finalizer: BIP174 compliance + sighash/signature-size validation#79
finalizer: BIP174 compliance + sighash/signature-size validation#79evanlinjin wants to merge 4 commits into
Conversation
**BIP174:** All other data except the UTXO and unknown fields (including PSBT_IN_PROPRIETARY fields the Input Finalizer does not understand) in the input key-value map should be cleared from the PSBT.
Finalization can now fail for reasons miniscript does not model, so `finalize_input` and `FinalizeMap` return a dedicated `FinalizeError` instead of `miniscript::Error`. The finalizer now rejects an input when: - a signature's sighash type disagrees with the declared `PSBT_IN_SIGHASH_TYPE` (mandated by BIP174); - no type is declared yet a signature is neither DEFAULT nor ALL; - a satisfied schnorr witness is larger than the plan committed to (e.g. a 65-byte SIGHASH_ALL sig where 64-byte DEFAULT was planned), which would make the transaction undershoot its target feerate and risk being unbroadcastable. BREAKING CHANGE: `Finalizer::finalize_input`, `FinalizeMap`, and `FinalizeMap::results` now use `FinalizeError` in place of `miniscript::Error`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add tests for the two sighash checks `finalize_input` now performs: `SighashMismatch` (declared PSBT_IN_SIGHASH_TYPE disagrees with the signature) and `SighashNotAllowed` (no type declared, signature is neither DEFAULT nor ALL). `SignatureTooLarge` is left uncovered: it is only reachable in release builds, since in debug miniscript's `satisfy_self` panics on a `debug_assert!` of the signature size before the check is reached. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| let mut psbt_in_sighashes = { | ||
| let partial_sigs = psbt_in.partial_sigs.values().map(|s| s.sighash_type as u32); | ||
| let tap_key_sig = psbt_in.tap_key_sig.iter().map(|s| s.sighash_type as u32); | ||
| let tap_script_sigs = psbt_in | ||
| .tap_script_sigs | ||
| .values() | ||
| .map(|s| s.sighash_type as u32); | ||
| partial_sigs.chain(tap_key_sig).chain(tap_script_sigs) | ||
| }; |
There was a problem hiding this comment.
Why would an input have partial_sigs and tap_script_sigs? Shouldn't that be an error? I think we should check the sighashes in an "ad hoc" fasihon, for each kind of signature, and avoid reducing them to the same thing.
There was a problem hiding this comment.
I don't think the finalizer should reject every invalid state a PSBT can represent. It's job is to produce a correct final witness.
I think we should check the sighashes in an "ad hoc" fasihon, for each kind of signature, and avoid reducing them to the same thing.
A per-kind check would literally do the exact same thing though.
| } | ||
| if !stack.is_empty() { | ||
| psbt_input.final_script_witness = Some(Witness::from_slice(&stack)); | ||
| } else if let Some(sighash_mismatch) = psbt_in_sighashes.find(|&t| t > 0x01 /*ALL*/) { |
There was a problem hiding this comment.
There is a PsbtSighashFlag::ALL for 0x01.
There was a problem hiding this comment.
That type doesn't exist in the version of bitcoin/miniscript we are using here.
| if let Placeholder::SchnorrSigPk(_, _, size) | ||
| | Placeholder::SchnorrSigPkHash(_, _, size) = temp | ||
| { | ||
| // Only a witness *larger* than the plan is dangerous. |
There was a problem hiding this comment.
How should a recovery mechanism look like in the case we want to save the extra sats? Should we return an enum here with "Finalized, NotFinalized, Overshoot" or something similar? Should we compare the target fee rate and inner fee rate at the end of the tx creation process and rewind if they don't match?
There was a problem hiding this comment.
Interesting question. I think we should reserve this PR purely for safety. Everything else can be tackled in separate PRs. Could you create a ticket? Thanks!
evanlinjin
force-pushed
the
fix/input-signer-preserve-unknown-fields
branch
from
d7f6d63 to
7129486
Compare
2 participants
Description
Hardens
Finalizerto follow BIP174 more closely and refuse to emit a transaction that would be malformed or unsafe to broadcast. The finalizer now validates signatures before assembling the final witness/scriptSig, and reports failures through a dedicatedFinalizeErrorinstead of leakingminiscript::Error.More context here: #74 (comment)
What changed:
unknownandproprietary.SighashMismatch— a signature's sighash type disagrees with the input's declaredPSBT_IN_SIGHASH_TYPE. Mandated by BIP174.SighashNotAllowed— noPSBT_IN_SIGHASH_TYPEis declared, yet a signature uses neitherDEFAULTnorALL. Stricter-than-spec safeguard against silently changing signing semantics.SignatureTooLarge— a satisfied schnorr witness is larger than the size the spendingPlancommitted to (e.g. a 65-byteSIGHASH_ALLsig where 64-byteSIGHASH_DEFAULTwas planned). Because the plan's weight/feerate estimate derives from the committed size, a heavier witness makes the tx undershoot its target feerate and risk being unbroadcastable. Only the larger direction is rejected; a smaller witness merely overpays and is allowed.FinalizeError—finalize_input/FinalizeMapnow returnFinalizeError, modelling the failures above plusSatisfaction(miniscript::Error).Notes to the reviewers
SignatureTooLargeis intentionally not unit-tested: it is only reachable in release builds. In debug, miniscript'ssatisfy_selfhits adebug_assert!on the signature size and panics before our check runs - an upstream bug.Out of scope, for follow-up:
TODOin code). An upstream change could give ECDSA placeholders a committed size to capture low-R grinding fee savings safely.debug_assert→ recoverable-error fix.Changelog notice
Before submitting