Bitcoin Core 30.99.0
P2P Digital Currency
script_tests.cpp
Go to the documentation of this file.
1// Copyright (c) 2011-present The Bitcoin Core developers
2// Distributed under the MIT software license, see the accompanying
3// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5#include <test/data/script_tests.json.h>
6#include <test/data/bip341_wallet_vectors.json.h>
7
8#include <common/system.h>
9#include <core_io.h>
10#include <key.h>
11#include <rpc/util.h>
12#include <script/interpreter.h>
13#include <script/script.h>
14#include <script/script_error.h>
15#include <script/sigcache.h>
16#include <script/sign.h>
18#include <script/solver.h>
19#include <streams.h>
20#include <test/util/json.h>
21#include <test/util/random.h>
24#include <util/fs.h>
25#include <util/strencodings.h>
26#include <util/string.h>
27
28#include <cstdint>
29#include <fstream>
30#include <string>
31#include <vector>
32
33#include <boost/test/unit_test.hpp>
34
35#include <secp256k1.h>
36#include <univalue.h>
37
38// Uncomment if you want to output updated JSON tests.
39// #define UPDATE_JSON_TESTS
40
41using namespace util::hex_literals;
42
44
45script_verify_flags ParseScriptFlags(std::string strFlags);
46
48{
50 const char *name;
51};
52
54 {SCRIPT_ERR_OK, "OK"},
55 {SCRIPT_ERR_UNKNOWN_ERROR, "UNKNOWN_ERROR"},
56 {SCRIPT_ERR_EVAL_FALSE, "EVAL_FALSE"},
57 {SCRIPT_ERR_OP_RETURN, "OP_RETURN"},
58 {SCRIPT_ERR_SCRIPT_SIZE, "SCRIPT_SIZE"},
59 {SCRIPT_ERR_PUSH_SIZE, "PUSH_SIZE"},
60 {SCRIPT_ERR_OP_COUNT, "OP_COUNT"},
61 {SCRIPT_ERR_STACK_SIZE, "STACK_SIZE"},
62 {SCRIPT_ERR_SIG_COUNT, "SIG_COUNT"},
63 {SCRIPT_ERR_PUBKEY_COUNT, "PUBKEY_COUNT"},
64 {SCRIPT_ERR_VERIFY, "VERIFY"},
65 {SCRIPT_ERR_EQUALVERIFY, "EQUALVERIFY"},
66 {SCRIPT_ERR_CHECKMULTISIGVERIFY, "CHECKMULTISIGVERIFY"},
67 {SCRIPT_ERR_CHECKSIGVERIFY, "CHECKSIGVERIFY"},
68 {SCRIPT_ERR_NUMEQUALVERIFY, "NUMEQUALVERIFY"},
69 {SCRIPT_ERR_BAD_OPCODE, "BAD_OPCODE"},
70 {SCRIPT_ERR_DISABLED_OPCODE, "DISABLED_OPCODE"},
71 {SCRIPT_ERR_INVALID_STACK_OPERATION, "INVALID_STACK_OPERATION"},
72 {SCRIPT_ERR_INVALID_ALTSTACK_OPERATION, "INVALID_ALTSTACK_OPERATION"},
73 {SCRIPT_ERR_UNBALANCED_CONDITIONAL, "UNBALANCED_CONDITIONAL"},
74 {SCRIPT_ERR_NEGATIVE_LOCKTIME, "NEGATIVE_LOCKTIME"},
75 {SCRIPT_ERR_UNSATISFIED_LOCKTIME, "UNSATISFIED_LOCKTIME"},
76 {SCRIPT_ERR_SIG_HASHTYPE, "SIG_HASHTYPE"},
77 {SCRIPT_ERR_SIG_DER, "SIG_DER"},
78 {SCRIPT_ERR_MINIMALDATA, "MINIMALDATA"},
79 {SCRIPT_ERR_SIG_PUSHONLY, "SIG_PUSHONLY"},
80 {SCRIPT_ERR_SIG_HIGH_S, "SIG_HIGH_S"},
81 {SCRIPT_ERR_SIG_NULLDUMMY, "SIG_NULLDUMMY"},
82 {SCRIPT_ERR_PUBKEYTYPE, "PUBKEYTYPE"},
83 {SCRIPT_ERR_CLEANSTACK, "CLEANSTACK"},
84 {SCRIPT_ERR_MINIMALIF, "MINIMALIF"},
85 {SCRIPT_ERR_SIG_NULLFAIL, "NULLFAIL"},
86 {SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS, "DISCOURAGE_UPGRADABLE_NOPS"},
87 {SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM, "DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM"},
88 {SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH, "WITNESS_PROGRAM_WRONG_LENGTH"},
89 {SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY, "WITNESS_PROGRAM_WITNESS_EMPTY"},
90 {SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH, "WITNESS_PROGRAM_MISMATCH"},
91 {SCRIPT_ERR_WITNESS_MALLEATED, "WITNESS_MALLEATED"},
92 {SCRIPT_ERR_WITNESS_MALLEATED_P2SH, "WITNESS_MALLEATED_P2SH"},
93 {SCRIPT_ERR_WITNESS_UNEXPECTED, "WITNESS_UNEXPECTED"},
94 {SCRIPT_ERR_WITNESS_PUBKEYTYPE, "WITNESS_PUBKEYTYPE"},
95 {SCRIPT_ERR_OP_CODESEPARATOR, "OP_CODESEPARATOR"},
96 {SCRIPT_ERR_SIG_FINDANDDELETE, "SIG_FINDANDDELETE"},
97};
98
100{
101 return util::Join(GetScriptFlagNames(flags), ",");
102}
103
104static std::string FormatScriptError(ScriptError_t err)
105{
106 for (const auto& se : script_errors)
107 if (se.err == err)
108 return se.name;
109 BOOST_ERROR("Unknown scripterror enumeration value, update script_errors in script_tests.cpp.");
110 return "";
111}
112
113static ScriptError_t ParseScriptError(const std::string& name)
114{
115 for (const auto& se : script_errors)
116 if (se.name == name)
117 return se.err;
118 BOOST_ERROR("Unknown scripterror \"" << name << "\" in test description");
120}
121
123void DoTest(const CScript& scriptPubKey, const CScript& scriptSig, const CScriptWitness& scriptWitness, script_verify_flags flags, const std::string& message, int scriptError, CAmount nValue = 0)
124{
125 bool expect = (scriptError == SCRIPT_ERR_OK);
129 }
130 ScriptError err;
131 const CTransaction txCredit{BuildCreditingTransaction(scriptPubKey, nValue)};
132 CMutableTransaction tx = BuildSpendingTransaction(scriptSig, scriptWitness, txCredit);
133 BOOST_CHECK_MESSAGE(VerifyScript(scriptSig, scriptPubKey, &scriptWitness, flags, MutableTransactionSignatureChecker(&tx, 0, txCredit.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err) == expect, message);
134 BOOST_CHECK_MESSAGE(err == scriptError, FormatScriptError(err) + " where " + FormatScriptError((ScriptError_t)scriptError) + " expected: " + message);
135
136 // Verify that removing flags from a passing test or adding flags to a failing test does not change the result.
137 for (int i = 0; i < 256; ++i) {
139 script_verify_flags combined_flags{expect ? (flags & ~extra_flags) : (flags | extra_flags)};
140 // Weed out some invalid flag combinations.
141 if (combined_flags & SCRIPT_VERIFY_CLEANSTACK && ~combined_flags & (SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS)) continue;
142 if (combined_flags & SCRIPT_VERIFY_WITNESS && ~combined_flags & SCRIPT_VERIFY_P2SH) continue;
143 BOOST_CHECK_MESSAGE(VerifyScript(scriptSig, scriptPubKey, &scriptWitness, combined_flags, MutableTransactionSignatureChecker(&tx, 0, txCredit.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err) == expect, message + strprintf(" (with flags %x)", combined_flags.as_int()));
144 }
145}
146}; // struct ScriptTest
147
148void static NegateSignatureS(std::vector<unsigned char>& vchSig) {
149 // Parse the signature.
150 std::vector<unsigned char> r, s;
151 r = std::vector<unsigned char>(vchSig.begin() + 4, vchSig.begin() + 4 + vchSig[3]);
152 s = std::vector<unsigned char>(vchSig.begin() + 6 + vchSig[3], vchSig.begin() + 6 + vchSig[3] + vchSig[5 + vchSig[3]]);
153
154 while (s.size() < 33) {
155 s.insert(s.begin(), 0x00);
156 }
157 assert(s[0] == 0);
158 // Perform mod-n negation of s by (ab)using libsecp256k1
159 // (note that this function is meant to be used for negating secret keys,
160 // but it works for any non-zero scalar modulo the group order, i.e. also for s)
162 assert(ret);
163
164 if (s[1] < 0x80) {
165 s.erase(s.begin());
166 }
167
168 // Reconstruct the signature.
169 vchSig.clear();
170 vchSig.push_back(0x30);
171 vchSig.push_back(4 + r.size() + s.size());
172 vchSig.push_back(0x02);
173 vchSig.push_back(r.size());
174 vchSig.insert(vchSig.end(), r.begin(), r.end());
175 vchSig.push_back(0x02);
176 vchSig.push_back(s.size());
177 vchSig.insert(vchSig.end(), s.begin(), s.end());
178}
179
180namespace
181{
182const unsigned char vchKey0[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
183const unsigned char vchKey1[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0};
184const unsigned char vchKey2[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0};
185
186struct KeyData
187{
188 CKey key0, key0C, key1, key1C, key2, key2C;
189 CPubKey pubkey0, pubkey0C, pubkey0H;
190 CPubKey pubkey1, pubkey1C;
191 CPubKey pubkey2, pubkey2C;
192
193 KeyData()
194 {
195 key0.Set(vchKey0, vchKey0 + 32, false);
196 key0C.Set(vchKey0, vchKey0 + 32, true);
197 pubkey0 = key0.GetPubKey();
198 pubkey0H = key0.GetPubKey();
199 pubkey0C = key0C.GetPubKey();
200 *const_cast<unsigned char*>(pubkey0H.data()) = 0x06 | (pubkey0H[64] & 1);
201
202 key1.Set(vchKey1, vchKey1 + 32, false);
203 key1C.Set(vchKey1, vchKey1 + 32, true);
204 pubkey1 = key1.GetPubKey();
205 pubkey1C = key1C.GetPubKey();
206
207 key2.Set(vchKey2, vchKey2 + 32, false);
208 key2C.Set(vchKey2, vchKey2 + 32, true);
209 pubkey2 = key2.GetPubKey();
210 pubkey2C = key2C.GetPubKey();
211 }
212};
213
214enum class WitnessMode {
215 NONE,
216 PKH,
217 SH
218};
219
220class TestBuilder
221{
222private:
226 CScript redeemscript;
228 CScript witscript;
229 CScriptWitness scriptWitness;
230 CTransactionRef creditTx;
231 CMutableTransaction spendTx;
232 bool havePush{false};
233 std::vector<unsigned char> push;
234 std::string comment;
236 int scriptError{SCRIPT_ERR_OK};
237 CAmount nValue;
238
239 void DoPush()
240 {
241 if (havePush) {
242 spendTx.vin[0].scriptSig << push;
243 havePush = false;
244 }
245 }
246
247 void DoPush(const std::vector<unsigned char>& data)
248 {
249 DoPush();
250 push = data;
251 havePush = true;
252 }
253
254public:
255 TestBuilder(const CScript& script_, const std::string& comment_, script_verify_flags flags_, bool P2SH = false, WitnessMode wm = WitnessMode::NONE, int witnessversion = 0, CAmount nValue_ = 0) : script(script_), comment(comment_), flags(flags_), nValue(nValue_)
256 {
257 CScript scriptPubKey = script;
258 if (wm == WitnessMode::PKH) {
259 uint160 hash;
260 CHash160().Write(std::span{script}.subspan(1)).Finalize(hash);
262 scriptPubKey = CScript() << witnessversion << ToByteVector(hash);
263 } else if (wm == WitnessMode::SH) {
264 witscript = scriptPubKey;
265 uint256 hash;
266 CSHA256().Write(witscript.data(), witscript.size()).Finalize(hash.begin());
267 scriptPubKey = CScript() << witnessversion << ToByteVector(hash);
268 }
269 if (P2SH) {
270 redeemscript = scriptPubKey;
271 scriptPubKey = CScript() << OP_HASH160 << ToByteVector(CScriptID(redeemscript)) << OP_EQUAL;
272 }
273 creditTx = MakeTransactionRef(BuildCreditingTransaction(scriptPubKey, nValue));
274 spendTx = BuildSpendingTransaction(CScript(), CScriptWitness(), *creditTx);
275 }
276
277 TestBuilder& ScriptError(ScriptError_t err)
278 {
279 scriptError = err;
280 return *this;
281 }
282
283 TestBuilder& Opcode(const opcodetype& _op)
284 {
285 DoPush();
286 spendTx.vin[0].scriptSig << _op;
287 return *this;
288 }
289
290 TestBuilder& Num(int num)
291 {
292 DoPush();
293 spendTx.vin[0].scriptSig << num;
294 return *this;
295 }
296
297 TestBuilder& Push(const std::string& hex)
298 {
299 DoPush(ParseHex(hex));
300 return *this;
301 }
302
303 TestBuilder& Push(const CScript& _script)
304 {
305 DoPush(std::vector<unsigned char>(_script.begin(), _script.end()));
306 return *this;
307 }
308
309 TestBuilder& PushSig(const CKey& key, int nHashType = SIGHASH_ALL, unsigned int lenR = 32, unsigned int lenS = 32, SigVersion sigversion = SigVersion::BASE, CAmount amount = 0)
310 {
311 uint256 hash = SignatureHash(script, spendTx, 0, nHashType, amount, sigversion);
312 std::vector<unsigned char> vchSig, r, s;
313 uint32_t iter = 0;
314 do {
315 key.Sign(hash, vchSig, false, iter++);
316 if ((lenS == 33) != (vchSig[5 + vchSig[3]] == 33)) {
317 NegateSignatureS(vchSig);
318 }
319 r = std::vector<unsigned char>(vchSig.begin() + 4, vchSig.begin() + 4 + vchSig[3]);
320 s = std::vector<unsigned char>(vchSig.begin() + 6 + vchSig[3], vchSig.begin() + 6 + vchSig[3] + vchSig[5 + vchSig[3]]);
321 } while (lenR != r.size() || lenS != s.size());
322 vchSig.push_back(static_cast<unsigned char>(nHashType));
323 DoPush(vchSig);
324 return *this;
325 }
326
327 TestBuilder& PushWitSig(const CKey& key, CAmount amount = -1, int nHashType = SIGHASH_ALL, unsigned int lenR = 32, unsigned int lenS = 32, SigVersion sigversion = SigVersion::WITNESS_V0)
328 {
329 if (amount == -1)
330 amount = nValue;
331 return PushSig(key, nHashType, lenR, lenS, sigversion, amount).AsWit();
332 }
333
334 TestBuilder& Push(const CPubKey& pubkey)
335 {
336 DoPush(std::vector<unsigned char>(pubkey.begin(), pubkey.end()));
337 return *this;
338 }
339
340 TestBuilder& PushRedeem()
341 {
342 DoPush(std::vector<unsigned char>(redeemscript.begin(), redeemscript.end()));
343 return *this;
344 }
345
346 TestBuilder& PushWitRedeem()
347 {
348 DoPush(std::vector<unsigned char>(witscript.begin(), witscript.end()));
349 return AsWit();
350 }
351
352 TestBuilder& EditPush(unsigned int pos, const std::string& hexin, const std::string& hexout)
353 {
354 assert(havePush);
355 std::vector<unsigned char> datain = ParseHex(hexin);
356 std::vector<unsigned char> dataout = ParseHex(hexout);
357 assert(pos + datain.size() <= push.size());
358 BOOST_CHECK_MESSAGE(std::vector<unsigned char>(push.begin() + pos, push.begin() + pos + datain.size()) == datain, comment);
359 push.erase(push.begin() + pos, push.begin() + pos + datain.size());
360 push.insert(push.begin() + pos, dataout.begin(), dataout.end());
361 return *this;
362 }
363
364 TestBuilder& DamagePush(unsigned int pos)
365 {
366 assert(havePush);
367 assert(pos < push.size());
368 push[pos] ^= 1;
369 return *this;
370 }
371
372 TestBuilder& Test(ScriptTest& test)
373 {
374 TestBuilder copy = *this; // Make a copy so we can rollback the push.
375 DoPush();
376 test.DoTest(creditTx->vout[0].scriptPubKey, spendTx.vin[0].scriptSig, scriptWitness, flags, comment, scriptError, nValue);
377 *this = copy;
378 return *this;
379 }
380
381 TestBuilder& AsWit()
382 {
383 assert(havePush);
384 scriptWitness.stack.push_back(push);
385 havePush = false;
386 return *this;
387 }
388
389 UniValue GetJSON()
390 {
391 DoPush();
393 if (!scriptWitness.stack.empty()) {
395 for (unsigned i = 0; i < scriptWitness.stack.size(); i++) {
396 wit.push_back(HexStr(scriptWitness.stack[i]));
397 }
398 wit.push_back(ValueFromAmount(nValue));
399 array.push_back(std::move(wit));
400 }
401 array.push_back(FormatScript(spendTx.vin[0].scriptSig));
402 array.push_back(FormatScript(creditTx->vout[0].scriptPubKey));
403 array.push_back(FormatScriptFlags(flags));
404 array.push_back(FormatScriptError((ScriptError_t)scriptError));
405 array.push_back(comment);
406 return array;
407 }
408
409 std::string GetComment() const
410 {
411 return comment;
412 }
413};
414
415std::string JSONPrettyPrint(const UniValue& univalue)
416{
417 std::string ret = univalue.write(4);
418 // Workaround for libunivalue pretty printer, which puts a space between commas and newlines
419 size_t pos = 0;
420 while ((pos = ret.find(" \n", pos)) != std::string::npos) {
421 ret.replace(pos, 2, "\n");
422 pos++;
423 }
424 return ret;
425}
426} // namespace
427
429
431{
432 const KeyData keys;
433
434 std::vector<TestBuilder> tests;
435
436 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
437 "P2PK", 0
438 ).PushSig(keys.key0));
439 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
440 "P2PK, bad sig", 0
441 ).PushSig(keys.key0).DamagePush(10).ScriptError(SCRIPT_ERR_EVAL_FALSE));
442
443 tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1C.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
444 "P2PKH", 0
445 ).PushSig(keys.key1).Push(keys.pubkey1C));
446 tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey2C.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
447 "P2PKH, bad pubkey", 0
448 ).PushSig(keys.key2).Push(keys.pubkey2C).DamagePush(5).ScriptError(SCRIPT_ERR_EQUALVERIFY));
449
450 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
451 "P2PK anyonecanpay", 0
452 ).PushSig(keys.key1, SIGHASH_ALL | SIGHASH_ANYONECANPAY));
453 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
454 "P2PK anyonecanpay marked with normal hashtype", 0
455 ).PushSig(keys.key1, SIGHASH_ALL | SIGHASH_ANYONECANPAY).EditPush(70, "81", "01").ScriptError(SCRIPT_ERR_EVAL_FALSE));
456
457 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
458 "P2SH(P2PK)", SCRIPT_VERIFY_P2SH, true
459 ).PushSig(keys.key0).PushRedeem());
460 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
461 "P2SH(P2PK), bad redeemscript", SCRIPT_VERIFY_P2SH, true
462 ).PushSig(keys.key0).PushRedeem().DamagePush(10).ScriptError(SCRIPT_ERR_EVAL_FALSE));
463
464 tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey0.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
465 "P2SH(P2PKH)", SCRIPT_VERIFY_P2SH, true
466 ).PushSig(keys.key0).Push(keys.pubkey0).PushRedeem());
467 tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
468 "P2SH(P2PKH), bad sig but no VERIFY_P2SH", 0, true
469 ).PushSig(keys.key0).DamagePush(10).PushRedeem());
470 tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
471 "P2SH(P2PKH), bad sig", SCRIPT_VERIFY_P2SH, true
472 ).PushSig(keys.key0).DamagePush(10).PushRedeem().ScriptError(SCRIPT_ERR_EQUALVERIFY));
473
474 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
475 "3-of-3", 0
476 ).Num(0).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2));
477 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
478 "3-of-3, 2 sigs", 0
479 ).Num(0).PushSig(keys.key0).PushSig(keys.key1).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
480
481 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
482 "P2SH(2-of-3)", SCRIPT_VERIFY_P2SH, true
483 ).Num(0).PushSig(keys.key1).PushSig(keys.key2).PushRedeem());
484 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
485 "P2SH(2-of-3), 1 sig", SCRIPT_VERIFY_P2SH, true
486 ).Num(0).PushSig(keys.key1).Num(0).PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
487
488 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
489 "P2PK with too much R padding but no DERSIG", 0
490 ).PushSig(keys.key1, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000"));
491 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
492 "P2PK with too much R padding", SCRIPT_VERIFY_DERSIG
493 ).PushSig(keys.key1, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_SIG_DER));
494 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
495 "P2PK with too much S padding but no DERSIG", 0
496 ).PushSig(keys.key1, SIGHASH_ALL).EditPush(1, "44", "45").EditPush(37, "20", "2100"));
497 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
498 "P2PK with too much S padding", SCRIPT_VERIFY_DERSIG
499 ).PushSig(keys.key1, SIGHASH_ALL).EditPush(1, "44", "45").EditPush(37, "20", "2100").ScriptError(SCRIPT_ERR_SIG_DER));
500 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
501 "P2PK with too little R padding but no DERSIG", 0
502 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
503 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
504 "P2PK with too little R padding", SCRIPT_VERIFY_DERSIG
505 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
506 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
507 "P2PK NOT with bad sig with too much R padding but no DERSIG", 0
508 ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").DamagePush(10));
509 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
510 "P2PK NOT with bad sig with too much R padding", SCRIPT_VERIFY_DERSIG
511 ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").DamagePush(10).ScriptError(SCRIPT_ERR_SIG_DER));
512 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
513 "P2PK NOT with too much R padding but no DERSIG", 0
514 ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_EVAL_FALSE));
515 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
516 "P2PK NOT with too much R padding", SCRIPT_VERIFY_DERSIG
517 ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_SIG_DER));
518
519 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
520 "BIP66 example 1, without DERSIG", 0
521 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
522 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
523 "BIP66 example 1, with DERSIG", SCRIPT_VERIFY_DERSIG
524 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
525 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
526 "BIP66 example 2, without DERSIG", 0
527 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_EVAL_FALSE));
528 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
529 "BIP66 example 2, with DERSIG", SCRIPT_VERIFY_DERSIG
530 ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
531 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
532 "BIP66 example 3, without DERSIG", 0
533 ).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
534 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
535 "BIP66 example 3, with DERSIG", SCRIPT_VERIFY_DERSIG
536 ).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
537 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
538 "BIP66 example 4, without DERSIG", 0
539 ).Num(0));
540 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
541 "BIP66 example 4, with DERSIG", SCRIPT_VERIFY_DERSIG
542 ).Num(0));
543 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
544 "BIP66 example 5, without DERSIG", 0
545 ).Num(1).ScriptError(SCRIPT_ERR_EVAL_FALSE));
546 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
547 "BIP66 example 5, with DERSIG", SCRIPT_VERIFY_DERSIG
548 ).Num(1).ScriptError(SCRIPT_ERR_SIG_DER));
549 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
550 "BIP66 example 6, without DERSIG", 0
551 ).Num(1));
552 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
553 "BIP66 example 6, with DERSIG", SCRIPT_VERIFY_DERSIG
554 ).Num(1).ScriptError(SCRIPT_ERR_SIG_DER));
555 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
556 "BIP66 example 7, without DERSIG", 0
557 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2));
558 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
559 "BIP66 example 7, with DERSIG", SCRIPT_VERIFY_DERSIG
560 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_DER));
561 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
562 "BIP66 example 8, without DERSIG", 0
563 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_EVAL_FALSE));
564 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
565 "BIP66 example 8, with DERSIG", SCRIPT_VERIFY_DERSIG
566 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_DER));
567 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
568 "BIP66 example 9, without DERSIG", 0
569 ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_EVAL_FALSE));
570 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
571 "BIP66 example 9, with DERSIG", SCRIPT_VERIFY_DERSIG
572 ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
573 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
574 "BIP66 example 10, without DERSIG", 0
575 ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
576 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
577 "BIP66 example 10, with DERSIG", SCRIPT_VERIFY_DERSIG
578 ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
579 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
580 "BIP66 example 11, without DERSIG", 0
581 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
582 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
583 "BIP66 example 11, with DERSIG", SCRIPT_VERIFY_DERSIG
584 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
585 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
586 "BIP66 example 12, without DERSIG", 0
587 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0));
588 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
589 "BIP66 example 12, with DERSIG", SCRIPT_VERIFY_DERSIG
590 ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0));
591 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
592 "P2PK with multi-byte hashtype, without DERSIG", 0
593 ).PushSig(keys.key2, SIGHASH_ALL).EditPush(70, "01", "0101"));
594 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
595 "P2PK with multi-byte hashtype, with DERSIG", SCRIPT_VERIFY_DERSIG
596 ).PushSig(keys.key2, SIGHASH_ALL).EditPush(70, "01", "0101").ScriptError(SCRIPT_ERR_SIG_DER));
597
598 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
599 "P2PK with high S but no LOW_S", 0
600 ).PushSig(keys.key2, SIGHASH_ALL, 32, 33));
601 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
602 "P2PK with high S", SCRIPT_VERIFY_LOW_S
603 ).PushSig(keys.key2, SIGHASH_ALL, 32, 33).ScriptError(SCRIPT_ERR_SIG_HIGH_S));
604
605 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG,
606 "P2PK with hybrid pubkey but no STRICTENC", 0
607 ).PushSig(keys.key0, SIGHASH_ALL));
608 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG,
609 "P2PK with hybrid pubkey", SCRIPT_VERIFY_STRICTENC
610 ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
611 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
612 "P2PK NOT with hybrid pubkey but no STRICTENC", 0
613 ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_EVAL_FALSE));
614 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
615 "P2PK NOT with hybrid pubkey", SCRIPT_VERIFY_STRICTENC
616 ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
617 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
618 "P2PK NOT with invalid hybrid pubkey but no STRICTENC", 0
619 ).PushSig(keys.key0, SIGHASH_ALL).DamagePush(10));
620 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
621 "P2PK NOT with invalid hybrid pubkey", SCRIPT_VERIFY_STRICTENC
622 ).PushSig(keys.key0, SIGHASH_ALL).DamagePush(10).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
623 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey0H) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
624 "1-of-2 with the second 1 hybrid pubkey and no STRICTENC", 0
625 ).Num(0).PushSig(keys.key1, SIGHASH_ALL));
626 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey0H) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
627 "1-of-2 with the second 1 hybrid pubkey", SCRIPT_VERIFY_STRICTENC
628 ).Num(0).PushSig(keys.key1, SIGHASH_ALL));
629 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0H) << OP_2 << OP_CHECKMULTISIG,
630 "1-of-2 with the first 1 hybrid pubkey", SCRIPT_VERIFY_STRICTENC
631 ).Num(0).PushSig(keys.key1, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
632
633 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
634 "P2PK with undefined hashtype but no STRICTENC", 0
635 ).PushSig(keys.key1, 5));
636 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
637 "P2PK with undefined hashtype", SCRIPT_VERIFY_STRICTENC
638 ).PushSig(keys.key1, 5).ScriptError(SCRIPT_ERR_SIG_HASHTYPE));
639 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG << OP_NOT,
640 "P2PK NOT with invalid sig and undefined hashtype but no STRICTENC", 0
641 ).PushSig(keys.key1, 5).DamagePush(10));
642 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG << OP_NOT,
643 "P2PK NOT with invalid sig and undefined hashtype", SCRIPT_VERIFY_STRICTENC
644 ).PushSig(keys.key1, 5).DamagePush(10).ScriptError(SCRIPT_ERR_SIG_HASHTYPE));
645
646 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
647 "3-of-3 with nonzero dummy but no NULLDUMMY", 0
648 ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2));
649 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
650 "3-of-3 with nonzero dummy", SCRIPT_VERIFY_NULLDUMMY
651 ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_NULLDUMMY));
652 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG << OP_NOT,
653 "3-of-3 NOT with invalid sig and nonzero dummy but no NULLDUMMY", 0
654 ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).DamagePush(10));
655 tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG << OP_NOT,
656 "3-of-3 NOT with invalid sig with nonzero dummy", SCRIPT_VERIFY_NULLDUMMY
657 ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).DamagePush(10).ScriptError(SCRIPT_ERR_SIG_NULLDUMMY));
658
659 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
660 "2-of-2 with two identical keys and sigs pushed using OP_DUP but no SIGPUSHONLY", 0
661 ).Num(0).PushSig(keys.key1).Opcode(OP_DUP));
662 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
663 "2-of-2 with two identical keys and sigs pushed using OP_DUP", SCRIPT_VERIFY_SIGPUSHONLY
664 ).Num(0).PushSig(keys.key1).Opcode(OP_DUP).ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
665 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
666 "P2SH(P2PK) with non-push scriptSig but no P2SH or SIGPUSHONLY", 0, true
667 ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem());
668 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
669 "P2PK with non-push scriptSig but with P2SH validation", 0
670 ).PushSig(keys.key2).Opcode(OP_NOP8));
671 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
672 "P2SH(P2PK) with non-push scriptSig but no SIGPUSHONLY", SCRIPT_VERIFY_P2SH, true
673 ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem().ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
674 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
675 "P2SH(P2PK) with non-push scriptSig but not P2SH", SCRIPT_VERIFY_SIGPUSHONLY, true
676 ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem().ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
677 tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
678 "2-of-2 with two identical keys and sigs pushed", SCRIPT_VERIFY_SIGPUSHONLY
679 ).Num(0).PushSig(keys.key1).PushSig(keys.key1));
680 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
681 "P2PK with unnecessary input but no CLEANSTACK", SCRIPT_VERIFY_P2SH
682 ).Num(11).PushSig(keys.key0));
683 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
684 "P2PK with unnecessary input", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH
685 ).Num(11).PushSig(keys.key0).ScriptError(SCRIPT_ERR_CLEANSTACK));
686 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
687 "P2SH with unnecessary input but no CLEANSTACK", SCRIPT_VERIFY_P2SH, true
688 ).Num(11).PushSig(keys.key0).PushRedeem());
689 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
690 "P2SH with unnecessary input", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH, true
691 ).Num(11).PushSig(keys.key0).PushRedeem().ScriptError(SCRIPT_ERR_CLEANSTACK));
692 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
693 "P2SH with CLEANSTACK", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH, true
694 ).PushSig(keys.key0).PushRedeem());
695
696 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
697 "Basic P2WSH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
698 0, 1).PushWitSig(keys.key0).PushWitRedeem());
699 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
700 "Basic P2WPKH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH,
701 0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit());
702 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
703 "Basic P2SH(P2WSH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
704 0, 1).PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
705 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
706 "Basic P2SH(P2WPKH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH,
707 0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().PushRedeem());
708 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
709 "Basic P2WSH with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
710 ).PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
711 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
712 "Basic P2WPKH with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
713 ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().ScriptError(SCRIPT_ERR_EVAL_FALSE));
714 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
715 "Basic P2SH(P2WSH) with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH
716 ).PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
717 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
718 "Basic P2SH(P2WPKH) with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
719 ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
720 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
721 "Basic P2WSH with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
722 ).PushWitSig(keys.key0).PushWitRedeem());
723 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
724 "Basic P2WPKH with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
725 ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit());
726 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
727 "Basic P2SH(P2WSH) with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, true, WitnessMode::SH
728 ).PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
729 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
730 "Basic P2SH(P2WPKH) with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
731 ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().PushRedeem());
732 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
733 "Basic P2WSH with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
734 0, 0).PushWitSig(keys.key0, 1).PushWitRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
735 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
736 "Basic P2WPKH with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH,
737 0, 0).PushWitSig(keys.key0, 1).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_EVAL_FALSE));
738 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
739 "Basic P2SH(P2WSH) with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
740 0, 0).PushWitSig(keys.key0, 1).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
741 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
742 "Basic P2SH(P2WPKH) with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH,
743 0, 0).PushWitSig(keys.key0, 1).Push(keys.pubkey0).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
744
745 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
746 "P2WPKH with future witness version", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH |
748 ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM));
749 {
750 CScript witscript = CScript() << ToByteVector(keys.pubkey0);
751 uint256 hash;
752 CSHA256().Write(witscript.data(), witscript.size()).Finalize(hash.begin());
753 std::vector<unsigned char> hashBytes = ToByteVector(hash);
754 hashBytes.pop_back();
755 tests.push_back(TestBuilder(CScript() << OP_0 << hashBytes,
756 "P2WPKH with wrong witness program length", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false
757 ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH));
758 }
759 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
760 "P2WSH with empty witness", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
762 {
763 CScript witscript = CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG;
764 tests.push_back(TestBuilder(witscript,
765 "P2WSH with witness program mismatch", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
766 ).PushWitSig(keys.key0).Push(witscript).DamagePush(0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH));
767 }
768 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
769 "P2WPKH with witness program mismatch", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
770 ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().Push("0").AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH));
771 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
772 "P2WPKH with non-empty scriptSig", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
773 ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().Num(11).ScriptError(SCRIPT_ERR_WITNESS_MALLEATED));
774 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
775 "P2SH(P2WPKH) with superfluous push in scriptSig", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
776 ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().Num(11).PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_MALLEATED_P2SH));
777 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
778 "P2PK with witness", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH
779 ).PushSig(keys.key0).Push("0").AsWit().ScriptError(SCRIPT_ERR_WITNESS_UNEXPECTED));
780
781 // Compressed keys should pass SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
782 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
783 "Basic P2WSH with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
784 0, 1).PushWitSig(keys.key0C).PushWitRedeem());
785 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C),
786 "Basic P2WPKH with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::PKH,
787 0, 1).PushWitSig(keys.key0C).Push(keys.pubkey0C).AsWit());
788 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
789 "Basic P2SH(P2WSH) with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
790 0, 1).PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
791 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C),
792 "Basic P2SH(P2WPKH) with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::PKH,
793 0, 1).PushWitSig(keys.key0C).Push(keys.pubkey0C).AsWit().PushRedeem());
794
795 // Testing uncompressed key in witness with SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
796 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
797 "Basic P2WSH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
798 0, 1).PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
799 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
800 "Basic P2WPKH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::PKH,
801 0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
802 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
803 "Basic P2SH(P2WSH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
804 0, 1).PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
805 tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
806 "Basic P2SH(P2WPKH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::PKH,
807 0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
808
809 // P2WSH 1-of-2 multisig with compressed keys
810 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
811 "P2WSH CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
812 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
813 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
814 "P2SH(P2WSH) CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
815 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
816 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
817 "P2WSH CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
818 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem());
819 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
820 "P2SH(P2WSH) CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
821 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem());
822
823 // P2WSH 1-of-2 multisig with first key uncompressed
824 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
825 "P2WSH CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
826 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem());
827 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
828 "P2SH(P2WSH) CHECKMULTISIG first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
829 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
830 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
831 "P2WSH CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
832 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
833 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
834 "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
835 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
836 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
837 "P2WSH CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
838 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem());
839 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
840 "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
841 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem());
842 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
843 "P2WSH CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
844 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
845 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
846 "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
847 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
848 // P2WSH 1-of-2 multisig with second key uncompressed
849 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
850 "P2WSH CHECKMULTISIG with second key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
851 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
852 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
853 "P2SH(P2WSH) CHECKMULTISIG second key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
854 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
855 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
856 "P2WSH CHECKMULTISIG with second key uncompressed and signing with the first key should pass as the uncompressed key is not used", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
857 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
858 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
859 "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the first key should pass as the uncompressed key is not used", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
860 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
861 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
862 "P2WSH CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
863 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem());
864 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
865 "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
866 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().PushRedeem());
867 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
868 "P2WSH CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
869 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
870 tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
871 "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
872 0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
873
874 std::set<std::string> tests_set;
875
876 {
877 UniValue json_tests = read_json(json_tests::script_tests);
878
879 for (unsigned int idx = 0; idx < json_tests.size(); idx++) {
880 const UniValue& tv = json_tests[idx];
881 tests_set.insert(JSONPrettyPrint(tv.get_array()));
882 }
883 }
884
885#ifdef UPDATE_JSON_TESTS
886 std::string strGen;
887#endif
888 for (TestBuilder& test : tests) {
889 test.Test(*this);
890 std::string str = JSONPrettyPrint(test.GetJSON());
891#ifdef UPDATE_JSON_TESTS
892 strGen += str + ",\n";
893#else
894 if (tests_set.count(str) == 0) {
895 BOOST_CHECK_MESSAGE(false, "Missing auto script_valid test: " + test.GetComment());
896 }
897#endif
898 }
899
900#ifdef UPDATE_JSON_TESTS
901 FILE* file = fsbridge::fopen("script_tests.json.gen", "w");
902 fputs(strGen.c_str(), file);
903 fclose(file);
904#endif
905}
906
907BOOST_AUTO_TEST_CASE(script_json_test)
908{
909 // Read tests from test/data/script_tests.json
910 // Format is an array of arrays
911 // Inner arrays are [ ["wit"..., nValue]?, "scriptSig", "scriptPubKey", "flags", "expected_scripterror" ]
912 // ... where scriptSig and scriptPubKey are stringified
913 // scripts.
914 // If a witness is given, then the last value in the array should be the
915 // amount (nValue) to use in the crediting tx
916 UniValue tests = read_json(json_tests::script_tests);
917
918 const KeyData keys;
919 for (unsigned int idx = 0; idx < tests.size(); idx++) {
920 const UniValue& test = tests[idx];
921 std::string strTest = test.write();
922 CScriptWitness witness;
923 TaprootBuilder taprootBuilder;
924 CAmount nValue = 0;
925 unsigned int pos = 0;
926 if (test.size() > 0 && test[pos].isArray()) {
927 unsigned int i=0;
928 for (i = 0; i < test[pos].size()-1; i++) {
929 auto element = test[pos][i].get_str();
930 // We use #SCRIPT# to flag a non-hex script that we can read using ParseScript
931 // Taproot script must be third from the last element in witness stack
932 static const std::string SCRIPT_FLAG{"#SCRIPT#"};
933 if (element.starts_with(SCRIPT_FLAG)) {
934 CScript script = ParseScript(element.substr(SCRIPT_FLAG.size()));
935 witness.stack.push_back(ToByteVector(script));
936 } else if (element == "#CONTROLBLOCK#") {
937 // Taproot script control block - second from the last element in witness stack
938 // If #CONTROLBLOCK# we auto-generate the control block
939 taprootBuilder.Add(/*depth=*/0, witness.stack.back(), TAPROOT_LEAF_TAPSCRIPT, /*track=*/true);
940 taprootBuilder.Finalize(XOnlyPubKey(keys.key0.GetPubKey()));
941 auto controlblocks = taprootBuilder.GetSpendData().scripts[{witness.stack.back(), TAPROOT_LEAF_TAPSCRIPT}];
942 witness.stack.push_back(*(controlblocks.begin()));
943 } else {
944 const auto witness_value{TryParseHex<unsigned char>(element)};
945 if (!witness_value.has_value()) {
946 BOOST_ERROR("Bad witness in test: " << strTest << " witness is not hex: " << element);
947 }
948 witness.stack.push_back(witness_value.value());
949 }
950 }
951 nValue = AmountFromValue(test[pos][i]);
952 pos++;
953 }
954 if (test.size() < 4 + pos) // Allow size > 3; extra stuff ignored (useful for comments)
955 {
956 if (test.size() != 1) {
957 BOOST_ERROR("Bad test: " << strTest);
958 }
959 continue;
960 }
961 std::string scriptSigString = test[pos++].get_str();
962 CScript scriptSig = ParseScript(scriptSigString);
963 std::string scriptPubKeyString = test[pos++].get_str();
964 CScript scriptPubKey;
965 // If requested, auto-generate the taproot output
966 if (scriptPubKeyString == "0x51 0x20 #TAPROOTOUTPUT#") {
967 BOOST_CHECK_MESSAGE(taprootBuilder.IsComplete(), "Failed to autogenerate Tapscript output key");
968 scriptPubKey = CScript() << OP_1 << ToByteVector(taprootBuilder.GetOutput());
969 } else {
970 scriptPubKey = ParseScript(scriptPubKeyString);
971 }
972 script_verify_flags scriptflags = ParseScriptFlags(test[pos++].get_str());
973 int scriptError = ParseScriptError(test[pos++].get_str());
974
975 DoTest(scriptPubKey, scriptSig, witness, scriptflags, strTest, scriptError, nValue);
976 }
977}
978
979BOOST_AUTO_TEST_CASE(script_PushData)
980{
981 // Check that PUSHDATA1, PUSHDATA2, and PUSHDATA4 create the same value on
982 // the stack as the 1-75 opcodes do.
983 static const unsigned char direct[] = { 1, 0x5a };
984 static const unsigned char pushdata1[] = { OP_PUSHDATA1, 1, 0x5a };
985 static const unsigned char pushdata2[] = { OP_PUSHDATA2, 1, 0, 0x5a };
986 static const unsigned char pushdata4[] = { OP_PUSHDATA4, 1, 0, 0, 0, 0x5a };
987
988 ScriptError err;
989 std::vector<std::vector<unsigned char> > directStack;
990 BOOST_CHECK(EvalScript(directStack, CScript(direct, direct + sizeof(direct)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
991 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
992
993 std::vector<std::vector<unsigned char> > pushdata1Stack;
994 BOOST_CHECK(EvalScript(pushdata1Stack, CScript(pushdata1, pushdata1 + sizeof(pushdata1)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
995 BOOST_CHECK(pushdata1Stack == directStack);
996 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
997
998 std::vector<std::vector<unsigned char> > pushdata2Stack;
999 BOOST_CHECK(EvalScript(pushdata2Stack, CScript(pushdata2, pushdata2 + sizeof(pushdata2)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
1000 BOOST_CHECK(pushdata2Stack == directStack);
1001 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1002
1003 std::vector<std::vector<unsigned char> > pushdata4Stack;
1004 BOOST_CHECK(EvalScript(pushdata4Stack, CScript(pushdata4, pushdata4 + sizeof(pushdata4)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
1005 BOOST_CHECK(pushdata4Stack == directStack);
1006 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1007
1008 const std::vector<unsigned char> pushdata1_trunc{OP_PUSHDATA1, 1};
1009 const std::vector<unsigned char> pushdata2_trunc{OP_PUSHDATA2, 1, 0};
1010 const std::vector<unsigned char> pushdata4_trunc{OP_PUSHDATA4, 1, 0, 0, 0};
1011
1012 std::vector<std::vector<unsigned char>> stack_ignore;
1013 BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata1_trunc.begin(), pushdata1_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
1015 BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata2_trunc.begin(), pushdata2_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
1017 BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata4_trunc.begin(), pushdata4_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
1019}
1020
1021BOOST_AUTO_TEST_CASE(script_cltv_truncated)
1022{
1023 const auto script_cltv_trunc = CScript() << OP_CHECKLOCKTIMEVERIFY;
1024
1025 std::vector<std::vector<unsigned char>> stack_ignore;
1026 ScriptError err;
1029}
1030
1031static CScript
1032sign_multisig(const CScript& scriptPubKey, const std::vector<CKey>& keys, const CTransaction& transaction)
1033{
1034 uint256 hash = SignatureHash(scriptPubKey, transaction, 0, SIGHASH_ALL, 0, SigVersion::BASE);
1035
1036 CScript result;
1037 //
1038 // NOTE: CHECKMULTISIG has an unfortunate bug; it requires
1039 // one extra item on the stack, before the signatures.
1040 // Putting OP_0 on the stack is the workaround;
1041 // fixing the bug would mean splitting the block chain (old
1042 // clients would not accept new CHECKMULTISIG transactions,
1043 // and vice-versa)
1044 //
1045 result << OP_0;
1046 for (const CKey &key : keys)
1047 {
1048 std::vector<unsigned char> vchSig;
1049 BOOST_CHECK(key.Sign(hash, vchSig));
1050 vchSig.push_back((unsigned char)SIGHASH_ALL);
1051 result << vchSig;
1052 }
1053 return result;
1054}
1055static CScript
1056sign_multisig(const CScript& scriptPubKey, const CKey& key, const CTransaction& transaction)
1057{
1058 std::vector<CKey> keys;
1059 keys.push_back(key);
1060 return sign_multisig(scriptPubKey, keys, transaction);
1061}
1062
1063BOOST_AUTO_TEST_CASE(script_CHECKMULTISIG12)
1064{
1065 ScriptError err;
1066 CKey key1 = GenerateRandomKey();
1067 CKey key2 = GenerateRandomKey(/*compressed=*/false);
1068 CKey key3 = GenerateRandomKey();
1069
1070 CScript scriptPubKey12;
1071 scriptPubKey12 << OP_1 << ToByteVector(key1.GetPubKey()) << ToByteVector(key2.GetPubKey()) << OP_2 << OP_CHECKMULTISIG;
1072
1073 const CTransaction txFrom12{BuildCreditingTransaction(scriptPubKey12)};
1075
1076 CScript goodsig1 = sign_multisig(scriptPubKey12, key1, CTransaction(txTo12));
1077 BOOST_CHECK(VerifyScript(goodsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1078 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1079 txTo12.vout[0].nValue = 2;
1080 BOOST_CHECK(!VerifyScript(goodsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1081 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1082
1083 CScript goodsig2 = sign_multisig(scriptPubKey12, key2, CTransaction(txTo12));
1084 BOOST_CHECK(VerifyScript(goodsig2, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1085 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1086
1087 CScript badsig1 = sign_multisig(scriptPubKey12, key3, CTransaction(txTo12));
1088 BOOST_CHECK(!VerifyScript(badsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1089 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1090}
1091
1092BOOST_AUTO_TEST_CASE(script_CHECKMULTISIG23)
1093{
1094 ScriptError err;
1095 CKey key1 = GenerateRandomKey();
1096 CKey key2 = GenerateRandomKey(/*compressed=*/false);
1097 CKey key3 = GenerateRandomKey();
1098 CKey key4 = GenerateRandomKey(/*compressed=*/false);
1099
1100 CScript scriptPubKey23;
1101 scriptPubKey23 << OP_2 << ToByteVector(key1.GetPubKey()) << ToByteVector(key2.GetPubKey()) << ToByteVector(key3.GetPubKey()) << OP_3 << OP_CHECKMULTISIG;
1102
1103 const CTransaction txFrom23{BuildCreditingTransaction(scriptPubKey23)};
1105
1106 std::vector<CKey> keys;
1107 keys.push_back(key1); keys.push_back(key2);
1108 CScript goodsig1 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1109 BOOST_CHECK(VerifyScript(goodsig1, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1110 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1111
1112 keys.clear();
1113 keys.push_back(key1); keys.push_back(key3);
1114 CScript goodsig2 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1115 BOOST_CHECK(VerifyScript(goodsig2, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1116 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1117
1118 keys.clear();
1119 keys.push_back(key2); keys.push_back(key3);
1120 CScript goodsig3 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1121 BOOST_CHECK(VerifyScript(goodsig3, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1122 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1123
1124 keys.clear();
1125 keys.push_back(key2); keys.push_back(key2); // Can't reuse sig
1126 CScript badsig1 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1127 BOOST_CHECK(!VerifyScript(badsig1, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1128 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1129
1130 keys.clear();
1131 keys.push_back(key2); keys.push_back(key1); // sigs must be in correct order
1132 CScript badsig2 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1133 BOOST_CHECK(!VerifyScript(badsig2, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1134 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1135
1136 keys.clear();
1137 keys.push_back(key3); keys.push_back(key2); // sigs must be in correct order
1138 CScript badsig3 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1139 BOOST_CHECK(!VerifyScript(badsig3, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1140 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1141
1142 keys.clear();
1143 keys.push_back(key4); keys.push_back(key2); // sigs must match pubkeys
1144 CScript badsig4 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1145 BOOST_CHECK(!VerifyScript(badsig4, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1146 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1147
1148 keys.clear();
1149 keys.push_back(key1); keys.push_back(key4); // sigs must match pubkeys
1150 CScript badsig5 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1151 BOOST_CHECK(!VerifyScript(badsig5, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1152 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1153
1154 keys.clear(); // Must have signatures
1155 CScript badsig6 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1156 BOOST_CHECK(!VerifyScript(badsig6, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1157 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_INVALID_STACK_OPERATION, ScriptErrorString(err));
1158}
1159
1161static TxoutType GetTxoutType(const CScript& output_script)
1162{
1163 std::vector<std::vector<uint8_t>> unused;
1164 return Solver(output_script, unused);
1165}
1166
1167#define CHECK_SCRIPT_STATIC_SIZE(script, expected_size) \
1168 do { \
1169 BOOST_CHECK_EQUAL((script).size(), (expected_size)); \
1170 BOOST_CHECK_EQUAL((script).capacity(), CScriptBase::STATIC_SIZE); \
1171 BOOST_CHECK_EQUAL((script).allocated_memory(), 0); \
1172 } while (0)
1173
1174#define CHECK_SCRIPT_DYNAMIC_SIZE(script, expected_size, expected_extra) \
1175 do { \
1176 BOOST_CHECK_EQUAL((script).size(), (expected_size)); \
1177 BOOST_CHECK_EQUAL((script).capacity(), (expected_extra)); \
1178 BOOST_CHECK_EQUAL((script).allocated_memory(), (expected_extra)); \
1179 } while (0)
1180
1181BOOST_AUTO_TEST_CASE(script_size_and_capacity_test)
1182{
1184 BOOST_CHECK_EQUAL(sizeof(CScriptBase), 40);
1185 BOOST_CHECK_NE(sizeof(CScriptBase), sizeof(prevector<CScriptBase::STATIC_SIZE + 1, uint8_t>)); // CScriptBase size should be set to avoid wasting space in padding
1186 BOOST_CHECK_EQUAL(sizeof(CScript), 40);
1187 BOOST_CHECK_EQUAL(sizeof(CTxOut), 48);
1188
1189 CKey dummy_key;
1190 dummy_key.MakeNewKey(/*fCompressed=*/true);
1191 const CPubKey dummy_pubkey{dummy_key.GetPubKey()};
1192
1193 // Small OP_RETURN has direct allocation
1194 {
1195 const auto script{CScript() << OP_RETURN << std::vector<uint8_t>(10, 0xaa)};
1198 }
1199
1200 // P2WPKH has direct allocation
1201 {
1202 const auto script{GetScriptForDestination(WitnessV0KeyHash{PKHash{dummy_pubkey}})};
1205 }
1206
1207 // P2SH has direct allocation
1208 {
1210 BOOST_CHECK(script.IsPayToScriptHash());
1212 }
1213
1214 // P2PKH has direct allocation
1215 {
1216 const auto script{GetScriptForDestination(PKHash{dummy_pubkey})};
1219 }
1220
1221 // P2WSH has direct allocation
1222 {
1224 BOOST_CHECK(script.IsPayToWitnessScriptHash());
1226 }
1227
1228 // P2TR has direct allocation
1229 {
1230 const auto script{GetScriptForDestination(WitnessV1Taproot{XOnlyPubKey{dummy_pubkey}})};
1233 }
1234
1235 // Compressed P2PK has direct allocation
1236 {
1237 const auto script{GetScriptForRawPubKey(dummy_pubkey)};
1240 }
1241
1242 // Uncompressed P2PK needs extra allocation
1243 {
1244 CKey uncompressed_key;
1245 uncompressed_key.MakeNewKey(/*fCompressed=*/false);
1246 const CPubKey uncompressed_pubkey{uncompressed_key.GetPubKey()};
1247
1248 const auto script{GetScriptForRawPubKey(uncompressed_pubkey)};
1251 }
1252
1253 // Bare multisig needs extra allocation
1254 {
1255 const auto script{GetScriptForMultisig(1, std::vector{2, dummy_pubkey})};
1258 }
1259}
1260
1261/* Wrapper around ProduceSignature to combine two scriptsigs */
1262SignatureData CombineSignatures(const CTxOut& txout, const CMutableTransaction& tx, const SignatureData& scriptSig1, const SignatureData& scriptSig2)
1263{
1265 data.MergeSignatureData(scriptSig1);
1266 data.MergeSignatureData(scriptSig2);
1268 return data;
1269}
1270
1271BOOST_AUTO_TEST_CASE(script_combineSigs)
1272{
1273 // Test the ProduceSignature's ability to combine signatures function
1274 FillableSigningProvider keystore;
1275 std::vector<CKey> keys;
1276 std::vector<CPubKey> pubkeys;
1277 for (int i = 0; i < 3; i++)
1278 {
1279 CKey key = GenerateRandomKey(/*compressed=*/i%2 == 1);
1280 keys.push_back(key);
1281 pubkeys.push_back(key.GetPubKey());
1282 BOOST_CHECK(keystore.AddKey(key));
1283 }
1284
1287 CScript& scriptPubKey = txFrom.vout[0].scriptPubKey;
1288 SignatureData scriptSig;
1289
1290 SignatureData empty;
1291 SignatureData combined = CombineSignatures(txFrom.vout[0], txTo, empty, empty);
1292 BOOST_CHECK(combined.scriptSig.empty());
1293
1294 // Single signature case:
1295 SignatureData dummy;
1296 BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy)); // changes scriptSig
1297 scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1298 combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1299 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1300 combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1301 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1302 SignatureData scriptSigCopy = scriptSig;
1303 // Signing again will give a different, valid signature:
1304 SignatureData dummy_b;
1305 BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_b));
1306 scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1307 combined = CombineSignatures(txFrom.vout[0], txTo, scriptSigCopy, scriptSig);
1308 BOOST_CHECK(combined.scriptSig == scriptSigCopy.scriptSig || combined.scriptSig == scriptSig.scriptSig);
1309
1310 // P2SH, single-signature case:
1311 CScript pkSingle; pkSingle << ToByteVector(keys[0].GetPubKey()) << OP_CHECKSIG;
1312 BOOST_CHECK(keystore.AddCScript(pkSingle));
1313 scriptPubKey = GetScriptForDestination(ScriptHash(pkSingle));
1314 SignatureData dummy_c;
1315 BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_c));
1316 scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1317 combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1318 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1319 combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1320 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1321 scriptSigCopy = scriptSig;
1322 SignatureData dummy_d;
1323 BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_d));
1324 scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1325 combined = CombineSignatures(txFrom.vout[0], txTo, scriptSigCopy, scriptSig);
1326 BOOST_CHECK(combined.scriptSig == scriptSigCopy.scriptSig || combined.scriptSig == scriptSig.scriptSig);
1327
1328 // Hardest case: Multisig 2-of-3
1329 scriptPubKey = GetScriptForMultisig(2, pubkeys);
1330 BOOST_CHECK(keystore.AddCScript(scriptPubKey));
1331 SignatureData dummy_e;
1332 BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_e));
1333 scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1334 combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1335 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1336 combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1337 BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1338
1339 // A couple of partially-signed versions:
1340 std::vector<unsigned char> sig1;
1341 uint256 hash1 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_ALL, 0, SigVersion::BASE);
1342 BOOST_CHECK(keys[0].Sign(hash1, sig1));
1343 sig1.push_back(SIGHASH_ALL);
1344 std::vector<unsigned char> sig2;
1345 uint256 hash2 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_NONE, 0, SigVersion::BASE);
1346 BOOST_CHECK(keys[1].Sign(hash2, sig2));
1347 sig2.push_back(SIGHASH_NONE);
1348 std::vector<unsigned char> sig3;
1349 uint256 hash3 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_SINGLE, 0, SigVersion::BASE);
1350 BOOST_CHECK(keys[2].Sign(hash3, sig3));
1351 sig3.push_back(SIGHASH_SINGLE);
1352
1353 // Not fussy about order (or even existence) of placeholders or signatures:
1354 CScript partial1a = CScript() << OP_0 << sig1 << OP_0;
1355 CScript partial1b = CScript() << OP_0 << OP_0 << sig1;
1356 CScript partial2a = CScript() << OP_0 << sig2;
1357 CScript partial2b = CScript() << sig2 << OP_0;
1358 CScript partial3a = CScript() << sig3;
1359 CScript partial3b = CScript() << OP_0 << OP_0 << sig3;
1360 CScript partial3c = CScript() << OP_0 << sig3 << OP_0;
1361 CScript complete12 = CScript() << OP_0 << sig1 << sig2;
1362 CScript complete13 = CScript() << OP_0 << sig1 << sig3;
1363 CScript complete23 = CScript() << OP_0 << sig2 << sig3;
1364 SignatureData partial1_sigs;
1365 partial1_sigs.signatures.emplace(keys[0].GetPubKey().GetID(), SigPair(keys[0].GetPubKey(), sig1));
1366 SignatureData partial2_sigs;
1367 partial2_sigs.signatures.emplace(keys[1].GetPubKey().GetID(), SigPair(keys[1].GetPubKey(), sig2));
1368 SignatureData partial3_sigs;
1369 partial3_sigs.signatures.emplace(keys[2].GetPubKey().GetID(), SigPair(keys[2].GetPubKey(), sig3));
1370
1371 combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial1_sigs);
1372 BOOST_CHECK(combined.scriptSig == partial1a);
1373 combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial2_sigs);
1374 BOOST_CHECK(combined.scriptSig == complete12);
1375 combined = CombineSignatures(txFrom.vout[0], txTo, partial2_sigs, partial1_sigs);
1376 BOOST_CHECK(combined.scriptSig == complete12);
1377 combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial2_sigs);
1378 BOOST_CHECK(combined.scriptSig == complete12);
1379 combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial1_sigs);
1380 BOOST_CHECK(combined.scriptSig == complete13);
1381 combined = CombineSignatures(txFrom.vout[0], txTo, partial2_sigs, partial3_sigs);
1382 BOOST_CHECK(combined.scriptSig == complete23);
1383 combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial2_sigs);
1384 BOOST_CHECK(combined.scriptSig == complete23);
1385 combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial3_sigs);
1386 BOOST_CHECK(combined.scriptSig == partial3c);
1387}
1388
1392BOOST_AUTO_TEST_CASE(sign_invalid_miniscript)
1393{
1394 FillableSigningProvider keystore;
1395 SignatureData sig_data;
1396 CMutableTransaction prev, curr;
1397
1398 // Create a Taproot output which contains a leaf in which a non-32 bytes push is used where a public key is expected
1399 // by the Miniscript parser. This offending Script was found by the RPC fuzzer.
1400 const auto invalid_pubkey{"173d36c8c9c9c9ffffffffffff0200000000021e1e37373721361818181818181e1e1e1e19000000000000000000b19292929292926b006c9b9b9292"_hex_u8};
1401 TaprootBuilder builder;
1402 builder.Add(0, {invalid_pubkey}, 0xc0);
1404 prev.vout.emplace_back(0, GetScriptForDestination(builder.GetOutput()));
1405 curr.vin.emplace_back(COutPoint{prev.GetHash(), 0});
1406 sig_data.tr_spenddata = builder.GetSpendData();
1407
1408 // SignSignature can fail but it shouldn't raise an exception (nor crash).
1409 BOOST_CHECK(!SignSignature(keystore, CTransaction(prev), curr, 0, SIGHASH_ALL, sig_data));
1410}
1411
1412/* P2A input should be considered signed. */
1413BOOST_AUTO_TEST_CASE(sign_paytoanchor)
1414{
1415 FillableSigningProvider keystore;
1416 SignatureData sig_data;
1417 CMutableTransaction prev, curr;
1418 prev.vout.emplace_back(0, GetScriptForDestination(PayToAnchor{}));
1419
1420 curr.vin.emplace_back(COutPoint{prev.GetHash(), 0});
1421
1422 BOOST_CHECK(SignSignature(keystore, CTransaction(prev), curr, 0, SIGHASH_ALL, sig_data));
1423}
1424
1425BOOST_AUTO_TEST_CASE(script_standard_push)
1426{
1427 ScriptError err;
1428 for (int i=0; i<67000; i++) {
1430 script << i;
1431 BOOST_CHECK_MESSAGE(script.IsPushOnly(), "Number " << i << " is not pure push.");
1432 BOOST_CHECK_MESSAGE(VerifyScript(script, CScript() << OP_1, nullptr, SCRIPT_VERIFY_MINIMALDATA, BaseSignatureChecker(), &err), "Number " << i << " push is not minimal data.");
1433 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1434 }
1435
1436 for (unsigned int i=0; i<=MAX_SCRIPT_ELEMENT_SIZE; i++) {
1437 std::vector<unsigned char> data(i, '\111');
1439 script << data;
1440 BOOST_CHECK_MESSAGE(script.IsPushOnly(), "Length " << i << " is not pure push.");
1441 BOOST_CHECK_MESSAGE(VerifyScript(script, CScript() << OP_1, nullptr, SCRIPT_VERIFY_MINIMALDATA, BaseSignatureChecker(), &err), "Length " << i << " push is not minimal data.");
1442 BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1443 }
1444}
1445
1446BOOST_AUTO_TEST_CASE(script_IsPushOnly_on_invalid_scripts)
1447{
1448 // IsPushOnly returns false when given a script containing only pushes that
1449 // are invalid due to truncation. IsPushOnly() is consensus critical
1450 // because P2SH evaluation uses it, although this specific behavior should
1451 // not be consensus critical as the P2SH evaluation would fail first due to
1452 // the invalid push. Still, it doesn't hurt to test it explicitly.
1453 static const unsigned char direct[] = { 1 };
1454 BOOST_CHECK(!CScript(direct, direct+sizeof(direct)).IsPushOnly());
1455}
1456
1457BOOST_AUTO_TEST_CASE(script_GetScriptAsm)
1458{
1459 BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_NOP2, true));
1460 BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_CHECKLOCKTIMEVERIFY, true));
1461 BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_NOP2));
1462 BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_CHECKLOCKTIMEVERIFY));
1463
1464 std::string derSig("304502207fa7a6d1e0ee81132a269ad84e68d695483745cde8b541e3bf630749894e342a022100c1f7ab20e13e22fb95281a870f3dcf38d782e53023ee313d741ad0cfbc0c5090");
1465 std::string pubKey("03b0da749730dc9b4b1f4a14d6902877a92541f5368778853d9c4a0cb7802dcfb2");
1466 std::vector<unsigned char> vchPubKey = ToByteVector(ParseHex(pubKey));
1467
1468 BOOST_CHECK_EQUAL(derSig + "00 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "00")) << vchPubKey, true));
1469 BOOST_CHECK_EQUAL(derSig + "80 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "80")) << vchPubKey, true));
1470 BOOST_CHECK_EQUAL(derSig + "[ALL] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "01")) << vchPubKey, true));
1471 BOOST_CHECK_EQUAL(derSig + "[NONE] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "02")) << vchPubKey, true));
1472 BOOST_CHECK_EQUAL(derSig + "[SINGLE] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "03")) << vchPubKey, true));
1473 BOOST_CHECK_EQUAL(derSig + "[ALL|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "81")) << vchPubKey, true));
1474 BOOST_CHECK_EQUAL(derSig + "[NONE|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "82")) << vchPubKey, true));
1475 BOOST_CHECK_EQUAL(derSig + "[SINGLE|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "83")) << vchPubKey, true));
1476
1477 BOOST_CHECK_EQUAL(derSig + "00 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "00")) << vchPubKey));
1478 BOOST_CHECK_EQUAL(derSig + "80 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "80")) << vchPubKey));
1479 BOOST_CHECK_EQUAL(derSig + "01 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "01")) << vchPubKey));
1480 BOOST_CHECK_EQUAL(derSig + "02 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "02")) << vchPubKey));
1481 BOOST_CHECK_EQUAL(derSig + "03 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "03")) << vchPubKey));
1482 BOOST_CHECK_EQUAL(derSig + "81 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "81")) << vchPubKey));
1483 BOOST_CHECK_EQUAL(derSig + "82 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "82")) << vchPubKey));
1484 BOOST_CHECK_EQUAL(derSig + "83 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "83")) << vchPubKey));
1485}
1486
1487template <typename T>
1488CScript ToScript(const T& byte_container)
1489{
1490 auto span{MakeUCharSpan(byte_container)};
1491 return {span.begin(), span.end()};
1492}
1493
1494BOOST_AUTO_TEST_CASE(script_byte_array_u8_vector_equivalence)
1495{
1496 const CScript scriptPubKey1 = CScript() << "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f"_hex_v_u8 << OP_CHECKSIG;
1497 const CScript scriptPubKey2 = CScript() << "04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f"_hex << OP_CHECKSIG;
1498 BOOST_CHECK(scriptPubKey1 == scriptPubKey2);
1499}
1500
1501BOOST_AUTO_TEST_CASE(script_FindAndDelete)
1502{
1503 // Exercise the FindAndDelete functionality
1504 CScript s;
1505 CScript d;
1507
1508 s = CScript() << OP_1 << OP_2;
1509 d = CScript(); // delete nothing should be a no-op
1510 expect = s;
1512 BOOST_CHECK(s == expect);
1513
1514 s = CScript() << OP_1 << OP_2 << OP_3;
1515 d = CScript() << OP_2;
1516 expect = CScript() << OP_1 << OP_3;
1518 BOOST_CHECK(s == expect);
1519
1520 s = CScript() << OP_3 << OP_1 << OP_3 << OP_3 << OP_4 << OP_3;
1521 d = CScript() << OP_3;
1522 expect = CScript() << OP_1 << OP_4;
1524 BOOST_CHECK(s == expect);
1525
1526 s = ToScript("0302ff03"_hex); // PUSH 0x02ff03 onto stack
1527 d = ToScript("0302ff03"_hex);
1528 expect = CScript();
1530 BOOST_CHECK(s == expect);
1531
1532 s = ToScript("0302ff030302ff03"_hex); // PUSH 0x02ff03 PUSH 0x02ff03
1533 d = ToScript("0302ff03"_hex);
1534 expect = CScript();
1536 BOOST_CHECK(s == expect);
1537
1538 s = ToScript("0302ff030302ff03"_hex);
1539 d = ToScript("02"_hex);
1540 expect = s; // FindAndDelete matches entire opcodes
1542 BOOST_CHECK(s == expect);
1543
1544 s = ToScript("0302ff030302ff03"_hex);
1545 d = ToScript("ff"_hex);
1546 expect = s;
1548 BOOST_CHECK(s == expect);
1549
1550 // This is an odd edge case: strip of the push-three-bytes
1551 // prefix, leaving 02ff03 which is push-two-bytes:
1552 s = ToScript("0302ff030302ff03"_hex);
1553 d = ToScript("03"_hex);
1554 expect = CScript() << "ff03"_hex << "ff03"_hex;
1556 BOOST_CHECK(s == expect);
1557
1558 // Byte sequence that spans multiple opcodes:
1559 s = ToScript("02feed5169"_hex); // PUSH(0xfeed) OP_1 OP_VERIFY
1560 d = ToScript("feed51"_hex);
1561 expect = s;
1562 BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0); // doesn't match 'inside' opcodes
1563 BOOST_CHECK(s == expect);
1564
1565 s = ToScript("02feed5169"_hex); // PUSH(0xfeed) OP_1 OP_VERIFY
1566 d = ToScript("02feed51"_hex);
1567 expect = ToScript("69"_hex);
1569 BOOST_CHECK(s == expect);
1570
1571 s = ToScript("516902feed5169"_hex);
1572 d = ToScript("feed51"_hex);
1573 expect = s;
1575 BOOST_CHECK(s == expect);
1576
1577 s = ToScript("516902feed5169"_hex);
1578 d = ToScript("02feed51"_hex);
1579 expect = ToScript("516969"_hex);
1581 BOOST_CHECK(s == expect);
1582
1583 s = CScript() << OP_0 << OP_0 << OP_1 << OP_1;
1584 d = CScript() << OP_0 << OP_1;
1585 expect = CScript() << OP_0 << OP_1; // FindAndDelete is single-pass
1587 BOOST_CHECK(s == expect);
1588
1589 s = CScript() << OP_0 << OP_0 << OP_1 << OP_0 << OP_1 << OP_1;
1590 d = CScript() << OP_0 << OP_1;
1591 expect = CScript() << OP_0 << OP_1; // FindAndDelete is single-pass
1593 BOOST_CHECK(s == expect);
1594
1595 // Another weird edge case:
1596 // End with invalid push (not enough data)...
1597 s = ToScript("0003feed"_hex);
1598 d = ToScript("03feed"_hex); // ... can remove the invalid push
1599 expect = ToScript("00"_hex);
1601 BOOST_CHECK(s == expect);
1602
1603 s = ToScript("0003feed"_hex);
1604 d = ToScript("00"_hex);
1605 expect = ToScript("03feed"_hex);
1607 BOOST_CHECK(s == expect);
1608}
1609
1610BOOST_AUTO_TEST_CASE(script_HasValidOps)
1611{
1612 // Exercise the HasValidOps functionality
1614 script = ToScript("76a9141234567890abcdefa1a2a3a4a5a6a7a8a9a0aaab88ac"_hex); // Normal script
1615 BOOST_CHECK(script.HasValidOps());
1616 script = ToScript("76a914ff34567890abcdefa1a2a3a4a5a6a7a8a9a0aaab88ac"_hex);
1617 BOOST_CHECK(script.HasValidOps());
1618 script = ToScript("ff88ac"_hex); // Script with OP_INVALIDOPCODE explicit
1619 BOOST_CHECK(!script.HasValidOps());
1620 script = ToScript("88acc0"_hex); // Script with undefined opcode
1621 BOOST_CHECK(!script.HasValidOps());
1622}
1623
1624BOOST_AUTO_TEST_CASE(bip341_keypath_test_vectors)
1625{
1627 tests.read(json_tests::bip341_wallet_vectors);
1628
1629 const auto& vectors = tests["keyPathSpending"];
1630
1631 for (const auto& vec : vectors.getValues()) {
1632 auto txhex = ParseHex(vec["given"]["rawUnsignedTx"].get_str());
1634 SpanReader{txhex} >> TX_WITH_WITNESS(tx);
1635 std::vector<CTxOut> utxos;
1636 for (const auto& utxo_spent : vec["given"]["utxosSpent"].getValues()) {
1637 auto script_bytes = ParseHex(utxo_spent["scriptPubKey"].get_str());
1638 CScript script{script_bytes.begin(), script_bytes.end()};
1639 CAmount amount{utxo_spent["amountSats"].getInt<int>()};
1640 utxos.emplace_back(amount, script);
1641 }
1642
1644 txdata.Init(tx, std::vector<CTxOut>{utxos}, true);
1645
1647 BOOST_CHECK_EQUAL(HexStr(txdata.m_spent_amounts_single_hash), vec["intermediary"]["hashAmounts"].get_str());
1648 BOOST_CHECK_EQUAL(HexStr(txdata.m_outputs_single_hash), vec["intermediary"]["hashOutputs"].get_str());
1649 BOOST_CHECK_EQUAL(HexStr(txdata.m_prevouts_single_hash), vec["intermediary"]["hashPrevouts"].get_str());
1650 BOOST_CHECK_EQUAL(HexStr(txdata.m_spent_scripts_single_hash), vec["intermediary"]["hashScriptPubkeys"].get_str());
1651 BOOST_CHECK_EQUAL(HexStr(txdata.m_sequences_single_hash), vec["intermediary"]["hashSequences"].get_str());
1652
1653 for (const auto& input : vec["inputSpending"].getValues()) {
1654 int txinpos = input["given"]["txinIndex"].getInt<int>();
1655 int hashtype = input["given"]["hashType"].getInt<int>();
1656
1657 // Load key.
1658 auto privkey = ParseHex(input["given"]["internalPrivkey"].get_str());
1659 CKey key;
1660 key.Set(privkey.begin(), privkey.end(), true);
1661
1662 // Load Merkle root.
1663 uint256 merkle_root;
1664 if (!input["given"]["merkleRoot"].isNull()) {
1665 merkle_root = uint256{ParseHex(input["given"]["merkleRoot"].get_str())};
1666 }
1667
1668 // Compute and verify (internal) public key.
1669 XOnlyPubKey pubkey{key.GetPubKey()};
1670 BOOST_CHECK_EQUAL(HexStr(pubkey), input["intermediary"]["internalPubkey"].get_str());
1671
1672 // Sign and verify signature.
1673 FlatSigningProvider provider;
1674 provider.keys[key.GetPubKey().GetID()] = key;
1675 MutableTransactionSignatureCreator creator(tx, txinpos, utxos[txinpos].nValue, &txdata, hashtype);
1676 std::vector<unsigned char> signature;
1677 BOOST_CHECK(creator.CreateSchnorrSig(provider, signature, pubkey, nullptr, &merkle_root, SigVersion::TAPROOT));
1678 BOOST_CHECK_EQUAL(HexStr(signature), input["expected"]["witness"][0].get_str());
1679
1680 // We can't observe the tweak used inside the signing logic, so verify by recomputing it.
1681 BOOST_CHECK_EQUAL(HexStr(pubkey.ComputeTapTweakHash(merkle_root.IsNull() ? nullptr : &merkle_root)), input["intermediary"]["tweak"].get_str());
1682
1683 // We can't observe the sighash used inside the signing logic, so verify by recomputing it.
1685 sed.m_annex_init = true;
1686 sed.m_annex_present = false;
1687 uint256 sighash;
1688 BOOST_CHECK(SignatureHashSchnorr(sighash, sed, tx, txinpos, hashtype, SigVersion::TAPROOT, txdata, MissingDataBehavior::FAIL));
1689 BOOST_CHECK_EQUAL(HexStr(sighash), input["intermediary"]["sigHash"].get_str());
1690
1691 // To verify the sigmsg, hash the expected sigmsg, and compare it with the (expected) sighash.
1692 BOOST_CHECK_EQUAL(HexStr((HashWriter{HASHER_TAPSIGHASH} << std::span<const uint8_t>{ParseHex(input["intermediary"]["sigMsg"].get_str())}).GetSHA256()), input["intermediary"]["sigHash"].get_str());
1693 }
1694 }
1695}
1696
1697BOOST_AUTO_TEST_CASE(compute_tapbranch)
1698{
1699 constexpr uint256 hash1{"8ad69ec7cf41c2a4001fd1f738bf1e505ce2277acdcaa63fe4765192497f47a7"};
1700 constexpr uint256 hash2{"f224a923cd0021ab202ab139cc56802ddb92dcfc172b9212261a539df79a112a"};
1701 constexpr uint256 result{"a64c5b7b943315f9b805d7a7296bedfcfd08919270a1f7a1466e98f8693d8cd9"};
1702 BOOST_CHECK_EQUAL(ComputeTapbranchHash(hash1, hash2), result);
1703}
1704
1705BOOST_AUTO_TEST_CASE(compute_tapleaf)
1706{
1707 constexpr uint8_t script[6] = {'f','o','o','b','a','r'};
1708 constexpr uint256 tlc0{"edbc10c272a1215dcdcc11d605b9027b5ad6ed97cd45521203f136767b5b9c06"};
1709 constexpr uint256 tlc2{"8b5c4f90ae6bf76e259dbef5d8a59df06359c391b59263741b25eca76451b27a"};
1710
1711 BOOST_CHECK_EQUAL(ComputeTapleafHash(0xc0, std::span(script)), tlc0);
1712 BOOST_CHECK_EQUAL(ComputeTapleafHash(0xc2, std::span(script)), tlc2);
1713}
1714
1715BOOST_AUTO_TEST_CASE(formatscriptflags)
1716{
1717 // quick check that FormatScriptFlags reports any unknown/unexpected bits
1722 BOOST_CHECK_EQUAL(FormatScriptFlags(SCRIPT_VERIFY_TAPROOT | script_verify_flags::from_int((1u<<28) | (1ull<<58))), "TAPROOT,0x400000010000000");
1724}
1725
CScript GetScriptForDestination(const CTxDestination &dest)
Generate a Bitcoin scriptPubKey for the given CTxDestination.
int64_t CAmount
Amount in satoshis (Can be negative)
Definition: amount.h:12
int ret
static CAmount AmountFromValue(const UniValue &value)
Definition: bitcoin-tx.cpp:554
int flags
Definition: bitcoin-tx.cpp:529
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:49
CHash160 & Write(std::span< const unsigned char > input)
Definition: hash.h:62
void Finalize(std::span< unsigned char > output)
Definition: hash.h:55
An encapsulated private key.
Definition: key.h:35
bool Sign(const uint256 &hash, std::vector< unsigned char > &vchSig, bool grind=true, uint32_t test_case=0) const
Create a DER-serialized signature.
Definition: key.cpp:208
void MakeNewKey(bool fCompressed)
Generate a new private key using a cryptographic PRNG.
Definition: key.cpp:161
CPubKey GetPubKey() const
Compute the public key from a private key.
Definition: key.cpp:182
void Set(const T pbegin, const T pend, bool fCompressedIn)
Initialize using begin and end iterators to byte data.
Definition: key.h:103
An outpoint - a combination of a transaction hash and an index n into its vout.
Definition: transaction.h:29
An encapsulated public key.
Definition: pubkey.h:34
const unsigned char * data() const
Definition: pubkey.h:113
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:164
const unsigned char * end() const
Definition: pubkey.h:115
const unsigned char * begin() const
Definition: pubkey.h:114
A hasher class for SHA-256.
Definition: sha256.h:14
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha256.cpp:725
CSHA256 & Write(const unsigned char *data, size_t len)
Definition: sha256.cpp:699
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:413
A reference to a CScript: the Hash160 of its serialization.
Definition: script.h:602
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:296
An output of a transaction.
Definition: transaction.h:150
CScript scriptPubKey
Definition: transaction.h:153
CAmount nValue
Definition: transaction.h:152
Fillable signing provider that keeps keys in an address->secret map.
virtual bool AddCScript(const CScript &redeemScript)
virtual bool AddKey(const CKey &key)
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:101
A signature creator for transactions.
Definition: sign.h:40
bool CreateSchnorrSig(const SigningProvider &provider, std::vector< unsigned char > &sig, const XOnlyPubKey &pubkey, const uint256 *leaf_hash, const uint256 *merkle_root, SigVersion sigversion) const override
Definition: sign.cpp:62
uint64_t randbits(int bits) noexcept
Generate a random (bits)-bit integer.
Definition: random.h:204
Minimal stream for reading from an existing byte array by std::span.
Definition: streams.h:83
Utility class to construct Taproot outputs from internal key and script tree.
WitnessV1Taproot GetOutput()
Compute scriptPubKey (after Finalize()).
TaprootSpendData GetSpendData() const
Compute spending data (after Finalize()).
bool IsComplete() const
Return whether there were either no leaves, or the leaves form a Huffman tree.
TaprootBuilder & Add(int depth, std::span< const unsigned char > script, int leaf_version, bool track=true)
Add a new script at a certain depth in the tree.
TaprootBuilder & Finalize(const XOnlyPubKey &internal_key)
Finalize the construction.
const std::string & get_str() const
bool isArray() const
Definition: univalue.h:87
@ VARR
Definition: univalue.h:24
std::string write(unsigned int prettyIndent=0, unsigned int indentLevel=0) const
size_t size() const
Definition: univalue.h:71
const UniValue & get_array() const
static const XOnlyPubKey NUMS_H
Nothing Up My Sleeve point H Used as an internal key for provably disabling the key path spend see BI...
Definition: pubkey.h:239
constexpr bool IsNull() const
Definition: uint256.h:48
constexpr unsigned char * begin()
Definition: uint256.h:101
Implements a drop-in replacement for std::vector<T> which stores up to N elements directly (without h...
Definition: prevector.h:37
bool empty() const
Definition: prevector.h:259
size_type size() const
Definition: prevector.h:255
value_type * data()
Definition: prevector.h:489
iterator begin()
Definition: prevector.h:263
iterator end()
Definition: prevector.h:265
void push_back(const T &value)
Definition: prevector.h:400
static constexpr script_verify_flags from_int(value_type f)
Definition: verify_flags.h:35
160-bit opaque blob.
Definition: uint256.h:184
256-bit opaque blob.
Definition: uint256.h:196
CScript ParseScript(const std::string &s)
Definition: core_read.cpp:63
std::string FormatScript(const CScript &script)
Definition: core_write.cpp:39
std::string ScriptToAsmStr(const CScript &script, const bool fAttemptSighashDecode=false)
Create the assembly string representation of a CScript object.
Definition: core_write.cpp:98
UniValue ValueFromAmount(const CAmount amount)
Definition: core_write.cpp:26
BOOST_FIXTURE_TEST_SUITE(cuckoocache_tests, BasicTestingSetup)
Test Suite for CuckooCache.
BOOST_AUTO_TEST_SUITE_END()
std::string HexStr(const std::span< const uint8_t > s)
Convert a span of bytes to a lower-case hexadecimal string.
Definition: hex_base.cpp:29
uint256 ComputeTapbranchHash(std::span< const unsigned char > a, std::span< const unsigned char > b)
Compute the BIP341 tapbranch hash from two branches.
bool SignatureHashSchnorr(uint256 &hash_out, ScriptExecutionData &execdata, const T &tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData &cache, MissingDataBehavior mdb)
int FindAndDelete(CScript &script, const CScript &b)
uint256 ComputeTapleafHash(uint8_t leaf_version, std::span< const unsigned char > script)
Compute the BIP341 tapleaf hash from leaf version & script.
bool EvalScript(std::vector< std::vector< unsigned char > > &stack, const CScript &script, script_verify_flags flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror)
uint256 SignatureHash(const CScript &scriptCode, const T &txTo, unsigned int nIn, int32_t nHashType, const CAmount &amount, SigVersion sigversion, const PrecomputedTransactionData *cache, SigHashCache *sighash_cache)
std::vector< std::string > GetScriptFlagNames(script_verify_flags flags)
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, const CScriptWitness *witness, script_verify_flags flags, const BaseSignatureChecker &checker, ScriptError *serror)
const HashWriter HASHER_TAPSIGHASH
Hasher with tag "TapSighash" pre-fed to it.
static constexpr int MAX_SCRIPT_VERIFY_FLAGS_BITS
Definition: interpreter.h:154
SigVersion
Definition: interpreter.h:201
@ TAPROOT
Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, key path spending; see BIP 341.
@ BASE
Bare scripts and BIP16 P2SH-wrapped redeemscripts.
@ WITNESS_V0
Witness v0 (P2WPKH and P2WSH); see BIP 141.
GenericTransactionSignatureChecker< CMutableTransaction > MutableTransactionSignatureChecker
Definition: interpreter.h:337
static constexpr uint8_t TAPROOT_LEAF_TAPSCRIPT
Definition: interpreter.h:242
@ SIGHASH_ANYONECANPAY
Definition: interpreter.h:34
@ SIGHASH_DEFAULT
Taproot only; implied when sighash byte is missing, and equivalent to SIGHASH_ALL.
Definition: interpreter.h:36
@ SIGHASH_ALL
Definition: interpreter.h:31
@ SIGHASH_NONE
Definition: interpreter.h:32
@ SIGHASH_SINGLE
Definition: interpreter.h:33
@ ASSERT_FAIL
Abort execution through assertion failure (for consensus code)
@ FAIL
Just act as if the signature was invalid.
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
UniValue read_json(std::string_view jsondata)
Definition: json.cpp:12
CKey GenerateRandomKey(bool compressed) noexcept
Definition: key.cpp:352
@ NONE
Definition: logging.h:65
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:26
std::pair< opcodetype, std::vector< unsigned char > > Opcode
Definition: miniscript.h:189
""_hex is a compile-time user-defined literal returning a std::array<std::byte>, equivalent to ParseH...
Definition: strencodings.h:384
auto Join(const C &container, const S &separator, UnaryOp unary_op)
Join all container items.
Definition: string.h:204
#define BOOST_CHECK_EQUAL(v1, v2)
Definition: object.cpp:18
#define BOOST_CHECK(expr)
Definition: object.cpp:17
static constexpr TransactionSerParams TX_WITH_WITNESS
Definition: transaction.h:195
static CTransactionRef MakeTransactionRef(Tx &&txIn)
Definition: transaction.h:424
std::shared_ptr< const CTransaction > CTransactionRef
Definition: transaction.h:423
const char * name
Definition: rest.cpp:50
static const unsigned int MAX_SCRIPT_ELEMENT_SIZE
Definition: script.h:28
opcodetype
Script opcodes.
Definition: script.h:74
@ OP_2
Definition: script.h:85
@ OP_PUSHDATA4
Definition: script.h:80
@ OP_CHECKMULTISIG
Definition: script.h:192
@ OP_CHECKSIG
Definition: script.h:190
@ OP_CHECKLOCKTIMEVERIFY
Definition: script.h:197
@ OP_NOT
Definition: script.h:158
@ OP_EQUAL
Definition: script.h:146
@ OP_4
Definition: script.h:87
@ OP_DUP
Definition: script.h:125
@ OP_NOP2
Definition: script.h:198
@ OP_NOP8
Definition: script.h:205
@ OP_HASH160
Definition: script.h:187
@ OP_1
Definition: script.h:83
@ OP_TRUE
Definition: script.h:84
@ OP_PUSHDATA1
Definition: script.h:78
@ OP_3
Definition: script.h:86
@ OP_PUSHDATA2
Definition: script.h:79
@ OP_0
Definition: script.h:76
@ OP_EQUALVERIFY
Definition: script.h:147
std::vector< unsigned char > ToByteVector(const T &in)
Definition: script.h:67
std::string ScriptErrorString(const ScriptError serror)
enum ScriptError_t ScriptError
ScriptError_t
Definition: script_error.h:12
@ SCRIPT_ERR_OP_CODESEPARATOR
Definition: script_error.h:82
@ SCRIPT_ERR_SIG_PUSHONLY
Definition: script_error.h:48
@ SCRIPT_ERR_OP_COUNT
Definition: script_error.h:21
@ SCRIPT_ERR_EVAL_FALSE
Definition: script_error.h:15
@ SCRIPT_ERR_NUMEQUALVERIFY
Definition: script_error.h:31
@ SCRIPT_ERR_VERIFY
Definition: script_error.h:27
@ SCRIPT_ERR_DISABLED_OPCODE
Definition: script_error.h:35
@ SCRIPT_ERR_INVALID_ALTSTACK_OPERATION
Definition: script_error.h:37
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
Definition: script_error.h:58
@ SCRIPT_ERR_SCRIPT_SIZE
Definition: script_error.h:19
@ SCRIPT_ERR_UNKNOWN_ERROR
Definition: script_error.h:14
@ SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH
Definition: script_error.h:64
@ SCRIPT_ERR_SIG_HASHTYPE
Definition: script_error.h:45
@ SCRIPT_ERR_MINIMALDATA
Definition: script_error.h:47
@ SCRIPT_ERR_CHECKSIGVERIFY
Definition: script_error.h:30
@ SCRIPT_ERR_STACK_SIZE
Definition: script_error.h:22
@ SCRIPT_ERR_WITNESS_MALLEATED_P2SH
Definition: script_error.h:68
@ SCRIPT_ERR_WITNESS_MALLEATED
Definition: script_error.h:67
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS
Definition: script_error.h:57
@ SCRIPT_ERR_EQUALVERIFY
Definition: script_error.h:28
@ SCRIPT_ERR_INVALID_STACK_OPERATION
Definition: script_error.h:36
@ SCRIPT_ERR_SIG_COUNT
Definition: script_error.h:23
@ SCRIPT_ERR_SIG_HIGH_S
Definition: script_error.h:49
@ SCRIPT_ERR_SIG_DER
Definition: script_error.h:46
@ SCRIPT_ERR_WITNESS_UNEXPECTED
Definition: script_error.h:69
@ SCRIPT_ERR_NEGATIVE_LOCKTIME
Definition: script_error.h:41
@ SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH
Definition: script_error.h:66
@ SCRIPT_ERR_OP_RETURN
Definition: script_error.h:16
@ SCRIPT_ERR_PUSH_SIZE
Definition: script_error.h:20
@ SCRIPT_ERR_SIG_NULLFAIL
Definition: script_error.h:54
@ SCRIPT_ERR_OK
Definition: script_error.h:13
@ SCRIPT_ERR_SIG_NULLDUMMY
Definition: script_error.h:50
@ SCRIPT_ERR_PUBKEYTYPE
Definition: script_error.h:51
@ SCRIPT_ERR_CHECKMULTISIGVERIFY
Definition: script_error.h:29
@ SCRIPT_ERR_UNSATISFIED_LOCKTIME
Definition: script_error.h:42
@ SCRIPT_ERR_WITNESS_PUBKEYTYPE
Definition: script_error.h:70
@ SCRIPT_ERR_SIG_FINDANDDELETE
Definition: script_error.h:83
@ SCRIPT_ERR_BAD_OPCODE
Definition: script_error.h:34
@ SCRIPT_ERR_PUBKEY_COUNT
Definition: script_error.h:24
@ SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY
Definition: script_error.h:65
@ SCRIPT_ERR_CLEANSTACK
Definition: script_error.h:52
@ SCRIPT_ERR_UNBALANCED_CONDITIONAL
Definition: script_error.h:38
@ SCRIPT_ERR_MINIMALIF
Definition: script_error.h:53
static std::string FormatScriptError(ScriptError_t err)
static TxoutType GetTxoutType(const CScript &output_script)
Return the TxoutType of a script without exposing Solver details.
static void NegateSignatureS(std::vector< unsigned char > &vchSig)
#define CHECK_SCRIPT_STATIC_SIZE(script, expected_size)
static ScriptError_t ParseScriptError(const std::string &name)
SignatureData CombineSignatures(const CTxOut &txout, const CMutableTransaction &tx, const SignatureData &scriptSig1, const SignatureData &scriptSig2)
static ScriptErrorDesc script_errors[]
static std::string FormatScriptFlags(script_verify_flags flags)
CScript ToScript(const T &byte_container)
#define CHECK_SCRIPT_DYNAMIC_SIZE(script, expected_size, expected_extra)
static CScript sign_multisig(const CScript &scriptPubKey, const std::vector< CKey > &keys, const CTransaction &transaction)
script_verify_flags ParseScriptFlags(std::string strFlags)
BOOST_AUTO_TEST_CASE(script_build)
static const script_verify_flags gFlags
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:622
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:245
bool ProduceSignature(const SigningProvider &provider, const BaseSignatureCreator &creator, const CScript &fromPubKey, SignatureData &sigdata)
Produce a script signature using a generic signature creator.
Definition: sign.cpp:502
static bool GetPubKey(const SigningProvider &provider, const SignatureData &sigdata, const CKeyID &address, CPubKey &pubkey)
Definition: sign.cpp:109
SignatureData DataFromTransaction(const CMutableTransaction &tx, unsigned int nIn, const CTxOut &txout)
Extract signature data from a transaction input, and insert it.
Definition: sign.cpp:610
std::pair< CPubKey, std::vector< unsigned char > > SigPair
Definition: sign.h:63
const SigningProvider & DUMMY_SIGNING_PROVIDER
TxoutType Solver(const CScript &scriptPubKey, std::vector< std::vector< unsigned char > > &vSolutionsRet)
Parse a scriptPubKey and identify script type for standard scripts.
Definition: solver.cpp:141
CScript GetScriptForMultisig(int nRequired, const std::vector< CPubKey > &keys)
Generate a multisig script.
Definition: solver.cpp:218
CScript GetScriptForRawPubKey(const CPubKey &pubKey)
Generate a P2PK script for the given pubkey.
Definition: solver.cpp:213
TxoutType
Definition: solver.h:22
@ WITNESS_V1_TAPROOT
@ NULL_DATA
unspendable OP_RETURN script that carries data
@ WITNESS_V0_KEYHASH
constexpr auto MakeUCharSpan(const V &v) -> decltype(UCharSpanCast(std::span{v}))
Like the std::span constructor, but for (const) unsigned char member types only.
Definition: span.h:111
std::vector< Byte > ParseHex(std::string_view hex_str)
Like TryParseHex, but returns an empty vector on invalid input.
Definition: strencodings.h:68
Basic testing setup.
Definition: setup_common.h:64
FastRandomContext m_rng
Definition: setup_common.h:68
A mutable version of CTransaction.
Definition: transaction.h:378
std::vector< CTxOut > vout
Definition: transaction.h:380
Txid GetHash() const
Compute the hash of this CMutableTransaction.
Definition: transaction.cpp:69
std::vector< CTxIn > vin
Definition: transaction.h:379
std::vector< std::vector< unsigned char > > stack
Definition: script.h:588
std::map< CKeyID, CKey > keys
A type to represent integers in the type system.
Definition: lintrans.h:13
void Init(const T &tx, std::vector< CTxOut > &&spent_outputs, bool force=false)
Initialize this PrecomputedTransactionData with transaction data.
bool m_bip341_taproot_ready
Whether the 5 fields above are initialized.
Definition: interpreter.h:173
ScriptError_t err
const char * name
bool m_annex_present
Whether an annex is present.
Definition: interpreter.h:223
bool m_annex_init
Whether m_annex_present and (when needed) m_annex_hash are initialized.
Definition: interpreter.h:221
void DoTest(const CScript &scriptPubKey, const CScript &scriptSig, const CScriptWitness &scriptWitness, script_verify_flags flags, const std::string &message, int scriptError, CAmount nValue=0)
std::map< CKeyID, SigPair > signatures
BIP 174 style partial signatures for the input. May contain all signatures necessary for producing a ...
Definition: sign.h:77
TaprootSpendData tr_spenddata
Taproot spending data.
Definition: sign.h:75
CScript scriptSig
The scriptSig of an input. Contains complete signatures or the traditional partial signatures format.
Definition: sign.h:71
std::map< std::pair< std::vector< unsigned char >, int >, std::set< std::vector< unsigned char >, ShortestVectorFirstComparator > > scripts
Map from (script, leaf_version) to (sets of) control blocks.
#define strprintf
Format arguments and return the string or write to given std::ostream (see tinyformat::format doc for...
Definition: tinyformat.h:1172
CMutableTransaction BuildSpendingTransaction(const CScript &scriptSig, const CScriptWitness &scriptWitness, const CTransaction &txCredit)
bool SignSignature(const SigningProvider &provider, const CScript &fromPubKey, CMutableTransaction &txTo, unsigned int nIn, const CAmount &amount, int nHashType, SignatureData &sig_data)
Produce a satisfying script (scriptSig or witness).
CMutableTransaction BuildCreditingTransaction(const CScript &scriptPubKey, int nValue)
constexpr std::array tests
Definition: unitester.cpp:100
#define expect(bit)
assert(!tx.IsCoinBase())