New PSBT global keys

[dr-orlovsky]

Based/depends on #470

Part of epic #473

[stevenroose]

You also forgot to implement Map::get_pairs to do the serialization part.

Some unit tests that add some roundtrips of some PSBTs with the new keys would also be appreciated.

[apoelstra]

needs rebase

[dr-orlovsky]

Rebased and addressed @stevenroose comments. NB: this is based on #470, which also had review comments (they are addressed now, but #470 needs to be merged first)

[sanket1729]

nit: has wrong length

[sanket1729]

The BIP only specifies versions for Testnet, is it safe to use the same for Signet and Regtest

[apoelstra]

I think it's reasonable for now. Regtest copies a lot of values from testnet.

[sanket1729]

Can the from_slice() only fail if size is incorrect?
It looks like https://github.com/bitcoin-core/secp256k1/blob/9e5939d2848df5508e3a6eb038273b28d255248c/src/secp256k1.c#L550-L559 can fail if there is overflow or if secret key is zero.

[dr-orlovsky]

Fixed in the other branch and now fine after the rebase

[apoelstra]

Can you squash these commits together? It's not too long to read, and it's a bit harder to review because you make changes that are later modified.

[justinmoon]

I think this breaks PSBT serialization.

The impl_psbtmap_consensus_encoding macro calls Global::get_pairs which needs to be updated after you removed version and xpub values from Global::unknown and put them in their own fields.

Here's a failing test.

Otherwise it looks great!

[dr-orlovsky]

@justinmoon you are right, and even more: we need to do a proper merge according to BIP174 rules and resolve conflicts. Working on the change

[dr-orlovsky]

@apoelstra squashed old commits; new commits are on top and they do not change previous code but splits added functionality into logical blocks for review simplification

In general, it was not that trivial to do the merge procedure and key pair export; there were two questions which I do not know the right answer for, but proposing what I think will work the best:

1. What to do when two PSBTs global xpub match by value, but not derivation/key source? Spec says that it's up to an implementation to decide, so we have to decide :)
2. Do we need to serialize default 0 version, or just ignore this case? If we will serialize, this will break test vectors; if not, it may break roundtrips if the original PSBT contained explicit 0-version global key

My current implementation:

1. Uses special multi-step algorithm described here: 8b672c3#diff-2581ef26b841ed4069017f0e46e1393216bf6b413302ae34f248105526c8755bR137-R164
2. Does not serialize default 0 version as a separate key.

[apoelstra]

1. I'm happy with what you've done. I would've gone even simpler and just taken the lexicograpically first one :) but you're right that probably "longest first" is likely to do the right thing in realistic conflict scenarios.
2. Agreed, we'll just break round-tripping (and will have to add extra canonicalization to our fuzztests)

[justinmoon]

This will cause runtime error. ret is a vec with length 0, so you can't use vec[0..4]

[dr-orlovsky]

Very good point, thank you. Fixed

[stevenroose]

You seem to have some Rust v1.29 compilation error in the ordering algorithm.

[dr-orlovsky]

@stevenroose @apoelstra 1.29 fixed for all commit history. It's extremely stupid with borrow checks and making it compiling required an unnecessary clone; I have tried everything else and it simply was not working with 1.29 :(

[apoelstra]

nit: the correct term is "commutative"

[dr-orlovsky]

Fixed

[apoelstra]

ack 794c5196a0eb4ec635a35cf09708ff8da6a00d28

[apoelstra]

ack 794c5196a0eb4ec635a35cf09708ff8da6a00d28

[stevenroose]

utACK d1ace733e0de532707df7140ee5be1eb3faedbe0

[stevenroose]

Largest here means just by ordering the bytes, right? So 0xdeadbeef wins from 0xbeadbeef? This is a bit arbitrary. But I suppose I can agree that it's better to do something then to error.

[dr-orlovsky]

Correct. Actually since fingerprint is [u8; 4] and not u32 I assume it uses little-endian comparison. And yes, this is arbitrary

[stevenroose]

nit: I'd perhaps rephrase "choose largest pingerprint using binary ordering" because this suggests that the fingerprint "size" might have real meaning :p

[stevenroose]

@apoelstra you "approved" a different commit than the hash you mention inside the approve message. Can you confirm you meant to ack d1ace73?

[stevenroose]

Left a bunch of nits. I didn't want to make them to not hold up the MR, but since your CI fails and you need to push changes anyway, I thought I'd leave them anyway.

[stevenroose]

nit: There's no need to do this. It's probably microscopically more efficient to leave it self.

[dr-orlovsky]

This is not about efficiency, this is required by compiler, otherwise we get

error[E0631]: type mismatch in function arguments
   --> src/util/psbt/map/global.rs:182:71
    |
182 |                         (fp, deriv.len(), deriv.into_iter().rposition(ChildNumber::is_normal))
    |                                                                       ^^^^^^^^^^^^^^^^^^^^^^ expected signature of `fn(&ChildNumber) -> _`
    | 
   ::: src/util/bip32.rs:129:5
    |
129 |     pub fn is_normal(self) -> bool {
    |     ------------------------------ found signature of `fn(ChildNumber) -> _`

basically you need &self in order to be able to use the functions inside the iterators

[apoelstra]

you can just add .cloned() on the iterator before .rposition. Or .copied() in Rust 1.36. But what you did here is fine.

[stevenroose]

nit: There's no need to do this. It's probably microscopically more efficient to leave it self.

[dr-orlovsky]

Same as above

[stevenroose]

this can be for n in &derivation without the index. Or even

derivation.for_each(|n| ret.extend(&u32_to_array_le(n.into())));

[dr-orlovsky]

No, it can't be: there is no iter() for Derivation. You can only use derivation.into_iter()

[stevenroose]

nit: I think cmp::max(self.version, other.version) reads better; but very much a nit :)

[stevenroose]

nit: I'd perhaps rephrase "choose largest pingerprint using binary ordering" because this suggests that the fingerprint "size" might have real meaning :p

[stevenroose]

nit: Put on same line as string as long as it doesn't exceed 100 width :)

[stevenroose]

nit: This exceeds 100 characters, right? how about putting the encode::Error::ParseFailed on the same line as .map_err?

[stevenroose]

nit: I think you can actually do

let mut fingerprint = Fingerprint::default();
decoder.read_exact(&mut fingerprint[..])?;

but I'm not 100% sure

[dr-orlovsky]

You can't: there is no IndexMut impl for Fingerprint

[dr-orlovsky]

Had to rebase since it had conflicts with merged #530 and had a failed fuzz tests. Also used this opportunity to address @stevenroose nits. Will need a re-ACK from you guys, @apoelstra, @stevenroose

[sgeisler]

I think by and large this PR is in a good state. I'm still not super happy with the merge logic, it seems way too convoluted, reasoning about it was somewhat hard and I'm not sure it's entirely consistent. But since many reviewed so far and didn't take issue with it I'd be fine with it since the BIP didn't specify to detect such inconsistencies afaik. @apoelstra, what do you think, keep polishing or merge?

[sgeisler]

I found some logic bugs which is probably a good indicator to add some tests for the newly added logic.

[apoelstra]

ack 7f5c279