Add support for reading PSBTs with P2A inputs (#167)

Since P2A are spent with an empty witness stack, Bitcoin Core doesn't
bother serializing a script witness in the PSBT at all, which led us
to treat the input as not finalized.

We now immediately finalize P2A inputs included in PSBTs, since they
can be spent by anyone without a signature.

Author: t-bast

build.gradle.kts

@@ -13,7 +13,7 @@ plugins {
 val currentOs = org.gradle.internal.os.OperatingSystem.current()
 
 group = "fr.acinq.bitcoin"
-version = "0.28.0"
+version = "0.28.1"
 
 repositories {
     google()

src/commonMain/kotlin/fr/acinq/bitcoin/Script.kt

@@ -22,6 +22,7 @@ import fr.acinq.bitcoin.io.Input
 import fr.acinq.bitcoin.io.Output
 import fr.acinq.secp256k1.Hex
 import fr.acinq.secp256k1.Secp256k1
+import kotlin.jvm.JvmField
 import kotlin.jvm.JvmStatic
 
 public object Script {
@@ -525,11 +526,11 @@ public object Script {
     }
 
     /** Standard P2A (pay-to-anchor) output. */
-    @JvmStatic
+    @JvmField
     public val pay2anchor: List<ScriptElt> = listOf(OP_1, OP_PUSHDATA(ByteVector("4e73")))
 
     /** An empty witness script is used to spend [pay2anchor] outputs. */
-    @JvmStatic
+    @JvmField
     public val witnessPay2anchor: ScriptWitness = ScriptWitness.empty
 
     public fun removeSignature(script: List<ScriptElt>, signature: ByteVector): List<ScriptElt> {

src/commonMain/kotlin/fr/acinq/bitcoin/psbt/Psbt.kt

@@ -350,9 +350,9 @@ public data class Psbt(@JvmField val global: Global, @JvmField val inputs: List<
         return when (input) {
             is Input.PartiallySignedInputWithoutUtxo -> Either.Left(UpdateFailure.CannotSignInput(inputIndex, "cannot sign: input hasn't been updated with utxo data"))
             is Input.WitnessInput.PartiallySignedWitnessInput -> {
-                if (input.nonWitnessUtxo != null && input.nonWitnessUtxo!!.txid != txIn.outPoint.txid) {
+                if (input.nonWitnessUtxo != null && input.nonWitnessUtxo.txid != txIn.outPoint.txid) {
                     Either.Left(UpdateFailure.InvalidNonWitnessUtxo("non-witness utxo does not match unsigned tx input"))
-                } else if (input.nonWitnessUtxo != null && input.nonWitnessUtxo!!.txOut.size <= txIn.outPoint.index) {
+                } else if (input.nonWitnessUtxo != null && input.nonWitnessUtxo.txOut.size <= txIn.outPoint.index) {
                     Either.Left(UpdateFailure.InvalidNonWitnessUtxo("non-witness utxo index out of bounds"))
                 } else if (!Script.isNativeWitnessScript(input.txOut.publicKeyScript) && !Script.isPayToScript(input.txOut.publicKeyScript.toByteArray())) {
                     Either.Left(UpdateFailure.InvalidWitnessUtxo("witness utxo must use native segwit or P2SH embedded segwit"))
@@ -556,7 +556,7 @@ public data class Psbt(@JvmField val global: Global, @JvmField val inputs: List<
         return try {
             Transaction.correctlySpends(finalTx, utxos.toMap(), ScriptFlags.STANDARD_SCRIPT_VERIFY_FLAGS)
             Either.Right(finalTx)
-        } catch (e: Exception) {
+        } catch (_: Exception) {
             Either.Left(UpdateFailure.CannotExtractTx("extracted transaction doesn't pass standard script validation"))
         }
     }
@@ -1126,9 +1126,13 @@ public data class Psbt(@JvmField val global: Global, @JvmField val inputs: List<
             taprootInternalKey: XonlyPublicKey?,
             unknown: List<DataEntry>
         ): Input {
+            val outputIndex = txIn.outPoint.index.toInt()
             val emptied = redeemScript == null && witnessScript == null && partialSigs.isEmpty() && derivationPaths.isEmpty() && sighashType == null
             return when {
                 // @formatter:off
+                // If the input is P2A, it doesn't need any signature to be finalized, anyone can spend it.
+                witnessUtxo != null && witnessUtxo.publicKeyScript == Script.write(Script.pay2anchor).byteVector() -> Input.WitnessInput.FinalizedWitnessInput(witnessUtxo, nonWitnessUtxo, Script.witnessPay2anchor, scriptSig, ripemd160, sha256, hash160, hash256, unknown)
+                nonWitnessUtxo != null && nonWitnessUtxo.txOut[outputIndex].publicKeyScript == Script.write(Script.pay2anchor).byteVector() -> Input.WitnessInput.FinalizedWitnessInput(nonWitnessUtxo.txOut[outputIndex], nonWitnessUtxo, Script.witnessPay2anchor, scriptSig, ripemd160, sha256, hash160, hash256, unknown)
                 // If the input is finalized, it must have been emptied otherwise it's invalid.
                 witnessUtxo != null && scriptWitness != null && emptied -> Input.WitnessInput.FinalizedWitnessInput(witnessUtxo, nonWitnessUtxo, scriptWitness, scriptSig, ripemd160, sha256, hash160, hash256, unknown)
                 nonWitnessUtxo != null && scriptSig != null && emptied -> Input.NonWitnessInput.FinalizedNonWitnessInput(nonWitnessUtxo, txIn.outPoint.index.toInt(), scriptSig, ripemd160, sha256, hash160, hash256, unknown)

src/commonTest/kotlin/fr/acinq/bitcoin/psbt/PsbtTestsCommon.kt

@@ -1102,6 +1102,86 @@ class PsbtTestsCommon {
         assertNotNull(finalTx.right)
     }
 
+    @Test
+    fun `bump lightning commit tx fee from cold wallet with P2A output`() {
+        // A lightning node prepares a PSBT that spends the anchor output of a commitment transaction.
+        val lightningPsbt = run {
+            val txToBump = Transaction(3, listOf(), listOf(TxOut(0.sat(), Script.pay2anchor)), 0)
+            val lightningPsbt = Psbt(Transaction(3, listOf(TxIn(OutPoint(txToBump, 0), ByteVector.empty, 0, Script.witnessPay2anchor)), listOf(), 0))
+                .updateWitnessInput(OutPoint(txToBump, 0), txToBump.txOut[0], null, Script.pay2anchor, SIGHASH_ALL)
+            assertTrue(lightningPsbt.isRight)
+            lightningPsbt.right!!
+        }
+
+        // A cold wallet adds inputs and finalizes a transaction that bumps the fees of the commitment transaction.
+        val walletPrivKey = PrivateKey(ByteVector32("0202020202020202020202020202020202020202020202020202020202020202"))
+        val confirmedTx = Transaction(2, listOf(), listOf(TxOut(100_000.sat(), Script.pay2wpkh(walletPrivKey.publicKey()))), 0)
+        val finalTx = Psbt.join(
+            lightningPsbt,
+            Psbt(Transaction(3, listOf(TxIn(OutPoint(confirmedTx, 0), 0)), listOf(TxOut(75_000.sat(), Script.pay2wpkh(walletPrivKey.publicKey()))), 0))
+        ).flatMap {
+            it.updateWitnessInputTx(confirmedTx, 0, null, Script.pay2pkh(walletPrivKey.publicKey()))
+        }.flatMap {
+            it.sign(walletPrivKey, 1)
+        }.flatMap {
+            it.psbt.finalizeWitnessInput(0, Script.witnessPay2anchor)
+        }.flatMap {
+            it.finalizeWitnessInput(1, Script.witnessPay2wpkh(walletPrivKey.publicKey(), it.inputs[1].partialSigs.getValue(walletPrivKey.publicKey())))
+        }.flatMap {
+            it.extract()
+        }
+        assertTrue(finalTx.isRight)
+        assertNotNull(finalTx.right)
+    }
+
+    @Test
+    fun `read PSBT with P2A input`() {
+        val walletPrivKey = PrivateKey(ByteVector32("0202020202020202020202020202020202020202020202020202020202020202"))
+        val walletTx = Transaction(2, listOf(TxIn(OutPoint(TxId("75ddabb27b8845f5247975c8a5ba7c6f336c4570708ebe230caf6db5217ae858"), 2), ByteVector.empty, 0)), listOf(TxOut(100_000.sat(), Script.pay2wpkh(walletPrivKey.publicKey()))), 0)
+        val txToBump = Transaction(3, listOf(TxIn(OutPoint(TxId("0a6a357e2f7796444e02638749d9611c008b253fb55f5dc88b739b230ed0c4c3"), 1), ByteVector.empty, 0)), listOf(TxOut(0.sat(), Script.pay2anchor), TxOut(50_000.sat(), Script.pay2wpkh(walletPrivKey.publicKey()))), 0)
+        val dummyTx = Transaction(
+            version = 3,
+            txIn = listOf(
+                TxIn(OutPoint(txToBump, 0), ByteVector.empty, 0),
+                TxIn(OutPoint(walletTx, 0), ByteVector.empty, 0),
+            ),
+            txOut = listOf(
+                TxOut(90_000.sat(), Script.pay2wpkh(walletPrivKey.publicKey()))
+            ),
+            lockTime = 0
+        )
+        val psbt1 = Psbt(dummyTx)
+            .updateWitnessInput(OutPoint(walletTx, 0), walletTx.txOut[0], null, Script.pay2pkh(walletPrivKey.publicKey()))
+            .flatMap { it.updateWitnessInput(OutPoint(txToBump, 0), txToBump.txOut[0], null, null) }
+            .flatMap { it.sign(walletPrivKey, 1) }
+            .flatMap { it.psbt.finalizeWitnessInput(1, Script.witnessPay2wpkh(walletPrivKey.publicKey(), it.psbt.inputs[1].partialSigs.getValue(walletPrivKey.publicKey()))) }
+            .right
+        assertNotNull(psbt1)
+        val finalTx1 = psbt1.finalizeWitnessInput(0, Script.witnessPay2anchor).flatMap { it.extract() }.right
+        assertNotNull(finalTx1)
+        Transaction.correctlySpends(finalTx1, listOf(walletTx, txToBump), ScriptFlags.STANDARD_SCRIPT_VERIFY_FLAGS)
+
+        val psbt2 = Psbt(dummyTx)
+            .updateWitnessInput(OutPoint(walletTx, 0), walletTx.txOut[0], null, Script.pay2pkh(walletPrivKey.publicKey()))
+            .flatMap { it.updateWitnessInputTx(txToBump, 0) }
+            .flatMap { it.sign(walletPrivKey, 1) }
+            .flatMap { it.psbt.finalizeWitnessInput(1, Script.witnessPay2wpkh(walletPrivKey.publicKey(), it.psbt.inputs[1].partialSigs.getValue(walletPrivKey.publicKey()))) }
+            .right
+        assertNotNull(psbt2)
+        val finalTx2 = psbt2.finalizeWitnessInput(0, Script.witnessPay2anchor).flatMap { it.extract() }.right
+        assertNotNull(finalTx2)
+        Transaction.correctlySpends(finalTx2, listOf(walletTx, txToBump), ScriptFlags.STANDARD_SCRIPT_VERIFY_FLAGS)
+
+        // When serializing PSBTs, Bitcoin Core skips empty witnesses instead of encoding explicitly an empty witness stack.
+        // This means that it essentially reverts the finalization of the P2A output that we may have previously done.
+        // But this is fine: when reading a P2A input, we should always set its witness to an empty witness, which finalizes it.
+        listOf(psbt1, psbt2).forEach { psbt ->
+            val finalTx = Psbt.read(Psbt.write(psbt)).right?.extract()?.right
+            assertNotNull(finalTx)
+            Transaction.correctlySpends(finalTx, listOf(walletTx, txToBump), ScriptFlags.STANDARD_SCRIPT_VERIFY_FLAGS)
+        }
+    }
+
     @Test
     fun `manual coinjoin workflow`() {
         val alicePrivKey = DeterministicWallet.derivePrivateKey(masterPrivKey, KeyPath("m/0'/0'/1'")).privateKey