2023-01-23 10:31:54 -08:00
|
|
|
// Copyright (c) 2018-2023 The Zcash developers
|
2018-07-17 09:36:38 -07:00
|
|
|
// Distributed under the MIT software license, see the accompanying
|
2019-07-18 07:16:09 -07:00
|
|
|
// file COPYING or https://www.opensource.org/licenses/mit-license.php .
|
2018-07-17 09:36:38 -07:00
|
|
|
|
|
|
|
|
#include "transaction_builder.h"
|
|
|
|
|
|
|
|
|
|
#include "main.h"
|
2020-07-07 18:23:03 -07:00
|
|
|
#include "proof_verifier.h"
|
2018-07-30 03:03:29 -07:00
|
|
|
#include "pubkey.h"
|
2018-10-30 13:12:40 -07:00
|
|
|
#include "rpc/protocol.h"
|
2018-07-30 03:03:29 -07:00
|
|
|
#include "script/sign.h"
|
2018-10-22 15:51:11 -07:00
|
|
|
#include "util/moneystr.h"
|
2020-06-18 20:10:19 -07:00
|
|
|
#include "zcash/Note.hpp"
|
2018-07-17 09:36:38 -07:00
|
|
|
|
|
|
|
|
#include <librustzcash.h>
|
2020-07-31 07:15:04 -07:00
|
|
|
#include <rust/ed25519.h>
|
2018-07-17 09:36:38 -07:00
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
uint256 ProduceZip244SignatureHash(
|
|
|
|
|
const CTransaction& tx,
|
2022-03-22 20:19:39 -07:00
|
|
|
const std::vector<CTxOut>& allPrevOutputs,
|
2022-02-11 15:41:35 -08:00
|
|
|
const orchard::UnauthorizedBundle& orchardBundle)
|
|
|
|
|
{
|
|
|
|
|
uint256 dataToBeSigned;
|
2022-03-22 20:19:39 -07:00
|
|
|
PrecomputedTransactionData local(tx, allPrevOutputs);
|
2022-02-11 15:41:35 -08:00
|
|
|
if (!zcash_builder_zip244_shielded_signature_digest(
|
|
|
|
|
local.preTx.release(),
|
|
|
|
|
orchardBundle.inner.get(),
|
|
|
|
|
dataToBeSigned.begin()))
|
|
|
|
|
{
|
|
|
|
|
throw std::logic_error("ZIP 225 signature hash failed");
|
|
|
|
|
}
|
|
|
|
|
return dataToBeSigned;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
namespace orchard {
|
|
|
|
|
|
|
|
|
|
Builder::Builder(
|
|
|
|
|
bool spendsEnabled,
|
|
|
|
|
bool outputsEnabled,
|
|
|
|
|
uint256 anchor) : inner(nullptr, orchard_builder_free)
|
|
|
|
|
{
|
2022-02-23 09:20:11 -08:00
|
|
|
inner.reset(orchard_builder_new(spendsEnabled, outputsEnabled, anchor.IsNull() ? nullptr : anchor.begin()));
|
2022-02-11 15:41:35 -08:00
|
|
|
}
|
|
|
|
|
|
2022-03-08 11:19:04 -08:00
|
|
|
bool Builder::AddSpend(orchard::SpendInfo spendInfo)
|
|
|
|
|
{
|
|
|
|
|
if (!inner) {
|
|
|
|
|
throw std::logic_error("orchard::Builder has already been used");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (orchard_builder_add_spend(
|
|
|
|
|
inner.get(),
|
|
|
|
|
spendInfo.inner.release()))
|
|
|
|
|
{
|
|
|
|
|
hasActions = true;
|
|
|
|
|
return true;
|
|
|
|
|
} else {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
void Builder::AddOutput(
|
|
|
|
|
const std::optional<uint256>& ovk,
|
|
|
|
|
const libzcash::OrchardRawAddress& to,
|
|
|
|
|
CAmount value,
|
2022-02-16 05:21:47 -08:00
|
|
|
const std::optional<std::array<unsigned char, ZC_MEMO_SIZE>>& memo)
|
2022-02-11 15:41:35 -08:00
|
|
|
{
|
|
|
|
|
if (!inner) {
|
|
|
|
|
throw std::logic_error("orchard::Builder has already been used");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
orchard_builder_add_recipient(
|
|
|
|
|
inner.get(),
|
|
|
|
|
ovk.has_value() ? ovk->begin() : nullptr,
|
|
|
|
|
to.inner.get(),
|
|
|
|
|
value,
|
2022-02-16 05:21:47 -08:00
|
|
|
memo.has_value() ? memo->data() : nullptr);
|
2022-02-23 09:20:11 -08:00
|
|
|
|
|
|
|
|
hasActions = true;
|
2022-02-11 15:41:35 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::optional<UnauthorizedBundle> Builder::Build() {
|
|
|
|
|
if (!inner) {
|
|
|
|
|
throw std::logic_error("orchard::Builder has already been used");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auto bundle = orchard_builder_build(inner.release());
|
|
|
|
|
if (bundle == nullptr) {
|
|
|
|
|
return std::nullopt;
|
|
|
|
|
} else {
|
|
|
|
|
return UnauthorizedBundle(bundle);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::optional<OrchardBundle> UnauthorizedBundle::ProveAndSign(
|
2022-03-08 11:19:04 -08:00
|
|
|
const std::vector<libzcash::OrchardSpendingKey>& keys,
|
2022-02-11 15:41:35 -08:00
|
|
|
uint256 sighash)
|
|
|
|
|
{
|
|
|
|
|
if (!inner) {
|
|
|
|
|
throw std::logic_error("orchard::UnauthorizedBundle has already been used");
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-08 11:19:04 -08:00
|
|
|
std::vector<const OrchardSpendingKeyPtr*> pKeys;
|
|
|
|
|
for (const auto& key : keys) {
|
|
|
|
|
pKeys.push_back(key.inner.get());
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
auto authorizedBundle = orchard_unauthorized_bundle_prove_and_sign(
|
2022-03-08 11:19:04 -08:00
|
|
|
inner.release(), pKeys.data(), pKeys.size(), sighash.begin());
|
2022-02-11 15:41:35 -08:00
|
|
|
if (authorizedBundle == nullptr) {
|
|
|
|
|
return std::nullopt;
|
|
|
|
|
} else {
|
|
|
|
|
return OrchardBundle(authorizedBundle);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} // namespace orchard
|
|
|
|
|
|
2018-07-17 09:36:38 -07:00
|
|
|
SpendDescriptionInfo::SpendDescriptionInfo(
|
2018-07-30 06:26:29 -07:00
|
|
|
libzcash::SaplingExpandedSpendingKey expsk,
|
2018-07-17 09:36:38 -07:00
|
|
|
libzcash::SaplingNote note,
|
|
|
|
|
uint256 anchor,
|
2018-08-01 09:41:36 -07:00
|
|
|
SaplingWitness witness) : expsk(expsk), note(note), anchor(anchor), witness(witness)
|
2018-07-17 09:36:38 -07:00
|
|
|
{
|
|
|
|
|
librustzcash_sapling_generate_r(alpha.begin());
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
std::optional<OutputDescription> OutputDescriptionInfo::Build(rust::Box<sapling::Prover>& ctx) {
|
2019-05-17 09:39:30 -07:00
|
|
|
auto cmu = this->note.cmu();
|
|
|
|
|
if (!cmu) {
|
2020-10-20 17:44:15 -07:00
|
|
|
return std::nullopt;
|
2019-05-17 09:39:30 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
libzcash::SaplingNotePlaintext notePlaintext(this->note, this->memo);
|
|
|
|
|
|
|
|
|
|
auto res = notePlaintext.encrypt(this->note.pk_d);
|
|
|
|
|
if (!res) {
|
2020-10-20 17:44:15 -07:00
|
|
|
return std::nullopt;
|
2019-05-17 09:39:30 -07:00
|
|
|
}
|
2020-10-20 16:39:23 -07:00
|
|
|
auto enc = res.value();
|
2019-05-17 09:39:30 -07:00
|
|
|
auto encryptor = enc.second;
|
|
|
|
|
|
|
|
|
|
libzcash::SaplingPaymentAddress address(this->note.d, this->note.pk_d);
|
|
|
|
|
CDataStream ss(SER_NETWORK, PROTOCOL_VERSION);
|
|
|
|
|
ss << address;
|
2022-08-25 18:25:10 -07:00
|
|
|
std::array<unsigned char, 43> addressBytes;
|
|
|
|
|
std::move(ss.begin(), ss.end(), addressBytes.begin());
|
2019-05-17 09:39:30 -07:00
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
std::array<unsigned char, 32> cvBytes;
|
2019-05-17 09:39:30 -07:00
|
|
|
OutputDescription odesc;
|
2020-06-17 13:53:12 -07:00
|
|
|
uint256 rcm = this->note.rcm();
|
2022-08-25 18:25:10 -07:00
|
|
|
if (!ctx->create_output_proof(
|
|
|
|
|
encryptor.get_esk().GetRawBytes(),
|
|
|
|
|
addressBytes,
|
|
|
|
|
rcm.GetRawBytes(),
|
2019-05-17 09:39:30 -07:00
|
|
|
this->note.value(),
|
2022-08-25 18:25:10 -07:00
|
|
|
cvBytes,
|
|
|
|
|
odesc.zkproof)) {
|
2020-10-20 17:44:15 -07:00
|
|
|
return std::nullopt;
|
2019-05-17 09:39:30 -07:00
|
|
|
}
|
|
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
odesc.cv = uint256::FromRawBytes(cvBytes);
|
2019-05-17 09:39:30 -07:00
|
|
|
odesc.cmu = *cmu;
|
|
|
|
|
odesc.ephemeralKey = encryptor.get_epk();
|
|
|
|
|
odesc.encCiphertext = enc.first;
|
|
|
|
|
|
|
|
|
|
libzcash::SaplingOutgoingPlaintext outPlaintext(this->note.pk_d, encryptor.get_esk());
|
|
|
|
|
odesc.outCiphertext = outPlaintext.encrypt(
|
|
|
|
|
this->ovk,
|
|
|
|
|
odesc.cv,
|
|
|
|
|
odesc.cmu,
|
|
|
|
|
encryptor);
|
|
|
|
|
|
|
|
|
|
return odesc;
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-09 00:40:06 -07:00
|
|
|
JSDescription JSDescriptionInfo::BuildDeterministic(
|
|
|
|
|
bool computeProof,
|
|
|
|
|
uint256 *esk // payment disclosure
|
|
|
|
|
) {
|
|
|
|
|
JSDescription jsdesc;
|
|
|
|
|
jsdesc.vpub_old = vpub_old;
|
|
|
|
|
jsdesc.vpub_new = vpub_new;
|
|
|
|
|
jsdesc.anchor = anchor;
|
|
|
|
|
|
|
|
|
|
std::array<libzcash::SproutNote, ZC_NUM_JS_OUTPUTS> notes;
|
|
|
|
|
jsdesc.proof = ZCJoinSplit::prove(
|
|
|
|
|
inputs,
|
|
|
|
|
outputs,
|
|
|
|
|
notes,
|
|
|
|
|
jsdesc.ciphertexts,
|
|
|
|
|
jsdesc.ephemeralKey,
|
|
|
|
|
joinSplitPubKey,
|
|
|
|
|
jsdesc.randomSeed,
|
|
|
|
|
jsdesc.macs,
|
|
|
|
|
jsdesc.nullifiers,
|
|
|
|
|
jsdesc.commitments,
|
|
|
|
|
vpub_old,
|
|
|
|
|
vpub_new,
|
|
|
|
|
anchor,
|
|
|
|
|
computeProof,
|
|
|
|
|
esk // payment disclosure
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
return jsdesc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
JSDescription JSDescriptionInfo::BuildRandomized(
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_INPUTS>& inputMap,
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_OUTPUTS>& outputMap,
|
|
|
|
|
bool computeProof,
|
|
|
|
|
uint256 *esk, // payment disclosure
|
|
|
|
|
std::function<int(int)> gen
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
// Randomize the order of the inputs and outputs
|
|
|
|
|
inputMap = {0, 1};
|
|
|
|
|
outputMap = {0, 1};
|
|
|
|
|
|
|
|
|
|
assert(gen);
|
|
|
|
|
|
|
|
|
|
MappedShuffle(inputs.begin(), inputMap.begin(), ZC_NUM_JS_INPUTS, gen);
|
|
|
|
|
MappedShuffle(outputs.begin(), outputMap.begin(), ZC_NUM_JS_OUTPUTS, gen);
|
|
|
|
|
|
|
|
|
|
return BuildDeterministic(computeProof, esk);
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-30 13:12:40 -07:00
|
|
|
TransactionBuilderResult::TransactionBuilderResult(const CTransaction& tx) : maybeTx(tx) {}
|
|
|
|
|
|
|
|
|
|
TransactionBuilderResult::TransactionBuilderResult(const std::string& error) : maybeError(error) {}
|
|
|
|
|
|
2021-12-28 08:30:02 -08:00
|
|
|
bool TransactionBuilderResult::IsTx() { return maybeTx.has_value(); }
|
2018-10-30 13:12:40 -07:00
|
|
|
|
2021-12-28 08:30:02 -08:00
|
|
|
bool TransactionBuilderResult::IsError() { return maybeError.has_value(); }
|
2018-10-30 13:12:40 -07:00
|
|
|
|
|
|
|
|
CTransaction TransactionBuilderResult::GetTxOrThrow() {
|
2021-12-28 08:30:02 -08:00
|
|
|
if (maybeTx.has_value()) {
|
2020-10-20 16:39:23 -07:00
|
|
|
return maybeTx.value();
|
2018-10-30 13:12:40 -07:00
|
|
|
} else {
|
|
|
|
|
throw JSONRPCError(RPC_WALLET_ERROR, "Failed to build transaction: " + GetError());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::string TransactionBuilderResult::GetError() {
|
2021-12-28 08:30:02 -08:00
|
|
|
if (maybeError.has_value()) {
|
2020-10-20 16:39:23 -07:00
|
|
|
return maybeError.value();
|
2018-10-30 13:12:40 -07:00
|
|
|
} else {
|
|
|
|
|
// This can only happen if isTx() is true in which case we should not call getError()
|
|
|
|
|
throw std::runtime_error("getError() was called in TransactionBuilderResult, but the result was not initialized as an error.");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-17 09:36:38 -07:00
|
|
|
TransactionBuilder::TransactionBuilder(
|
2018-07-27 00:49:43 -07:00
|
|
|
const Consensus::Params& consensusParams,
|
2018-07-30 03:03:29 -07:00
|
|
|
int nHeight,
|
2022-02-11 15:41:35 -08:00
|
|
|
std::optional<uint256> orchardAnchor,
|
2022-05-24 15:50:53 -07:00
|
|
|
const CKeyStore* keystore,
|
|
|
|
|
const CCoinsViewCache* coinsView,
|
2018-10-12 17:36:26 -07:00
|
|
|
CCriticalSection* cs_coinsView) :
|
|
|
|
|
consensusParams(consensusParams),
|
|
|
|
|
nHeight(nHeight),
|
|
|
|
|
keystore(keystore),
|
|
|
|
|
coinsView(coinsView),
|
2022-04-28 15:37:42 -07:00
|
|
|
cs_coinsView(cs_coinsView),
|
|
|
|
|
orchardAnchor(orchardAnchor)
|
2018-07-17 09:36:38 -07:00
|
|
|
{
|
2022-05-19 08:30:17 -07:00
|
|
|
mtx = CreateNewContextualCMutableTransaction(
|
|
|
|
|
consensusParams, nHeight,
|
|
|
|
|
!orchardAnchor.has_value() && nPreferredTxVersion < ZIP225_MIN_TX_VERSION);
|
2022-02-23 09:20:11 -08:00
|
|
|
|
|
|
|
|
// Ignore the Orchard anchor if we can't use it yet.
|
|
|
|
|
if (orchardAnchor.has_value() && mtx.nVersion >= ZIP225_MIN_TX_VERSION) {
|
2022-02-11 15:41:35 -08:00
|
|
|
orchardBuilder = orchard::Builder(true, true, orchardAnchor.value());
|
|
|
|
|
}
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2019-02-28 10:19:36 -08:00
|
|
|
// This exception is thrown in certain scenarios when building JoinSplits fails.
|
2019-03-19 11:55:55 -07:00
|
|
|
struct JSDescException : public std::exception
|
2019-02-28 10:19:36 -08:00
|
|
|
{
|
2019-03-19 11:55:55 -07:00
|
|
|
JSDescException (const std::string msg_) : msg(msg_) {}
|
2019-02-28 10:19:36 -08:00
|
|
|
|
|
|
|
|
const char* what() { return msg.c_str(); }
|
|
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
std::string msg;
|
|
|
|
|
};
|
|
|
|
|
|
2019-07-30 00:16:37 -07:00
|
|
|
void TransactionBuilder::SetExpiryHeight(uint32_t nExpiryHeight)
|
|
|
|
|
{
|
2019-08-05 11:57:10 -07:00
|
|
|
if (nExpiryHeight < nHeight || nExpiryHeight <= 0 || nExpiryHeight >= TX_EXPIRY_HEIGHT_THRESHOLD) {
|
2019-08-02 15:01:20 -07:00
|
|
|
throw new std::runtime_error("TransactionBuilder::SetExpiryHeight: invalid expiry height");
|
|
|
|
|
}
|
2019-08-05 11:57:10 -07:00
|
|
|
mtx.nExpiryHeight = nExpiryHeight;
|
2019-07-30 00:16:37 -07:00
|
|
|
}
|
|
|
|
|
|
2022-03-14 10:52:57 -07:00
|
|
|
bool TransactionBuilder::SupportsOrchard() const {
|
|
|
|
|
return orchardBuilder.has_value();
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-28 15:37:42 -07:00
|
|
|
std::optional<uint256> TransactionBuilder::GetOrchardAnchor() const {
|
|
|
|
|
return orchardAnchor;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2022-03-08 11:19:04 -08:00
|
|
|
bool TransactionBuilder::AddOrchardSpend(
|
|
|
|
|
libzcash::OrchardSpendingKey sk,
|
|
|
|
|
orchard::SpendInfo spendInfo)
|
|
|
|
|
{
|
|
|
|
|
if (!orchardBuilder.has_value()) {
|
|
|
|
|
// Try to give a useful error.
|
|
|
|
|
if (!(jsInputs.empty() && jsOutputs.empty())) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot spend Orchard notes in a Sprout transaction");
|
|
|
|
|
} else if (mtx.nVersion < ZIP225_MIN_TX_VERSION) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot spend Orchard notes before NU5 activation");
|
|
|
|
|
} else {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot spend Orchard notes without Orchard anchor");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auto fromAddr = spendInfo.FromAddress();
|
|
|
|
|
auto value = spendInfo.Value();
|
|
|
|
|
auto res = orchardBuilder.value().AddSpend(std::move(spendInfo));
|
|
|
|
|
if (res) {
|
|
|
|
|
orchardSpendingKeys.push_back(sk);
|
|
|
|
|
if (!firstOrchardSpendAddr.has_value()) {
|
|
|
|
|
firstOrchardSpendAddr = fromAddr;
|
|
|
|
|
}
|
|
|
|
|
valueBalanceOrchard += value;
|
|
|
|
|
}
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
void TransactionBuilder::AddOrchardOutput(
|
|
|
|
|
const std::optional<uint256>& ovk,
|
|
|
|
|
const libzcash::OrchardRawAddress& to,
|
|
|
|
|
CAmount value,
|
2022-02-16 05:21:47 -08:00
|
|
|
const std::optional<std::array<unsigned char, ZC_MEMO_SIZE>>& memo)
|
2022-02-11 15:41:35 -08:00
|
|
|
{
|
|
|
|
|
if (!orchardBuilder.has_value()) {
|
2022-02-23 09:20:11 -08:00
|
|
|
// Try to give a useful error.
|
|
|
|
|
if (!(jsInputs.empty() && jsOutputs.empty())) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot add Orchard output to Sprout transaction");
|
|
|
|
|
} else if (mtx.nVersion < ZIP225_MIN_TX_VERSION) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot add Orchard output before NU5 activation");
|
|
|
|
|
} else {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot add Orchard output without Orchard anchor");
|
|
|
|
|
}
|
2022-02-11 15:41:35 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
orchardBuilder.value().AddOutput(ovk, to, value, memo);
|
|
|
|
|
valueBalanceOrchard -= value;
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-31 09:15:37 -07:00
|
|
|
void TransactionBuilder::AddSaplingSpend(
|
2018-07-30 06:26:29 -07:00
|
|
|
libzcash::SaplingExpandedSpendingKey expsk,
|
2018-07-17 09:36:38 -07:00
|
|
|
libzcash::SaplingNote note,
|
|
|
|
|
uint256 anchor,
|
2018-08-01 09:41:36 -07:00
|
|
|
SaplingWitness witness)
|
2018-07-27 00:46:38 -07:00
|
|
|
{
|
2018-11-07 20:38:14 -08:00
|
|
|
// Sanity check: cannot add Sapling spend to pre-Sapling transaction
|
|
|
|
|
if (mtx.nVersion < SAPLING_TX_VERSION) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot add Sapling spend to pre-Sapling transaction");
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-27 00:46:38 -07:00
|
|
|
// Consistency check: all anchors must equal the first one
|
2018-10-31 09:15:37 -07:00
|
|
|
if (spends.size() > 0 && spends[0].anchor != anchor) {
|
|
|
|
|
throw JSONRPCError(RPC_WALLET_ERROR, "Anchor does not match previously-added Sapling spends.");
|
2018-07-27 00:46:38 -07:00
|
|
|
}
|
|
|
|
|
|
2018-07-30 06:26:29 -07:00
|
|
|
spends.emplace_back(expsk, note, anchor, witness);
|
2021-06-29 13:40:26 -07:00
|
|
|
mtx.valueBalanceSapling += note.value();
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void TransactionBuilder::AddSaplingOutput(
|
2018-09-18 15:22:50 -07:00
|
|
|
uint256 ovk,
|
2018-07-17 09:36:38 -07:00
|
|
|
libzcash::SaplingPaymentAddress to,
|
|
|
|
|
CAmount value,
|
2018-07-27 00:49:43 -07:00
|
|
|
std::array<unsigned char, ZC_MEMO_SIZE> memo)
|
|
|
|
|
{
|
2018-11-07 20:38:14 -08:00
|
|
|
// Sanity check: cannot add Sapling output to pre-Sapling transaction
|
|
|
|
|
if (mtx.nVersion < SAPLING_TX_VERSION) {
|
|
|
|
|
throw std::runtime_error("TransactionBuilder cannot add Sapling output to pre-Sapling transaction");
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-02 02:45:02 -07:00
|
|
|
libzcash::Zip212Enabled zip_212_enabled = libzcash::Zip212Enabled::BeforeZip212;
|
2020-07-02 08:24:03 -07:00
|
|
|
// We use nHeight = chainActive.Height() + 1 since the output will be included in the next block
|
2021-12-28 08:30:02 -08:00
|
|
|
if (consensusParams.NetworkUpgradeActive(nHeight, Consensus::UPGRADE_CANOPY)) {
|
2020-07-02 02:45:02 -07:00
|
|
|
zip_212_enabled = libzcash::Zip212Enabled::AfterZip212;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auto note = libzcash::SaplingNote(to, value, zip_212_enabled);
|
2018-09-18 15:22:50 -07:00
|
|
|
outputs.emplace_back(ovk, note, memo);
|
2021-06-29 13:40:26 -07:00
|
|
|
mtx.valueBalanceSapling -= value;
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2018-10-12 17:36:26 -07:00
|
|
|
void TransactionBuilder::AddSproutInput(
|
|
|
|
|
libzcash::SproutSpendingKey sk,
|
|
|
|
|
libzcash::SproutNote note,
|
|
|
|
|
SproutWitness witness)
|
|
|
|
|
{
|
2021-08-23 14:49:42 -07:00
|
|
|
CheckOrSetUsingSprout();
|
|
|
|
|
|
2018-10-12 17:36:26 -07:00
|
|
|
// Consistency check: all anchors must equal the first one
|
|
|
|
|
if (!jsInputs.empty()) {
|
|
|
|
|
if (jsInputs[0].witness.root() != witness.root()) {
|
|
|
|
|
throw JSONRPCError(RPC_WALLET_ERROR, "Anchor does not match previously-added Sprout spends.");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
jsInputs.emplace_back(witness, note, sk);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void TransactionBuilder::AddSproutOutput(
|
|
|
|
|
libzcash::SproutPaymentAddress to,
|
|
|
|
|
CAmount value,
|
|
|
|
|
std::array<unsigned char, ZC_MEMO_SIZE> memo)
|
|
|
|
|
{
|
2021-08-23 14:49:42 -07:00
|
|
|
CheckOrSetUsingSprout();
|
|
|
|
|
|
2018-10-12 17:36:26 -07:00
|
|
|
libzcash::JSOutput jsOutput(to, value);
|
|
|
|
|
jsOutput.memo = memo;
|
|
|
|
|
jsOutputs.push_back(jsOutput);
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-30 03:03:29 -07:00
|
|
|
void TransactionBuilder::AddTransparentInput(COutPoint utxo, CScript scriptPubKey, CAmount value)
|
|
|
|
|
{
|
|
|
|
|
if (keystore == nullptr) {
|
|
|
|
|
throw std::runtime_error("Cannot add transparent inputs to a TransactionBuilder without a keystore");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mtx.vin.emplace_back(utxo);
|
2022-01-22 18:37:10 -08:00
|
|
|
tIns.emplace_back(value, scriptPubKey);
|
2018-07-30 03:03:29 -07:00
|
|
|
}
|
|
|
|
|
|
2020-02-21 07:45:03 -08:00
|
|
|
void TransactionBuilder::AddTransparentOutput(const CTxDestination& to, CAmount value)
|
2018-07-30 03:03:29 -07:00
|
|
|
{
|
|
|
|
|
if (!IsValidDestination(to)) {
|
2018-10-31 09:15:37 -07:00
|
|
|
throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, "Invalid output address, not a valid taddr.");
|
2018-07-30 03:03:29 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CScript scriptPubKey = GetScriptForDestination(to);
|
|
|
|
|
CTxOut out(value, scriptPubKey);
|
|
|
|
|
mtx.vout.push_back(out);
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-30 04:52:48 -07:00
|
|
|
void TransactionBuilder::SetFee(CAmount fee)
|
|
|
|
|
{
|
|
|
|
|
this->fee = fee;
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-19 16:00:13 -08:00
|
|
|
// TODO: remove support for transparent change?
|
|
|
|
|
void TransactionBuilder::SendChangeTo(
|
|
|
|
|
const libzcash::RecipientAddress& changeAddr,
|
|
|
|
|
const uint256& ovk) {
|
2020-10-20 17:44:15 -07:00
|
|
|
tChangeAddr = std::nullopt;
|
2022-02-23 09:20:11 -08:00
|
|
|
orchardChangeAddr = std::nullopt;
|
2020-10-20 17:44:15 -07:00
|
|
|
saplingChangeAddr = std::nullopt;
|
2022-01-19 16:00:13 -08:00
|
|
|
sproutChangeAddr = std::nullopt;
|
2018-07-30 04:36:42 -07:00
|
|
|
|
2023-04-04 13:26:39 -07:00
|
|
|
examine(changeAddr, match {
|
2022-01-19 16:00:13 -08:00
|
|
|
[&](const CKeyID& keyId) {
|
|
|
|
|
tChangeAddr = keyId;
|
|
|
|
|
},
|
|
|
|
|
[&](const CScriptID& scriptId) {
|
|
|
|
|
tChangeAddr = scriptId;
|
|
|
|
|
},
|
|
|
|
|
[&](const libzcash::SaplingPaymentAddress& changeDest) {
|
|
|
|
|
saplingChangeAddr = std::make_pair(ovk, changeDest);
|
2022-02-23 09:20:11 -08:00
|
|
|
},
|
|
|
|
|
[&](const libzcash::OrchardRawAddress& changeDest) {
|
|
|
|
|
orchardChangeAddr = std::make_pair(ovk, changeDest);
|
2022-01-19 16:00:13 -08:00
|
|
|
}
|
2023-04-04 13:26:39 -07:00
|
|
|
});
|
2022-01-19 16:00:13 -08:00
|
|
|
}
|
2018-07-30 04:36:42 -07:00
|
|
|
|
2022-01-19 16:00:13 -08:00
|
|
|
void TransactionBuilder::SendChangeToSprout(const libzcash::SproutPaymentAddress& zaddr) {
|
|
|
|
|
tChangeAddr = std::nullopt;
|
2022-02-23 09:20:11 -08:00
|
|
|
orchardChangeAddr = std::nullopt;
|
2020-10-20 17:44:15 -07:00
|
|
|
saplingChangeAddr = std::nullopt;
|
2022-01-19 16:00:13 -08:00
|
|
|
sproutChangeAddr = zaddr;
|
2018-07-30 04:36:42 -07:00
|
|
|
}
|
|
|
|
|
|
2018-10-30 13:12:40 -07:00
|
|
|
TransactionBuilderResult TransactionBuilder::Build()
|
2018-07-17 09:36:38 -07:00
|
|
|
{
|
2018-07-30 03:03:29 -07:00
|
|
|
//
|
|
|
|
|
// Consistency checks
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// Valid change
|
2022-02-11 15:41:35 -08:00
|
|
|
CAmount change = mtx.valueBalanceSapling + valueBalanceOrchard - fee;
|
2018-10-12 17:36:26 -07:00
|
|
|
for (auto jsInput : jsInputs) {
|
|
|
|
|
change += jsInput.note.value();
|
|
|
|
|
}
|
|
|
|
|
for (auto jsOutput : jsOutputs) {
|
|
|
|
|
change -= jsOutput.value;
|
|
|
|
|
}
|
2018-07-30 03:03:29 -07:00
|
|
|
for (auto tIn : tIns) {
|
2022-01-22 18:37:10 -08:00
|
|
|
change += tIn.nValue;
|
2018-07-30 03:03:29 -07:00
|
|
|
}
|
|
|
|
|
for (auto tOut : mtx.vout) {
|
|
|
|
|
change -= tOut.nValue;
|
|
|
|
|
}
|
|
|
|
|
if (change < 0) {
|
2023-04-19 15:25:40 -07:00
|
|
|
return TransactionBuilderResult(
|
|
|
|
|
strprintf("Change cannot be negative: %s", DisplayMoney(change)));
|
2018-07-30 03:03:29 -07:00
|
|
|
}
|
|
|
|
|
|
2018-07-30 04:36:42 -07:00
|
|
|
//
|
|
|
|
|
// Change output
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
if (change > 0) {
|
|
|
|
|
// Send change to the specified change address. If no change address
|
2019-03-19 11:55:55 -07:00
|
|
|
// was set, send change to the first Sapling address given as input
|
|
|
|
|
// if any; otherwise the first Sprout address given as input.
|
|
|
|
|
// (A t-address can only be used as the change address if explicitly set.)
|
2022-02-23 09:20:11 -08:00
|
|
|
if (orchardChangeAddr) {
|
|
|
|
|
AddOrchardOutput(orchardChangeAddr->first, orchardChangeAddr->second, change, std::nullopt);
|
|
|
|
|
} else if (saplingChangeAddr) {
|
2018-10-12 17:36:26 -07:00
|
|
|
AddSaplingOutput(saplingChangeAddr->first, saplingChangeAddr->second, change);
|
|
|
|
|
} else if (sproutChangeAddr) {
|
2020-10-20 16:39:23 -07:00
|
|
|
AddSproutOutput(sproutChangeAddr.value(), change);
|
2018-07-30 04:36:42 -07:00
|
|
|
} else if (tChangeAddr) {
|
|
|
|
|
// tChangeAddr has already been validated.
|
2018-10-31 09:15:37 -07:00
|
|
|
AddTransparentOutput(tChangeAddr.value(), change);
|
2022-03-08 11:19:04 -08:00
|
|
|
} else if (firstOrchardSpendAddr.has_value()) {
|
|
|
|
|
auto ovk = orchardSpendingKeys[0].ToFullViewingKey().ToInternalOutgoingViewingKey();
|
|
|
|
|
AddOrchardOutput(ovk, firstOrchardSpendAddr.value(), change, std::nullopt);
|
2018-07-30 04:36:42 -07:00
|
|
|
} else if (!spends.empty()) {
|
2018-07-30 06:26:29 -07:00
|
|
|
auto fvk = spends[0].expsk.full_viewing_key();
|
2018-07-30 04:36:42 -07:00
|
|
|
auto note = spends[0].note;
|
|
|
|
|
libzcash::SaplingPaymentAddress changeAddr(note.d, note.pk_d);
|
2018-09-13 14:04:00 -07:00
|
|
|
AddSaplingOutput(fvk.ovk, changeAddr, change);
|
2018-10-12 17:36:26 -07:00
|
|
|
} else if (!jsInputs.empty()) {
|
|
|
|
|
auto changeAddr = jsInputs[0].key.address();
|
|
|
|
|
AddSproutOutput(changeAddr, change);
|
2018-07-30 04:36:42 -07:00
|
|
|
} else {
|
2018-10-30 13:12:40 -07:00
|
|
|
return TransactionBuilderResult("Could not determine change address");
|
2018-07-30 04:36:42 -07:00
|
|
|
}
|
|
|
|
|
}
|
2018-07-30 03:03:29 -07:00
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
//
|
|
|
|
|
// Orchard
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
std::optional<orchard::UnauthorizedBundle> orchardBundle;
|
2022-02-23 09:20:11 -08:00
|
|
|
if (orchardBuilder.has_value() && orchardBuilder->HasActions()) {
|
2022-02-11 15:41:35 -08:00
|
|
|
auto bundle = orchardBuilder->Build();
|
|
|
|
|
if (bundle.has_value()) {
|
|
|
|
|
orchardBundle = std::move(bundle);
|
|
|
|
|
} else {
|
|
|
|
|
return TransactionBuilderResult("Failed to build Orchard bundle");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-30 03:03:29 -07:00
|
|
|
//
|
|
|
|
|
// Sapling spends and outputs
|
|
|
|
|
//
|
|
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
auto ctx = sapling::init_prover();
|
2018-07-17 09:36:38 -07:00
|
|
|
|
|
|
|
|
// Create Sapling SpendDescriptions
|
|
|
|
|
for (auto spend : spends) {
|
2020-02-26 11:49:34 -08:00
|
|
|
auto cm = spend.note.cmu();
|
2018-07-17 09:36:38 -07:00
|
|
|
auto nf = spend.note.nullifier(
|
2018-07-30 06:26:29 -07:00
|
|
|
spend.expsk.full_viewing_key(), spend.witness.position());
|
2019-01-30 03:12:15 -08:00
|
|
|
if (!cm || !nf) {
|
|
|
|
|
return TransactionBuilderResult("Spend is invalid");
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CDataStream ss(SER_NETWORK, PROTOCOL_VERSION);
|
|
|
|
|
ss << spend.witness.path();
|
2022-08-25 18:25:10 -07:00
|
|
|
std::array<unsigned char, 1065> witness;
|
|
|
|
|
std::move(ss.begin(), ss.end(), witness.begin());
|
2018-07-17 09:36:38 -07:00
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
std::array<unsigned char, 32> cv;
|
|
|
|
|
std::array<unsigned char, 32> rk;
|
2018-07-17 09:36:38 -07:00
|
|
|
SpendDescription sdesc;
|
2020-06-17 13:53:12 -07:00
|
|
|
uint256 rcm = spend.note.rcm();
|
2022-08-25 18:25:10 -07:00
|
|
|
if (!ctx->create_spend_proof(
|
|
|
|
|
spend.expsk.full_viewing_key().ak.GetRawBytes(),
|
|
|
|
|
spend.expsk.nsk.GetRawBytes(),
|
|
|
|
|
spend.note.d,
|
|
|
|
|
rcm.GetRawBytes(),
|
|
|
|
|
spend.alpha.GetRawBytes(),
|
2018-07-27 00:49:43 -07:00
|
|
|
spend.note.value(),
|
2022-08-25 18:25:10 -07:00
|
|
|
spend.anchor.GetRawBytes(),
|
|
|
|
|
witness,
|
|
|
|
|
cv,
|
|
|
|
|
rk,
|
|
|
|
|
sdesc.zkproof)) {
|
2018-10-30 13:12:40 -07:00
|
|
|
return TransactionBuilderResult("Spend proof failed");
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2022-08-25 18:25:10 -07:00
|
|
|
sdesc.cv = uint256::FromRawBytes(cv);
|
|
|
|
|
sdesc.rk = uint256::FromRawBytes(rk);
|
2018-07-17 09:36:38 -07:00
|
|
|
sdesc.anchor = spend.anchor;
|
|
|
|
|
sdesc.nullifier = *nf;
|
|
|
|
|
mtx.vShieldedSpend.push_back(sdesc);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create Sapling OutputDescriptions
|
|
|
|
|
for (auto output : outputs) {
|
2019-05-17 09:39:30 -07:00
|
|
|
// Check this out here as well to provide better logging.
|
|
|
|
|
if (!output.note.cmu()) {
|
2019-01-30 03:12:15 -08:00
|
|
|
return TransactionBuilderResult("Output is invalid");
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2019-05-17 09:39:30 -07:00
|
|
|
auto odesc = output.Build(ctx);
|
|
|
|
|
if (!odesc) {
|
|
|
|
|
return TransactionBuilderResult("Failed to create output description");
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2020-10-20 16:39:23 -07:00
|
|
|
mtx.vShieldedOutput.push_back(odesc.value());
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2018-10-12 17:36:26 -07:00
|
|
|
//
|
|
|
|
|
// Sprout JoinSplits
|
|
|
|
|
//
|
|
|
|
|
|
2022-06-06 15:17:07 -07:00
|
|
|
ed25519::SigningKey joinSplitPrivKey;
|
|
|
|
|
ed25519::generate_keypair(joinSplitPrivKey, mtx.joinSplitPubKey);
|
2018-10-12 17:36:26 -07:00
|
|
|
|
|
|
|
|
// Create Sprout JSDescriptions
|
|
|
|
|
if (!jsInputs.empty() || !jsOutputs.empty()) {
|
2019-02-28 10:19:36 -08:00
|
|
|
try {
|
|
|
|
|
CreateJSDescriptions();
|
2019-03-19 11:55:55 -07:00
|
|
|
} catch (JSDescException e) {
|
2019-02-28 10:19:36 -08:00
|
|
|
return TransactionBuilderResult(e.what());
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-30 03:03:29 -07:00
|
|
|
//
|
|
|
|
|
// Signatures
|
|
|
|
|
//
|
|
|
|
|
|
2018-07-17 09:36:38 -07:00
|
|
|
auto consensusBranchId = CurrentEpochBranchId(nHeight, consensusParams);
|
|
|
|
|
|
|
|
|
|
// Empty output script.
|
|
|
|
|
uint256 dataToBeSigned;
|
|
|
|
|
try {
|
2022-02-11 15:41:35 -08:00
|
|
|
if (orchardBundle.has_value()) {
|
|
|
|
|
// Orchard is only usable with v5+ transactions.
|
2022-03-22 20:19:39 -07:00
|
|
|
dataToBeSigned = ProduceZip244SignatureHash(mtx, tIns, orchardBundle.value());
|
2022-02-11 15:41:35 -08:00
|
|
|
} else {
|
|
|
|
|
CScript scriptCode;
|
builder: Use correct `PrecomputedTransactionData` for transparent sigs
Before merging 4.7.0-rc1 into the nu5-consensus branch, we were in a
split state:
- 4.7.0-rc1 included Orchard support in the transaction builder, which
required special handling of Orchard bundles when computing sighashes.
The `PrecomputedTransactionData` structure could be shared, because
its digests were only relevant to transparent signatures (as shielded
signatures signed the txid directly even in shielding transactions).
- nu5-consensus included the changes to ZIP 244, which required passing
around a `PrecomputedTransactionData` that contained the set of all
transparent inputs being spent, because shielding transactions now also
need to commit to transparent inputs.
In the merge commit, we incorrectly handled the resolution: we correctly
derived a fresh `PrecomputedTransactionData` when signing the Orchard
bundle, but we reused the `PrecomputedTransactionData` that was
previously derived before checking whether or not we even had an Orchard
bundle, for transparent inputs. This meant that its commitments didn't
commit to the Orchard bundle, and so transparent signatures on
transactions with Orchard bundles would fail to verify.
Incidentally, this is the exact inverse of a bug we encounted while
implementing the ZIP 244 changes on the nu5-consensus branch: we were
correctly computing the transparent sighash, but we were relying on the
initial `TxDigests` derived within `PrecomputedTransactionData` for the
Orchard sighash, even though we were actively rewriting the transaction
to include the Orchard bundle. The fix there was similarly to re-compute
the `TxDigests` before computing the sighash.
2022-03-23 11:27:12 -07:00
|
|
|
const PrecomputedTransactionData txdata(mtx, tIns);
|
2022-03-22 19:25:33 -07:00
|
|
|
dataToBeSigned = SignatureHash(scriptCode, mtx, NOT_AN_INPUT, SIGHASH_ALL, 0, consensusBranchId, txdata);
|
2022-02-11 15:41:35 -08:00
|
|
|
}
|
2022-03-28 12:44:07 -07:00
|
|
|
} catch (std::ios_base::failure ex) {
|
|
|
|
|
return TransactionBuilderResult("Could not construct signature hash: " + std::string(ex.what()));
|
2018-07-17 09:36:38 -07:00
|
|
|
} catch (std::logic_error ex) {
|
2019-01-30 03:12:15 -08:00
|
|
|
return TransactionBuilderResult("Could not construct signature hash: " + std::string(ex.what()));
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
|
|
|
|
|
2022-02-11 15:41:35 -08:00
|
|
|
if (orchardBundle.has_value()) {
|
2022-03-08 11:19:04 -08:00
|
|
|
auto authorizedBundle = orchardBundle.value().ProveAndSign(
|
|
|
|
|
orchardSpendingKeys, dataToBeSigned);
|
2022-02-11 15:41:35 -08:00
|
|
|
if (authorizedBundle.has_value()) {
|
|
|
|
|
mtx.orchardBundle = authorizedBundle.value();
|
|
|
|
|
} else {
|
|
|
|
|
return TransactionBuilderResult("Failed to create Orchard proof or signatures");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-17 09:36:38 -07:00
|
|
|
// Create Sapling spendAuth and binding signatures
|
|
|
|
|
for (size_t i = 0; i < spends.size(); i++) {
|
|
|
|
|
librustzcash_sapling_spend_sig(
|
2018-07-30 06:26:29 -07:00
|
|
|
spends[i].expsk.ask.begin(),
|
2018-07-17 09:36:38 -07:00
|
|
|
spends[i].alpha.begin(),
|
|
|
|
|
dataToBeSigned.begin(),
|
|
|
|
|
mtx.vShieldedSpend[i].spendAuthSig.data());
|
|
|
|
|
}
|
2022-08-25 18:25:10 -07:00
|
|
|
ctx->binding_sig(
|
2021-06-29 13:40:26 -07:00
|
|
|
mtx.valueBalanceSapling,
|
2022-08-25 18:25:10 -07:00
|
|
|
dataToBeSigned.GetRawBytes(),
|
|
|
|
|
mtx.bindingSig);
|
2018-07-30 03:03:29 -07:00
|
|
|
|
2018-10-12 17:36:26 -07:00
|
|
|
// Create Sprout joinSplitSig
|
2022-06-06 15:17:07 -07:00
|
|
|
ed25519::sign(
|
|
|
|
|
joinSplitPrivKey,
|
|
|
|
|
{dataToBeSigned.begin(), 32},
|
|
|
|
|
mtx.joinSplitSig);
|
2018-10-12 17:36:26 -07:00
|
|
|
|
|
|
|
|
// Sanity check Sprout joinSplitSig
|
2022-06-06 15:17:07 -07:00
|
|
|
if (!ed25519::verify(
|
|
|
|
|
mtx.joinSplitPubKey,
|
|
|
|
|
mtx.joinSplitSig,
|
|
|
|
|
{dataToBeSigned.begin(), 32}))
|
2018-10-12 17:36:26 -07:00
|
|
|
{
|
|
|
|
|
return TransactionBuilderResult("Sprout joinSplitSig sanity check failed");
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-30 03:03:29 -07:00
|
|
|
// Transparent signatures
|
|
|
|
|
CTransaction txNewConst(mtx);
|
builder: Use correct `PrecomputedTransactionData` for transparent sigs
Before merging 4.7.0-rc1 into the nu5-consensus branch, we were in a
split state:
- 4.7.0-rc1 included Orchard support in the transaction builder, which
required special handling of Orchard bundles when computing sighashes.
The `PrecomputedTransactionData` structure could be shared, because
its digests were only relevant to transparent signatures (as shielded
signatures signed the txid directly even in shielding transactions).
- nu5-consensus included the changes to ZIP 244, which required passing
around a `PrecomputedTransactionData` that contained the set of all
transparent inputs being spent, because shielding transactions now also
need to commit to transparent inputs.
In the merge commit, we incorrectly handled the resolution: we correctly
derived a fresh `PrecomputedTransactionData` when signing the Orchard
bundle, but we reused the `PrecomputedTransactionData` that was
previously derived before checking whether or not we even had an Orchard
bundle, for transparent inputs. This meant that its commitments didn't
commit to the Orchard bundle, and so transparent signatures on
transactions with Orchard bundles would fail to verify.
Incidentally, this is the exact inverse of a bug we encounted while
implementing the ZIP 244 changes on the nu5-consensus branch: we were
correctly computing the transparent sighash, but we were relying on the
initial `TxDigests` derived within `PrecomputedTransactionData` for the
Orchard sighash, even though we were actively rewriting the transaction
to include the Orchard bundle. The fix there was similarly to re-compute
the `TxDigests` before computing the sighash.
2022-03-23 11:27:12 -07:00
|
|
|
const PrecomputedTransactionData txdata(txNewConst, tIns);
|
2018-07-30 03:03:29 -07:00
|
|
|
for (int nIn = 0; nIn < mtx.vin.size(); nIn++) {
|
|
|
|
|
auto tIn = tIns[nIn];
|
|
|
|
|
SignatureData sigdata;
|
|
|
|
|
bool signSuccess = ProduceSignature(
|
|
|
|
|
TransactionSignatureCreator(
|
2022-01-22 18:37:10 -08:00
|
|
|
keystore, &txNewConst, txdata, nIn, tIn.nValue, SIGHASH_ALL),
|
2018-07-30 03:03:29 -07:00
|
|
|
tIn.scriptPubKey, sigdata, consensusBranchId);
|
|
|
|
|
|
|
|
|
|
if (!signSuccess) {
|
2018-10-30 13:12:40 -07:00
|
|
|
return TransactionBuilderResult("Failed to sign transaction");
|
2018-07-30 03:03:29 -07:00
|
|
|
} else {
|
|
|
|
|
UpdateTransaction(mtx, nIn, sigdata);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-30 13:12:40 -07:00
|
|
|
return TransactionBuilderResult(CTransaction(mtx));
|
2018-07-17 09:36:38 -07:00
|
|
|
}
|
2018-10-12 17:36:26 -07:00
|
|
|
|
2021-08-23 14:49:42 -07:00
|
|
|
void TransactionBuilder::CheckOrSetUsingSprout()
|
|
|
|
|
{
|
2022-02-11 15:41:35 -08:00
|
|
|
if (orchardBuilder.has_value()) {
|
|
|
|
|
throw JSONRPCError(RPC_WALLET_ERROR, "Can't use Sprout with a v5 transaction.");
|
2021-08-23 14:49:42 -07:00
|
|
|
} else {
|
|
|
|
|
// Switch if necessary to a Sprout-supporting transaction format.
|
2022-02-11 15:41:35 -08:00
|
|
|
auto txVersionInfo = CurrentTxVersionInfo(consensusParams, nHeight, true);
|
2021-08-23 14:49:42 -07:00
|
|
|
mtx.nVersionGroupId = txVersionInfo.nVersionGroupId;
|
|
|
|
|
mtx.nVersion = txVersionInfo.nVersion;
|
2022-01-07 18:59:12 -08:00
|
|
|
mtx.nConsensusBranchId = std::nullopt;
|
2021-08-23 14:49:42 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-28 10:19:36 -08:00
|
|
|
void TransactionBuilder::CreateJSDescriptions()
|
2018-10-12 17:36:26 -07:00
|
|
|
{
|
|
|
|
|
// Copy jsInputs and jsOutputs to more flexible containers
|
|
|
|
|
std::deque<libzcash::JSInput> jsInputsDeque;
|
|
|
|
|
for (auto jsInput : jsInputs) {
|
|
|
|
|
jsInputsDeque.push_back(jsInput);
|
|
|
|
|
}
|
|
|
|
|
std::deque<libzcash::JSOutput> jsOutputsDeque;
|
|
|
|
|
for (auto jsOutput : jsOutputs) {
|
|
|
|
|
jsOutputsDeque.push_back(jsOutput);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we have no Sprout shielded inputs, then we do the simpler more-leaky
|
|
|
|
|
// process where we just create outputs directly. We save the chaining logic,
|
|
|
|
|
// at the expense of leaking the sums of pairs of output values in vpub_old.
|
|
|
|
|
if (jsInputs.empty()) {
|
|
|
|
|
// Create joinsplits, where each output represents a zaddr recipient.
|
|
|
|
|
while (jsOutputsDeque.size() > 0) {
|
|
|
|
|
// Default array entries are dummy inputs and outputs
|
|
|
|
|
std::array<libzcash::JSInput, ZC_NUM_JS_INPUTS> vjsin;
|
|
|
|
|
std::array<libzcash::JSOutput, ZC_NUM_JS_OUTPUTS> vjsout;
|
|
|
|
|
uint64_t vpub_old = 0;
|
|
|
|
|
|
|
|
|
|
for (int n = 0; n < ZC_NUM_JS_OUTPUTS && jsOutputsDeque.size() > 0; n++) {
|
|
|
|
|
vjsout[n] = jsOutputsDeque.front();
|
|
|
|
|
jsOutputsDeque.pop_front();
|
|
|
|
|
|
|
|
|
|
// Funds are removed from the value pool and enter the private pool
|
|
|
|
|
vpub_old += vjsout[n].value;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_INPUTS> inputMap;
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_OUTPUTS> outputMap;
|
|
|
|
|
CreateJSDescription(vpub_old, 0, vjsin, vjsout, inputMap, outputMap);
|
|
|
|
|
}
|
2019-02-28 10:19:36 -08:00
|
|
|
return;
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// At this point, we are guaranteed to have at least one input note.
|
|
|
|
|
// Use address of first input note as the temporary change address.
|
|
|
|
|
auto changeKey = jsInputsDeque.front().key;
|
|
|
|
|
auto changeAddress = changeKey.address();
|
|
|
|
|
|
|
|
|
|
CAmount jsChange = 0; // this is updated after each joinsplit
|
|
|
|
|
int changeOutputIndex = -1; // this is updated after each joinsplit if jsChange > 0
|
|
|
|
|
bool vpubOldProcessed = false; // updated when vpub_old for taddr inputs is set in first joinsplit
|
|
|
|
|
bool vpubNewProcessed = false; // updated when vpub_new for miner fee and taddr outputs is set in last joinsplit
|
|
|
|
|
|
|
|
|
|
CAmount valueOut = 0;
|
|
|
|
|
for (auto jsInput : jsInputs) {
|
|
|
|
|
valueOut += jsInput.note.value();
|
|
|
|
|
}
|
|
|
|
|
for (auto jsOutput : jsOutputs) {
|
|
|
|
|
valueOut -= jsOutput.value;
|
|
|
|
|
}
|
|
|
|
|
CAmount vpubOldTarget = valueOut < 0 ? -valueOut : 0;
|
|
|
|
|
CAmount vpubNewTarget = valueOut > 0 ? valueOut : 0;
|
|
|
|
|
|
|
|
|
|
// Keep track of treestate within this transaction
|
2016-05-06 11:47:12 -07:00
|
|
|
boost::unordered_map<uint256, SproutMerkleTree, SaltedTxidHasher> intermediates;
|
2018-10-12 17:36:26 -07:00
|
|
|
std::vector<uint256> previousCommitments;
|
|
|
|
|
|
|
|
|
|
while (!vpubNewProcessed) {
|
|
|
|
|
// Default array entries are dummy inputs and outputs
|
|
|
|
|
std::array<libzcash::JSInput, ZC_NUM_JS_INPUTS> vjsin;
|
|
|
|
|
std::array<libzcash::JSOutput, ZC_NUM_JS_OUTPUTS> vjsout;
|
|
|
|
|
uint64_t vpub_old = 0;
|
|
|
|
|
uint64_t vpub_new = 0;
|
|
|
|
|
|
|
|
|
|
// Set vpub_old in the first joinsplit
|
|
|
|
|
if (!vpubOldProcessed) {
|
|
|
|
|
vpub_old += vpubOldTarget; // funds flowing from public pool
|
|
|
|
|
vpubOldProcessed = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CAmount jsInputValue = 0;
|
|
|
|
|
uint256 jsAnchor;
|
|
|
|
|
|
|
|
|
|
JSDescription prevJoinSplit;
|
|
|
|
|
|
|
|
|
|
// Keep track of previous JoinSplit and its commitments
|
2019-06-16 04:39:05 -07:00
|
|
|
if (mtx.vJoinSplit.size() > 0) {
|
|
|
|
|
prevJoinSplit = mtx.vJoinSplit.back();
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If there is no change, the chain has terminated so we can reset the tracked treestate.
|
2019-06-16 04:39:05 -07:00
|
|
|
if (jsChange == 0 && mtx.vJoinSplit.size() > 0) {
|
2018-10-12 17:36:26 -07:00
|
|
|
intermediates.clear();
|
|
|
|
|
previousCommitments.clear();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Consume change as the first input of the JoinSplit.
|
|
|
|
|
//
|
|
|
|
|
if (jsChange > 0) {
|
|
|
|
|
// Update tree state with previous joinsplit
|
|
|
|
|
SproutMerkleTree tree;
|
|
|
|
|
{
|
2019-05-07 11:02:54 -07:00
|
|
|
// assert that coinsView is not null
|
|
|
|
|
assert(coinsView);
|
|
|
|
|
// We do not check cs_coinView because we do not set this in testing
|
|
|
|
|
// assert(cs_coinsView);
|
2018-10-12 17:36:26 -07:00
|
|
|
LOCK(cs_coinsView);
|
|
|
|
|
auto it = intermediates.find(prevJoinSplit.anchor);
|
|
|
|
|
if (it != intermediates.end()) {
|
|
|
|
|
tree = it->second;
|
|
|
|
|
} else if (!coinsView->GetSproutAnchorAt(prevJoinSplit.anchor, tree)) {
|
2019-03-19 11:55:55 -07:00
|
|
|
throw JSDescException("Could not find previous JoinSplit anchor");
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
assert(changeOutputIndex != -1);
|
|
|
|
|
assert(changeOutputIndex < prevJoinSplit.commitments.size());
|
2020-10-20 17:44:15 -07:00
|
|
|
std::optional<SproutWitness> changeWitness;
|
2018-10-12 17:36:26 -07:00
|
|
|
int n = 0;
|
|
|
|
|
for (const uint256& commitment : prevJoinSplit.commitments) {
|
|
|
|
|
tree.append(commitment);
|
|
|
|
|
previousCommitments.push_back(commitment);
|
|
|
|
|
if (!changeWitness && changeOutputIndex == n++) {
|
|
|
|
|
changeWitness = tree.witness();
|
|
|
|
|
} else if (changeWitness) {
|
2020-10-20 16:39:23 -07:00
|
|
|
changeWitness.value().append(commitment);
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
assert(changeWitness.has_value());
|
|
|
|
|
jsAnchor = tree.root();
|
|
|
|
|
intermediates.insert(std::make_pair(tree.root(), tree)); // chained js are interstitial (found in between block boundaries)
|
|
|
|
|
|
|
|
|
|
// Decrypt the change note's ciphertext to retrieve some data we need
|
|
|
|
|
ZCNoteDecryption decryptor(changeKey.receiving_key());
|
2020-07-09 01:20:06 -07:00
|
|
|
auto hSig = ZCJoinSplit::h_sig(
|
|
|
|
|
prevJoinSplit.randomSeed,
|
|
|
|
|
prevJoinSplit.nullifiers,
|
|
|
|
|
mtx.joinSplitPubKey);
|
2018-10-12 17:36:26 -07:00
|
|
|
try {
|
|
|
|
|
auto plaintext = libzcash::SproutNotePlaintext::decrypt(
|
|
|
|
|
decryptor,
|
|
|
|
|
prevJoinSplit.ciphertexts[changeOutputIndex],
|
|
|
|
|
prevJoinSplit.ephemeralKey,
|
|
|
|
|
hSig,
|
|
|
|
|
(unsigned char)changeOutputIndex);
|
|
|
|
|
|
|
|
|
|
auto note = plaintext.note(changeAddress);
|
2020-10-20 16:39:23 -07:00
|
|
|
vjsin[0] = libzcash::JSInput(changeWitness.value(), note, changeKey);
|
2018-10-12 17:36:26 -07:00
|
|
|
|
|
|
|
|
jsInputValue += plaintext.value();
|
|
|
|
|
|
|
|
|
|
LogPrint("zrpcunsafe", "spending change (amount=%s)\n", FormatMoney(plaintext.value()));
|
|
|
|
|
|
|
|
|
|
} catch (const std::exception& e) {
|
2019-03-19 11:55:55 -07:00
|
|
|
throw JSDescException("Error decrypting output note of previous JoinSplit");
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Consume spendable non-change notes
|
|
|
|
|
//
|
|
|
|
|
for (int n = (jsChange > 0) ? 1 : 0; n < ZC_NUM_JS_INPUTS && jsInputsDeque.size() > 0; n++) {
|
|
|
|
|
auto jsInput = jsInputsDeque.front();
|
|
|
|
|
jsInputsDeque.pop_front();
|
|
|
|
|
|
|
|
|
|
// Add history of previous commitments to witness
|
|
|
|
|
if (jsChange > 0) {
|
|
|
|
|
for (const uint256& commitment : previousCommitments) {
|
|
|
|
|
jsInput.witness.append(commitment);
|
|
|
|
|
}
|
|
|
|
|
if (jsAnchor != jsInput.witness.root()) {
|
2019-03-19 11:55:55 -07:00
|
|
|
throw JSDescException("Witness for spendable note does not have same anchor as change input");
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The jsAnchor is null if this JoinSplit is at the start of a new chain
|
|
|
|
|
if (jsAnchor.IsNull()) {
|
|
|
|
|
jsAnchor = jsInput.witness.root();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
jsInputValue += jsInput.note.value();
|
|
|
|
|
vjsin[n] = jsInput;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Find recipient to transfer funds to
|
|
|
|
|
libzcash::JSOutput recipient;
|
|
|
|
|
if (jsOutputsDeque.size() > 0) {
|
|
|
|
|
recipient = jsOutputsDeque.front();
|
|
|
|
|
jsOutputsDeque.pop_front();
|
|
|
|
|
}
|
|
|
|
|
// `recipient` is now either a valid recipient, or a dummy output with value = 0
|
|
|
|
|
|
|
|
|
|
// Reset change
|
|
|
|
|
jsChange = 0;
|
|
|
|
|
CAmount outAmount = recipient.value;
|
|
|
|
|
|
|
|
|
|
// Set vpub_new in the last joinsplit (when there are no more notes to spend or zaddr outputs to satisfy)
|
|
|
|
|
if (jsOutputsDeque.empty() && jsInputsDeque.empty()) {
|
|
|
|
|
assert(!vpubNewProcessed);
|
|
|
|
|
if (jsInputValue < vpubNewTarget) {
|
2019-03-19 11:55:55 -07:00
|
|
|
throw JSDescException(strprintf("Insufficient funds for vpub_new %s", FormatMoney(vpubNewTarget)));
|
2018-10-12 17:36:26 -07:00
|
|
|
}
|
|
|
|
|
outAmount += vpubNewTarget;
|
|
|
|
|
vpub_new += vpubNewTarget; // funds flowing back to public pool
|
|
|
|
|
vpubNewProcessed = true;
|
|
|
|
|
jsChange = jsInputValue - outAmount;
|
|
|
|
|
assert(jsChange >= 0);
|
|
|
|
|
} else {
|
|
|
|
|
// This is not the last joinsplit, so compute change and any amount still due to the recipient
|
|
|
|
|
if (jsInputValue > outAmount) {
|
|
|
|
|
jsChange = jsInputValue - outAmount;
|
|
|
|
|
} else if (outAmount > jsInputValue) {
|
|
|
|
|
// Any amount due is owed to the recipient. Let the miners fee get paid first.
|
|
|
|
|
CAmount due = outAmount - jsInputValue;
|
|
|
|
|
libzcash::JSOutput recipientDue(recipient.addr, due);
|
|
|
|
|
recipientDue.memo = recipient.memo;
|
|
|
|
|
jsOutputsDeque.push_front(recipientDue);
|
|
|
|
|
|
|
|
|
|
// reduce the amount being sent right now to the value of all inputs
|
|
|
|
|
recipient.value = jsInputValue;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// create output for recipient
|
|
|
|
|
assert(ZC_NUM_JS_OUTPUTS == 2); // If this changes, the logic here will need to be adjusted
|
|
|
|
|
vjsout[0] = recipient;
|
|
|
|
|
|
|
|
|
|
// create output for any change
|
|
|
|
|
if (jsChange > 0) {
|
|
|
|
|
vjsout[1] = libzcash::JSOutput(changeAddress, jsChange);
|
|
|
|
|
|
|
|
|
|
LogPrint("zrpcunsafe", "generating note for change (amount=%s)\n", FormatMoney(jsChange));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_INPUTS> inputMap;
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_OUTPUTS> outputMap;
|
|
|
|
|
CreateJSDescription(vpub_old, vpub_new, vjsin, vjsout, inputMap, outputMap);
|
|
|
|
|
|
|
|
|
|
if (jsChange > 0) {
|
|
|
|
|
changeOutputIndex = -1;
|
|
|
|
|
for (size_t i = 0; i < outputMap.size(); i++) {
|
|
|
|
|
if (outputMap[i] == 1) {
|
|
|
|
|
changeOutputIndex = i;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
assert(changeOutputIndex != -1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void TransactionBuilder::CreateJSDescription(
|
|
|
|
|
uint64_t vpub_old,
|
|
|
|
|
uint64_t vpub_new,
|
|
|
|
|
std::array<libzcash::JSInput, ZC_NUM_JS_INPUTS> vjsin,
|
|
|
|
|
std::array<libzcash::JSOutput, ZC_NUM_JS_OUTPUTS> vjsout,
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_INPUTS>& inputMap,
|
|
|
|
|
std::array<size_t, ZC_NUM_JS_OUTPUTS>& outputMap)
|
|
|
|
|
{
|
2019-05-08 20:32:04 -07:00
|
|
|
LogPrint("zrpcunsafe", "CreateJSDescription: creating joinsplit at index %d (vpub_old=%s, vpub_new=%s, in[0]=%s, in[1]=%s, out[0]=%s, out[1]=%s)\n",
|
2019-06-16 04:39:05 -07:00
|
|
|
mtx.vJoinSplit.size(),
|
2018-10-12 17:36:26 -07:00
|
|
|
FormatMoney(vpub_old), FormatMoney(vpub_new),
|
|
|
|
|
FormatMoney(vjsin[0].note.value()), FormatMoney(vjsin[1].note.value()),
|
|
|
|
|
FormatMoney(vjsout[0].value), FormatMoney(vjsout[1].value));
|
|
|
|
|
|
|
|
|
|
uint256 esk; // payment disclosure - secret
|
|
|
|
|
|
|
|
|
|
// Generate the proof, this can take over a minute.
|
2019-09-16 05:10:54 -07:00
|
|
|
assert(mtx.fOverwintered && (mtx.nVersion >= SAPLING_TX_VERSION));
|
2020-07-09 00:40:06 -07:00
|
|
|
JSDescription jsdesc = JSDescriptionInfo(
|
2018-10-12 17:36:26 -07:00
|
|
|
mtx.joinSplitPubKey,
|
|
|
|
|
vjsin[0].witness.root(),
|
|
|
|
|
vjsin,
|
|
|
|
|
vjsout,
|
2020-07-09 00:40:06 -07:00
|
|
|
vpub_old,
|
|
|
|
|
vpub_new
|
|
|
|
|
).BuildRandomized(
|
2018-10-12 17:36:26 -07:00
|
|
|
inputMap,
|
|
|
|
|
outputMap,
|
|
|
|
|
true, //!this->testmode,
|
|
|
|
|
&esk); // parameter expects pointer to esk, so pass in address
|
|
|
|
|
|
|
|
|
|
{
|
2020-07-07 18:23:03 -07:00
|
|
|
auto verifier = ProofVerifier::Strict();
|
2020-07-07 18:48:29 -07:00
|
|
|
if (!verifier.VerifySprout(jsdesc, mtx.joinSplitPubKey)) {
|
2018-10-12 17:36:26 -07:00
|
|
|
throw std::runtime_error("error verifying joinsplit");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-16 04:39:05 -07:00
|
|
|
mtx.vJoinSplit.push_back(jsdesc);
|
2018-10-12 17:36:26 -07:00
|
|
|
|
|
|
|
|
// TODO: Sprout payment disclosure
|
|
|
|
|
}
|
