Introduce flag to allow non-comliant derivation paths

crates/apps/src/lib/cli.rs

@@ -2975,8 +2975,10 @@ pub mod args {
         arg("validator");
     pub const HALT_ACTION: ArgFlag = flag("halt");
     pub const HASH_LIST: Arg<String> = arg("hash-list");
-    pub const HD_WALLET_DERIVATION_PATH: ArgDefault<String> =
+    pub const HD_DERIVATION_PATH: ArgDefault<String> =
         arg_default("hd-path", DefaultFn(|| "default".to_string()));
+    pub const HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH: ArgFlag =
+        flag("allow-non-compliant");
     pub const HISTORIC: ArgFlag = flag("historic");
     pub const IBC_TRANSFER_MEMO_PATH: ArgOpt<PathBuf> = arg_opt("memo-path");
     pub const INPUT_OPT: ArgOpt<PathBuf> = arg_opt("input");
@@ -6196,7 +6198,9 @@ pub mod args {
             let alias_force = ALIAS_FORCE.parse(matches);
             let unsafe_dont_encrypt = UNSAFE_DONT_ENCRYPT.parse(matches);
             let use_device = USE_DEVICE.parse(matches);
-            let derivation_path = HD_WALLET_DERIVATION_PATH.parse(matches);
+            let derivation_path = HD_DERIVATION_PATH.parse(matches);
+            let allow_non_compliant =
+                HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.parse(matches);
             Self {
                 scheme,
                 shielded,
@@ -6205,6 +6209,7 @@ pub mod args {
                 unsafe_dont_encrypt,
                 use_device,
                 derivation_path,
+                allow_non_compliant,
             }
         }
 
@@ -6234,14 +6239,29 @@ pub mod args {
                 "Derive an address and public key from the seed stored on the \
                  connected hardware wallet.",
             ))
-            .arg(HD_WALLET_DERIVATION_PATH.def().help(
+            .arg(HD_DERIVATION_PATH.def().help(
                 "HD key derivation path. Use keyword `default` to refer to a \
-                 scheme default path:\n- m/44'/60'/0'/0/0 for secp256k1 \
-                 scheme\n- m/44'/877'/0'/0'/0' for ed25519 scheme.\nFor \
-                 ed25519, all path indices will be promoted to hardened \
-                 indexes. If none is specified, the scheme default path is \
-                 used.",
+                 scheme default path:\n- m/44'/60'/0'/0/0 for the transparent \
+                 secp256k1 scheme\n- m/44'/877'/0'/0'/0' for the transparent \
+                 ed25519 scheme\n- m/32'/877'/0' for the shielded \
+                 setting\nFor ed25519 scheme, all path indices will be \
+                 promoted to hardened indexes. If none is specified, the \
+                 scheme default path is used.",
             ))
+            .arg(HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.def().help(
+                "Allow non-compliant HD derivation path. The compliant \
+                 derivation path schemes include:\n- \
+                 m/44'/60'/account'/change/address_index for the transparent \
+                 secp256k1 scheme\n- \
+                 m/44'/877'/account'/change'/address_index' for the \
+                 transparent ed25519 scheme\n- m/32'/877'/account' and\n- \
+                 m/32'/877'/account'/address_index for the shielded setting",
+            ))
+            .group(
+                ArgGroup::new("requires_group")
+                    .args([HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.name])
+                    .requires(HD_DERIVATION_PATH.name),
+            )
         }
     }
 
@@ -6253,7 +6273,9 @@ pub mod args {
             let alias = ALIAS.parse(matches);
             let alias_force = ALIAS_FORCE.parse(matches);
             let unsafe_dont_encrypt = UNSAFE_DONT_ENCRYPT.parse(matches);
-            let derivation_path = HD_WALLET_DERIVATION_PATH.parse(matches);
+            let derivation_path = HD_DERIVATION_PATH.parse(matches);
+            let allow_non_compliant =
+                HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.parse(matches);
             Self {
                 scheme,
                 shielded,
@@ -6262,6 +6284,7 @@ pub mod args {
                 alias_force,
                 unsafe_dont_encrypt,
                 derivation_path,
+                allow_non_compliant,
             }
         }
 
@@ -6280,7 +6303,7 @@ pub mod args {
             .arg(
                 RAW_KEY_GEN
                     .def()
-                    .conflicts_with(HD_WALLET_DERIVATION_PATH.name)
+                    .conflicts_with(HD_DERIVATION_PATH.name)
                     .help(
                         "Generate a random non-HD secret / spending key. No \
                          mnemonic code is generated.",
@@ -6294,14 +6317,29 @@ pub mod args {
                 "UNSAFE: Do not encrypt the keypair. Do not use this for keys \
                  used in a live network.",
             ))
-            .arg(HD_WALLET_DERIVATION_PATH.def().help(
+            .arg(HD_DERIVATION_PATH.def().help(
                 "HD key derivation path. Use keyword `default` to refer to a \
-                 scheme default path:\n- m/44'/60'/0'/0/0 for secp256k1 \
-                 scheme\n- m/44'/877'/0'/0'/0' for ed25519 scheme.\nFor \
-                 ed25519, all path indices will be promoted to hardened \
-                 indexes. If none is specified, the scheme default path is \
-                 used.",
+                 scheme default path:\n- m/44'/60'/0'/0/0 for the transparent \
+                 secp256k1 scheme\n- m/44'/877'/0'/0'/0' for the transparent \
+                 ed25519 scheme\n- m/32'/877'/0' for the shielded \
+                 setting\nFor ed25519 scheme, all path indices will be \
+                 promoted to hardened indexes. If none is specified, the \
+                 scheme default path is used.",
             ))
+            .arg(HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.def().help(
+                "Allow non-compliant HD derivation path. The compliant \
+                 derivation path schemes include:\n- \
+                 m/44'/60'/account'/change/address_index for the transparent \
+                 secp256k1 scheme\n- \
+                 m/44'/877'/account'/change'/address_index' for the \
+                 transparent ed25519 scheme\n- m/32'/877'/account' and\n- \
+                 m/32'/877'/account'/address_index for the shielded setting",
+            ))
+            .group(
+                ArgGroup::new("requires_group")
+                    .args([HD_ALLOW_NON_COMPLIANT_DERIVATION_PATH.name])
+                    .requires(HD_DERIVATION_PATH.name),
+            )
         }
     }
 

crates/apps/src/lib/cli/wallet.rs

@@ -178,6 +178,7 @@ fn shielded_key_derive(
         alias_force,
         unsafe_dont_encrypt,
         derivation_path,
+        allow_non_compliant,
         use_device,
         ..
     }: args::KeyDerive,
@@ -189,7 +190,7 @@ fn shielded_key_derive(
             cli::safe_exit(1)
         });
     println!("Using HD derivation path {}", derivation_path);
-    if !derivation_path.is_namada_shielded_compliant() {
+    if !allow_non_compliant && !derivation_path.is_namada_shielded_compliant() {
         display_line!(io, "Path {} is not compliant.", derivation_path);
         display_line!(io, "No changes are persisted. Exiting.");
         cli::safe_exit(1)
@@ -237,6 +238,7 @@ fn shielded_key_gen(
         alias_force,
         unsafe_dont_encrypt,
         derivation_path,
+        allow_non_compliant,
         ..
     }: args::KeyGen,
 ) {
@@ -252,7 +254,9 @@ fn shielded_key_gen(
                 cli::safe_exit(1)
             });
         println!("Using HD derivation path {}", derivation_path);
-        if !derivation_path.is_namada_shielded_compliant() {
+        if !allow_non_compliant
+            && !derivation_path.is_namada_shielded_compliant()
+        {
             display_line!(io, "Path {} is not compliant.", derivation_path);
             display_line!(io, "No changes are persisted. Exiting.");
             cli::safe_exit(1)
@@ -422,6 +426,7 @@ async fn transparent_key_and_address_derive(
         alias_force,
         unsafe_dont_encrypt,
         derivation_path,
+        allow_non_compliant,
         use_device,
         ..
     }: args::KeyDerive,
@@ -434,7 +439,9 @@ async fn transparent_key_and_address_derive(
                 cli::safe_exit(1)
             });
     println!("Using HD derivation path {}", derivation_path);
-    if !derivation_path.is_namada_transparent_compliant(scheme) {
+    if !allow_non_compliant
+        && !derivation_path.is_namada_transparent_compliant(scheme)
+    {
         display_line!(io, "Path {} is not compliant.", derivation_path);
         display_line!(io, "No changes are persisted. Exiting.");
         cli::safe_exit(1)
@@ -527,6 +534,7 @@ fn transparent_key_and_address_gen(
         alias_force,
         unsafe_dont_encrypt,
         derivation_path,
+        allow_non_compliant,
         ..
     }: args::KeyGen,
 ) {
@@ -550,7 +558,9 @@ fn transparent_key_and_address_gen(
                     cli::safe_exit(1)
                 });
         println!("Using HD derivation path {}", derivation_path);
-        if !derivation_path.is_namada_transparent_compliant(scheme) {
+        if !allow_non_compliant
+            && !derivation_path.is_namada_transparent_compliant(scheme)
+        {
             display_line!(io, "Path {} is not compliant.", derivation_path);
             display_line!(io, "No changes are persisted. Exiting.");
             cli::safe_exit(1)

crates/sdk/src/args.rs

@@ -2112,6 +2112,8 @@ pub struct KeyGen {
     pub unsafe_dont_encrypt: bool,
     /// BIP44 / ZIP32 derivation path
     pub derivation_path: String,
+    /// Allow non-compliant derivation path
+    pub allow_non_compliant: bool,
 }
 
 /// Wallet restore key and implicit address arguments
@@ -2129,6 +2131,8 @@ pub struct KeyDerive {
     pub unsafe_dont_encrypt: bool,
     /// BIP44 / ZIP32 derivation path
     pub derivation_path: String,
+    /// Allow non-compliant derivation path
+    pub allow_non_compliant: bool,
     /// Use device to generate key and address
     pub use_device: bool,
 }