NestedMultiSign

src/ripple/protocol/Feature.h

@@ -74,7 +74,7 @@ namespace detail {
 // Feature.cpp. Because it's only used to reserve storage, and determine how
 // large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
 // the actual number of amendments. A LogicError on startup will verify this.
-static constexpr std::size_t numFeatures = 90;
+static constexpr std::size_t numFeatures = 91;
 
 /** Amendments that this server supports and the default voting behavior.
    Whether they are enabled depends on the Rules defined in the validated
@@ -378,6 +378,7 @@ extern uint256 const fixInvalidTxFlags;
 extern uint256 const featureExtendedHookState;
 extern uint256 const fixCronStacking;
 extern uint256 const fixHookAPI20251128;
+extern uint256 const featureNestedMultiSign;
 }  // namespace ripple
 
 #endif

src/ripple/protocol/impl/Feature.cpp

@@ -484,6 +484,7 @@ REGISTER_FIX    (fixInvalidTxFlags,             Supported::yes, VoteBehavior::De
 REGISTER_FEATURE(ExtendedHookState,             Supported::yes, VoteBehavior::DefaultNo);
 REGISTER_FIX    (fixCronStacking,               Supported::yes, VoteBehavior::DefaultYes);
 REGISTER_FIX    (fixHookAPI20251128,            Supported::yes, VoteBehavior::DefaultYes);
+REGISTER_FEATURE(NestedMultiSign,               Supported::yes, VoteBehavior::DefaultNo);
 
 // The following amendments are obsolete, but must remain supported
 // because they could potentially get enabled.

src/ripple/protocol/impl/InnerObjectFormats.cpp

@@ -44,8 +44,9 @@ InnerObjectFormats::InnerObjectFormats()
         sfSigner.getCode(),
         {
             {sfAccount, soeREQUIRED},
-            {sfSigningPubKey, soeREQUIRED},
-            {sfTxnSignature, soeREQUIRED},
+            {sfSigningPubKey, soeOPTIONAL},
+            {sfTxnSignature, soeOPTIONAL},
+            {sfSigners, soeOPTIONAL},
         });
 
     add(sfMajority.jsonName.c_str(),

src/ripple/protocol/impl/STTx.cpp

@@ -369,64 +369,124 @@ STTx::checkMultiSign(
     bool const fullyCanonical = (getFlags() & tfFullyCanonicalSig) ||
         (requireCanonicalSig == RequireFullyCanonicalSig::yes);
 
-    // Signers must be in sorted order by AccountID.
-    AccountID lastAccountID(beast::zero);
-
     bool const isWildcardNetwork =
         isFieldPresent(sfNetworkID) && getFieldU32(sfNetworkID) == 65535;
 
-    for (auto const& signer : signers)
-    {
-        auto const accountID = signer.getAccountID(sfAccount);
+    // Set max depth based on feature flag
+    int const maxDepth = rules.enabled(featureNestedMultiSign) ? 4 : 1;
 
-        // The account owner may not multisign for themselves.
-        if (accountID == txnAccountID)
-            return Unexpected("Invalid multisigner.");
+    // Define recursive lambda for checking signatures at any depth
+    std::function<Expected<void, std::string>(
+        STArray const&, AccountID const&, int)>
+        checkSignersArray;
 
-        // No duplicate signers allowed.
-        if (lastAccountID == accountID)
-            return Unexpected("Duplicate Signers not allowed.");
+    checkSignersArray = [&](STArray const& signersArray,
+                            AccountID const& parentAccountID,
+                            int depth) -> Expected<void, std::string> {
+        // Check depth limit
+        if (depth > maxDepth)
+            return Unexpected("Multi-signing depth limit exceeded.");
 
-        // Accounts must be in order by account ID.  No duplicates allowed.
-        if (lastAccountID > accountID)
-            return Unexpected("Unsorted Signers array.");
+        // There are well known bounds that the number of signers must be
+        // within.
+        if (signersArray.size() < minMultiSigners ||
+            signersArray.size() > maxMultiSigners(&rules))
+            return Unexpected("Invalid Signers array size.");
 
-        // The next signature must be greater than this one.
-        lastAccountID = accountID;
+        // Signers must be in sorted order by AccountID.
+        AccountID lastAccountID(beast::zero);
 
-        // Verify the signature.
-        bool validSig = false;
-        try
+        for (auto const& signer : signersArray)
         {
-            Serializer s = dataStart;
-            finishMultiSigningData(accountID, s);
+            auto const accountID = signer.getAccountID(sfAccount);
+
+            // The account owner may not multisign for themselves.
+            if (accountID == txnAccountID)
+                return Unexpected("Invalid multisigner.");
+
+            // No duplicate signers allowed.
+            if (lastAccountID == accountID)
+                return Unexpected("Duplicate Signers not allowed.");
+
+            // Accounts must be in order by account ID.  No duplicates allowed.
+            if (lastAccountID > accountID)
+                return Unexpected("Unsorted Signers array.");
 
-            auto spk = signer.getFieldVL(sfSigningPubKey);
+            // The next signature must be greater than this one.
+            lastAccountID = accountID;
 
-            if (publicKeyType(makeSlice(spk)))
+            // Check if this signer has nested signers
+            if (signer.isFieldPresent(sfSigners))
             {
-                Blob const signature = signer.getFieldVL(sfTxnSignature);
-
-                // wildcard network gets a free pass
-                validSig = isWildcardNetwork ||
-                    verify(PublicKey(makeSlice(spk)),
-                           s.slice(),
-                           makeSlice(signature),
-                           fullyCanonical);
+                // This is a nested multi-signer
+                if (maxDepth == 1)
+                {
+                    // amendment is not enabled, this is an error
+                    return Unexpected("FeatureNestedMultiSign is disabled");
+                }
+
+                // Ensure it doesn't also have signature fields
+                if (signer.isFieldPresent(sfSigningPubKey) ||
+                    signer.isFieldPresent(sfTxnSignature))
+                    return Unexpected(
+                        "Signer cannot have both nested signers and signature "
+                        "fields.");
+
+                // Recursively check nested signers
+                STArray const& nestedSigners = signer.getFieldArray(sfSigners);
+                auto result =
+                    checkSignersArray(nestedSigners, accountID, depth + 1);
+                if (!result)
+                    return result;
+            }
+            else
+            {
+                // This is a leaf node - must have signature
+                if (!signer.isFieldPresent(sfSigningPubKey) ||
+                    !signer.isFieldPresent(sfTxnSignature))
+                    return Unexpected(
+                        "Leaf signer must have SigningPubKey and "
+                        "TxnSignature.");
+
+                // Verify the signature
+                bool validSig = false;
+                try
+                {
+                    Serializer s = dataStart;
+                    finishMultiSigningData(accountID, s);
+
+                    auto spk = signer.getFieldVL(sfSigningPubKey);
+
+                    if (publicKeyType(makeSlice(spk)))
+                    {
+                        Blob const signature =
+                            signer.getFieldVL(sfTxnSignature);
+
+                        // wildcard network gets a free pass
+                        validSig = isWildcardNetwork ||
+                            verify(PublicKey(makeSlice(spk)),
+                                   s.slice(),
+                                   makeSlice(signature),
+                                   fullyCanonical);
+                    }
+                }
+                catch (std::exception const&)
+                {
+                    // We assume any problem lies with the signature.
+                    validSig = false;
+                }
+                if (!validSig)
+                    return Unexpected(
+                        std::string("Invalid signature on account ") +
+                        toBase58(accountID) + ".");
             }
         }
-        catch (std::exception const&)
-        {
-            // We assume any problem lies with the signature.
-            validSig = false;
-        }
-        if (!validSig)
-            return Unexpected(
-                std::string("Invalid signature on account ") +
-                toBase58(accountID) + ".");
-    }
-    // All signatures verified.
-    return {};
+
+        return {};
+    };
+
+    // Start the recursive check at depth 1
+    return checkSignersArray(signers, txnAccountID, 1);
 }
 
 //------------------------------------------------------------------------------

src/ripple/rpc/impl/TransactionSign.cpp

@@ -1183,12 +1183,21 @@ transactionSubmitMultiSigned(
     // The Signers array may only contain Signer objects.
     if (std::find_if_not(
             signers.begin(), signers.end(), [](STObject const& obj) {
-                return (
-                    // A Signer object always contains these fields and no
-                    // others.
-                    obj.isFieldPresent(sfAccount) &&
-                    obj.isFieldPresent(sfSigningPubKey) &&
-                    obj.isFieldPresent(sfTxnSignature) && obj.getCount() == 3);
+                if (obj.getCount() != 4 || !obj.isFieldPresent(sfAccount))
+                    return false;
+                // leaf signer
+                if (obj.isFieldPresent(sfSigningPubKey) &&
+                    obj.isFieldPresent(sfTxnSignature) &&
+                    !obj.isFieldPresent(sfSigners))
+                    return true;
+
+                // nested signer
+                if (!obj.isFieldPresent(sfSigningPubKey) &&
+                    !obj.isFieldPresent(sfTxnSignature) &&
+                    obj.isFieldPresent(sfSigners))
+                    return true;
+
+                return false;
             }) != signers.end())
     {
         return RPC::make_param_error(