ledger: sign MuSig2

This adds support handling public nonces and partial signatures.

Author: Sjors

hwilib/devices/ledger.py

@@ -40,7 +40,7 @@
     LegacyClient,
     TransportClient,
 )
-from .ledger_bitcoin.client_base import ApduException
+from .ledger_bitcoin.client_base import ApduException, MusigPubNonce, MusigPartialSignature
 from .ledger_bitcoin.exception import NotSupportedError
 from .ledger_bitcoin.wallet import (
     MultisigWallet,
@@ -372,31 +372,54 @@ def process_origin(origin: KeyOriginInfo) -> None:
                     if not is_wit:
                         psbt_in.witness_utxo = None
 
-            input_sigs = self.client.sign_psbt(psbt2, wallet, wallet_hmac)
+            res = self.client.sign_psbt(psbt2, wallet, wallet_hmac)
 
-            for idx, yielded in input_sigs:
+            for idx, yielded in res:
                 psbt_in = psbt2.inputs[idx]
 
-                utxo = None
-                if psbt_in.witness_utxo:
-                    utxo = psbt_in.witness_utxo
-                if psbt_in.non_witness_utxo:
-                    assert psbt_in.prev_out is not None
-                    utxo = psbt_in.non_witness_utxo.vout[psbt_in.prev_out]
-                assert utxo is not None
+                if isinstance(yielded, MusigPubNonce):
+                    psbt_key = (
+                        yielded.participant_pubkey,
+                        yielded.aggregate_pubkey,
+                        yielded.tapleaf_hash
+                    )
+
+                    assert len(yielded.aggregate_pubkey) == 33
 
-                is_wit, wit_ver, _ = utxo.is_witness()
+                    psbt_in.musig2_pub_nonces[psbt_key] = yielded.pubnonce
+                elif isinstance(yielded, MusigPartialSignature):
+                    psbt_key = (
+                        yielded.participant_pubkey,
+                        yielded.aggregate_pubkey,
+                        yielded.tapleaf_hash
+                    )
 
-                if is_wit and wit_ver >= 1:
-                    # TODO: Deal with script path signatures
-                    # For now, assume key path signature
-                    psbt_in.tap_key_sig = yielded.signature
+                    psbt_in.musig2_partial_sigs[psbt_key] = yielded.partial_signature
                 else:
-                    psbt_in.partial_sigs[yielded.pubkey] = yielded.signature
+                    utxo = None
+                    if psbt_in.witness_utxo:
+                        utxo = psbt_in.witness_utxo
+                    if psbt_in.non_witness_utxo:
+                        assert psbt_in.prev_out is not None
+                        utxo = psbt_in.non_witness_utxo.vout[psbt_in.prev_out]
+                    assert utxo is not None
+
+                    is_wit, wit_ver, _ = utxo.is_witness()
+
+                    if is_wit and wit_ver >= 1:
+                        if yielded.tapleaf_hash is None:
+                            psbt_in.tap_key_sig = yielded.signature
+                        else:
+                            psbt_in.tap_script_sigs[(yielded.pubkey, yielded.tapleaf_hash)] = yielded.signature
+
+                    else:
+                        psbt_in.partial_sigs[yielded.pubkey] = yielded.signature
 
         # Extract the sigs from psbt2 and put them into tx
         for sig_in, psbt_in in zip(psbt2.inputs, psbt.inputs):
             psbt_in.partial_sigs.update(sig_in.partial_sigs)
+            psbt_in.musig2_pub_nonces.update(sig_in.musig2_pub_nonces)
+            psbt_in.musig2_partial_sigs.update(sig_in.musig2_partial_sigs)
             psbt_in.tap_script_sigs.update(sig_in.tap_script_sigs)
             if len(sig_in.tap_key_sig) != 0 and len(psbt_in.tap_key_sig) == 0:
                 psbt_in.tap_key_sig = sig_in.tap_key_sig

hwilib/devices/ledger_bitcoin/client.py

@@ -4,8 +4,8 @@
 
 from .command_builder import BitcoinCommandBuilder, BitcoinInsType
 from ...common import Chain
-from .client_command import ClientCommandInterpreter
-from .client_base import Client, PartialSignature, SignPsbtYieldedObject, TransportClient
+from .client_command import ClientCommandInterpreter, CCMD_YIELD_MUSIG_PARTIALSIGNATURE_TAG, CCMD_YIELD_MUSIG_PUBNONCE_TAG
+from .client_base import Client, MusigPartialSignature, MusigPubNonce, PartialSignature, SignPsbtYieldedObject, TransportClient
 from .client_legacy import LegacyClient
 from .errors import UnknownDeviceError
 from .exception import DeviceException, NotSupportedError
@@ -51,18 +51,55 @@ def _make_partial_signature(pubkey_augm: bytes, signature: bytes) -> PartialSign
 def _decode_signpsbt_yielded_value(res: bytes) -> Tuple[int, SignPsbtYieldedObject]:
     res_buffer = BytesIO(res)
     input_index_or_tag = read_varint(res_buffer)
+    if input_index_or_tag == CCMD_YIELD_MUSIG_PUBNONCE_TAG:
+        input_index = read_varint(res_buffer)
+        pubnonce = res_buffer.read(66)
+        participant_pk = res_buffer.read(33)
+        aggregate_pubkey = res_buffer.read(33)
+        tapleaf_hash = res_buffer.read()
+        if len(tapleaf_hash) == 0:
+            tapleaf_hash = None
+
+        return (
+            input_index,
+            MusigPubNonce(
+                participant_pubkey=participant_pk,
+                aggregate_pubkey=aggregate_pubkey,
+                tapleaf_hash=tapleaf_hash,
+                pubnonce=pubnonce
+            )
+        )
+    elif input_index_or_tag == CCMD_YIELD_MUSIG_PARTIALSIGNATURE_TAG:
+        input_index = read_varint(res_buffer)
+        partial_signature = res_buffer.read(32)
+        participant_pk = res_buffer.read(33)
+        aggregate_pubkey = res_buffer.read(33)
+        tapleaf_hash = res_buffer.read()
+        if len(tapleaf_hash) == 0:
+            tapleaf_hash = None
+
+        return (
+            input_index,
+            MusigPartialSignature(
+                participant_pubkey=participant_pk,
+                aggregate_pubkey=aggregate_pubkey,
+                tapleaf_hash=tapleaf_hash,
+                partial_signature=partial_signature
+            )
+        )
+    else:
+        # other values follow an encoding without an explicit tag, where the
+        # first element is the input index. All the signature types are implemented
+        # by the PartialSignature type (not to be confused with the musig Partial Signature).
+        input_index = input_index_or_tag
 
-    # values follow an encoding without an explicit tag, where the
-    # first element is the input index. All the signature types are implemented
-    # by the PartialSignature type (not to be confused with the musig Partial Signature).
-    input_index = input_index_or_tag
+        pubkey_augm_len = read_uint(res_buffer, 8)
+        pubkey_augm = res_buffer.read(pubkey_augm_len)
 
-    pubkey_augm_len = read_uint(res_buffer, 8)
-    pubkey_augm = res_buffer.read(pubkey_augm_len)
+        signature = res_buffer.read()
 
-    signature = res_buffer.read()
+        return((input_index, _make_partial_signature(pubkey_augm, signature)))
 
-    return((input_index, _make_partial_signature(pubkey_augm, signature)))
 
 def read_uint(buf: BytesIO,
               bit_len: int,

hwilib/devices/ledger_bitcoin/client_base.py

@@ -65,7 +65,42 @@ class PartialSignature:
     tapleaf_hash: Optional[bytes] = None
 
 
-SignPsbtYieldedObject = Union[PartialSignature]
+@dataclass(frozen=True)
+class MusigPubNonce:
+    """Represents a pubnonce returned by sign_psbt during the first round of a Musig2 signing session.
+
+    It always contains
+    - the participant_pubkey, a 33-byte compressed pubkey;
+    - aggregate_pubkey, the 33-byte compressed pubkey key that is the aggregate of all the participant
+      pubkeys, with the necessary tweaks; its x-only version is the key present in the Script;
+    - the 66-byte pubnonce.
+
+    The tapleaf_hash is also filled if signing for a tapscript; `None` otherwise.
+    """
+    participant_pubkey: bytes
+    aggregate_pubkey: bytes
+    tapleaf_hash: Optional[bytes]
+    pubnonce: bytes
+
+
+@dataclass(frozen=True)
+class MusigPartialSignature:
+    """Represents a partial signature returned by sign_psbt during the second round of a Musig2 signing session.
+
+    It always contains
+    - the participant_pubkey, a 33-byte compressed pubkey;
+    - aggregate_pubkey, the 33-byte compressed pubkey key that is the aggregate of all the participant
+      pubkeys, with the necessary tweaks; its x-only version is the key present in the Script;
+    - the partial_signature, the 32-byte partial signature for this participant.
+
+    The tapleaf_hash is also filled if signing for a tapscript; `None` otherwise
+    """
+    participant_pubkey: bytes
+    aggregate_pubkey: bytes
+    tapleaf_hash: Optional[bytes]
+    partial_signature: bytes
+
+SignPsbtYieldedObject = Union[PartialSignature, MusigPubNonce, MusigPartialSignature]
 
 class Client:
     def __init__(self, transport_client: TransportClient, chain: Chain = Chain.MAIN) -> None:

hwilib/devices/ledger_bitcoin/client_command.py

@@ -46,6 +46,8 @@ class ClientCommandCode(IntEnum):
     GET_MERKLE_LEAF_INDEX = 0x42
     GET_MORE_ELEMENTS = 0xA0
 
+CCMD_YIELD_MUSIG_PUBNONCE_TAG = 0xFFFFFFFF
+CCMD_YIELD_MUSIG_PARTIALSIGNATURE_TAG = 0xFFFFFFFE
 
 class ClientCommand:
     def execute(self, request: bytes) -> bytes:
@@ -350,7 +352,7 @@ def add_known_mapping(self, mapping: Mapping[bytes, bytes]) -> None:
         of a mapping of bytes to bytes.
 
         Adds the Merkle tree of the list of keys, and the Merkle tree of the list of corresponding
-        values, with the same semantics as the `add_known_list` applied separately to the two lists. 
+        values, with the same semantics as the `add_known_list` applied separately to the two lists.
 
         Parameters
         ----------