psbt: validate pubkeys in MuSig2 pubnonce/partial sig deserialization

[tboy1337]

The previous fix for invalid MuSig2 pubkeys (#34010) only
addressed the PSBT_IN_MUSIG2_PARTICIPANT_PUBKEYS field. However, the
PSBT_IN_MUSIG2_PUB_NONCE and PSBT_IN_MUSIG2_PARTIAL_SIG fields also
deserialize pubkeys without validation, which could lead to crashes when
invalid pubkeys are processed.

This commit adds validation to the DeserializeMuSig2ParticipantDataIdentifier
function to ensure all pubkeys in MuSig2 pubnonce and partial signature
fields are fully valid elliptic curve points.

The fix:

• Validates both aggregate and participant pubkeys in MuSig2 pubnonce and
  partial signature deserialization
• Throws std::ios_base::failure with descriptive error messages for invalid
  pubkeys
• Prevents potential crashes from invalid elliptic curve points
• Maintains backward compatibility for valid PSBTs

This completes the fix for issues #33999 and #34201.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34219.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	rkrux, w0xlt, darosior

If your review is incorrectly listed, please copy-paste <!--meta-tag:bot-skip--> into the comment that the bot should ignore.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #34725 (Fix a PSBT serialization roundtrip issue by darosior)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[maflcko]

Please squash your commits according to https://github.com/bitcoin/bitcoin/blob/master/CONTRIBUTING.md#squashing-commits

Also, you'll have to add tests

[maflcko]

Your added function test passes even before your changes, so this is not a regression test for the code change. Likely, it doesn't add any test coverage. All of this looks LLM generated.

If you want to add tests, that is fine, but you'll have to explain and show what coverage they are adding.

If you want to fix something, this is fine, but you'll have to add a regression test that fails before the changes, and passes after them: https://en.wikipedia.org/wiki/Regression_testing

[rkrux]

Concept ACK 6a1e362

Thanks for raising this PR, these checks for the aggregate and participant pubkeys in the MuSig2 pubnonce and partial signatures PSBT keys seem fine to me.
BIP Reference: https://github.com/bitcoin/bips/blob/master/bip-0373.mediawiki

In the absence of this fix, such invalid PSBTs get parsed successfully with empty participant and aggregate pubkeys that might later cause some flow (eg: signing) to crash like the earlier fuzz crashes found out.

I used the following code to generate cases that I have suggested in the inline comments.

Makeshift code to generate invalid PSBTs

diff --git a/test/functional/rpc_psbt.py b/test/functional/rpc_psbt.py
index cc443f6a7c..9d30d571ff 100755
--- a/test/functional/rpc_psbt.py
+++ b/test/functional/rpc_psbt.py
@@ -407,6 +407,31 @@ class PSBTTest(BitcoinTestFramework):
         self.log.info("PSBT parameter handling test completed successfully")
 
     def run_test(self):
+        encoded_psbts = [
+            "",
+        ]
+        old_key = None
+        value = None
+        new_key = None
+        for encoded in encoded_psbts:
+            decoded = PSBT.from_base64(encoded)
+            for k, v in decoded.i[0].map.items():
+                if type(k) == bytes and k.hex().startswith('1b'):
+                    old_key = k
+                    value = v
+
+                if old_key:
+                    hex = old_key.hex()
+                    new_hex = hex[0:2] + randbytes(33).hex() + hex[68:]
+                    new_key = bytes.fromhex(new_hex)
+                    break
+
+            del decoded.i[0].map[old_key]
+            decoded.i[0].map[new_key] = value
+            invalid_psbt = decoded.to_base64()
+            print(invalid_psbt)
+        return
+
         # Create and fund a raw tx for sending 10 BTC
         psbtx1 = self.nodes[0].walletcreatefundedpsbt([], {self.nodes[2].getnewaddress():10})['psbt']

[rkrux]

lgtm ACK f51665b

Thanks for incorporating the suggestions, I verified the added rpc_psbt.json test cases are indeed those that I suggested in #34219 (comment).

[w0xlt]

ACK f51665b

[darosior]

utACK f51665b

[fanquake]

Backported to 30.x in #34689.

[darosior]

For what it's worth another argument against IsFullyValid is that it needlessly slows down discovery of interesting inputs in fuzzing. Both because the check takes longer, but more importantly because it's a cryptographic check that's harder to pass.