taproot_misc_pubkeys.emplace(pubkey, leaf_origin);
+    }
 }
 
 void PSBTInput::FromSignatureData(const SignatureData& sigdata)
@@ -142,13 +160,30 @@ void PSBTInput::FromSignatureData(const SignatureData& sigdata)
     for (const auto& entry : sigdata.misc_pubkeys) {
         hd_keypaths.emplace(entry.second);
     }
+    if (!sigdata.taproot_key_path_sig.empty()) {
+        m_tap_key_sig = sigdata.taproot_key_path_sig;
+    }
+    for (const auto& [pubkey_leaf, sig] : sigdata.taproot_script_sigs) {
+        m_tap_script_sigs.emplace(pubkey_leaf, sig);
+    }
+    if (!sigdata.tr_spenddata.internal_key.IsNull()) {
+        m_tap_internal_key = sigdata.tr_spenddata.internal_key;
+    }
+    if (!sigdata.tr_spenddata.merkle_root.IsNull()) {
+        m_tap_merkle_root = sigdata.tr_spenddata.merkle_root;
+    }
+    for (const auto& [leaf_script, control_block] : sigdata.tr_spenddata.scripts) {
+        m_tap_scripts.emplace(leaf_script, control_block);
+    }
+    for (const auto& [pubkey, leaf_origin] : sigdata.taproot_misc_pubkeys) {
+        m_tap_bip32_paths.emplace(pubkey, leaf_origin);
+    }
 }
 
 void PSBTInput::Merge(const PSBTInput& input)
 {
     if (!non_witness_utxo && input.non_witness_utxo) non_witness_utxo = input.non_witness_utxo;
     if (witness_utxo.IsNull() && !input.witness_utxo.IsNull()) {
-        // TODO: For segwit v1, we will want to clear out the non-witness utxo when setting a witness one. For v0 and non-segwit, this is not safe
         witness_utxo = input.witness_utxo;
     }
 
@@ -159,11 +194,17 @@ void PSBTInput::Merge(const PSBTInput& input)
     hash256_preimages.insert(input.hash256_preimages.begin(), input.hash256_preimages.end());
     hd_keypaths.insert(input.hd_keypaths.begin(), input.hd_keypaths.end());
     unknown.insert(input.unknown.begin(), input.unknown.end());
+    m_tap_script_sigs.insert(input.m_tap_script_sigs.begin(), input.m_tap_script_sigs.end());
+    m_tap_scripts.insert(input.m_tap_scripts.begin(), input.m_tap_scripts.end());
+    m_tap_bip32_paths.insert(input.m_tap_bip32_paths.begin(), input.m_tap_bip32_paths.end());
 
     if (redeem_script.empty() && !input.redeem_script.empty()) redeem_script = input.redeem_script;
     if (witness_script.empty() && !input.witness_script.empty()) witness_script = input.witness_script;
     if (final_script_sig.empty() && !input.final_script_sig.empty()) final_script_sig = input.final_script_sig;
     if (final_script_witness.IsNull() && !input.final_script_witness.IsNull()) final_script_witness = input.final_script_witness;
+    if (m_tap_key_sig.empty() && !input.m_tap_key_sig.empty()) m_tap_key_sig = input.m_tap_key_sig;
+    if (m_tap_internal_key.IsNull() && !input.m_tap_internal_key.IsNull()) m_tap_internal_key = input.m_tap_internal_key;
+    if (m_tap_merkle_root.IsNull() && !input.m_tap_merkle_root.IsNull()) m_tap_merkle_root = input.m_tap_merkle_root;
 }
 
 void PSBTOutput::FillSignatureData(SignatureData& sigdata) const
@@ -177,6 +218,15 @@ void PSBTOutput::FillSignatureData(SignatureData& sigdata) const
     for (const auto& key_pair : hd_keypaths) {
         sigdata.misc_pubkeys.emplace(key_pair.first.GetID(), key_pair);
     }
+    if (m_tap_tree.has_value() && m_tap_internal_key.IsFullyValid()) {
+        TaprootSpendData spenddata = m_tap_tree->GetSpendData();
+
+        sigdata.tr_spenddata.internal_key = m_tap_internal_key;
+        sigdata.tr_spenddata.Merge(spenddata);
+    }
+    for (const auto& [pubkey, leaf_origin] : m_tap_bip32_paths) {
+        sigdata.taproot_misc_pubkeys.emplace(pubkey, leaf_origin);
+    }
 }
 
 void PSBTOutput::FromSignatureData(const SignatureData& sigdata)
@@ -190,6 +240,15 @@ void PSBTOutput::FromSignatureData(const SignatureData& sigdata)
     for (const auto& entry : sigdata.misc_pubkeys) {
         hd_keypaths.emplace(entry.second);
     }
+    if (!sigdata.tr_spenddata.internal_key.IsNull()) {
+        m_tap_internal_key = sigdata.tr_spenddata.internal_key;
+    }
+    if (sigdata.tr_builder.has_value()) {
+        m_tap_tree = sigdata.tr_builder;
+    }
+    for (const auto& [pubkey, leaf_origin] : sigdata.taproot_misc_pubkeys) {
+        m_tap_bip32_paths.emplace(pubkey, leaf_origin);
+    }
 }
 
 bool PSBTOutput::IsNull() const
@@ -201,9 +260,12 @@ void PSBTOutput::Merge(const PSBTOutput& output)
 {
     hd_keypaths.insert(output.hd_keypaths.begin(), output.hd_keypaths.end());
     unknown.insert(output.unknown.begin(), output.unknown.end());
+    m_tap_bip32_paths.insert(output.m_tap_bip32_paths.begin(), output.m_tap_bip32_paths.end());
 
     if (redeem_script.empty() && !output.redeem_script.empty()) redeem_script = output.redeem_script;
     if (witness_script.empty() && !output.witness_script.empty()) witness_script = output.witness_script;
+    if (m_tap_internal_key.IsNull() && !output.m_tap_internal_key.IsNull()) m_tap_internal_key = output.m_tap_internal_key;
+    if (m_tap_tree.has_value() && !output.m_tap_tree.has_value()) m_tap_tree = output.m_tap_tree;
 }
 bool PSBTInputSigned(const PSBTInput& input)
 {
@@ -313,10 +375,11 @@ bool SignPSBTInput(const SigningProvider& provider, PartiallySignedTransaction&
     input.FromSignatureData(sigdata);
 
     // If we have a witness signature, put a witness UTXO.
-    // TODO: For segwit v1, we should remove the non_witness_utxo
     if (sigdata.witness) {
         input.witness_utxo = utxo;
-        // input.non_witness_utxo = nullptr;
+        // We can remove the non_witness_utxo if and only if there are no non-segwit or segwit v0
+        // inputs in this transaction. Since this requires inspecting the entire transaction, this
+        // is something for the caller to deal with (i.e. FillPSBT).
     }
 
     // Fill in the missing info