[Draft] BIP322 Implementation

[rajarshimaitra]

Ref #159

This is a draft implementation of the BIP322 generic message signer using Bitcoin scripts.

There are a lot of rough edges to iron out. Looking for generic approach comments. The approach might be completely wrong, as it only reflects my own understanding after reading the BIP.

So far the signer can only validate message and message_challenge given the signature (of type Legacy/Simple/Full).

A simple test case for these three types of signature validation included.

Looking for comments to figure out the rest of the required details.

[sanket1729]

Did not review the test. I think we should first focus on the BIP322Validtor struct which should only have msg, sig, and scriipt_pubkey.

Then, we can use the interpreter to automatically infer the descriptor. Look at from_txdata function.

The last step is correct where we interpret the descriptor.

Let us try to fix the above in this iteration.

Next, we can focus on extending to height and age and using satisfy API for signing logic.

[sanket1729]

We cannot use crate:: because that will cause rustc 1.29 to fail.

[rajarshimaitra]

Using super:: instead.

[sanket1729]

I think we should use const instead of static.

[sanket1729]

It would be great if we have a test similar to https://github.com/rust-bitcoin/rust-bitcoin/pull/259/files to verify the value is computed correctly

[rajarshimaitra]

Done..

[sanket1729]

A more expressive doc comment

[rajarshimaitra]

Done..

[sanket1729]

Would be great to derive all possible things that we can derive.

[rajarshimaitra]

There's not much to drive here as InterpreterError only derives debug.

rust-miniscript/src/interpreter/error.rs

Lines 20 to 21 in 86a63d8

	#[derive(Debug)]
	pub enum Error {

[sanket1729]

I think we should consume the message instead of the new allocation.

[rajarshimaitra]

Done..

[sanket1729]

I don't like that the addr variable for the descriptor. See detailed comment later for the suggestion of BIP322Validator struct

[rajarshimaitra]

renaming addr to mesage_challenge.

Message challenge can be two things. Either descriptor or a Script structure. Throughout the logic currently, we are simply using descriptor.script_pubkey() to derive the message challenge script. We can as well use a script_pubkey directly here as no descriptor specific functionality is used anywhere. But I think it's better to keep the descriptor here to make the API easier for complex challenge scripts. Otherwise, lib users need to construct the script. Also, we can use the descriptor in the future if such functionality is required.

Will update if that's not acceptable for other reasons.

[sanket1729]

I have made a comment to BIP322 to make this always 2 and it was positively received. I think we should keep it always 2.

[rajarshimaitra]

Done..

[sanket1729]

This should take a satisfier as an argument and should call satisfy to fill the witness and script sig.

[sanket1729]

This should also take in the age and height as arguments instead of hard coded zeeros

[rajarshimaitra]

Changing to_sign to empty_to_sign.

The purpose of this function is to create an empty to_sign transaction template, which then can be filled with the correct signature depending upon the BIP322Signature types. Which is currently happening inside the validate() function here.

rust-miniscript/src/bip322.rs

Lines 180 to 211 in c740598

	Bip322Signature::Full(to_sign) => self.tx_validation(to_sign),
	// If Simple Signature is provided, the resulting `to_sign` Tx will be computed
	Bip322Signature::Simple(witness) => {
	// create empty to_sign transaction
	let mut to_sign = self.to_sign();
	to_sign.input[0].witness = witness.to_owned();
	self.tx_validation(&to_sign)
	}
	// Legacy Signature can only be used to validate against P2PKH message_challenge
	Bip322Signature::Legacy(sig, pubkey) => {
	if !self.message_challenge.script_pubkey().is_p2pkh() {
	return Err(BIP322Error::InternalError("Legacy style signature is only applicable for P2PKH message_challenge".to_string()));
	} else {
	let mut sig_ser = sig.serialize_der()[..].to_vec();
	// By default SigHashType is ALL
	sig_ser.push(SigHashType::All as u8);
	let script_sig = Builder::new()
	.push_slice(&sig_ser[..])
	.push_key(&pubkey)
	.into_script();
	let mut to_sign = self.to_sign();
	to_sign.input[0].script_sig = script_sig;
	self.tx_validation(&to_sign)

Here we are mutating the empty to_sign transaction with corresponding signatures. Which can be done with a satisfier too. But because a Bip322Signature::Full type signature will contain the entire to_sign transaction itself (which I think will be most of the cases, the other two cases are rather simplistic and more specific so can be hardcoded easily), using a separate satisfier to create the same to_sign feels like more roundabout than necessary.

Bip322Signer probably needs to use a satisfier in some way, but we can flesh that detail out later.

For age and height, I think it's better to provide these values in the validator structure itself. Though I am not sure if I have applied these values correctly in the empty_to_spend creation, please check.

[sanket1729]

We should reproduce the errors states from the BIP. This should return Result<(T, S), BIP322Error> where BIP322Error should either be Inconclusive(..) or Invalid(..)

[rajarshimaitra]

Is it possible to somehow derive these error types from the IterpreterErrors?

Also if I understand it right, neither to_spend nor to_sign transactions are supposed to be mined. They are not validated against the chain. So what the purpose of T and S here and how the validator is supposed to validate Time and Age of an unmined transaction? Also, what does it mean to have a signature against a message only valid "after x time"? These are not transactions, but simple generic messages.

[rajarshimaitra]

Updated with changes. This is ready for the next review.