wallet: Enforce security boundary in ScriptForOutput

yyforyongyu · yyforyongyu · commit 0f526b59081e · 2025-11-05T17:46:36.000+08:00
The ScriptForOutput function previously returned a
`waddrmgr.ManagedPubKeyAddress`. This interface includes a `PrivKey()`
method, which meant that a component designed for managing public
address information (the AddressManager) was leaking an object that
could be used to access private keys. This is a leaky abstraction and
violates the principle of separation of concerns.

This commit refactors ScriptForOutput to return the more general
`waddrmgr.ManagedAddress` interface instead. This interface does not
provide access to private key material.

This change enforces a clean architectural boundary between the
AddressManager (responsible for public data) and the Signer (responsible
for private key operations). The Signer is now the sole component
responsible for retrieving and using private keys, which is its intended
role. This improves the security posture and clarity of the API.
diff --git a/wallet/address_manager.go b/wallet/address_manager.go
@@ -41,11 +41,9 @@ var (
 	ErrImportedAccountNoAddrGen = errors.New("addresses cannot be " +
 		"generated for the default imported account")
 
-	// ErrNotPubKeyAddress is an error returned when a function requires a
-	// public key address, but a different type of address is provided.
-	ErrNotPubKeyAddress = errors.New(
-		"address is not a p2wkh or np2wkh address",
-	)
+	// ErrUnableToExtractAddress is returned when an address cannot be
+	// extracted from a pkscript.
+	ErrUnableToExtractAddress = errors.New("unable to extract address")
 
 	// errStopIteration is a special error used to stop the iteration in
 	// ForEachAccountAddress.
@@ -65,7 +63,7 @@ type AddressProperty struct {
 // Script represents the script information required to spend a UTXO.
 type Script struct {
 	// Addr is the managed address of the UTXO.
-	Addr waddrmgr.ManagedPubKeyAddress
+	Addr waddrmgr.ManagedAddress
 
 	// WitnessProgram is the witness program of the UTXO.
 	WitnessProgram []byte
@@ -691,20 +689,28 @@ func (w *Wallet) ImportTaprootScript(_ context.Context,
 //   - The operation is dominated by the database lookup for the address, which
 //     is typically fast (O(log N) or O(1) with indexing). The script
 //     generation is a constant-time operation.
-func (w *Wallet) ScriptForOutput(_ context.Context, output wire.TxOut) (
+func (w *Wallet) ScriptForOutput(ctx context.Context, output wire.TxOut) (
 	Script, error) {
 
-	// First make sure we can sign for the input by making sure the script
-	// in the UTXO belongs to our wallet and we have the private key for it.
-	walletAddr, err := w.fetchOutputAddr(output.PkScript)
+	// First, we'll extract the address from the output's pkScript.
+	addr := extractAddrFromPKScript(output.PkScript, w.chainParams)
+	if addr == nil {
+		return Script{}, fmt.Errorf("%w: from pkscript %x",
+			ErrUnableToExtractAddress, output.PkScript)
+	}
+
+	// We'll then use the address to look up the managed address from the
+	// database.
+	managedAddr, err := w.AddressInfo(ctx, addr)
 	if err != nil {
-		return Script{}, err
+		return Script{}, fmt.Errorf("unable to get address info "+
+			"for %s: %w", addr.String(), err)
 	}
 
-	pubKeyAddr, ok := walletAddr.(waddrmgr.ManagedPubKeyAddress)
+	pubKeyAddr, ok := managedAddr.(waddrmgr.ManagedPubKeyAddress)
 	if !ok {
-		return Script{}, fmt.Errorf("%w: %s", ErrNotPubKeyAddress,
-			walletAddr.Address())
+		return Script{}, fmt.Errorf("%w: addr %s",
+			ErrNotPubKeyAddress, managedAddr.Address())
 	}
 
 	var (
@@ -715,7 +721,7 @@ func (w *Wallet) ScriptForOutput(_ context.Context, output wire.TxOut) (
 	switch {
 	// If we're spending p2wkh output nested within a p2sh output, then
 	// we'll need to attach a sigScript in addition to witness data.
-	case walletAddr.AddrType() == waddrmgr.NestedWitnessPubKey:
+	case managedAddr.AddrType() == waddrmgr.NestedWitnessPubKey:
 		pubKey := pubKeyAddr.PubKey()
 		pubKeyHash := btcutil.Hash160(pubKey.SerializeCompressed())
 
@@ -753,7 +759,7 @@ func (w *Wallet) ScriptForOutput(_ context.Context, output wire.TxOut) (
 	}
 
 	return Script{
-		Addr:           pubKeyAddr,
+		Addr:           managedAddr,
 		WitnessProgram: witnessProgram,
 		RedeemScript:   sigScript,
 	}, nil
diff --git a/wallet/deprecated.go b/wallet/deprecated.go
@@ -3,6 +3,7 @@ package wallet
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/btcsuite/btcd/btcutil"
 	"github.com/btcsuite/btcd/chaincfg/chainhash"
@@ -167,7 +168,14 @@ func (w *Wallet) ScriptForOutputDeprecated(output *wire.TxOut) (
 		return nil, nil, nil, err
 	}
 
-	return script.Addr, script.WitnessProgram, script.RedeemScript, nil
+	addr := script.Addr
+	pubKeyAddr, ok := addr.(waddrmgr.ManagedPubKeyAddress)
+	if !ok {
+		return nil, nil, nil, fmt.Errorf("%w: addr %s",
+			ErrNotPubKeyAddress, addr.Address())
+	}
+
+	return pubKeyAddr, script.WitnessProgram, script.RedeemScript, nil
 }
 
 // ComputeInputScript generates a complete InputScript for the passed
