/*
 * Copyright (c) 2015 Conformal Systems LLC
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

package votingpool

import (
	"bytes"
	"fmt"
	"math"
	"sort"
	"strconv"

	"github.com/btcsuite/btcd/txscript"
	"github.com/btcsuite/btcd/wire"
	"github.com/btcsuite/btcutil"
	"github.com/btcsuite/btcwallet/txstore"
	"github.com/btcsuite/btcwallet/waddrmgr"
	"github.com/btcsuite/fastsha256"
)

// txMaxSize is the maximum tx size (in bytes). This should be the same as
// bitcoind's MAX_STANDARD_TX_SIZE. isTxTooBig treats any estimated size that
// is greater than or equal to this value as too big.
const txMaxSize = 100000

// feeIncrement is the minimum transaction fee (0.00001 BTC, measured in
// satoshis) added to transactions requiring a fee. calculateTxFee charges a
// multiple of this increment based on the estimated serialized size.
const feeIncrement = 1e3

// outputStatus records how far a requested output has been fulfilled. The
// human-readable form is produced by outputStatus.String.
type outputStatus byte

const (
	// statusSuccess is the initial status given to a request when it is added
	// to a transaction; it means the request is expected to be fulfilled in full.
	statusSuccess outputStatus = iota
	// statusPartial is set when a request is dropped for lack of inputs
	// (maybeDropRequests) or when its last output has to be split
	// (splitLastOutput).
	statusPartial
	// statusSplit is set when a request ends up fulfilled by more than one
	// outpoint (updateStatusFor).
	statusSplit
)

// OutBailmentID is the unique ID of a user's outbailment, comprising the
// name of the server the user connected to, and the transaction number,
// internal to that server. OutputRequest.outBailmentID builds it as
// "<server>:<transaction>".
type OutBailmentID string

// Ntxid is the normalized ID of a given bitcoin transaction, which is generated
// by hashing the serialized tx with blank sig scripts on all inputs. Because
// the signature scripts are blanked, the ID does not change when the inputs
// are later signed (see withdrawalTx.ntxid).
type Ntxid string

// OutputRequest represents one of the outputs (address/amount) requested by a
// withdrawal, and includes information about the user's outbailment request.
type OutputRequest struct {
	Address  btcutil.Address
	Amount   btcutil.Amount
	PkScript []byte

	// The notary server that received the outbailment request.
	Server string

	// The server-specific transaction number for the outbailment request.
	Transaction uint32

	// cachedHash is used to cache the hash of the outBailmentID so it
	// only has to be calculated once. It is consulted by outBailmentIDHash;
	// note that method uses a value receiver, so it can only honour a value
	// already stored in the OutputRequest the caller holds.
	cachedHash []byte
}

// WithdrawalOutput represents a possibly fulfilled OutputRequest.
type WithdrawalOutput struct {
	// request is the original request as received; split requests pushed back
	// onto the pending stack carry a reduced Amount, but this copy keeps the
	// full one (see splitLastOutput and finalizeCurrentTx).
	request OutputRequest
	status  outputStatus
	// The outpoints that fulfill the OutputRequest. There will be more than one in case we
	// need to split the request across multiple transactions.
	outpoints []OutBailmentOutpoint
}

// OutBailmentOutpoint represents one of the outpoints created to fulfil an OutputRequest.
type OutBailmentOutpoint struct {
	ntxid Ntxid
	// index is the position of the output within the tx identified by ntxid.
	index  uint32
	amount btcutil.Amount
}

// changeAwareTx is just a wrapper around wire.MsgTx that knows about its change
// output, if any.
type changeAwareTx struct {
	*wire.MsgTx
	changeIdx int32 // -1 if there's no change output.
}

// WithdrawalStatus contains the details of a processed withdrawal, including
// the status of each requested output, the total amount of network fees and the
// next input and change addresses to use in a subsequent withdrawal request.
type WithdrawalStatus struct {
	// nextInputAddr is not yet populated by fulfillRequests (see the TODO there).
	nextInputAddr WithdrawalAddress
	// nextChangeAddr advances every time a finalized tx gets a change output.
	nextChangeAddr ChangeAddress
	// fees is the sum of the fee of every finalized transaction.
	fees btcutil.Amount
	// outputs is keyed by the outbailment ID of each requested output.
	outputs map[OutBailmentID]*WithdrawalOutput
	// sigs holds, per ntxid, one signature list per tx input (see getRawSigs).
	sigs map[Ntxid]TxSigs
	// transactions holds the unsigned MsgTx for every finalized tx, keyed by ntxid.
	transactions map[Ntxid]changeAwareTx
}

// TxSigs is list of raw signatures (one for every pubkey in the multi-sig
// script) for a given transaction input. They should match the order of pubkeys
// in the script and an empty RawSig should be used when the private key for a
// pubkey is not known.
type TxSigs [][]RawSig

// RawSig represents one of the signatures included in the unlocking script of
// inputs spending from P2SH UTXOs.
type RawSig []byte

// byAmount implements sort.Interface so that a slice of OutputRequests can be
// ordered by the requested amount (ascending).
type byAmount []OutputRequest

func (u byAmount) Len() int { return len(u) }

func (u byAmount) Less(i, j int) bool { return u[i].Amount < u[j].Amount }

func (u byAmount) Swap(i, j int) { u[i], u[j] = u[j], u[i] }

// byOutBailmentID implements sort.Interface so that a slice of OutputRequests
// can be ordered by the digest returned by OutputRequest.outBailmentIDHash.
// Sorting by a hash of the ID rather than by the ID itself gives a
// deterministic order that is independent of how the requests were supplied.
type byOutBailmentID []OutputRequest

func (s byOutBailmentID) Len() int { return len(s) }

func (s byOutBailmentID) Swap(i, j int) { s[i], s[j] = s[j], s[i] }

func (s byOutBailmentID) Less(i, j int) bool {
	left := s[i].outBailmentIDHash()
	right := s[j].outBailmentIDHash()
	return bytes.Compare(left, right) < 0
}

// String returns the human-readable form of an outputStatus. A value outside
// the known set yields the empty string.
func (s outputStatus) String() string {
	switch s {
	case statusSuccess:
		return "success"
	case statusPartial:
		return "partial-"
	case statusSplit:
		return "split"
	default:
		return ""
	}
}

// Outputs returns the WithdrawalOutput for every requested output, keyed by
// outbailment ID. The map is the status' own; callers should not mutate it.
func (s *WithdrawalStatus) Outputs() map[OutBailmentID]*WithdrawalOutput {
	return s.outputs
}

// Sigs returns, for every transaction generated by the withdrawal (keyed by
// ntxid), one signature list per tx input.
func (s *WithdrawalStatus) Sigs() map[Ntxid]TxSigs {
	return s.sigs
}

// Fees returns the total amount of network fees included in all transactions
// generated as part of a withdrawal.
func (s *WithdrawalStatus) Fees() btcutil.Amount {
	return s.fees
}

// NextInputAddr returns the votingpool address that should be used as the
// startAddress of subsequent withdrawals.
func (s *WithdrawalStatus) NextInputAddr() WithdrawalAddress {
	return s.nextInputAddr
}

// NextChangeAddr returns the votingpool address that should be used as the
// changeStart of subsequent withdrawals.
func (s *WithdrawalStatus) NextChangeAddr() ChangeAddress {
	return s.nextChangeAddr
}

// String implements fmt.Stringer for OutputRequest.
func (r OutputRequest) String() string {
	return fmt.Sprintf("OutputRequest %s to send %v to %s", r.outBailmentID(), r.Amount, r.Address)
}

// outBailmentID builds the "<server>:<transaction>" identifier of this request.
func (r OutputRequest) outBailmentID() OutBailmentID {
	id := r.Server + ":" + strconv.FormatUint(uint64(r.Transaction), 10)
	return OutBailmentID(id)
}

// outBailmentIDHash returns the SHA-256 digest of Server followed by the
// decimal Transaction number; byOutBailmentID sorts requests by this value.
// A non-nil cachedHash is returned as-is without recomputing.
func (r OutputRequest) outBailmentIDHash() []byte {
	if cached := r.cachedHash; cached != nil {
		return cached
	}
	material := r.Server + strconv.Itoa(int(r.Transaction))
	hasher := fastsha256.New()
	// hasher.Write() always returns nil as the error, so it's safe to ignore it here.
	_, _ = hasher.Write([]byte(material))
	digest := hasher.Sum(nil)
	// NOTE(review): r is a by-value copy, so this assignment only fills the
	// copy's cache; the caller's OutputRequest is left with cachedHash unset.
	r.cachedHash = digest
	return digest
}

// String implements fmt.Stringer for WithdrawalOutput.
func (o *WithdrawalOutput) String() string {
	return fmt.Sprintf("WithdrawalOutput for %s", o.request)
}

// addOutpoint records one more outpoint that (partly) fulfills this output.
func (o *WithdrawalOutput) addOutpoint(outpoint OutBailmentOutpoint) {
	o.outpoints = append(o.outpoints, outpoint)
}

// Status returns the human-readable status of this WithdrawalOutput.
func (o *WithdrawalOutput) Status() string {
	return o.status.String()
}

// Address returns the string representation of this WithdrawalOutput's address.
func (o *WithdrawalOutput) Address() string {
	return o.request.Address.String()
}

// Outpoints returns the OutBailmentOutpoints created so far to fulfill this
// output; there is more than one when the request was split across txs.
func (o *WithdrawalOutput) Outpoints() []OutBailmentOutpoint {
	return o.outpoints
}

// Amount returns the amount (in satoshis) in this OutBailmentOutpoint.
func (o OutBailmentOutpoint) Amount() btcutil.Amount {
	return o.amount
}

// withdrawal holds all the state needed for Pool.Withdrawal() to do its job.
type withdrawal struct {
	roundID uint32
	status  *WithdrawalStatus
	// transactions are the finalized txs, in the order they were finalized.
	transactions []*withdrawalTx
	// pendingRequests is a stack whose top is index 0 (see popRequest/pushRequest).
	pendingRequests []OutputRequest
	// eligibleInputs is a stack whose top is index 0 (see popInput/pushInput).
	eligibleInputs []Credit
	// current is the tx being built; it is replaced by finalizeCurrentTx.
	current *withdrawalTx
}

// withdrawalTxOut wraps an OutputRequest and provides a separate amount field.
// It is necessary because some requests may be partially fulfilled or split
// across transactions.
type withdrawalTxOut struct {
	// Notice that in the case of a split output, the OutputRequest here will
	// be a copy of the original one with the amount being the remainder of the
	// originally requested amount minus the amounts fulfilled by other
	// withdrawalTxOut. The original OutputRequest, if needed, can be obtained
	// from WithdrawalStatus.outputs.
	request OutputRequest
	amount  btcutil.Amount
}

// String implements fmt.Stringer for withdrawalTxOut.
func (o *withdrawalTxOut) String() string {
	return fmt.Sprintf("withdrawalTxOut fulfilling %v of %s", o.amount, o.request)
}

// pkScript returns the output script of the wrapped request.
func (o *withdrawalTxOut) pkScript() []byte {
	return o.request.PkScript
}

// withdrawalTx represents a transaction constructed by the withdrawal process.
type withdrawalTx struct {
	inputs  []Credit
	outputs []*withdrawalTxOut
	// fee is set by addChange when the tx is finalized.
	fee btcutil.Amount

	// changeOutput holds information about the change for this transaction.
	// It is nil until addChange decides a change output is needed.
	changeOutput *wire.TxOut
}

// newWithdrawalTx returns an empty transaction with no inputs, outputs or change.
func newWithdrawalTx() *withdrawalTx {
	return new(withdrawalTx)
}

// ntxid returns the normalized ID of this transaction: the hash of the
// serialized tx with every signature script blanked, so the value is the same
// before and after signing.
func (tx *withdrawalTx) ntxid() Ntxid {
	msgtx := tx.toMsgTx()
	for _, txin := range msgtx.TxIn {
		txin.SignatureScript = nil
	}
	// Ignore the error as TxSha() can't fail.
	sha, _ := msgtx.TxSha()
	return Ntxid(sha.String())
}

// inputTotal returns the sum amount of all inputs in this tx.
func (tx *withdrawalTx) inputTotal() btcutil.Amount {
	var sum btcutil.Amount
	for i := range tx.inputs {
		sum += tx.inputs[i].Amount()
	}
	return sum
}

// outputTotal returns the sum amount of all outputs in this tx. The change
// output, if any, is not included.
func (tx *withdrawalTx) outputTotal() btcutil.Amount {
	var sum btcutil.Amount
	for i := range tx.outputs {
		sum += tx.outputs[i].amount
	}
	return sum
}

// hasChange reports whether addChange attached a change output to this tx.
func (tx *withdrawalTx) hasChange() bool {
	return tx.changeOutput != nil
}

// toMsgTx generates a btcwire.MsgTx with this tx's inputs and outputs.
func (tx *withdrawalTx) toMsgTx() *wire.MsgTx {
	msgtx := wire.NewMsgTx()
	// Requested outputs come first, in insertion order; the change output (when
	// present) is always the last TxOut. Other code relies on this layout: the
	// outpoint index recorded per output and changeAwareTx.changeIdx both
	// assume it.
	for _, out := range tx.outputs {
		msgtx.AddTxOut(wire.NewTxOut(int64(out.amount), out.pkScript()))
	}
	if tx.changeOutput != nil {
		// The *wire.TxOut is shared with the withdrawalTx, not copied.
		msgtx.AddTxOut(tx.changeOutput)
	}
	// Inputs start with an empty signature script; signing happens later.
	for _, in := range tx.inputs {
		msgtx.AddTxIn(wire.NewTxIn(in.OutPoint(), []byte{}))
	}
	return msgtx
}

// addOutput appends an output paying the full requested amount to the
// request's address.
func (tx *withdrawalTx) addOutput(request OutputRequest) {
	log.Debugf("Added tx output sending %s to %s", request.Amount, request.Address)
	out := &withdrawalTxOut{request: request, amount: request.Amount}
	tx.outputs = append(tx.outputs, out)
}

// removeOutput removes the most recently added output and returns it. The tx
// must have at least one output.
func (tx *withdrawalTx) removeOutput() *withdrawalTxOut {
	last := len(tx.outputs) - 1
	removed := tx.outputs[last]
	tx.outputs = tx.outputs[:last]
	log.Debugf("Removed tx output sending %s to %s", removed.amount, removed.request.Address)
	return removed
}

// addInput appends a credit to the list of inputs spent by this tx.
func (tx *withdrawalTx) addInput(input Credit) {
	log.Debugf("Added tx input with amount %v", input.Amount())
	tx.inputs = append(tx.inputs, input)
}

// removeInput removes the most recently added input and returns it. The tx
// must have at least one input.
func (tx *withdrawalTx) removeInput() Credit {
	last := len(tx.inputs) - 1
	removed := tx.inputs[last]
	tx.inputs = tx.inputs[:last]
	log.Debugf("Removed tx input with amount %v", removed.Amount())
	return removed
}

// addChange adds a change output if there are any satoshis left after paying
// all the outputs and network fees. It returns true if a change output was
// added.
//
// This method must be called only once, and no extra inputs/outputs should be
// added after it's called. Also, callsites must make sure adding a change
// output won't cause the tx to exceed the size limit.
func (tx *withdrawalTx) addChange(pkScript []byte) bool {
	// The fee is fixed here, before the change output exists. calculateTxSize
	// already budgets for one change output, so attaching it below does not
	// change the estimate.
	tx.fee = calculateTxFee(tx)
	change := tx.inputTotal() - tx.outputTotal() - tx.fee
	log.Debugf("addChange: input total %v, output total %v, fee %v", tx.inputTotal(),
		tx.outputTotal(), tx.fee)
	if change > 0 {
		tx.changeOutput = wire.NewTxOut(int64(change), pkScript)
		log.Debugf("Added change output with amount %v", change)
	}
	return tx.hasChange()
}

// rollBackLastOutput will roll back the last added output and possibly remove
// inputs that are no longer needed to cover the remaining outputs. The method
// returns the removed output and the removed inputs, in the reverse order they
// were added, if any.
//
// The tx needs to have two or more outputs. The case with only one output must
// be handled separately (by the split output procedure).
//
// NOTE(review): the code below also relies on the inputs covering the remaining
// outputs plus fee once the last output is gone; if the removal loop never
// runs, removedInputs is empty and the index below is -1 (a panic).
func (tx *withdrawalTx) rollBackLastOutput() ([]Credit, *withdrawalTxOut, error) {
	// Check precondition: At least two outputs are required in the transaction.
	if len(tx.outputs) < 2 {
		str := fmt.Sprintf("at least two outputs expected; got %d", len(tx.outputs))
		return nil, nil, newError(ErrPreconditionNotMet, str, nil)
	}

	removedOutput := tx.removeOutput()

	var removedInputs []Credit
	// Continue until sum(in) < sum(out) + fee
	for tx.inputTotal() >= tx.outputTotal()+calculateTxFee(tx) {
		removedInputs = append(removedInputs, tx.removeInput())
	}

	// Re-add the last item from removedInputs, which is the last popped input.
	// It is the one whose removal pushed the inputs below outputs+fee, so the
	// tx needs it back to stay funded.
	tx.addInput(removedInputs[len(removedInputs)-1])
	removedInputs = removedInputs[:len(removedInputs)-1]
	return removedInputs, removedOutput, nil
}

// newWithdrawal builds the initial withdrawal state: one WithdrawalOutput per
// request (keyed by outbailment ID, so two requests with the same ID would
// share an entry), the given inputs as the eligible-input stack and an empty
// current tx. The requests slice is stored as-is and is later sorted in place
// by fulfillRequests.
func newWithdrawal(roundID uint32, requests []OutputRequest, inputs []Credit,
	changeStart ChangeAddress) *withdrawal {
	outputs := make(map[OutBailmentID]*WithdrawalOutput, len(requests))
	for _, request := range requests {
		outputs[request.outBailmentID()] = &WithdrawalOutput{request: request}
	}
	status := &WithdrawalStatus{
		outputs:        outputs,
		nextChangeAddr: changeStart,
	}
	return &withdrawal{
		roundID:         roundID,
		current:         newWithdrawalTx(),
		pendingRequests: requests,
		eligibleInputs:  inputs,
		status:          status,
	}
}

// StartWithdrawal uses a fully deterministic algorithm to construct
// transactions fulfilling as many of the given output requests as possible.
// It returns a WithdrawalStatus containing the outpoints fulfilling the
// requested outputs and a map of normalized transaction IDs (ntxid) to
// signature lists (one for every private key available to this wallet) for each
// of those transaction's inputs. More details about the actual algorithm can be
// found at http://opentransactions.org/wiki/index.php/Startwithdrawal
//
// Eligible inputs are selected from txStore starting at startAddress up to
// lastSeriesID, skipping credits below dustThreshold and those with fewer than
// eligibleInputMinConfirmations confirmations at chainHeight. roundID is only
// recorded on the withdrawal; nothing else in this file reads it. The requests
// slice is sorted in place as a side effect.
func (p *Pool) StartWithdrawal(roundID uint32, requests []OutputRequest, startAddress WithdrawalAddress,
	lastSeriesID uint32, changeStart ChangeAddress, txStore *txstore.Store, chainHeight int32,
	dustThreshold btcutil.Amount) (*WithdrawalStatus, error) {
	eligible, err := p.getEligibleInputs(txStore, startAddress, lastSeriesID, dustThreshold, chainHeight,
		eligibleInputMinConfirmations)
	if err != nil {
		return nil, err
	}

	w := newWithdrawal(roundID, requests, eligible, changeStart)
	if err := w.fulfillRequests(); err != nil {
		return nil, err
	}

	w.status.sigs, err = getRawSigs(w.transactions)
	if err != nil {
		return nil, err
	}
	return w.status, nil
}

// popRequest removes and returns the first request from the stack of pending
// requests.
func (w *withdrawal) popRequest() OutputRequest {
	// The top of the stack is index 0; the caller must ensure it is non-empty.
	request := w.pendingRequests[0]
	w.pendingRequests = w.pendingRequests[1:]
	return request
}

// pushRequest adds a new request to the top of the stack of pending requests.
func (w *withdrawal) pushRequest(request OutputRequest) {
	w.pendingRequests = append([]OutputRequest{request}, w.pendingRequests...)
}

// popInput removes and returns the first input from the stack of eligible
// inputs. The caller must ensure the stack is non-empty.
func (w *withdrawal) popInput() Credit {
	input := w.eligibleInputs[0]
	w.eligibleInputs = w.eligibleInputs[1:]
	return input
}

// pushInput adds a new input to the top of the stack of eligible inputs.
// TODO: Reverse the stack semantics here as the current one generates a lot of
// extra garbage since it always creates a new single-element slice and append
// the rest of the items to it.
func (w *withdrawal) pushInput(input Credit) {
	w.eligibleInputs = append([]Credit{input}, w.eligibleInputs...)
}

// fulfillNextRequest pops the next pending request, adds it as an output of the
// current tx and pulls eligible inputs until they cover the outputs plus the
// fee. Whenever the size estimate crosses txMaxSize it hands over to
// handleOversizeTx, which finalizes the current tx (and may push the request
// and freed inputs back onto their stacks for the next round).
//
// If this returns it means we have added an output and the necessary inputs to fulfil that
// output plus the required fees. It also means the tx won't reach the size limit even
// after we add a change output and sign all inputs (calculateTxSize budgets
// for both). The caller must ensure there is at least one pending request.
func (w *withdrawal) fulfillNextRequest() error {
	request := w.popRequest()
	output := w.status.outputs[request.outBailmentID()]
	// We start with an output status of success and let the methods that deal
	// with special cases change it when appropriate.
	output.status = statusSuccess
	w.current.addOutput(request)
	if isTxTooBig(w.current) {
		return w.handleOversizeTx()
	}

	fee := calculateTxFee(w.current)
	for w.current.inputTotal() < w.current.outputTotal()+fee {
		if len(w.eligibleInputs) == 0 {
			// No more inputs: shrink the last output to whatever is left and
			// push the remainder back as a new pending request.
			log.Debug("Splitting last output because we don't have enough inputs")
			if err := w.splitLastOutput(); err != nil {
				return err
			}
			break
		}
		w.current.addInput(w.popInput())
		// Every added input grows the tx, so the fee must be re-estimated.
		fee = calculateTxFee(w.current)
		if isTxTooBig(w.current) {
			return w.handleOversizeTx()
		}
	}
	return nil
}

// handleOversizeTx handles the case when a transaction has become too
// big by either rolling back an output or splitting it. In both cases the
// current tx is then finalized and replaced with an empty one.
func (w *withdrawal) handleOversizeTx() error {
	if len(w.current.outputs) > 1 {
		// Drop the last output together with the inputs that only it needed,
		// and return both to their stacks so the next tx can pick them up.
		log.Debug("Rolling back last output because tx got too big")
		inputs, output, err := w.current.rollBackLastOutput()
		if err != nil {
			return newError(ErrWithdrawalProcessing, "failed to rollback last output", err)
		}
		for _, input := range inputs {
			w.pushInput(input)
		}
		w.pushRequest(output.request)
	} else if len(w.current.outputs) == 1 {
		// A single output cannot be rolled back; give back the last input and
		// split the output so the remainder is requested again later.
		log.Debug("Splitting last output because tx got too big...")
		w.pushInput(w.current.removeInput())
		if err := w.splitLastOutput(); err != nil {
			return err
		}
	} else {
		return newError(ErrPreconditionNotMet, "Oversize tx must have at least one output", nil)
	}
	return w.finalizeCurrentTx()
}

// finalizeCurrentTx finalizes the transaction in w.current, moves it to the
// list of finalized transactions and replaces w.current with a new empty
// transaction.
func (w *withdrawal) finalizeCurrentTx() error {
	log.Debug("Finalizing current transaction")
	tx := w.current
	if len(tx.outputs) == 0 {
		log.Debug("Current transaction has no outputs, doing nothing")
		return nil
	}

	pkScript, err := txscript.PayToAddrScript(w.status.nextChangeAddr.addr)
	if err != nil {
		return newError(ErrWithdrawalProcessing, "failed to generate pkScript for change address", err)
	}
	if tx.addChange(pkScript) {
		// A change address is consumed only when a change output was created.
		// NOTE(review): this `var err error` shadows the err declared above;
		// harmless here, but the declaration is redundant.
		var err error
		w.status.nextChangeAddr, err = nextChangeAddress(w.status.nextChangeAddr)
		if err != nil {
			return newError(ErrWithdrawalProcessing, "failed to get next change address", err)
		}
	}

	// Record one outpoint per output. Using the slice position as the output
	// index is correct because toMsgTx emits tx.outputs first, in order, with
	// the change output (if any) last.
	ntxid := tx.ntxid()
	for i, txOut := range tx.outputs {
		outputStatus := w.status.outputs[txOut.request.outBailmentID()]
		outputStatus.addOutpoint(
			OutBailmentOutpoint{ntxid: ntxid, index: uint32(i), amount: txOut.amount})
	}

	// Check that WithdrawalOutput entries with status==success have the sum of
	// their outpoint amounts matching the requested amount.
	for _, txOut := range tx.outputs {
		// Look up the original request we received because txOut.request may
		// represent a split request and thus have a different amount from the
		// original one.
		outputStatus := w.status.outputs[txOut.request.outBailmentID()]
		origRequest := outputStatus.request
		amtFulfilled := btcutil.Amount(0)
		for _, outpoint := range outputStatus.outpoints {
			amtFulfilled += outpoint.amount
		}
		if outputStatus.status == statusSuccess && amtFulfilled != origRequest.Amount {
			msg := fmt.Sprintf("%s was not completely fulfilled; only %v fulfilled",
				origRequest, amtFulfilled)
			return newError(ErrWithdrawalProcessing, msg, nil)
		}
	}

	w.transactions = append(w.transactions, tx)
	w.current = newWithdrawalTx()
	return nil
}

// maybeDropRequests will check the total amount we have in eligible inputs and drop
// requested outputs (in descending amount order) if we don't have enough to
// fulfill them all. For every dropped output request we update its entry in
// w.status.outputs with the status string set to statusPartial.
//
// Only the raw input and output sums are compared here; network fees are not
// part of the check, so fulfillNextRequest may still have to split the last
// output once fees are taken into account. Sorting happens in place on
// w.pendingRequests.
func (w *withdrawal) maybeDropRequests() {
	inputAmount := btcutil.Amount(0)
	for _, input := range w.eligibleInputs {
		inputAmount += input.Amount()
	}
	outputAmount := btcutil.Amount(0)
	for _, request := range w.pendingRequests {
		outputAmount += request.Amount
	}
	// Largest requests first, so the biggest ones are dropped first.
	sort.Sort(sort.Reverse(byAmount(w.pendingRequests)))
	for inputAmount < outputAmount {
		request := w.popRequest()
		log.Infof("Not fulfilling request to send %v to %v; not enough credits.",
			request.Amount, request.Address)
		outputAmount -= request.Amount
		w.status.outputs[request.outBailmentID()].status = statusPartial
	}
}

// fulfillRequests drives the whole construction: it drops unaffordable
// requests, orders the rest deterministically, builds transactions one request
// at a time, finalizes the last one and then fills w.status (per-output
// status, total fees and the unsigned transactions keyed by ntxid).
func (w *withdrawal) fulfillRequests() error {
	w.maybeDropRequests()
	if len(w.pendingRequests) == 0 {
		return nil
	}

	// Sort outputs by outBailmentID (hash(server ID, tx #)). This fixes the
	// processing order regardless of how the requests were supplied, which is
	// what makes the generated transactions (and their ntxids) deterministic.
	sort.Sort(byOutBailmentID(w.pendingRequests))

	for len(w.pendingRequests) > 0 {
		if err := w.fulfillNextRequest(); err != nil {
			return err
		}
		tx := w.current
		if len(w.eligibleInputs) == 0 && tx.inputTotal() <= tx.outputTotal()+calculateTxFee(tx) {
			// We don't have more eligible inputs and all the inputs in the
			// current tx have been spent.
			break
		}
	}

	if err := w.finalizeCurrentTx(); err != nil {
		return err
	}

	// TODO: Update w.status.nextInputAddr. Not yet implemented as in some
	// conditions we need to know about un-thawed series.

	w.status.transactions = make(map[Ntxid]changeAwareTx, len(w.transactions))
	for _, tx := range w.transactions {
		w.status.updateStatusFor(tx)
		w.status.fees += tx.fee
		msgtx := tx.toMsgTx()
		changeIdx := -1
		if tx.hasChange() {
			// When withdrawalTx has a change, we know it will be the last entry
			// in the generated MsgTx.
			changeIdx = len(msgtx.TxOut) - 1
		}
		w.status.transactions[tx.ntxid()] = changeAwareTx{
			MsgTx:     msgtx,
			changeIdx: int32(changeIdx),
		}
	}

	return nil
}

// splitLastOutput shrinks the last output of the current tx to whatever the
// inputs can still pay after all other outputs and the fee, and pushes a new
// request for the remaining amount onto the pending stack. The request's
// status is marked statusPartial. Requires the current tx to have at least one
// output.
func (w *withdrawal) splitLastOutput() error {
	if len(w.current.outputs) == 0 {
		return newError(ErrPreconditionNotMet,
			"splitLastOutput requires current tx to have at least 1 output", nil)
	}

	tx := w.current
	output := tx.outputs[len(tx.outputs)-1]
	log.Debugf("Splitting tx output for %s", output.request)
	origAmount := output.amount
	spentAmount := tx.outputTotal() + calculateTxFee(tx) - output.amount
	// This is how much we have left after satisfying all outputs except the last
	// one. IOW, all we have left for the last output, so we set that as the
	// amount of the tx's last output.
	unspentAmount := tx.inputTotal() - spentAmount
	output.amount = unspentAmount
	log.Debugf("Updated output amount to %v", output.amount)

	// Create a new OutputRequest with the amount being the difference between
	// the original amount and what was left in the tx output above. cachedHash
	// is left unset; the hash depends only on Server and Transaction, which are
	// copied, so the new request sorts identically to the original.
	request := output.request
	newRequest := OutputRequest{
		Server:      request.Server,
		Transaction: request.Transaction,
		Address:     request.Address,
		PkScript:    request.PkScript,
		Amount:      origAmount - output.amount}
	w.pushRequest(newRequest)
	log.Debugf("Created a new pending output request with amount %v", newRequest.Amount)

	w.status.outputs[request.outBailmentID()].status = statusPartial
	return nil
}

// updateStatusFor marks every output fulfilled by more than one outpoint as
// statusSplit. The tx argument is currently unused: the loop walks all of
// s.outputs, and a statusPartial entry with several outpoints is overwritten
// with statusSplit as well.
func (s *WithdrawalStatus) updateStatusFor(tx *withdrawalTx) {
	for _, output := range s.outputs {
		if len(output.outpoints) > 1 {
			output.status = statusSplit
		}
		// TODO: Update outputs with status=='partial-'. For this we need an API
		// that gives us the amount of credits in a given series.
		// http://opentransactions.org/wiki/index.php/Update_Status
	}
}

// getRawSigs iterates over the inputs of each transaction given, constructing the
// raw signatures for them using the private keys available to us.
// It returns a map of ntxids to signature lists.
// For every input, the returned signature list has one entry per public key of
// the input's series, in redeem-script order; the entry is an empty RawSig
// when this wallet does not hold the matching private key. Signatures are made
// over the unsigned MsgTx with SigHashAll.
func getRawSigs(transactions []*withdrawalTx) (map[Ntxid]TxSigs, error) {
	sigs := make(map[Ntxid]TxSigs)
	for _, tx := range transactions {
		txSigs := make(TxSigs, len(tx.inputs))
		msgtx := tx.toMsgTx()
		ntxid := tx.ntxid()
		for inputIdx, input := range tx.inputs {
			creditAddr := input.Address()
			redeemScript := creditAddr.redeemScript()
			series := creditAddr.series()
			// The order of the raw signatures in the signature script must match the
			// order of the public keys in the redeem script, so we sort the public keys
			// here using the same API used to sort them in the redeem script and use
			// series.getPrivKeyFor() to lookup the corresponding private keys.
			pubKeys, err := branchOrder(series.publicKeys, creditAddr.Branch())
			if err != nil {
				return nil, err
			}
			txInSigs := make([]RawSig, len(pubKeys))
			for i, pubKey := range pubKeys {
				var sig RawSig
				privKey, err := series.getPrivKeyFor(pubKey)
				if err != nil {
					return nil, err
				}
				if privKey != nil {
					// Derive the child key at the address index so the signature
					// matches the pubkey actually present in the redeem script.
					childKey, err := privKey.Child(uint32(creditAddr.Index()))
					if err != nil {
						return nil, newError(ErrKeyChain, "failed to derive private key", err)
					}
					ecPrivKey, err := childKey.ECPrivKey()
					if err != nil {
						return nil, newError(ErrKeyChain, "failed to obtain ECPrivKey", err)
					}
					log.Debugf("Generating raw sig for input %d of tx %s with privkey of %s",
						inputIdx, ntxid, pubKey.String())
					sig, err = txscript.RawTxInSignature(
						msgtx, inputIdx, redeemScript, txscript.SigHashAll, ecPrivKey)
					if err != nil {
						return nil, newError(ErrRawSigning, "failed to generate raw signature", err)
					}
				} else {
					// NOTE(review): err is nil on this branch (a non-nil error
					// returned above), so the %v below always prints <nil>.
					log.Debugf("Not generating raw sig for input %d of %s because private key "+
						"for %s is not available: %v", inputIdx, ntxid, pubKey.String(), err)
					sig = []byte{}
				}
				txInSigs[i] = sig
			}
			txSigs[inputIdx] = txInSigs
		}
		sigs[ntxid] = txSigs
	}
	return sigs, nil
}

// SignTx signs every input of the given MsgTx by looking up (on the addr
// manager) the redeem script for each of them and constructing the signature
// script using that and the given raw signatures.
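// This function must be called with the manager unlocked.
//
// The credits spent by msgtx are looked up in store; a lookup failure is
// returned as an error rather than being treated as "nothing to sign", and a
// sigs list with fewer entries than there are inputs is rejected up front so a
// malformed TxSigs produces an error instead of an index panic. Each input is
// signed and its signature script executed by signMultiSigUTXO, so a wrong or
// missing signature is reported here rather than at broadcast time.
func SignTx(msgtx *wire.MsgTx, sigs TxSigs, mgr *waddrmgr.Manager, store *txstore.Store) error {
	credits, err := store.FindPreviousCredits(btcutil.NewTx(msgtx))
	if err != nil {
		return newError(ErrTxSigning, "failed to find previous credits for tx inputs", err)
	}
	if len(sigs) < len(credits) {
		errStr := fmt.Sprintf("not enough signature lists; need %d but got only %d",
			len(credits), len(sigs))
		return newError(ErrTxSigning, errStr, nil)
	}
	for i, credit := range credits {
		if err = signMultiSigUTXO(mgr, msgtx, i, credit.TxOut().PkScript, sigs[i]); err != nil {
			return err
		}
	}
	return nil
}

// getRedeemScript returns the redeem script for the given P2SH address. It must
// be called with the manager unlocked. An address the manager does not know as
// a script address yields an error instead of a failed type assertion.
func getRedeemScript(mgr *waddrmgr.Manager, addr *btcutil.AddressScriptHash) ([]byte, error) {
	address, err := mgr.Address(addr)
	if err != nil {
		return nil, err
	}
	scriptAddr, ok := address.(waddrmgr.ManagedScriptAddress)
	if !ok {
		return nil, newError(ErrTxSigning,
			fmt.Sprintf("managed address for %v is not a script address", addr), nil)
	}
	return scriptAddr.Script()
}

// signMultiSigUTXO signs the P2SH UTXO with the given index by constructing a
// script containing all given signatures plus the redeem (multi-sig) script. The
// redeem script is obtained by looking up the address of the given P2SH pkScript
// on the address manager.
// The order of the signatures must match that of the public keys in the multi-sig
// script as OP_CHECKMULTISIG expects that.
// This function must be called with the manager unlocked.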
// Only the first nRequired entries of sigs are used; since getRawSigs leaves an
// empty RawSig for every key this wallet cannot sign with, an empty entry among
// those first nRequired makes the script fail, which validateSigScript reports
// as an error. The input's SignatureScript is overwritten before validation.
func signMultiSigUTXO(mgr *waddrmgr.Manager, tx *wire.MsgTx, idx int, pkScript []byte, sigs []RawSig) error {
	class, addresses, _, err := txscript.ExtractPkScriptAddrs(pkScript, mgr.ChainParams())
	if err != nil {
		return newError(ErrTxSigning, "unparseable pkScript", err)
	}
	if class != txscript.ScriptHashTy {
		return newError(ErrTxSigning, fmt.Sprintf("pkScript is not P2SH: %s", class), nil)
	}
	// For a P2SH pkScript a single script-hash address is expected here.
	redeemScript, err := getRedeemScript(mgr, addresses[0].(*btcutil.AddressScriptHash))
	if err != nil {
		return newError(ErrTxSigning, "unable to retrieve redeem script", err)
	}

	// The redeem script itself must be a bare multi-sig script; nRequired is
	// the M of its M-of-N.
	class, _, nRequired, err := txscript.ExtractPkScriptAddrs(redeemScript, mgr.ChainParams())
	if err != nil {
		return newError(ErrTxSigning, "unparseable redeem script", err)
	}
	if class != txscript.MultiSigTy {
		return newError(ErrTxSigning, fmt.Sprintf("redeem script is not multi-sig: %v", class), nil)
	}
	if len(sigs) < nRequired {
		errStr := fmt.Sprintf("not enough signatures; need %d but got only %d",
			nRequired, len(sigs))
		return newError(ErrTxSigning, errStr, nil)
	}

	// Construct the unlocking script.
	// Start with an OP_0 because of the bug in bitcoind, then add nRequired signatures.
	unlockingScript := txscript.NewScriptBuilder().AddOp(txscript.OP_FALSE)
	for _, sig := range sigs[:nRequired] {
		unlockingScript.AddData(sig)
	}

	// Combine the redeem script and the unlocking script to get the actual signature script.
	sigScript := unlockingScript.AddData(redeemScript)
	script, err := sigScript.Script()
	if err != nil {
		return newError(ErrTxSigning, "error building sigscript", err)
	}
	tx.TxIn[idx].SignatureScript = script

	// Execute the freshly built script against pkScript so a bad signature is
	// caught here rather than by the network.
	if err := validateSigScript(tx, idx, pkScript); err != nil {
		return err
	}
	return nil
}

// validateSigScript executes the signature script of the tx input with the
// given index, returning an error if it fails.
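// The input's current SignatureScript is run against pkScript with the standard
// verification flags; any engine construction or execution failure is wrapped
// as ErrTxSigning. idx must be a valid index into msgtx.TxIn.
func validateSigScript(msgtx *wire.MsgTx, idx int, pkScript []byte) error {
	txIn := msgtx.TxIn[idx]
	engine, err := txscript.NewScript(
		txIn.SignatureScript, pkScript, idx, msgtx, txscript.StandardVerifyFlags)
	if err != nil {
		return newError(ErrTxSigning, "cannot create script engine", err)
	}
	if err = engine.Execute(); err != nil {
		return newError(ErrTxSigning, "cannot validate tx signature", err)
	}
	return nil
}

// calculateTxFee calculates the expected network fees for a given tx. We use
// a variable instead of a function so that it can be replaced in tests.
//
// The fee is (1 + size/1000) feeIncrements using integer division: an
// estimated 999-byte tx pays one increment, a 1000-byte tx pays two.
var calculateTxFee = func(tx *withdrawalTx) btcutil.Amount {
	return btcutil.Amount(1+calculateTxSize(tx)/1000) * feeIncrement
}

// isTxTooBig returns true if the size (in bytes) of the given tx is greater
// than or equal to txMaxSize. It is defined as a variable so it can be
// replaced for testing purposes.
var isTxTooBig = func(tx *withdrawalTx) bool {
	// In bitcoind a tx is considered standard only if smaller than
	// MAX_STANDARD_TX_SIZE; that's why we consider anything >= txMaxSize to
	// be too big.
	return calculateTxSize(tx) >= txMaxSize
}

// calculateTxSize returns an estimate of the serialized size (in bytes) of the
// given transaction. It assumes all tx inputs are P2SH multi-sig. We use a
// variable instead of a function so that it can be replaced in tests.
//
// The estimate always includes a change output and a worst-case signature
// script for every input, so it is an upper bound for the signed tx. The tx
// must have at least one output (msgtx.TxOut[0] is used as the change stand-in).
var calculateTxSize = func(tx *withdrawalTx) int {
	msgtx := tx.toMsgTx()
	// Assume that there will always be a change output, for simplicity. We
	// simulate that by simply copying the first output as all we care about is
	// the size of its serialized form, which should be the same for all of them
	// as they're either P2PKH or P2SH..
	if !tx.hasChange() {
		msgtx.AddTxOut(msgtx.TxOut[0])
	}
	// Craft a SignatureScript with dummy signatures for every input in this tx
	// so that we can use msgtx.SerializeSize() to get its size and don't need
	// to rely on estimations.
	for i, txin := range msgtx.TxIn {
		// 1 byte for the OP_FALSE opcode, then 73+1 bytes for each signature
		// with their OP_DATA opcode and finally the redeem script + 1 byte
		// for its OP_PUSHDATA opcode and N bytes for the redeem script's size.
		// Notice that we use 73 as the signature length as that's the maximum
		// length they may have:
		// https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm
		addr := tx.inputs[i].Address()
		redeemScriptLen := len(addr.redeemScript())
		n := wire.VarIntSerializeSize(uint64(redeemScriptLen))
		sigScriptLen := 1 + (74 * int(addr.series().reqSigs)) + redeemScriptLen + 1 + n
		txin.SignatureScript = bytes.Repeat([]byte{1}, sigScriptLen)
	}
	return msgtx.SerializeSize()
}

// nextChangeAddress returns the change address that follows a: the next index
// in the same series, or index 0 of the next series once the index would wrap
// past math.MaxUint32. On a lookup error the zero ChangeAddress is returned
// with the error, so a nil pointer from Pool.ChangeAddress is never
// dereferenced.
func nextChangeAddress(a ChangeAddress) (ChangeAddress, error) {
	index := a.index
	seriesID := a.seriesID
	if index == math.MaxUint32 {
		index = 0
		seriesID++
	} else {
		index++
	}
	addr, err := a.pool.ChangeAddress(seriesID, index)
	if err != nil {
		return ChangeAddress{}, err
	}
	return *addr, nil
}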