Topic: Transaction verification in Python (with M2Crypto) (Read 3439 times)
Sent, enjoy!
[/quote]
Thanks!
12zhTAZg4R6DuV3TJpXTDE98ayFn9YL5qH
Most appreciated as I am not on exchanges and my laptop is a bit slow in mining :-)
Most appreciated as I am not on exchanges and my laptop is a bit slow in mining :-)
Sent, enjoy!
This is awesome! ^^ I'm definitely using this in my project as a guide if anything.
12zhTAZg4R6DuV3TJpXTDE98ayFn9YL5qH
Most appreciated as I am not on exchanges and my laptop is a bit slow in mining :-)
Most appreciated as I am not on exchanges and my laptop is a bit slow in mining :-)
Awesome, thank you 
If you post a bitcoin address I'll thank you with bitcoins too (when I get home, I don't take my wallet with me at work
)
If you post a bitcoin address I'll thank you with bitcoins too (when I get home, I don't take my wallet with me at work
)
Hi,
Thanks for the snippet it is greatly appreciated!
Yes, that is correct, as you already figured out bitcoin only sends the xy position of the curve, however for openssl also needs to know which curve is used and of course what type of public key it is, since this is all DER encoded I opted for recreating the DER package. As you can see I used the same key to check if it works. Although in my code I only have a dependency on openssl directly (via subprocess) and thus do away with m2crypto or any other crypto wrapper, I do have a new dependency on pyasn1 http://sourceforge.net/projects/pyasn1/ though.
The relevant part of my code:
Thanks for the snippet it is greatly appreciated!
My biggest problem was with M2Crypto: it doesn't seem to implement o2i_ECPublicKey from openssl, which is used by bitcoin to set the public key. I also looked at using pyOpenssl and pycrypto, but it looks like neither of these libraries can handle elliptic curve cryptography...
To make M2Crypto work for this I had to use some magic, which I'm really not happy about:
This string I got by making new public/private key pairs with M2Crypto and printing them out: I noticed that this part is fixed and never changes. I assume this string defines the parameters used (NID_secp256k)
To make M2Crypto work for this I had to use some magic, which I'm really not happy about:
Code:
pkey = pubkey[::-1] + "0042030a0004812b050601023dce48862a070610305630".decode("hex")
pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
As you can see, I need to add a fixed string in order to load the public key. Without this it fails to load it and I get an exception (ValueError: Received a NULL pointer.)pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
This string I got by making new public/private key pairs with M2Crypto and printing them out: I noticed that this part is fixed and never changes. I assume this string defines the parameters used (NID_secp256k)
Yes, that is correct, as you already figured out bitcoin only sends the xy position of the curve, however for openssl also needs to know which curve is used and of course what type of public key it is, since this is all DER encoded I opted for recreating the DER package. As you can see I used the same key to check if it works. Although in my code I only have a dependency on openssl directly (via subprocess) and thus do away with m2crypto or any other crypto wrapper, I do have a new dependency on pyasn1 http://sourceforge.net/projects/pyasn1/ though.
The relevant part of my code:
Code:
from pyasn1.codec.der import encoder
from pyasn1.type.univ import Sequence, ObjectIdentifier, BitString
# http://www.oid-info.com/get/1.2.840.10045.2.1
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
# http://www.oid-info.com/get/1.3.132.0.10
OID_SECP256K1 = "1.3.132.0.10"
def ec_public_key_in_der(xy_curve):
"Create the DER public key part using the XY curve values"
oid = Sequence()
oid.setComponentByPosition(0, ObjectIdentifier(OID_EC_PUBLIC_KEY))
oid.setComponentByPosition(1, ObjectIdentifier(OID_SECP256K1))
xyc = BitString("'%s'H" % xy_curve.encode('hex'))
tmp = Sequence()
tmp.setComponentByPosition(0, oid)
tmp.setComponentByPosition(1, xyc)
return(encoder.encode(tmp))
if __name__ == '__main__':
XY_CURVE = "0447d490561f396c8a9efc14486bc198884ba18379bcac2e0be2d8525134" +\
"ab742f301a9aca36606e5d29aa238a9e2993003150423df6924563642d4afe9bf4fe28"
XY_CURVE = XY_CURVE.decode('hex')
PUBLIC_KEY = "3056301006072a8648ce3d020106052b8104000a0342000447d490561f" +\
"396c8a9efc14486bc198884ba18379bcac2e0be2d8525134ab742f301a9aca36606e5d2" +\
"9aa238a9e2993003150423df6924563642d4afe9bf4fe28"
PUBLIC_KEY = PUBLIC_KEY.decode('hex')
if ec_public_key_in_der(XY_CURVE) == PUBLIC_KEY:
print(True)
else:
print(False)
from pyasn1.type.univ import Sequence, ObjectIdentifier, BitString
# http://www.oid-info.com/get/1.2.840.10045.2.1
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
# http://www.oid-info.com/get/1.3.132.0.10
OID_SECP256K1 = "1.3.132.0.10"
def ec_public_key_in_der(xy_curve):
"Create the DER public key part using the XY curve values"
oid = Sequence()
oid.setComponentByPosition(0, ObjectIdentifier(OID_EC_PUBLIC_KEY))
oid.setComponentByPosition(1, ObjectIdentifier(OID_SECP256K1))
xyc = BitString("'%s'H" % xy_curve.encode('hex'))
tmp = Sequence()
tmp.setComponentByPosition(0, oid)
tmp.setComponentByPosition(1, xyc)
return(encoder.encode(tmp))
if __name__ == '__main__':
XY_CURVE = "0447d490561f396c8a9efc14486bc198884ba18379bcac2e0be2d8525134" +\
"ab742f301a9aca36606e5d29aa238a9e2993003150423df6924563642d4afe9bf4fe28"
XY_CURVE = XY_CURVE.decode('hex')
PUBLIC_KEY = "3056301006072a8648ce3d020106052b8104000a0342000447d490561f" +\
"396c8a9efc14486bc198884ba18379bcac2e0be2d8525134ab742f301a9aca36606e5d2" +\
"9aa238a9e2993003150423df6924563642d4afe9bf4fe28"
PUBLIC_KEY = PUBLIC_KEY.decode('hex')
if ec_public_key_in_der(XY_CURVE) == PUBLIC_KEY:
print(True)
else:
print(False)
Hey everyone,
I've been playing around with Python and bitcoin and while there are some implementations of the network protocol floating around on the web, I haven't found anything that can parse and run scripts from transactions and verify if they're valid.
After messing around, I've made a (really horribly) script that, given two linked transactions, checks that the second transaction is allowed to redeem the referenced output from the first transaction.
This code needs structures.py which is my implementation of the (de)serialization of the various bitcoin messages.
The above script is really messy and more a quick proof-of-concept than anything else. Using it like that will be harmful for the bitcoin network as it is far from fully implemented and misses some small details.
The script checks that input 1 from this transaction is valid with the referenced transaction.
My biggest problem was with M2Crypto: it doesn't seem to implement o2i_ECPublicKey from openssl, which is used by bitcoin to set the public key. I also looked at using pyOpenssl and pycrypto, but it looks like neither of these libraries can handle elliptic curve cryptography...
To make M2Crypto work for this I had to use some magic, which I'm really not happy about:
This string I got by making new public/private key pairs with M2Crypto and printing them out: I noticed that this part is fixed and never changes. I assume this string defines the parameters used (NID_secp256k)
Anyways, I hope this is useful to someone. Feel free to use this code for anything, but keep in mind that it is horrible and needs lots of cleaning up.
And if anyone feels like improving it, go for it
Edit: I forgot to mention that this only validates standard transactions to another bitcoin address.
I've been playing around with Python and bitcoin and while there are some implementations of the network protocol floating around on the web, I haven't found anything that can parse and run scripts from transactions and verify if they're valid.
After messing around, I've made a (really horribly) script that, given two linked transactions, checks that the second transaction is allowed to redeem the referenced output from the first transaction.
Code:
import binascii
import hashlib
import M2Crypto
import structures
#Transaction 2 uses an output from Transaction 1
#Transaction 1: http://blockexplorer.com/tx/945691940e0ccd9f526ee1edd57a77ce170804915749702f5564c49b1f70f330
#Transaction 2: http://blockexplorer.com/tx/ff954e099764d192c5bb531c9c14c18c230b0c0a63f02cd168a4ea94548c890f#i325189
tx1raw= '\x01\x00\x00\x00\x02\x0f{\x7f\xb8mL\xf6F\x05\x8eA\xd3\xb0\x07\x18?\xdfysn\xd1\x9b*th\xab\xc5\xbd\x04\xb1n\x91\x00\x00\x00\x00\x8cI0F\x02!\x00\xb2\xee9\xd2\xfc\xc2\xe5TJW\xc3\x0f{NI\xcf\xb8""fm\x03O\xb9\x0e"4\x8e\x17\xe2\x8e\x0f\x02!\x00\xdb\x91\xc3\x19\x9c\xc7\xb4\x1dMz\xfc\xe0\xcc\xb4\xce\xb4$\xb9GmQ\xc0aBX=\xafS\xce\n\x9bf\x01A\x04\xc3"\x15\xa9\t0\x11\xbd\xfb\xd8-\x149\xbe\x01A\x04\xc3"\x15\xa9\t0\x11\xbd
tx1 = structures.Tx.deserialize(tx1raw)[0]
tx2 = structures.Tx.deserialize(tx2raw)[0]
#We're going to check that the first input of Tx2 is correctly redeemed
def run_script(script, stack):
while script:
opcode = ord(script.pop(0))
if opcode <= 75:
value = ""
for x in xrange(0, opcode):
value += script.pop(0)
stack.append(value)
elif opcode == 118:
#OP_DUP
stack.append(stack[-1])
elif opcode == 169:
#OP_HASH160
#The input is hashed twice: first with SHA-256 and then with RIPEMD-160.
value = stack.pop()
value = hashlib.sha256(value).digest()
ripemd = hashlib.new('ripemd160')
ripemd.update(value)
value = ripemd.digest()
stack.append(value)
elif opcode == 136:
#OP_EQUALVERIFY
v1 = stack.pop()
v2 = stack.pop()
if v1 != v2:
raise Exception()
elif opcode == 172:
#OP_CHECKSIG
#1. the public key and the signature are popped from the stack, in that order.
pubkey = stack.pop()
signature = stack.pop()
#2. A new subscript is created from the instruction from the most recent OP_CODESEPARATOR to the end of the script. If there is no OP_CODESEPARATOR the entire script becomes the subscript (hereby referred to as subScript)
#(we don't do the OP_CODESEPARATOR thing yet...)
subscript = tx1.txout[0].script
#3. the signature is deleted from subscript
subscript = subscript.replace(chr(len(signature)) + signature, "")
#4. The hashtype is removed from the last byte of the sig and stored
hashtype = signature[-1]
signature = signature[:-1]
#5. A deep copy is made of the current transaction (hereby referred to txCopy)
#(we do this by serializing and deserialing this transaction again...)
txCopy = structures.Tx.deserialize(tx2.serialize())[0]
#6. All OP_CODESEPARATORS are removed from subScript
#(we don't do this yet...)
#7. The scripts for all transaction inputs in txCopy are set to empty scripts
for txin in txCopy.txins:
txin.script = ""
#8. The script for the current transaction input in txCopy is set to subScript
#We're checking the first input
txCopy.txins[0].script = subscript
#An array of bytes is constructed from the serialized txCopy + four bytes for the hash type.
#This array is sha256 hashed twice, then the public key is used to to check the supplied
#signature against the hash.
#Load the public key. I have no idea what this magical string does...
pkey = pubkey[::-1] + "0042030a0004812b050601023dce48862a070610305630".decode("hex")
pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
#Serialize the transaction and add the hashtype to the end as an int
txhash = txCopy.serialize() + "\x01\x00\x00\x00"
#And sha256 it twice
txhash = hashlib.sha256(hashlib.sha256(txhash).digest()).digest()
if pkey.verify_dsa_asn1(txhash, signature):
stack.append(True)
else:
stack.append(False)
stack = []
run_script(list(tx2.txins[0].script), stack)
run_script(list(tx1.txout[0].script), stack)
print stack
import hashlib
import M2Crypto
import structures
#Transaction 2 uses an output from Transaction 1
#Transaction 1: http://blockexplorer.com/tx/945691940e0ccd9f526ee1edd57a77ce170804915749702f5564c49b1f70f330
#Transaction 2: http://blockexplorer.com/tx/ff954e099764d192c5bb531c9c14c18c230b0c0a63f02cd168a4ea94548c890f#i325189
tx1raw= '\x01\x00\x00\x00\x02\x0f{\x7f\xb8mL\xf6F\x05\x8eA\xd3\xb0\x07\x18?\xdfysn\xd1\x9b*th\xab\xc5\xbd\x04\xb1n\x91\x00\x00\x00\x00\x8cI0F\x02!\x00\xb2\xee9\xd2\xfc\xc2\xe5TJW\xc3\x0f{NI\xcf\xb8""fm\x03O\xb9\x0e"4\x8e\x17\xe2\x8e\x0f\x02!\x00\xdb\x91\xc3\x19\x9c\xc7\xb4\x1dMz\xfc\xe0\xcc\xb4\xce\xb4$\xb9GmQ\xc0aBX=\xafS\xce\n\x9bf\x01A\x04\xc3"\x15\xa9\t0\x11\xbd
tx1 = structures.Tx.deserialize(tx1raw)[0]
tx2 = structures.Tx.deserialize(tx2raw)[0]
#We're going to check that the first input of Tx2 is correctly redeemed
def run_script(script, stack):
while script:
opcode = ord(script.pop(0))
if opcode <= 75:
value = ""
for x in xrange(0, opcode):
value += script.pop(0)
stack.append(value)
elif opcode == 118:
#OP_DUP
stack.append(stack[-1])
elif opcode == 169:
#OP_HASH160
#The input is hashed twice: first with SHA-256 and then with RIPEMD-160.
value = stack.pop()
value = hashlib.sha256(value).digest()
ripemd = hashlib.new('ripemd160')
ripemd.update(value)
value = ripemd.digest()
stack.append(value)
elif opcode == 136:
#OP_EQUALVERIFY
v1 = stack.pop()
v2 = stack.pop()
if v1 != v2:
raise Exception()
elif opcode == 172:
#OP_CHECKSIG
#1. the public key and the signature are popped from the stack, in that order.
pubkey = stack.pop()
signature = stack.pop()
#2. A new subscript is created from the instruction from the most recent OP_CODESEPARATOR to the end of the script. If there is no OP_CODESEPARATOR the entire script becomes the subscript (hereby referred to as subScript)
#(we don't do the OP_CODESEPARATOR thing yet...)
subscript = tx1.txout[0].script
#3. the signature is deleted from subscript
subscript = subscript.replace(chr(len(signature)) + signature, "")
#4. The hashtype is removed from the last byte of the sig and stored
hashtype = signature[-1]
signature = signature[:-1]
#5. A deep copy is made of the current transaction (hereby referred to txCopy)
#(we do this by serializing and deserialing this transaction again...)
txCopy = structures.Tx.deserialize(tx2.serialize())[0]
#6. All OP_CODESEPARATORS are removed from subScript
#(we don't do this yet...)
#7. The scripts for all transaction inputs in txCopy are set to empty scripts
for txin in txCopy.txins:
txin.script = ""
#8. The script for the current transaction input in txCopy is set to subScript
#We're checking the first input
txCopy.txins[0].script = subscript
#An array of bytes is constructed from the serialized txCopy + four bytes for the hash type.
#This array is sha256 hashed twice, then the public key is used to to check the supplied
#signature against the hash.
#Load the public key. I have no idea what this magical string does...
pkey = pubkey[::-1] + "0042030a0004812b050601023dce48862a070610305630".decode("hex")
pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
#Serialize the transaction and add the hashtype to the end as an int
txhash = txCopy.serialize() + "\x01\x00\x00\x00"
#And sha256 it twice
txhash = hashlib.sha256(hashlib.sha256(txhash).digest()).digest()
if pkey.verify_dsa_asn1(txhash, signature):
stack.append(True)
else:
stack.append(False)
stack = []
run_script(list(tx2.txins[0].script), stack)
run_script(list(tx1.txout[0].script), stack)
print stack
This code needs structures.py which is my implementation of the (de)serialization of the various bitcoin messages.
The above script is really messy and more a quick proof-of-concept than anything else. Using it like that will be harmful for the bitcoin network as it is far from fully implemented and misses some small details.
The script checks that input 1 from this transaction is valid with the referenced transaction.
My biggest problem was with M2Crypto: it doesn't seem to implement o2i_ECPublicKey from openssl, which is used by bitcoin to set the public key. I also looked at using pyOpenssl and pycrypto, but it looks like neither of these libraries can handle elliptic curve cryptography...
To make M2Crypto work for this I had to use some magic, which I'm really not happy about:
Code:
pkey = pubkey[::-1] + "0042030a0004812b050601023dce48862a070610305630".decode("hex")
pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
As you can see, I need to add a fixed string in order to load the public key. Without this it fails to load it and I get an exception (ValueError: Received a NULL pointer.)pkey = M2Crypto.EC.pub_key_from_der(pkey[::-1])
This string I got by making new public/private key pairs with M2Crypto and printing them out: I noticed that this part is fixed and never changes. I assume this string defines the parameters used (NID_secp256k)
Anyways, I hope this is useful to someone. Feel free to use this code for anything, but keep in mind that it is horrible and needs lots of cleaning up.
And if anyone feels like improving it, go for it
Edit: I forgot to mention that this only validates standard transactions to another bitcoin address.
Jump to: