Merge #301: Taproot interpreter support

be83ac7 Update Control block verification (sanket1729)
1929518 Add ToNoChecks trait (sanket1729)
8ef682f comments: clean up the comments around the "scriptcode" hack in Interpreter (Andrew Poelstra)
be5a536 Integration test fixups (sanket1729)
a9c7f41 Update interpreter API in psbt (sanket1729)
a5b0b28 Cleanup iter APIs, retintroduce examples (sanket1729)
16d0830 Remove NoChecksSchnorr (sanket1729)
6c9e436 Interpreter sighash API support, no more closures (sanket1729)
21d182a Add taproot Inner inference (sanket1729)
d3512bc Overall Iter struct so that there is no closure (sanket1729)
c28ac99 Remove mut from Interpreter type for iterator (sanket1729)
32963a0 Rework Interpreter: Prepare of tap support (sanket1729)
73cd5a8 Update to 0.28.0-rc.1 (sanket1729)

Pull request description:

  Add taproot interpreter support. This is the second to last PR for taproot miniscript support. The last PR will add some more high-level APIs for taproot psbt and integration tests.

ACKs for top commit:
  apoelstra:
    ACK be83ac7

Tree-SHA512: 2521e1c54d44540f7873ccad4111f0787d448c3ab701fbca063eeb158593ec2a3c7bcedb7e8d070da4bf90c6ae024bd07d3fc08b46262d7184a1efbf6f585807

Author: sanket1729

Cargo.toml

@@ -17,7 +17,7 @@ rand = ["bitcoin/rand"]
 
 [dependencies]
 # bitcoin = "0.27"
-bitcoin = {git = "https://github.com/rust-bitcoin/rust-bitcoin", rev = "0e2e55971275da64ceb62e8991a0a5fa962cb8b1"}
+bitcoin = "0.28.0-rc.1"
 
 [dependencies.serde]
 version = "1.0"

examples/verify_tx.rs

@@ -19,6 +19,8 @@ extern crate miniscript;
 
 use bitcoin::consensus::Decodable;
 use bitcoin::secp256k1; // secp256k1 re-exported from rust-bitcoin
+use bitcoin::util::sighash;
+use miniscript::interpreter::KeySigPair;
 use std::str::FromStr;
 
 fn main() {
@@ -83,7 +85,7 @@ fn main() {
         0xa9, 0x14, 0x92, 0x09, 0xa8, 0xf9, 0x0c, 0x58, 0x4b, 0xb5, 0x97, 0x4d, 0x58, 0x68, 0x72,
         0x49, 0xe5, 0x32, 0xde, 0x59, 0xf4, 0xbc, 0x87,
     ]);
-    let mut interpreter = miniscript::Interpreter::from_txdata(
+    let interpreter = miniscript::Interpreter::from_txdata(
         &spk_input_1,
         &transaction.input[0].script_sig,
         &transaction.input[0].witness,
@@ -105,10 +107,14 @@ fn main() {
     //    the blockchain, standardness would've required they be
     //    either valid or 0-length.
     println!("\nExample one");
-    for elem in interpreter.iter(|_, _| true) {
+    for elem in interpreter.iter_assume_sigs() {
         // Don't bother checking signatures
         match elem.expect("no evaluation error") {
-            miniscript::interpreter::SatisfiedConstraint::PublicKey { key, sig } => {
+            miniscript::interpreter::SatisfiedConstraint::PublicKey { key_sig } => {
+                // Check that the signature is ecdsa sig
+                let (key, sig) = key_sig
+                    .as_ecdsa()
+                    .expect("Expected Ecdsa sig, found schnorr sig");
                 println!("Signed with {}: {}", key, sig);
             }
             _ => {}
@@ -122,7 +128,7 @@ fn main() {
     // from the MiniscriptKey which can supplied by `to_pk_ctx` parameter. For example,
     // when calculating the script pubkey of a descriptor with xpubs, the secp context and
     // child information maybe required.
-    let mut interpreter = miniscript::Interpreter::from_txdata(
+    let interpreter = miniscript::Interpreter::from_txdata(
         &spk_input_1,
         &transaction.input[0].script_sig,
         &transaction.input[0].witness,
@@ -131,21 +137,15 @@ fn main() {
     )
     .unwrap();
 
-    // We can set the amount passed to `sighash_verify` to 0 because this is a legacy
-    // transaction and so the amount won't actually be checked by the signature
-    let vfyfn = interpreter
-        .sighash_verify(&secp, &transaction, 0, 0)
-        .expect("Can only fail in sighash single when corresponding output is not present");
-    // Restrict to sighash_all just to demonstrate how to add additional filters
-    // `&_` needed here because of https://github.com/rust-lang/rust/issues/79187
-    let vfyfn = move |pk: &_, bitcoinsig: miniscript::bitcoin::EcdsaSig| {
-        bitcoinsig.hash_ty == bitcoin::EcdsaSigHashType::All && vfyfn(pk, bitcoinsig)
-    };
+    // We can set prevouts to be empty list because this is a legacy transaction
+    // and this information is not required for sighash computation.
+    let prevouts = sighash::Prevouts::All(&[]);
 
     println!("\nExample two");
-    for elem in interpreter.iter(vfyfn) {
+    for elem in interpreter.iter(&secp, &transaction, 0, &prevouts) {
         match elem.expect("no evaluation error") {
-            miniscript::interpreter::SatisfiedConstraint::PublicKey { key, sig } => {
+            miniscript::interpreter::SatisfiedConstraint::PublicKey { key_sig } => {
+                let (key, sig) = key_sig.as_ecdsa().unwrap();
                 println!("Signed with {}: {}", key, sig);
             }
             _ => {}
@@ -156,7 +156,7 @@ fn main() {
     //    what happens given an apparently invalid script
     let secp = secp256k1::Secp256k1::new();
     let message = secp256k1::Message::from_slice(&[0x01; 32][..]).expect("32-byte hash");
-    let mut interpreter = miniscript::Interpreter::from_txdata(
+    let interpreter = miniscript::Interpreter::from_txdata(
         &spk_input_1,
         &transaction.input[0].script_sig,
         &transaction.input[0].witness,
@@ -165,10 +165,13 @@ fn main() {
     )
     .unwrap();
 
-    let iter = interpreter.iter(|pk, ecdsa_sig| {
+    let iter = interpreter.iter_custom(Box::new(|key_sig: &KeySigPair| {
+        let (pk, ecdsa_sig) = key_sig.as_ecdsa().expect("Ecdsa Sig");
         ecdsa_sig.hash_ty == bitcoin::EcdsaSigHashType::All
-            && secp.verify_ecdsa(&message, &ecdsa_sig.sig, &pk.key).is_ok()
-    });
+            && secp
+                .verify_ecdsa(&message, &ecdsa_sig.sig, &pk.inner)
+                .is_ok()
+    }));
     println!("\nExample three");
     for elem in iter {
         let error = elem.expect_err("evaluation error");

integration_test/Cargo.toml

@@ -7,6 +7,6 @@ authors = ["Steven Roose <[email protected]>", "Sanket K <sanket1729@gmail.
 miniscript = {path = "../"}
 
 # Until 0.26 support is released on rust-bitcoincore-rpc
-bitcoincore-rpc = {git = "https://github.com/sanket1729/rust-bitcoincore-rpc",rev = "ae3ad6cac0a83454f267cb7d5191f6607bb80297"}
-bitcoin = {git = "https://github.com/rust-bitcoin/rust-bitcoin", rev = "0e2e55971275da64ceb62e8991a0a5fa962cb8b1"}
+bitcoincore-rpc = {git = "https://github.com/sanket1729/rust-bitcoincore-rpc",rev = "bcc35944b3dd636cdff9710f90f8e0cfcab28f27"}
+bitcoin = "0.28.0-rc.1"
 log = "0.4"

integration_test/src/main.rs

@@ -207,7 +207,7 @@ fn main() {
         for sk in sks_reqd {
             let sig = secp.sign_ecdsa(&msg, &sk);
             let pk = pks[sks.iter().position(|&x| x == sk).unwrap()];
-            psbts[i].inputs[0].partial_sigs.insert(pk, bitcoin::EcdsaSig { sig, hash_ty: sighash_ty });
+            psbts[i].inputs[0].partial_sigs.insert(pk.inner, bitcoin::EcdsaSig { sig, hash_ty: sighash_ty });
         }
         // Add the hash preimages to the psbt
         psbts[i].inputs[0].sha256_preimages.insert(

integration_test/src/read_file.rs

@@ -60,7 +60,7 @@ fn setup_keys(
 
         let sk = secp256k1::SecretKey::from_slice(&sk[..]).expect("secret key");
         let pk = miniscript::bitcoin::PublicKey {
-            key: secp256k1::PublicKey::from_secret_key(&secp_sign, &sk),
+            inner: secp256k1::PublicKey::from_secret_key(&secp_sign, &sk),
             compressed: true,
         };
         pks.push(pk);

src/descriptor/key.rs

@@ -4,11 +4,10 @@ use bitcoin::{
     self,
     hashes::Hash,
     hashes::{hex::FromHex, HashEngine},
-    schnorr::XOnlyPublicKey,
     secp256k1,
     secp256k1::{Secp256k1, Signing},
     util::bip32,
-    XpubIdentifier,
+    XOnlyPublicKey, XpubIdentifier,
 };
 
 use {MiniscriptKey, ToPublicKey};

src/descriptor/mod.rs

@@ -1023,10 +1023,7 @@ mod tests {
         let secp = secp256k1::Secp256k1::new();
         let sk =
             secp256k1::SecretKey::from_slice(&b"sally was a secret key, she said"[..]).unwrap();
-        let pk = bitcoin::PublicKey {
-            key: secp256k1::PublicKey::from_secret_key(&secp, &sk),
-            compressed: true,
-        };
+        let pk = bitcoin::PublicKey::new(secp256k1::PublicKey::from_secret_key(&secp, &sk));
         let msg = secp256k1::Message::from_slice(&b"michael was a message, amusingly"[..])
             .expect("32 bytes");
         let sig = secp.sign_ecdsa(&msg, &sk);

src/descriptor/sortedmulti.rs

@@ -140,9 +140,9 @@ impl<Pk: MiniscriptKey, Ctx: ScriptContext> SortedMultiVec<Pk, Ctx> {
         // Sort pubkeys lexicographically according to BIP 67
         pks.sort_by(|a, b| {
             a.to_public_key()
-                .key
+                .inner
                 .serialize()
-                .partial_cmp(&b.to_public_key().key.serialize())
+                .partial_cmp(&b.to_public_key().inner.serialize())
                 .unwrap()
         });
         Terminal::Multi(self.k, pks)

src/interpreter/error.rs

@@ -13,16 +13,30 @@
 //
 
 use bitcoin::hashes::{hash160, hex::ToHex};
+use bitcoin::util::taproot;
 use bitcoin::{self, secp256k1};
 use std::{error, fmt};
 
+use super::BitcoinKey;
+
 /// Detailed Error type for Interpreter
 #[derive(Debug)]
 pub enum Error {
     /// Could not satisfy, absolute locktime not met
     AbsoluteLocktimeNotMet(u32),
+    /// Cannot Infer a taproot descriptor
+    /// Key spends cannot infer the internal key of the descriptor
+    /// Inferring script spends is possible, but is hidden nodes are currently
+    /// not supported in descriptor spec
+    CannotInferTrDescriptors,
+    /// Error parsing taproot control block
+    ControlBlockParse(taproot::TaprootError),
+    /// Tap control block(merkle proofs + tweak) verification error
+    ControlBlockVerificationError,
     /// General Interpreter error.
     CouldNotEvaluate,
+    /// EcdsaSig related error
+    EcdsaSig(bitcoin::EcdsaSigError),
     /// We expected a push (including a `OP_1` but no other numeric pushes)
     ExpectedPush,
     /// The preimage to the hash function must be exactly 32 bytes.
@@ -39,8 +53,10 @@ pub enum Error {
     InsufficientSignaturesMultiSig,
     /// Invalid Sighash type
     InvalidSchnorrSigHashType(Vec<u8>),
+    /// ecdsa Signature failed to verify
+    InvalidEcdsaSignature(bitcoin::PublicKey),
     /// Signature failed to verify
-    InvalidSignature(bitcoin::PublicKey),
+    InvalidSchnorrSignature(bitcoin::XOnlyPublicKey),
     /// Last byte of this signature isn't a standard sighash type
     NonStandardSigHash(Vec<u8>),
     /// Miniscript error
@@ -60,21 +76,29 @@ pub enum Error {
     /// Any input witness apart from sat(sig) or nsat(0) leads to
     /// this error. This is network standardness assumption and miniscript only
     /// supports standard scripts
-    PkEvaluationError(bitcoin::PublicKey),
+    // note that BitcoinKey is not exported, create a data structure to convey the same
+    // information in error
+    PkEvaluationError(PkEvalErrInner),
     /// The Public Key hash check for the given pubkey. This occurs in `PkH`
     /// node when the given key does not match to Hash in script.
     PkHashVerifyFail(hash160::Hash),
     /// Parse Error while parsing a `stack::Element::Push` as a Pubkey. Both
     /// 33 byte and 65 bytes are supported.
     PubkeyParseError,
+    /// Parse Error while parsing a `stack::Element::Push` as a XOnlyPublicKey (32 bytes)
+    XOnlyPublicKeyParseError,
     /// Could not satisfy, relative locktime not met
     RelativeLocktimeNotMet(u32),
     /// Forward-secp related errors
     Secp(secp256k1::Error),
     /// Miniscript requires the entire top level script to be satisfied.
     ScriptSatisfactionError,
+    /// Schnorr Signature error
+    SchnorrSig(bitcoin::SchnorrSigError),
     /// Errors in signature hash calculations
     SighashError(bitcoin::util::sighash::Error),
+    /// Taproot Annex Unsupported
+    TapAnnexUnsupported,
     /// An uncompressed public key was encountered in a context where it is
     /// disallowed (e.g. in a Segwit script or p2wpkh output)
     UncompressedPubkey,
@@ -92,6 +116,34 @@ pub enum Error {
     VerifyFailed,
 }
 
+/// A type of representing which keys errored during interpreter checksig evaluation
+// Note that we can't use BitcoinKey because it is not public
+#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub enum PkEvalErrInner {
+    /// Full Key
+    FullKey(bitcoin::PublicKey),
+    /// XOnly Key
+    XOnlyKey(bitcoin::XOnlyPublicKey),
+}
+
+impl From<BitcoinKey> for PkEvalErrInner {
+    fn from(pk: BitcoinKey) -> Self {
+        match pk {
+            BitcoinKey::Fullkey(pk) => PkEvalErrInner::FullKey(pk),
+            BitcoinKey::XOnlyPublicKey(xpk) => PkEvalErrInner::XOnlyKey(xpk),
+        }
+    }
+}
+
+impl fmt::Display for PkEvalErrInner {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            PkEvalErrInner::FullKey(pk) => pk.fmt(f),
+            PkEvalErrInner::XOnlyKey(xpk) => xpk.fmt(f),
+        }
+    }
+}
+
 #[doc(hidden)]
 impl From<secp256k1::Error> for Error {
     fn from(e: secp256k1::Error) -> Error {
@@ -106,6 +158,20 @@ impl From<bitcoin::util::sighash::Error> for Error {
     }
 }
 
+#[doc(hidden)]
+impl From<bitcoin::EcdsaSigError> for Error {
+    fn from(e: bitcoin::EcdsaSigError) -> Error {
+        Error::EcdsaSig(e)
+    }
+}
+
+#[doc(hidden)]
+impl From<bitcoin::SchnorrSigError> for Error {
+    fn from(e: bitcoin::SchnorrSigError) -> Error {
+        Error::SchnorrSig(e)
+    }
+}
+
 #[doc(hidden)]
 impl From<::Error> for Error {
     fn from(e: ::Error) -> Error {
@@ -130,6 +196,12 @@ impl fmt::Display for Error {
                 "required absolute locktime CLTV of {} blocks, not met",
                 n
             ),
+            Error::CannotInferTrDescriptors => write!(f, "Cannot infer taproot descriptors"),
+            Error::ControlBlockParse(ref e) => write!(f, "Control block parse error {}", e),
+            Error::ControlBlockVerificationError => {
+                f.write_str("Control block verification failed")
+            }
+            Error::EcdsaSig(ref s) => write!(f, "Ecdsa sig error: {}", s),
             Error::ExpectedPush => f.write_str("expected push in script"),
             Error::CouldNotEvaluate => f.write_str("Interpreter Error: Could not evaluate"),
             Error::HashPreimageLengthMismatch => f.write_str("Hash preimage should be 32 bytes"),
@@ -147,7 +219,8 @@ impl fmt::Display for Error {
                     sig.to_hex()
                 )
             }
-            Error::InvalidSignature(pk) => write!(f, "bad signature with pk {}", pk),
+            Error::InvalidEcdsaSignature(pk) => write!(f, "bad ecdsa signature with pk {}", pk),
+            Error::InvalidSchnorrSignature(pk) => write!(f, "bad schnorr signature with pk {}", pk),
             Error::NonStandardSigHash(ref sig) => {
                 write!(
                     f,
@@ -165,12 +238,15 @@ impl fmt::Display for Error {
             Error::PkEvaluationError(ref key) => write!(f, "Incorrect Signature for pk {}", key),
             Error::PkHashVerifyFail(ref hash) => write!(f, "Pubkey Hash check failed {}", hash),
             Error::PubkeyParseError => f.write_str("could not parse pubkey"),
+            Error::XOnlyPublicKeyParseError => f.write_str("could not parse x-only pubkey"),
             Error::RelativeLocktimeNotMet(n) => {
                 write!(f, "required relative locktime CSV of {} blocks, not met", n)
             }
             Error::ScriptSatisfactionError => f.write_str("Top level script must be satisfied"),
             Error::Secp(ref e) => fmt::Display::fmt(e, f),
+            Error::SchnorrSig(ref s) => write!(f, "Schnorr sig error: {}", s),
             Error::SighashError(ref e) => fmt::Display::fmt(e, f),
+            Error::TapAnnexUnsupported => f.write_str("Encountered annex element"),
             Error::UncompressedPubkey => {
                 f.write_str("uncompressed pubkey in non-legacy descriptor")
             }