@bitgo/wasm-utxo 1.7.0 → 1.8.0

package/dist/esm/test/fixedScript/{verifySignature.js → signAndVerifySignature.js}

@@ -1,10 +1,23 @@
 import assert from "node:assert";
 import * as utxolib from "@bitgo/utxo-lib";
-import { fixedScriptWallet, BIP32 } from "../../js/index.js";
-import { loadPsbtFixture, loadWalletKeysFromFixture, getPsbtBuffer, loadReplayProtectionKeyFromFixture, } from "./fixtureUtil.js";
+import { BIP32 } from "../../js/index.js";
+import { loadPsbtFixture, loadWalletKeysFromFixture, getBitGoPsbt, loadReplayProtectionKeyFromFixture, } from "./fixtureUtil.js";
+/**
+ * Load xprivs from a fixture
+ * @param fixture - The test fixture
+ * @returns The xprivs for user, backup, and bitgo keys
+ */
+function loadXprivsFromFixture(fixture) {
+    const [userXpriv, backupXpriv, bitgoXpriv] = fixture.walletKeys.map((xprv) => BIP32.fromBase58(xprv));
+    return {
+        user: userXpriv,
+        backup: backupXpriv,
+        bitgo: bitgoXpriv,
+    };
+}
 /**
  * Get expected signature state for an input based on type and signing stage
- * @param inputType - The type of input (e.g., "p2shP2pk", "p2trMusig2")
+ * @param inputType - The type of input (e.g., "p2shP2pk", "p2trMusig2", "taprootKeyPathSpend")
  * @param signatureStage - The signing stage (unsigned, halfsigned, fullsigned)
  * @returns Expected signature state for replay protection OR multi-key signatures
  */
@@ -59,9 +72,10 @@ function verifyInputSignatures(bitgoPsbt, parsed, rootWalletKeys, replayProtecti
     const hasUserSig = bitgoPsbt.verifySignature(inputIndex, rootWalletKeys.userKey());
     const hasBackupSig = bitgoPsbt.verifySignature(inputIndex, rootWalletKeys.backupKey());
     const hasBitGoSig = bitgoPsbt.verifySignature(inputIndex, rootWalletKeys.bitgoKey());
-    assert.strictEqual(hasUserSig, expectedSignatures.user, `Input ${inputIndex} user key signature mismatch`);
-    assert.strictEqual(hasBackupSig, expectedSignatures.backup, `Input ${inputIndex} backup key signature mismatch`);
-    assert.strictEqual(hasBitGoSig, expectedSignatures.bitgo, `Input ${inputIndex} BitGo key signature mismatch`);
+    const scriptType = parsed.inputs[inputIndex].scriptType;
+    assert.strictEqual(hasUserSig, expectedSignatures.user, `Input ${inputIndex} user key signature mismatch type=${scriptType}`);
+    assert.strictEqual(hasBackupSig, expectedSignatures.backup, `Input ${inputIndex} backup key signature mismatch type=${scriptType}`);
+    assert.strictEqual(hasBitGoSig, expectedSignatures.bitgo, `Input ${inputIndex} BitGo key signature mismatch type=${scriptType}`);
 }
 /**
  * Helper to verify signatures for all inputs in a PSBT
@@ -79,6 +93,71 @@ function verifyAllInputSignatures(bitgoPsbt, fixture, rootWalletKeys, replayProt
         verifyInputSignatures(bitgoPsbt, parsed, rootWalletKeys, replayProtectionKey, index, getExpectedSignatures(input.type, signatureStage));
     });
 }
+function signInputAndVerify(bitgoPsbt, index, key, keyName, inputType) {
+    bitgoPsbt.sign(index, key);
+    assert.strictEqual(bitgoPsbt.verifySignature(index, key), true, `Input ${index} signature mismatch key=${keyName} type=${inputType}`);
+}
+/**
+ * Sign all inputs in a PSBT according to the signature stage
+ * @param bitgoPsbt - The PSBT to sign
+ * @param rootWalletKeys - Wallet keys for parsing the transaction
+ * @param xprivs - The xprivs to use for signing
+ * @param replayProtectionKey - The ECPair for signing replay protection (p2shP2pk) inputs
+ */
+function signAllInputs(bitgoPsbt, rootWalletKeys, xprivs, replayProtectionKey) {
+    // Parse transaction to get input types
+    const parsed = bitgoPsbt.parseTransactionWithWalletKeys(rootWalletKeys, {
+        publicKeys: [replayProtectionKey],
+    });
+    // Generate MuSig2 nonces for user and backup keys (MuSig2 uses 2-of-2 with user+backup)
+    bitgoPsbt.generateMusig2Nonces(xprivs.user);
+    bitgoPsbt.generateMusig2Nonces(xprivs.bitgo);
+    // First pass: sign with user key (skip p2shP2pk inputs)
+    parsed.inputs.forEach((input, index) => {
+        switch (input.scriptType) {
+            case "p2shP2pk":
+                break;
+            default:
+                signInputAndVerify(bitgoPsbt, index, xprivs.user, "user", input.scriptType);
+                break;
+        }
+    });
+    // Second pass: sign with appropriate second key
+    parsed.inputs.forEach((input, index) => {
+        switch (input.scriptType) {
+            case "p2shP2pk":
+                signInputAndVerify(bitgoPsbt, index, replayProtectionKey, "replayProtection", input.scriptType);
+                break;
+            case "p2trMusig2ScriptPath":
+                // MuSig2 script path inputs use backup key for second signature
+                signInputAndVerify(bitgoPsbt, index, xprivs.backup, "backup", input.scriptType);
+                break;
+            default:
+                // Regular multisig uses bitgo key
+                signInputAndVerify(bitgoPsbt, index, xprivs.bitgo, "bitgo", input.scriptType);
+                break;
+        }
+    });
+}
+/**
+ * Run tests for a fixture: load PSBT, verify, sign, and verify again
+ * @param fixture - The test fixture
+ * @param networkName - The network name for deserializing the PSBT
+ * @param rootWalletKeys - Wallet keys for verification
+ * @param replayProtectionKey - Key for replay protection inputs
+ * @param xprivs - The xprivs to use for signing
+ * @param signatureStage - The current signing stage
+ */
+function runTestsForFixture(fixture, networkName, rootWalletKeys, replayProtectionKey, xprivs, signatureStage) {
+    // Load PSBT from fixture
+    const bitgoPsbt = getBitGoPsbt(fixture, networkName);
+    // Verify current state
+    verifyAllInputSignatures(bitgoPsbt, fixture, rootWalletKeys, replayProtectionKey, signatureStage);
+    // Sign inputs (if not already fully signed)
+    if (signatureStage !== "unsigned") {
+        signAllInputs(bitgoPsbt, rootWalletKeys, xprivs, replayProtectionKey);
+    }
+}
 describe("verifySignature", function () {
     const supportedNetworks = utxolib.getNetworkList().filter((network) => {
         return (utxolib.isMainnet(network) &&
@@ -93,65 +172,65 @@ describe("verifySignature", function () {
         describe(`network: ${networkName}`, function () {
             let rootWalletKeys;
             let replayProtectionKey;
+            let xprivs;
             let unsignedFixture;
             let halfsignedFixture;
             let fullsignedFixture;
-            let unsignedBitgoPsbt;
-            let halfsignedBitgoPsbt;
-            let fullsignedBitgoPsbt;
             before(function () {
                 unsignedFixture = loadPsbtFixture(networkName, "unsigned");
                 halfsignedFixture = loadPsbtFixture(networkName, "halfsigned");
                 fullsignedFixture = loadPsbtFixture(networkName, "fullsigned");
                 rootWalletKeys = loadWalletKeysFromFixture(fullsignedFixture);
                 replayProtectionKey = loadReplayProtectionKeyFromFixture(fullsignedFixture);
-                unsignedBitgoPsbt = fixedScriptWallet.BitGoPsbt.fromBytes(getPsbtBuffer(unsignedFixture), networkName);
-                halfsignedBitgoPsbt = fixedScriptWallet.BitGoPsbt.fromBytes(getPsbtBuffer(halfsignedFixture), networkName);
-                fullsignedBitgoPsbt = fixedScriptWallet.BitGoPsbt.fromBytes(getPsbtBuffer(fullsignedFixture), networkName);
+                xprivs = loadXprivsFromFixture(fullsignedFixture);
             });
             describe("unsigned PSBT", function () {
-                it("should return false for unsigned inputs", function () {
-                    verifyAllInputSignatures(unsignedBitgoPsbt, unsignedFixture, rootWalletKeys, replayProtectionKey, "unsigned");
+                it("should return false for unsigned inputs, then sign and verify", function () {
+                    runTestsForFixture(unsignedFixture, networkName, rootWalletKeys, replayProtectionKey, xprivs, "unsigned");
                 });
             });
             describe("half-signed PSBT", function () {
-                it("should return true for signed xpubs and false for unsigned", function () {
-                    verifyAllInputSignatures(halfsignedBitgoPsbt, halfsignedFixture, rootWalletKeys, replayProtectionKey, "halfsigned");
+                it("should return true for signed xpubs and false for unsigned, then sign and verify", function () {
+                    runTestsForFixture(halfsignedFixture, networkName, rootWalletKeys, replayProtectionKey, xprivs, "halfsigned");
                 });
             });
             describe("fully signed PSBT", function () {
                 it("should have 2 signatures (2-of-3 multisig)", function () {
-                    verifyAllInputSignatures(fullsignedBitgoPsbt, fullsignedFixture, rootWalletKeys, replayProtectionKey, "fullsigned");
+                    runTestsForFixture(fullsignedFixture, networkName, rootWalletKeys, replayProtectionKey, xprivs, "fullsigned");
                 });
             });
             describe("error handling", function () {
                 it("should throw error for out of bounds input index", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     assert.throws(() => {
-                        fullsignedBitgoPsbt.verifySignature(999, rootWalletKeys.userKey());
+                        psbt.verifySignature(999, rootWalletKeys.userKey());
                     }, (error) => {
                         return error.message.includes("Input index 999 out of bounds");
                     }, "Should throw error for out of bounds input index");
                 });
                 it("should throw error for invalid xpub", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     assert.throws(() => {
-                        fullsignedBitgoPsbt.verifySignature(0, "invalid-xpub");
+                        psbt.verifySignature(0, "invalid-xpub");
                     }, (error) => {
                         return error.message.includes("Invalid");
                     }, "Should throw error for invalid xpub");
                 });
                 it("should return false for xpub not in derivation path", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     // Create a different xpub that's not in the wallet
                     // Use a proper 32-byte seed (256 bits)
                     const differentSeed = Buffer.alloc(32, 0xaa); // 32 bytes filled with 0xaa
                     const differentKey = BIP32.fromSeed(differentSeed);
                     const differentXpub = differentKey.neutered();
-                    const result = fullsignedBitgoPsbt.verifySignature(0, differentXpub);
+                    const result = psbt.verifySignature(0, differentXpub);
                     assert.strictEqual(result, false, "Should return false for xpub not in PSBT derivation paths");
                 });
                 it("should verify signature with raw public key (Uint8Array)", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     // Verify that xpub-based verification works
                     const userKey = rootWalletKeys.userKey();
-                    const hasXpubSig = fullsignedBitgoPsbt.verifySignature(0, userKey);
+                    const hasXpubSig = psbt.verifySignature(0, userKey);
                     // This test specifically checks that raw public key verification works
                     // We test the underlying WASM API by ensuring both xpub and raw pubkey
                     // calls reach the correct methods
@@ -160,23 +239,25 @@ describe("verifySignature", function () {
                     const randomKey = BIP32.fromSeed(randomSeed);
                     const randomPubkey = randomKey.publicKey;
                     // This should return false (no signature for this key)
-                    const result = fullsignedBitgoPsbt.verifySignature(0, randomPubkey);
+                    const result = psbt.verifySignature(0, randomPubkey);
                     assert.strictEqual(result, false, "Should return false for public key not in PSBT");
                     // Verify the xpub check still works (regression test)
                     assert.strictEqual(hasXpubSig, true, "Should still verify with xpub");
                 });
                 it("should return false for raw public key with no signature", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     // Create a random public key that's not in the PSBT
                     const randomSeed = Buffer.alloc(32, 0xbb);
                     const randomKey = BIP32.fromSeed(randomSeed);
                     const randomPubkey = randomKey.publicKey;
-                    const result = fullsignedBitgoPsbt.verifySignature(0, randomPubkey);
+                    const result = psbt.verifySignature(0, randomPubkey);
                     assert.strictEqual(result, false, "Should return false for public key not in PSBT signatures");
                 });
                 it("should throw error for invalid key length", function () {
+                    const psbt = getBitGoPsbt(fullsignedFixture, networkName);
                     const invalidKey = Buffer.alloc(31); // Invalid length (should be 32 for private key or 33 for public key)
                     assert.throws(() => {
-                        fullsignedBitgoPsbt.verifySignature(0, invalidKey);
+                        psbt.verifySignature(0, invalidKey);
                     }, (error) => {
                         return error.message.includes("Invalid key length");
                     }, "Should throw error for invalid key length");

package/dist/esm/test/fixedScript/walletKeys.util.d.ts

@@ -0,0 +1,12 @@
+import * as utxolib from "@bitgo/utxo-lib";
+import type { Triple } from "../../js/triple.js";
+/**
+ * Convert utxolib BIP32 keys to WASM wallet keys format (Triple<string>)
+ */
+export declare function toWasmWalletKeys(keys: [utxolib.BIP32Interface, utxolib.BIP32Interface, utxolib.BIP32Interface]): Triple<string>;
+/**
+ * Get standard replay protection configuration
+ */
+export declare function getStandardReplayProtection(): {
+    outputScripts: Uint8Array[];
+};

package/dist/esm/test/fixedScript/walletKeys.util.js

@@ -0,0 +1,17 @@
+/**
+ * Convert utxolib BIP32 keys to WASM wallet keys format (Triple<string>)
+ */
+export function toWasmWalletKeys(keys) {
+    return [
+        keys[0].neutered().toBase58(),
+        keys[1].neutered().toBase58(),
+        keys[2].neutered().toBase58(),
+    ];
+}
+/**
+ * Get standard replay protection configuration
+ */
+export function getStandardReplayProtection() {
+    const replayProtectionScript = Buffer.from("a91420b37094d82a513451ff0ccd9db23aba05bc5ef387", "hex");
+    return { outputScripts: [replayProtectionScript] };
+}