Leaf Node Validation

The validity of a LeafNode needs to be verified at the following stages:

idstatusdescriptionnotes & code refs
valn0101 Unknown

Verify that the credential in the LeafNode is valid, as described in Section 5.3.1.

search code

notes:

  • This is about what leaf nodes get passed into OpenMLS rather than what we do with them. Therefore this is an application-level check.

no refs to code.

no refs to tests.

valn0102 Partial

Verify that the signature on the LeafNode is valid using signature_key.

search code

notes:

  • todo: add test ref

code refs:

no refs to tests.

valn0103 Partial

Verify that the LeafNode is compatible with the group's parameters. If the GroupContext has a required_capabilities extension, then the required extensions, proposals, and credential types MUST be listed in the LeafNode's capabilities field.

search code

notes:

  • reported in https://github.com/xmtp/openmls/pull/19
  • We currently test this when an Add and Update proposal is being committed.

no refs to code.

test refs:

valn0104 Partial

Verify that the credential type is supported by all members of the group, as specified by the capabilities field of each member's LeafNode, and that the capabilities field of this LeafNode indicates support for all the credential types currently in use by other members.

search code

notes:

  • todo: add test refs

code refs:

no refs to tests.

valn0105 Partial

Verify the `lifetime` field: If the LeafNode appears in a message being sent by the client, e.g., a Proposal or a Commit, then the client MUST verify that the current time is within the range of the lifetime field.

search code

notes:

  • probably only done for key packages, but these should be the only leaf nodes with lifetimes anyway
  • todo: add test refs

code refs:

no refs to tests.

valn0106 Partial

Verify the `lifetime` field: If instead the LeafNode appears in a message being received by the client, e.g., a Proposal, a Commit, or a ratchet tree of the group the client is joining, it is RECOMMENDED that the client verifies that the current time is within the range of the lifetime field. (This check is not mandatory because the LeafNode might have expired in the time between when the message was sent and when it was received.)

search code

notes:

  • check is implemented, still needs to be tested.

no refs to code.

no refs to tests.

valn0107 Partial

Verify that the extensions in the LeafNode are supported by checking that the ID for each extension in the extensions field is listed in the capabilities.extensions field of the LeafNode.

search code

notes:

  • todo: add test ref

code refs:

no refs to tests.

valn0108 Partial

Verify the `leaf_node_source` field: If the LeafNode appears in a KeyPackage, verify that leaf_node_source is set to key_package.

search code

notes:

  • todo: add test refs

code refs:

no refs to tests.

valn0109 Partial

Verify the `leaf_node_source` field: If the LeafNode appears in an Update proposal, verify that leaf_node_source is set to update and that encryption_key represents a different public key than the encryption_key in the leaf node being replaced by the Update proposal.

search code

notes:

  • we might be more restrictive here, because we don't accept colliding keys at all, not just in Update proposals
  • todo: add test refs

code refs:

no refs to tests.

valn0110 Partial

Verify the `leaf_node_source` field: If the LeafNode appears in the leaf_node value of the UpdatePath in a Commit, verify that leaf_node_source is set to commit.

search code

notes:

  • TODO: find and document where this is tested

code refs:

no refs to tests.

valn0111 Partial

Verify that the following fields are unique among the members of the group: `signature_key`

search code

notes:

  • todo: add test ref

code refs:

no refs to tests.

valn0112 Partial

Verify that the following fields are unique among the members of the group: `encryption_key`

search code

notes:

  • todo: add test ref

code refs:

no refs to tests.

Key Package Validation

The validity of a KeyPackage needs to be verified at a few stages:

  • ref
  • idstatusdescriptionnotes & code refs
    valn0201 Complete

    Verify that the cipher suite and protocol version of the KeyPackage match those in the GroupContext.

    search code

    no notes.

    no refs to code.

    test refs:

    valn0202 Partial

    Verify that the leaf_node of the KeyPackage is valid for a KeyPackage according to Section 7.3.

    search code

    notes:

    • currently this is only done when processing adds in commit messages

    no refs to code.

    no refs to tests.

    valn0203 Partial

    Verify that the signature on the KeyPackage is valid using the public key in `leaf_node.credential`.

    search code

    notes:

    • this looks like a bug in the RFC. It should be signed using leaf_node.signature_key, but the credential can have opinions on whether that key is valid.

    code refs:

    no refs to tests.

    valn0204 Partial

    Verify that the value of `leaf_node.encryption_key` is different from the value of the `init_key` field.

    search code

    notes:

    • todo: add test ref

    code refs:

    no refs to tests.

    valn0205 Partial

    If a client receives a KeyPackage carried within an MLSMessage object, then it MUST verify that the version field of the KeyPackage has the same value as the version field of the MLSMessage.

    search code

    notes:

    • todo: add test ref

    no refs to code.

    no refs to tests.

    Regular Commit Proposal List Validation

    A group member creating a `Commit` and a group member processing a `Commit` MUST verify that the list of committed proposals is valid using one of the following procedures, depending on whether the `Commit` is external or not. If the list of proposals is invalid, then the Commit message MUST be rejected as invalid.

    For a regular, i.e., not external, Commit, the list is invalid if any of the following occurs:

    idstatusdescriptionnotes & code refs
    valn0301 Partial

    It contains an individual proposal that is invalid as specified invalid Section 12.1.

    search code

    notes:

    • The use of the ? operator means that if any of the checks fails, the function returns an error
    • todo: add test ref

    code refs:

    no refs to tests.

    valn0302 Partial

    It contains an Update proposal generated by the committer.

    search code

    notes:

    • todo: add tests ref

    code refs:

    no refs to tests.

    valn0303 Partial

    It contains a Remove proposal that removes the committer.

    search code

    no notes.

    code refs:

    no refs to tests.

    valn0304 Partial

    It contains multiple Update and/or Remove proposals that apply to the same leaf. If the committer has received multiple such proposals they SHOULD prefer any Remove received, or the most recent Update if there are no Removes.

    search code

    notes:

    • reported in https://github.com/xmtp/openmls/pull/19
    • We do the check but need to test it.

    no refs to code.

    no refs to tests.

    valn0305 Partial

    It contains multiple Add proposals that contain KeyPackages that represent the same client according to the application (for example, identical signature keys).

    search code

    notes:

    • reported in https://github.com/xmtp/openmls/pull/19
    • We check that keys are unique. Beyond that it's an application-level concern. We still need to give the app an API to validate this.

    no refs to code.

    no refs to tests.

    valn0306 Partial

    It contains an Add proposal with a KeyPackage that represents a client already in the group according to the application, unless there is a Remove proposal in the list removing the matching client from the group.

    search code

    notes:

    • reported in https://github.com/xmtp/openmls/pull/19
    • We check that keys are unique. Beyond that it's an application-level concern. We still need to give the app an API to validate this.

    no refs to code.

    no refs to tests.

    valn0307 Partial

    It contains multiple PreSharedKey proposals that reference then same PreSharedKeyID.

    search code

    no notes.

    code refs:

    no refs to tests.

    valn0308 Complete

    It contains multiple GroupContextExtension proposals.

    search code

    no notes.

    code refs:

    test refs:

    valn0309 Missing

    It contains a ReInit proposal together with any other proposal. If the committer has received other proposals during the epoch, they SHOULD prefer them over the ReInit proposal, allowing the ReInit to be resent and applied in a subsequent epoch.

    search code

    notes:

    • reported in https://github.com/xmtp/openmls/pull/19
    • We don't support ReInit yet (<a href="https://github.com/openmls/openmls/issues/1685">openmls#1685</a>)

    no refs to code.

    no refs to tests.

    valn0310 Partial

    It contains an ExternalInit proposal.

    search code

    notes:

    • Check is in code, need tests
    • reported in https://github.com/xmtp/openmls/pull/19

    no refs to code.

    no refs to tests.

    valn0311 Partial

    It contains a Proposal with a non-default proposal type that is not supported by some members of the group that will process the Commit (i.e., members being added or removed by the Commit do not need to support the proposal type).

    search code

    notes:

    • implemented, still needs tests

    no refs to code.

    no refs to tests.

    valn0312 Missing

    After processing the Commit the ratchet tree is invalid, in particular, if it contains any leaf node that is invalid according to Section 7.3.

    search code

    notes:

    • This is difficult to check, because at that point the state has already been changed. It would be nice if we instead could show before applying the diff, that applying the diff will result in a valid tree.

    no refs to code.

    no refs to tests.

    External Commit Proposal List Validation

    A group member creating a `Commit` and a group member processing a `Commit` MUST verify that the list of committed proposals is valid using one of the following procedures, depending on whether the `Commit` is external or not. If the list of proposals is invalid, then the Commit message MUST be rejected as invalid.

    For an external Commit, the list is valid if it contains only the following proposals (not necessarily in this order):

    idstatusdescriptionnotes & code refs
    valn0401 Partial

    Exactly one ExternalInit

    search code

    no notes.

    no refs to code.

    no refs to tests.

    valn0402 Partial

    At most one Remove proposal, with which the joiner removes an old version of themselves. If a Remove proposal is present, then the LeafNode in the path field of the external Commit MUST meet the same criteria as would the LeafNode in an Update for the removed leaf (see Section 12.1.2). In particular, the credential in the LeafNode MUST present a set of identifiers that is acceptable to the application for the removed participant.

    search code

    notes:

    • We are checking that there is not more than one Remove proposal in external commits, but the application has to ensure that the provided key package satisfies the requirements.

    no refs to code.

    no refs to tests.

    valn0403 Complete

    Zero or more PreSharedKey proposals

    search code

    notes:

    • Since we can only include a non-negative integer number of proposals, it necessarily is "zero or more". There is no check required.

    no refs to code.

    no refs to tests.

    valn0404 Partial

    No other proposals

    search code

    notes:

    • The check is implemented, but we need to test that we do it correctly

    no refs to code.

    no refs to tests.

    valn0405 Partial

    External Commits MUST contain a path field (and is therefore a "full" Commit). The joiner is added at the leftmost free leaf node (just as if they were added with an Add proposal), and the path is calculated relative to that leaf node.

    search code

    notes:

    • The check is implemented, but we need to test that we do it correctly

    no refs to code.

    no refs to tests.

    valn0406 Partial

    The Commit MUST NOT include any proposals by reference, since an external joiner cannot determine the validity of proposals sent within the group.

    search code

    notes:

    • The check is implemented, but we need to test that we do it correctly

    no refs to code.

    no refs to tests.

    valn0407 Partial

    External Commits MUST be signed by the new member. In particular, the signature on the enclosing AuthenticatedContent MUST verify using the public key for the credential in the leaf_node of the path field.

    search code

    notes:

    • The check is implemented, but we need to test that we do it correctly

    no refs to code.

    no refs to tests.

    valn0408 Partial

    The sender type for the AuthenticatedContent encapsulating the external Commit MUST be new_member_commit.

    search code

    notes:

    • This is implicit, because it's the value on which our decision how to process the message is based.

    no refs to code.

    no refs to tests.

    Add Proposal Validation

    An Add proposal requests that a client with a specified KeyPackage be added to the group.

    idstatusdescriptionnotes & code refs
    valn0501 Partial

    An Add proposal is invalid if the KeyPackage is invalid according to Section 10.1.

    search code

    notes:

    • todo: add test refs

    code refs:

    no refs to tests.

    Update Proposal Validation

    An Update proposal is a similar mechanism to Add with the distinction that it replaces the sender's LeafNode in the tree instead of adding a new leaf to the tree.

    idstatusdescriptionnotes & code refs
    valn0601 Partial

    An Update proposal is invalid if the LeafNode is invalid for an Update proposal according to Section 7.3.

    search code

    notes:

    • todo: add test refs

    code refs:

    no refs to tests.

    Remove Proposal Validation

    A Remove proposal requests that the member with the leaf index removed be removed from the group.

    idstatusdescriptionnotes & code refs
    valn0701 Partial

    A Remove proposal is invalid if the removed field does not identify a non-blank leaf node.

    search code

    notes:

    • the tests we have a are not great. The check and basic tests were added in PR https://github.com/openmls/openmls/pull/1655

    code refs:

    no refs to tests.

    PreSharedKey Proposal Validation

    A PreSharedKey proposal can be used to request that a pre-shared key be injected into the key schedule in the process of advancing the epoch.

    A PreSharedKey proposal is invalid if any of the following is true:

    idstatusdescriptionnotes & code refs
    valn0801 Missing

    The PreSharedKey proposal is not being processed as part of a reinitialization of the group (see Section 11.2), and the PreSharedKeyID has psktype set to resumption and usage set to reinit.

    search code

    notes:

    • PSK support not implemented

    no refs to code.

    no refs to tests.

    valn0802 Missing

    The PreSharedKey proposal is not being processed as part of a subgroup branching operation (see Section 11.3), and the PreSharedKeyID has psktype set to resumption and usage set to branch.

    search code

    notes:

    • PSK support not implemented

    no refs to code.

    no refs to tests.

    valn0803 Partial

    The psk_nonce is not of length KDF.Nh.

    search code

    notes:

    • todo: find test refs

    code refs:

    no refs to tests.

    ReInit Proposal Validation

    A ReInit proposal represents a request to reinitialize the group with different parameters, for example, to increase the version number or to change the cipher suite. The reinitialization is done by creating a completely new group and shutting down the old one.

    idstatusdescriptionnotes & code refs
    valn0901 Unknown

    A ReInit proposal is invalid if the version field is less than the version for the current group.

    search code

    notes:

    • this feature is not implemented

    no refs to code.

    no refs to tests.

    GroupContextExtensions Proposal Validation

    A GroupContextExtensions proposal is used to update the list of extensions in the GroupContext for the group.

    idstatusdescriptionnotes & code refs
    valn1001 Partial

    A GroupContextExtensions proposal is invalid if it includes a required_capabilities extension and some members of the group do not support some of the required capabilities (including those added in the same Commit, and excluding those removed).

    search code

    notes:

    • currently, we only test for missing supported extension types, not proposal or proposal types.

    code refs:

    test refs:

    Update Path Validation

    As described in Section 12.4, each Commit message may optionally contain an UpdatePath, with a new LeafNode and set of parent nodes for the sender's filtered direct path. For each parent node, the UpdatePath contains a new public key and encrypted path secret. The parent nodes are kept in the same order as the filtered direct path.

    idstatusdescriptionnotes & code refs
    valn1101 Partial

    For each UpdatePathNode, the resolution of the corresponding copath node MUST exclude all new leaf nodes added as part of the current Commit. The length of the encrypted_path_secret vector MUST be equal to the length of the resolution of the copath node (excluding new leaf nodes), with each ciphertext being the encryption to the respective resolution node.

    search code

    notes:

    • todo: find test refs

    code refs:

    no refs to tests.

    Processing a Commit

    A member of the group applies a Commit message by taking the following steps:

    idstatusdescriptionnotes & code refs
    valn1201 Partial

    Verify that the epoch field of the enclosing FramedContent is equal to the epoch field of the current GroupContext object.

    search code

    notes:

    • todo: find test refs

    code refs:

    no refs to tests.

    valn1202 Partial

    Unprotect the Commit using the keys from the current epoch: If the message is encoded as PublicMessage, verify the membership MAC using the membership_key.

    search code

    notes:

    • todo: add test refs

    code refs:

    no refs to tests.

    valn1203 Partial

    Verify the signature on the FramedContent message as described in Section 6.1.

    search code

    notes:

    • todo: find test refs

    code refs:

    no refs to tests.

    valn1204 Partial

    Verify that the proposals vector is valid according to the rules in Section 12.2.

    search code

    notes:

    • todo: find test refs

    code refs:

    no refs to tests.

    valn1205 Partial

    Verify that all PreSharedKey proposals in the proposals vector are available.

    search code

    notes:

    • We need to test that we do the right thing here.

    no refs to code.

    no refs to tests.

    valn1206 Partial

    Verify that the path value is populated if the proposals vector contains any Update or Remove proposals, or if it's empty. Otherwise, the path value MAY be omitted.

    search code

    notes:

    • TODO: Find Tests and reference them here or annotate them

    code refs:

    no refs to tests.

    valn1207 Partial

    If the path value is populated, validate it and apply it to the tree: Validate the LeafNode as specified in Section 7.3. The leaf_node_source field MUST be set to commit.

    search code

    notes:

    • This is done when parsing the update path

    no refs to code.

    no refs to tests.

    valn1208 Partial

    If the path value is populated, validate it and apply it to the tree: Verify that the encryption_key value in the LeafNode is different from the committer's current leaf node.

    search code

    notes:

    • we check that it is different from the keys of _any_ current member. Still need to test this check.

    no refs to code.

    no refs to tests.

    valn1209 Partial

    If the path value is populated, validate it and apply it to the tree: Verify that none of the public keys in the UpdatePath appear in any node of the new ratchet tree.

    search code

    notes:

    • todo: add test refs

    code refs:

    no refs to tests.

    Message Framing Validation

    Handshake and application messages use a common framing structure. This framing provides encryption to ensure confidentiality within the group, as well as signing to authenticate the sender.

    idstatusdescriptionnotes & code refs
    valn1301 Partial

    Recipients of an MLSMessage MUST verify the signature with the key depending on the sender_type of the sender as described above.

    search code

    notes:

    • NB: This is about picking the right key, not verifying the signature. That is done in valn1302 and valn1304.
    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1302 Partial

    When decoding a PublicMessage into an AuthenticatedContent, the application MUST check membership_tag and MUST check that the FramedContentAuthData is valid.

    search code

    notes:

    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1303 Partial

    The padding field is set by the sender, by first encoding the content (via the select) and the auth field, and then appending the chosen number of zero bytes. A receiver identifies the padding field in a plaintext decoded from PrivateMessage.ciphertext by first decoding the content and the auth field; then the padding field comprises any remaining octets of plaintext. The padding field MUST be filled with all zero bytes. A receiver MUST verify that there are no non-zero bytes in the padding field, and if this check fails, the enclosing PrivateMessage MUST be rejected as malformed. This check ensures that the padding process is deterministic, so that, for example, padding cannot be used as a covert channel.

    search code

    notes:

    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1304 Partial

    When decoding a PrivateMessageContent, the application MUST check that the FramedContentAuthData is valid.

    search code

    notes:

    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1305 Partial

    When constructing a SenderData object from a Sender object, the sender MUST verify Sender.sender_type is member and use Sender.leaf_index for SenderData.leaf_index.

    search code

    notes:

    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1306 Partial

    When parsing a SenderData struct as part of message decryption, the recipient MUST verify that the leaf index indicated in the leaf_index field identifies a non-blank node.

    search code

    notes:

    • todo: find test refs

    no refs to code.

    no refs to tests.

    valn1307 Partial

    On receiving a FramedContent containing a Proposal, a client MUST verify the signature inside FramedContentAuthData and that the epoch field of the enclosing FramedContent is equal to the epoch field of the current GroupContext object. If the verification is successful, then the Proposal should be cached in such a way that it can be retrieved by hash (as a ProposalOrRef object) in a later Commit message.

    search code

    notes:

    • todo: proper testing

    no refs to code.

    no refs to tests.

    Welcome Validation

    On receiving a Welcome message, a client processes it using the following steps:

    idstatusdescriptionnotes & code refs
    valn1401 Missing

    If a PreSharedKeyID is part of the GroupSecrets and the client is not in possession of the corresponding PSK, return an error. Additionally, if a PreSharedKeyID has type resumption with usage reinit or branch, verify that it is the only such PSK.

    search code

    notes:

    • reinit and branch are not implement so far

    no refs to code.

    no refs to tests.

    valn1402 Partial

    Verify the signature on the GroupInfo object. The signature input comprises all of the fields in the GroupInfo object except the signature field. The public key is taken from the LeafNode of the ratchet tree with leaf index signer. If the node is blank or if signature verification fails, return an error.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1403 Missing

    Verify that the group_id is unique among the groups that the client is currently participating in.

    search code

    notes:

    • This is an application-level concern. We only handle individual groups

    no refs to code.

    no refs to tests.

    valn1404 Partial

    Verify that the cipher_suite in the GroupInfo matches the cipher_suite in the KeyPackage.

    search code

    notes:

    • This one is a bit unclear. It does not clearly state which key package is meant (though we can guess it's the new member's key package), and also GroupInfo itself doesn't even have a cipher_suite (but the GroupContext in there does).
    • And what about the cipher_suite of the Welcome message itself?
    • The current status is that we do the check and compare the group context cipher suite with that of the key package of the new member. We also check that they match with the welcome message.

    no refs to code.

    no refs to tests.

    valn1405 Partial

    Verify the integrity of the ratchet tree: Verify that the tree hash of the ratchet tree matches the tree_hash field in GroupInfo.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1406 Partial

    Verify the integrity of the ratchet tree: For each non-empty parent node, verify that it is "parent-hash valid", as described in Section 7.9.2.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1407 Partial

    Verify the integrity of the ratchet tree: For each non-empty leaf node, validate the LeafNode as described in Section 7.3.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1408 Partial

    Verify the integrity of the ratchet tree: For each non-empty parent node and each entry in the node's unmerged_leaves field: Verify that the entry represents a non-blank leaf node that is a descendant of the parent node.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1409 Partial

    Verify the integrity of the ratchet tree: For each non-empty parent node and each entry in the node's unmerged_leaves field: Verify that every non-blank intermediate node between the leaf node and the parent node also has an entry for the leaf node in its unmerged_leaves.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1410 Partial

    Verify the integrity of the ratchet tree: For each non-empty parent node and each entry in the node's unmerged_leaves field: Verify that the encryption key in the parent node does not appear in any other node of the tree.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1411 Partial

    Verify the integrity of the ratchet tree: Verify the confirmation tag in the GroupInfo using the derived confirmation key and the confirmed_transcript_hash from the GroupInfo.

    search code

    notes:

    • The test might be missing

    no refs to code.

    no refs to tests.

    valn1412 Missing

    Verify the integrity of the ratchet tree: If a PreSharedKeyID was used that has type resumption with usage reinit or branch, verify that the epoch field in the GroupInfo is equal to 1.

    search code

    notes:

    • reinit isn't currently implemented

    no refs to code.

    no refs to tests.

    valn1413 Missing

    Verify the integrity of the ratchet tree: For usage reinit, verify that the last Commit to the referenced group contains a ReInit proposal and that the group_id, version, cipher_suite, and group_context.extensions fields of the GroupInfo match the ReInit proposal. Additionally, verify that all the members of the old group are also members of the new group, according to the application.

    search code

    notes:

    • reinit isn't currently implemented

    no refs to code.

    no refs to tests.

    valn1414 Missing

    Verify the integrity of the ratchet tree: For usage branch, verify that the version and cipher_suite of the new group match those of the old group, and that the members of the new group compose a subset of the members of the old group, according to the application.

    search code

    notes:

    • branching isn't currently implemented

    no refs to code.

    no refs to tests.