Bitcoin Core  27.99.0
P2P Digital Currency
script_tests.cpp
Go to the documentation of this file.
1 // Copyright (c) 2011-2022 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <test/data/script_tests.json.h>
6 #include <test/data/bip341_wallet_vectors.json.h>
7 
8 #include <common/system.h>
9 #include <core_io.h>
10 #include <key.h>
11 #include <rpc/util.h>
12 #include <script/script.h>
13 #include <script/script_error.h>
14 #include <script/sigcache.h>
15 #include <script/sign.h>
16 #include <script/signingprovider.h>
17 #include <script/solver.h>
18 #include <streams.h>
19 #include <test/util/json.h>
20 #include <test/util/random.h>
21 #include <test/util/setup_common.h>
23 #include <util/fs.h>
24 #include <util/strencodings.h>
25 
26 #include <cstdint>
27 #include <fstream>
28 #include <string>
29 #include <vector>
30 
31 #include <boost/test/unit_test.hpp>
32 
33 #include <univalue.h>
34 
35 // Uncomment if you want to output updated JSON tests.
36 // #define UPDATE_JSON_TESTS
37 
38 static const unsigned int gFlags = SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_STRICTENC;
39 
40 unsigned int ParseScriptFlags(std::string strFlags);
41 std::string FormatScriptFlags(unsigned int flags);
42 
44 {
46  const char *name;
47 };
48 
50  {SCRIPT_ERR_OK, "OK"},
51  {SCRIPT_ERR_UNKNOWN_ERROR, "UNKNOWN_ERROR"},
52  {SCRIPT_ERR_EVAL_FALSE, "EVAL_FALSE"},
53  {SCRIPT_ERR_OP_RETURN, "OP_RETURN"},
54  {SCRIPT_ERR_SCRIPT_SIZE, "SCRIPT_SIZE"},
55  {SCRIPT_ERR_PUSH_SIZE, "PUSH_SIZE"},
56  {SCRIPT_ERR_OP_COUNT, "OP_COUNT"},
57  {SCRIPT_ERR_STACK_SIZE, "STACK_SIZE"},
58  {SCRIPT_ERR_SIG_COUNT, "SIG_COUNT"},
59  {SCRIPT_ERR_PUBKEY_COUNT, "PUBKEY_COUNT"},
60  {SCRIPT_ERR_VERIFY, "VERIFY"},
61  {SCRIPT_ERR_EQUALVERIFY, "EQUALVERIFY"},
62  {SCRIPT_ERR_CHECKMULTISIGVERIFY, "CHECKMULTISIGVERIFY"},
63  {SCRIPT_ERR_CHECKSIGVERIFY, "CHECKSIGVERIFY"},
64  {SCRIPT_ERR_NUMEQUALVERIFY, "NUMEQUALVERIFY"},
65  {SCRIPT_ERR_BAD_OPCODE, "BAD_OPCODE"},
66  {SCRIPT_ERR_DISABLED_OPCODE, "DISABLED_OPCODE"},
67  {SCRIPT_ERR_INVALID_STACK_OPERATION, "INVALID_STACK_OPERATION"},
68  {SCRIPT_ERR_INVALID_ALTSTACK_OPERATION, "INVALID_ALTSTACK_OPERATION"},
69  {SCRIPT_ERR_UNBALANCED_CONDITIONAL, "UNBALANCED_CONDITIONAL"},
70  {SCRIPT_ERR_NEGATIVE_LOCKTIME, "NEGATIVE_LOCKTIME"},
71  {SCRIPT_ERR_UNSATISFIED_LOCKTIME, "UNSATISFIED_LOCKTIME"},
72  {SCRIPT_ERR_SIG_HASHTYPE, "SIG_HASHTYPE"},
73  {SCRIPT_ERR_SIG_DER, "SIG_DER"},
74  {SCRIPT_ERR_MINIMALDATA, "MINIMALDATA"},
75  {SCRIPT_ERR_SIG_PUSHONLY, "SIG_PUSHONLY"},
76  {SCRIPT_ERR_SIG_HIGH_S, "SIG_HIGH_S"},
77  {SCRIPT_ERR_SIG_NULLDUMMY, "SIG_NULLDUMMY"},
78  {SCRIPT_ERR_PUBKEYTYPE, "PUBKEYTYPE"},
79  {SCRIPT_ERR_CLEANSTACK, "CLEANSTACK"},
80  {SCRIPT_ERR_MINIMALIF, "MINIMALIF"},
81  {SCRIPT_ERR_SIG_NULLFAIL, "NULLFAIL"},
82  {SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS, "DISCOURAGE_UPGRADABLE_NOPS"},
83  {SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM, "DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM"},
84  {SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH, "WITNESS_PROGRAM_WRONG_LENGTH"},
85  {SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY, "WITNESS_PROGRAM_WITNESS_EMPTY"},
86  {SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH, "WITNESS_PROGRAM_MISMATCH"},
87  {SCRIPT_ERR_WITNESS_MALLEATED, "WITNESS_MALLEATED"},
88  {SCRIPT_ERR_WITNESS_MALLEATED_P2SH, "WITNESS_MALLEATED_P2SH"},
89  {SCRIPT_ERR_WITNESS_UNEXPECTED, "WITNESS_UNEXPECTED"},
90  {SCRIPT_ERR_WITNESS_PUBKEYTYPE, "WITNESS_PUBKEYTYPE"},
91  {SCRIPT_ERR_OP_CODESEPARATOR, "OP_CODESEPARATOR"},
92  {SCRIPT_ERR_SIG_FINDANDDELETE, "SIG_FINDANDDELETE"},
93 };
94 
95 static std::string FormatScriptError(ScriptError_t err)
96 {
97  for (const auto& se : script_errors)
98  if (se.err == err)
99  return se.name;
100  BOOST_ERROR("Unknown scripterror enumeration value, update script_errors in script_tests.cpp.");
101  return "";
102 }
103 
104 static ScriptError_t ParseScriptError(const std::string& name)
105 {
106  for (const auto& se : script_errors)
107  if (se.name == name)
108  return se.err;
109  BOOST_ERROR("Unknown scripterror \"" << name << "\" in test description");
111 }
112 
113 BOOST_FIXTURE_TEST_SUITE(script_tests, BasicTestingSetup)
114 
115 void DoTest(const CScript& scriptPubKey, const CScript& scriptSig, const CScriptWitness& scriptWitness, uint32_t flags, const std::string& message, int scriptError, CAmount nValue = 0)
116 {
117  bool expect = (scriptError == SCRIPT_ERR_OK);
121  }
122  ScriptError err;
123  const CTransaction txCredit{BuildCreditingTransaction(scriptPubKey, nValue)};
124  CMutableTransaction tx = BuildSpendingTransaction(scriptSig, scriptWitness, txCredit);
125  CMutableTransaction tx2 = tx;
126  BOOST_CHECK_MESSAGE(VerifyScript(scriptSig, scriptPubKey, &scriptWitness, flags, MutableTransactionSignatureChecker(&tx, 0, txCredit.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err) == expect, message);
127  BOOST_CHECK_MESSAGE(err == scriptError, FormatScriptError(err) + " where " + FormatScriptError((ScriptError_t)scriptError) + " expected: " + message);
128 
129  // Verify that removing flags from a passing test or adding flags to a failing test does not change the result.
130  for (int i = 0; i < 16; ++i) {
131  uint32_t extra_flags(InsecureRandBits(16));
132  uint32_t combined_flags{expect ? (flags & ~extra_flags) : (flags | extra_flags)};
133  // Weed out some invalid flag combinations.
134  if (combined_flags & SCRIPT_VERIFY_CLEANSTACK && ~combined_flags & (SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS)) continue;
135  if (combined_flags & SCRIPT_VERIFY_WITNESS && ~combined_flags & SCRIPT_VERIFY_P2SH) continue;
136  BOOST_CHECK_MESSAGE(VerifyScript(scriptSig, scriptPubKey, &scriptWitness, combined_flags, MutableTransactionSignatureChecker(&tx, 0, txCredit.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err) == expect, message + strprintf(" (with flags %x)", combined_flags));
137  }
138 }
139 
140 void static NegateSignatureS(std::vector<unsigned char>& vchSig) {
141  // Parse the signature.
142  std::vector<unsigned char> r, s;
143  r = std::vector<unsigned char>(vchSig.begin() + 4, vchSig.begin() + 4 + vchSig[3]);
144  s = std::vector<unsigned char>(vchSig.begin() + 6 + vchSig[3], vchSig.begin() + 6 + vchSig[3] + vchSig[5 + vchSig[3]]);
145 
146  // Really ugly to implement mod-n negation here, but it would be feature creep to expose such functionality from libsecp256k1.
147  static const unsigned char order[33] = {
148  0x00,
149  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
150  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
151  0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
152  0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
153  };
154  while (s.size() < 33) {
155  s.insert(s.begin(), 0x00);
156  }
157  int carry = 0;
158  for (int p = 32; p >= 1; p--) {
159  int n = (int)order[p] - s[p] - carry;
160  s[p] = (n + 256) & 0xFF;
161  carry = (n < 0);
162  }
163  assert(carry == 0);
164  if (s.size() > 1 && s[0] == 0 && s[1] < 0x80) {
165  s.erase(s.begin());
166  }
167 
168  // Reconstruct the signature.
169  vchSig.clear();
170  vchSig.push_back(0x30);
171  vchSig.push_back(4 + r.size() + s.size());
172  vchSig.push_back(0x02);
173  vchSig.push_back(r.size());
174  vchSig.insert(vchSig.end(), r.begin(), r.end());
175  vchSig.push_back(0x02);
176  vchSig.push_back(s.size());
177  vchSig.insert(vchSig.end(), s.begin(), s.end());
178 }
179 
180 namespace
181 {
182 const unsigned char vchKey0[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
183 const unsigned char vchKey1[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0};
184 const unsigned char vchKey2[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0};
185 
186 struct KeyData
187 {
188  CKey key0, key0C, key1, key1C, key2, key2C;
189  CPubKey pubkey0, pubkey0C, pubkey0H;
190  CPubKey pubkey1, pubkey1C;
191  CPubKey pubkey2, pubkey2C;
192 
193  KeyData()
194  {
195  key0.Set(vchKey0, vchKey0 + 32, false);
196  key0C.Set(vchKey0, vchKey0 + 32, true);
197  pubkey0 = key0.GetPubKey();
198  pubkey0H = key0.GetPubKey();
199  pubkey0C = key0C.GetPubKey();
200  *const_cast<unsigned char*>(pubkey0H.data()) = 0x06 | (pubkey0H[64] & 1);
201 
202  key1.Set(vchKey1, vchKey1 + 32, false);
203  key1C.Set(vchKey1, vchKey1 + 32, true);
204  pubkey1 = key1.GetPubKey();
205  pubkey1C = key1C.GetPubKey();
206 
207  key2.Set(vchKey2, vchKey2 + 32, false);
208  key2C.Set(vchKey2, vchKey2 + 32, true);
209  pubkey2 = key2.GetPubKey();
210  pubkey2C = key2C.GetPubKey();
211  }
212 };
213 
214 enum class WitnessMode {
215  NONE,
216  PKH,
217  SH
218 };
219 
220 class TestBuilder
221 {
222 private:
224  CScript script;
226  CScript redeemscript;
228  CScript witscript;
229  CScriptWitness scriptWitness;
230  CTransactionRef creditTx;
231  CMutableTransaction spendTx;
232  bool havePush{false};
233  std::vector<unsigned char> push;
234  std::string comment;
235  uint32_t flags;
236  int scriptError{SCRIPT_ERR_OK};
237  CAmount nValue;
238 
239  void DoPush()
240  {
241  if (havePush) {
242  spendTx.vin[0].scriptSig << push;
243  havePush = false;
244  }
245  }
246 
247  void DoPush(const std::vector<unsigned char>& data)
248  {
249  DoPush();
250  push = data;
251  havePush = true;
252  }
253 
254 public:
255  TestBuilder(const CScript& script_, const std::string& comment_, uint32_t flags_, bool P2SH = false, WitnessMode wm = WitnessMode::NONE, int witnessversion = 0, CAmount nValue_ = 0) : script(script_), comment(comment_), flags(flags_), nValue(nValue_)
256  {
257  CScript scriptPubKey = script;
258  if (wm == WitnessMode::PKH) {
259  uint160 hash;
260  CHash160().Write(Span{script}.subspan(1)).Finalize(hash);
261  script = CScript() << OP_DUP << OP_HASH160 << ToByteVector(hash) << OP_EQUALVERIFY << OP_CHECKSIG;
262  scriptPubKey = CScript() << witnessversion << ToByteVector(hash);
263  } else if (wm == WitnessMode::SH) {
264  witscript = scriptPubKey;
265  uint256 hash;
266  CSHA256().Write(witscript.data(), witscript.size()).Finalize(hash.begin());
267  scriptPubKey = CScript() << witnessversion << ToByteVector(hash);
268  }
269  if (P2SH) {
270  redeemscript = scriptPubKey;
271  scriptPubKey = CScript() << OP_HASH160 << ToByteVector(CScriptID(redeemscript)) << OP_EQUAL;
272  }
273  creditTx = MakeTransactionRef(BuildCreditingTransaction(scriptPubKey, nValue));
274  spendTx = BuildSpendingTransaction(CScript(), CScriptWitness(), *creditTx);
275  }
276 
277  TestBuilder& ScriptError(ScriptError_t err)
278  {
279  scriptError = err;
280  return *this;
281  }
282 
283  TestBuilder& Opcode(const opcodetype& _op)
284  {
285  DoPush();
286  spendTx.vin[0].scriptSig << _op;
287  return *this;
288  }
289 
290  TestBuilder& Num(int num)
291  {
292  DoPush();
293  spendTx.vin[0].scriptSig << num;
294  return *this;
295  }
296 
297  TestBuilder& Push(const std::string& hex)
298  {
299  DoPush(ParseHex(hex));
300  return *this;
301  }
302 
303  TestBuilder& Push(const CScript& _script)
304  {
305  DoPush(std::vector<unsigned char>(_script.begin(), _script.end()));
306  return *this;
307  }
308 
309  TestBuilder& PushSig(const CKey& key, int nHashType = SIGHASH_ALL, unsigned int lenR = 32, unsigned int lenS = 32, SigVersion sigversion = SigVersion::BASE, CAmount amount = 0)
310  {
311  uint256 hash = SignatureHash(script, spendTx, 0, nHashType, amount, sigversion);
312  std::vector<unsigned char> vchSig, r, s;
313  uint32_t iter = 0;
314  do {
315  key.Sign(hash, vchSig, false, iter++);
316  if ((lenS == 33) != (vchSig[5 + vchSig[3]] == 33)) {
317  NegateSignatureS(vchSig);
318  }
319  r = std::vector<unsigned char>(vchSig.begin() + 4, vchSig.begin() + 4 + vchSig[3]);
320  s = std::vector<unsigned char>(vchSig.begin() + 6 + vchSig[3], vchSig.begin() + 6 + vchSig[3] + vchSig[5 + vchSig[3]]);
321  } while (lenR != r.size() || lenS != s.size());
322  vchSig.push_back(static_cast<unsigned char>(nHashType));
323  DoPush(vchSig);
324  return *this;
325  }
326 
327  TestBuilder& PushWitSig(const CKey& key, CAmount amount = -1, int nHashType = SIGHASH_ALL, unsigned int lenR = 32, unsigned int lenS = 32, SigVersion sigversion = SigVersion::WITNESS_V0)
328  {
329  if (amount == -1)
330  amount = nValue;
331  return PushSig(key, nHashType, lenR, lenS, sigversion, amount).AsWit();
332  }
333 
334  TestBuilder& Push(const CPubKey& pubkey)
335  {
336  DoPush(std::vector<unsigned char>(pubkey.begin(), pubkey.end()));
337  return *this;
338  }
339 
340  TestBuilder& PushRedeem()
341  {
342  DoPush(std::vector<unsigned char>(redeemscript.begin(), redeemscript.end()));
343  return *this;
344  }
345 
346  TestBuilder& PushWitRedeem()
347  {
348  DoPush(std::vector<unsigned char>(witscript.begin(), witscript.end()));
349  return AsWit();
350  }
351 
352  TestBuilder& EditPush(unsigned int pos, const std::string& hexin, const std::string& hexout)
353  {
354  assert(havePush);
355  std::vector<unsigned char> datain = ParseHex(hexin);
356  std::vector<unsigned char> dataout = ParseHex(hexout);
357  assert(pos + datain.size() <= push.size());
358  BOOST_CHECK_MESSAGE(std::vector<unsigned char>(push.begin() + pos, push.begin() + pos + datain.size()) == datain, comment);
359  push.erase(push.begin() + pos, push.begin() + pos + datain.size());
360  push.insert(push.begin() + pos, dataout.begin(), dataout.end());
361  return *this;
362  }
363 
364  TestBuilder& DamagePush(unsigned int pos)
365  {
366  assert(havePush);
367  assert(pos < push.size());
368  push[pos] ^= 1;
369  return *this;
370  }
371 
372  TestBuilder& Test()
373  {
374  TestBuilder copy = *this; // Make a copy so we can rollback the push.
375  DoPush();
376  DoTest(creditTx->vout[0].scriptPubKey, spendTx.vin[0].scriptSig, scriptWitness, flags, comment, scriptError, nValue);
377  *this = copy;
378  return *this;
379  }
380 
381  TestBuilder& AsWit()
382  {
383  assert(havePush);
384  scriptWitness.stack.push_back(push);
385  havePush = false;
386  return *this;
387  }
388 
389  UniValue GetJSON()
390  {
391  DoPush();
392  UniValue array(UniValue::VARR);
393  if (!scriptWitness.stack.empty()) {
395  for (unsigned i = 0; i < scriptWitness.stack.size(); i++) {
396  wit.push_back(HexStr(scriptWitness.stack[i]));
397  }
398  wit.push_back(ValueFromAmount(nValue));
399  array.push_back(wit);
400  }
401  array.push_back(FormatScript(spendTx.vin[0].scriptSig));
402  array.push_back(FormatScript(creditTx->vout[0].scriptPubKey));
403  array.push_back(FormatScriptFlags(flags));
404  array.push_back(FormatScriptError((ScriptError_t)scriptError));
405  array.push_back(comment);
406  return array;
407  }
408 
409  std::string GetComment() const
410  {
411  return comment;
412  }
413 };
414 
415 std::string JSONPrettyPrint(const UniValue& univalue)
416 {
417  std::string ret = univalue.write(4);
418  // Workaround for libunivalue pretty printer, which puts a space between commas and newlines
419  size_t pos = 0;
420  while ((pos = ret.find(" \n", pos)) != std::string::npos) {
421  ret.replace(pos, 2, "\n");
422  pos++;
423  }
424  return ret;
425 }
426 } // namespace
427 
428 BOOST_AUTO_TEST_CASE(script_build)
429 {
430  const KeyData keys;
431 
432  std::vector<TestBuilder> tests;
433 
434  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
435  "P2PK", 0
436  ).PushSig(keys.key0));
437  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
438  "P2PK, bad sig", 0
439  ).PushSig(keys.key0).DamagePush(10).ScriptError(SCRIPT_ERR_EVAL_FALSE));
440 
441  tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1C.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
442  "P2PKH", 0
443  ).PushSig(keys.key1).Push(keys.pubkey1C));
444  tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey2C.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
445  "P2PKH, bad pubkey", 0
446  ).PushSig(keys.key2).Push(keys.pubkey2C).DamagePush(5).ScriptError(SCRIPT_ERR_EQUALVERIFY));
447 
448  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
449  "P2PK anyonecanpay", 0
450  ).PushSig(keys.key1, SIGHASH_ALL | SIGHASH_ANYONECANPAY));
451  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
452  "P2PK anyonecanpay marked with normal hashtype", 0
453  ).PushSig(keys.key1, SIGHASH_ALL | SIGHASH_ANYONECANPAY).EditPush(70, "81", "01").ScriptError(SCRIPT_ERR_EVAL_FALSE));
454 
455  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
456  "P2SH(P2PK)", SCRIPT_VERIFY_P2SH, true
457  ).PushSig(keys.key0).PushRedeem());
458  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
459  "P2SH(P2PK), bad redeemscript", SCRIPT_VERIFY_P2SH, true
460  ).PushSig(keys.key0).PushRedeem().DamagePush(10).ScriptError(SCRIPT_ERR_EVAL_FALSE));
461 
462  tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey0.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
463  "P2SH(P2PKH)", SCRIPT_VERIFY_P2SH, true
464  ).PushSig(keys.key0).Push(keys.pubkey0).PushRedeem());
465  tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
466  "P2SH(P2PKH), bad sig but no VERIFY_P2SH", 0, true
467  ).PushSig(keys.key0).DamagePush(10).PushRedeem());
468  tests.push_back(TestBuilder(CScript() << OP_DUP << OP_HASH160 << ToByteVector(keys.pubkey1.GetID()) << OP_EQUALVERIFY << OP_CHECKSIG,
469  "P2SH(P2PKH), bad sig", SCRIPT_VERIFY_P2SH, true
470  ).PushSig(keys.key0).DamagePush(10).PushRedeem().ScriptError(SCRIPT_ERR_EQUALVERIFY));
471 
472  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
473  "3-of-3", 0
474  ).Num(0).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2));
475  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
476  "3-of-3, 2 sigs", 0
477  ).Num(0).PushSig(keys.key0).PushSig(keys.key1).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
478 
479  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
480  "P2SH(2-of-3)", SCRIPT_VERIFY_P2SH, true
481  ).Num(0).PushSig(keys.key1).PushSig(keys.key2).PushRedeem());
482  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
483  "P2SH(2-of-3), 1 sig", SCRIPT_VERIFY_P2SH, true
484  ).Num(0).PushSig(keys.key1).Num(0).PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
485 
486  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
487  "P2PK with too much R padding but no DERSIG", 0
488  ).PushSig(keys.key1, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000"));
489  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
490  "P2PK with too much R padding", SCRIPT_VERIFY_DERSIG
491  ).PushSig(keys.key1, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_SIG_DER));
492  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
493  "P2PK with too much S padding but no DERSIG", 0
494  ).PushSig(keys.key1, SIGHASH_ALL).EditPush(1, "44", "45").EditPush(37, "20", "2100"));
495  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
496  "P2PK with too much S padding", SCRIPT_VERIFY_DERSIG
497  ).PushSig(keys.key1, SIGHASH_ALL).EditPush(1, "44", "45").EditPush(37, "20", "2100").ScriptError(SCRIPT_ERR_SIG_DER));
498  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
499  "P2PK with too little R padding but no DERSIG", 0
500  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
501  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
502  "P2PK with too little R padding", SCRIPT_VERIFY_DERSIG
503  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
504  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
505  "P2PK NOT with bad sig with too much R padding but no DERSIG", 0
506  ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").DamagePush(10));
507  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
508  "P2PK NOT with bad sig with too much R padding", SCRIPT_VERIFY_DERSIG
509  ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").DamagePush(10).ScriptError(SCRIPT_ERR_SIG_DER));
510  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
511  "P2PK NOT with too much R padding but no DERSIG", 0
512  ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_EVAL_FALSE));
513  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG << OP_NOT,
514  "P2PK NOT with too much R padding", SCRIPT_VERIFY_DERSIG
515  ).PushSig(keys.key2, SIGHASH_ALL, 31, 32).EditPush(1, "43021F", "44022000").ScriptError(SCRIPT_ERR_SIG_DER));
516 
517  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
518  "BIP66 example 1, without DERSIG", 0
519  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
520  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
521  "BIP66 example 1, with DERSIG", SCRIPT_VERIFY_DERSIG
522  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
523  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
524  "BIP66 example 2, without DERSIG", 0
525  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_EVAL_FALSE));
526  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
527  "BIP66 example 2, with DERSIG", SCRIPT_VERIFY_DERSIG
528  ).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
529  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
530  "BIP66 example 3, without DERSIG", 0
531  ).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
532  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
533  "BIP66 example 3, with DERSIG", SCRIPT_VERIFY_DERSIG
534  ).Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
535  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
536  "BIP66 example 4, without DERSIG", 0
537  ).Num(0));
538  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
539  "BIP66 example 4, with DERSIG", SCRIPT_VERIFY_DERSIG
540  ).Num(0));
541  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
542  "BIP66 example 5, without DERSIG", 0
543  ).Num(1).ScriptError(SCRIPT_ERR_EVAL_FALSE));
544  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG,
545  "BIP66 example 5, with DERSIG", SCRIPT_VERIFY_DERSIG
546  ).Num(1).ScriptError(SCRIPT_ERR_SIG_DER));
547  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
548  "BIP66 example 6, without DERSIG", 0
549  ).Num(1));
550  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1C) << OP_CHECKSIG << OP_NOT,
551  "BIP66 example 6, with DERSIG", SCRIPT_VERIFY_DERSIG
552  ).Num(1).ScriptError(SCRIPT_ERR_SIG_DER));
553  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
554  "BIP66 example 7, without DERSIG", 0
555  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2));
556  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
557  "BIP66 example 7, with DERSIG", SCRIPT_VERIFY_DERSIG
558  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_DER));
559  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
560  "BIP66 example 8, without DERSIG", 0
561  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_EVAL_FALSE));
562  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
563  "BIP66 example 8, with DERSIG", SCRIPT_VERIFY_DERSIG
564  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_DER));
565  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
566  "BIP66 example 9, without DERSIG", 0
567  ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_EVAL_FALSE));
568  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
569  "BIP66 example 9, with DERSIG", SCRIPT_VERIFY_DERSIG
570  ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
571  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
572  "BIP66 example 10, without DERSIG", 0
573  ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220"));
574  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
575  "BIP66 example 10, with DERSIG", SCRIPT_VERIFY_DERSIG
576  ).Num(0).Num(0).PushSig(keys.key2, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").ScriptError(SCRIPT_ERR_SIG_DER));
577  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
578  "BIP66 example 11, without DERSIG", 0
579  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
580  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG,
581  "BIP66 example 11, with DERSIG", SCRIPT_VERIFY_DERSIG
582  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0).ScriptError(SCRIPT_ERR_EVAL_FALSE));
583  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
584  "BIP66 example 12, without DERSIG", 0
585  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0));
586  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_2 << OP_CHECKMULTISIG << OP_NOT,
587  "BIP66 example 12, with DERSIG", SCRIPT_VERIFY_DERSIG
588  ).Num(0).PushSig(keys.key1, SIGHASH_ALL, 33, 32).EditPush(1, "45022100", "440220").Num(0));
589  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
590  "P2PK with multi-byte hashtype, without DERSIG", 0
591  ).PushSig(keys.key2, SIGHASH_ALL).EditPush(70, "01", "0101"));
592  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
593  "P2PK with multi-byte hashtype, with DERSIG", SCRIPT_VERIFY_DERSIG
594  ).PushSig(keys.key2, SIGHASH_ALL).EditPush(70, "01", "0101").ScriptError(SCRIPT_ERR_SIG_DER));
595 
596  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
597  "P2PK with high S but no LOW_S", 0
598  ).PushSig(keys.key2, SIGHASH_ALL, 32, 33));
599  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
600  "P2PK with high S", SCRIPT_VERIFY_LOW_S
601  ).PushSig(keys.key2, SIGHASH_ALL, 32, 33).ScriptError(SCRIPT_ERR_SIG_HIGH_S));
602 
603  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG,
604  "P2PK with hybrid pubkey but no STRICTENC", 0
605  ).PushSig(keys.key0, SIGHASH_ALL));
606  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG,
607  "P2PK with hybrid pubkey", SCRIPT_VERIFY_STRICTENC
608  ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
609  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
610  "P2PK NOT with hybrid pubkey but no STRICTENC", 0
611  ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_EVAL_FALSE));
612  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
613  "P2PK NOT with hybrid pubkey", SCRIPT_VERIFY_STRICTENC
614  ).PushSig(keys.key0, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
615  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
616  "P2PK NOT with invalid hybrid pubkey but no STRICTENC", 0
617  ).PushSig(keys.key0, SIGHASH_ALL).DamagePush(10));
618  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0H) << OP_CHECKSIG << OP_NOT,
619  "P2PK NOT with invalid hybrid pubkey", SCRIPT_VERIFY_STRICTENC
620  ).PushSig(keys.key0, SIGHASH_ALL).DamagePush(10).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
621  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey0H) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
622  "1-of-2 with the second 1 hybrid pubkey and no STRICTENC", 0
623  ).Num(0).PushSig(keys.key1, SIGHASH_ALL));
624  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey0H) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
625  "1-of-2 with the second 1 hybrid pubkey", SCRIPT_VERIFY_STRICTENC
626  ).Num(0).PushSig(keys.key1, SIGHASH_ALL));
627  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0H) << OP_2 << OP_CHECKMULTISIG,
628  "1-of-2 with the first 1 hybrid pubkey", SCRIPT_VERIFY_STRICTENC
629  ).Num(0).PushSig(keys.key1, SIGHASH_ALL).ScriptError(SCRIPT_ERR_PUBKEYTYPE));
630 
631  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
632  "P2PK with undefined hashtype but no STRICTENC", 0
633  ).PushSig(keys.key1, 5));
634  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
635  "P2PK with undefined hashtype", SCRIPT_VERIFY_STRICTENC
636  ).PushSig(keys.key1, 5).ScriptError(SCRIPT_ERR_SIG_HASHTYPE));
637  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG << OP_NOT,
638  "P2PK NOT with invalid sig and undefined hashtype but no STRICTENC", 0
639  ).PushSig(keys.key1, 5).DamagePush(10));
640  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG << OP_NOT,
641  "P2PK NOT with invalid sig and undefined hashtype", SCRIPT_VERIFY_STRICTENC
642  ).PushSig(keys.key1, 5).DamagePush(10).ScriptError(SCRIPT_ERR_SIG_HASHTYPE));
643 
644  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
645  "3-of-3 with nonzero dummy but no NULLDUMMY", 0
646  ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2));
647  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG,
648  "3-of-3 with nonzero dummy", SCRIPT_VERIFY_NULLDUMMY
649  ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).ScriptError(SCRIPT_ERR_SIG_NULLDUMMY));
650  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG << OP_NOT,
651  "3-of-3 NOT with invalid sig and nonzero dummy but no NULLDUMMY", 0
652  ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).DamagePush(10));
653  tests.push_back(TestBuilder(CScript() << OP_3 << ToByteVector(keys.pubkey0C) << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey2C) << OP_3 << OP_CHECKMULTISIG << OP_NOT,
654  "3-of-3 NOT with invalid sig with nonzero dummy", SCRIPT_VERIFY_NULLDUMMY
655  ).Num(1).PushSig(keys.key0).PushSig(keys.key1).PushSig(keys.key2).DamagePush(10).ScriptError(SCRIPT_ERR_SIG_NULLDUMMY));
656 
657  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
658  "2-of-2 with two identical keys and sigs pushed using OP_DUP but no SIGPUSHONLY", 0
659  ).Num(0).PushSig(keys.key1).Opcode(OP_DUP));
660  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
661  "2-of-2 with two identical keys and sigs pushed using OP_DUP", SCRIPT_VERIFY_SIGPUSHONLY
662  ).Num(0).PushSig(keys.key1).Opcode(OP_DUP).ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
663  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
664  "P2SH(P2PK) with non-push scriptSig but no P2SH or SIGPUSHONLY", 0, true
665  ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem());
666  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
667  "P2PK with non-push scriptSig but with P2SH validation", 0
668  ).PushSig(keys.key2).Opcode(OP_NOP8));
669  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
670  "P2SH(P2PK) with non-push scriptSig but no SIGPUSHONLY", SCRIPT_VERIFY_P2SH, true
671  ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem().ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
672  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey2C) << OP_CHECKSIG,
673  "P2SH(P2PK) with non-push scriptSig but not P2SH", SCRIPT_VERIFY_SIGPUSHONLY, true
674  ).PushSig(keys.key2).Opcode(OP_NOP8).PushRedeem().ScriptError(SCRIPT_ERR_SIG_PUSHONLY));
675  tests.push_back(TestBuilder(CScript() << OP_2 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey1C) << OP_2 << OP_CHECKMULTISIG,
676  "2-of-2 with two identical keys and sigs pushed", SCRIPT_VERIFY_SIGPUSHONLY
677  ).Num(0).PushSig(keys.key1).PushSig(keys.key1));
678  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
679  "P2PK with unnecessary input but no CLEANSTACK", SCRIPT_VERIFY_P2SH
680  ).Num(11).PushSig(keys.key0));
681  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
682  "P2PK with unnecessary input", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH
683  ).Num(11).PushSig(keys.key0).ScriptError(SCRIPT_ERR_CLEANSTACK));
684  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
685  "P2SH with unnecessary input but no CLEANSTACK", SCRIPT_VERIFY_P2SH, true
686  ).Num(11).PushSig(keys.key0).PushRedeem());
687  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
688  "P2SH with unnecessary input", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH, true
689  ).Num(11).PushSig(keys.key0).PushRedeem().ScriptError(SCRIPT_ERR_CLEANSTACK));
690  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
691  "P2SH with CLEANSTACK", SCRIPT_VERIFY_CLEANSTACK | SCRIPT_VERIFY_P2SH, true
692  ).PushSig(keys.key0).PushRedeem());
693 
694  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
695  "Basic P2WSH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
696  0, 1).PushWitSig(keys.key0).PushWitRedeem());
697  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
698  "Basic P2WPKH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH,
699  0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit());
700  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
701  "Basic P2SH(P2WSH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
702  0, 1).PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
703  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
704  "Basic P2SH(P2WPKH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH,
705  0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().PushRedeem());
706  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
707  "Basic P2WSH with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
708  ).PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
709  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
710  "Basic P2WPKH with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
711  ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().ScriptError(SCRIPT_ERR_EVAL_FALSE));
712  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
713  "Basic P2SH(P2WSH) with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH
714  ).PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
715  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
716  "Basic P2SH(P2WPKH) with the wrong key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
717  ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
718  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
719  "Basic P2WSH with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
720  ).PushWitSig(keys.key0).PushWitRedeem());
721  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
722  "Basic P2WPKH with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
723  ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit());
724  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1) << OP_CHECKSIG,
725  "Basic P2SH(P2WSH) with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, true, WitnessMode::SH
726  ).PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
727  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
728  "Basic P2SH(P2WPKH) with the wrong key but no WITNESS", SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
729  ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().PushRedeem());
730  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
731  "Basic P2WSH with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
732  0, 0).PushWitSig(keys.key0, 1).PushWitRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
733  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
734  "Basic P2WPKH with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH,
735  0, 0).PushWitSig(keys.key0, 1).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_EVAL_FALSE));
736  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
737  "Basic P2SH(P2WSH) with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
738  0, 0).PushWitSig(keys.key0, 1).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
739  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
740  "Basic P2SH(P2WPKH) with wrong value", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH,
741  0, 0).PushWitSig(keys.key0, 1).Push(keys.pubkey0).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_EVAL_FALSE));
742 
743  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
744  "P2WPKH with future witness version", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH |
745  SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM, false, WitnessMode::PKH, 1
746  ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM));
747  {
748  CScript witscript = CScript() << ToByteVector(keys.pubkey0);
749  uint256 hash;
750  CSHA256().Write(witscript.data(), witscript.size()).Finalize(hash.begin());
751  std::vector<unsigned char> hashBytes = ToByteVector(hash);
752  hashBytes.pop_back();
753  tests.push_back(TestBuilder(CScript() << OP_0 << hashBytes,
754  "P2WPKH with wrong witness program length", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false
755  ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH));
756  }
757  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
758  "P2WSH with empty witness", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
760  {
761  CScript witscript = CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG;
762  tests.push_back(TestBuilder(witscript,
763  "P2WSH with witness program mismatch", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH
764  ).PushWitSig(keys.key0).Push(witscript).DamagePush(0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH));
765  }
766  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
767  "P2WPKH with witness program mismatch", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
768  ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().Push("0").AsWit().ScriptError(SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH));
769  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
770  "P2WPKH with non-empty scriptSig", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::PKH
771  ).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().Num(11).ScriptError(SCRIPT_ERR_WITNESS_MALLEATED));
772  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey1),
773  "P2SH(P2WPKH) with superfluous push in scriptSig", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::PKH
774  ).PushWitSig(keys.key0).Push(keys.pubkey1).AsWit().Num(11).PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_MALLEATED_P2SH));
775  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
776  "P2PK with witness", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH
777  ).PushSig(keys.key0).Push("0").AsWit().ScriptError(SCRIPT_ERR_WITNESS_UNEXPECTED));
778 
779  // Compressed keys should pass SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
780  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
781  "Basic P2WSH with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
782  0, 1).PushWitSig(keys.key0C).PushWitRedeem());
783  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C),
784  "Basic P2WPKH with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::PKH,
785  0, 1).PushWitSig(keys.key0C).Push(keys.pubkey0C).AsWit());
786  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C) << OP_CHECKSIG,
787  "Basic P2SH(P2WSH) with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
788  0, 1).PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
789  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0C),
790  "Basic P2SH(P2WPKH) with compressed key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::PKH,
791  0, 1).PushWitSig(keys.key0C).Push(keys.pubkey0C).AsWit().PushRedeem());
792 
793  // Testing uncompressed key in witness with SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
794  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
795  "Basic P2WSH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
796  0, 1).PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
797  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
798  "Basic P2WPKH", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::PKH,
799  0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
800  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0) << OP_CHECKSIG,
801  "Basic P2SH(P2WSH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
802  0, 1).PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
803  tests.push_back(TestBuilder(CScript() << ToByteVector(keys.pubkey0),
804  "Basic P2SH(P2WPKH)", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::PKH,
805  0, 1).PushWitSig(keys.key0).Push(keys.pubkey0).AsWit().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
806 
807  // P2WSH 1-of-2 multisig with compressed keys
808  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
809  "P2WSH CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
810  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
811  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
812  "P2SH(P2WSH) CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
813  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
814  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
815  "P2WSH CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
816  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem());
817  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
818  "P2SH(P2WSH) CHECKMULTISIG with compressed keys", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
819  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem());
820 
821  // P2WSH 1-of-2 multisig with first key uncompressed
822  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
823  "P2WSH CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
824  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem());
825  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
826  "P2SH(P2WSH) CHECKMULTISIG first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
827  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().PushRedeem());
828  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
829  "P2WSH CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
830  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
831  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
832  "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
833  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
834  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
835  "P2WSH CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
836  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem());
837  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
838  "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
839  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem());
840  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
841  "P2WSH CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
842  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
843  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1C) << ToByteVector(keys.pubkey0) << OP_2 << OP_CHECKMULTISIG,
844  "P2SH(P2WSH) CHECKMULTISIG with first key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
845  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1C).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
846  // P2WSH 1-of-2 multisig with second key uncompressed
847  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
848  "P2WSH CHECKMULTISIG with second key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
849  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
850  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
851  "P2SH(P2WSH) CHECKMULTISIG second key uncompressed and signing with the first key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
852  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
853  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
854  "P2WSH CHECKMULTISIG with second key uncompressed and signing with the first key should pass as the uncompressed key is not used", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
855  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem());
856  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
857  "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the first key should pass as the uncompressed key is not used", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
858  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key0C).PushWitRedeem().PushRedeem());
859  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
860  "P2WSH CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, false, WitnessMode::SH,
861  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem());
862  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
863  "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH, true, WitnessMode::SH,
864  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().PushRedeem());
865  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
866  "P2WSH CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, false, WitnessMode::SH,
867  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
868  tests.push_back(TestBuilder(CScript() << OP_1 << ToByteVector(keys.pubkey1) << ToByteVector(keys.pubkey0C) << OP_2 << OP_CHECKMULTISIG,
869  "P2SH(P2WSH) CHECKMULTISIG with second key uncompressed and signing with the second key", SCRIPT_VERIFY_WITNESS | SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS_PUBKEYTYPE, true, WitnessMode::SH,
870  0, 1).Push(CScript()).AsWit().PushWitSig(keys.key1).PushWitRedeem().PushRedeem().ScriptError(SCRIPT_ERR_WITNESS_PUBKEYTYPE));
871 
872  std::set<std::string> tests_set;
873 
874  {
875  UniValue json_tests = read_json(json_tests::script_tests);
876 
877  for (unsigned int idx = 0; idx < json_tests.size(); idx++) {
878  const UniValue& tv = json_tests[idx];
879  tests_set.insert(JSONPrettyPrint(tv.get_array()));
880  }
881  }
882 
883 #ifdef UPDATE_JSON_TESTS
884  std::string strGen;
885 #endif
886  for (TestBuilder& test : tests) {
887  test.Test();
888  std::string str = JSONPrettyPrint(test.GetJSON());
889 #ifdef UPDATE_JSON_TESTS
890  strGen += str + ",\n";
891 #else
892  if (tests_set.count(str) == 0) {
893  BOOST_CHECK_MESSAGE(false, "Missing auto script_valid test: " + test.GetComment());
894  }
895 #endif
896  }
897 
898 #ifdef UPDATE_JSON_TESTS
899  FILE* file = fsbridge::fopen("script_tests.json.gen", "w");
900  fputs(strGen.c_str(), file);
901  fclose(file);
902 #endif
903 }
904 
905 BOOST_AUTO_TEST_CASE(script_json_test)
906 {
907  // Read tests from test/data/script_tests.json
908  // Format is an array of arrays
909  // Inner arrays are [ ["wit"..., nValue]?, "scriptSig", "scriptPubKey", "flags", "expected_scripterror" ]
910  // ... where scriptSig and scriptPubKey are stringified
911  // scripts.
912  // If a witness is given, then the last value in the array should be the
913  // amount (nValue) to use in the crediting tx
914  UniValue tests = read_json(json_tests::script_tests);
915 
916  for (unsigned int idx = 0; idx < tests.size(); idx++) {
917  const UniValue& test = tests[idx];
918  std::string strTest = test.write();
919  CScriptWitness witness;
920  CAmount nValue = 0;
921  unsigned int pos = 0;
922  if (test.size() > 0 && test[pos].isArray()) {
923  unsigned int i=0;
924  for (i = 0; i < test[pos].size()-1; i++) {
925  witness.stack.push_back(ParseHex(test[pos][i].get_str()));
926  }
927  nValue = AmountFromValue(test[pos][i]);
928  pos++;
929  }
930  if (test.size() < 4 + pos) // Allow size > 3; extra stuff ignored (useful for comments)
931  {
932  if (test.size() != 1) {
933  BOOST_ERROR("Bad test: " << strTest);
934  }
935  continue;
936  }
937  std::string scriptSigString = test[pos++].get_str();
938  CScript scriptSig = ParseScript(scriptSigString);
939  std::string scriptPubKeyString = test[pos++].get_str();
940  CScript scriptPubKey = ParseScript(scriptPubKeyString);
941  unsigned int scriptflags = ParseScriptFlags(test[pos++].get_str());
942  int scriptError = ParseScriptError(test[pos++].get_str());
943 
944  DoTest(scriptPubKey, scriptSig, witness, scriptflags, strTest, scriptError, nValue);
945  }
946 }
947 
948 BOOST_AUTO_TEST_CASE(script_PushData)
949 {
950  // Check that PUSHDATA1, PUSHDATA2, and PUSHDATA4 create the same value on
951  // the stack as the 1-75 opcodes do.
952  static const unsigned char direct[] = { 1, 0x5a };
953  static const unsigned char pushdata1[] = { OP_PUSHDATA1, 1, 0x5a };
954  static const unsigned char pushdata2[] = { OP_PUSHDATA2, 1, 0, 0x5a };
955  static const unsigned char pushdata4[] = { OP_PUSHDATA4, 1, 0, 0, 0, 0x5a };
956 
957  ScriptError err;
958  std::vector<std::vector<unsigned char> > directStack;
959  BOOST_CHECK(EvalScript(directStack, CScript(direct, direct + sizeof(direct)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
960  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
961 
962  std::vector<std::vector<unsigned char> > pushdata1Stack;
963  BOOST_CHECK(EvalScript(pushdata1Stack, CScript(pushdata1, pushdata1 + sizeof(pushdata1)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
964  BOOST_CHECK(pushdata1Stack == directStack);
965  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
966 
967  std::vector<std::vector<unsigned char> > pushdata2Stack;
968  BOOST_CHECK(EvalScript(pushdata2Stack, CScript(pushdata2, pushdata2 + sizeof(pushdata2)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
969  BOOST_CHECK(pushdata2Stack == directStack);
970  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
971 
972  std::vector<std::vector<unsigned char> > pushdata4Stack;
973  BOOST_CHECK(EvalScript(pushdata4Stack, CScript(pushdata4, pushdata4 + sizeof(pushdata4)), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
974  BOOST_CHECK(pushdata4Stack == directStack);
975  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
976 
977  const std::vector<unsigned char> pushdata1_trunc{OP_PUSHDATA1, 1};
978  const std::vector<unsigned char> pushdata2_trunc{OP_PUSHDATA2, 1, 0};
979  const std::vector<unsigned char> pushdata4_trunc{OP_PUSHDATA4, 1, 0, 0, 0};
980 
981  std::vector<std::vector<unsigned char>> stack_ignore;
982  BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata1_trunc.begin(), pushdata1_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
984  BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata2_trunc.begin(), pushdata2_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
986  BOOST_CHECK(!EvalScript(stack_ignore, CScript(pushdata4_trunc.begin(), pushdata4_trunc.end()), SCRIPT_VERIFY_P2SH, BaseSignatureChecker(), SigVersion::BASE, &err));
988 }
989 
990 BOOST_AUTO_TEST_CASE(script_cltv_truncated)
991 {
992  const auto script_cltv_trunc = CScript() << OP_CHECKLOCKTIMEVERIFY;
993 
994  std::vector<std::vector<unsigned char>> stack_ignore;
995  ScriptError err;
998 }
999 
1000 static CScript
1001 sign_multisig(const CScript& scriptPubKey, const std::vector<CKey>& keys, const CTransaction& transaction)
1002 {
1003  uint256 hash = SignatureHash(scriptPubKey, transaction, 0, SIGHASH_ALL, 0, SigVersion::BASE);
1004 
1005  CScript result;
1006  //
1007  // NOTE: CHECKMULTISIG has an unfortunate bug; it requires
1008  // one extra item on the stack, before the signatures.
1009  // Putting OP_0 on the stack is the workaround;
1010  // fixing the bug would mean splitting the block chain (old
1011  // clients would not accept new CHECKMULTISIG transactions,
1012  // and vice-versa)
1013  //
1014  result << OP_0;
1015  for (const CKey &key : keys)
1016  {
1017  std::vector<unsigned char> vchSig;
1018  BOOST_CHECK(key.Sign(hash, vchSig));
1019  vchSig.push_back((unsigned char)SIGHASH_ALL);
1020  result << vchSig;
1021  }
1022  return result;
1023 }
1024 static CScript
1025 sign_multisig(const CScript& scriptPubKey, const CKey& key, const CTransaction& transaction)
1026 {
1027  std::vector<CKey> keys;
1028  keys.push_back(key);
1029  return sign_multisig(scriptPubKey, keys, transaction);
1030 }
1031 
1032 BOOST_AUTO_TEST_CASE(script_CHECKMULTISIG12)
1033 {
1034  ScriptError err;
1035  CKey key1 = GenerateRandomKey();
1036  CKey key2 = GenerateRandomKey(/*compressed=*/false);
1037  CKey key3 = GenerateRandomKey();
1038 
1039  CScript scriptPubKey12;
1040  scriptPubKey12 << OP_1 << ToByteVector(key1.GetPubKey()) << ToByteVector(key2.GetPubKey()) << OP_2 << OP_CHECKMULTISIG;
1041 
1042  const CTransaction txFrom12{BuildCreditingTransaction(scriptPubKey12)};
1044 
1045  CScript goodsig1 = sign_multisig(scriptPubKey12, key1, CTransaction(txTo12));
1046  BOOST_CHECK(VerifyScript(goodsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1047  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1048  txTo12.vout[0].nValue = 2;
1049  BOOST_CHECK(!VerifyScript(goodsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1050  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1051 
1052  CScript goodsig2 = sign_multisig(scriptPubKey12, key2, CTransaction(txTo12));
1053  BOOST_CHECK(VerifyScript(goodsig2, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1054  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1055 
1056  CScript badsig1 = sign_multisig(scriptPubKey12, key3, CTransaction(txTo12));
1057  BOOST_CHECK(!VerifyScript(badsig1, scriptPubKey12, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo12, 0, txFrom12.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1058  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1059 }
1060 
1061 BOOST_AUTO_TEST_CASE(script_CHECKMULTISIG23)
1062 {
1063  ScriptError err;
1064  CKey key1 = GenerateRandomKey();
1065  CKey key2 = GenerateRandomKey(/*compressed=*/false);
1066  CKey key3 = GenerateRandomKey();
1067  CKey key4 = GenerateRandomKey(/*compressed=*/false);
1068 
1069  CScript scriptPubKey23;
1070  scriptPubKey23 << OP_2 << ToByteVector(key1.GetPubKey()) << ToByteVector(key2.GetPubKey()) << ToByteVector(key3.GetPubKey()) << OP_3 << OP_CHECKMULTISIG;
1071 
1072  const CTransaction txFrom23{BuildCreditingTransaction(scriptPubKey23)};
1074 
1075  std::vector<CKey> keys;
1076  keys.push_back(key1); keys.push_back(key2);
1077  CScript goodsig1 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1078  BOOST_CHECK(VerifyScript(goodsig1, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1079  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1080 
1081  keys.clear();
1082  keys.push_back(key1); keys.push_back(key3);
1083  CScript goodsig2 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1084  BOOST_CHECK(VerifyScript(goodsig2, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1085  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1086 
1087  keys.clear();
1088  keys.push_back(key2); keys.push_back(key3);
1089  CScript goodsig3 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1090  BOOST_CHECK(VerifyScript(goodsig3, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1091  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1092 
1093  keys.clear();
1094  keys.push_back(key2); keys.push_back(key2); // Can't reuse sig
1095  CScript badsig1 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1096  BOOST_CHECK(!VerifyScript(badsig1, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1097  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1098 
1099  keys.clear();
1100  keys.push_back(key2); keys.push_back(key1); // sigs must be in correct order
1101  CScript badsig2 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1102  BOOST_CHECK(!VerifyScript(badsig2, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1103  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1104 
1105  keys.clear();
1106  keys.push_back(key3); keys.push_back(key2); // sigs must be in correct order
1107  CScript badsig3 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1108  BOOST_CHECK(!VerifyScript(badsig3, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1109  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1110 
1111  keys.clear();
1112  keys.push_back(key4); keys.push_back(key2); // sigs must match pubkeys
1113  CScript badsig4 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1114  BOOST_CHECK(!VerifyScript(badsig4, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1115  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1116 
1117  keys.clear();
1118  keys.push_back(key1); keys.push_back(key4); // sigs must match pubkeys
1119  CScript badsig5 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1120  BOOST_CHECK(!VerifyScript(badsig5, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1121  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_EVAL_FALSE, ScriptErrorString(err));
1122 
1123  keys.clear(); // Must have signatures
1124  CScript badsig6 = sign_multisig(scriptPubKey23, keys, CTransaction(txTo23));
1125  BOOST_CHECK(!VerifyScript(badsig6, scriptPubKey23, nullptr, gFlags, MutableTransactionSignatureChecker(&txTo23, 0, txFrom23.vout[0].nValue, MissingDataBehavior::ASSERT_FAIL), &err));
1126  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_INVALID_STACK_OPERATION, ScriptErrorString(err));
1127 }
1128 
1129 /* Wrapper around ProduceSignature to combine two scriptsigs */
1130 SignatureData CombineSignatures(const CTxOut& txout, const CMutableTransaction& tx, const SignatureData& scriptSig1, const SignatureData& scriptSig2)
1131 {
1132  SignatureData data;
1133  data.MergeSignatureData(scriptSig1);
1134  data.MergeSignatureData(scriptSig2);
1136  return data;
1137 }
1138 
1139 BOOST_AUTO_TEST_CASE(script_combineSigs)
1140 {
1141  // Test the ProduceSignature's ability to combine signatures function
1142  FillableSigningProvider keystore;
1143  std::vector<CKey> keys;
1144  std::vector<CPubKey> pubkeys;
1145  for (int i = 0; i < 3; i++)
1146  {
1147  CKey key = GenerateRandomKey(/*compressed=*/i%2 == 1);
1148  keys.push_back(key);
1149  pubkeys.push_back(key.GetPubKey());
1150  BOOST_CHECK(keystore.AddKey(key));
1151  }
1152 
1155  CScript& scriptPubKey = txFrom.vout[0].scriptPubKey;
1156  SignatureData scriptSig;
1157 
1158  SignatureData empty;
1159  SignatureData combined = CombineSignatures(txFrom.vout[0], txTo, empty, empty);
1160  BOOST_CHECK(combined.scriptSig.empty());
1161 
1162  // Single signature case:
1163  SignatureData dummy;
1164  BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy)); // changes scriptSig
1165  scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1166  combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1167  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1168  combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1169  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1170  SignatureData scriptSigCopy = scriptSig;
1171  // Signing again will give a different, valid signature:
1172  SignatureData dummy_b;
1173  BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_b));
1174  scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1175  combined = CombineSignatures(txFrom.vout[0], txTo, scriptSigCopy, scriptSig);
1176  BOOST_CHECK(combined.scriptSig == scriptSigCopy.scriptSig || combined.scriptSig == scriptSig.scriptSig);
1177 
1178  // P2SH, single-signature case:
1179  CScript pkSingle; pkSingle << ToByteVector(keys[0].GetPubKey()) << OP_CHECKSIG;
1180  BOOST_CHECK(keystore.AddCScript(pkSingle));
1181  scriptPubKey = GetScriptForDestination(ScriptHash(pkSingle));
1182  SignatureData dummy_c;
1183  BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_c));
1184  scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1185  combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1186  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1187  combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1188  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1189  scriptSigCopy = scriptSig;
1190  SignatureData dummy_d;
1191  BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_d));
1192  scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1193  combined = CombineSignatures(txFrom.vout[0], txTo, scriptSigCopy, scriptSig);
1194  BOOST_CHECK(combined.scriptSig == scriptSigCopy.scriptSig || combined.scriptSig == scriptSig.scriptSig);
1195 
1196  // Hardest case: Multisig 2-of-3
1197  scriptPubKey = GetScriptForMultisig(2, pubkeys);
1198  BOOST_CHECK(keystore.AddCScript(scriptPubKey));
1199  SignatureData dummy_e;
1200  BOOST_CHECK(SignSignature(keystore, CTransaction(txFrom), txTo, 0, SIGHASH_ALL, dummy_e));
1201  scriptSig = DataFromTransaction(txTo, 0, txFrom.vout[0]);
1202  combined = CombineSignatures(txFrom.vout[0], txTo, scriptSig, empty);
1203  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1204  combined = CombineSignatures(txFrom.vout[0], txTo, empty, scriptSig);
1205  BOOST_CHECK(combined.scriptSig == scriptSig.scriptSig);
1206 
1207  // A couple of partially-signed versions:
1208  std::vector<unsigned char> sig1;
1209  uint256 hash1 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_ALL, 0, SigVersion::BASE);
1210  BOOST_CHECK(keys[0].Sign(hash1, sig1));
1211  sig1.push_back(SIGHASH_ALL);
1212  std::vector<unsigned char> sig2;
1213  uint256 hash2 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_NONE, 0, SigVersion::BASE);
1214  BOOST_CHECK(keys[1].Sign(hash2, sig2));
1215  sig2.push_back(SIGHASH_NONE);
1216  std::vector<unsigned char> sig3;
1217  uint256 hash3 = SignatureHash(scriptPubKey, txTo, 0, SIGHASH_SINGLE, 0, SigVersion::BASE);
1218  BOOST_CHECK(keys[2].Sign(hash3, sig3));
1219  sig3.push_back(SIGHASH_SINGLE);
1220 
1221  // Not fussy about order (or even existence) of placeholders or signatures:
1222  CScript partial1a = CScript() << OP_0 << sig1 << OP_0;
1223  CScript partial1b = CScript() << OP_0 << OP_0 << sig1;
1224  CScript partial2a = CScript() << OP_0 << sig2;
1225  CScript partial2b = CScript() << sig2 << OP_0;
1226  CScript partial3a = CScript() << sig3;
1227  CScript partial3b = CScript() << OP_0 << OP_0 << sig3;
1228  CScript partial3c = CScript() << OP_0 << sig3 << OP_0;
1229  CScript complete12 = CScript() << OP_0 << sig1 << sig2;
1230  CScript complete13 = CScript() << OP_0 << sig1 << sig3;
1231  CScript complete23 = CScript() << OP_0 << sig2 << sig3;
1232  SignatureData partial1_sigs;
1233  partial1_sigs.signatures.emplace(keys[0].GetPubKey().GetID(), SigPair(keys[0].GetPubKey(), sig1));
1234  SignatureData partial2_sigs;
1235  partial2_sigs.signatures.emplace(keys[1].GetPubKey().GetID(), SigPair(keys[1].GetPubKey(), sig2));
1236  SignatureData partial3_sigs;
1237  partial3_sigs.signatures.emplace(keys[2].GetPubKey().GetID(), SigPair(keys[2].GetPubKey(), sig3));
1238 
1239  combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial1_sigs);
1240  BOOST_CHECK(combined.scriptSig == partial1a);
1241  combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial2_sigs);
1242  BOOST_CHECK(combined.scriptSig == complete12);
1243  combined = CombineSignatures(txFrom.vout[0], txTo, partial2_sigs, partial1_sigs);
1244  BOOST_CHECK(combined.scriptSig == complete12);
1245  combined = CombineSignatures(txFrom.vout[0], txTo, partial1_sigs, partial2_sigs);
1246  BOOST_CHECK(combined.scriptSig == complete12);
1247  combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial1_sigs);
1248  BOOST_CHECK(combined.scriptSig == complete13);
1249  combined = CombineSignatures(txFrom.vout[0], txTo, partial2_sigs, partial3_sigs);
1250  BOOST_CHECK(combined.scriptSig == complete23);
1251  combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial2_sigs);
1252  BOOST_CHECK(combined.scriptSig == complete23);
1253  combined = CombineSignatures(txFrom.vout[0], txTo, partial3_sigs, partial3_sigs);
1254  BOOST_CHECK(combined.scriptSig == partial3c);
1255 }
1256 
1257 BOOST_AUTO_TEST_CASE(script_standard_push)
1258 {
1259  ScriptError err;
1260  for (int i=0; i<67000; i++) {
1261  CScript script;
1262  script << i;
1263  BOOST_CHECK_MESSAGE(script.IsPushOnly(), "Number " << i << " is not pure push.");
1264  BOOST_CHECK_MESSAGE(VerifyScript(script, CScript() << OP_1, nullptr, SCRIPT_VERIFY_MINIMALDATA, BaseSignatureChecker(), &err), "Number " << i << " push is not minimal data.");
1265  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1266  }
1267 
1268  for (unsigned int i=0; i<=MAX_SCRIPT_ELEMENT_SIZE; i++) {
1269  std::vector<unsigned char> data(i, '\111');
1270  CScript script;
1271  script << data;
1272  BOOST_CHECK_MESSAGE(script.IsPushOnly(), "Length " << i << " is not pure push.");
1273  BOOST_CHECK_MESSAGE(VerifyScript(script, CScript() << OP_1, nullptr, SCRIPT_VERIFY_MINIMALDATA, BaseSignatureChecker(), &err), "Length " << i << " push is not minimal data.");
1274  BOOST_CHECK_MESSAGE(err == SCRIPT_ERR_OK, ScriptErrorString(err));
1275  }
1276 }
1277 
1278 BOOST_AUTO_TEST_CASE(script_IsPushOnly_on_invalid_scripts)
1279 {
1280  // IsPushOnly returns false when given a script containing only pushes that
1281  // are invalid due to truncation. IsPushOnly() is consensus critical
1282  // because P2SH evaluation uses it, although this specific behavior should
1283  // not be consensus critical as the P2SH evaluation would fail first due to
1284  // the invalid push. Still, it doesn't hurt to test it explicitly.
1285  static const unsigned char direct[] = { 1 };
1286  BOOST_CHECK(!CScript(direct, direct+sizeof(direct)).IsPushOnly());
1287 }
1288 
1289 BOOST_AUTO_TEST_CASE(script_GetScriptAsm)
1290 {
1291  BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_NOP2, true));
1292  BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_CHECKLOCKTIMEVERIFY, true));
1293  BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_NOP2));
1294  BOOST_CHECK_EQUAL("OP_CHECKLOCKTIMEVERIFY", ScriptToAsmStr(CScript() << OP_CHECKLOCKTIMEVERIFY));
1295 
1296  std::string derSig("304502207fa7a6d1e0ee81132a269ad84e68d695483745cde8b541e3bf630749894e342a022100c1f7ab20e13e22fb95281a870f3dcf38d782e53023ee313d741ad0cfbc0c5090");
1297  std::string pubKey("03b0da749730dc9b4b1f4a14d6902877a92541f5368778853d9c4a0cb7802dcfb2");
1298  std::vector<unsigned char> vchPubKey = ToByteVector(ParseHex(pubKey));
1299 
1300  BOOST_CHECK_EQUAL(derSig + "00 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "00")) << vchPubKey, true));
1301  BOOST_CHECK_EQUAL(derSig + "80 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "80")) << vchPubKey, true));
1302  BOOST_CHECK_EQUAL(derSig + "[ALL] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "01")) << vchPubKey, true));
1303  BOOST_CHECK_EQUAL(derSig + "[NONE] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "02")) << vchPubKey, true));
1304  BOOST_CHECK_EQUAL(derSig + "[SINGLE] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "03")) << vchPubKey, true));
1305  BOOST_CHECK_EQUAL(derSig + "[ALL|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "81")) << vchPubKey, true));
1306  BOOST_CHECK_EQUAL(derSig + "[NONE|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "82")) << vchPubKey, true));
1307  BOOST_CHECK_EQUAL(derSig + "[SINGLE|ANYONECANPAY] " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "83")) << vchPubKey, true));
1308 
1309  BOOST_CHECK_EQUAL(derSig + "00 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "00")) << vchPubKey));
1310  BOOST_CHECK_EQUAL(derSig + "80 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "80")) << vchPubKey));
1311  BOOST_CHECK_EQUAL(derSig + "01 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "01")) << vchPubKey));
1312  BOOST_CHECK_EQUAL(derSig + "02 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "02")) << vchPubKey));
1313  BOOST_CHECK_EQUAL(derSig + "03 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "03")) << vchPubKey));
1314  BOOST_CHECK_EQUAL(derSig + "81 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "81")) << vchPubKey));
1315  BOOST_CHECK_EQUAL(derSig + "82 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "82")) << vchPubKey));
1316  BOOST_CHECK_EQUAL(derSig + "83 " + pubKey, ScriptToAsmStr(CScript() << ToByteVector(ParseHex(derSig + "83")) << vchPubKey));
1317 }
1318 
1319 static CScript ScriptFromHex(const std::string& str)
1320 {
1321  std::vector<unsigned char> data = ParseHex(str);
1322  return CScript(data.begin(), data.end());
1323 }
1324 
1325 BOOST_AUTO_TEST_CASE(script_FindAndDelete)
1326 {
1327  // Exercise the FindAndDelete functionality
1328  CScript s;
1329  CScript d;
1330  CScript expect;
1331 
1332  s = CScript() << OP_1 << OP_2;
1333  d = CScript(); // delete nothing should be a no-op
1334  expect = s;
1335  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0);
1336  BOOST_CHECK(s == expect);
1337 
1338  s = CScript() << OP_1 << OP_2 << OP_3;
1339  d = CScript() << OP_2;
1340  expect = CScript() << OP_1 << OP_3;
1341  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1342  BOOST_CHECK(s == expect);
1343 
1344  s = CScript() << OP_3 << OP_1 << OP_3 << OP_3 << OP_4 << OP_3;
1345  d = CScript() << OP_3;
1346  expect = CScript() << OP_1 << OP_4;
1347  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 4);
1348  BOOST_CHECK(s == expect);
1349 
1350  s = ScriptFromHex("0302ff03"); // PUSH 0x02ff03 onto stack
1351  d = ScriptFromHex("0302ff03");
1352  expect = CScript();
1353  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1354  BOOST_CHECK(s == expect);
1355 
1356  s = ScriptFromHex("0302ff030302ff03"); // PUSH 0x2ff03 PUSH 0x2ff03
1357  d = ScriptFromHex("0302ff03");
1358  expect = CScript();
1359  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 2);
1360  BOOST_CHECK(s == expect);
1361 
1362  s = ScriptFromHex("0302ff030302ff03");
1363  d = ScriptFromHex("02");
1364  expect = s; // FindAndDelete matches entire opcodes
1365  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0);
1366  BOOST_CHECK(s == expect);
1367 
1368  s = ScriptFromHex("0302ff030302ff03");
1369  d = ScriptFromHex("ff");
1370  expect = s;
1371  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0);
1372  BOOST_CHECK(s == expect);
1373 
1374  // This is an odd edge case: strip of the push-three-bytes
1375  // prefix, leaving 02ff03 which is push-two-bytes:
1376  s = ScriptFromHex("0302ff030302ff03");
1377  d = ScriptFromHex("03");
1378  expect = CScript() << ParseHex("ff03") << ParseHex("ff03");
1379  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 2);
1380  BOOST_CHECK(s == expect);
1381 
1382  // Byte sequence that spans multiple opcodes:
1383  s = ScriptFromHex("02feed5169"); // PUSH(0xfeed) OP_1 OP_VERIFY
1384  d = ScriptFromHex("feed51");
1385  expect = s;
1386  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0); // doesn't match 'inside' opcodes
1387  BOOST_CHECK(s == expect);
1388 
1389  s = ScriptFromHex("02feed5169"); // PUSH(0xfeed) OP_1 OP_VERIFY
1390  d = ScriptFromHex("02feed51");
1391  expect = ScriptFromHex("69");
1392  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1393  BOOST_CHECK(s == expect);
1394 
1395  s = ScriptFromHex("516902feed5169");
1396  d = ScriptFromHex("feed51");
1397  expect = s;
1398  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 0);
1399  BOOST_CHECK(s == expect);
1400 
1401  s = ScriptFromHex("516902feed5169");
1402  d = ScriptFromHex("02feed51");
1403  expect = ScriptFromHex("516969");
1404  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1405  BOOST_CHECK(s == expect);
1406 
1407  s = CScript() << OP_0 << OP_0 << OP_1 << OP_1;
1408  d = CScript() << OP_0 << OP_1;
1409  expect = CScript() << OP_0 << OP_1; // FindAndDelete is single-pass
1410  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1411  BOOST_CHECK(s == expect);
1412 
1413  s = CScript() << OP_0 << OP_0 << OP_1 << OP_0 << OP_1 << OP_1;
1414  d = CScript() << OP_0 << OP_1;
1415  expect = CScript() << OP_0 << OP_1; // FindAndDelete is single-pass
1416  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 2);
1417  BOOST_CHECK(s == expect);
1418 
1419  // Another weird edge case:
1420  // End with invalid push (not enough data)...
1421  s = ScriptFromHex("0003feed");
1422  d = ScriptFromHex("03feed"); // ... can remove the invalid push
1423  expect = ScriptFromHex("00");
1424  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1425  BOOST_CHECK(s == expect);
1426 
1427  s = ScriptFromHex("0003feed");
1428  d = ScriptFromHex("00");
1429  expect = ScriptFromHex("03feed");
1430  BOOST_CHECK_EQUAL(FindAndDelete(s, d), 1);
1431  BOOST_CHECK(s == expect);
1432 }
1433 
1434 BOOST_AUTO_TEST_CASE(script_HasValidOps)
1435 {
1436  // Exercise the HasValidOps functionality
1437  CScript script;
1438  script = ScriptFromHex("76a9141234567890abcdefa1a2a3a4a5a6a7a8a9a0aaab88ac"); // Normal script
1439  BOOST_CHECK(script.HasValidOps());
1440  script = ScriptFromHex("76a914ff34567890abcdefa1a2a3a4a5a6a7a8a9a0aaab88ac");
1441  BOOST_CHECK(script.HasValidOps());
1442  script = ScriptFromHex("ff88ac"); // Script with OP_INVALIDOPCODE explicit
1443  BOOST_CHECK(!script.HasValidOps());
1444  script = ScriptFromHex("88acc0"); // Script with undefined opcode
1445  BOOST_CHECK(!script.HasValidOps());
1446 }
1447 
1448 static CMutableTransaction TxFromHex(const std::string& str)
1449 {
1451  SpanReader{ParseHex(str)} >> TX_NO_WITNESS(tx);
1452  return tx;
1453 }
1454 
1455 static std::vector<CTxOut> TxOutsFromJSON(const UniValue& univalue)
1456 {
1457  assert(univalue.isArray());
1458  std::vector<CTxOut> prevouts;
1459  for (size_t i = 0; i < univalue.size(); ++i) {
1460  CTxOut txout;
1461  SpanReader{ParseHex(univalue[i].get_str())} >> txout;
1462  prevouts.push_back(std::move(txout));
1463  }
1464  return prevouts;
1465 }
1466 
1468 {
1469  assert(univalue.isArray());
1470  CScriptWitness scriptwitness;
1471  for (size_t i = 0; i < univalue.size(); ++i) {
1472  auto bytes = ParseHex(univalue[i].get_str());
1473  scriptwitness.stack.push_back(std::move(bytes));
1474  }
1475  return scriptwitness;
1476 }
1477 
1478 static std::vector<unsigned int> AllConsensusFlags()
1479 {
1480  std::vector<unsigned int> ret;
1481 
1482  for (unsigned int i = 0; i < 128; ++i) {
1483  unsigned int flag = 0;
1484  if (i & 1) flag |= SCRIPT_VERIFY_P2SH;
1485  if (i & 2) flag |= SCRIPT_VERIFY_DERSIG;
1486  if (i & 4) flag |= SCRIPT_VERIFY_NULLDUMMY;
1487  if (i & 8) flag |= SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY;
1488  if (i & 16) flag |= SCRIPT_VERIFY_CHECKSEQUENCEVERIFY;
1489  if (i & 32) flag |= SCRIPT_VERIFY_WITNESS;
1490  if (i & 64) flag |= SCRIPT_VERIFY_TAPROOT;
1491 
1492  // SCRIPT_VERIFY_WITNESS requires SCRIPT_VERIFY_P2SH
1493  if (flag & SCRIPT_VERIFY_WITNESS && !(flag & SCRIPT_VERIFY_P2SH)) continue;
1494  // SCRIPT_VERIFY_TAPROOT requires SCRIPT_VERIFY_WITNESS
1495  if (flag & SCRIPT_VERIFY_TAPROOT && !(flag & SCRIPT_VERIFY_WITNESS)) continue;
1496 
1497  ret.push_back(flag);
1498  }
1499 
1500  return ret;
1501 }
1502 
1504 static const std::vector<unsigned int> ALL_CONSENSUS_FLAGS = AllConsensusFlags();
1505 
1506 static void AssetTest(const UniValue& test)
1507 {
1508  BOOST_CHECK(test.isObject());
1509 
1510  CMutableTransaction mtx = TxFromHex(test["tx"].get_str());
1511  const std::vector<CTxOut> prevouts = TxOutsFromJSON(test["prevouts"]);
1512  BOOST_CHECK(prevouts.size() == mtx.vin.size());
1513  size_t idx = test["index"].getInt<int64_t>();
1514  uint32_t test_flags{ParseScriptFlags(test["flags"].get_str())};
1515  bool fin = test.exists("final") && test["final"].get_bool();
1516 
1517  if (test.exists("success")) {
1518  mtx.vin[idx].scriptSig = ScriptFromHex(test["success"]["scriptSig"].get_str());
1519  mtx.vin[idx].scriptWitness = ScriptWitnessFromJSON(test["success"]["witness"]);
1520  CTransaction tx(mtx);
1522  txdata.Init(tx, std::vector<CTxOut>(prevouts));
1523  CachingTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, true, txdata);
1524 
1525  for (const auto flags : ALL_CONSENSUS_FLAGS) {
1526  // "final": true tests are valid for all flags. Others are only valid with flags that are
1527  // a subset of test_flags.
1528  if (fin || ((flags & test_flags) == flags)) {
1529  bool ret = VerifyScript(tx.vin[idx].scriptSig, prevouts[idx].scriptPubKey, &tx.vin[idx].scriptWitness, flags, txcheck, nullptr);
1530  BOOST_CHECK(ret);
1531  }
1532  }
1533  }
1534 
1535  if (test.exists("failure")) {
1536  mtx.vin[idx].scriptSig = ScriptFromHex(test["failure"]["scriptSig"].get_str());
1537  mtx.vin[idx].scriptWitness = ScriptWitnessFromJSON(test["failure"]["witness"]);
1538  CTransaction tx(mtx);
1540  txdata.Init(tx, std::vector<CTxOut>(prevouts));
1541  CachingTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, true, txdata);
1542 
1543  for (const auto flags : ALL_CONSENSUS_FLAGS) {
1544  // If a test is supposed to fail with test_flags, it should also fail with any superset thereof.
1545  if ((flags & test_flags) == test_flags) {
1546  bool ret = VerifyScript(tx.vin[idx].scriptSig, prevouts[idx].scriptPubKey, &tx.vin[idx].scriptWitness, flags, txcheck, nullptr);
1547  BOOST_CHECK(!ret);
1548  }
1549  }
1550  }
1551 }
1552 
1553 BOOST_AUTO_TEST_CASE(script_assets_test)
1554 {
1555  // See src/test/fuzz/script_assets_test_minimizer.cpp for information on how to generate
1556  // the script_assets_test.json file used by this test.
1557 
1558  const char* dir = std::getenv("DIR_UNIT_TEST_DATA");
1559  BOOST_WARN_MESSAGE(dir != nullptr, "Variable DIR_UNIT_TEST_DATA unset, skipping script_assets_test");
1560  if (dir == nullptr) return;
1561  auto path = fs::path(dir) / "script_assets_test.json";
1562  bool exists = fs::exists(path);
1563  BOOST_WARN_MESSAGE(exists, "File $DIR_UNIT_TEST_DATA/script_assets_test.json not found, skipping script_assets_test");
1564  if (!exists) return;
1565  std::ifstream file{path};
1566  BOOST_CHECK(file.is_open());
1567  file.seekg(0, std::ios::end);
1568  size_t length = file.tellg();
1569  file.seekg(0, std::ios::beg);
1570  std::string data(length, '\0');
1571  file.read(data.data(), data.size());
1572  UniValue tests = read_json(data);
1573  BOOST_CHECK(tests.isArray());
1574  BOOST_CHECK(tests.size() > 0);
1575 
1576  for (size_t i = 0; i < tests.size(); i++) {
1577  AssetTest(tests[i]);
1578  }
1579  file.close();
1580 }
1581 
1582 BOOST_AUTO_TEST_CASE(bip341_keypath_test_vectors)
1583 {
1584  UniValue tests;
1585  tests.read(json_tests::bip341_wallet_vectors);
1586 
1587  const auto& vectors = tests["keyPathSpending"];
1588 
1589  for (const auto& vec : vectors.getValues()) {
1590  auto txhex = ParseHex(vec["given"]["rawUnsignedTx"].get_str());
1592  SpanReader{txhex} >> TX_WITH_WITNESS(tx);
1593  std::vector<CTxOut> utxos;
1594  for (const auto& utxo_spent : vec["given"]["utxosSpent"].getValues()) {
1595  auto script_bytes = ParseHex(utxo_spent["scriptPubKey"].get_str());
1596  CScript script{script_bytes.begin(), script_bytes.end()};
1597  CAmount amount{utxo_spent["amountSats"].getInt<int>()};
1598  utxos.emplace_back(amount, script);
1599  }
1600 
1602  txdata.Init(tx, std::vector<CTxOut>{utxos}, true);
1603 
1605  BOOST_CHECK_EQUAL(HexStr(txdata.m_spent_amounts_single_hash), vec["intermediary"]["hashAmounts"].get_str());
1606  BOOST_CHECK_EQUAL(HexStr(txdata.m_outputs_single_hash), vec["intermediary"]["hashOutputs"].get_str());
1607  BOOST_CHECK_EQUAL(HexStr(txdata.m_prevouts_single_hash), vec["intermediary"]["hashPrevouts"].get_str());
1608  BOOST_CHECK_EQUAL(HexStr(txdata.m_spent_scripts_single_hash), vec["intermediary"]["hashScriptPubkeys"].get_str());
1609  BOOST_CHECK_EQUAL(HexStr(txdata.m_sequences_single_hash), vec["intermediary"]["hashSequences"].get_str());
1610 
1611  for (const auto& input : vec["inputSpending"].getValues()) {
1612  int txinpos = input["given"]["txinIndex"].getInt<int>();
1613  int hashtype = input["given"]["hashType"].getInt<int>();
1614 
1615  // Load key.
1616  auto privkey = ParseHex(input["given"]["internalPrivkey"].get_str());
1617  CKey key;
1618  key.Set(privkey.begin(), privkey.end(), true);
1619 
1620  // Load Merkle root.
1621  uint256 merkle_root;
1622  if (!input["given"]["merkleRoot"].isNull()) {
1623  merkle_root = uint256{ParseHex(input["given"]["merkleRoot"].get_str())};
1624  }
1625 
1626  // Compute and verify (internal) public key.
1627  XOnlyPubKey pubkey{key.GetPubKey()};
1628  BOOST_CHECK_EQUAL(HexStr(pubkey), input["intermediary"]["internalPubkey"].get_str());
1629 
1630  // Sign and verify signature.
1631  FlatSigningProvider provider;
1632  provider.keys[key.GetPubKey().GetID()] = key;
1633  MutableTransactionSignatureCreator creator(tx, txinpos, utxos[txinpos].nValue, &txdata, hashtype);
1634  std::vector<unsigned char> signature;
1635  BOOST_CHECK(creator.CreateSchnorrSig(provider, signature, pubkey, nullptr, &merkle_root, SigVersion::TAPROOT));
1636  BOOST_CHECK_EQUAL(HexStr(signature), input["expected"]["witness"][0].get_str());
1637 
1638  // We can't observe the tweak used inside the signing logic, so verify by recomputing it.
1639  BOOST_CHECK_EQUAL(HexStr(pubkey.ComputeTapTweakHash(merkle_root.IsNull() ? nullptr : &merkle_root)), input["intermediary"]["tweak"].get_str());
1640 
1641  // We can't observe the sighash used inside the signing logic, so verify by recomputing it.
1642  ScriptExecutionData sed;
1643  sed.m_annex_init = true;
1644  sed.m_annex_present = false;
1645  uint256 sighash;
1646  BOOST_CHECK(SignatureHashSchnorr(sighash, sed, tx, txinpos, hashtype, SigVersion::TAPROOT, txdata, MissingDataBehavior::FAIL));
1647  BOOST_CHECK_EQUAL(HexStr(sighash), input["intermediary"]["sigHash"].get_str());
1648 
1649  // To verify the sigmsg, hash the expected sigmsg, and compare it with the (expected) sighash.
1650  BOOST_CHECK_EQUAL(HexStr((HashWriter{HASHER_TAPSIGHASH} << Span{ParseHex(input["intermediary"]["sigMsg"].get_str())}).GetSHA256()), input["intermediary"]["sigHash"].get_str());
1651  }
1652 
1653  }
1654 }
1655 
1656 BOOST_AUTO_TEST_CASE(compute_tapbranch)
1657 {
1658  uint256 hash1 = uint256S("8ad69ec7cf41c2a4001fd1f738bf1e505ce2277acdcaa63fe4765192497f47a7");
1659  uint256 hash2 = uint256S("f224a923cd0021ab202ab139cc56802ddb92dcfc172b9212261a539df79a112a");
1660  uint256 result = uint256S("a64c5b7b943315f9b805d7a7296bedfcfd08919270a1f7a1466e98f8693d8cd9");
1661  BOOST_CHECK_EQUAL(ComputeTapbranchHash(hash1, hash2), result);
1662 }
1663 
1664 BOOST_AUTO_TEST_CASE(compute_tapleaf)
1665 {
1666  const uint8_t script[6] = {'f','o','o','b','a','r'};
1667  uint256 tlc0 = uint256S("edbc10c272a1215dcdcc11d605b9027b5ad6ed97cd45521203f136767b5b9c06");
1668  uint256 tlc2 = uint256S("8b5c4f90ae6bf76e259dbef5d8a59df06359c391b59263741b25eca76451b27a");
1669 
1670  BOOST_CHECK_EQUAL(ComputeTapleafHash(0xc0, Span(script)), tlc0);
1671  BOOST_CHECK_EQUAL(ComputeTapleafHash(0xc2, Span(script)), tlc2);
1672 }
1673 
CScript GetScriptForDestination(const CTxDestination &dest)
Generate a Bitcoin scriptPubKey for the given CTxDestination.
int64_t CAmount
Amount in satoshis (Can be negative)
Definition: amount.h:12
int ret
static CAmount AmountFromValue(const UniValue &value)
Definition: bitcoin-tx.cpp:555
int flags
Definition: bitcoin-tx.cpp:530
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:49
void Finalize(Span< unsigned char > output)
Definition: hash.h:55
CHash160 & Write(Span< const unsigned char > input)
Definition: hash.h:62
An encapsulated private key.
Definition: key.h:33
bool Sign(const uint256 &hash, std::vector< unsigned char > &vchSig, bool grind=true, uint32_t test_case=0) const
Create a DER-serialized signature.
Definition: key.cpp:214
CPubKey GetPubKey() const
Compute the public key from a private key.
Definition: key.cpp:188
void Set(const T pbegin, const T pend, bool fCompressedIn)
Initialize using begin and end iterators to byte data.
Definition: key.h:99
An encapsulated public key.
Definition: pubkey.h:34
const unsigned char * end() const
Definition: pubkey.h:115
CKeyID GetID() const
Get the KeyID of this public key (hash of its serialization)
Definition: pubkey.h:164
const unsigned char * begin() const
Definition: pubkey.h:114
const unsigned char * data() const
Definition: pubkey.h:113
A hasher class for SHA-256.
Definition: sha256.h:14
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha256.cpp:728
CSHA256 & Write(const unsigned char *data, size_t len)
Definition: sha256.cpp:702
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:414
bool IsPushOnly(const_iterator pc) const
Called by IsStandardTx and P2SH/BIP62 VerifyScript (which makes it consensus-critical).
Definition: script.cpp:242
bool HasValidOps() const
Check if the script contains valid OP_CODES.
Definition: script.cpp:276
A reference to a CScript: the Hash160 of its serialization.
Definition: script.h:583
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:296
const std::vector< CTxIn > vin
Definition: transaction.h:306
An output of a transaction.
Definition: transaction.h:150
CScript scriptPubKey
Definition: transaction.h:153
CAmount nValue
Definition: transaction.h:152
Fillable signing provider that keeps keys in an address->secret map.
virtual bool AddCScript(const CScript &redeemScript)
virtual bool AddKey(const CKey &key)
A writer stream (for serialization) that computes a 256-bit hash.
Definition: hash.h:101
A signature creator for transactions.
Definition: sign.h:40
bool CreateSchnorrSig(const SigningProvider &provider, std::vector< unsigned char > &sig, const XOnlyPubKey &pubkey, const uint256 *leaf_hash, const uint256 *merkle_root, SigVersion sigversion) const override
Definition: sign.cpp:62
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98
Minimal stream for reading from an existing byte array by Span.
Definition: streams.h:101
const std::string & get_str() const
bool isArray() const
Definition: univalue.h:85
@ VARR
Definition: univalue.h:24
std::string write(unsigned int prettyIndent=0, unsigned int indentLevel=0) const
size_t size() const
Definition: univalue.h:71
bool read(std::string_view raw)
Int getInt() const
Definition: univalue.h:138
const UniValue & get_array() const
bool exists(const std::string &key) const
Definition: univalue.h:77
bool get_bool() const
bool isObject() const
Definition: univalue.h:86
constexpr bool IsNull() const
Definition: uint256.h:42
constexpr unsigned char * begin()
Definition: uint256.h:68
Path class wrapper to block calls to the fs::path(std::string) implicit constructor and the fs::path:...
Definition: fs.h:33
bool empty() const
Definition: prevector.h:300
size_type size() const
Definition: prevector.h:296
value_type * data()
Definition: prevector.h:532
iterator begin()
Definition: prevector.h:304
iterator end()
Definition: prevector.h:306
void push_back(const T &value)
Definition: prevector.h:443
160-bit opaque blob.
Definition: uint256.h:95
256-bit opaque blob.
Definition: uint256.h:106
CScript ParseScript(const std::string &s)
Definition: core_read.cpp:61
std::string FormatScript(const CScript &script)
Definition: core_write.cpp:39
std::string ScriptToAsmStr(const CScript &script, const bool fAttemptSighashDecode=false)
Create the assembly string representation of a CScript object.
Definition: core_write.cpp:98
UniValue ValueFromAmount(const CAmount amount)
Definition: core_write.cpp:26
BOOST_AUTO_TEST_SUITE_END()
bool SignatureHashSchnorr(uint256 &hash_out, ScriptExecutionData &execdata, const T &tx_to, uint32_t in_pos, uint8_t hash_type, SigVersion sigversion, const PrecomputedTransactionData &cache, MissingDataBehavior mdb)
int FindAndDelete(CScript &script, const CScript &b)
uint256 ComputeTapleafHash(uint8_t leaf_version, Span< const unsigned char > script)
Compute the BIP341 tapleaf hash from leaf version & script.
uint256 SignatureHash(const CScript &scriptCode, const T &txTo, unsigned int nIn, int nHashType, const CAmount &amount, SigVersion sigversion, const PrecomputedTransactionData *cache)
uint256 ComputeTapbranchHash(Span< const unsigned char > a, Span< const unsigned char > b)
Compute the BIP341 tapbranch hash from two branches.
bool EvalScript(std::vector< std::vector< unsigned char > > &stack, const CScript &script, unsigned int flags, const BaseSignatureChecker &checker, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror)
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, const CScriptWitness *witness, unsigned int flags, const BaseSignatureChecker &checker, ScriptError *serror)
const HashWriter HASHER_TAPSIGHASH
Hasher with tag "TapSighash" pre-fed to it.
SigVersion
Definition: interpreter.h:191
@ TAPROOT
Witness v1 with 32-byte program, not BIP16 P2SH-wrapped, key path spending; see BIP 341.
@ BASE
Bare scripts and BIP16 P2SH-wrapped redeemscripts.
@ WITNESS_V0
Witness v0 (P2WPKH and P2WSH); see BIP 141.
GenericTransactionSignatureChecker< CMutableTransaction > MutableTransactionSignatureChecker
Definition: interpreter.h:307
@ SCRIPT_VERIFY_NULLDUMMY
Definition: interpreter.h:64
@ SCRIPT_VERIFY_P2SH
Definition: interpreter.h:49
@ SCRIPT_VERIFY_SIGPUSHONLY
Definition: interpreter.h:67
@ SCRIPT_VERIFY_WITNESS
Definition: interpreter.h:108
@ SCRIPT_VERIFY_LOW_S
Definition: interpreter.h:61
@ SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY
Definition: interpreter.h:99
@ SCRIPT_VERIFY_WITNESS_PUBKEYTYPE
Definition: interpreter.h:126
@ SCRIPT_VERIFY_TAPROOT
Definition: interpreter.h:134
@ SCRIPT_VERIFY_STRICTENC
Definition: interpreter.h:54
@ SCRIPT_VERIFY_DERSIG
Definition: interpreter.h:57
@ SCRIPT_VERIFY_CLEANSTACK
Definition: interpreter.h:94
@ SCRIPT_VERIFY_MINIMALDATA
Definition: interpreter.h:73
@ SCRIPT_VERIFY_CHECKSEQUENCEVERIFY
Definition: interpreter.h:104
@ SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
Definition: interpreter.h:112
@ SIGHASH_ANYONECANPAY
Definition: interpreter.h:33
@ SIGHASH_DEFAULT
Taproot only; implied when sighash byte is missing, and equivalent to SIGHASH_ALL.
Definition: interpreter.h:35
@ SIGHASH_ALL
Definition: interpreter.h:30
@ SIGHASH_NONE
Definition: interpreter.h:31
@ SIGHASH_SINGLE
Definition: interpreter.h:32
@ ASSERT_FAIL
Abort execution through assertion failure (for consensus code)
@ FAIL
Just act as if the signature was invalid.
UniValue read_json(const std::string &jsondata)
Definition: json.cpp:12
CKey GenerateRandomKey(bool compressed) noexcept
Definition: key.cpp:372
@ NONE
Definition: logging.h:40
static bool exists(const path &p)
Definition: fs.h:89
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:26
std::pair< opcodetype, std::vector< unsigned char > > Opcode
Definition: miniscript.h:184
#define BOOST_CHECK_EQUAL(v1, v2)
Definition: object.cpp:18
#define BOOST_CHECK(expr)
Definition: object.cpp:17
static constexpr TransactionSerParams TX_NO_WITNESS
Definition: transaction.h:196
static constexpr TransactionSerParams TX_WITH_WITNESS
Definition: transaction.h:195
static CTransactionRef MakeTransactionRef(Tx &&txIn)
Definition: transaction.h:424
std::shared_ptr< const CTransaction > CTransactionRef
Definition: transaction.h:423
const char * name
Definition: rest.cpp:50
static const unsigned int MAX_SCRIPT_ELEMENT_SIZE
Definition: script.h:27
std::vector< unsigned char > ToByteVector(const T &in)
Definition: script.h:66
opcodetype
Script opcodes.
Definition: script.h:73
@ OP_2
Definition: script.h:84
@ OP_PUSHDATA4
Definition: script.h:79
@ OP_CHECKMULTISIG
Definition: script.h:191
@ OP_CHECKSIG
Definition: script.h:189
@ OP_CHECKLOCKTIMEVERIFY
Definition: script.h:196
@ OP_NOT
Definition: script.h:157
@ OP_EQUAL
Definition: script.h:145
@ OP_4
Definition: script.h:86
@ OP_DUP
Definition: script.h:124
@ OP_NOP2
Definition: script.h:197
@ OP_NOP8
Definition: script.h:204
@ OP_HASH160
Definition: script.h:186
@ OP_1
Definition: script.h:82
@ OP_PUSHDATA1
Definition: script.h:77
@ OP_3
Definition: script.h:85
@ OP_PUSHDATA2
Definition: script.h:78
@ OP_0
Definition: script.h:75
@ OP_EQUALVERIFY
Definition: script.h:146
std::string ScriptErrorString(const ScriptError serror)
enum ScriptError_t ScriptError
ScriptError_t
Definition: script_error.h:12
@ SCRIPT_ERR_OP_CODESEPARATOR
Definition: script_error.h:82
@ SCRIPT_ERR_SIG_PUSHONLY
Definition: script_error.h:48
@ SCRIPT_ERR_OP_COUNT
Definition: script_error.h:21
@ SCRIPT_ERR_EVAL_FALSE
Definition: script_error.h:15
@ SCRIPT_ERR_NUMEQUALVERIFY
Definition: script_error.h:31
@ SCRIPT_ERR_VERIFY
Definition: script_error.h:27
@ SCRIPT_ERR_DISABLED_OPCODE
Definition: script_error.h:35
@ SCRIPT_ERR_INVALID_ALTSTACK_OPERATION
Definition: script_error.h:37
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM
Definition: script_error.h:58
@ SCRIPT_ERR_SCRIPT_SIZE
Definition: script_error.h:19
@ SCRIPT_ERR_UNKNOWN_ERROR
Definition: script_error.h:14
@ SCRIPT_ERR_WITNESS_PROGRAM_WRONG_LENGTH
Definition: script_error.h:64
@ SCRIPT_ERR_SIG_HASHTYPE
Definition: script_error.h:45
@ SCRIPT_ERR_MINIMALDATA
Definition: script_error.h:47
@ SCRIPT_ERR_CHECKSIGVERIFY
Definition: script_error.h:30
@ SCRIPT_ERR_STACK_SIZE
Definition: script_error.h:22
@ SCRIPT_ERR_WITNESS_MALLEATED_P2SH
Definition: script_error.h:68
@ SCRIPT_ERR_WITNESS_MALLEATED
Definition: script_error.h:67
@ SCRIPT_ERR_DISCOURAGE_UPGRADABLE_NOPS
Definition: script_error.h:57
@ SCRIPT_ERR_EQUALVERIFY
Definition: script_error.h:28
@ SCRIPT_ERR_INVALID_STACK_OPERATION
Definition: script_error.h:36
@ SCRIPT_ERR_SIG_COUNT
Definition: script_error.h:23
@ SCRIPT_ERR_SIG_HIGH_S
Definition: script_error.h:49
@ SCRIPT_ERR_SIG_DER
Definition: script_error.h:46
@ SCRIPT_ERR_WITNESS_UNEXPECTED
Definition: script_error.h:69
@ SCRIPT_ERR_NEGATIVE_LOCKTIME
Definition: script_error.h:41
@ SCRIPT_ERR_WITNESS_PROGRAM_MISMATCH
Definition: script_error.h:66
@ SCRIPT_ERR_OP_RETURN
Definition: script_error.h:16
@ SCRIPT_ERR_PUSH_SIZE
Definition: script_error.h:20
@ SCRIPT_ERR_SIG_NULLFAIL
Definition: script_error.h:54
@ SCRIPT_ERR_OK
Definition: script_error.h:13
@ SCRIPT_ERR_SIG_NULLDUMMY
Definition: script_error.h:50
@ SCRIPT_ERR_PUBKEYTYPE
Definition: script_error.h:51
@ SCRIPT_ERR_CHECKMULTISIGVERIFY
Definition: script_error.h:29
@ SCRIPT_ERR_UNSATISFIED_LOCKTIME
Definition: script_error.h:42
@ SCRIPT_ERR_WITNESS_PUBKEYTYPE
Definition: script_error.h:70
@ SCRIPT_ERR_SIG_FINDANDDELETE
Definition: script_error.h:83
@ SCRIPT_ERR_BAD_OPCODE
Definition: script_error.h:34
@ SCRIPT_ERR_PUBKEY_COUNT
Definition: script_error.h:24
@ SCRIPT_ERR_WITNESS_PROGRAM_WITNESS_EMPTY
Definition: script_error.h:65
@ SCRIPT_ERR_CLEANSTACK
Definition: script_error.h:52
@ SCRIPT_ERR_UNBALANCED_CONDITIONAL
Definition: script_error.h:38
@ SCRIPT_ERR_MINIMALIF
Definition: script_error.h:53
static std::string FormatScriptError(ScriptError_t err)
static void NegateSignatureS(std::vector< unsigned char > &vchSig)
static ScriptError_t ParseScriptError(const std::string &name)
static CScript ScriptFromHex(const std::string &str)
SignatureData CombineSignatures(const CTxOut &txout, const CMutableTransaction &tx, const SignatureData &scriptSig1, const SignatureData &scriptSig2)
static ScriptErrorDesc script_errors[]
static CMutableTransaction TxFromHex(const std::string &str)
void DoTest(const CScript &scriptPubKey, const CScript &scriptSig, const CScriptWitness &scriptWitness, uint32_t flags, const std::string &message, int scriptError, CAmount nValue=0)
static void AssetTest(const UniValue &test)
static CScript sign_multisig(const CScript &scriptPubKey, const std::vector< CKey > &keys, const CTransaction &transaction)
unsigned int ParseScriptFlags(std::string strFlags)
static std::vector< unsigned int > AllConsensusFlags()
BOOST_AUTO_TEST_CASE(script_build)
std::string FormatScriptFlags(unsigned int flags)
static const unsigned int gFlags
static CScriptWitness ScriptWitnessFromJSON(const UniValue &univalue)
static std::vector< CTxOut > TxOutsFromJSON(const UniValue &univalue)
static const std::vector< unsigned int > ALL_CONSENSUS_FLAGS
Precomputed list of all valid combinations of consensus-relevant script validation flags.
bool ProduceSignature(const SigningProvider &provider, const BaseSignatureCreator &creator, const CScript &fromPubKey, SignatureData &sigdata)
Produce a script signature using a generic signature creator.
Definition: sign.cpp:499
static bool GetPubKey(const SigningProvider &provider, const SignatureData &sigdata, const CKeyID &address, CPubKey &pubkey)
Definition: sign.cpp:109
SignatureData DataFromTransaction(const CMutableTransaction &tx, unsigned int nIn, const CTxOut &txout)
Extract signature data from a transaction input, and insert it.
Definition: sign.cpp:607
bool SignSignature(const SigningProvider &provider, const CScript &fromPubKey, CMutableTransaction &txTo, unsigned int nIn, const CAmount &amount, int nHashType, SignatureData &sig_data)
Produce a satisfying script (scriptSig or witness).
Definition: sign.cpp:694
std::pair< CPubKey, std::vector< unsigned char > > SigPair
Definition: sign.h:63
const SigningProvider & DUMMY_SIGNING_PROVIDER
CScript GetScriptForMultisig(int nRequired, const std::vector< CPubKey > &keys)
Generate a multisig script.
Definition: solver.cpp:214
Span(T *, EndOrSize) -> Span< T >
std::vector< Byte > ParseHex(std::string_view hex_str)
Like TryParseHex, but returns an empty vector on invalid input.
Definition: strencodings.h:65
Basic testing setup.
Definition: setup_common.h:52
A mutable version of CTransaction.
Definition: transaction.h:378
std::vector< CTxOut > vout
Definition: transaction.h:380
std::vector< CTxIn > vin
Definition: transaction.h:379
std::vector< std::vector< unsigned char > > stack
Definition: script.h:569
std::map< CKeyID, CKey > keys
A type to represent integers in the type system.
Definition: lintrans.h:13
void Init(const T &tx, std::vector< CTxOut > &&spent_outputs, bool force=false)
Initialize this PrecomputedTransactionData with transaction data.
bool m_bip341_taproot_ready
Whether the 5 fields above are initialized.
Definition: interpreter.h:163
ScriptError_t err
const char * name
bool m_annex_present
Whether an annex is present.
Definition: interpreter.h:213
bool m_annex_init
Whether m_annex_present and (when needed) m_annex_hash are initialized.
Definition: interpreter.h:211
void MergeSignatureData(SignatureData sigdata)
Definition: sign.cpp:678
std::map< CKeyID, SigPair > signatures
BIP 174 style partial signatures for the input. May contain all signatures necessary for producing a ...
Definition: sign.h:77
CScript scriptSig
The scriptSig of an input. Contains complete signatures or the traditional partial signatures format.
Definition: sign.h:71
static uint64_t InsecureRandBits(int bits)
Definition: random.h:55
#define strprintf
Format arguments and return the string or write to given std::ostream (see tinyformat::format doc for...
Definition: tinyformat.h:1162
CMutableTransaction BuildSpendingTransaction(const CScript &scriptSig, const CScriptWitness &scriptWitness, const CTransaction &txCredit)
CMutableTransaction BuildCreditingTransaction(const CScript &scriptPubKey, int nValue)
uint256 uint256S(const char *str)
Definition: uint256.h:119
#define expect(bit)
std::string HexStr(const Span< const uint8_t > s)
Convert a span of bytes to a lower-case hexadecimal string.
assert(!tx.IsCoinBase())