wallet: Pass in transactions and messages for signing instead of exporting the private keys

achow101 commented at 5:23 am on February 11, 2020: member

Following #17261, the way to sign transactions, PSBTs, and messages was to use GetSigningProvider() and get a SigningProvider containing the private keys. However this may not be feasible for future ScriptPubKeyMans, such as for hardware wallets. Instead of exporting a SigningProvider containing private keys, we need to pass these things into the ScriptPubKeyMan (via CWallet) so that they can do whatever is needed internally to sign them. This is largely a refactor as the logic of processing transactions, PSBTs, and messages for is moved into LegacyScriptPubKeyMan and CWallet instead of being handled by the caller (e.g. signrawtransaction).

To help with this, I’ve refactored the 3(!) implementations of a SignTransaction() function into one generic one. This function will be called by signrawtransactionwithkey and LegacyScriptPubKeyMan::SignTransaction(). CWallet::CreateTransaction() is changed to call CWallet::SignTransaction() which in turn, calls LegacyScriptPubKeyMan::SignTransaction(). Other ScriptPubKeyMans may implement SignTransaction() differently.

FillPSBT() is moved to be a member function of CWallet and the psbtwallet.cpp/h files removed. It is further split so that CWallet handles filling the UTXOs while the ScriptPubKeyMan handles adding keys, derivation paths, scripts, and signatures. In the end LegacyScriptPubKeyMan::FillPSBT still calls SignPSBTInput, but the SigningProvider is internal to LegacyScriptPubKeyMan. Other ScriptPubKeyMans may do something different.

A new SignMessage() function is added to both CWallet and ScriptPubKeyMan. Instead of having the caller (i.e. signmessage or the sign message dialog) get the private key, hash the message, and sign, ScriptPubKeyMan will now handle that (CWallet passes through to the ScriptPubKeyMans as it does for many functions). This signing code is thus consolidated into LegacyScriptPubKeyMan::SignMessage(), though other ScriptPubKeyMans may implement it differently. Additionally, a SigningError enum is introduced for the different errors that we expect to see from SignMessage().

Lastly, GetSigningProvider() is renamed to GetPublicSigningProvider(). It will now only provide pubkeys, key origins, and scripts. LegacySigningProvider has it’s GetKey and HaveKey functions changed to only return false. Future implementations should return HidingSigningProviders where private keys are hidden.

Other things like dumpprivkey and dumpwallet are not changed because they directly need and access the LegacyScriptPubKeyMan so are not relevant to future changes.

fanquake added the label Wallet on Feb 11, 2020

DrahtBot commented at 5:47 am on February 11, 2020: member

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

#17938 (Disallow automatic conversion between disparate hash types by Empact)
#17211 (Allow fundrawtransaction and walletcreatefundedpsbt to take external inputs by achow101)
#16910 (wallet: reduce loading time by using unordered maps by achow101)
#16549 ([WIP] UI external signer support (e.g. hardware wallet) by Sjors)
#16546 ([WIP] External signer support - Wallet Box edition by Sjors)
#16528 (Native Descriptor Wallets using DescriptorScriptPubKeyMan by achow101)
#16440 (BIP-322: Generic signed message format by kallewoof)
#12911 (wallet: Show fee in results for signrawtransaction* for segwit inputs by kallewoof)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

achow101 force-pushed on Feb 11, 2020

fanquake renamed this:
~~[wallet] Pass in transactions and messages for signing instead of exporting the private keys~~
wallet: Pass in transactions and messages for signing instead of exporting the private keys
on Feb 12, 2020

Sjors commented at 8:57 am on February 12, 2020: member

@kallewoof may find this interesting too in light of BIP-322 (Generic signed message format) #16440

in src/rpc/rawtransaction_util.h:27 in 0eb285f714 outdated

23@@ -24,6 +24,7 @@ class SigningProvider;
24  * @param result         JSON object where signed transaction results accumulate
25  */
26 void SignTransaction(CMutableTransaction& mtx, const SigningProvider* keystore, const std::map<COutPoint, Coin>& coins, const UniValue& hashType, UniValue& result);
27+void MakeSignTransactionResult(CMutableTransaction& mtx, bool complete, const std::map<COutPoint, Coin>& coins, std::map<int, std::string>& input_errors, UniValue& result);

Sjors commented at 9:20 am on February 12, 2020:

In 0eb285f7146ae9beec3a19829cc4420ad9f251ae, this trips up AppVeyor:

0:\projects\bitcoin\src\rpc\rawtransaction_util.h(27,132): error C2039: 'string': is not a member of 'std' [C:\projects\bitcoin\build_msvc\libbitcoin_common\libbitcoin_common.vcxproj]
163C:\projects\bitcoin\src\rpc\rawtransaction_util.h(27,138): error C2065: 'string': undeclared identifier [C:\projects\bitcoin\build_msvc\libbitcoin_common\libbitcoin_common.vcxproj]
264C:\projects\bitcoin\src\rpc\rawtransaction_util.h(27,118): error C2923: 'std::map': 'string' is not a valid template type argument for parameter '_Ty' [C:\projects\bitcoin\build_msvc\libbitcoin_common\libbitcoin_common.vcxproj]
365C:\projects\bitcoin\src\rpc\rawtransaction_util.h(27,138): fatal error C1903: unable to recover from previous error(s); stopping compilation [C:\projects\bitcoin\build_msvc\libbitcoin_common\libbitcoin_common.vcxproj]

Sjors commented at 9:40 am on February 12, 2020:

Maybe rename it to SignTransactionResultToJSON().

achow101 commented at 5:35 pm on February 12, 2020:

Fixed (I think) and renamed

in src/qt/signverifymessagedialog.cpp:146 in e4714e05ca outdated

146+    QString error;
147+    switch (err) {
148+        case SigningError::OK:
149+            error = tr("No error");
150+        case SigningError::PRIVATE_KEY_NOT_AVAILABLE:
151+            error = tr("Private key for the entered address is not available.");

vasild commented at 9:34 am on February 12, 2020:

Missing break;?

Sjors commented at 10:31 am on February 12, 2020:

Also these strings can be obtained fromSigningErrorString in error.cpp (the wording here seems better)

achow101 commented at 5:20 pm on February 12, 2020:

The strings from SigningErrorString won’t be translated (we don’t translate things for RPC), so that logic had to be duplicated here. Also, the strings are different to maintain compatibility.

achow101 commented at 5:34 pm on February 12, 2020:

Added the breaks in.

in src/script/sign.cpp:497 in 0eb285f714 outdated

492+
493+        UpdateInput(txin, sigdata);
494+
495+        // amount must be specified for valid segwit signature
496+        if (amount == MAX_MONEY && !txin.scriptWitness.IsNull()) {
497+            input_errors[i] = "Missing amount";

Sjors commented at 9:47 am on February 12, 2020:

In 0eb285f7146ae9beec3a19829cc4420ad9f251ae this seems a bit brittle: input_errors[i] = "Missing amount"; (which is then matched by string to throw an exception later). But at least this error message is covered by rpc_rawtransaction.py

achow101 commented at 5:07 pm on February 12, 2020:

It is brittle, and I’m not sure why only that error specifically throws an exception. But keeping it for compatibility.

vasild commented at 9:51 am on February 12, 2020: member

https://github.com/achow101/bitcoin/blob/e4714e0/src/rpc/misc.cpp#L340 still calls the old signing code key.SignCompact(); directly. Maybe that needs to be updated to also use the newly added function SignMessage()?

in src/script/sign.cpp:505 in 0eb285f714 outdated

500+
501+        ScriptError serror = SCRIPT_ERR_OK;
502+        if (!VerifyScript(txin.scriptSig, spk, &txin.scriptWitness, STANDARD_SCRIPT_VERIFY_FLAGS, TransactionSignatureChecker(&tx_const, i, amount), &serror)) {
503+            if (serror == SCRIPT_ERR_INVALID_STACK_OPERATION) {
504+                // Unable to sign input and verification failed (possible attempt to partially sign).
505+                input_errors[i] = "Unable to sign input, invalid stack size (possibly missing key)";

Sjors commented at 9:52 am on February 12, 2020:

This is a good time to add tests for the three error strings used here (SCRIPT_ERR_INVALID_STACK_OPERATION, SCRIPT_ERR_SIG_NULLFAIL, else). Not sure how though.

in src/wallet/wallet.cpp:2428 in e496e29816 outdated

2440-        nIn++;
2441+bool CWallet::SignTransaction(CMutableTransaction& tx, const std::map<COutPoint, Coin>& coins, int sighash, std::map<int, std::string>& input_errors) const
2442+{
2443+    // Sign the tx with ScriptPubKeyMans
2444+    bool result = false;
2445+    for (const auto& spk_man_pair : m_spk_managers) {

Sjors commented at 10:06 am on February 12, 2020:

In e496e2981699ac2938b74297d9b0bce355d26ad8 Implement CWallet::SignTransaction using ScriptPubKeyMan::SignTransaction at // Sign the tx with ScriptPubKeyMans, check CanProvide() first?

achow101 commented at 6:56 pm on February 12, 2020:

I’ve updated it to use GetScriptPubKeyMan which calls CanProvide

This change is slightly more complex but it does reduce the number of repeated signings.

in src/wallet/wallet.cpp:2429 in e496e29816 outdated

2441+bool CWallet::SignTransaction(CMutableTransaction& tx, const std::map<COutPoint, Coin>& coins, int sighash, std::map<int, std::string>& input_errors) const
2442+{
2443+    // Sign the tx with ScriptPubKeyMans
2444+    bool result = false;
2445+    for (const auto& spk_man_pair : m_spk_managers) {
2446+        result |= spk_man_pair.second->SignTransaction(tx, coins, sighash, input_errors);

Sjors commented at 10:08 am on February 12, 2020:

The way input_errors are set, if there are multiple matching ScriptPubKeyMans* they would override each-others results. The last commit e4714e05ca9f3000384f9ed8f44e91a485f88bee clears the error for any given input, but only if SPKman SignTransaction() returns true, which requires all input errors to be empty, so that seems useless. At minimum this is confusing.

* = not the case with legacy, and in practice shouldn’t happen with descriptor wallets, but that’s not enforced

achow101 commented at 5:14 pm on February 12, 2020:

The expectation is that all of the errors will be the same across all failed ScriptPubKeyMans because they don’t have the private keys. The ScriptPubKeyMan which fully signs an input will clear the error for that input. This clearing is not dependent on input_errors.empty().

in src/wallet/wallet.cpp:2466 in a90a98c3aa outdated

2486-        if (!provider) {
2487-            complete = false;
2488-            continue;
2489+    // Fill in information from ScriptPubKeyMans
2490+    for (const auto& spk_man_pair : m_spk_managers) {
2491+        TransactionError res = spk_man_pair.second->FillPSBT(psbtx, sighash_type, sign, bip32derivs);

Sjors commented at 10:20 am on February 12, 2020:

In a90a98c3aa90ed4dc4f995fac0859e58f177a79a under // Fill in information from ScriptPubKeyMans, add CanProvide()?

achow101 commented at 6:56 pm on February 12, 2020:

I’ve updated it to use GetScriptPubKeyMan which calls CanProvide

This change is slightly more complex but it does reduce the number of repeated signings.

in src/wallet/scriptpubkeyman.cpp:526 in a90a98c3aa outdated

521+        // Get the Sighash type
522+        if (sign && input.sighash_type > 0 && input.sighash_type != sighash_type) {
523+            return TransactionError::SIGHASH_MISMATCH;
524+        }
525+
526+        // Get the scriptPubKey to know which SigningProvider to use

Sjors commented at 10:26 am on February 12, 2020:

In a90a98c3aa90ed4dc4f995fac0859e58f177a79a: this comment is outdated, because you’re no longer calling GetSigningProvider(script, sigdata). Also the CScript script below is not used.

achow101 commented at 5:36 pm on February 12, 2020:

Fixed the comment and simplified this block to just check for correct non_witness_utxo or continue if there is no utxo.

in src/wallet/scriptpubkeyman.h:218 in e4714e05ca outdated

216     virtual bool CanProvide(const CScript& script, SignatureData& sigdata) { return false; }
217 
218+    /** Creates new signatures and adds them to the transaction. Returns whether all inputs were signed */
219+    virtual bool SignTransaction(CMutableTransaction& tx, const std::map<COutPoint, Coin>& coins, int sighash, std::map<int, std::string>& input_errors) const { return false; }
220+    /** Sign a message with the given script */
221+    virtual SigningError SignMessage(const std::string& message, const PKHash& pkhash, std::string& str_sig) const { return SigningError::OK; };

vasild commented at 10:35 am on February 12, 2020:

It would be better to return some error from here (like the neighboring methods do). In case somebody forgets to override this method, it would be unexpected to return OK and leave the output str_sig unmodified.

Maybe even use a pure virtual method ...str_sig) const = 0; to cause a compilation error if somebody forgets to override SignMessage(). I checked that:

it compiles if changed to pure virtual and
it does not compile if changed to pure virtual and the LegacyScriptPubKeyMan child class forgets to override SignMessage().

achow101 commented at 5:35 pm on February 12, 2020:

Changed it to return SigningError::SIGNING_FAILED. I’m avoiding pure virtual functions in ScriptPubKeyMan because there is no requirement for every ScriptPubKeyMan to implement every function.

Sjors commented at 10:51 am on February 12, 2020: member

Concept ACK. I roughly reviewed code for e4714e05ca9f3000384f9ed8f44e91a485f88bee and left some comments.

0eb285f7146ae9beec3a19829cc4420ad9f251ae Refactor rawtransaction's SignTransaction into generic SignTransaction function would be easier to review (--color-moved=dimmed-zebra -w) if you renamed the variables in separate commit.

It may be better to combine 4595326628bd4c91c753e923535178fca9ade2fd with be7991f63de2c0cce7d1e622a6ee12dd8f7204c9 so the signing code is moved, rather than just appear (though it’s short enough to compare manually).

Lastly, GetSigningProvider() is renamed to GetPublicSigningProvider(). It will now only provide pubkeys, key origins, and scripts. LegacySigningProvider has it’s GetKey and HaveKey functions changed to only return false. Future implementations should return HidingSigningProviders where private keys are hidden.

This bit is fairly confusing.

This PR is fairly large, and only deduplicates a subset of @vasild’s #17577 (only what’s needed to move forward with the wallet refactor). I didn’t study this other PR in detail, but if it’s possible to build on top of that, it would split the review burden and remove more duplication.

achow101 force-pushed on Feb 12, 2020

achow101 commented at 5:53 pm on February 12, 2020: member

0eb285f Refactor rawtransaction's SignTransaction into generic SignTransaction function would be easier to review (--color-moved=dimmed-zebra -w) if you renamed the variables in separate commit.

I’ve undone the renames.

It may be better to combine 4595326 with be7991f so the signing code is moved, rather than just appear (though it’s short enough to compare manually).

Squashed them together.

Lastly, GetSigningProvider() is renamed to GetPublicSigningProvider(). It will now only provide pubkeys, key origins, and scripts. LegacySigningProvider has it’s GetKey and HaveKey functions changed to only return false. Future implementations should return HidingSigningProviders where private keys are hidden.

This bit is fairly confusing.

How so? I’m just saying that GetPublicSigningProvider() will just return a SigningProvider where GetKey() and HaveKey() will fail.

This PR is fairly large, and only deduplicates a subset of @vasild’s #17577 (only what’s needed to move forward with the wallet refactor). I didn’t study this other PR in detail, but if it’s possible to build on top of that, it would split the review burden and remove more duplication.

I’ll take a look at that.

https://github.com/achow101/bitcoin/blob/e4714e0/src/rpc/misc.cpp#L340 still calls the old signing code key.SignCompact(); directly. Maybe that needs to be updated to also use the newly added function SignMessage()?

Done

achow101 force-pushed on Feb 12, 2020

in src/util/error.h:37 in 01839f3797 outdated

33@@ -34,6 +34,14 @@ enum class TransactionError {
34 
35 std::string TransactionErrorString(const TransactionError error);
36 
37+enum class SigningError {

kallewoof commented at 10:52 am on February 13, 2020:

SigningResult seems more friendly, considering this can be OK.

achow101 commented at 1:23 am on February 14, 2020:

Renamed to SigningResult

kallewoof commented at 11:33 am on February 13, 2020: member

Looked at code a bit, but not extensively.

The SignMessage for each scriptpubman is a step backwards considering BIP322 will unify these all into a single place. It would be great if you reviewed that PR (if you already have, and still feel this is the right approach, I’d love to know why).

I’ll review/test this PR as well and comment more generally but wanted to put this out there now.

kallewoof commented at 1:08 pm on February 13, 2020: member

I am trying to merge BIP322 #16440 on top of this, and am running into an issue demonstrated by the below patch:

 0diff --git a/src/wallet/rpcwallet.cpp b/src/wallet/rpcwallet.cpp
 1index bde8a6099..dde7819fa 100644
 2--- a/src/wallet/rpcwallet.cpp
 3+++ b/src/wallet/rpcwallet.cpp
 4@@ -559,6 +559,14 @@ static UniValue signmessage(const JSONRPCRequest& request)
 5     }
 6
 7     const PKHash *pkhash = boost::get<PKHash>(&dest);
 8+
 9+    auto provider = pwallet->GetPublicSigningProvider(GetScriptForDestination(dest));
10+    auto keyid = GetKeyForDestination(*provider, dest);
11+    CKey secret;
12+    if (!provider->GetKey(keyid, secret)) {
13+        assert(0);
14+    }
15+
16     if (!pkhash) {
17         throw JSONRPCError(RPC_TYPE_ERROR, "Address does not refer to key");
18     }

The above code hits the assert. I.e. despite getting a signing provider for the destination, it still fails to get the key. This code (i.e. getting signing provider and then getting privkey from that) in current master.

achow101 commented at 3:40 pm on February 13, 2020: member

The SignMessage for each scriptpubman is a step backwards considering BIP322 will unify these all into a single place. It would be great if you reviewed that PR (if you already have, and still feel this is the right approach, I’d love to know why).

You can still have the message signing code unified to a single place, and in fact, this PR does that (it consolidates the signmessage RPC and the Sign Message dialog signing implementations). Each ScriptPubKeyMan can still call that single unified function from within it’s own SignMessage function. But each one having it’s own SignMessage also allows us to implement it differently depending on the ScriptPubKeyMan. In particular, for hardware wallets, we can’t use the unified SignMessage function because that would require producing a SigningProvider containing private keys, which is not possible for hardware wallets. In order to sign anything with hardware wallets, we need to pass in the thing to be signed to the device and let it handle the signing rather than signing it ourselves.

This change means that a future HardwareScriptPubKeyMan can do exactly that: the message is passed into HardwareScriptPubKeyMan::SignMessage which then passes it along to the hardware wallet. This way, nothing external to the wallet needs to know that there is a hardware wallet or how to handle it. That can all be done within the HardwareScriptPubKeyMan.

The above code hits the assert. I.e. despite getting a signing provider for the destination, it still fails to get the key. This code (i.e. getting signing provider and then getting privkey from that) in current master.

That’s because you are still using the old code and way of signing messages. There is no need for signmessage to get a SigningProvider anymore. Instead you should be implementing either within the SignMessage function that is now in sign.cpp. You’ll probably need to change the arguments, but you shouldn’t need to go to the specific call sites like signmessage or the Sign Message dialog.

Specifically the reason this hits the assert is that the SigningProvider that is returned only returns public keys and scripts. GetKey and HaveKey have been changed to always fail. Notice that the function named GetSigningProvider was renamed to GetPublicSigningProvider.

achow101 force-pushed on Feb 13, 2020

achow101 commented at 11:05 pm on February 13, 2020: member

I’ve based this on top of #17577

kallewoof commented at 4:03 am on February 14, 2020: member

That’s because you are still using the old code and way of signing messages. There is no need for signmessage to get a SigningProvider anymore. Instead you should be implementing either within the SignMessage function that is now in sign.cpp. You’ll probably need to change the arguments, but you shouldn’t need to go to the specific call sites like signmessage or the Sign Message dialog.

Ahh. In that case PublicSigningProvider is a bad name for it, I think? It’s not providing any signing at all, after all. I assume this is used to verify signatures? Maybe GetPublicKeyProvider.

achow101 force-pushed on Feb 14, 2020

achow101 commented at 6:07 pm on February 14, 2020: member

Ahh. In that case PublicSigningProvider is a bad name for it, I think? It’s not providing any signing at all, after all. I assume this is used to verify signatures? Maybe GetPublicKeyProvider.

It’s used primarily for checking solvability. So I’ve renamed it to GetSolvingProvider

achow101 force-pushed on Feb 14, 2020

Sjors commented at 7:50 pm on February 14, 2020: member

GetSolutionProvider? :-P

instagibbs commented at 5:13 pm on February 19, 2020: member

concept ACK

in src/script/sign.cpp:514 in a9f1c58ccd outdated

509+            } else {
510+                input_errors[i] = ScriptErrorString(serror);
511+            }
512+        }
513+    }
514+    return input_errors.empty();;

Sjors commented at 4:19 pm on February 20, 2020:

double semicolumn

achow101 commented at 5:13 pm on February 21, 2020:

Fixed

in src/wallet/wallet.cpp:2474 in 2c6db38744 outdated

2472+        if (spk_man->SignTransaction(tx, coins, sighash, input_errors)) {
2473+            return true;
2474+        }
2475+
2476+        // Add this spk_man to visited_spk_mans so we can skip it later
2477+        visited_spk_mans.insert(spk_man->GetID());

Sjors commented at 4:48 pm on February 20, 2020:

Rather than having this visited_spk_mans bookkeeping, maybe just add spk_man->SignInput(tx, input, coins, sighash, error).

achow101 commented at 4:18 pm on February 21, 2020:

I considered that, but not all ScriptPubKeyMan implementations will be able to sign just one input without potentially signing all inputs. E.g. a hardware wallet spkman. With such spkmans, we would end up signing the entire tx multiple times which is both slow and bad UX.

Sjors commented at 5:13 pm on February 21, 2020:

That makes sense. It’s worth emphasizing in the comments that SignTransaction() will try to sign all inputs, not just txin.

achow101 commented at 5:19 pm on February 21, 2020:

I’ve added some comments.

in src/wallet/wallet.cpp:2554 in 886002c66b outdated

2547+        if (res != TransactionError::OK) {
2548+            return res;
2549         }
2550+
2551+        // Add this spk_man to visited_spk_mans so we can skip it later
2552+        visited_spk_mans.insert(spk_man->GetID());

Sjors commented at 5:20 pm on February 20, 2020:

Same suggestion as with regular signing: adding FillPSBT(PartiallySignedTransaction& psbt, int& index, ... to LegacyScriptPubKeyMan() would avoid this bookkeeping and be easier to reason about than this loop-in-loop behavior.

Such per input control could also make its way into the RPC, where e.g. coinjoin software could tell the wallet what to sign while ignoring the other inputs. That might save some (negligible?) time doing spk_man lookups on a thousand inputs.

Sjors commented at 5:14 pm on February 21, 2020:

Nvm, see #18115 (review)

in src/wallet/scriptpubkeyman.cpp:564 in 886002c66b outdated

537+        SignPSBTInput(HidingSigningProvider(this, !sign, !bip32derivs), psbtx, i, sighash_type);
538+    }
539+
540+    // Fill in the bip32 keypaths and redeemscripts for the outputs so that hardware wallets can identify change
541+    for (unsigned int i = 0; i < psbtx.tx->vout.size(); ++i) {
542+        UpdatePSBTOutput(HidingSigningProvider(this, true, !bip32derivs), psbtx, i);

Sjors commented at 5:35 pm on February 20, 2020:

I tested that BIP32 info is correctly added to watch-only wallets (see also my comment #16528 (review) and earlier(?) version of this code).

Sjors commented at 7:51 pm on February 20, 2020: member

ACK ba91cc878ad18e457c79ca3f84be3b53f1182887 (pending parent PR)

I made a commit that introduces SolvingProvider as the SigningProvider base class, which I think makes things more clear. But it’s lot of code changes: https://github.com/Sjors/bitcoin/commit/7f97d83ccbc291d0a69c7c8aa5b8f9d217d6badf

instagibbs commented at 4:42 pm on February 21, 2020: member

note that this PR is built on https://github.com/bitcoin/bitcoin/pull/17577

achow101 force-pushed on Feb 21, 2020

in src/rpc/rawtransaction_util.cpp:288 in 5cab890b91 outdated

323+{
324+    // Make errors UniValue
325+    UniValue vErrors(UniValue::VARR);
326+    for (const auto& err_pair : input_errors) {
327+        if (err_pair.second == "Missing amount") {
328+            // This particular error needs to be an exception for some reason

instagibbs commented at 3:05 pm on February 24, 2020:

This comment isn’t really helpful for future code readers, just reviewers.

ProofOfKeags commented at 7:33 pm on February 27, 2020:

Is the reason known, or is this a “rain dance” and all we know is that it doesn’t work if it isn’t an Exception?

achow101 commented at 7:42 pm on February 27, 2020:

It’s preserving previous behavior of the API which would throw an exception for that particular error instead of putting it into the errors array.

in src/wallet/wallet.h:924 in 1bb7939d3e outdated

915@@ -916,7 +916,8 @@ class CWallet final : public WalletStorage, private interfaces::Chain::Notificat
916      * calling CreateTransaction();
917      */
918     bool FundTransaction(CMutableTransaction& tx, CAmount& nFeeRet, int& nChangePosInOut, std::string& strFailReason, bool lockUnspents, const std::set<int>& setSubtractFeeFromOutputs, CCoinControl);
919-    bool SignTransaction(CMutableTransaction& tx) EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
920+    bool SignTransaction(CMutableTransaction& tx) const EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
921+    bool SignTransaction(CMutableTransaction& tx, const std::map<COutPoint, Coin>& coins, int sighash, std::map<int, std::string>& input_errors) const;

instagibbs commented at 3:10 pm on February 24, 2020:

Please document when these two functions are used.

achow101 commented at 5:15 pm on February 24, 2020:

Added a comment.

in src/wallet/wallet.h:1179 in 1bb7939d3e outdated

1150@@ -1150,6 +1151,7 @@ class CWallet final : public WalletStorage, private interfaces::Chain::Notificat
1151 
1152     //! Get the ScriptPubKeyMan for a script
1153     ScriptPubKeyMan* GetScriptPubKeyMan(const CScript& script) const;
1154+    ScriptPubKeyMan* GetScriptPubKeyMan(const CScript& script, SignatureData& sigdata) const;

instagibbs commented at 3:10 pm on February 24, 2020:

Please document how this is used.

achow101 commented at 5:18 pm on February 24, 2020:

Added a comment.

in src/wallet/wallet.cpp:2455 in 1bb7939d3e outdated

2455         }
2456-        UpdateInput(input, sigdata);
2457-        nIn++;
2458+
2459+        // Input needs to be signed, find the right ScriptPubKeyMan
2460+        ScriptPubKeyMan* spk_man = GetScriptPubKeyMan(coin->second.out.scriptPubKey, sigdata);

instagibbs commented at 3:21 pm on February 24, 2020:

Will one SPKM always be sufficient for any input even going forward? Seems to me the same SPKM will always be sourced for a particular input?

instagibbs commented at 3:44 pm on February 24, 2020:

5cab890b915fd9f25cada7ddab7cc00eea22c80b suggests no, there may be multiple.

achow101 commented at 4:54 pm on February 24, 2020:

The expectation is that one spkman will be sufficient. But I suppose it is possible that multiple spkmans could sign for a particular input. I don’t think we handle that case.

5cab890 was from a previous iteration where all spkmans signed the transaction. Perhaps it isn’t needed anymore.

instagibbs commented at 4:57 pm on February 24, 2020:

I think it makes sense to remove that commit then, and just state the assumption here.

achow101 commented at 5:14 pm on February 24, 2020:

Dropped the commit. Added a comment about the assumption.

achow101 commented at 5:43 pm on February 25, 2020:

I’ve had to restore the commit. It actually is needed. It actually doesn’t imply that the different ScriptPubKeyMans can successfully sign the same input.

It is still needed because each time the wrong ScriptPubKeyMan signs an input, it will add an error. Once that input becomes signed by the correct ScriptPubKeyMan, we need to clear away those errors otherwise they will incorrectly persist. Thus that commit is still needed.

Sjors commented at 6:52 pm on February 25, 2020:

Shouldn’t this loop over all matching GetScriptPubKeyMans? Otherwise the comment above should be changed to “We assume that each input is matched (and signed) by only one ScriptPubKeyMan.”.

Right now:

if non-matching ScriptPubKeyMan tries and fails to sign this input, we’ll try with the matching ScriptPubKeyMan, but;
if we match, but can’t sign, that error can only be cleared if another input happens to match a ScriptPubKeyMan that then happens to be able for the failed input as well.

In practice this shouldn’t matter because two ScriptPubKeyMans should never overlap, but we don’t have a way to enforce that.

achow101 commented at 7:29 pm on February 25, 2020:

Fine. I’ve changed it to check all ScriptPubKeyMans that CanProvide.

in src/wallet/wallet.cpp:2542 in c5ae320bc6 outdated

2533             continue;
2534         }
2535 
2536-        complete &= SignPSBTInput(HidingSigningProvider(provider.get(), !sign, !bip32derivs), psbtx, i, sighash_type);
2537-    }
2538+        // If we've already been signed by this spk_man, skip it

instagibbs commented at 3:37 pm on February 24, 2020:

Will one SPKM always be sufficient for any input even going forward? Seems to me the same SPKM will always be sourced for a particular input?

achow101 commented at 5:14 pm on February 24, 2020:

Documented the assumption.

in src/wallet/wallet.h:1185 in f2bd919cfd outdated

1177@@ -1178,8 +1178,8 @@ class CWallet final : public WalletStorage, private interfaces::Chain::Notificat
1178     ScriptPubKeyMan* GetScriptPubKeyMan(const uint256& id) const;
1179 
1180     //! Get the SigningProvider for a script
1181-    std::unique_ptr<SigningProvider> GetSigningProvider(const CScript& script) const;
1182-    std::unique_ptr<SigningProvider> GetSigningProvider(const CScript& script, SignatureData& sigdata) const;
1183+    std::unique_ptr<SigningProvider> GetSolvingProvider(const CScript& script) const;

instagibbs commented at 3:43 pm on February 24, 2020:

A little confused by this commit. Should SigningProvider itself be renamed as well?

achow101 commented at 4:55 pm on February 24, 2020:

We should probably refactor SigningProvider at some point to have a parent SolvingProvider that doesn’t have private keys. But for now, this just returns a SigningProvider without private keys.

Sjors commented at 5:05 pm on February 24, 2020:

I have commit for exactly that, see my earlier comment: #18115#pullrequestreview-362040407

instagibbs approved

instagibbs commented at 3:49 pm on February 24, 2020: member

reviewed to 5cab890b915fd9f25cada7ddab7cc00eea22c80b , just a few points, otherwise looks good

achow101 force-pushed on Feb 24, 2020

instagibbs commented at 5:19 pm on February 24, 2020: member

utACK https://github.com/bitcoin/bitcoin/pull/18115/commits/2525db8eb1af79f00899cac1bd2ff8a1e85d32f8

DrahtBot added the label Needs rebase on Feb 25, 2020

achow101 force-pushed on Feb 25, 2020

DrahtBot removed the label Needs rebase on Feb 25, 2020

Sjors commented at 6:58 pm on February 25, 2020: member

utACK b26777cb7b3fa59c4b518d953165fdb80ca444a9, modulo the below issue

achow101 force-pushed on Feb 25, 2020

Sjors commented at 7:41 pm on February 25, 2020: member

utACK 1f9a806a0184ebc4fe7b7b99df6341e0a00fef80

in src/script/sign.cpp:514 in 1f9a806a01 outdated

508@@ -509,6 +509,9 @@ bool SignTransaction(CMutableTransaction& mtx, const SigningProvider* keystore,
509             } else {
510                 input_errors[i] = ScriptErrorString(serror);
511             }
512+        } else {
513+            // If this input succeeds, make sure there is no error set for it
514+            input_errors.erase(i);

instagibbs commented at 8:24 pm on February 25, 2020:

Help me understand:

Two SPKM: A and B
Two input tx: input 1: key resides in A input 2: key resides in B
A asked to sign 1, successfully
A asked to sign 2, unsuccessful, appends error C
B asked to sign 1, unsuccessful, appends error D
B asked to sign 2, successful, deletes C

We’re left with error D?

achow101 commented at 8:26 pm on February 25, 2020:

B asked to sign 1. 1 comes with existing signature. Skips signing because already signed, no error.

instagibbs commented at 8:34 pm on February 25, 2020:

CWallet::SignTransaction outer loop over inputs has the complete check, not the inner SPKM loop?

Sjors commented at 8:50 pm on February 25, 2020:

@achow101 CWallet skips B when considering input 1, because it’s already signed. But then when it’s considering input 2 it will tell B to sign the transaction, and the sign code doesn’t seem skip already signed inputs.

It should be easy to reproduce this scenario in a test on the descriptor wallet PR. E.g. spend from a wallet with one legacy and one native SegWit UTXO.

achow101 commented at 10:13 pm on February 25, 2020:

To be more specific, the generic SignTransaction function uses DataFromTransaction on each input to pull out any existing signatures, pubkeys, and scripts into a SignatureData object. When this SignatureData object gets passed into ProduceSignature, ProduceSignature first looks at the SignatureData finds an existing signatures, pubkeys, and scripts, and fills those into the transaction rather than asking for the SigningProvider (which is produced by the ScriptPubKeyMan). So even if that SigningProvider can’t sign, because we already had signatures, pubkeys, and scripts in that transaction, no error occurs.

There is an additional optimization already in ProduceSignature which skips signing when it finds that SignatureData.complete == true, which is determined by doing a VerifyScript within DataFromTransaction. Hence signing is skipped for that input.

All of this is pre-existing code which allows us to sign a transaction with external inputs without error. The same process that we do internally with multiple ScriptPubKeyMans is almost the same as if you signed a transaction that has inputs from multiple wallets with those different wallets. Errors are not given for the inputs that are already signed.

instagibbs commented at 10:17 pm on February 25, 2020:

Ok, I agree with what you’re saying, though it’s indirect.

Sjors commented at 8:39 am on February 26, 2020:

That makes sense and will do for now. Would be good to add a test to #15764 for this type of stuff, because it seems brittle.

achow101 commented at 6:00 pm on February 26, 2020:

The nature of descriptor wallets as implemented in #16528 requires this commit or tests fail. We are already testing this case. I added back this commit because tests were failing without it in #16528.

instagibbs commented at 10:19 pm on February 25, 2020: member

utACK https://github.com/bitcoin/bitcoin/pull/18115/commits/1f9a806a0184ebc4fe7b7b99df6341e0a00fef80

Though I wish the code regarding the last commit was easier to grok about.

laanwj added this to the "Blockers" column in a project

fanquake requested review from meshcollider on Feb 28, 2020

in src/wallet/wallet.cpp:3030 in f4b3fbd70b outdated

2940-                } else {
2941-                    UpdateInput(txNew.vin.at(nIn), sigdata);
2942-                }
2943-
2944-                nIn++;
2945+            if (!SignTransaction(txNew)) {

Empact commented at 11:28 pm on February 28, 2020:

nit: Might also collapse the outer if (sign)

achow101 commented at 0:35 am on February 29, 2020:

Will collapse if rebase or other changes are needed.

achow101 commented at 4:27 pm on March 8, 2020:

had to rebase, collapsed.

in src/primitives/transaction.h:131 in b525f73852 outdated

123@@ -124,6 +124,11 @@ class CTxIn
124         return !(a == b);
125     }
126 
127+    friend bool operator<(const CTxIn& a, const CTxIn& b)
128+    {
129+        return a.prevout < b.prevout;
130+    }
131+

Empact commented at 11:28 pm on February 28, 2020:

nit: this isn’t required for this commit - maybe move it to later where it is required?

achow101 commented at 0:34 am on February 29, 2020:

It looks like this isn’t needed at all… But I would like to avoid invalidating ACKs, so I’ll leave it in unless I have to rebase or make other changes.

achow101 commented at 4:27 pm on March 8, 2020:

Had to rebase, removed

in src/qt/signverifymessagedialog.cpp:143 in 1f9a806a01 outdated

146+    SigningResult res = model->wallet().signMessage(message, *pkhash, signature);
147+
148+    QString error;
149+    switch (res) {
150+        case SigningResult::OK:
151+            error = tr("No error");

Empact commented at 11:52 pm on February 28, 2020:

nit: unnecessary assignment

achow101 commented at 0:26 am on February 29, 2020:

Meh. Just in case some other change results in error being shown.

Empact approved

Empact commented at 0:13 am on February 29, 2020: member

ACK https://github.com/bitcoin/bitcoin/commit/1f9a806a0184ebc4fe7b7b99df6341e0a00fef80

achow101 force-pushed on Mar 8, 2020

Refactor rawtransaction's SignTransaction into generic SignTransaction function 2c52b59d0a

Add SignTransaction function to ScriptPubKeyMan and LegacyScriptPubKeyMan d999dd588c

Implement CWallet::SignTransaction using ScriptPubKeyMan::SignTransaction f37de92744

Use CWallet::SignTransaction in CreateTransaction and signrawtransactionwithwallet

Instead of duplicating signing code, just use the function we already
have.

a4af324d15

achow101 force-pushed on Mar 8, 2020

achow101 commented at 4:28 pm on March 8, 2020: member

There was a hidden merge conflict that required a rebase.

achow101 force-pushed on Mar 8, 2020

meshcollider commented at 7:51 am on March 9, 2020: contributor

Light code review / build / test run ACK 08b9b68528b4644bce6bb925d6b0cbcaae62c5a9

If Empact, instagibbs, or Sjors could post-rebase re-ACK I’ll merge this

Sjors commented at 10:38 am on March 9, 2020: member

Will do after @achow101 fixes the Travis build failure :-) https://travis-ci.org/bitcoin/bitcoin/jobs/659844515#L2418

Marking fillPSBT() as const in src/interfaces/wallet.{h,cpp} might help, and would at least be consistent.

Move FillPSBT to be a member of CWallet 3d70dd99f9

Move key and script filling and signing from CWallet::FillPSBT to ScriptPubKeyMan::FillPSBT

Instead of fetching a SigningProvider from ScriptPubKeyMan in order
to fill and sign the keys and scripts for a PSBT, just pass that
PSBT to a new FillPSBT function that does all that for us.

82a30fade7

Move direct calls to MessageSign into new SignMessage functions in CWallet and ScriptPubKeyMan

Instead of getting a SigningProvider and then going to MessageSign,
have ScriptPubKeyMan handle the message signing internally.

6a9c429084

Replace GetSigningProvider with GetSolvingProvider

Not all ScriptPubKeyMans will be able to provide private keys,
but pubkeys and scripts should be. So only provide public-only
SigningProviders, i.e. ones that can help with Solving.

dc174881ad

Clear any input_errors for an input after it is signed

Make sure that there are no errors set for an input after it is signed.
This is useful for when there are multiple ScriptPubKeyMans. Some may
fail to sign, but one may be able to sign, and after it does, we don't
want there to be any more errors there.

d2774c09cf

achow101 force-pushed on Mar 9, 2020

instagibbs commented at 3:27 pm on March 9, 2020: member

reACK https://github.com/bitcoin/bitcoin/pull/18115/commits/d2774c09cfcc6c5c967d40bb094eabc8c0bdb6bf

achow101 commented at 3:29 pm on March 9, 2020: member

Will do after @achow101 fixes the Travis build failure :-) https://travis-ci.org/bitcoin/bitcoin/jobs/659844515#L2418

Marking fillPSBT() as const in src/interfaces/wallet.{h,cpp} might help, and would at least be consistent.

I did that, but I don’t think it will help. I’m not sure what would cause that travis failure; it’s failing on something that the other targets are compiling too. I think travis may have gotten confused?

Sjors commented at 6:15 pm on March 9, 2020: member

re-utACK d2774c09cfcc6c5c967d40bb094eabc8c0bdb6bf

meshcollider commented at 7:56 pm on March 9, 2020: contributor

re-utACK d2774c09cfcc6c5c967d40bb094eabc8c0bdb6bf

meshcollider merged this on Mar 9, 2020

meshcollider closed this on Mar 9, 2020

sidhujag referenced this in commit 98c8a84b4c on Mar 10, 2020

laanwj removed this from the "Blockers" column in a project

sidhujag referenced this in commit 248ed9dbbc on Mar 28, 2020

jasonbcox referenced this in commit dabfedaea0 on Oct 24, 2020

jasonbcox referenced this in commit 588d25004d on Oct 24, 2020

jasonbcox referenced this in commit dd2c6cebcd on Oct 24, 2020

jasonbcox referenced this in commit 27fe47e7af on Oct 24, 2020

jasonbcox referenced this in commit 7f2483ac94 on Oct 25, 2020

jasonbcox referenced this in commit f0ce817308 on Oct 25, 2020

jasonbcox referenced this in commit bee3cb09b3 on Oct 25, 2020

jasonbcox referenced this in commit 67435e511a on Oct 25, 2020

jasonbcox referenced this in commit 206346fce4 on Oct 25, 2020

sidhujag referenced this in commit cf35de8d51 on Nov 10, 2020

DrahtBot locked this on Feb 15, 2022

wallet: Pass in transactions and messages for signing instead of exporting the private keys #18115

Conflicts