bitcoinrb 0.6.0 → 1.0.0

data/lib/bitcoin/message_sign.rb

@@ -0,0 +1,47 @@
+module Bitcoin
+
+  module MessageSign
+
+    class Error < StandardError; end
+
+    module_function
+
+    # Sign a message.
+    # @param [Bitcoin::Key] key Private key to sign with.
+    # @param [String] message The message to sign.
+    # @return [String] Signature, base64 encoded.
+    def sign_message(key, message, prefix: Bitcoin.chain_params.message_magic)
+      digest = message_hash(message, prefix: prefix)
+      compact_sig = key.sign_compact(digest)
+      Base64.strict_encode64(compact_sig)
+    end
+
+    # Verify a signed message.
+    # @param [String] address Signer's bitcoin address, it must refer to a public key.
+    # @param [String] signature The signature in base64 format.
+    # @param [String] message The message that was signed.
+    # @return [Boolean] Verification result.
+    def verify_message(address, signature, message, prefix: Bitcoin.chain_params.message_magic)
+      validate_address!(address)
+      sig = Base64.decode64(signature)
+      raise ArgumentError, 'Invalid signature length' unless sig.bytesize == Bitcoin::Key::COMPACT_SIGNATURE_SIZE
+      digest = message_hash(message, prefix: prefix)
+      pubkey = Bitcoin::Key.recover_compact(digest, sig)
+      return false unless pubkey
+      pubkey.to_p2pkh == address
+    end
+
+    # Hashes a message for signing and verification.
+    def message_hash(message, prefix: Bitcoin.chain_params.message_magic)
+      Bitcoin.double_sha256(Bitcoin.pack_var_string(prefix) << Bitcoin.pack_var_string(message))
+    end
+
+    def validate_address!(address)
+      raise ArgumentError, 'Invalid address' unless Bitcoin.valid_address?(address)
+      script = Bitcoin::Script.parse_from_addr(address)
+      raise ArgumentError, 'Address has no key' unless script.p2pkh?
+    end
+
+    private_class_method :validate_address!
+  end
+end

data/lib/bitcoin/payments/payment.pb.rb

@@ -17,7 +17,7 @@ module Bitcoin
       end
 
       def transactions
-        @values[:transactions].map{|raw_tx|Bitcoin::Tx.parse_from_payload(raw_tx)}
+        @values[:transactions].map{|raw_tx|Bitcoin::Tx.parse_from_payload(raw_tx, strict: true)}
       end
 
     end

data/lib/bitcoin/psbt/input.rb

@@ -44,7 +44,7 @@ module Bitcoin
           when PSBT_IN_TYPES[:non_witness_utxo]
             raise ArgumentError, 'Invalid non-witness utxo typed key.' unless key_len == 1
             raise ArgumentError, 'Duplicate Key, input non-witness utxo already provided.' if input.non_witness_utxo
-            input.non_witness_utxo = Bitcoin::Tx.parse_from_payload(value)
+            input.non_witness_utxo = Bitcoin::Tx.parse_from_payload(value, strict: true)
           when PSBT_IN_TYPES[:witness_utxo]
             raise ArgumentError, 'Invalid input witness utxo typed key.' unless key_len == 1
             raise ArgumentError, 'Duplicate Key, input witness utxo already provided.' if input.witness_utxo

data/lib/bitcoin/psbt/tx.rb

@@ -74,7 +74,7 @@ module Bitcoin
           when PSBT_GLOBAL_TYPES[:unsigned_tx]
             raise ArgumentError, 'Invalid global transaction typed key.' unless key_len == 1
             raise ArgumentError, 'Duplicate Key, unsigned tx already provided.' if partial_tx.tx
-            partial_tx.tx = Bitcoin::Tx.parse_from_payload(value, non_witness: true)
+            partial_tx.tx = Bitcoin::Tx.parse_from_payload(value, non_witness: true, strict: true)
             partial_tx.tx.in.each do |tx_in|
               raise ArgumentError, 'Unsigned tx does not have empty scriptSigs and scriptWitnesses.' if !tx_in.script_sig.empty? || !tx_in.script_witness.empty?
             end
@@ -162,6 +162,15 @@ module Bitcoin
         Base64.strict_encode64(to_payload)
       end
 
+      # Store the PSBT to a file.
+      # @param [String] path File path to store.
+      def to_file(path)
+        raise ArgumentError, 'The file already exists' if File.exist?(path)
+        File.open(path, 'w') do |f|
+          f.write(to_payload)
+        end
+      end
+
       # update input key-value maps.
       # @param [Bitcoin::Tx] prev_tx previous tx reference by input.
       # @param [Bitcoin::Script] redeem_script redeem script to set input.

data/lib/bitcoin/psbt.rb

@@ -31,6 +31,14 @@ module Bitcoin
       s << Bitcoin.pack_var_int(value.bytesize) << value
       s
     end
+
+    # Load PSBT from file.
+    # @param [String] path File path of PSBT.
+    # @return [Bitcoin::PSBT::Tx] PSBT object.
+    def load_from_file(path)
+      raise ArgumentError, 'File not found' unless File.exist?(path)
+      Bitcoin::PSBT::Tx.parse_from_payload(File.read(path))
+    end
   end
 
 end

data/lib/bitcoin/rpc/request_handler.rb

@@ -49,7 +49,7 @@ module Bitcoin
       # Returns connected peer information.
       def getpeerinfo
         node.pool.peers.map do |peer|
-          local_addr = "#{peer.remote_version.remote_addr.ip}:18333"
+          local_addr = "#{peer.remote_version.remote_addr.addr_string}:18333"
           {
             id: peer.id,
             addr: "#{peer.host}:#{peer.port}",
@@ -75,7 +75,7 @@ module Bitcoin
 
       # broadcast transaction
       def sendrawtransaction(hex_tx)
-        tx = Bitcoin::Tx.parse_from_payload(hex_tx.htb)
+        tx = Bitcoin::Tx.parse_from_payload(hex_tx.htb, strict: true)
         # TODO check wether tx is valid
         node.broadcast(tx)
         tx.txid
@@ -84,7 +84,7 @@ module Bitcoin
       # decode tx data.
       def decoderawtransaction(hex_tx)
         begin
-          Bitcoin::Tx.parse_from_payload(hex_tx.htb).to_h
+          Bitcoin::Tx.parse_from_payload(hex_tx.htb, strict: true ).to_h
         rescue Exception
           raise ArgumentError.new('TX decode failed')
         end

data/lib/bitcoin/script/script.rb

@@ -21,7 +21,7 @@ module Bitcoin
 
     # generate P2WPKH script
     def self.to_p2wpkh(pubkey_hash)
-      new << WITNESS_VERSION << pubkey_hash
+      new << WITNESS_VERSION_V0 << pubkey_hash
     end
 
     # generate m of n multisig p2sh script
@@ -52,7 +52,7 @@ module Bitcoin
     end
 
     # generate m of n multisig script
-    # @param [String] m the number of signatures required for multisig
+    # @param [Integer] m the number of signatures required for multisig
     # @param [Array] pubkeys array of public keys that compose multisig
     # @return [Script] multisig script.
     def self.to_multisig_script(m, pubkeys, sort: false)
@@ -64,7 +64,7 @@ module Bitcoin
     # @param [Script] redeem_script target redeem script
     # @param [Script] p2wsh script
     def self.to_p2wsh(redeem_script)
-      new << WITNESS_VERSION << redeem_script.to_sha256
+      new << WITNESS_VERSION_V0 << redeem_script.to_sha256
     end
 
     # generate script from string.
@@ -87,17 +87,21 @@ module Bitcoin
     def self.parse_from_addr(addr)
       begin
         segwit_addr = Bech32::SegwitAddr.new(addr)
-        raise 'Invalid hrp.' unless Bitcoin.chain_params.bech32_hrp == segwit_addr.hrp
+        raise ArgumentError, 'Invalid address.' unless Bitcoin.chain_params.bech32_hrp == segwit_addr.hrp
         Bitcoin::Script.parse_from_payload(segwit_addr.to_script_pubkey.htb)
       rescue Exception => e
+        begin
         hex, addr_version = Bitcoin.decode_base58_address(addr)
+        rescue
+          raise ArgumentError, 'Invalid address.'
+        end
         case addr_version
         when Bitcoin.chain_params.address_version
           Bitcoin::Script.to_p2pkh(hex)
         when Bitcoin.chain_params.p2sh_version
           Bitcoin::Script.to_p2sh(hex)
         else
-          throw e
+          raise ArgumentError, 'Invalid address.'
         end
       end
     end
@@ -145,7 +149,7 @@ module Bitcoin
     end
 
     # Output script payload.
-    # @param [Boolean] length_prefixed Flag whether the length of the pyrode should be given at the beginning.(default: false)
+    # @param [Boolean] length_prefixed Flag whether the length of the payload should be given at the beginning.(default: false)
     # @return [String] payload
     def to_payload(length_prefixed = false)
       p = chunks.join
@@ -177,27 +181,40 @@ module Bitcoin
 
     # check whether standard script.
     def standard?
-      p2pkh? | p2sh? | p2wpkh? | p2wsh? | multisig? | standard_op_return?
+      p2pkh? | p2sh? | p2wpkh? | p2wsh? | p2tr? | multisig? | standard_op_return?
     end
 
-    # whether this script is a P2PKH format script.
+    # Check whether this script is a P2PKH format script.
+    # @return [Boolean] if P2PKH return true, otherwise false
     def p2pkh?
       return false unless chunks.size == 5
       [OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG] ==
           (chunks[0..1]+ chunks[3..4]).map(&:ord) && chunks[2].bytesize == 21
     end
 
-    # whether this script is a P2WPKH format script.
+    # Check whether this script is a P2WPKH format script.
+    # @return [Boolean] if P2WPKH return true, otherwise false
     def p2wpkh?
       return false unless chunks.size == 2
-      chunks[0].ord == WITNESS_VERSION && chunks[1].bytesize == 21
+      chunks[0].ord == WITNESS_VERSION_V0 && chunks[1].bytesize == 21
     end
 
+    # Check whether this script is a P2WPSH format script.
+    # @return [Boolean] if P2WPSH return true, otherwise false
     def p2wsh?
       return false unless chunks.size == 2
-      chunks[0].ord == WITNESS_VERSION && chunks[1].bytesize == 33
+      chunks[0].ord == WITNESS_VERSION_V0 && chunks[1].bytesize == 33
+    end
+
+    # Check whether this script is a P2TR format script.
+    # @return [Boolean] if P2TR return true, otherwise false
+    def p2tr?
+      return false unless chunks.size == 2
+      chunks[0].ord == WITNESS_VERSION_V1 && chunks[1].bytesize == 33
     end
 
+    # Check whether this script is a P2SH format script.
+    # @return [Boolean] if P2SH return true, otherwise false
     def p2sh?
       return false unless chunks.size == 3
       OP_HASH160 == chunks[0].ord && OP_EQUAL == chunks[2].ord && chunks[1].bytesize == 21
@@ -498,7 +515,7 @@ module Bitcoin
     end
 
     def ==(other)
-      return false unless other
+      return false unless other.is_a?(Script)
       chunks == other.chunks
     end
 

data/lib/bitcoin/script/script_interpreter.rb

@@ -3,6 +3,7 @@ module Bitcoin
   class ScriptInterpreter
 
     include Bitcoin::Opcodes
+    using Bitcoin::Ext::ArrayExt
 
     attr_reader :stack
     attr_reader :debug
@@ -55,6 +56,8 @@ module Bitcoin
         version, program = script_pubkey.witness_data
         stack_copy = stack.dup
         return false unless verify_witness_program(witness, version, program, false)
+        # Bypass the cleanstack check at the end. The actual stack is obviously not clean for witness programs.
+        stack.resize!(1, Script.encode_number(0))
       end
 
       # Additional validation for spend-to-script-hash transactions
@@ -160,9 +163,9 @@ module Bitcoin
             end
             return set_error(SCRIPT_ERR_STACK_SIZE) if stack.size > MAX_STACK_SIZE
             need_evaluate = true
+          elsif flag?(SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION)
+            return set_error(SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION)
           end
-
-          return set_error(SCRIPT_ERR_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION) if flag?(SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_TAPROOT_VERSION)
           return true unless need_evaluate
         end
       elsif flag?(SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAM)
@@ -697,7 +700,7 @@ module Bitcoin
       begin
         path_len = (control.bytesize - TAPROOT_CONTROL_BASE_SIZE) / TAPROOT_CONTROL_NODE_SIZE
         xonly_pubkey = control[1...TAPROOT_CONTROL_BASE_SIZE]
-        p = Bitcoin::Key.new(pubkey: "02#{xonly_pubkey.bth}", key_type: Key::TYPES[:compressed])
+        p = Bitcoin::Key.from_xonly_pubkey(xonly_pubkey.bth)
         k = leaf_hash
         path_len.times do |i|
           pos = (TAPROOT_CONTROL_BASE_SIZE + TAPROOT_CONTROL_NODE_SIZE * i)

data/lib/bitcoin/script/tx_checker.rb

@@ -56,11 +56,9 @@ module Bitcoin
 
       return set_error(SCRIPT_ERR_SCHNORR_SIG_HASHTYPE) unless (hash_type <= 0x03 || (hash_type >= 0x81 && hash_type <= 0x83))
 
-      opts[:prevouts] = prevouts
-
       begin
-        sighash = tx.sighash_for_input(input_index, opts: opts, hash_type: hash_type, sig_version: sig_version)
-        key = Key.new(pubkey: "02#{pubkey}", key_type: Key::TYPES[:compressed])
+        sighash = tx.sighash_for_input(input_index, opts: opts, hash_type: hash_type, sig_version: sig_version, prevouts: prevouts)
+        key = Key.from_xonly_pubkey(pubkey)
         key.verify(sig, sighash, algo: :schnorr)
       rescue ArgumentError
         return set_error(SCRIPT_ERR_SCHNORR_SIG_HASHTYPE)

data/lib/bitcoin/secp256k1/native.rb

@@ -4,8 +4,8 @@
 module Bitcoin
   module Secp256k1
 
-    # binding for secp256k1 (https://github.com/bitcoin/bitcoin/tree/v0.14.2/src/secp256k1)
-    # tag: v0.14.2
+    # binding for secp256k1 (https://github.com/bitcoin-core/secp256k1/)
+    # commit: efad3506a8937162e8010f5839fdf3771dfcf516
     # this is not included by default, to enable set shared object path to ENV['SECP256K1_LIB_PATH']
     # for linux, ENV['SECP256K1_LIB_PATH'] = '/usr/local/lib/libsecp256k1.so'
     # for mac,
@@ -54,6 +54,10 @@ module Bitcoin
         attach_function(:secp256k1_schnorrsig_verify, [:pointer, :pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_keypair_create, [:pointer, :pointer, :pointer], :int)
         attach_function(:secp256k1_xonly_pubkey_parse, [:pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_sign_recoverable, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recoverable_signature_serialize_compact, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recover, [:pointer, :pointer, :pointer, :pointer], :int)
+        attach_function(:secp256k1_ecdsa_recoverable_signature_parse_compact, [:pointer, :pointer, :pointer, :int], :int)
       end
 
       def with_context(flags: (SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN))
@@ -116,6 +120,52 @@ module Bitcoin
         end
       end
 
+      # Sign data with compact format.
+      # @param [String] data a data to be signed with binary format
+      # @param [String] privkey a private key using sign with hex format
+      # @return [Array[signature, recovery id]]
+      def sign_compact(data, privkey)
+        with_context do |context|
+          sig = FFI::MemoryPointer.new(:uchar, 65)
+          hash =FFI::MemoryPointer.new(:uchar, data.bytesize).put_bytes(0, data)
+          priv_key = privkey.htb
+          sec_key = FFI::MemoryPointer.new(:uchar, priv_key.bytesize).put_bytes(0, priv_key)
+          result = secp256k1_ecdsa_sign_recoverable(context, sig, hash, sec_key, nil, nil)
+          raise 'secp256k1_ecdsa_sign_recoverable failed.' if result == 0
+
+          output = FFI::MemoryPointer.new(:uchar, 64)
+          rec = FFI::MemoryPointer.new(:uint64)
+          result = secp256k1_ecdsa_recoverable_signature_serialize_compact(context, output, rec, sig)
+          raise 'secp256k1_ecdsa_recoverable_signature_serialize_compact failed.' unless result == 1
+
+          raw_sig = output.read_string(64)
+          [ECDSA::Signature.new(raw_sig[0...32].bti, raw_sig[32..-1].bti), rec.read(:int)]
+        end
+      end
+
+      # Recover public key from compact signature.
+      # @param [String] data message digest using signature.
+      # @param [String] signature signature with binary format.
+      # @param [Integer] rec recovery id.
+      # @param [Boolean] compressed whether compressed public key or not.
+      # @return [Bitcoin::Key] Recovered public key.
+      def recover_compact(data, signature, rec, compressed)
+        with_context do |context|
+          sig = FFI::MemoryPointer.new(:uchar, 65)
+          input = FFI::MemoryPointer.new(:uchar, 64).put_bytes(0, signature[1..-1])
+          result = secp256k1_ecdsa_recoverable_signature_parse_compact(context, sig, input, rec)
+          raise 'secp256k1_ecdsa_recoverable_signature_parse_compact failed.' unless result == 1
+
+          pubkey = FFI::MemoryPointer.new(:uchar, 64)
+          msg = FFI::MemoryPointer.new(:uchar, data.bytesize).put_bytes(0, data)
+          result = secp256k1_ecdsa_recover(context, pubkey, sig, msg)
+          raise 'secp256k1_ecdsa_recover failed.' unless result == 1
+
+          pubkey = serialize_pubkey_internal(context, pubkey.read_string(64), compressed)
+          Bitcoin::Key.new(pubkey: pubkey, compressed: compressed)
+        end
+      end
+
       # verify signature
       # @param [String] data a data with binary format.
       # @param [String] sig signature data with binary format
@@ -194,18 +244,7 @@ module Bitcoin
         internal_pubkey = FFI::MemoryPointer.new(:uchar, 64)
         result = secp256k1_ec_pubkey_create(context, internal_pubkey, privkey.htb)
         raise 'error creating pubkey' unless result
-
-        pubkey = FFI::MemoryPointer.new(:uchar, 65)
-        pubkey_len = FFI::MemoryPointer.new(:uint64)
-        result = if compressed
-                   pubkey_len.put_uint64(0, 33)
-                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, internal_pubkey, SECP256K1_EC_COMPRESSED)
-                 else
-                   pubkey_len.put_uint64(0, 65)
-                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, internal_pubkey, SECP256K1_EC_UNCOMPRESSED)
-                 end
-        raise 'error serialize pubkey' unless result || pubkey_len.read_uint64 > 0
-        pubkey.read_string(pubkey_len.read_uint64).bth
+        serialize_pubkey_internal(context, internal_pubkey, compressed)
       end
 
       def sign_ecdsa(data, privkey, extra_entropy)
@@ -282,6 +321,21 @@ module Bitcoin
         end
       end
 
+      # Serialize public key.
+      def serialize_pubkey_internal(context, pubkey_input, compressed)
+        pubkey = FFI::MemoryPointer.new(:uchar, 65)
+        pubkey_len = FFI::MemoryPointer.new(:uint64)
+        result = if compressed
+                   pubkey_len.put_uint64(0, 33)
+                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, pubkey_input, SECP256K1_EC_COMPRESSED)
+                 else
+                   pubkey_len.put_uint64(0, 65)
+                   secp256k1_ec_pubkey_serialize(context, pubkey, pubkey_len, pubkey_input, SECP256K1_EC_UNCOMPRESSED)
+                 end
+        raise 'error serialize pubkey' unless result || pubkey_len.read_uint64 > 0
+        pubkey.read_string(pubkey_len.read_uint64).bth
+      end
+
     end
   end
 end

data/lib/bitcoin/secp256k1/ruby.rb

@@ -43,14 +43,14 @@ module Bitcoin
 
       # sign data.
       # @param [String] data a data to be signed with binary format
-      # @param [String] privkey a private key using sign
+      # @param [String] privkey a private key using sign with hex format
       # @param [String] extra_entropy a extra entropy with binary format for rfc6979
       # @param [Symbol] algo signature algorithm. ecdsa(default) or schnorr.
       # @return [String] signature data with binary format
       def sign_data(data, privkey, extra_entropy = nil, algo: :ecdsa)
         case algo
         when :ecdsa
-          sign_ecdsa(data, privkey, extra_entropy)
+          sign_ecdsa(data, privkey, extra_entropy)&.first
         when :schnorr
           sign_schnorr(data, privkey, extra_entropy)
         else
@@ -58,6 +58,31 @@ module Bitcoin
         end
       end
 
+      # Sign data with compact format.
+      # @param [String] data a data to be signed with binary format
+      # @param [String] privkey a private key using sign with hex format
+      # @return [Array[signature, recovery id]]
+      def sign_compact(data, privkey)
+        sig, rec = sign_ecdsa(data, privkey, nil)
+        [ECDSA::Format::SignatureDerString.decode(sig), rec]
+      end
+
+      # Recover public key from compact signature.
+      # @param [String] data message digest using signature.
+      # @param [String] signature signature with binary format.
+      # @param [Integer] rec recovery id.
+      # @param [Boolean] compressed whether compressed public key or not.
+      # @return [Bitcoin::Key] Recovered public key.
+      def recover_compact(data, signature, rec, compressed)
+        r = ECDSA::Format::IntegerOctetString.decode(signature[1...33])
+        s = ECDSA::Format::IntegerOctetString.decode(signature[33..-1])
+        ECDSA.recover_public_key(Bitcoin::Secp256k1::GROUP, data, ECDSA::Signature.new(r, s)).each do |p|
+          if p.y & 1 == rec
+            return Bitcoin::Key.from_point(p, compressed: compressed)
+          end
+        end
+      end
+
       # verify signature using public key
       # @param [String] data a SHA-256 message digest with binary format
       # @param [String] sig a signature for +data+ with binary format
@@ -113,11 +138,14 @@ module Bitcoin
         r = point_field.mod(r_point.x)
         return nil if r.zero?
 
+        rec = r_point.y & 1
+
         e = ECDSA.normalize_digest(data, GROUP.bit_length)
         s = point_field.mod(point_field.inverse(nonce) * (e + r * private_key))
 
         if s > (GROUP.order / 2) # convert low-s
           s = GROUP.order - s
+          rec ^= 1
         end
 
         return nil if s.zero?
@@ -125,7 +153,7 @@ module Bitcoin
         signature = ECDSA::Signature.new(r, s).to_der
         public_key = Bitcoin::Key.new(priv_key: privkey.bth).pubkey
         raise 'Creation of signature failed.' unless Bitcoin::Secp256k1::Ruby.verify_sig(data, signature, public_key)
-        signature
+        [signature, rec]
       end
 
       def sign_schnorr(data, privkey, aux_rand)

data/lib/bitcoin/sighash_generator.rb

@@ -62,6 +62,7 @@ module Bitcoin
 
       def generate(tx, input_index, hash_type, opts)
         amount = opts[:amount]
+        raise ArgumentError, 'segwit sighash requires amount.' unless amount
         output_script = opts[:script_code]
         skip_separator_index = opts[:skip_separator_index]
         hash_prevouts = Bitcoin.double_sha256(tx.inputs.map{|i|i.out_point.to_payload}.join)

data/lib/bitcoin/taproot/leaf_node.rb

@@ -0,0 +1,23 @@
+module Bitcoin
+  module Taproot
+    class LeafNode
+
+      attr_reader :script, :leaf_ver
+
+      # Initialize
+      # @param [Bitcoin::Script] script Locking script
+      # @param [Integer] leaf_ver The leaf version of this script.
+      def initialize(script, leaf_ver = Bitcoin::TAPROOT_LEAF_TAPSCRIPT)
+        raise Taproot::Error, 'script must be Bitcoin::Script object' unless script.is_a?(Bitcoin::Script)
+        @script = script
+        @leaf_ver = leaf_ver
+      end
+
+      # Calculate leaf hash.
+      # @return [String] leaf hash.
+      def leaf_hash
+        @hash_value ||= Bitcoin.tagged_hash('TapLeaf', [leaf_ver].pack('C') + Bitcoin.pack_var_string(script.to_payload))
+      end
+    end
+  end
+end