plan: Append witness script for P2WSH in Plan::satisfy()

evanlinjin · claude · evanlinjin · commit 962bcc28a515 · 2026-02-03T05:42:49.000Z
Fix Plan::satisfy() to correctly append the witnessScript as the final witness stack element for P2WSH descriptor types (Wsh, WshSortedMulti, ShWsh, ShWshSortedMulti). Previously, these types were incorrectly grouped with Wpkh and Tr, which don't require a trailing witness script. This caused transactions built using Plan::satisfy() to fail validation with "Witness program hash mismatch" when broadcast. The fix separates the descriptor type handling: - Wpkh/Tr: return stack as-is (no witness script needed) - Wsh/WshSortedMulti: append witness script, empty script_sig - ShWpkh: return stack with unsigned_script_sig (no witness script) - ShWsh/ShWshSortedMulti: append witness script and unsigned_script_sig Closes #896 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/plan.rs b/src/plan.rs
@@ -292,11 +292,24 @@ impl Plan {
                     })
                     .into_script(),
             ),
-            DescriptorType::Wpkh
-            | DescriptorType::Wsh
-            | DescriptorType::WshSortedMulti
-            | DescriptorType::Tr => (stack, ScriptBuf::new()),
-            DescriptorType::ShWsh | DescriptorType::ShWshSortedMulti | DescriptorType::ShWpkh => {
+            DescriptorType::Wpkh | DescriptorType::Tr => (stack, ScriptBuf::new()),
+            DescriptorType::Wsh | DescriptorType::WshSortedMulti => {
+                let mut stack = stack;
+                let witness_script = self
+                    .descriptor
+                    .explicit_script()
+                    .expect("descriptor is wsh");
+                stack.push(witness_script.into_bytes());
+                (stack, ScriptBuf::new())
+            }
+            DescriptorType::ShWpkh => (stack, self.descriptor.unsigned_script_sig()),
+            DescriptorType::ShWsh | DescriptorType::ShWshSortedMulti => {
+                let mut stack = stack;
+                let witness_script = self
+                    .descriptor
+                    .explicit_script()
+                    .expect("descriptor is sh-wsh");
+                stack.push(witness_script.into_bytes());
                 (stack, self.descriptor.unsigned_script_sig())
             }
         })
@@ -1154,4 +1167,114 @@ mod test {
         assert!(psbt_input.redeem_script.is_none(), "Redeem script present");
         assert_eq!(psbt_input.bip32_derivation.len(), 2, "Unexpected number of bip32_derivation");
     }
+
+    #[test]
+    fn test_plan_satisfy_wsh() {
+        use std::collections::BTreeMap;
+
+        use bitcoin::secp256k1::{self, Secp256k1};
+
+        let secp = Secp256k1::new();
+        // Generate a key from deterministic secret key
+        let sk =
+            secp256k1::SecretKey::from_slice(&b"sally was a secret key, she said"[..]).unwrap();
+        let pk = bitcoin::PublicKey::new(secp256k1::PublicKey::from_secret_key(&secp, &sk));
+        let msg = secp256k1::Message::from_digest_slice(&b"michael was a message, amusingly"[..])
+            .expect("32 bytes");
+        let sig = secp.sign_ecdsa(&msg, &sk);
+        let ecdsa_sig = bitcoin::ecdsa::Signature {
+            signature: sig,
+            sighash_type: bitcoin::sighash::EcdsaSighashType::All,
+        };
+
+        // Create a wsh(pk(key)) descriptor - simple single key
+        let desc_str = format!("wsh(pk({}))", pk);
+        let desc = Descriptor::<DefiniteDescriptorKey>::from_str(&desc_str).unwrap();
+
+        // Get the witness script for comparison
+        let witness_script = desc.explicit_script().expect("wsh has explicit script");
+
+        // Create the DefiniteDescriptorKey for the satisfier and DescriptorPublicKey for assets
+        let pk_str = pk.to_string();
+        let definite_key = DefiniteDescriptorKey::from_str(&pk_str).unwrap();
+        let descriptor_key = DescriptorPublicKey::from_str(&pk_str).unwrap();
+
+        // Create a BTreeMap satisfier with the signature
+        let mut sig_map: BTreeMap<DefiniteDescriptorKey, bitcoin::ecdsa::Signature> =
+            BTreeMap::new();
+        sig_map.insert(definite_key, ecdsa_sig);
+
+        // Create assets and get a plan
+        let assets = Assets::new().add(descriptor_key);
+        let plan = desc.plan(&assets).expect("plan should succeed");
+
+        // Call plan.satisfy() with the signature satisfier
+        let (witness, script_sig) = plan.satisfy(&sig_map).expect("satisfy should succeed");
+
+        // For native P2WSH:
+        // - script_sig should be empty
+        // - witness should contain [signature, witness_script]
+        assert!(script_sig.is_empty(), "P2WSH script_sig should be empty");
+        assert_eq!(witness.len(), 2, "P2WSH witness should have 2 elements (sig + witness_script)");
+        assert_eq!(
+            witness.last().unwrap(),
+            &witness_script.into_bytes(),
+            "Last witness element should be the witness script"
+        );
+    }
+
+    #[test]
+    fn test_plan_satisfy_sh_wsh() {
+        use std::collections::BTreeMap;
+
+        use bitcoin::secp256k1::{self, Secp256k1};
+
+        let secp = Secp256k1::new();
+        let sk =
+            secp256k1::SecretKey::from_slice(&b"sally was a secret key, she said"[..]).unwrap();
+        let pk = bitcoin::PublicKey::new(secp256k1::PublicKey::from_secret_key(&secp, &sk));
+        let msg = secp256k1::Message::from_digest_slice(&b"michael was a message, amusingly"[..])
+            .expect("32 bytes");
+        let sig = secp.sign_ecdsa(&msg, &sk);
+        let ecdsa_sig = bitcoin::ecdsa::Signature {
+            signature: sig,
+            sighash_type: bitcoin::sighash::EcdsaSighashType::All,
+        };
+
+        // Create a sh(wsh(pk(key))) descriptor
+        let desc_str = format!("sh(wsh(pk({})))", pk);
+        let desc = Descriptor::<DefiniteDescriptorKey>::from_str(&desc_str).unwrap();
+
+        // Get the witness script (inner script of the wsh)
+        let witness_script = desc.explicit_script().expect("sh-wsh has explicit script");
+
+        // Create the DefiniteDescriptorKey for the satisfier and DescriptorPublicKey for assets
+        let pk_str = pk.to_string();
+        let definite_key = DefiniteDescriptorKey::from_str(&pk_str).unwrap();
+        let descriptor_key = DescriptorPublicKey::from_str(&pk_str).unwrap();
+
+        let mut sig_map: BTreeMap<DefiniteDescriptorKey, bitcoin::ecdsa::Signature> =
+            BTreeMap::new();
+        sig_map.insert(definite_key, ecdsa_sig);
+
+        let assets = Assets::new().add(descriptor_key);
+        let plan = desc.plan(&assets).expect("plan should succeed");
+
+        let (witness, script_sig) = plan.satisfy(&sig_map).expect("satisfy should succeed");
+
+        // For P2SH-P2WSH:
+        // - script_sig should contain the P2WSH script (witness script hash)
+        // - witness should contain [signature, witness_script]
+        assert!(!script_sig.is_empty(), "P2SH-P2WSH script_sig should not be empty");
+        assert_eq!(
+            witness.len(),
+            2,
+            "P2SH-P2WSH witness should have 2 elements (sig + witness_script)"
+        );
+        assert_eq!(
+            witness.last().unwrap(),
+            &witness_script.into_bytes(),
+            "Last witness element should be the witness script"
+        );
+    }
 }
