Merge bitcoin/bitcoin#27997: Descriptors: rule out unspendable miniscript descriptors

c7db88af71 descriptor: assert we never parse a sane miniscript with no pubkey (Antoine Poinsot)
a49402a9ec qa: make sure we don't let unspendable Miniscript descriptors be imported (Antoine Poinsot)
639e3b6c97 descriptor: refuse to parse unspendable miniscript descriptors (Antoine Poinsot)
e3280eae1b miniscript: make GetStackSize() and GetOps() return optionals (Antoine Poinsot)

Pull request description:

  `IsSane()` in Miniscript does not ensure a Script is actually spendable. This is an issue as we would accept any sane Miniscript when parsing a descriptor. Fix this by explicitly checking a Miniscript descriptor is both sane and spendable when parsing it.

  This bug was exposed due to a check added in #22838 (https://github.com/bitcoin/bitcoin/pull/22838#discussion_r1226859880) that triggered a fuzz crash (https://github.com/bitcoin/bitcoin/pull/22838#issuecomment-1612510057).

ACKs for top commit:
  sipa:
    utACK c7db88af71
  achow101:
    ACK c7db88af71

Tree-SHA512: e79bc9f7842e98a4e8f358f05811fca51b15b4b80a171c0d2b17cf4bb1f578a18e4397bc2ece9817d392e0de0196ee6a054b7318441fd3566dd22e1f03eb64a5

test/functional/wallet_miniscript.py

@@ -277,6 +277,18 @@ class WalletMiniscriptTest(BitcoinTestFramework):
         assert not res["success"]
         assert "is not sane: witnesses without signature exist" in res["error"]["message"]
 
+        # Sanity check we wouldn't let an unspendable Miniscript descriptor in
+        res = self.ms_wo_wallet.importdescriptors(
+            [
+                {
+                    "desc": descsum_create("wsh(0)"),
+                    "active": False,
+                    "timestamp": "now",
+                }
+            ]
+        )[0]
+        assert not res["success"] and "is not satisfiable" in res["error"]["message"]
+
         # Test we can track any type of Miniscript
         for ms in MINISCRIPTS:
             self.watchonly_test(ms)