Move BOLT11 JIT params to payment metadata#899
Move BOLT11 JIT params to payment metadata#899tnull wants to merge 4 commits intolightningdevkit:mainfrom
Conversation
The values describe the `LSPS2` parameters negotiated for JIT-channel receives, not a fee-limit concept owned by the payment store. Rename the public type and internal references while preserving the existing fields, TLV encoding, and `PaymentKind::Bolt11Jit` storage shape for the follow-up refactor. Co-Authored-By: HAL 9000
|
👋 Thanks for assigning @joostjager as a reviewer! |
joostjager
left a comment
joostjager
left a comment
There was a problem hiding this comment.
PR looks great. I like the offloading of state to clients. And ofc happy to see usage of lightning/bolts#912 😄
| let payment_hash = invoice.payment_hash(); | ||
| let payment_secret = invoice.payment_secret(); | ||
| let lsp_fee_limits = LSPFeeLimits { | ||
| let lsp_fee_limits = LSPS2Parameters { |
There was a problem hiding this comment.
Not sure if this rename is strictly better. Parameters sounds broader than what it is.
There was a problem hiding this comment.
Yes, that's intentional as we might add more fields in the BOLT12 context that are not 'fee limits'. Sorry, maybe should have given that rationale in the commit description.
There was a problem hiding this comment.
Which parameters are that?
There was a problem hiding this comment.
| let client_payment = client_node.payment(&client_payment_id).unwrap(); | ||
| match client_payment.kind { | ||
| PaymentKind::Bolt11Jit { counterparty_skimmed_fee_msat, .. } => { | ||
| PaymentKind::Bolt11 { counterparty_skimmed_fee_msat, .. } => { |
There was a problem hiding this comment.
Would it be worth to add some coverage for "skimmed fee with missing/malformed metadata" failing?
There was a problem hiding this comment.
I added a small fixup that basically asserts that, let me know if you deem this sufficient. Note that asserting handle_event behavior overall is a bit tricky, and we don't have a good way to create integration tests that feature LSPs maliciously withholding funds.
tnull
force-pushed
the
2026-05-move-jit-params-to-payment-metadata
branch
from
7d41d4f to
40f11e6
Compare
|
Now updated and included a commit that allows us to de/encrypt |
| } | ||
| } | ||
|
|
||
| fn nonce(&self, payment_hash: &PaymentHash, payment_secret: &PaymentSecret) -> [u8; 12] { |
There was a problem hiding this comment.
Is it totally ruled out that payment hash and secret are never reused, also not in some manual flow for example? Perhaps defensively picking a random nonce and storing it in the metadata is safer?
There was a problem hiding this comment.
Yes, pretty much. If we reuse the payment hash for example we have worse issues than just privacy leakage at our hands. Happy to store the nonce if you insist, but note that we try to keep invoices as small as possible, in particular for QR encoding.
There was a problem hiding this comment.
Still I think it is better to not rely on that, but might be worth getting a 2nd opinion.
There was a problem hiding this comment.
Related question: if size is important, is the current scheme minimal? Perhaps the double tlv wrapper and/or u64 can be shaved down too.
| let nonce = keys.nonce(payment_hash, payment_secret); | ||
| let mut ciphertext = sealed::PaymentMetadataTlv::from(self.clone()).encode(); | ||
| let cipher = ChaCha20Poly1305::new(Key::new(keys.encryption_key), Nonce::new(nonce)); | ||
| let tag = cipher.encrypt(&mut ciphertext, Some(PAYMENT_METADATA_AAD)); |
There was a problem hiding this comment.
I would really check to see if anything useful can be exposed from lightning/src/crypto rather than doing it again here. And maybe also just drop encryption from this PR until there is an answer to that.
There was a problem hiding this comment.
Well, upstream we use the same library (chacha20poly1305), which is why adding the direct dependency is also fine, IMO.
There was a problem hiding this comment.
What I was trying to question is whether RL has a reusable layer above the raw ChaCha call, something that already standardizes the envelope, key separation, nonce handling, etc.
| }]); | ||
|
|
||
| let payment_metadata = PaymentMetadata { lsps2_parameters: Some(lsps2_parameters) } | ||
| .encrypt(&payment_metadata_keys, &payment_hash, &payment_secret) |
There was a problem hiding this comment.
For bolt12, I think the encryption happens on the blinded path level? Is there anything in the design of this PR that would then double-encrypt when bolt12 is added?
There was a problem hiding this comment.
Yes, for BOLT12 we could leak PaymentMetadataTlvs and use that directly, potentially, but I'd like to get into those details when we get to the BOLT12 part.
There was a problem hiding this comment.
Just checking that there are no obvious rewrites necessary, but seems good then
3 participants
Context
We recently found that for the intended BOLT12-JIT flow we'll have to encode the LSPS2 parameters in the payment metadata (based on lightningdevkit/rust-lightning#4584). As a prefactor to that (and to simplify things for #811, rather than add yet another store type there, just to revert once we get to the BOLT12-JIT changes), we here switch to store the LSPS2 parameters in the BOLT11
payment_metadatarather than persisting them on-disk. To make this safe we'll also need lightningdevkit/rust-lightning#4528, as otherwise the payer could collude with the LSP to rob the payee.Summary
This moves LSPS2/JIT-channel receive parameters out of dedicated payment-store
state and into the BOLT11 invoice
payment_metadata, so the payment store nolonger needs a
PaymentKind::Bolt11Jitvariant for new payments.Changes
LSPFeeLimitstoLSPS2Parameters.Bolt11PaymentMetadatainbolt11.rswith TLV-based encoding.LSPS2Parametersinto BOLT11payment_metadatawhen creating JITinvoices.
PaymentKind::Bolt11.PaymentKind::Bolt11Jitrecords asPaymentKind::Bolt11.payment_metadataprovesthe LSPS2 fee is within the negotiated limit.
PaymentDetailsfield-1 JIT metadata reader, whilekeeping the released legacy
PaymentKind::Bolt11Jitdecoder.prior JIT state is not migrated.