[RPC] Fix addwitnessaddress by replacing ismine with producesignature #10788

pull achow101 wants to merge 1 commits into bitcoin:master from achow101:fix-addwitnessaddress changing 2 files +22 −13
  1. achow101 commented at 1:35 AM on July 11, 2017: member

    Instead of using ismine to check whether an address can be spent by us, make the witness version of the script or address first and then use ProduceSignature with the DummySignatureCreator to check if we can solve for the script.

    This is to fix cases where we don't have all of the private keys (for something like a multisig address) but have the redeemscript so we can witnessify it.

  2. achow101 renamed this:
    Replace ismine with producesignature check in witnessifier
    [RPC] Fix addwitnessaddress by replacing ismine with producesignature
    on Jul 11, 2017
  3. sipa commented at 7:40 AM on July 11, 2017: member

    Concept ACK, but you'll need to adapt the tests (there is a test in segwit.py which specifically tests for this behaviour).

  4. laanwj added the label RPC/REST/ZMQ on Jul 11, 2017
  5. achow101 commented at 2:48 AM on July 12, 2017: member

    @sipa I have adapted segwit.py to reflect the new behavior.

  6. jnewbery commented at 9:47 PM on July 12, 2017: member

    Travis failed on an unrelated call to encryptwallet() in wallet-dump.py: https://travis-ci.org/bitcoin/bitcoin/jobs/252653271 . I've restarted the job.

    (encryptwallet() causes the node to shutdown, so I guess there's a race between the node shutting down and responding to the RPC. That's unrelated to this PR and is something we should think about fixing independently)

  7. gmaxwell approved
  8. gmaxwell commented at 5:16 PM on July 18, 2017: contributor

    ACK.

  9. sipa commented at 5:51 PM on July 18, 2017: member

    @sdaftuar Would you mind reviewing this?

  10. sipa commented at 5:54 PM on July 18, 2017: member

    utACK db5cd10bbe1688a5e05e558d1323f8cab923567c, but needs squash before merge.

  11. in test/functional/segwit.py:464 in db5cd10bbe outdated 
     458 | @@ -459,13 +459,15 @@ def run_test(self):
 459 |          self.mine_and_test_listunspent(unsolvable_after_importaddress, 1)
 460 |          self.mine_and_test_listunspent(unseen_anytime, 0)
 461 |  
 462 | -        # addwitnessaddress should refuse to return a witness address if an uncompressed key is used or the address is
 463 | -        # not in the wallet
 464 | +        # addwitnessaddress should refuse to return a witness address if an uncompressed key is used
 465 |          # note that no witness address should be returned by unsolvable addresses
 466 |          # the multisig_without_privkey_address will fail because its keys were not added with importpubkey
    sdaftuar commented at 8:27 PM on July 19, 2017:

    This comment should be updated/removed.

  12. sdaftuar commented at 9:20 PM on July 19, 2017: member

    Seems like this is the right general direction to me (seems vastly simpler than what happens in IsMine()), though I have two concerns that I need to think more about before I can ACK:

    • The protection against accidentally allowing an uncompressed pubkey in a segwit script via addwitnessaddress has now moved from the logic in IsMine() to the VerifyScript() call at the end of ProduceSignature. First, I think that's generally surprising and I could imagine someone not understanding that it's important that we call VerifyScript at the end of ProduceSignature. But second, I think it's unexpected that the script flags passed to VerifyScript in ProduceSignature (which are just our regular policy script flags) are what we're relying on for this wallet behavior. The policy script flags are not something that generally affects our wallet, so I think it'd be unexpected if someone tweaked theirs and got different wallet behavior as a result.

    • Along the lines of the above, it seems like we could use some tests to ensure that IsMine() interacts with ProduceSignature() as expected. In the above example of someone tweaking their policy script flags (eg to turn off SCRIPT_VERIFY_WITNESS_PUBKEYTYPE) then I think you could get into a situation where you could add an address to your wallet that fails IsMine(). This is pretty edge-case, but I want to spend more time thinking about whether other kinds of inconsistencies could exist between IsMine() and this ProduceSignature(...) method.

  13. laanwj added this to the milestone 0.15.0 on Jul 25, 2017
  14. sipa commented at 12:37 AM on July 26, 2017: member

    @sdaftuar Would an explicit VerifyScript call (with consensus + compressed pubkey flags) after ProduceSignature help alleviate your concerns?

  15. Replace ismine with producesignature check in witnessifier
    Instead of using ismine to check whether an address can be spent by us,
make the witness version of the script or address first and then use
ProduceSignature with the DummySignatureCreator to check if we can
solve for the script.

Also fixes test cases to reflect this change.
    e222dc2aee
  16. achow101 force-pushed on Jul 27, 2017
  17. achow101 commented at 10:04 PM on July 27, 2017: member

    I have updated this with @sipa's suggestion and squashed.

  18. laanwj commented at 12:27 PM on August 1, 2017: member

    utACK e222dc2

  19. laanwj merged this on Aug 1, 2017
  20. laanwj closed this on Aug 1, 2017
  21. laanwj referenced this in commit f66c596505 on Aug 1, 2017
  22. achow101 deleted the branch on Aug 29, 2017
  23. MarcoFalke locked this on Sep 8, 2021
Contributors
achow101sipajnewberygmaxwellsdaftuarlaanwj
Labels
RPC/REST/ZMQ

Milestone
0.15.0

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me