@Override
 public DeterministicKeyChain toDecrypted(KeyParameter aesKey) {
   checkState(getKeyCrypter() != null, "Key chain not encrypted");
   checkState(seed != null, "Can't decrypt a watching chain");
   checkState(seed.isEncrypted());
   String passphrase = DEFAULT_PASSPHRASE_FOR_MNEMONIC; // FIXME allow non-empty passphrase
   DeterministicSeed decSeed = seed.decrypt(getKeyCrypter(), passphrase, aesKey);
   DeterministicKeyChain chain = new DeterministicKeyChain(decSeed);
   // Now double check that the keys match to catch the case where the key is wrong but padding
   // didn't catch it.
   if (!chain.getWatchingKey().getPubKeyPoint().equals(getWatchingKey().getPubKeyPoint()))
     throw new KeyCrypterException("Provided AES key is wrong");
   chain.lookaheadSize = lookaheadSize;
   // Now copy the (pubkey only) leaf keys across to avoid rederiving them. The private key bytes
   // are missing
   // anyway so there's nothing to decrypt.
   for (ECKey eckey : basicKeyChain.getKeys()) {
     DeterministicKey key = (DeterministicKey) eckey;
     if (key.getPath().size() != 3) continue; // Not a leaf key.
     checkState(key.isEncrypted());
     DeterministicKey parent =
         chain.hierarchy.get(checkNotNull(key.getParent()).getPath(), false, false);
     // Clone the key to the new decrypted hierarchy.
     key = new DeterministicKey(key.getPubOnly(), parent);
     chain.hierarchy.putKey(key);
     chain.basicKeyChain.importKey(key);
   }
   chain.issuedExternalKeys = issuedExternalKeys;
   chain.issuedInternalKeys = issuedInternalKeys;
   return chain;
 }
  /**
   * Pre-generate enough keys to reach the lookahead size, but only if there are more than the
   * lookaheadThreshold to be generated, so that the Bloom filter does not have to be regenerated
   * that often.
   *
   * <p>The returned mutable list of keys must be inserted into the basic key chain.
   */
  private List<DeterministicKey> maybeLookAhead(
      DeterministicKey parent, int issued, int lookaheadSize, int lookaheadThreshold) {
    checkState(lock.isHeldByCurrentThread());
    final int numChildren = hierarchy.getNumChildren(parent.getPath());
    final int needed = issued + lookaheadSize + lookaheadThreshold - numChildren;

    if (needed <= lookaheadThreshold) return new ArrayList<DeterministicKey>();

    log.info(
        "{} keys needed for {} = {} issued + {} lookahead size + {} lookahead threshold - {} num children",
        needed,
        parent.getPathAsString(),
        issued,
        lookaheadSize,
        lookaheadThreshold,
        numChildren);

    List<DeterministicKey> result = new ArrayList<DeterministicKey>(needed);
    long now = System.currentTimeMillis();
    int nextChild = numChildren;
    for (int i = 0; i < needed; i++) {
      DeterministicKey key = HDKeyDerivation.deriveThisOrNextChildKey(parent, nextChild);
      key = key.getPubOnly();
      hierarchy.putKey(key);
      result.add(key);
      nextChild = key.getChildNumber().num() + 1;
    }
    log.info("Took {} msec", System.currentTimeMillis() - now);
    return result;
  }
 /**
  * Creates a deterministic key chain that watches the given (public only) root key. You can use
  * this to calculate balances and generally follow along, but spending is not possible with such a
  * chain. Currently you can't use this method to watch an arbitrary fragment of some other tree,
  * this limitation may be removed in future.
  */
 public DeterministicKeyChain(DeterministicKey watchingKey, long creationTimeSeconds) {
   checkArgument(watchingKey.isPubKeyOnly(), "Private subtrees not currently supported");
   checkArgument(watchingKey.getPath().size() == 1, "You can only watch an account key currently");
   basicKeyChain = new BasicKeyChain();
   this.creationTimeSeconds = creationTimeSeconds;
   this.seed = null;
   initializeHierarchyUnencrypted(watchingKey);
 }
 /** Returns leaf keys issued by this chain (including lookahead zone) */
 public List<DeterministicKey> getLeafKeys() {
   ImmutableList.Builder<DeterministicKey> keys = ImmutableList.builder();
   for (ECKey key : getKeys(true)) {
     DeterministicKey dKey = (DeterministicKey) key;
     if (dKey.getPath().size() > 2) {
       keys.add(dKey);
     }
   }
   return keys.build();
 }
 @Override
 public boolean checkAESKey(KeyParameter aesKey) {
   checkState(rootKey != null, "Can't check password for a watching chain");
   checkNotNull(aesKey);
   checkState(getKeyCrypter() != null, "Key chain not encrypted");
   try {
     return rootKey.decrypt(aesKey).getPubKeyPoint().equals(rootKey.getPubKeyPoint());
   } catch (KeyCrypterException e) {
     return false;
   }
 }
 private DeterministicKey encryptNonLeaf(
     KeyParameter aesKey,
     DeterministicKeyChain chain,
     DeterministicKey parent,
     ImmutableList<ChildNumber> path) {
   DeterministicKey key = chain.hierarchy.get(path, false, false);
   key = key.encrypt(checkNotNull(basicKeyChain.getKeyCrypter()), aesKey, parent);
   hierarchy.putKey(key);
   basicKeyChain.importKey(key);
   return key;
 }
 private void checkForBitFlip(DeterministicKey k) {
   DeterministicKey parent = checkNotNull(k.getParent());
   byte[] rederived =
       HDKeyDerivation.deriveChildKeyBytesFromPublic(
               parent, k.getChildNumber(), HDKeyDerivation.PublicDeriveMode.WITH_INVERSION)
           .keyBytes;
   byte[] actual = k.getPubKey();
   if (!Arrays.equals(rederived, actual))
     throw new IllegalStateException(
         String.format(
             "Bit-flip check failed: %s vs %s",
             Arrays.toString(rederived), Arrays.toString(actual)));
 }
  /**
   * Mark the DeterministicKey as used. Also correct the issued{Internal|External}Keys counter,
   * because all lower children seem to be requested already. If the counter was updated, we also
   * might trigger lookahead.
   */
  public DeterministicKey markKeyAsUsed(DeterministicKey k) {
    int numChildren = k.getChildNumber().i() + 1;

    if (k.getParent() == internalKey) {
      if (issuedInternalKeys < numChildren) {
        issuedInternalKeys = numChildren;
        maybeLookAhead();
      }
    } else if (k.getParent() == externalKey) {
      if (issuedExternalKeys < numChildren) {
        issuedExternalKeys = numChildren;
        maybeLookAhead();
      }
    }
    return k;
  }
 // Derives the account path keys and inserts them into the basic key chain. This is important to
 // preserve their
 // order for serialization, amongst other things.
 private void initializeHierarchyUnencrypted(DeterministicKey baseKey) {
   if (baseKey.getPath().isEmpty()) {
     // baseKey is a master/root key derived directly from a seed.
     addToBasicChain(rootKey);
     hierarchy = new DeterministicHierarchy(rootKey);
     addToBasicChain(hierarchy.get(ACCOUNT_ZERO_PATH, false, true));
   } else if (baseKey.getPath().size() == 1) {
     // baseKey is a "watching key" that we were given so we could follow along with this account.
     rootKey = null;
     addToBasicChain(baseKey);
     hierarchy = new DeterministicHierarchy(baseKey);
   } else {
     throw new IllegalArgumentException();
   }
   externalKey = hierarchy.deriveChild(ACCOUNT_ZERO_PATH, false, false, ChildNumber.ZERO);
   internalKey = hierarchy.deriveChild(ACCOUNT_ZERO_PATH, false, false, ChildNumber.ONE);
   addToBasicChain(externalKey);
   addToBasicChain(internalKey);
 }
  // For use in encryption.
  private DeterministicKeyChain(
      KeyCrypter crypter, KeyParameter aesKey, DeterministicKeyChain chain) {
    // Can't encrypt a watching chain.
    checkNotNull(chain.rootKey);
    checkNotNull(chain.seed);

    checkArgument(!chain.rootKey.isEncrypted(), "Chain already encrypted");

    this.issuedExternalKeys = chain.issuedExternalKeys;
    this.issuedInternalKeys = chain.issuedInternalKeys;

    this.lookaheadSize = chain.lookaheadSize;
    this.lookaheadThreshold = chain.lookaheadThreshold;

    this.seed = chain.seed.encrypt(crypter, aesKey);
    basicKeyChain = new BasicKeyChain(crypter);
    // The first number is the "account number" but we don't use that feature.
    rootKey = chain.rootKey.encrypt(crypter, aesKey, null);
    hierarchy = new DeterministicHierarchy(rootKey);
    basicKeyChain.importKey(rootKey);

    DeterministicKey account = encryptNonLeaf(aesKey, chain, rootKey, ACCOUNT_ZERO_PATH);
    externalKey = encryptNonLeaf(aesKey, chain, account, EXTERNAL_PATH);
    internalKey = encryptNonLeaf(aesKey, chain, account, INTERNAL_PATH);

    // Now copy the (pubkey only) leaf keys across to avoid rederiving them. The private key bytes
    // are missing
    // anyway so there's nothing to encrypt.
    for (ECKey eckey : chain.basicKeyChain.getKeys()) {
      DeterministicKey key = (DeterministicKey) eckey;
      if (key.getPath().size() != 3) continue; // Not a leaf key.
      DeterministicKey parent =
          hierarchy.get(checkNotNull(key.getParent()).getPath(), false, false);
      // Clone the key to the new encrypted hierarchy.
      key = new DeterministicKey(key.getPubOnly(), parent);
      hierarchy.putKey(key);
      basicKeyChain.importKey(key);
    }
  }
 DeterministicKeyChain(DeterministicSeed seed, @Nullable KeyCrypter crypter) {
   this.seed = seed;
   basicKeyChain = new BasicKeyChain(crypter);
   if (!seed.isEncrypted()) {
     rootKey = HDKeyDerivation.createMasterPrivateKey(checkNotNull(seed.getSeedBytes()));
     rootKey.setCreationTimeSeconds(seed.getCreationTimeSeconds());
     initializeHierarchyUnencrypted(rootKey);
   }
   // Else...
   // We can't initialize ourselves with just an encrypted seed, so we expected deserialization
   // code to do the
   // rest of the setup (loading the root key).
 }
 // For internal usage only
 /* package */ List<ECKey> getKeys(boolean includeLookahead) {
   List<ECKey> keys = basicKeyChain.getKeys();
   if (!includeLookahead) {
     int treeSize = internalKey.getPath().size();
     List<ECKey> issuedKeys = new LinkedList<ECKey>();
     for (ECKey key : keys) {
       DeterministicKey detkey = (DeterministicKey) key;
       DeterministicKey parent = detkey.getParent();
       if (parent == null) continue;
       if (detkey.getPath().size() <= treeSize) continue;
       if (parent.equals(internalKey) && detkey.getChildNumber().i() > issuedInternalKeys)
         continue;
       if (parent.equals(externalKey) && detkey.getChildNumber().i() > issuedExternalKeys)
         continue;
       issuedKeys.add(detkey);
     }
     return issuedKeys;
   }
   return keys;
 }
 @Override
 public List<Protos.Key> serializeToProtobuf() {
   lock.lock();
   try {
     // Most of the serialization work is delegated to the basic key chain, which will serialize
     // the bulk of the
     // data (handling encryption along the way), and letting us patch it up with the extra data we
     // care about.
     LinkedList<Protos.Key> entries = newLinkedList();
     if (seed != null) {
       Protos.Key.Builder mnemonicEntry = BasicKeyChain.serializeEncryptableItem(seed);
       mnemonicEntry.setType(Protos.Key.Type.DETERMINISTIC_MNEMONIC);
       entries.add(mnemonicEntry.build());
     }
     Map<ECKey, Protos.Key.Builder> keys = basicKeyChain.serializeToEditableProtobufs();
     for (Map.Entry<ECKey, Protos.Key.Builder> entry : keys.entrySet()) {
       DeterministicKey key = (DeterministicKey) entry.getKey();
       Protos.Key.Builder proto = entry.getValue();
       proto.setType(Protos.Key.Type.DETERMINISTIC_KEY);
       final Protos.DeterministicKey.Builder detKey = proto.getDeterministicKeyBuilder();
       detKey.setChainCode(ByteString.copyFrom(key.getChainCode()));
       for (ChildNumber num : key.getPath()) detKey.addPath(num.i());
       if (key.equals(externalKey)) {
         detKey.setIssuedSubkeys(issuedExternalKeys);
         detKey.setLookaheadSize(lookaheadSize);
       } else if (key.equals(internalKey)) {
         detKey.setIssuedSubkeys(issuedInternalKeys);
         detKey.setLookaheadSize(lookaheadSize);
       }
       // Flag the very first key of following keychain.
       if (entries.isEmpty() && isFollowing()) {
         detKey.setIsFollowing(true);
       }
       if (key.getParent() != null) {
         // HD keys inherit the timestamp of their parent if they have one, so no need to serialize
         // it.
         proto.clearCreationTimestamp();
       }
       entries.add(proto.build());
     }
     return entries;
   } finally {
     lock.unlock();
   }
 }
 /**
  * Returns all the key chains found in the given list of keys. Typically there will only be one,
  * but in the case of key rotation it can happen that there are multiple chains found.
  */
 public static List<DeterministicKeyChain> fromProtobuf(
     List<Protos.Key> keys, @Nullable KeyCrypter crypter) throws UnreadableWalletException {
   List<DeterministicKeyChain> chains = newLinkedList();
   DeterministicSeed seed = null;
   DeterministicKeyChain chain = null;
   int lookaheadSize = -1;
   for (Protos.Key key : keys) {
     final Protos.Key.Type t = key.getType();
     if (t == Protos.Key.Type.DETERMINISTIC_MNEMONIC) {
       if (chain != null) {
         checkState(lookaheadSize >= 0);
         chain.setLookaheadSize(lookaheadSize);
         chain.maybeLookAhead();
         chains.add(chain);
         chain = null;
       }
       long timestamp = key.getCreationTimestamp() / 1000;
       String passphrase = DEFAULT_PASSPHRASE_FOR_MNEMONIC; // FIXME allow non-empty passphrase
       if (key.hasSecretBytes()) {
         seed = new DeterministicSeed(key.getSecretBytes().toStringUtf8(), passphrase, timestamp);
       } else if (key.hasEncryptedData()) {
         EncryptedData data =
             new EncryptedData(
                 key.getEncryptedData().getInitialisationVector().toByteArray(),
                 key.getEncryptedData().getEncryptedPrivateKey().toByteArray());
         seed = new DeterministicSeed(data, timestamp);
       } else {
         throw new UnreadableWalletException("Malformed key proto: " + key.toString());
       }
       if (log.isDebugEnabled()) log.debug("Deserializing: DETERMINISTIC_MNEMONIC: {}", seed);
     } else if (t == Protos.Key.Type.DETERMINISTIC_KEY) {
       if (!key.hasDeterministicKey())
         throw new UnreadableWalletException(
             "Deterministic key missing extra data: " + key.toString());
       byte[] chainCode = key.getDeterministicKey().getChainCode().toByteArray();
       // Deserialize the path through the tree.
       LinkedList<ChildNumber> path = newLinkedList();
       for (int i : key.getDeterministicKey().getPathList()) path.add(new ChildNumber(i));
       // Deserialize the public key and path.
       ECPoint pubkey = ECKey.CURVE.getCurve().decodePoint(key.getPublicKey().toByteArray());
       final ImmutableList<ChildNumber> immutablePath = ImmutableList.copyOf(path);
       // Possibly create the chain, if we didn't already do so yet.
       boolean isWatchingAccountKey = false;
       boolean isFollowingKey = false;
       // save previous chain if any if the key is marked as following. Current key and the next
       // ones are to be
       // placed in new following key chain
       if (key.getDeterministicKey().getIsFollowing()) {
         if (chain != null) {
           checkState(lookaheadSize >= 0);
           chain.setLookaheadSize(lookaheadSize);
           chain.maybeLookAhead();
           chains.add(chain);
           chain = null;
           seed = null;
         }
         isFollowingKey = true;
       }
       if (chain == null) {
         if (seed == null) {
           DeterministicKey accountKey =
               new DeterministicKey(immutablePath, chainCode, pubkey, null, null);
           if (!accountKey.getPath().equals(ACCOUNT_ZERO_PATH))
             throw new UnreadableWalletException(
                 "Expecting account key but found key with path: "
                     + HDUtils.formatPath(accountKey.getPath()));
           chain = new DeterministicKeyChain(accountKey, isFollowingKey);
           isWatchingAccountKey = true;
         } else {
           chain = new DeterministicKeyChain(seed, crypter);
           chain.lookaheadSize = LAZY_CALCULATE_LOOKAHEAD;
           // If the seed is encrypted, then the chain is incomplete at this point. However, we
           // will load
           // it up below as we parse in the keys. We just need to check at the end that we've
           // loaded
           // everything afterwards.
         }
       }
       // Find the parent key assuming this is not the root key, and not an account key for a
       // watching chain.
       DeterministicKey parent = null;
       if (!path.isEmpty() && !isWatchingAccountKey) {
         ChildNumber index = path.removeLast();
         parent = chain.hierarchy.get(path, false, false);
         path.add(index);
       }
       DeterministicKey detkey;
       if (key.hasSecretBytes()) {
         // Not encrypted: private key is available.
         final BigInteger priv = new BigInteger(1, key.getSecretBytes().toByteArray());
         detkey = new DeterministicKey(immutablePath, chainCode, pubkey, priv, parent);
       } else {
         if (key.hasEncryptedData()) {
           Protos.EncryptedData proto = key.getEncryptedData();
           EncryptedData data =
               new EncryptedData(
                   proto.getInitialisationVector().toByteArray(),
                   proto.getEncryptedPrivateKey().toByteArray());
           checkNotNull(crypter, "Encountered an encrypted key but no key crypter provided");
           detkey = new DeterministicKey(immutablePath, chainCode, crypter, pubkey, data, parent);
         } else {
           // No secret key bytes and key is not encrypted: either a watching key or private key
           // bytes
           // will be rederived on the fly from the parent.
           detkey = new DeterministicKey(immutablePath, chainCode, pubkey, null, parent);
         }
       }
       if (key.hasCreationTimestamp())
         detkey.setCreationTimeSeconds(key.getCreationTimestamp() / 1000);
       if (log.isDebugEnabled()) log.debug("Deserializing: DETERMINISTIC_KEY: {}", detkey);
       if (!isWatchingAccountKey) {
         // If the non-encrypted case, the non-leaf keys (account, internal, external) have already
         // been
         // rederived and inserted at this point and the two lines below are just a no-op. In the
         // encrypted
         // case though, we can't rederive and we must reinsert, potentially building the heirarchy
         // object
         // if need be.
         if (path.size() == 0) {
           // Master key.
           chain.rootKey = detkey;
           chain.hierarchy = new DeterministicHierarchy(detkey);
         } else if (path.size() == 2) {
           if (detkey.getChildNumber().num() == 0) {
             chain.externalKey = detkey;
             chain.issuedExternalKeys = key.getDeterministicKey().getIssuedSubkeys();
             lookaheadSize = Math.max(lookaheadSize, key.getDeterministicKey().getLookaheadSize());
           } else if (detkey.getChildNumber().num() == 1) {
             chain.internalKey = detkey;
             chain.issuedInternalKeys = key.getDeterministicKey().getIssuedSubkeys();
           }
         }
       }
       chain.hierarchy.putKey(detkey);
       chain.basicKeyChain.importKey(detkey);
     }
   }
   if (chain != null) {
     checkState(lookaheadSize >= 0);
     chain.setLookaheadSize(lookaheadSize);
     chain.maybeLookAhead();
     chains.add(chain);
   }
   return chains;
 }
 /** Returns freshly derived key/s that have not been returned by this method before. */
 @Override
 public List<DeterministicKey> getKeys(KeyPurpose purpose, int numberOfKeys) {
   checkArgument(numberOfKeys > 0);
   lock.lock();
   try {
     DeterministicKey parentKey;
     int index;
     switch (purpose) {
         // Map both REFUND and RECEIVE_KEYS to the same branch for now. Refunds are a feature of
         // the BIP 70
         // payment protocol. Later we may wish to map it to a different branch (in a new wallet
         // version?).
         // This would allow a watching wallet to only be able to see inbound payments, but not
         // change
         // (i.e. spends) or refunds. Might be useful for auditing ...
       case RECEIVE_FUNDS:
       case REFUND:
         issuedExternalKeys += numberOfKeys;
         index = issuedExternalKeys;
         parentKey = externalKey;
         break;
       case AUTHENTICATION:
       case CHANGE:
         issuedInternalKeys += numberOfKeys;
         index = issuedInternalKeys;
         parentKey = internalKey;
         break;
       default:
         throw new UnsupportedOperationException();
     }
     // Optimization: potentially do a very quick key generation for just the number of keys we
     // need if we
     // didn't already create them, ignoring the configured lookahead size. This ensures we'll be
     // able to
     // retrieve the keys in the following loop, but if we're totally fresh and didn't get a chance
     // to
     // calculate the lookahead keys yet, this will not block waiting to calculate 100+ EC point
     // multiplies.
     // On slow/crappy Android phones looking ahead 100 keys can take ~5 seconds but the OS will
     // kill us
     // if we block for just one second on the UI thread. Because UI threads may need an address in
     // order
     // to render the screen, we need getKeys to be fast even if the wallet is totally brand new
     // and lookahead
     // didn't happen yet.
     //
     // It's safe to do this because when a network thread tries to calculate a Bloom filter, we'll
     // go ahead
     // and calculate the full lookahead zone there, so network requests will always use the right
     // amount.
     List<DeterministicKey> lookahead = maybeLookAhead(parentKey, index, 0, 0);
     basicKeyChain.importKeys(lookahead);
     List<DeterministicKey> keys = new ArrayList<DeterministicKey>(numberOfKeys);
     for (int i = 0; i < numberOfKeys; i++) {
       ImmutableList<ChildNumber> path =
           HDUtils.append(parentKey.getPath(), new ChildNumber(index - numberOfKeys + i, false));
       DeterministicKey k = hierarchy.get(path, false, false);
       // Just a last minute sanity check before we hand the key out to the app for usage. This
       // isn't inspired
       // by any real problem reports from bitcoinj users, but I've heard of cases via the
       // grapevine of
       // places that lost money due to bitflips causing addresses to not match keys. Of course in
       // an
       // environment with flaky RAM there's no real way to always win: bitflips could be
       // introduced at any
       // other layer. But as we're potentially retrieving from long term storage here, check
       // anyway.
       checkForBitFlip(k);
       keys.add(k);
     }
     return keys;
   } finally {
     lock.unlock();
   }
 }