ACINQ
diff --git a/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala‎
Lines changed: 54 additions & 28 deletions b/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala‎
Lines changed: 54 additions & 28 deletions
diff --git a/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/relay/NodeRelay.scala‎
Lines changed: 25 additions & 0 deletions b/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/relay/NodeRelay.scala‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/send/Recipient.scala‎
Lines changed: 5 additions & 3 deletions b/‎eclair-core/src/main/scala/fr/acinq/eclair/payment/send/Recipient.scala‎
Lines changed: 5 additions & 3 deletions
@@ -59,6 +59,7 @@ object IncomingPaymentPacket {
     def innerPayload: IntermediatePayload.NodeRelay
   }
   case class RelayToTrampolinePacket(add: UpdateAddHtlc, outerPayload: FinalPayload.Standard, innerPayload: IntermediatePayload.NodeRelay.Standard, nextPacket: OnionRoutingPacket) extends NodeRelayPacket
+  case class RelayToBlindedTrampolinePacket(add: UpdateAddHtlc, outerPayload: FinalPayload.Standard, innerPayload: IntermediatePayload.NodeRelay.Blinded, nextPacket: OnionRoutingPacket) extends NodeRelayPacket
   case class RelayToNonTrampolinePacket(add: UpdateAddHtlc, outerPayload: FinalPayload.Standard, innerPayload: IntermediatePayload.NodeRelay.ToNonTrampoline) extends NodeRelayPacket
   case class RelayToBlindedPathsPacket(add: UpdateAddHtlc, outerPayload: FinalPayload.Standard, innerPayload: IntermediatePayload.NodeRelay.ToBlindedPaths) extends NodeRelayPacket
   // @formatter:on
@@ -172,9 +173,14 @@ object IncomingPaymentPacket {
                     val totalAmount = payload.get[OnionPaymentPayloadTlv.AmountToForward].map(_.amount).getOrElse(add.amountMsat)
                     payload.copy(records = payload.records + OnionPaymentPayloadTlv.PaymentData(dummyPaymentSecret, totalAmount))
                 }
-                // NB: when we enable blinded trampoline routes, we will need to check if the outer onion contains a
-                // path key and use it to derive the decryption key for the blinded trampoline onion.
-                decryptOnion(add.paymentHash, privateKey, trampolinePacket).flatMap {
+                // If we are an intermediate trampoline node inside a blinded path, the payer doesn't know our node_id
+                // and has encrypted the trampoline onion to our blinded node_id: in that case, the previous trampoline
+                // node will provide the path key in the outer onion.
+                val trampolineOnionDecryptionKey = payload.get[OnionPaymentPayloadTlv.PathKey].map(_.publicKey) match {
+                  case Some(pathKey) => Sphinx.RouteBlinding.derivePrivateKey(privateKey, pathKey)
+                  case None => privateKey
+                }
+                decryptOnion(add.paymentHash, trampolineOnionDecryptionKey, trampolinePacket).flatMap {
                   case DecodedOnionPacket(innerPayload, Some(next)) =>
                     // We are an intermediate trampoline node.
                     if (innerPayload.get[InvoiceRoutingInfo].isDefined) {
@@ -183,7 +189,8 @@ object IncomingPaymentPacket {
                       // The payer is a wallet using the legacy trampoline feature.
                       validateTrampolineToNonTrampoline(add, outerPayload, innerPayload)
                     } else {
-                      validateNodeRelay(add, outerPayload, innerPayload, next)
+                      // The recipient supports trampoline (and may support blinded payments).
+                      validateNodeRelay(add, privateKey, outerPayload, innerPayload, next)
                     }
                   case DecodedOnionPacket(innerPayload, None) =>
                     if (innerPayload.get[OutgoingBlindedPaths].isDefined) {
@@ -195,8 +202,8 @@ object IncomingPaymentPacket {
                       // They can be reached with the invoice data provided.
                       validateTrampolineToNonTrampoline(add, outerPayload, innerPayload)
                     } else {
-                      // We're the final recipient of this trampoline payment.
-                      validateTrampolineFinalPayload(add, outerPayload, innerPayload)
+                      // We're the final recipient of this trampoline payment (which may be blinded).
+                      validateTrampolineFinalPayload(add, privateKey, outerPayload, innerPayload)
                     }
                 }
               case None =>
@@ -238,31 +245,50 @@ object IncomingPaymentPacket {
     }
   }
 
-  private def validateTrampolineFinalPayload(add: UpdateAddHtlc, outerPayload: TlvStream[OnionPaymentPayloadTlv], innerPayload: TlvStream[OnionPaymentPayloadTlv]): Either[FailureMessage, FinalPacket] = {
-    // The outer payload cannot use route blinding, but the inner payload may (but it's not supported yet).
-    FinalPayload.Standard.validate(outerPayload).left.map(_.failureMessage).flatMap { outerPayload =>
-      FinalPayload.Standard.validate(innerPayload).left.map(_.failureMessage).flatMap {
-        case _ if add.amountMsat < outerPayload.amount => Left(FinalIncorrectHtlcAmount(add.amountMsat))
-        case _ if add.cltvExpiry < outerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry))
-        case innerPayload if outerPayload.expiry < innerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry)) // previous trampoline didn't forward the right expiry
-        case innerPayload if outerPayload.totalAmount < innerPayload.amount => Left(FinalIncorrectHtlcAmount(outerPayload.totalAmount)) // previous trampoline didn't forward the right amount
-        case innerPayload =>
-          // We merge contents from the outer and inner payloads.
-          // We must use the inner payload's total amount and payment secret because the payment may be split between multiple trampoline payments (#reckless).
-          val trampolinePacket = outerPayload.records.get[OnionPaymentPayloadTlv.TrampolineOnion].map(_.packet)
-          Right(FinalPacket(add, FinalPayload.Standard.createPayload(outerPayload.amount, innerPayload.totalAmount, innerPayload.expiry, innerPayload.paymentSecret, innerPayload.paymentMetadata, trampolinePacket)))
-      }
+  private def validateTrampolineFinalPayload(add: UpdateAddHtlc, privateKey: PrivateKey, outerPayload: TlvStream[OnionPaymentPayloadTlv], innerPayload: TlvStream[OnionPaymentPayloadTlv]): Either[FailureMessage, FinalPacket] = {
+    // The outer payload cannot use route blinding, but the inner payload may.
+    FinalPayload.Standard.validate(outerPayload).left.map(_.failureMessage).flatMap {
+      case outerPayload if add.amountMsat < outerPayload.amount => Left(FinalIncorrectHtlcAmount(add.amountMsat))
+      case outerPayload if add.cltvExpiry < outerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry))
+      case outerPayload =>
+        innerPayload.get[OnionPaymentPayloadTlv.EncryptedRecipientData] match {
+          case Some(encrypted) =>
+            decryptEncryptedRecipientData(add, privateKey, outerPayload.records, encrypted.data).flatMap {
+              case DecodedEncryptedRecipientData(blindedPayload, _) => validateBlindedFinalPayload(add, innerPayload, blindedPayload)
+            }
+          case None =>
+            FinalPayload.Standard.validate(innerPayload).left.map(_.failureMessage).flatMap {
+              case innerPayload if outerPayload.expiry < innerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry)) // previous trampoline didn't forward the right expiry
+              case innerPayload if outerPayload.totalAmount < innerPayload.amount => Left(FinalIncorrectHtlcAmount(outerPayload.totalAmount)) // previous trampoline didn't forward the right amount
+              case innerPayload =>
+                // We merge contents from the outer and inner payloads.
+                // We must use the inner payload's total amount and payment secret because the payment may be split between multiple trampoline payments (#reckless).
+                val trampolinePacket = outerPayload.records.get[OnionPaymentPayloadTlv.TrampolineOnion].map(_.packet)
+                Right(FinalPacket(add, FinalPayload.Standard.createPayload(outerPayload.amount, innerPayload.totalAmount, innerPayload.expiry, innerPayload.paymentSecret, innerPayload.paymentMetadata, trampolinePacket)))
+            }
+        }
     }
   }
 
-  private def validateNodeRelay(add: UpdateAddHtlc, outerPayload: TlvStream[OnionPaymentPayloadTlv], innerPayload: TlvStream[OnionPaymentPayloadTlv], next: OnionRoutingPacket): Either[FailureMessage, RelayToTrampolinePacket] = {
-    // The outer payload cannot use route blinding, but the inner payload may (but it's not supported yet).
-    FinalPayload.Standard.validate(outerPayload).left.map(_.failureMessage).flatMap { outerPayload =>
-      IntermediatePayload.NodeRelay.Standard.validate(innerPayload).left.map(_.failureMessage).flatMap {
-        case _ if add.amountMsat < outerPayload.amount => Left(FinalIncorrectHtlcAmount(add.amountMsat))
-        case _ if add.cltvExpiry != outerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry))
-        case innerPayload => Right(RelayToTrampolinePacket(add, outerPayload, innerPayload, next))
-      }
+  private def validateNodeRelay(add: UpdateAddHtlc, privateKey: PrivateKey, outerPayload: TlvStream[OnionPaymentPayloadTlv], innerPayload: TlvStream[OnionPaymentPayloadTlv], next: OnionRoutingPacket): Either[FailureMessage, IncomingPaymentPacket] = {
+    // The outer payload cannot use route blinding, but the inner payload may.
+    FinalPayload.Standard.validate(outerPayload).left.map(_.failureMessage).flatMap {
+      case outerPayload if add.amountMsat < outerPayload.amount => Left(FinalIncorrectHtlcAmount(add.amountMsat))
+      case outerPayload if add.cltvExpiry != outerPayload.expiry => Left(FinalIncorrectCltvExpiry(add.cltvExpiry))
+      case outerPayload =>
+        innerPayload.get[OnionPaymentPayloadTlv.EncryptedRecipientData] match {
+          case Some(encrypted) =>
+            // The path key can be found:
+            //  - in the inner payload if we are the introduction node of the blinded path (provided by the payer).
+            //  - in the outer payload if we are an intermediate node in the blinded path (provided by the previous trampoline node).
+            val pathKey_opt = innerPayload.get[OnionPaymentPayloadTlv.PathKey].orElse(outerPayload.records.get[OnionPaymentPayloadTlv.PathKey]).map(_.publicKey)
+            decryptEncryptedRecipientData(add, privateKey, pathKey_opt, encrypted.data).flatMap {
+              case DecodedEncryptedRecipientData(blindedPayload, nextPathKey) =>
+                IntermediatePayload.NodeRelay.Blinded.validate(innerPayload, blindedPayload, nextPathKey).left.map(_.failureMessage).map(innerPayload => RelayToBlindedTrampolinePacket(add, outerPayload, innerPayload, next))
+            }
+          case None =>
+            IntermediatePayload.NodeRelay.Standard.validate(innerPayload).left.map(_.failureMessage).map(innerPayload => RelayToTrampolinePacket(add, outerPayload, innerPayload, next))
+        }
     }
   }
 
 
@@ -64,6 +64,7 @@ object NodeRelay {
   private case class WrappedPaymentSent(paymentSent: PaymentSent) extends Command
   private case class WrappedPaymentFailed(paymentFailed: PaymentFailed) extends Command
   private case class WrappedPeerReadyResult(result: PeerReadyNotifier.Result) extends Command
+  private case class WrappedOutgoingNodeId(nodeId_opt: Option[PublicKey]) extends Command
   private case class WrappedResolvedPaths(resolved: Seq[ResolvedPath]) extends Command
   private case class WrappedPeerInfo(remoteFeatures_opt: Option[Features[InitFeature]]) extends Command
   private case class WrappedOnTheFlyFundingResponse(result: Peer.ProposeOnTheFlyFundingResponse) extends Command
@@ -108,6 +109,7 @@ object NodeRelay {
         val incomingPaymentHandler = context.actorOf(MultiPartPaymentFSM.props(nodeParams, paymentHash, totalAmountIn, mppFsmAdapters))
         val nextPacket_opt = nodeRelayPacket match {
           case IncomingPaymentPacket.RelayToTrampolinePacket(_, _, _, nextPacket) => Some(nextPacket)
+          case IncomingPaymentPacket.RelayToBlindedTrampolinePacket(_, _, _, nextPacket) => Some(nextPacket)
           case _: IncomingPaymentPacket.RelayToNonTrampolinePacket => None
           case _: IncomingPaymentPacket.RelayToBlindedPathsPacket => None
         }
@@ -184,6 +186,7 @@ object NodeRelay {
           case nextPayload: IntermediatePayload.NodeRelay.Standard => failures.collectFirst { case RemoteFailure(_, _, e) if e.originNode == nextPayload.outgoingNodeId => e.failureMessage }
           case nextPayload: IntermediatePayload.NodeRelay.ToNonTrampoline => failures.collectFirst { case RemoteFailure(_, _, e) if e.originNode == nextPayload.outgoingNodeId => e.failureMessage }
           // When using blinded paths, we will never get a failure from the final node (for privacy reasons).
+          case _: IntermediatePayload.NodeRelay.Blinded => None
           case _: IntermediatePayload.NodeRelay.ToBlindedPaths => None
         }
         val otherNodeFailure = failures.collectFirst { case RemoteFailure(_, _, e) => e.failureMessage }
@@ -253,6 +256,28 @@ class NodeRelay private(nodeParams: NodeParams,
         val recipient = ClearRecipient(payloadOut.outgoingNodeId, features, payloadOut.amountToForward, payloadOut.outgoingCltv, paymentSecret, nextTrampolineOnion_opt = nextPacket_opt)
         context.log.debug("forwarding payment to the next trampoline node {}", recipient.nodeId)
         attemptWakeUpIfRecipientIsWallet(upstream, recipient, nextPayload, nextPacket_opt)
+      case payloadOut: IntermediatePayload.NodeRelay.Blinded =>
+        // Blinded paths in Bolt 12 invoices may use an scid to reference the next node, if it is one of our peers.
+        // We need to resolve that to a nodeId in order to create a payment onion.
+        payloadOut.outgoing match {
+          case Left(outgoingNodeId) => context.self ! WrappedOutgoingNodeId(Some(outgoingNodeId.publicKey))
+          case Right(outgoingChannelId) => register ! Register.GetNextNodeId(context.messageAdapter[Option[PublicKey]](WrappedOutgoingNodeId), outgoingChannelId)
+        }
+        Behaviors.receiveMessagePartial {
+          rejectExtraHtlcPartialFunction orElse {
+            case WrappedOutgoingNodeId(Some(outgoingNodeId)) =>
+              val outgoingAmount = nextPayload.outgoingAmount(upstream.amountIn)
+              val outgoingExpiry = nextPayload.outgoingExpiry(upstream.expiryIn)
+              val paymentSecret = randomBytes32() // we generate a new secret to protect against probing attacks
+              val recipient = ClearRecipient(outgoingNodeId, Features.empty, outgoingAmount, outgoingExpiry, paymentSecret, nextTrampolineOnion_opt = nextPacket_opt, trampolinePathKey_opt = Some(payloadOut.nextPathKey))
+              context.log.debug("forwarding payment to the next blinded trampoline node {}", recipient.nodeId)
+              attemptWakeUpIfRecipientIsWallet(upstream, recipient, nextPayload, nextPacket_opt)
+            case WrappedOutgoingNodeId(None) =>
+              context.log.warn("rejecting trampoline payment to blinded trampoline: cannot identify next node for scid={}", payloadOut.outgoing)
+              rejectPayment(upstream, Some(UnknownNextPeer()))
+              stopping()
+          }
+        }
       case payloadOut: IntermediatePayload.NodeRelay.ToNonTrampoline =>
         val paymentSecret = payloadOut.paymentSecret
         val features = Features(payloadOut.invoiceFeatures).invoiceFeatures()
 
@@ -73,6 +73,8 @@ case class ClearRecipient(nodeId: PublicKey,
                           extraEdges: Seq[ExtraEdge] = Nil,
                           paymentMetadata_opt: Option[ByteVector] = None,
                           nextTrampolineOnion_opt: Option[OnionRoutingPacket] = None,
+                          // Must be provided if the payer is using a blinded trampoline path.
+                          trampolinePathKey_opt: Option[PublicKey] = None,
                           customTlvs: Set[GenericTlv] = Set.empty) extends Recipient {
   // Feature bit used by the legacy trampoline feature.
   private val isLegacyTrampoline = features.unknown.contains(UnknownFeature(149))
@@ -81,8 +83,8 @@ case class ClearRecipient(nodeId: PublicKey,
     ClearRecipient.validateRoute(nodeId, route).map(_ => {
       val finalPayload = nextTrampolineOnion_opt match {
         case Some(trampolinePacket) if isLegacyTrampoline => NodePayload(nodeId, FinalPayload.Standard.createLegacyTrampolinePayload(route.amount, totalAmount, expiry, paymentSecret, trampolinePacket))
-        case Some(trampolinePacket) => NodePayload(nodeId, FinalPayload.Standard.createTrampolinePayload(route.amount, totalAmount, expiry, paymentSecret, trampolinePacket))
-        case None => NodePayload(nodeId, FinalPayload.Standard.createPayload(route.amount, totalAmount, expiry, paymentSecret, paymentMetadata_opt, trampolineOnion_opt = None, customTlvs = customTlvs))
+        case Some(trampolinePacket) => NodePayload(nodeId, FinalPayload.Standard.createTrampolinePayload(route.amount, totalAmount, expiry, paymentSecret, trampolinePacket, trampolinePathKey_opt))
+        case None => NodePayload(nodeId, FinalPayload.Standard.createPayload(route.amount, totalAmount, expiry, paymentSecret, paymentMetadata_opt, trampolineOnion_opt = None, customTlvs))
       }
       Recipient.buildPayloads(PaymentPayloads(route.amount, expiry, Seq(finalPayload), None), route.hops)
     })
@@ -91,7 +93,7 @@ case class ClearRecipient(nodeId: PublicKey,
 
 object ClearRecipient {
   def apply(invoice: Bolt11Invoice, totalAmount: MilliSatoshi, expiry: CltvExpiry, customTlvs: Set[GenericTlv]): ClearRecipient = {
-    ClearRecipient(invoice.nodeId, invoice.features, totalAmount, expiry, invoice.paymentSecret, invoice.extraEdges, invoice.paymentMetadata, None, customTlvs)
+    ClearRecipient(invoice.nodeId, invoice.features, totalAmount, expiry, invoice.paymentSecret, invoice.extraEdges, invoice.paymentMetadata, None, None, customTlvs)
   }
 
   def validateRoute(nodeId: PublicKey, route: Route): Either[OutgoingPaymentError, Route] = {