add -xpub option to encryptbackup

To include derivation path in backup header.

Author: Sjors

src/bitcoin-wallet.cpp

@@ -40,6 +40,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-debug=<category>", "Output debugging information (default: 0).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-pubkey=<key>", "Extended public key (xpub/tpub) for decrypting a backup", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
+    argsman.AddArg("-xpub=<key>", "Extended public key (xpub/tpub) whose derivation path to include in backup header", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
     argsman.AddCommand("create", "Create a new descriptor wallet file");

src/wallet/wallettool.cpp

@@ -195,9 +195,24 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
 
         LOCK(wallet_instance->cs_wallet);
 
+        // If -xpub is provided, validate it
+        std::optional<std::string> target_xpub;
+        if (args.IsArgSet("-xpub")) {
+            std::string xpub_str = args.GetArg("-xpub", "");
+            CExtPubKey ext_pubkey = DecodeExtPubKey(xpub_str);
+            if (!ext_pubkey.pubkey.IsValid()) {
+                tfm::format(std::cerr, "Invalid extended public key: %s\n", xpub_str);
+                wallet_instance->Close();
+                return false;
+            }
+            target_xpub = xpub_str;
+        }
+
         // Collect all descriptors from the wallet in listdescriptors format
         // This format preserves origin info and can be used with importdescriptors
         std::vector<std::pair<std::string, WalletDescriptorInfo>> all_descriptors;
+        std::vector<DerivationPath> derivation_paths;
+        bool found_target_xpub = false;
 
         const auto active_spk_mans = wallet_instance->GetActiveScriptPubKeyMans();
 
@@ -226,6 +241,34 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
                     wallet_desc.next_index
                 };
                 all_descriptors.emplace_back(desc_str, std::move(info));
+
+                // Check if this descriptor contains the target xpub (if specified)
+                // and extract its derivation path from the origin info
+                if (target_xpub) {
+                    // Look for the xpub in the descriptor string and check for origin info
+                    // Format: [fingerprint/path]xpub...
+                    size_t xpub_pos = desc_str.find(*target_xpub);
+                    if (xpub_pos != std::string::npos) {
+                        found_target_xpub = true;
+                        // Look for origin info before the xpub: [fingerprint/path]
+                        if (xpub_pos > 0 && desc_str[xpub_pos - 1] == ']') {
+                            size_t bracket_start = desc_str.rfind('[', xpub_pos - 1);
+                            if (bracket_start != std::string::npos) {
+                                std::string origin = desc_str.substr(bracket_start + 1, xpub_pos - bracket_start - 2);
+                                // origin is "fingerprint/path" - find the first /
+                                size_t slash_pos = origin.find('/');
+                                if (slash_pos != std::string::npos) {
+                                    std::string path_str = "m" + origin.substr(slash_pos);
+
+                                    auto parsed_path = ParseDerivationPath(path_str);
+                                    if (parsed_path && derivation_paths.empty()) {
+                                        derivation_paths.push_back(*parsed_path);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
             }
         }
 
@@ -235,6 +278,18 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
             return false;
         }
 
+        if (target_xpub && !found_target_xpub) {
+            tfm::format(std::cerr, "Specified xpub not found in any wallet descriptor: %s\n", *target_xpub);
+            wallet_instance->Close();
+            return false;
+        }
+
+        if (target_xpub && derivation_paths.empty()) {
+            tfm::format(std::cerr, "Specified xpub has no origin info (derivation path) in descriptor.\n");
+            wallet_instance->Close();
+            return false;
+        }
+
         // Sort by descriptor string for deterministic ordering
         std::sort(all_descriptors.begin(), all_descriptors.end(),
                   [](const auto& a, const auto& b) { return a.first < b.first; });
@@ -256,7 +311,7 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         content.bip_number = BIP_DESCRIPTORS;
 
         // Create the encrypted backup
-        auto backup_result = CreateEncryptedBackup(primary_descriptor, plaintext, content, {});
+        auto backup_result = CreateEncryptedBackup(primary_descriptor, plaintext, content, derivation_paths);
         if (!backup_result) {
             tfm::format(std::cerr, "Failed to create encrypted backup: %s\n",
                         util::ErrorString(backup_result).original);

test/functional/tool_wallet.py

@@ -482,9 +482,35 @@ def test_encrypted_backup(self):
         assert_equal(metadata["version"], 1)
         assert_equal(metadata["encryption"], "ChaCha20-Poly1305")
         assert metadata["recipients"] >= 1
-        # Content type is encrypted, not visible in header
+        # Without -xpub, there should be no derivation paths
+        assert_equal(metadata["derivation_paths"], [])
         self.log.debug(f"Backup metadata: {json.dumps(metadata, indent=2)}")
 
+        # Test that -xpub with an xpub not in the wallet gets rejected
+        self.log.info("Testing that unknown xpub is rejected...")
+        # Use a valid but unrelated testnet xpub
+        unknown_xpub = "tpubD6NzVbkrYhZ4XgiXtGrdW5XDAPFCL9h7we1vwNCpn8tGbBcgfVYjXyhWo4E1xkh56hjod1RhGjxbaTLV3X4FyWuejifB9jusQ46QzG87VKp"
+        p = self.bitcoin_wallet_process(f"-wallet={wallet_name}", f"-xpub={unknown_xpub}", "encryptbackup")
+        backup_output, stderr = p.communicate()
+        assert_equal(p.poll(), 1)
+        assert "not found in any wallet descriptor" in stderr
+
+        # Test encryptbackup with -xpub to include derivation path
+        self.log.info("Creating encrypted backup with -xpub for derivation path...")
+        p = self.bitcoin_wallet_process(f"-wallet={wallet_name}", f"-xpub={xpub_for_decrypt}", "encryptbackup")
+        backup_with_path_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        backup_with_path_base64 = backup_with_path_output.strip()
+
+        # Inspect the backup with derivation path
+        p = self.bitcoin_wallet_process("inspectbackup")
+        inspect_output, stderr = p.communicate(input=backup_with_path_base64)
+        assert_equal(p.poll(), 0)
+        metadata_with_path = json.loads(inspect_output)
+        # BIP44 testnet path: m/44'/1'/0'
+        assert_equal(metadata_with_path["derivation_paths"], ["m/44'/1'/0'"])
+        self.log.info(f"Derivation paths in backup: {metadata_with_path['derivation_paths']}")
+
         # Decrypt the backup using just the xpub (no wallet needed)
         self.log.info("Decrypting backup using xpub...")
         p = self.bitcoin_wallet_process(f"-pubkey={xpub_for_decrypt}", "decryptbackup")