[WIP] External signer support (e.g. hardware wallet) #14912

This PR lets bitcoind to call an arbitrary command -signer=<cmd>, e.g. a hardware wallet driver, where it can fetch public keys, ask to display an address, and sign a PSBT.

It's design to work with https://github.com/bitcoin-core/HWI, which supports multiple hardware wallets. Any command with the same arguments and return values will work. It simplifies the manual procedure described here.

Usage is documented in doc/external-signer.md, which also describes what protocol a different signer binary should conform to.

It adds the following RPC methods:

• enumeratesigners: asks <cmd> for a list of signers (e.g. devices) and their master key fingerprint
• signerfetchkeys (needs https://github.com/bitcoin-core/HWI/pull/137): asks <cmd> for descriptors and then fills the keypool (no private keys)
• signerdisplayaddress <address>: asks <cmd> to display an address
• signerprocesspsbt <psbt> to send the <psbt> to <cmd> to sign and wait for the result

Usage TL&DR:

• clone HWI repo somewhere and launch bitcoind -signer=../HWI/hwi.py
• create wallet without private keys: bitcoin-cli createwallet hww true
• list hardware devices: bitcoin-cli enumeratesigners
• fetch keys from hardware device into the wallet: bitcoin-cli -rpcwallet=hww signerfetchkeys
• display address on device, sign transaction: see doc/external-signer.md

For easier review, this builds on the following PRs:

• #15382: add runCommandParseJSON
• #15590 Descriptor: add GetAddressType() and IsSegwit()

Potentially useful followups:

• #15876: signer send and bumpfee conveniance methods
• #16528: descriptor based wallets (to preserve BIP44/49/84 compatibility with mixed address types)
• (automatically) verify (a subset of) keys on the device after import, through message signing

Now that #14491 has been rebased, the hww branch I'm building off should also soon be rebased. At that point I can rebase and make Travis happy. In addition, I'll be able to leverage #14646 to clean up my descriptor related code (I'm currently using string concatenation to build descriptors). I have a few other spring cleaning items on my todo list too.

See also the wallet meeting notes.

<!--e57a25ab6845829454e8d69fc972939a-->

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

<!--174a7506f384e20aa4161008e828411d-->

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #16542 (Return more specific errors about invalid descriptors by achow101)
• #16539 ([wallet] lower -txmaxfee default from 0.1 to 0.01 BTC by Sjors)
• #16528 ([WIP] Native Descriptor Wallets (take 2) by achow101)
• #16365 (Log RPC parameters (arguments) if -debug=rpcparams by LarryRuane)
• #16341 (Introduce ScriptPubKeyMan interface and use it for key and script management (aka wallet boxes) by achow101)
• #16273 (refactor: Remove unused includes by practicalswift)
• #15876 ([rpc] signer send and fee bump convenience methods by Sjors)
• #15529 (Add Qt programs to msvc build (updated, no code changes) by sipsorcery)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Great work! I think the signer API (calling an external script/application) seems fine. We should make sure all calls are non-blocking sync it could be, that the signer application has a GUI and requires user interaction on all non-obvious commands like "displayaddress". Also, the device could require initialisation which could be triggered by a first display/sign command.

@jonasschnelli I have a idea on how to allow asynchronous interaction. That also makes sense if you're using an online service with a 48 hour cool down period.

The signtransaction command (called by processpsbt in this PR) could take an optional ephemeral public key argument. The commands then immediately returns with a UUID and a timestamp for when the client should come back. We could then add a polltransaction command which takes the UUID and returns the encrypted transaction (or nothing), encrypted using the ephemeral public key. This would involve making the wallet aware of pending transactions, and perhaps an additional RPC call like walletprocesspendingtransactions.

Device initialization could be a new RPC call, and other calls would just throw an error if not initialized. The enumeratesigners call can return more information about the device, such as the initialization status.

I added a signersend RPC method which Just Works(tm) by combining the functionality of walletcreatefundedpsbt, signerprocesspsbt, finalizepsbt and sendrawtransaction. Updated the documentation.

Addressed some of the nits. Still much to improve in terms of code quality, and I'm waiting on multiple upstream pull requests.

The most useful review at this point is to test the workflow. In addition, feedback on runCommandParseJSON() is welcome.

Some things I plan to work on next:

1. Create wallet/rpcsigner.cpp and move the various functions there; wallet/rpcwallet.cpp and src/rpc/rpcdump.cpp are already big enough
2. Clean up the way I made sendrawtransaction reusable (I just noticed #14978 already does that)
3. Incorporate #14978 (reusable PSBT code, I might wait for that to be merged)
4. Similar to #14978, find a way to make this code reusable, so I can build GUI support in a followup PR

Rebased on the latest hww branch. Moved a bunch of things to wallet/rpcsigner.cpp. @ken2812221 any idea how I can make AppVeyor happy? My guess is that it doesn't like runCommandParseJSON() in system.cpp

<img width="899" alt="schermafbeelding 2019-01-19 om 19 08 39" src="https://user-images.githubusercontent.com/10217/51430571-a5a20980-1c1d-11e9-87b4-f4dab92e4dc3.png">

• updated to incorporate the latest changes in https://github.com/achow101/HWI/pull/73 and https://github.com/achow101/bitcoin/tree/hww
• added (BIP32) account argument to signerfetchkeys (will add custom descriptor arguments later)
• using RPCHelpMan (surviving the Travis linter again)
• using inferred descriptor for signerdisplayaddress
• included commits from #14978 to clean up PSBT & sendrawtransaction stuff (and fix Travis)
• added the most important remaining todo's to the PR description

I changed signerfetchkeys to use getxpub instead of getkeys. You can now use the master branch of HWI, except for displayaddress.

I'll deal with the rebase once a bit more upstream stuff is merged.

Conceptually, I think we should initially create the option to allow a wallet to contain a main descriptor (main xpub). The scripts may be derived in-mem only during wallet load. If a form of "getnewaddress" (receive address) (child-pub-key-derviation) is supported, the wallet may want to remain the used child key indexes for the metadata storage rather than the pubkeyhash.

Time for a big rebase 🎉

Giant rebase done! I created separate pull request for a number of commits in order to keep discussion a bit focussed here. Please check the list at the bottom of the PR description before commenting.

There's still two significant todo's (plus cleanup) before this is really read for review, but more high level feedback is always welcome:

1. A way to construct descriptors from code, to get rid of the string concatenation mess in signerfetchkeys (separate PR)
2. Have the device sign one or more messages using the keys after importing with signerfetchkeys

Rebased! I changed signerfetchkeys to call hwi.py getdescriptors (https://github.com/bitcoin-core/HWI/pull/137).

#15713 adds a broadcastTransaction() chain interface method which is required here, so would remove one of the commits from this PR.

I don't understand why users would apparently need to use new RPCs to achieve the same things they can already do?

@luke-jr that's true for enumerate which does exactly the same as hwi.py enumerate. But fetching keys, sending transactions and (as a followup) doing RBF is very tedious without these RPC methods. The same goes for generating a new receive address in the wallet and displaying it on the device.

The longer term goal is to get this functionality in the GUI, so I also see the RPC as a foundation for that (combined with making RPC code more reusable in general). It's also much easier to write RPC tests than GUI tests.

I cleaned up signerfetchkeys a bit. It now takes advantage of (still to be discussed) #15590 Descriptor->IsSegWit() and Descriptor->GetAddressType() to pick the right descriptor for the given -addresstype and -changetype.

The RPC documentation warns the user not switch address types for the wallet (due to BIP44/49/84 interoperability), though in the long run native descriptor wallets provide better protection, by making keypool topup unnecessary.

It can now also topup the keypool, though the user needs to specify the range.

Instead of adding more complexity into the core wallet, shouldn't all this logic be handled externally? For example: I was envisioning importing all of your hw wallet keys into core. When you want to spend you would just ask core to give you a partially signed transaction from some of your unspent outputs.

I guess I'm confused as to why you would need core to call some external signer when PSBTs already support that use case?

Rebased and dropped signersend from this PR, moved it to #15876 (which also contains fee bump support).

I'm considering rebasing* this on top of #16341 (aka "box"), by introducing a ExternalSignerScriptPubKeyMan. It can be make a bit safer in the process.

1. move all of externalsigner.{h,cpp} into a ExternalSignerScriptPubKeyMan
2. Get rid of signerfetchkeys RPC; createwallet and keypoolrefill cover this
3. SetupGeneration: this would call getdescriptors on the device at wallet creation time. The BIP32 account number could be passed as on option to createwallet. Wallet creation will fail if it can't fetch keys.
4. TopUp will also call getdescriptors on the device, with a higher range. This will become unecessary with native wallet descriptors. In practice with a keypool size of 1000 this is not a big inconvenience. The current behavior of GetReservedDestination calling TopUp needs to go away.
5. add a feature flag that this wallet should use ExternalSignerScriptPubKeyMan
6. store the device fingerprint in the wallet metadata at creation time, so enumeratesigners is unnecessary after wallet creation
7. allow only a single OutputType, store it and refuse getnewaddress for different types. This is necessary to remain compatible with BIP44/49/84, which requires a different derivation path per output type. This can be relaxed with native descriptor wallets, see also #15590.
8. The current flow of calling enumeratesigners on an existing wallet won't do anymore, because we already need to know the signer at createwallet time. Instead enumeratesigners could work without a wallet and not store the result anywhere. When creating a wallet it will just use the first available result from enumeratesigners unless a fingerprint option is provided.
9. signerdisplayaddress remains unchanged
10. signerprocesspsbt can be melted into processpsbt thanks to the feature flag

* = later though, I'd rather not have a PR with 110 commits

Rebased now that #15911 is merged. Dropped a few commits that should have been in #15876 and aren't needed anyway after #15713. Removed the need for the unit test to add private keys to the keypool (closing #15414).

I'll keep this and the convenience methods in #15876 up to date and work on a "boxed" version in a separate PR.

Here's a simple rebase on top of a native descriptor wallet #16528 (benefit: gives access to full BIP44/49/84 address tree): https://github.com/Sjors/bitcoin/tree/2019/08/hww-box

Closing in favor of the native descriptor edition in #16546.