Send offer paths in response to requests

As part of serving static invoices to payers on behalf of often-offline
recipients, we need to provide the async recipient with blinded message paths
to include in their offers.

Support responding to inbound requests for offer paths from async recipients.

Author: valentinewallace

lightning/src/blinded_path/message.rs

@@ -35,6 +35,7 @@ use bitcoin::hashes::sha256::Hash as Sha256;
 
 use core::mem;
 use core::ops::Deref;
+use core::time::Duration;
 
 /// A blinded path to be used for sending or receiving a message, hiding the identity of the
 /// recipient.
@@ -331,6 +332,47 @@ pub enum OffersContext {
 		/// [`Offer`]: crate::offers::offer::Offer
 		nonce: Nonce,
 	},
+	/// Context used by a [`BlindedMessagePath`] within the [`Offer`] of an async recipient on behalf
+	/// of whom we are serving [`StaticInvoice`]s.
+	///
+	/// This variant is intended to be received when handling an [`InvoiceRequest`] on behalf of said
+	/// async recipient.
+	///
+	/// [`StaticInvoice`]: crate::offers::static_invoice::StaticInvoice
+	/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+	StaticInvoiceRequested {
+		/// An identifier for the async recipient for whom we are serving [`StaticInvoice`]s. Used to
+		/// look up a corresponding [`StaticInvoice`] to return to the payer if the recipient is offline.
+		///
+		/// Also useful to rate limit the number of [`InvoiceRequest`]s we will respond to on
+		/// recipient's behalf.
+		///
+		/// [`StaticInvoice`]: crate::offers::static_invoice::StaticInvoice
+		/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+		recipient_id_nonce: Nonce,
+
+		/// A nonce used for authenticating that a received [`InvoiceRequest`] is valid for a preceding
+		/// [`OfferPaths`] message that we sent.
+		///
+		/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+		/// [`OfferPaths`]: crate::onion_message::async_payments::OfferPaths
+		nonce: Nonce,
+
+		/// Authentication code for the [`InvoiceRequest`].
+		///
+		/// Prevents nodes from creating their own blinded path to us and causing us to unintentionally
+		/// hit our database looking for a [`StaticInvoice`] to return.
+		///
+		/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+		/// [`StaticInvoice`]: crate::offers::static_invoice::StaticInvoice
+		hmac: Hmac<Sha256>,
+
+		/// The time as duration since the Unix epoch at which this path expires and messages sent over
+		/// it should be ignored.
+		///
+		/// Useful to timeout async recipients that are no longer supported as clients.
+		path_absolute_expiry: Duration,
+	},
 	/// Context used by a [`BlindedMessagePath`] within a [`Refund`] or as a reply path for an
 	/// [`InvoiceRequest`].
 	///
@@ -448,6 +490,43 @@ pub enum AsyncPaymentsContext {
 		/// is no longer configured to accept paths from them.
 		path_absolute_expiry: core::time::Duration,
 	},
+	/// Context used by a reply path to an [`OfferPaths`] message, provided back to us in
+	/// corresponding [`ServeStaticInvoice`] messages.
+	///
+	/// [`OfferPaths`]: crate::onion_message::async_payments::OfferPaths
+	/// [`ServeStaticInvoice`]: crate::onion_message::async_payments::ServeStaticInvoice
+	ServeStaticInvoice {
+		/// An identifier for the async recipient that is requesting that a [`StaticInvoice`] be served
+		/// on their behalf.
+		///
+		/// Useful as a key to retrieve the invoice when payers send an [`InvoiceRequest`] over the
+		/// paths that we previously created for the recipient's [`Offer::paths`]. Also useful to rate
+		/// limit the invoices being persisted on behalf of a particular recipient.
+		///
+		/// [`StaticInvoice`]: crate::offers::static_invoice::StaticInvoice
+		/// [`InvoiceRequest`]: crate::offers::invoice_request::InvoiceRequest
+		/// [`Offer::paths`]: crate::offers::offer::Offer::paths
+		recipient_id_nonce: Nonce,
+		/// A nonce used for authenticating that a [`ServeStaticInvoice`] message is valid for a preceding
+		/// [`OfferPaths`] message.
+		///
+		/// [`ServeStaticInvoice`]: crate::onion_message::async_payments::ServeStaticInvoice
+		/// [`OfferPaths`]: crate::onion_message::async_payments::OfferPaths
+		nonce: Nonce,
+		/// Authentication code for the [`ServeStaticInvoice`] message.
+		///
+		/// Prevents nodes from creating their own blinded path to us and causing us to persist an
+		/// unintended [`StaticInvoice`].
+		///
+		/// [`ServeStaticInvoice`]: crate::onion_message::async_payments::ServeStaticInvoice
+		/// [`StaticInvoice`]: crate::offers::static_invoice::StaticInvoice
+		hmac: Hmac<Sha256>,
+		/// The time as duration since the Unix epoch at which this path expires and messages sent over
+		/// it should be ignored.
+		///
+		/// Useful to timeout async recipients that are no longer supported as clients.
+		path_absolute_expiry: core::time::Duration,
+	},
 	/// Context used by a reply path to a [`ServeStaticInvoice`] message, provided back to us in
 	/// corresponding [`StaticInvoicePersisted`] messages.
 	///
@@ -549,6 +628,12 @@ impl_writeable_tlv_based_enum!(OffersContext,
 		(1, nonce, required),
 		(2, hmac, required)
 	},
+	(3, StaticInvoiceRequested) => {
+		(0, recipient_id_nonce, required),
+		(2, nonce, required),
+		(4, hmac, required),
+		(6, path_absolute_expiry, required),
+	},
 );
 
 impl_writeable_tlv_based_enum!(AsyncPaymentsContext,
@@ -578,6 +663,12 @@ impl_writeable_tlv_based_enum!(AsyncPaymentsContext,
 		(2, hmac, required),
 		(4, path_absolute_expiry, required),
 	},
+	(5, ServeStaticInvoice) => {
+		(0, recipient_id_nonce, required),
+		(2, nonce, required),
+		(4, hmac, required),
+		(6, path_absolute_expiry, required),
+	},
 );
 
 /// Contains a simple nonce for use in a blinded path's context.

lightning/src/ln/channelmanager.rs

@@ -12702,6 +12702,56 @@ where
 		&self, _message: OfferPathsRequest, _context: AsyncPaymentsContext,
 		_responder: Option<Responder>,
 	) -> Option<(OfferPaths, ResponseInstruction)> {
+		#[cfg(async_payments)] {
+			let entropy = &*self.entropy_source;
+			let expanded_key = &self.inbound_payment_key;
+			let duration_since_epoch = self.duration_since_epoch();
+
+			let recipient_id_nonce = match _context {
+				AsyncPaymentsContext::OfferPathsRequest { recipient_id_nonce, hmac, path_absolute_expiry } => {
+					if let Err(()) = signer::verify_offer_paths_request_context(
+						recipient_id_nonce, hmac, expanded_key
+					) { return None }
+					if duration_since_epoch > path_absolute_expiry {
+						return None }
+					recipient_id_nonce
+				},
+				_ => return None
+			};
+
+			let (offer_paths, paths_expiry) = {
+				// TODO: support longer-lived offers
+				const OFFER_PATH_EXPIRY: Duration = Duration::from_secs(30 * 24 * 60 * 60);
+				let path_absolute_expiry =
+					duration_since_epoch.saturating_add(OFFER_PATH_EXPIRY);
+				let nonce = Nonce::from_entropy_source(entropy);
+				let hmac = signer::hmac_for_async_recipient_invreq_context(nonce, expanded_key);
+				let context = OffersContext::StaticInvoiceRequested {
+					recipient_id_nonce, nonce, hmac, path_absolute_expiry
+				};
+				match self.create_blinded_paths_using_absolute_expiry(
+					context, Some(path_absolute_expiry)
+				) {
+					Ok(paths) => (paths, path_absolute_expiry),
+					Err(()) => return None,
+				}
+			};
+
+			let reply_path_context = {
+				let nonce = Nonce::from_entropy_source(entropy);
+				let path_absolute_expiry = duration_since_epoch.saturating_add(REPLY_PATH_RELATIVE_EXPIRY);
+				let hmac = signer::hmac_for_serve_static_invoice_context(nonce, expanded_key);
+				MessageContext::AsyncPayments(AsyncPaymentsContext::ServeStaticInvoice {
+					nonce, recipient_id_nonce, hmac, path_absolute_expiry
+				})
+			};
+
+			let offer_paths_om = OfferPaths { paths: offer_paths, paths_absolute_expiry: Some(paths_expiry) };
+			return _responder
+				.map(|responder| (offer_paths_om, responder.respond_with_reply_path(reply_path_context)))
+		}
+
+		#[cfg(not(async_payments))]
 		None
 	}
 

lightning/src/offers/signer.rs

@@ -69,6 +69,16 @@ const ASYNC_PAYMENTS_STATIC_INV_PERSISTED_INPUT: &[u8; 16] = &[11; 16];
 #[cfg(async_payments)]
 const ASYNC_PAYMENTS_OFFER_PATHS_REQUEST_INPUT: &[u8; 16] = &[12; 16];
 
+/// HMAC input used in `OffersContext::StaticInvoiceRequested` to authenticate inbound invoice
+/// requests that are being serviced on behalf of async recipients.
+#[cfg(async_payments)]
+const ASYNC_PAYMENTS_INVREQ: &[u8; 16] = &[13; 16];
+
+/// HMAC input used in `AsyncPaymentsContext::ServeStaticInvoice` to authenticate inbound
+/// serve_static_invoice onion messages.
+#[cfg(async_payments)]
+const ASYNC_PAYMENTS_SERVE_STATIC_INVOICE_INPUT: &[u8; 16] = &[14; 16];
+
 /// Message metadata which possibly is derived from [`MetadataMaterial`] such that it can be
 /// verified.
 #[derive(Clone)]
@@ -583,6 +593,13 @@ pub(crate) fn hmac_for_offer_paths_request_context(
 	Hmac::from_engine(hmac)
 }
 
+#[cfg(async_payments)]
+pub(crate) fn verify_offer_paths_request_context(
+	nonce: Nonce, hmac: Hmac<Sha256>, expanded_key: &ExpandedKey,
+) -> Result<(), ()> {
+	if hmac_for_offer_paths_request_context(nonce, expanded_key) == hmac { Ok(()) } else { Err(()) }
+}
+
 #[cfg(async_payments)]
 pub(crate) fn hmac_for_offer_paths_context(
 	nonce: Nonce, expanded_key: &ExpandedKey,
@@ -607,6 +624,19 @@ pub(crate) fn verify_offer_paths_context(
 	}
 }
 
+#[cfg(async_payments)]
+pub(crate) fn hmac_for_serve_static_invoice_context(
+	nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Hmac<Sha256> {
+	const IV_BYTES: &[u8; IV_LEN] = b"LDK Serve Inv~~~";
+	let mut hmac = expanded_key.hmac_for_offer();
+	hmac.input(IV_BYTES);
+	hmac.input(&nonce.0);
+	hmac.input(ASYNC_PAYMENTS_SERVE_STATIC_INVOICE_INPUT);
+
+	Hmac::from_engine(hmac)
+}
+
 #[cfg(async_payments)]
 pub(crate) fn hmac_for_static_invoice_persisted_context(
 	nonce: Nonce, expanded_key: &ExpandedKey,
@@ -630,3 +660,16 @@ pub(crate) fn verify_static_invoice_persisted_context(
 		Err(())
 	}
 }
+
+#[cfg(async_payments)]
+pub(crate) fn hmac_for_async_recipient_invreq_context(
+	nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Hmac<Sha256> {
+	const IV_BYTES: &[u8; IV_LEN] = b"LDK Async Invreq";
+	let mut hmac = expanded_key.hmac_for_offer();
+	hmac.input(IV_BYTES);
+	hmac.input(&nonce.0);
+	hmac.input(ASYNC_PAYMENTS_INVREQ);
+
+	Hmac::from_engine(hmac)
+}