InvoiceRequest metadata and payer id derivation

jkczyz · jkczyz · commit 070a6f3430b9 · 2023-02-09T15:26:52.000-06:00
Add support for deriving a transient payer id for each InvoiceRequest
from an ExpandedKey and a nonce. This facilitates payer privacy by not
tying any InvoiceRequest to any other nor to the payer's node id.

Additionally, support stateless Invoice verification by setting payer
metadata using an HMAC over the nonce and the remaining TLV records,
which will be later verified when receiving an Invoice response.
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -60,13 +60,14 @@ use core::convert::TryFrom;
 use crate::io;
 use crate::ln::PaymentHash;
 use crate::ln::features::InvoiceRequestFeatures;
-use crate::ln::inbound_payment::ExpandedKey;
+use crate::ln::inbound_payment::{ExpandedKey, Nonce};
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice::{BlindedPayInfo, InvoiceBuilder};
 use crate::offers::merkle::{SignError, SignatureTlvStream, SignatureTlvStreamRef, TlvStream, self};
 use crate::offers::offer::{Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use crate::offers::parse::{ParseError, ParsedMessage, SemanticError};
 use crate::offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
+use crate::offers::signer::{MetadataMaterial, DerivedPubkey};
 use crate::onion_message::BlindedPath;
 use crate::util::ser::{HighZeroBytesDroppedBigSize, SeekReadable, WithoutLength, Writeable, Writer};
 use crate::util::string::PrintableString;
@@ -83,6 +84,7 @@ const SIGNATURE_TAG: &'static str = concat!("lightning", "invoice_request", "sig
 pub struct InvoiceRequestBuilder<'a> {
 	offer: &'a Offer,
 	invoice_request: InvoiceRequestContents,
+	metadata_material: Option<MetadataMaterial>,
 }
 
 impl<'a> InvoiceRequestBuilder<'a> {
@@ -94,9 +96,45 @@ impl<'a> InvoiceRequestBuilder<'a> {
 				amount_msats: None, features: InvoiceRequestFeatures::empty(), quantity: None,
 				payer_id, payer_note: None,
 			},
+			metadata_material: None,
 		}
 	}
 
+	#[allow(unused)]
+	pub(super) fn deriving_payer_id(offer: &'a Offer, payer_id: DerivedPubkey) -> Self {
+		let (payer_id, metadata_material) = payer_id.into_parts();
+		Self {
+			offer,
+			invoice_request: InvoiceRequestContents {
+				payer: PayerContents(vec![]), offer: offer.contents.clone(), chain: None,
+				amount_msats: None, features: InvoiceRequestFeatures::empty(), quantity: None,
+				payer_id, payer_note: None,
+			},
+			metadata_material: Some(metadata_material),
+		}
+	}
+
+	/// Sets the [`InvoiceRequest::metadata`] derived from the given `key` and any fields set prior
+	/// to calling [`InvoiceRequestBuilder::build`]. Allows for stateless verification of an
+	/// [`Invoice`] when using a public node id as the [`InvoiceRequest::payer_id`] instead of a
+	/// derived one.
+	///
+	/// Errors if already called or if the builder was constructed with [`Self::deriving_payer_id`].
+	///
+	/// [`Invoice`]: crate::offers::invoice::Invoice
+	#[allow(unused)]
+	pub(crate) fn metadata_derived(
+		mut self, key: &ExpandedKey, nonce: Nonce
+	) -> Result<Self, SemanticError> {
+		if self.metadata_material.is_some() {
+			return Err(SemanticError::UnexpectedMetadata);
+		}
+
+		self.invoice_request.payer = PayerContents(vec![]);
+		self.metadata_material = Some(MetadataMaterial::new(nonce, key));
+		Ok(self)
+	}
+
 	/// Sets the [`InvoiceRequest::chain`] of the given [`Network`] for paying an invoice. If not
 	/// called, [`Network::Bitcoin`] is assumed. Errors if the chain for `network` is not supported
 	/// by the offer.
@@ -153,6 +191,21 @@ impl<'a> InvoiceRequestBuilder<'a> {
 			}
 		}
 
+		// Create the metadata for stateless verification of an Invoice.
+		if let Some(mut metadata_material) = self.metadata_material {
+			debug_assert!(self.invoice_request.payer.0.is_empty());
+			let mut tlv_stream = self.invoice_request.as_tlv_stream();
+			tlv_stream.0.metadata = None;
+			tlv_stream.2.payer_id = None;
+			tlv_stream.write(&mut metadata_material).unwrap();
+
+			self.invoice_request.payer.0 = metadata_material.into_metadata();
+		}
+
+		if self.invoice_request.payer.0.is_empty() {
+			return Err(SemanticError::MissingPayerMetadata);
+		}
+
 		let chain = self.invoice_request.chain();
 		if !self.offer.supports_chain(chain) {
 			return Err(SemanticError::UnsupportedChain);
@@ -171,7 +224,7 @@ impl<'a> InvoiceRequestBuilder<'a> {
 			self.invoice_request.amount_msats, self.invoice_request.quantity
 		)?;
 
-		let InvoiceRequestBuilder { offer, invoice_request } = self;
+		let InvoiceRequestBuilder { offer, invoice_request, .. } = self;
 		Ok(UnsignedInvoiceRequest { offer, invoice_request })
 	}
 }
@@ -200,7 +253,7 @@ impl<'a> InvoiceRequestBuilder<'a> {
 	}
 
 	pub(super) fn build_unchecked(self) -> UnsignedInvoiceRequest<'a> {
-		let InvoiceRequestBuilder { offer, invoice_request } = self;
+		let InvoiceRequestBuilder { offer, invoice_request, .. } = self;
 		UnsignedInvoiceRequest { offer, invoice_request }
 	}
 }
@@ -998,7 +1051,7 @@ mod tests {
 		let invoice_request = OfferBuilder::new("foo".into(), recipient_pubkey())
 			.amount_msats(1000)
 			.build().unwrap()
-			.request_invoice(vec![42; 32], payer_pubkey()).unwrap()
+			.request_invoice(vec![1; 32], payer_pubkey()).unwrap()
 			.build().unwrap()
 			.sign(payer_sign).unwrap();
 
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -442,6 +442,26 @@ impl Offer {
 		Ok(InvoiceRequestBuilder::new(self, metadata, payer_id))
 	}
 
+	/// Similar to [`Offer::request_invoice`] except it:
+	/// - derives the [`InvoiceRequest::payer_id`] such that a different key can be used for each
+	///   request, and
+	/// - sets the [`InvoiceRequest::metadata`] when [`InvoiceRequestBuilder::build`] is called such
+	///   that it can be used by [`Invoice::verify`] to determine if the invoice was requested using
+	///   a base [`ExpandedKey`] from which the payer id was derived.
+	///
+	/// [`Invoice::verify`]: crate::offers::invoice::Invoice::verify
+	/// [`ExpandedKey`]: crate::ln::inbound_payment::ExpandedKey
+	#[allow(unused)]
+	pub(crate) fn request_invoice_deriving_payer_id(
+		&self, payer_id: DerivedPubkey,
+	) -> Result<InvoiceRequestBuilder, SemanticError> {
+		if self.features().requires_unknown_bits() {
+			return Err(SemanticError::UnknownRequiredFeatures);
+		}
+
+		Ok(InvoiceRequestBuilder::deriving_payer_id(self, payer_id))
+	}
+
 	#[cfg(test)]
 	pub(super) fn as_tlv_stream(&self) -> OfferTlvStreamRef {
 		self.contents.as_tlv_stream()
