Don't allow uncompressed pks in witness addresses

[stevenroose]

Solves #427.

[codecov-commenter]

Codecov Report

Merging #428 into master will increase coverage by 0.54%.
The diff coverage is 63.15%.

@@            Coverage Diff             @@
##           master     #428      +/-   ##
==========================================
+ Coverage   85.64%   86.19%   +0.54%     
==========================================
  Files          39       39              
  Lines        7446     7402      -44     
==========================================
+ Hits         6377     6380       +3     
+ Misses       1069     1022      -47     

Impacted Files	Coverage Δ
src/util/address.rs	85.37% <63.15%> (-0.15%)	⬇️
src/util/mod.rs	0.00% <0.00%> (ø)
src/network/mod.rs	0.00% <0.00%> (ø)
src/util/psbt/error.rs	0.00% <0.00%> (ø)
src/consensus/encode.rs	89.21% <0.00%> (ø)
src/blockdata/script.rs	78.88% <0.00%> (+0.14%)	⬆️
src/util/amount.rs	90.76% <0.00%> (+0.35%)	⬆️
src/blockdata/transaction.rs	94.74% <0.00%> (+0.75%)	⬆️
src/util/bip158.rs	93.78% <0.00%> (+0.78%)	⬆️
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 31a5760...ed9bf41. Read the comment docs.

[sgeisler]

Looks good. Kinda annoying to have to return a Result, but it's probably not worth the hassle to re-engineer the whole key API again 😅.

[stevenroose]

Updated, fixed the typo and put the format and typo change in a separate commit.

[junderw]

LGTM

What about p2wsh?

We decided to parse the witnessScript and run a quick check to see if any chunks are 65 bytes starting with a 0x04, and if there are any we check if it is a valid secp256k1 point. Then error if it is a valid point.

There is probably near 0% chance of some useful data being 65 bytes and starting with 0x04, so maybe even checking for a valid key is overkill.

Thoughts?

[stevenroose]

What about p2wsh?

Hmm, I'm a bit reluctant to parse scripts, to be honest. Perhaps this can be considered in a separate PR? I think this PRs change is quite straightforward, so I'd prefer to just merge it. If we want to do something for p2wsh, I think it might benefit from a discussion on IRC or so.

[junderw]

sounds fair enough.

Related: blockdata::Script.to_v0_p2wsh method should also check before hashing.

[yancyribbens]

I agree with @sgeisler that it's unfortunate to need to return a Result. It would be better if the type system didn't allow a uncompressed key to be passed to p2wpkh() imo. That would also avoid needing to check explicitly for !pk.compressed.

[sgeisler]

@yancyribbens it's a tricky trade-off. We could have a PrivateKey trait with the implementations CompressedPK and MaybeCompressedPK and implement everything generically around the trait. But the added complexity might not be worth it. And it would be a separate PR anyway imo. So I'd like to see this one merged first and then maybe explore ways to fix the underlying problem.

[yancyribbens]

@sgeisler I agree that the current PR solves the issue. It would be nice to see either using trait bounds or possibly wrapping in a enum? Either way, I agree it's probably a fair amount of work that might not be worth doing for this PR but possibly could be a followup PR.

[apoelstra]

Yeah, I think this approach is fine.

We'll need to revisit compressedness in a bit anyway when we have Taproot keys, and we can consider API changes then.