BIP-322 basic support

[kallewoof]

This PR enables support for BIP-322, the sign/verify message upgrade.

Fixes #10542.

This PR is greatly simplified and is supposed to have one or more follow-up PRs to complete functionality.

In this PR:

• signing using single key (any type)
• verifying any signed message (auto-detects BIP-322 vs legacy)

Missing features/limitations:

• proof of funds (i.e. additional inputs) support
• multisig or other custom address type support (I need feedback on how to do this; I assume some psbt thing would be good?)
• (RPC) format is restricted to SIMPLE mode now; it may eventually be LEGACY, SIMPLE, or FULL. (In some cases, it will use FULL format but this is not selectable yet.)
• timelock support

[ghost]

Concept ACK

This should fix #10542

[Sjors]

@kallewoof do you know if any other wallet implemented BIP-322 yet, so we can compare the implementation?

This is really a good time to add test vectors to the BIP (and this PR).

[Sjors]

Although SIGHASH_DEFAULT implies SIGHASH_ALL, AFAIK using SIGHASH_ALL is still possible for users who wish to waste 1 byte. So I think you need m_require_sighash_all && nHashType != SIGHASH_ALL here too.

[kallewoof]

Isn't that a malleability? Anyway, gotcha.

[Sjors]

This message implies the user can do something about it. Suggest instead: "BIP-322 Proof of Funds is not supported"

[kallewoof]

Sounds good. The intention is to actually add this functionality, but I think it should be its own PR.

[Sjors]

Why not just throw in these other cases?

[kallewoof]

Because these aren't errors? But yeah, that would be one way to return a message. I think I'd prefer to expand the returned value from simple bool to true|false|"inconclusive", but not sure that would be appreciated.

[Sjors]

Some RPCs return false as the result and an error message field. Others just throw with an error code and message. It's an error in the vague sense that the RPC failed to verify what it was asked to verify.

[kallewoof]

OK, but what about "OK_TIMELOCKED"?

[Sjors]

I'm unsure, but perhaps we should make a fresh enum BIP322VerificationResult?

[kallewoof]

Oftentimes you won't know which type it is until you finish verifying, so unifying the two types seems sensible to me.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	theStack
Concept ACK	ghost

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #26008 (wallet: cache IsMine scriptPubKeys to improve performance of descriptor wallets by achow101)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[benthecarman]

@kallewoof do you know if any other wallet implemented BIP-322 yet, so we can compare the implementation?

This is really a good time to add test vectors to the BIP (and this PR).

I have an implementation here: bitcoin-s/bitcoin-s#3823

[kallewoof]

I will make test vectors very soon. Let's compare notes at that point @benthecarman.

[benthecarman]

I will make test vectors very soon. Let's compare notes at that point @benthecarman.

Sounds good, I made some in pr if you want to try those

[kallewoof]

Yep. I will try them, once I make my own. I don't want to adjust the code to fit your test vectors, I'd rather both implementations independently passing both sets.

[luke-jr]

Would like to see BIP 322 address the distinction between the current "signer receives fund with the address" and the long-desired "signer sent a prior transaction" even if not supported by this PR.

[kallewoof]

@luke-jr I'm not sure if you're suggesting a BIP change or a code feature. If the latter, I think the ideal path forward is for you to open a pull request follow-up to this one (maybe post-merge) to do what you are requesting. If former, open a PR to the BIP?

[theStack]

Strong Concept ACK

Thanks for working on this!

[kallewoof]

There is now a WIP with test vectors in bitcoin/bips#1279 which needs to be filled in (possibly with @benthecarman's cases).

[theStack]

PR description nit:

(RPC) format is restricted to SINGLE mode now; it may eventually be LEGACY, SINGLE, OR FULL

This should likely be SIMPLE rather than SINGLE?

[theStack]

Note that HASHER_BIP322 and some other identifiers are not available yet at this commit, i.e. compiling b23186d currently fails:

...
  CXX      wallet/libbitcoin_wallet_tool_a-wallettool.o
util/message.cpp:105:41: error: use of undeclared identifier 'HASHER_BIP322'
    uint256 message_hash = (CHashWriter(HASHER_BIP322) << message).GetSHA256();
                                        ^
util/message.cpp:116:22: error: use of undeclared identifier 'DecodeTx'
    if (signature && DecodeTx(to_sign, *signature, /* try_no_witness */ true, /* try_witness */ true)) {
                     ^
util/message.cpp:120:49: error: no member named 'ERR_POF' in 'MessageVerificationResult'
            result = MessageVerificationResult::ERR_POF;
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~^
util/message.cpp:128:49: error: no member named 'ERR_INVALID' in 'MessageVerificationResult'
            result = MessageVerificationResult::ERR_INVALID;
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~^
util/message.cpp:141:57: error: no member named 'ERR_INVALID' in 'MessageVerificationResult'
            result = MessageVerificationResult::ERR_INVALID;
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~^
5 errors generated.
...

[kyranjamie]

I get this value in my implementation, yet it is not reflected in the BIP

[benma]

@kallewoof could you leave a comment explaining why you closed this PR? It is not apparent from looking at the history of this PR what the state is of BIP-322 support in Bitcoin Core.