Can create Watch Only HD wallet with -hdwatchonly

[NicolasDorier]

The user creates a new wallet by running ./bitcoind -hdwatchonly=[ExtPubKey base58].

This make it possible to use methods like getnewaddress, fundrawtransaction and all normal wallet operations on a HD pubkey.

Software built on top of core which need to delegate signing operations to hardware wallet will have almost the same code as if signing was done by Core.

With the introduction of a standard for dealing with hardware wallet signing in the future, I expect that signrawtransaction will just delegate the signing to the hardware wallet.

In this way, there will be no code difference between software using third party solution for signing, and those just using core for signing.

I will use it in my own projects. My HW is giving me the ExtPubKey, and I want to use bitcoin core just for coin selection and tracking. I also did not wanted to break bunch of old code. Ping @jonasschnelli

EDIT: @saleemrashid built HW support for Bitcoin Core on https://github.com/saleemrashid/bitcoin/tree/hardware-wallet based on this PR

[jonasschnelli]

>=?

[jonasschnelli]

s/AddKey/AddWatchOnly/

[jonasschnelli]

I think returning false in case of isWatchOnly is confusing.
IMO better set the hasSecret boolean with another check of hdChain.isWatchOnly.

[NicolasDorier]

I can replace returns bool by void, and make the client responsible to test the validity of the returned Key.

But I fear that a new user would assume that DeriveNewKey always returns a valid CKey.

[jonasschnelli]

Yes. I once did a PR where we separate the key/pubkey records: #9298
I guess this would be the cleaner solution... but maybe later.

[jonasschnelli]

Concept ACK (will review in detail and test soon).
I think this is a great feature!
Together with #9662 this would allow better HWW/Cold-Storage interaction.

[laanwj]

The user create a new wallet by removing the old wallet.dat and running ./bitcoind -hdwatchonly=[ExtPubKey base58].

Instead of removing the wallet, it would also be possible to specify an alternative one with -wallet, I guess?

[luke-jr]

How does this work, considering that Core is exclusively hardened derivation right now? Or can it only watch non-Core wallets? O.o

[jonasschnelli]

How does this work, considering that Core is exclusively hardened derivation right now? Or can it only watch non-Core wallets? O.o

For the hd-watch-only default keypath, we should probably use Bip44.
This PR makes much more sense if we would have the flexible key path feature #8723

[NicolasDorier]

@luke-jr for watchonly hd I am using non hardened derivation. goal is to eventually combine with flexible path.

@laanwj yes. What I mean is that if you specify -hdwatchonly on an already existing wallet, you get an error at startup.

[NicolasDorier]

Travis error not related to this PR.

[jonasschnelli]

@NicolasDorier: I think in order to pass travis you need to add -hdwatchonly to the check doc script.

[NicolasDorier]

I added a commit to track P2PK as well. It would be the same behavior as normal wallet. However I am not sure it is the right approach as P2PK are obsolete. An attacker could disrupt service by sending a P2PK output, when the service does not expect it.

Also, what for P2WPKH ?

[NicolasDorier]

I am replicating the behavior of normal wallets, both p2pk and p2pkh are tracked.

The test is failing because I am testing wrong parameter usage, and there is no way in the test framework to assert an exception. Ping @MarcoFalke , same problem as reported by jonas on #9662

[MarcoFalke]

Is this additional optional arg required? I don't think this will ever be used.

Edit: I see you are doing it for consistency, so might be fine...

[NicolasDorier]

it is used by assert_start_raises_init_error

[MarcoFalke]

Oh, right. I missed the plural s.

[NicolasDorier]

I am at loss understanding why there is a permission denied on travis.... I thought I maybe did not had right to /dev/null, and tried to redirect stderr to stdout instead, but same problem. Any idea ?

[MarcoFalke]

Any idea

Try

chmod +x qa/rpc-tests/hdwatchonly.py

[NicolasDorier]

rebased, and cleaned up the commits for better review.

[saleemrashid]

As far as I understand, Bitcoin Core uses m/0'/0'/k' whereas BIP 44 uses m/0'/0/k and m/0'/1/k. It makes most sense for this PR to implement m/0/k (and, with #9294, m/1/k). This allows you to use an xpub derived from m/0' (or any other account) by your hardware wallet, for example.

However, this means that you are doing one less derivation than with xprv in Bitcoin Core. I don't think this is too much of an issue since m/0'/0'/k' is in no way compatible with m/0'/0/k anyway.

[NicolasDorier]

@saleemrashid very good point. Will make your change once #9294 is merged.

[jonasschnelli]

nit: CURRENT_VERSION = SUPPORT_WATCHONLY_VERSION.

[jonasschnelli]

To make this compatible with BIP44, can we not just use m as the BIP44 account key. No hardened derivation would then be involved and users could use their BIP44 xpub's to generate watchonlys.
The externalChainChildKey would then be m/0 (instead of m/0/0)

[saleemrashid]

@jonasschnelli #9728 (comment)

[jonasschnelli]

Ah.. Wasn't aware that @saleemrashid already pointed this out. Great.

[jonasschnelli]

IMO this constant (BIP32_NONHARDENED_KEY_LIMIT) is superfluous. Just use 0.

[jonasschnelli]

Also here, ... just use hdChain.nExternalChainCounter instead of hdChain.nExternalChainCounter | BIP32_NONHARDENED_KEY_LIMIT (no need to bitwise OR it with 0).

[jonasschnelli]

I think there is no way to verify the correctness of the derived pubkey?

[jonasschnelli]

Somehow this PR was crashing here because of

Assertion failed: (pubkey.size() == 33), function Encode, file pubkey.cpp, line 255.

It looks like that my tested tpub was non compressed? How is that even possible?
LLDB told me pubkey = (vch = unsigned char [65] @ 0x00007fd16736976c).

[jonasschnelli]

Wait... I was using the extended private key instead. Though, I guess it should not crash in this case.

[NicolasDorier]

How is it possible to get an extended private key here? if you provided a xpriv instead of xpub, it should have crashed at startup.

[jonasschnelli]

I used a tpriv which made this PR proceeding the hdwatchonly initialisation but then crashed at this point. Haven't looked into the details why the tpriv was accepted during init.

[NicolasDorier]

ah OK I know why... I do not verify the prefix

[NicolasDorier]

Issue fixed and tested

[jonasschnelli]

Hmm.. I think this is incorrect. I could load a xpub (mainnet) on regtest.
Shouldn't CBitcoinExtPubKey("<x|tpub>") do the check for the correct encoding according to the chainparams?

[jonasschnelli]

I got no warning when I started bitcoind again with a different -hdwatchonly=xpub.
Here there should be a check wether the wallet has already a watch-only xpub set, and if the user provides one, and it's different, it should warn or stop.

[NicolasDorier]

this is normally checked. Actually I am testing it on https://github.com/bitcoin/bitcoin/pull/9728/files#diff-08fcd10ff4d7d4f9f0249ba978b3b4d4R49 this is strange... actual check done on https://github.com/bitcoin/bitcoin/pull/9728/files#diff-b2bb174788c7409b671c46ccc86034bdR3731 can you verify that you did not made another mistake ?

[jonasschnelli]

This is a great PR. I really would like this to be in 0.15. It makes HWW signing much simpler and could be a pre-step for HWW support in Core.

[NicolasDorier]

I will rebase and pass on all your nits and better test/code the case where you pass a xpriv once #9294 get merged.

[NicolasDorier]

1. Removed the addition of CChainParams into InitLoadWallet
2. Correctly error if not passing an extpubkey with the right network
3. Testing hdwatchonly parsing

[NicolasDorier]

Rebased:

• Support internal addresses of #9294
• Using BIP44 friendly derivation @saleemrashid

[NicolasDorier]

Rebased @saleemrashid

[saleemrashid]

ACK

[instagibbs]

needs rebase, will review

[NicolasDorier]

rebased

[instagibbs]

Is there a way exposed to the user that their wallet is HD watch-only? Might be useful in getwalletinfo.

[NicolasDorier]

just added info in getwalletinfo. I sadly can't compile because of #10622 and it seems my travis build is queued and does not want to run.

[NicolasDorier]

Ok my blinded push passed @instagibbs . Added some info in getwalletinfo as suggested.

[instagibbs]

tACK, works as expected

[instagibbs]

Braces are the recommended code style, not sure why they're being removed.

[instagibbs]

Please add braces.

[instagibbs]

Perhaps move this into AddKeyPubKey

[instagibbs]

Message should be something like "Cannot specify new hdwatchonly on an already existing wallet"

[instagibbs]

"extended pubkey"

[instagibbs]

Please add braces for readability

Should you be using WriteIC like everywhere else?

[instagibbs]

suggested rewording:

"check for graceful failure due to any invalid hdwatchonly parameters"

[instagibbs]

s/was/has/

[NicolasDorier]

Thanks for the review @instagibbs I addressed your nits, can you re tACK once ?

[instagibbs]

re-tACK 067b117

[instagibbs]

We could actually also return the xpub in validateaddress as well...

[instagibbs]

Included the return in validateaddress here: instagibbs/bitcoin@b8e1316

Please feel free to take.

Using this PR "in production" with no issues.

[instagibbs]

I think we may need to generalize this check a bit more. If the script here is a multisig in which the watch-only wallet owns all the keys, this will return false since there is no hdKeypath.

Practically this means that spending 0-conf p2sh funds is a dicey experience that results in "Insufficient funds" responses sometimes.

Perhaps something like pwalletMain->IsHDWatchOnly(CScriptID& scriptID) to make this check, which accounts for this situation?

[instagibbs]

Since we're not even required to be backwards compatible, I think adding a new piece of key metadata fIsHDWatchOnly, and adding that during importaddress(or some new call) when all keys are hdwatchonly keys(or a mixture of watchonly and stored private keys?).

[NicolasDorier]

Does IsTrusted() returns ISMINE_SPENDABLE when for a multi sig output where we know all the keys when not hdwatchonly?

[instagibbs]

If you have the private keys, yes, because of check a few lines above.

[NicolasDorier]

So your goal is that importaddress scriptPubKeys should be considered trusted if we are in hdwatchonly mode ?

[instagibbs]

If we completely those addresses via hdwatchonly keys and/or privkeys, yes.

[instagibbs]

Currently in this mode you can import a privkey and spend unconfirmed outputs. Likewise you can spend unconfirmed hdwatchonly outputs. You cannot however spend a mixture of the two in a multisig, or pure hdwatchonly p2sh.

[NicolasDorier]

Rebased and included @instagibbs commit.

[instagibbs]

Not trying to completely sidetrack this PR, but this is for future PR consideration:

@NicolasDorier instagibbs/bitcoin@bb72d12

This is the implementation that works for unconfirmed p2sh multisig where all keys are mixture of imported privkeys and hdwatchonly. Pretty ugly though and quite special-cased. Longer-term I'd look to extend ISMINE instead to have a value which covers this consideration and make this whole IsTrusted logic much simpler.

[NicolasDorier]

I think making more general case with SPENDABLE_WATCHONLY is preferable.
I sadly don't have too much time these days, but I am interested into fixing it during 27-28.

[jtimon]

it seems like you are repeating yourself a little bit here. Perhaps a common function can be extracted to avoid some code duplication between this if and the next one?

[NicolasDorier]

I tried to think about this, but this was not as easy. I preferred keeping this way as it makes review easier: I did not touch what was already working.