Use long derivation paths for App Private Keys (courtesy of blockstack.js)

[kantai]

This adds support for longer derivation paths for app private keys (#1367)

This maintains quasi-backwards compatibility by

1. Checking whether or not a legacy public key was used (by checking the profile's apps key
2. If so, using the legacy key, otherwise, uses the new derivation path.

To test this, you'll need to npm link in the wallet support branch on blockstack.js (or develop once it's merged).

[wbobeirne]

I've expanded this PR to use BlockstackWallet wherever possible.

[wbobeirne]

Because blockstack.js has upgraded to bitcoinjs-lib@4.x.x, we'll need to do the same in this repo. Unfortunately that's going to be a lot of effort because all HDNode usage was replaced with bip32 usage.

[kantai]

This is updated to work with the latest from this PR: hirosystems/stacks.js#433

I recommend testing this by restoring an old account, logging into multiplayer apps (which should continue to work with the same app private key that you used before if you had previously logged in) and single player apps, and by creating a new user and logging in and out of apps.

[markmhendrickson]

@kantai should this issue be considered resolved and closed out based on your PR? #1620

[kantai]

Nope -- as far as I understand, we still are using the short app derivation paths.

[markmhendrickson]

@kantai What's the main benefit here? Stronger security or?

[kantai]

@kantai What's the main benefit here? Stronger security or?

Yep -- this would increase the security of the app-derived keys.

[markmhendrickson]

@kantai Sounds good – it seems this PR is almost across the finish line and just needs a bit more testing. Is that the case? I'm moving this to the backlog so we can prioritize for the next sprint assuming that's the case.

[hstove]

Unless I'm mistaken, this is not backwards compatible with single-player apps, because they aren't in the apps key. So if you login to a single-player app, your data and private key will not be the same.