|
|
@ -66,23 +66,115 @@ static void add_push_key(u8 **scriptp, const struct pubkey *key) |
|
|
|
add_push_bytes(scriptp, key->key, pubkey_len(key)); |
|
|
|
} |
|
|
|
|
|
|
|
/* Stolen direct from bitcoin/src/script/sign.cpp:
|
|
|
|
// Copyright (c) 2009-2010 Satoshi Nakamoto
|
|
|
|
// Copyright (c) 2009-2014 The Bitcoin Core developers
|
|
|
|
// Distributed under the MIT software license, see the accompanying
|
|
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
*/ |
|
|
|
static bool IsValidSignatureEncoding(const unsigned char sig[], size_t len) |
|
|
|
{ |
|
|
|
// Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
|
|
|
|
// * total-length: 1-byte length descriptor of everything that follows,
|
|
|
|
// excluding the sighash byte.
|
|
|
|
// * R-length: 1-byte length descriptor of the R value that follows.
|
|
|
|
// * R: arbitrary-length big-endian encoded R value. It must use the shortest
|
|
|
|
// possible encoding for a positive integers (which means no null bytes at
|
|
|
|
// the start, except a single one when the next byte has its highest bit set).
|
|
|
|
// * S-length: 1-byte length descriptor of the S value that follows.
|
|
|
|
// * S: arbitrary-length big-endian encoded S value. The same rules apply.
|
|
|
|
// * sighash: 1-byte value indicating what data is hashed (not part of the DER
|
|
|
|
// signature)
|
|
|
|
|
|
|
|
// Minimum and maximum size constraints.
|
|
|
|
if (len < 9) return false; |
|
|
|
if (len > 73) return false; |
|
|
|
|
|
|
|
// A signature is of type 0x30 (compound).
|
|
|
|
if (sig[0] != 0x30) return false; |
|
|
|
|
|
|
|
// Make sure the length covers the entire signature.
|
|
|
|
if (sig[1] != len - 3) return false; |
|
|
|
|
|
|
|
// Extract the length of the R element.
|
|
|
|
unsigned int lenR = sig[3]; |
|
|
|
|
|
|
|
// Make sure the length of the S element is still inside the signature.
|
|
|
|
if (5 + lenR >= len) return false; |
|
|
|
|
|
|
|
// Extract the length of the S element.
|
|
|
|
unsigned int lenS = sig[5 + lenR]; |
|
|
|
|
|
|
|
// Verify that the length of the signature matches the sum of the length
|
|
|
|
// of the elements.
|
|
|
|
if ((size_t)(lenR + lenS + 7) != len) return false; |
|
|
|
|
|
|
|
// Check whether the R element is an integer.
|
|
|
|
if (sig[2] != 0x02) return false; |
|
|
|
|
|
|
|
// Zero-length integers are not allowed for R.
|
|
|
|
if (lenR == 0) return false; |
|
|
|
|
|
|
|
// Negative numbers are not allowed for R.
|
|
|
|
if (sig[4] & 0x80) return false; |
|
|
|
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would
|
|
|
|
// otherwise be interpreted as a negative number.
|
|
|
|
if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; |
|
|
|
|
|
|
|
// Check whether the S element is an integer.
|
|
|
|
if (sig[lenR + 4] != 0x02) return false; |
|
|
|
|
|
|
|
// Zero-length integers are not allowed for S.
|
|
|
|
if (lenS == 0) return false; |
|
|
|
|
|
|
|
// Negative numbers are not allowed for S.
|
|
|
|
if (sig[lenR + 6] & 0x80) return false; |
|
|
|
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would otherwise be
|
|
|
|
// interpreted as a negative number.
|
|
|
|
if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false; |
|
|
|
|
|
|
|
return true; |
|
|
|
} |
|
|
|
|
|
|
|
/* DER encode a value, return length used. */ |
|
|
|
static size_t der_encode_val(const u8 *val, u8 *der) |
|
|
|
{ |
|
|
|
size_t len = 0; |
|
|
|
|
|
|
|
der[len++] = 0x2; /* value type. */ |
|
|
|
/* Add zero byte if it would otherwise be signed. */ |
|
|
|
if (val[0] & 0x80) { |
|
|
|
der[len++] = 33; /* value length */ |
|
|
|
der[len++] = 0; |
|
|
|
} else |
|
|
|
der[len++] = 32; /* value length */ |
|
|
|
|
|
|
|
memcpy(der + len, val, 32); |
|
|
|
return len + 32; |
|
|
|
} |
|
|
|
|
|
|
|
/* Bitcoin wants DER encoding. */ |
|
|
|
static void add_push_sig(u8 **scriptp, const struct signature *sig) |
|
|
|
static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig) |
|
|
|
{ |
|
|
|
u8 der[2 + 2 + sizeof(sig->r) + 2 + sizeof(sig->s)]; |
|
|
|
u8 der[2 + 2 + 1 + sizeof(sig->sig.r) + 2 + 1 + sizeof(sig->sig.s) + 1]; |
|
|
|
size_t len = 0; |
|
|
|
|
|
|
|
der[len++] = 0x30; /* Type */ |
|
|
|
der[len++] = 0; /* Total length after this: fill it at end. */ |
|
|
|
|
|
|
|
der[0] = 0x30; /* Type */ |
|
|
|
der[1] = sizeof(der) - 2; /* Total length */ |
|
|
|
len += der_encode_val(sig->sig.r, der + len); |
|
|
|
len += der_encode_val(sig->sig.s, der + len); |
|
|
|
|
|
|
|
der[2] = 0x2; /* r value type. */ |
|
|
|
der[3] = sizeof(sig->r); /* r length */ |
|
|
|
memcpy(der+4, sig->r, sizeof(sig->r)); |
|
|
|
/* Fix up total length */ |
|
|
|
der[1] = len - 2; |
|
|
|
|
|
|
|
der[4 + sizeof(sig->r)] = 0x2; /* s value type. */ |
|
|
|
der[4 + sizeof(sig->r) + 1] = sizeof(sig->s); /* s value length. */ |
|
|
|
memcpy(der+4+sizeof(sig->r)+2, sig->s, sizeof(sig->s)); |
|
|
|
/* Append sighash type */ |
|
|
|
der[len++] = sig->stype; |
|
|
|
|
|
|
|
add_push_bytes(scriptp, der, sizeof(der)); |
|
|
|
assert(IsValidSignatureEncoding(der, len)); |
|
|
|
add_push_bytes(scriptp, der, len); |
|
|
|
} |
|
|
|
|
|
|
|
/* FIXME: permute? */ |
|
|
@ -155,7 +247,7 @@ u8 *scriptpubkey_pay_to_pubkeyhash(const tal_t *ctx, |
|
|
|
|
|
|
|
u8 *scriptsig_pay_to_pubkeyhash(const tal_t *ctx, |
|
|
|
const struct pubkey *key, |
|
|
|
const struct signature *sig) |
|
|
|
const struct bitcoin_signature *sig) |
|
|
|
{ |
|
|
|
u8 *script = tal_arr(ctx, u8, 0); |
|
|
|
|
|
|
@ -166,8 +258,8 @@ u8 *scriptsig_pay_to_pubkeyhash(const tal_t *ctx, |
|
|
|
} |
|
|
|
|
|
|
|
u8 *scriptsig_p2sh_2of2(const tal_t *ctx, |
|
|
|
const struct signature *sig1, |
|
|
|
const struct signature *sig2, |
|
|
|
const struct bitcoin_signature *sig1, |
|
|
|
const struct bitcoin_signature *sig2, |
|
|
|
const struct pubkey *key1, |
|
|
|
const struct pubkey *key2) |
|
|
|
{ |
|
|
|