MatrixAI · tegefaulkes · Jun 24, 2025 · Jun 11, 2025
diff --git a/src/claims/errors.ts b/src/claims/errors.ts
@@ -8,6 +8,11 @@ class ErrorClaimsUndefinedClaimPayload<T> extends ErrorClaims<T> {
   exitCode = sysexits.UNKNOWN;
 }
 
+class ErrorClaimsVerificationFailed<T> extends ErrorClaims<T> {
+  static description = 'Failed to verify claim';
+  exitCode = sysexits.SOFTWARE;
+}
+
 /**
  * Exceptions arising in cross-signing process
  */
@@ -59,6 +64,7 @@ class ErrorNodesClaimType<T> extends ErrorSchemaValidate<T> {
 export {
   ErrorClaims,
   ErrorClaimsUndefinedClaimPayload,
+  ErrorClaimsVerificationFailed,
   ErrorEmptyStream,
   ErrorUndefinedSinglySignedClaim,
   ErrorUndefinedDoublySignedClaim,

diff --git a/src/claims/payloads/claimNetworkAccess.ts b/src/claims/payloads/claimNetworkAccess.ts
@@ -1,22 +1,28 @@
 import type { Claim, SignedClaim } from '../types.js';
-import type { NodeIdEncoded } from '../../ids/types.js';
+import type { NodeId, NodeIdEncoded } from '../../ids/types.js';
 import type { SignedTokenEncoded } from '../../tokens/types.js';
+import * as claimNetworkAuthorityUtils from './claimNetworkAuthority.js';
+import Token from '../../tokens/Token.js';
 import * as tokensSchema from '../../tokens/schemas/index.js';
 import * as ids from '../../ids/index.js';
 import * as claimsUtils from '../utils.js';
+import * as claimsErrors from '../errors.js';
 import * as tokensUtils from '../../tokens/utils.js';
 import * as validationErrors from '../../validation/errors.js';
 import * as utils from '../../utils/index.js';
+import * as nodesUtils from '../../nodes/utils.js';
+import * as keysUtils from '../../keys/utils/index.js';
 
 /**
- * Asserts that a node is apart of a network
+ * Asserts that a node is a part of a network
  */
 interface ClaimNetworkAccess extends Claim {
   typ: 'ClaimNetworkAccess';
   iss: NodeIdEncoded;
   sub: NodeIdEncoded;
   network: string;
-  signedClaimNetworkAuthorityEncoded?: SignedTokenEncoded;
+  signedClaimNetworkAuthorityEncoded: SignedTokenEncoded;
+  isPrivate: boolean;
 }
 
 function assertClaimNetworkAccess(
@@ -64,6 +70,14 @@ function assertClaimNetworkAccess(
       '`signedClaimNetworkAuthorityEncoded` property must be an encoded signed token',
     );
   }
+  if (
+    claimNetworkAccess['isPrivate'] == null ||
+    typeof claimNetworkAccess['isPrivate'] !== 'boolean'
+  ) {
+    throw new validationErrors.ErrorParse(
+      '`isPrivate` property must be a boolean',
+    );
+  }
 }
 
 function parseClaimNetworkAccess(
@@ -84,10 +98,81 @@ function parseSignedClaimNetworkAccess(
   return signedClaim as SignedClaim<ClaimNetworkAccess>;
 }
 
+function verifyClaimNetworkAccess(
+  networkNodeId: NodeId,
+  subjectNodeId: NodeId,
+  network: string,
+  tokenClaimNetworkAccess: Token<ClaimNetworkAccess>,
+): void {
+  const signedClaim =
+    claimNetworkAuthorityUtils.parseSignedClaimNetworkAuthority(
+      tokenClaimNetworkAccess.payload.signedClaimNetworkAuthorityEncoded,
+    );
+  const claimNetworkAuthority = Token.fromSigned(signedClaim);
+  const issuerNodeId = nodesUtils.decodeNodeId(
+    tokenClaimNetworkAccess.payload.iss,
+  );
+  if (issuerNodeId == null) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'failed to decode issuer nodeId',
+    );
+  }
+  claimNetworkAuthorityUtils.verifyClaimNetworkAuthority(
+    networkNodeId,
+    issuerNodeId,
+    network,
+    claimNetworkAuthority,
+  );
+  //  For the access claim
+  //  1. issuer is current node
+  //  2. subject is target node
+  //  3. is signed by both the target and issuer
+
+  // Issuer should be the subject of the ClaimNetworkAuthority and signed by it
+  const claimNetworkAuthoritySub = claimNetworkAuthority.payload.sub;
+  const nodeIdIss = tokenClaimNetworkAccess.payload.iss;
+  if (nodeIdIss !== claimNetworkAuthoritySub) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Issuer NodeIdEncoded does not match the expected network id',
+    );
+  }
+  const networkPublicKey = keysUtils.publicKeyFromNodeId(issuerNodeId);
+  if (!tokenClaimNetworkAccess.verifyWithPublicKey(networkPublicKey)) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Token was not signed by the issuer node',
+    );
+  }
+
+  // Subject should be the target node and signed by it
+  const targetNodeIdEncoded = nodesUtils.encodeNodeId(subjectNodeId);
+  const nodeIdSub = tokenClaimNetworkAccess.payload.sub;
+  if (nodeIdSub !== targetNodeIdEncoded) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Subject NodeIdEncoded does not match the expected subject node',
+    );
+  }
+  const targetPublicKey = keysUtils.publicKeyFromNodeId(subjectNodeId);
+
+  if (!tokenClaimNetworkAccess.verifyWithPublicKey(targetPublicKey)) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Token was not signed by the subject node',
+    );
+  }
+
+  // Checking if the network name matches
+  const networkName = tokenClaimNetworkAccess.payload.network;
+  if (networkName !== network) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Network name does not match the expected network',
+    );
+  }
+}
+
 export {
   assertClaimNetworkAccess,
   parseClaimNetworkAccess,
   parseSignedClaimNetworkAccess,
+  verifyClaimNetworkAccess,
 };
 
 export type { ClaimNetworkAccess };
diff --git a/src/claims/payloads/claimNetworkAuthority.ts b/src/claims/payloads/claimNetworkAuthority.ts
@@ -1,18 +1,25 @@
 import type { Claim, SignedClaim } from '../types.js';
-import type { NodeIdEncoded } from '../../ids/types.js';
+import type { NodeId, NodeIdEncoded } from '../../ids/types.js';
+import type Token from '../../tokens/Token.js';
 import * as ids from '../../ids/index.js';
 import * as claimsUtils from '../utils.js';
-import * as tokensUtils from '../../tokens/utils.js';
+import * as claimsErrors from '../errors.js';
 import * as validationErrors from '../../validation/errors.js';
 import * as utils from '../../utils/index.js';
+import * as nodesUtils from '../../nodes/utils.js';
+import * as keysUtils from '../../keys/utils/index.js';
 
 /**
- * Asserts that a node is apart of a network
+ * Asserts that a node has the authority of a network.
+ * The issuing nodeId has to be the root keypair for the whole network.
  */
+
 interface ClaimNetworkAuthority extends Claim {
   typ: 'ClaimNetworkAuthority';
   iss: NodeIdEncoded;
   sub: NodeIdEncoded;
+  network: string;
+  isPrivate: boolean;
 }
 
 function assertClaimNetworkAuthority(
@@ -42,6 +49,22 @@ function assertClaimNetworkAuthority(
       '`sub` property must be an encoded node ID',
     );
   }
+  if (
+    claimNetworkAuthority['network'] == null ||
+    typeof claimNetworkAuthority['network'] !== 'string'
+  ) {
+    throw new validationErrors.ErrorParse(
+      '`network` property must be a network name string',
+    );
+  }
+  if (
+    claimNetworkAuthority['isPrivate'] == null ||
+    typeof claimNetworkAuthority['isPrivate'] !== 'boolean'
+  ) {
+    throw new validationErrors.ErrorParse(
+      '`isPrivate` property must be a boolean',
+    );
+  }
 }
 
 function parseClaimNetworkAuthority(
@@ -55,17 +78,62 @@ function parseClaimNetworkAuthority(
 function parseSignedClaimNetworkAuthority(
   signedClaimNetworkNodeEncoded: unknown,
 ): SignedClaim<ClaimNetworkAuthority> {
-  const signedClaim = tokensUtils.parseSignedToken(
+  const signedClaim = claimsUtils.parseSignedClaim(
     signedClaimNetworkNodeEncoded,
   );
   assertClaimNetworkAuthority(signedClaim.payload);
   return signedClaim as SignedClaim<ClaimNetworkAuthority>;
 }
 
+function verifyClaimNetworkAuthority(
+  networkNodeId: NodeId,
+  targetNodeId: NodeId,
+  network: string,
+  token: Token<ClaimNetworkAuthority>,
+): void {
+  // Should be signed by the network authority as the issuer
+  const nodeIdIss = token.payload.iss;
+  const networkNodeIdEncoded = nodesUtils.encodeNodeId(networkNodeId);
+  if (nodeIdIss !== networkNodeIdEncoded) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Issuer NodeIdEncoded does not match the expected network id',
+    );
+  }
+  const networkPublicKey = keysUtils.publicKeyFromNodeId(networkNodeId);
+  if (!token.verifyWithPublicKey(networkPublicKey)) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Token was not signed by the network authority',
+    );
+  }
+  // Now we check if the claim applies to the target node
+  const targetNodeIdEncoded = nodesUtils.encodeNodeId(targetNodeId);
+  const nodeIdSub = token.payload.sub;
+  if (nodeIdSub !== targetNodeIdEncoded) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Subject NodeIdEncoded does not match the expected target Node',
+    );
+  }
+  // Checking if the claim was signed by the subject
+  const targetPublicKey = keysUtils.publicKeyFromNodeId(targetNodeId);
+  if (!token.verifyWithPublicKey(targetPublicKey)) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Token was not signed by the network authority',
+    );
+  }
+  // Checking if the network name matches
+  const networkName = token.payload.network;
+  if (networkName !== network) {
+    throw new claimsErrors.ErrorClaimsVerificationFailed(
+      'Network name does not match the expected network',
+    );
+  }
+}
+
 export {
   assertClaimNetworkAuthority,
   parseClaimNetworkAuthority,
   parseSignedClaimNetworkAuthority,
+  verifyClaimNetworkAuthority,
 };
 
 export type { ClaimNetworkAuthority };
diff --git a/src/gestalts/types.ts b/src/gestalts/types.ts
@@ -14,7 +14,7 @@ import type {
 } from '../claims/payloads/index.js';
 import type { ProviderPaginationToken } from '../identities/types.js';
 
-const gestaltActions = ['notify', 'scan', 'claim'] as const;
+const gestaltActions = ['notify', 'scan', 'claim', 'join'] as const;
 
 type GestaltKey = Opaque<'GestaltKey', Buffer>;
 

diff --git a/src/nodes/NodeConnectionManager.ts b/src/nodes/NodeConnectionManager.ts
@@ -111,7 +111,11 @@ const activeForwardAuthenticateCancellationReason = Symbol(
   'active forward authenticate cancellation reason',
 );
 
-const rpcMethodsWhitelist = ['nodesAuthenticateConnection'];
+const rpcMethodsWhitelist = [
+  'nodesAuthenticateConnection',
+  'nodesClaimNetworkSign',
+  'nodesClaimNetworkAuthorityGet',
+];
 
 /**
  * NodeConnectionManager is a server that manages all node connections.
@@ -711,7 +715,7 @@ class NodeConnectionManager<
    * @param targetNodeId Id of target node to communicate with
    * @returns ResourceAcquire Resource API for use in with contexts
    */
-  protected acquireConnectionInternal(
+  public acquireConnectionInternal(
     targetNodeId: NodeId,
   ): ResourceAcquire<NodeConnection<Manifest>> {
     if (this.keyRing.getNodeId().equals(targetNodeId)) {
@@ -1837,7 +1841,7 @@ class NodeConnectionManager<
     }
     try {
       // Should resolve without issue if authentication succeeds.
-      await this.authenticateNetworkReverseCallback(message, ctx);
+      await this.authenticateNetworkReverseCallback(message, nodeId, ctx);
       connectionsEntry.authenticatedReverse = AuthenticatingState.SUCCESS;
     } catch (e) {
       const err = new nodesErrors.ErrorNodeManagerAuthenticationFailedReverse(