001/**
002 * Copyright 2011 Google Inc.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *    http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016
017package com.google.bitcoin.core;
018
019import com.google.bitcoin.core.TransactionConfidence.ConfidenceType;
020import com.google.bitcoin.script.Script;
021import com.google.bitcoin.script.ScriptBuilder;
022import com.google.bitcoin.script.ScriptOpCodes;
023import com.google.common.base.Preconditions;
024import org.slf4j.Logger;
025import org.slf4j.LoggerFactory;
026import org.spongycastle.crypto.params.KeyParameter;
027
028import java.io.*;
029import java.math.BigInteger;
030import java.text.ParseException;
031import java.text.SimpleDateFormat;
032import java.util.*;
033
034import static com.google.bitcoin.core.Utils.*;
035
036/**
037 * <p>A transaction represents the movement of coins from some addresses to some other addresses. It can also represent
038 * the minting of new coins. A Transaction object corresponds to the equivalent in the Bitcoin C++ implementation.</p>
039 *
040 * <p>Transactions are the fundamental atoms of Bitcoin and have many powerful features. Read
041 * <a href="http://code.google.com/p/bitcoinj/wiki/WorkingWithTransactions">"Working with transactions"</a> in the
042 * documentation to learn more about how to use this class.</p>
043 *
044 * <p>All Bitcoin transactions are at risk of being reversed, though the risk is much less than with traditional payment
045 * systems. Transactions have <i>confidence levels</i>, which help you decide whether to trust a transaction or not.
046 * Whether to trust a transaction is something that needs to be decided on a case by case basis - a rule that makes 
047 * sense for selling MP3s might not make sense for selling cars, or accepting payments from a family member. If you
048 * are building a wallet, how to present confidence to your users is something to consider carefully.</p>
049 */
050public class Transaction extends ChildMessage implements Serializable {
051    private static final Logger log = LoggerFactory.getLogger(Transaction.class);
052    private static final long serialVersionUID = -8567546957352643140L;
053    
054    /** Threshold for lockTime: below this value it is interpreted as block number, otherwise as timestamp. **/
055    public static final int LOCKTIME_THRESHOLD = 500000000; // Tue Nov  5 00:53:20 1985 UTC
056
057    /** How many bytes a transaction can be before it won't be relayed anymore. */
058    public static final int MAX_STANDARD_TX_SIZE = 100 * 1024;
059
060    /** If fee is lower than this value (in satoshis), a default reference client will treat it as if there were no fee */
061    public static final BigInteger REFERENCE_DEFAULT_MIN_TX_FEE = BigInteger.valueOf(10000);
062
063    /**
064     * Any standard (ie pay-to-address) output smaller than this value (in satoshis) will most likely be rejected by the network.
065     * This is calculated by assuming a standard output will be 34 bytes, and then using the formula used in
066     * {@link TransactionOutput#getMinNonDustValue(BigInteger)}.
067     */
068    public static final BigInteger MIN_NONDUST_OUTPUT = BigInteger.valueOf(5460);
069
070    // These are serialized in both bitcoin and java serialization.
071    private long version;
072    private ArrayList<TransactionInput> inputs;
073
074    private ArrayList<TransactionOutput> outputs;
075
076    private long lockTime;
077
078    // This is either the time the transaction was broadcast as measured from the local clock, or the time from the
079    // block in which it was included. Note that this can be changed by re-orgs so the wallet may update this field.
080    // Old serialized transactions don't have this field, thus null is valid. It is used for returning an ordered
081    // list of transactions from a wallet, which is helpful for presenting to users.
082    private Date updatedAt;
083
084    // This is an in memory helper only.
085    private transient Sha256Hash hash;
086    
087    // Data about how confirmed this tx is. Serialized, may be null. 
088    private TransactionConfidence confidence;
089
090    // This records which blocks the transaction has been included in. For most transactions this set will have a
091    // single member. In the case of a chain split a transaction may appear in multiple blocks but only one of them
092    // is part of the best chain. It's not valid to have an identical transaction appear in two blocks in the same chain
093    // but this invariant is expensive to check, so it's not directly enforced anywhere.
094    //
095    // If this transaction is not stored in the wallet, appearsInHashes is null.
096    private Set<Sha256Hash> appearsInHashes;
097    
098    // Transactions can be encoded in a way that will use more bytes than is optimal
099    // (due to VarInts having multiple encodings)
100    // MAX_BLOCK_SIZE must be compared to the optimal encoding, not the actual encoding, so when parsing, we keep track
101    // of the size of the ideal encoding in addition to the actual message size (which Message needs) so that Blocks
102    // can properly keep track of optimal encoded size
103    private transient int optimalEncodingMessageSize;
104
105    public Transaction(NetworkParameters params) {
106        super(params);
107        version = 1;
108        inputs = new ArrayList<TransactionInput>();
109        outputs = new ArrayList<TransactionOutput>();
110        // We don't initialize appearsIn deliberately as it's only useful for transactions stored in the wallet.
111        length = 8; // 8 for std fields
112    }
113
114    public Transaction(NetworkParameters params, int version, Sha256Hash hash) {
115        super(params);
116        this.version = version & ((1L<<32) - 1); // this field is unsigned - remove any sign extension
117        inputs = new ArrayList<TransactionInput>();
118        outputs = new ArrayList<TransactionOutput>();
119        this.hash = hash;
120        // We don't initialize appearsIn deliberately as it's only useful for transactions stored in the wallet.
121        length = 8; //8 for std fields
122    }
123
124    /**
125     * Creates a transaction from the given serialized bytes, eg, from a block or a tx network message.
126     */
127    public Transaction(NetworkParameters params, byte[] payloadBytes) throws ProtocolException {
128        super(params, payloadBytes, 0);
129    }
130
131    /**
132     * Creates a transaction by reading payload starting from offset bytes in. Length of a transaction is fixed.
133     */
134    public Transaction(NetworkParameters params, byte[] payload, int offset) throws ProtocolException {
135        super(params, payload, offset);
136        // inputs/outputs will be created in parse()
137    }
138
139    /**
140     * Creates a transaction by reading payload starting from offset bytes in. Length of a transaction is fixed.
141     * @param params NetworkParameters object.
142     * @param msg Bitcoin protocol formatted byte array containing message content.
143     * @param offset The location of the first msg byte within the array.
144     * @param parseLazy Whether to perform a full parse immediately or delay until a read is requested.
145     * @param parseRetain Whether to retain the backing byte array for quick reserialization.  
146     * If true and the backing byte array is invalidated due to modification of a field then 
147     * the cached bytes may be repopulated and retained if the message is serialized again in the future.
148     * @param length The length of message if known.  Usually this is provided when deserializing of the wire
149     * as the length will be provided as part of the header.  If unknown then set to Message.UNKNOWN_LENGTH
150     * @throws ProtocolException
151     */
152    public Transaction(NetworkParameters params, byte[] msg, int offset, Message parent, boolean parseLazy, boolean parseRetain, int length)
153            throws ProtocolException {
154        super(params, msg, offset, parent, parseLazy, parseRetain, length);
155    }
156
157    /**
158     * Creates a transaction by reading payload starting from offset bytes in. Length of a transaction is fixed.
159     */
160    public Transaction(NetworkParameters params, byte[] msg, Message parent, boolean parseLazy, boolean parseRetain, int length)
161            throws ProtocolException {
162        super(params, msg, 0, parent, parseLazy, parseRetain, length);
163    }
164
165    /**
166     * Returns the transaction hash as you see them in the block explorer.
167     */
168    public Sha256Hash getHash() {
169        if (hash == null) {
170            byte[] bits = bitcoinSerialize();
171            hash = new Sha256Hash(reverseBytes(doubleDigest(bits)));
172        }
173        return hash;
174    }
175
176    /**
177     * Used by BitcoinSerializer.  The serializer has to calculate a hash for checksumming so to
178     * avoid wasting the considerable effort a set method is provided so the serializer can set it.
179     *
180     * No verification is performed on this hash.
181     */
182    void setHash(Sha256Hash hash) {
183        this.hash = hash;
184    }
185
186    public String getHashAsString() {
187        return getHash().toString();
188    }
189
190    /**
191     * Calculates the sum of the outputs that are sending coins to a key in the wallet. The flag controls whether to
192     * include spent outputs or not.
193     */
194    BigInteger getValueSentToMe(Wallet wallet, boolean includeSpent) {
195        maybeParse();
196        // This is tested in WalletTest.
197        BigInteger v = BigInteger.ZERO;
198        for (TransactionOutput o : outputs) {
199            if (!o.isMine(wallet)) continue;
200            if (!includeSpent && !o.isAvailableForSpending()) continue;
201            v = v.add(o.getValue());
202        }
203        return v;
204    }
205    
206    /*
207     * If isSpent - check that all my outputs spent, otherwise check that there at least
208     * one unspent.
209     */
210    boolean isConsistent(Wallet wallet, boolean isSpent) {
211        boolean isActuallySpent = true;
212        for (TransactionOutput o : outputs) {
213            if (o.isAvailableForSpending()) {
214                if (o.isMine(wallet)) isActuallySpent = false;
215                if (o.getSpentBy() != null) {
216                    log.error("isAvailableForSpending != spentBy");
217                    return false;
218                }
219            } else {
220                if (o.getSpentBy() == null) {
221                    log.error("isAvailableForSpending != spentBy");
222                    return false;
223                }
224            }
225        }
226        return isActuallySpent == isSpent;
227    }
228
229    /**
230     * Calculates the sum of the outputs that are sending coins to a key in the wallet.
231     */
232    public BigInteger getValueSentToMe(Wallet wallet) {
233        return getValueSentToMe(wallet, true);
234    }
235
236    /**
237     * Returns a set of blocks which contain the transaction, or null if this transaction doesn't have that data
238     * because it's not stored in the wallet or because it has never appeared in a block.
239     */
240    public Collection<Sha256Hash> getAppearsInHashes() {
241        return appearsInHashes;
242    }
243
244    /**
245     * Convenience wrapper around getConfidence().getConfidenceType()
246     * @return true if this transaction hasn't been seen in any block yet.
247     */
248    public boolean isPending() {
249        return getConfidence().getConfidenceType() == TransactionConfidence.ConfidenceType.PENDING;
250    }
251
252    /**
253     * <p>Puts the given block in the internal serializable set of blocks in which this transaction appears. This is
254     * used by the wallet to ensure transactions that appear on side chains are recorded properly even though the
255     * block stores do not save the transaction data at all.</p>
256     *
257     * <p>If there is a re-org this will be called once for each block that was previously seen, to update which block
258     * is the best chain. The best chain block is guaranteed to be called last. So this must be idempotent.</p>
259     *
260     * <p>Sets updatedAt to be the earliest valid block time where this tx was seen.</p>
261     * 
262     * @param block     The {@link StoredBlock} in which the transaction has appeared.
263     * @param bestChain whether to set the updatedAt timestamp from the block header (only if not already set)
264     */
265    public void setBlockAppearance(StoredBlock block, boolean bestChain) {
266        long blockTime = block.getHeader().getTimeSeconds() * 1000;
267        if (bestChain && (updatedAt == null || updatedAt.getTime() == 0 || updatedAt.getTime() > blockTime)) {
268            updatedAt = new Date(blockTime);
269        }
270
271        addBlockAppearance(block.getHeader().getHash());
272
273        if (bestChain) {
274            // This can cause event listeners on TransactionConfidence to run. After these lines complete, the wallets
275            // state may have changed!
276            TransactionConfidence transactionConfidence = getConfidence();
277            // Reset the work done.
278            try {
279                transactionConfidence.setWorkDone(block.getHeader().getWork());
280            } catch (VerificationException e) {
281                throw new RuntimeException(e);  // Cannot happen.
282            }
283            // This sets type to BUILDING and depth to one.
284            transactionConfidence.setAppearedAtChainHeight(block.getHeight());
285        }
286    }
287
288    public void addBlockAppearance(final Sha256Hash blockHash) {
289        if (appearsInHashes == null) {
290            appearsInHashes = new HashSet<Sha256Hash>();
291        }
292        appearsInHashes.add(blockHash);
293    }
294
295    /**
296     * Calculates the sum of the inputs that are spending coins with keys in the wallet. This requires the
297     * transactions sending coins to those keys to be in the wallet. This method will not attempt to download the
298     * blocks containing the input transactions if the key is in the wallet but the transactions are not.
299     *
300     * @return sum in nanocoins.
301     */
302    public BigInteger getValueSentFromMe(Wallet wallet) throws ScriptException {
303        maybeParse();
304        // This is tested in WalletTest.
305        BigInteger v = BigInteger.ZERO;
306        for (TransactionInput input : inputs) {
307            // This input is taking value from a transaction in our wallet. To discover the value,
308            // we must find the connected transaction.
309            TransactionOutput connected = input.getConnectedOutput(wallet.unspent);
310            if (connected == null)
311                connected = input.getConnectedOutput(wallet.spent);
312            if (connected == null)
313                connected = input.getConnectedOutput(wallet.pending);
314            if (connected == null)
315                continue;
316            // The connected output may be the change to the sender of a previous input sent to this wallet. In this
317            // case we ignore it.
318            if (!connected.isMine(wallet))
319                continue;
320            v = v.add(connected.getValue());
321        }
322        return v;
323    }
324
325    /**
326     * Returns the difference of {@link Transaction#getValueSentFromMe(Wallet)} and {@link Transaction#getValueSentToMe(Wallet)}.
327     */
328    public BigInteger getValue(Wallet wallet) throws ScriptException {
329        return getValueSentToMe(wallet).subtract(getValueSentFromMe(wallet));
330    }
331
332    boolean disconnectInputs() {
333        boolean disconnected = false;
334        maybeParse();
335        for (TransactionInput input : inputs) {
336            disconnected |= input.disconnect();
337        }
338        return disconnected;
339    }
340
341    /**
342     * Connects all inputs using the provided transactions. If any input cannot be connected returns that input or
343     * null on success.
344     */
345    TransactionInput connectForReorganize(Map<Sha256Hash, Transaction> transactions) {
346        maybeParse();
347        for (TransactionInput input : inputs) {
348            // Coinbase transactions, by definition, do not have connectable inputs.
349            if (input.isCoinBase()) continue;
350            TransactionInput.ConnectionResult result =
351                    input.connect(transactions, TransactionInput.ConnectMode.ABORT_ON_CONFLICT);
352            // Connected to another tx in the wallet?
353            if (result == TransactionInput.ConnectionResult.SUCCESS)
354                continue;
355            // The input doesn't exist in the wallet, eg because it belongs to somebody else (inbound spend).
356            if (result == TransactionInput.ConnectionResult.NO_SUCH_TX)
357                continue;
358            // Could not connect this input, so return it and abort.
359            return input;
360        }
361        return null;
362    }
363
364    /**
365     * Returns true if every output is marked as spent.
366     */
367    public boolean isEveryOutputSpent() {
368        maybeParse();
369        for (TransactionOutput output : outputs) {
370            if (output.isAvailableForSpending())
371                return false;
372        }
373        return true;
374    }
375
376    /**
377     * Returns false if this transaction has at least one output that is owned by the given wallet and unspent, true
378     * otherwise.
379     */
380    public boolean isEveryOwnedOutputSpent(Wallet wallet) {
381        maybeParse();
382        for (TransactionOutput output : outputs) {
383            if (output.isAvailableForSpending() && output.isMine(wallet))
384                return false;
385        }
386        return true;
387    }
388
389    /**
390     * Returns the earliest time at which the transaction was seen (broadcast or included into the chain),
391     * or the epoch if that information isn't available.
392     */
393    public Date getUpdateTime() {
394        if (updatedAt == null) {
395            // Older wallets did not store this field. Set to the epoch.
396            updatedAt = new Date(0);
397        }
398        return updatedAt;
399    }
400    
401    public void setUpdateTime(Date updatedAt) {
402        this.updatedAt = updatedAt;
403    }
404
405    /**
406     * These constants are a part of a scriptSig signature on the inputs. They define the details of how a
407     * transaction can be redeemed, specifically, they control how the hash of the transaction is calculated.
408     * <p/>
409     * In the official client, this enum also has another flag, SIGHASH_ANYONECANPAY. In this implementation,
410     * that's kept separate. Only SIGHASH_ALL is actually used in the official client today. The other flags
411     * exist to allow for distributed contracts.
412     */
413    public enum SigHash {
414        ALL,         // 1
415        NONE,        // 2
416        SINGLE,      // 3
417    }
418    public static final byte SIGHASH_ANYONECANPAY_VALUE = (byte) 0x80;
419
420    protected void unCache() {
421        super.unCache();
422        hash = null;
423    }
424
425    protected void parseLite() throws ProtocolException {
426
427        //skip this if the length has been provided i.e. the tx is not part of a block
428        if (parseLazy && length == UNKNOWN_LENGTH) {
429            //If length hasn't been provided this tx is probably contained within a block.
430            //In parseRetain mode the block needs to know how long the transaction is
431            //unfortunately this requires a fairly deep (though not total) parse.
432            //This is due to the fact that transactions in the block's list do not include a
433            //size header and inputs/outputs are also variable length due the contained
434            //script so each must be instantiated so the scriptlength varint can be read
435            //to calculate total length of the transaction.
436            //We will still persist will this semi-light parsing because getting the lengths
437            //of the various components gains us the ability to cache the backing bytearrays
438            //so that only those subcomponents that have changed will need to be reserialized.
439
440            //parse();
441            //parsed = true;
442            length = calcLength(bytes, offset);
443            cursor = offset + length;
444        }
445    }
446
447    protected static int calcLength(byte[] buf, int offset) {
448        VarInt varint;
449        // jump past version (uint32)
450        int cursor = offset + 4;
451
452        int i;
453        long scriptLen;
454
455        varint = new VarInt(buf, cursor);
456        long txInCount = varint.value;
457        cursor += varint.getOriginalSizeInBytes();
458
459        for (i = 0; i < txInCount; i++) {
460            // 36 = length of previous_outpoint
461            cursor += 36;
462            varint = new VarInt(buf, cursor);
463            scriptLen = varint.value;
464            // 4 = length of sequence field (unint32)
465            cursor += scriptLen + 4 + varint.getOriginalSizeInBytes();
466        }
467
468        varint = new VarInt(buf, cursor);
469        long txOutCount = varint.value;
470        cursor += varint.getOriginalSizeInBytes();
471
472        for (i = 0; i < txOutCount; i++) {
473            // 8 = length of tx value field (uint64)
474            cursor += 8;
475            varint = new VarInt(buf, cursor);
476            scriptLen = varint.value;
477            cursor += scriptLen + varint.getOriginalSizeInBytes();
478        }
479        // 4 = length of lock_time field (uint32)
480        return cursor - offset + 4;
481    }
482
483    void parse() throws ProtocolException {
484
485        if (parsed)
486            return;
487
488        cursor = offset;
489
490        version = readUint32();
491        optimalEncodingMessageSize = 4;
492
493        // First come the inputs.
494        long numInputs = readVarInt();
495        optimalEncodingMessageSize += VarInt.sizeOf(numInputs);
496        inputs = new ArrayList<TransactionInput>((int) numInputs);
497        for (long i = 0; i < numInputs; i++) {
498            TransactionInput input = new TransactionInput(params, this, bytes, cursor, parseLazy, parseRetain);
499            inputs.add(input);
500            long scriptLen = readVarInt(TransactionOutPoint.MESSAGE_LENGTH);
501            optimalEncodingMessageSize += TransactionOutPoint.MESSAGE_LENGTH + VarInt.sizeOf(scriptLen) + scriptLen + 4;
502            cursor += scriptLen + 4;
503        }
504        // Now the outputs
505        long numOutputs = readVarInt();
506        optimalEncodingMessageSize += VarInt.sizeOf(numOutputs);
507        outputs = new ArrayList<TransactionOutput>((int) numOutputs);
508        for (long i = 0; i < numOutputs; i++) {
509            TransactionOutput output = new TransactionOutput(params, this, bytes, cursor, parseLazy, parseRetain);
510            outputs.add(output);
511            long scriptLen = readVarInt(8);
512            optimalEncodingMessageSize += 8 + VarInt.sizeOf(scriptLen) + scriptLen;
513            cursor += scriptLen;
514        }
515        lockTime = readUint32();
516        optimalEncodingMessageSize += 4;
517        length = cursor - offset;
518    }
519    
520    public int getOptimalEncodingMessageSize() {
521        if (optimalEncodingMessageSize != 0)
522            return optimalEncodingMessageSize;
523        maybeParse();
524        if (optimalEncodingMessageSize != 0)
525            return optimalEncodingMessageSize;
526        optimalEncodingMessageSize = getMessageSize();
527        return optimalEncodingMessageSize;
528    }
529
530    /**
531     * A coinbase transaction is one that creates a new coin. They are the first transaction in each block and their
532     * value is determined by a formula that all implementations of Bitcoin share. In 2011 the value of a coinbase
533     * transaction is 50 coins, but in future it will be less. A coinbase transaction is defined not only by its
534     * position in a block but by the data in the inputs.
535     */
536    public boolean isCoinBase() {
537        maybeParse();
538        return inputs.size() == 1 && inputs.get(0).isCoinBase();
539    }
540
541    /**
542     * A transaction is mature if it is either a building coinbase tx that is as deep or deeper than the required coinbase depth, or a non-coinbase tx.
543     */
544    public boolean isMature() {
545        if (!isCoinBase())
546            return true;
547
548        if (getConfidence().getConfidenceType() != ConfidenceType.BUILDING)
549            return false;
550
551        return getConfidence().getDepthInBlocks() >= params.getSpendableCoinbaseDepth();
552    }
553
554    public String toString() {
555        return toString(null);
556    }
557
558    /**
559     * A human readable version of the transaction useful for debugging. The format is not guaranteed to be stable.
560     * @param chain If provided, will be used to estimate lock times (if set). Can be null.
561     */
562    public String toString(AbstractBlockChain chain) {
563        // Basic info about the tx.
564        StringBuffer s = new StringBuffer();
565        s.append(String.format("  %s: %s%n", getHashAsString(), getConfidence()));
566        if (isTimeLocked()) {
567            String time;
568            if (lockTime < LOCKTIME_THRESHOLD) {
569                time = "block " + lockTime;
570                if (chain != null) {
571                    time = time + " (estimated to be reached at " +
572                            chain.estimateBlockTime((int)lockTime).toString() + ")";
573                }
574            } else {
575                time = new Date(lockTime).toString();
576            }
577            s.append(String.format("  time locked until %s%n", time));
578        }
579        if (inputs.size() == 0) {
580            s.append(String.format("  INCOMPLETE: No inputs!%n"));
581            return s.toString();
582        }
583        if (isCoinBase()) {
584            String script;
585            String script2;
586            try {
587                script = inputs.get(0).getScriptSig().toString();
588                script2 = outputs.get(0).getScriptPubKey().toString();
589            } catch (ScriptException e) {
590                script = "???";
591                script2 = "???";
592            }
593            s.append("     == COINBASE TXN (scriptSig " + script + ")  (scriptPubKey " + script2 + ")\n");
594            return s.toString();
595        }
596        for (TransactionInput in : inputs) {
597            s.append("     ");
598            s.append("from ");
599
600            try {
601                Script scriptSig = in.getScriptSig();
602                if (scriptSig.getChunks().size() == 2)
603                    s.append(scriptSig.getFromAddress(params).toString());
604                else if (scriptSig.getChunks().size() == 1) {
605                    s.append("[sig:");
606                    s.append(bytesToHexString(scriptSig.getChunks().get(0).data));
607                    s.append("]");
608                } else
609                    s.append(scriptSig);
610                s.append(" / ");
611                s.append(in.getOutpoint().toString());
612            } catch (Exception e) {
613                s.append("[exception: ").append(e.getMessage()).append("]");
614            }
615            s.append(String.format("%n"));
616        }
617        for (TransactionOutput out : outputs) {
618            s.append("       ");
619            s.append("to ");
620            try {
621                Script scriptPubKey = out.getScriptPubKey();
622                if (scriptPubKey.isSentToAddress()) {
623                    s.append(scriptPubKey.getToAddress(params).toString());
624                } else if (scriptPubKey.isSentToRawPubKey()) {
625                    s.append("[pubkey:");
626                    s.append(bytesToHexString(scriptPubKey.getPubKey()));
627                    s.append("]");
628                } else {
629                    s.append(scriptPubKey);
630                }
631                s.append(" ");
632                s.append(bitcoinValueToFriendlyString(out.getValue()));
633                s.append(" BTC");
634                if (!out.isAvailableForSpending()) {
635                    s.append(" Spent");
636                }
637                if (out.getSpentBy() != null) {
638                    s.append(" by ");
639                    s.append(out.getSpentBy().getParentTransaction().getHashAsString());
640                }
641            } catch (Exception e) {
642                s.append("[exception: ").append(e.getMessage()).append("]");
643            }
644            s.append(String.format("%n"));
645        }
646        return s.toString();
647    }
648
649    /**
650     * Removes all the inputs from this transaction.
651     * Note that this also invalidates the length attribute
652     */
653    public void clearInputs() {
654        unCache();
655        for (TransactionInput input : inputs) {
656            input.setParent(null);
657        }
658        inputs.clear();
659        // You wanted to reserialize, right?
660        this.length = this.bitcoinSerialize().length;
661    }
662
663    /**
664     * Adds an input to this transaction that imports value from the given output. Note that this input is NOT
665     * complete and after every input is added with addInput() and every output is added with addOutput(),
666     * signInputs() must be called to finalize the transaction and finish the inputs off. Otherwise it won't be
667     * accepted by the network. Returns the newly created input.
668     */
669    public TransactionInput addInput(TransactionOutput from) {
670        return addInput(new TransactionInput(params, this, from));
671    }
672
673    /**
674     * Adds an input directly, with no checking that it's valid. Returns the new input.
675     */
676    public TransactionInput addInput(TransactionInput input) {
677        unCache();
678        input.setParent(this);
679        inputs.add(input);
680        adjustLength(inputs.size(), input.length);
681        return input;
682    }
683
684    /**
685     * Removes all the inputs from this transaction.
686     * Note that this also invalidates the length attribute
687     */
688    public void clearOutputs() {
689        unCache();
690        for (TransactionOutput output : outputs) {
691            output.setParent(null);
692        }
693        outputs.clear();
694        // You wanted to reserialize, right?
695        this.length = this.bitcoinSerialize().length;
696    }
697
698    /**
699     * Adds the given output to this transaction. The output must be completely initialized. Returns the given output.
700     */
701    public TransactionOutput addOutput(TransactionOutput to) {
702        unCache();
703        to.setParent(this);
704        outputs.add(to);
705        adjustLength(outputs.size(), to.length);
706        return to;
707    }
708
709    /**
710     * Creates an output based on the given address and value, adds it to this transaction, and returns the new output.
711     */
712    public TransactionOutput addOutput(BigInteger value, Address address) {
713        return addOutput(new TransactionOutput(params, this, value, address));
714    }
715
716    /**
717     * Creates an output that pays to the given pubkey directly (no address) with the given value, adds it to this
718     * transaction, and returns the new output.
719     */
720    public TransactionOutput addOutput(BigInteger value, ECKey pubkey) {
721        return addOutput(new TransactionOutput(params, this, value, pubkey));
722    }
723
724    /**
725     * Creates an output that pays to the given script. The address and key forms are specialisations of this method,
726     * you won't normally need to use it unless you're doing unusual things.
727     */
728    public TransactionOutput addOutput(BigInteger value, Script script) {
729        return addOutput(new TransactionOutput(params, this, value, script.getProgram()));
730    }
731
732    /**
733     * Once a transaction has some inputs and outputs added, the signatures in the inputs can be calculated. The
734     * signature is over the transaction itself, to prove the redeemer actually created that transaction,
735     * so we have to do this step last.<p>
736     * <p/>
737     * This method is similar to SignatureHash in script.cpp
738     *
739     * @param hashType This should always be set to SigHash.ALL currently. Other types are unused.
740     * @param wallet   A wallet is required to fetch the keys needed for signing.
741     */
742    public synchronized void signInputs(SigHash hashType, Wallet wallet) throws ScriptException {
743        signInputs(hashType, wallet, null);
744    }
745
746    /**
747     * <p>Once a transaction has some inputs and outputs added, the signatures in the inputs can be calculated. The
748     * signature is over the transaction itself, to prove the redeemer actually created that transaction,
749     * so we have to do this step last.</p>
750     *
751     * @param hashType This should always be set to SigHash.ALL currently. Other types are unused.
752     * @param wallet  A wallet is required to fetch the keys needed for signing.
753     * @param aesKey The AES key to use to decrypt the key before signing. Null if no decryption is required.
754     */
755    public synchronized void signInputs(SigHash hashType, Wallet wallet, KeyParameter aesKey) throws ScriptException {
756        // TODO: This should be a method of the TransactionInput that (possibly?) operates with a copy of this object.
757        Preconditions.checkState(inputs.size() > 0);
758        Preconditions.checkState(outputs.size() > 0);
759
760        // I don't currently have an easy way to test other modes work, as the official client does not use them.
761        Preconditions.checkArgument(hashType == SigHash.ALL, "Only SIGHASH_ALL is currently supported");
762
763        // The transaction is signed with the input scripts empty except for the input we are signing. In the case
764        // where addInput has been used to set up a new transaction, they are already all empty. The input being signed
765        // has to have the connected OUTPUT program in it when the hash is calculated!
766        //
767        // Note that each input may be claiming an output sent to a different key. So we have to look at the outputs
768        // to figure out which key to sign with.
769
770        int[] sigHashFlags = new int[inputs.size()];
771        ECKey.ECDSASignature[] signatures = new ECKey.ECDSASignature[inputs.size()];
772        ECKey[] signingKeys = new ECKey[inputs.size()];
773        for (int i = 0; i < inputs.size(); i++) {
774            TransactionInput input = inputs.get(i);
775            // We don't have the connected output, we assume it was signed already and move on
776            if (input.getOutpoint().getConnectedOutput() == null) {
777                log.warn("Missing connected output, assuming input {} is already signed.", i);
778                continue;
779            }
780            try {
781                // We assume if its already signed, its hopefully got a SIGHASH type that will not invalidate when
782                // we sign missing pieces (to check this would require either assuming any signatures are signing
783                // standard output types or a way to get processed signatures out of script execution)
784                input.getScriptSig().correctlySpends(this, i, input.getOutpoint().getConnectedOutput().getScriptPubKey(), true);
785                log.warn("Input {} already correctly spends output, assuming SIGHASH type used will be safe and skipping signing.", i);
786                continue;
787            } catch (ScriptException e) {}
788            if (input.getScriptBytes().length != 0)
789                log.warn("Re-signing an already signed transaction! Be sure this is what you want.");
790            // Find the signing key we'll need to use.
791            ECKey key = input.getOutpoint().getConnectedKey(wallet);
792            // This assert should never fire. If it does, it means the wallet is inconsistent.
793            Preconditions.checkNotNull(key, "Transaction exists in wallet that we cannot redeem: %s",
794                                       input.getOutpoint().getHash());
795            // Keep the key around for the script creation step below.
796            signingKeys[i] = key;
797            // The anyoneCanPay feature isn't used at the moment.
798            boolean anyoneCanPay = false;
799            byte[] connectedPubKeyScript = input.getOutpoint().getConnectedPubKeyScript();
800            Sha256Hash hash = hashTransactionForSignature(i, connectedPubKeyScript, hashType, anyoneCanPay);
801
802            // Now calculate the signatures we need to prove we own this transaction and are authorized to claim the
803            // associated money.
804            signatures[i] = key.sign(hash, aesKey);
805            sigHashFlags[i] = (hashType.ordinal() + 1) | (anyoneCanPay ? SIGHASH_ANYONECANPAY_VALUE : 0);
806        }
807
808        // Now we have calculated each signature, go through and create the scripts. Reminder: the script consists:
809        // 1) For pay-to-address outputs: a signature (over a hash of the simplified transaction) and the complete
810        //    public key needed to sign for the connected output. The output script checks the provided pubkey hashes
811        //    to the address and then checks the signature.
812        // 2) For pay-to-key outputs: just a signature.
813        for (int i = 0; i < inputs.size(); i++) {
814            if (signatures[i] == null)
815                continue;
816            TransactionInput input = inputs.get(i);
817            Script scriptPubKey = input.getOutpoint().getConnectedOutput().getScriptPubKey();
818            if (scriptPubKey.isSentToAddress()) {
819                input.setScriptSig(ScriptBuilder.createInputScript(signatures[i], signingKeys[i], sigHashFlags[i]));
820            } else if (scriptPubKey.isSentToRawPubKey()) {
821                input.setScriptSig(ScriptBuilder.createInputScript(signatures[i], sigHashFlags[i]));
822            } else {
823                // Should be unreachable - if we don't recognize the type of script we're trying to sign for, we should
824                // have failed above when fetching the key to sign with.
825                throw new RuntimeException("Do not understand script type: " + scriptPubKey);
826            }
827        }
828
829        // Every input is now complete.
830    }
831
832    /**
833     * <p>Calculates a signature hash, that is, a hash of a simplified form of the transaction. How exactly the transaction
834     * is simplified is specified by the type and anyoneCanPay parameters.</p>
835     *
836     * <p>You don't normally ever need to call this yourself. It will become more useful in future as the contracts
837     * features of Bitcoin are developed.</p>
838     *
839     * @param inputIndex input the signature is being calculated for. Tx signatures are always relative to an input.
840     * @param connectedScript the bytes that should be in the given input during signing.
841     * @param type Should be SigHash.ALL
842     * @param anyoneCanPay should be false.
843     */
844    public synchronized Sha256Hash hashTransactionForSignature(int inputIndex, byte[] connectedScript,
845                                                               SigHash type, boolean anyoneCanPay) {
846        return hashTransactionForSignature(inputIndex, connectedScript, (byte)((type.ordinal() + 1) | (anyoneCanPay ? SIGHASH_ANYONECANPAY_VALUE : 0x00)));
847    }
848
849    /**
850     * <p>Calculates a signature hash, that is, a hash of a simplified form of the transaction. How exactly the transaction
851     * is simplified is specified by the type and anyoneCanPay parameters.</p>
852     *
853     * <p>You don't normally ever need to call this yourself. It will become more useful in future as the contracts
854     * features of Bitcoin are developed.</p>
855     *
856     * @param inputIndex input the signature is being calculated for. Tx signatures are always relative to an input.
857     * @param connectedScript the script that should be in the given input during signing.
858     * @param type Should be SigHash.ALL
859     * @param anyoneCanPay should be false.
860     */
861    public synchronized Sha256Hash hashTransactionForSignature(int inputIndex, Script connectedScript,
862                                                               SigHash type, boolean anyoneCanPay) {
863        return hashTransactionForSignature(inputIndex, connectedScript.getProgram(),
864                (byte)((type.ordinal() + 1) | (anyoneCanPay ? SIGHASH_ANYONECANPAY_VALUE : 0x00)));
865    }
866
867    /**
868     * This is required for signatures which use a sigHashType which cannot be represented using SigHash and anyoneCanPay
869     * See transaction c99c49da4c38af669dea436d3e73780dfdb6c1ecf9958baa52960e8baee30e73, which has sigHashType 0
870     */
871    public synchronized Sha256Hash hashTransactionForSignature(int inputIndex, byte[] connectedScript,
872            byte sigHashType) {
873        // TODO: This whole separate method should be un-necessary if we fix how we deserialize sighash flags.
874
875        // The SIGHASH flags are used in the design of contracts, please see this page for a further understanding of
876        // the purposes of the code in this method:
877        //
878        //   https://en.bitcoin.it/wiki/Contracts
879
880        try {
881            // Store all the input scripts and clear them in preparation for signing. If we're signing a fresh
882            // transaction that step isn't very helpful, but it doesn't add much cost relative to the actual
883            // EC math so we'll do it anyway.
884            //
885            // Also store the input sequence numbers in case we are clearing them with SigHash.NONE/SINGLE
886            byte[][] inputScripts = new byte[inputs.size()][];
887            long[] inputSequenceNumbers = new long[inputs.size()];
888            for (int i = 0; i < inputs.size(); i++) {
889                inputScripts[i] = inputs.get(i).getScriptBytes();
890                inputSequenceNumbers[i] = inputs.get(i).getSequenceNumber();
891                inputs.get(i).setScriptBytes(TransactionInput.EMPTY_ARRAY);
892            }
893
894            // This step has no purpose beyond being synchronized with the reference clients bugs. OP_CODESEPARATOR
895            // is a legacy holdover from a previous, broken design of executing scripts that shipped in Bitcoin 0.1.
896            // It was seriously flawed and would have let anyone take anyone elses money. Later versions switched to
897            // the design we use today where scripts are executed independently but share a stack. This left the
898            // OP_CODESEPARATOR instruction having no purpose as it was only meant to be used internally, not actually
899            // ever put into scripts. Deleting OP_CODESEPARATOR is a step that should never be required but if we don't
900            // do it, we could split off the main chain.
901            connectedScript = Script.removeAllInstancesOfOp(connectedScript, ScriptOpCodes.OP_CODESEPARATOR);
902            
903            // Set the input to the script of its output. Satoshi does this but the step has no obvious purpose as
904            // the signature covers the hash of the prevout transaction which obviously includes the output script
905            // already. Perhaps it felt safer to him in some way, or is another leftover from how the code was written.
906            TransactionInput input = inputs.get(inputIndex);
907            input.setScriptBytes(connectedScript);
908            
909            ArrayList<TransactionOutput> outputs = this.outputs;
910            if ((sigHashType & 0x1f) == (SigHash.NONE.ordinal() + 1)) {
911                // SIGHASH_NONE means no outputs are signed at all - the signature is effectively for a "blank cheque".
912                this.outputs = new ArrayList<TransactionOutput>(0);
913                // The signature isn't broken by new versions of the transaction issued by other parties.
914                for (int i = 0; i < inputs.size(); i++)
915                    if (i != inputIndex)
916                        inputs.get(i).setSequenceNumber(0);
917            } else if ((sigHashType & 0x1f) == (SigHash.SINGLE.ordinal() + 1)) {
918                // SIGHASH_SINGLE means only sign the output at the same index as the input (ie, my output).
919                if (inputIndex >= this.outputs.size()) {
920                    // The input index is beyond the number of outputs, it's a buggy signature made by a broken
921                    // Bitcoin implementation. The reference client also contains a bug in handling this case:
922                    // any transaction output that is signed in this case will result in both the signed output
923                    // and any future outputs to this public key being steal-able by anyone who has
924                    // the resulting signature and the public key (both of which are part of the signed tx input).
925                    // Put the transaction back to how we found it.
926                    //
927                    // TODO: Only allow this to happen if we are checking a signature, not signing a transactions
928                    for (int i = 0; i < inputs.size(); i++) {
929                        inputs.get(i).setScriptBytes(inputScripts[i]);
930                        inputs.get(i).setSequenceNumber(inputSequenceNumbers[i]);
931                    }
932                    this.outputs = outputs;
933                    // Satoshis bug is that SignatureHash was supposed to return a hash and on this codepath it
934                    // actually returns the constant "1" to indicate an error, which is never checked for. Oops.
935                    return new Sha256Hash("0100000000000000000000000000000000000000000000000000000000000000");
936                }
937                // In SIGHASH_SINGLE the outputs after the matching input index are deleted, and the outputs before
938                // that position are "nulled out". Unintuitively, the value in a "null" transaction is set to -1.
939                this.outputs = new ArrayList<TransactionOutput>(this.outputs.subList(0, inputIndex + 1));
940                for (int i = 0; i < inputIndex; i++)
941                    this.outputs.set(i, new TransactionOutput(params, this, BigInteger.valueOf(-1), new byte[] {}));
942                // The signature isn't broken by new versions of the transaction issued by other parties.
943                for (int i = 0; i < inputs.size(); i++)
944                    if (i != inputIndex)
945                        inputs.get(i).setSequenceNumber(0);
946            }
947            
948            ArrayList<TransactionInput> inputs = this.inputs;
949            if ((sigHashType & SIGHASH_ANYONECANPAY_VALUE) == SIGHASH_ANYONECANPAY_VALUE) {
950                // SIGHASH_ANYONECANPAY means the signature in the input is not broken by changes/additions/removals
951                // of other inputs. For example, this is useful for building assurance contracts.
952                this.inputs = new ArrayList<TransactionInput>();
953                this.inputs.add(input);
954            }
955
956            ByteArrayOutputStream bos = new UnsafeByteArrayOutputStream(length == UNKNOWN_LENGTH ? 256 : length + 4);
957            bitcoinSerialize(bos);
958            // We also have to write a hash type (sigHashType is actually an unsigned char)
959            uint32ToByteStreamLE(0x000000ff & sigHashType, bos);
960            // Note that this is NOT reversed to ensure it will be signed correctly. If it were to be printed out
961            // however then we would expect that it is IS reversed.
962            Sha256Hash hash = new Sha256Hash(doubleDigest(bos.toByteArray()));
963            bos.close();
964
965            // Put the transaction back to how we found it.
966            this.inputs = inputs;
967            for (int i = 0; i < inputs.size(); i++) {
968                inputs.get(i).setScriptBytes(inputScripts[i]);
969                inputs.get(i).setSequenceNumber(inputSequenceNumbers[i]);
970            }
971            this.outputs = outputs;
972            return hash;
973        } catch (IOException e) {
974            throw new RuntimeException(e);  // Cannot happen.
975        }
976    }
977
978    @Override
979    protected void bitcoinSerializeToStream(OutputStream stream) throws IOException {
980        uint32ToByteStreamLE(version, stream);
981        stream.write(new VarInt(inputs.size()).encode());
982        for (TransactionInput in : inputs)
983            in.bitcoinSerialize(stream);
984        stream.write(new VarInt(outputs.size()).encode());
985        for (TransactionOutput out : outputs)
986            out.bitcoinSerialize(stream);
987        uint32ToByteStreamLE(lockTime, stream);
988    }
989
990
991    /**
992     * Transactions can have an associated lock time, specified either as a block height or in seconds since the
993     * UNIX epoch. A transaction is not allowed to be confirmed by miners until the lock time is reached, and
994     * since Bitcoin 0.8+ a transaction that did not end its lock period (non final) is considered to be non
995     * standard and won't be relayed or included in the memory pool either.
996     */
997    public long getLockTime() {
998        maybeParse();
999        return lockTime;
1000    }
1001
1002    /**
1003     * Transactions can have an associated lock time, specified either as a block height or in seconds since the
1004     * UNIX epoch. A transaction is not allowed to be confirmed by miners until the lock time is reached, and
1005     * since Bitcoin 0.8+ a transaction that did not end its lock period (non final) is considered to be non
1006     * standard and won't be relayed or included in the memory pool either.
1007     */
1008    public void setLockTime(long lockTime) {
1009        unCache();
1010        // TODO: Consider checking that at least one input has a non-final sequence number.
1011        this.lockTime = lockTime;
1012    }
1013
1014    /**
1015     * @return the version
1016     */
1017    public long getVersion() {
1018        maybeParse();
1019        return version;
1020    }
1021
1022    /** Returns an unmodifiable view of all inputs. */
1023    public List<TransactionInput> getInputs() {
1024        maybeParse();
1025        return Collections.unmodifiableList(inputs);
1026    }
1027
1028    /** Returns an unmodifiable view of all outputs. */
1029    public List<TransactionOutput> getOutputs() {
1030        maybeParse();
1031        return Collections.unmodifiableList(outputs);
1032    }
1033
1034    /** @return the given transaction: same as getInputs().get(index). */
1035    public TransactionInput getInput(int index) {
1036        maybeParse();
1037        return inputs.get(index);
1038    }
1039
1040    public TransactionOutput getOutput(int index) {
1041        maybeParse();
1042        return outputs.get(index);
1043    }
1044
1045    public synchronized TransactionConfidence getConfidence() {
1046        if (confidence == null) {
1047            confidence = new TransactionConfidence(this);
1048        }
1049        return confidence;
1050    }
1051
1052    /** Check if the transaction has a known confidence */
1053    public synchronized boolean hasConfidence() {
1054        return confidence != null && confidence.getConfidenceType() != TransactionConfidence.ConfidenceType.UNKNOWN;
1055    }
1056
1057    @Override
1058    public boolean equals(Object other) {
1059        if (!(other instanceof Transaction)) return false;
1060        Transaction t = (Transaction) other;
1061
1062        return t.getHash().equals(getHash());
1063    }
1064
1065    @Override
1066    public int hashCode() {
1067        return getHash().hashCode();
1068    }
1069
1070    /**
1071     * Ensure object is fully parsed before invoking java serialization.  The backing byte array
1072     * is transient so if the object has parseLazy = true and hasn't invoked checkParse yet
1073     * then data will be lost during serialization.
1074     */
1075    private void writeObject(ObjectOutputStream out) throws IOException {
1076        maybeParse();
1077        out.defaultWriteObject();
1078    }
1079
1080    /**
1081     * Gets the count of regular SigOps in this transactions
1082     */
1083    public int getSigOpCount() throws ScriptException {
1084        maybeParse();
1085        int sigOps = 0;
1086        for (TransactionInput input : inputs)
1087            sigOps += Script.getSigOpCount(input.getScriptBytes());
1088        for (TransactionOutput output : outputs)
1089            sigOps += Script.getSigOpCount(output.getScriptBytes());
1090        return sigOps;
1091    }
1092
1093    /**
1094     * Checks the transaction contents for sanity, in ways that can be done in a standalone manner.
1095     * Does <b>not</b> perform all checks on a transaction such as whether the inputs are already spent.
1096     *
1097     * @throws VerificationException
1098     */
1099    public void verify() throws VerificationException {
1100        maybeParse();
1101        if (inputs.size() == 0 || outputs.size() == 0)
1102            throw new VerificationException("Transaction had no inputs or no outputs.");
1103        if (this.getMessageSize() > Block.MAX_BLOCK_SIZE)
1104            throw new VerificationException("Transaction larger than MAX_BLOCK_SIZE");
1105        
1106        BigInteger valueOut = BigInteger.ZERO;
1107        for (TransactionOutput output : outputs) {
1108            if (output.getValue().compareTo(BigInteger.ZERO) < 0)
1109                throw new VerificationException("Transaction output negative");
1110            valueOut = valueOut.add(output.getValue());
1111        }
1112        if (valueOut.compareTo(params.MAX_MONEY) > 0)
1113            throw new VerificationException("Total transaction output value greater than possible");
1114        
1115        if (isCoinBase()) {
1116            if (inputs.get(0).getScriptBytes().length < 2 || inputs.get(0).getScriptBytes().length > 100)
1117                throw new VerificationException("Coinbase script size out of range");
1118        } else {
1119            for (TransactionInput input : inputs)
1120                if (input.isCoinBase())
1121                    throw new VerificationException("Coinbase input as input in non-coinbase transaction");
1122        }
1123    }
1124
1125    /**
1126     * <p>A transaction is time locked if at least one of its inputs is non-final and it has a lock time</p>
1127     *
1128     * <p>To check if this transaction is final at a given height and time, see {@link Transaction#isFinal(int, long)}
1129     * </p>
1130     */
1131    public boolean isTimeLocked() {
1132        if (getLockTime() == 0)
1133            return false;
1134        for (TransactionInput input : getInputs())
1135            if (input.hasSequence())
1136                return true;
1137        return false;
1138    }
1139
1140    /**
1141     * <p>Returns true if this transaction is considered finalized and can be placed in a block. Non-finalized
1142     * transactions won't be included by miners and can be replaced with newer versions using sequence numbers.
1143     * This is useful in certain types of <a href="http://en.bitcoin.it/wiki/Contracts">contracts</a>, such as
1144     * micropayment channels.</p>
1145     *
1146     * <p>Note that currently the replacement feature is disabled in the Satoshi client and will need to be
1147     * re-activated before this functionality is useful.</p>
1148     */
1149    public boolean isFinal(int height, long blockTimeSeconds) {
1150        long time = getLockTime();
1151        if (time < (time < LOCKTIME_THRESHOLD ? height : blockTimeSeconds))
1152            return true;
1153        if (!isTimeLocked())
1154            return true;
1155        return false;
1156    }
1157
1158    /**
1159     * Parses the string either as a whole number of blocks, or if it contains slashes as a YYYY/MM/DD format date
1160     * and returns the lock time in wire format.
1161     */
1162    public static long parseLockTimeStr(String lockTimeStr) throws ParseException {
1163        if (lockTimeStr.indexOf("/") != -1) {
1164            SimpleDateFormat format = new SimpleDateFormat("yyyy/MM/dd");
1165            Date date = format.parse(lockTimeStr);
1166            return date.getTime() / 1000;
1167        }
1168        return Long.parseLong(lockTimeStr);
1169    }
1170
1171    /**
1172     * Returns either the lock time as a date, if it was specified in seconds, or an estimate based on the time in
1173     * the current head block if it was specified as a block time.
1174     */
1175    public Date estimateLockTime(AbstractBlockChain chain) {
1176        if (lockTime < LOCKTIME_THRESHOLD)
1177            return chain.estimateBlockTime((int)getLockTime());
1178        else
1179            return new Date(getLockTime()*1000);
1180    }
1181}