@matter/general 0.16.0-alpha.0-20250814-484abe647 → 0.16.0-alpha.0-20250815-ac9fd6eb0

package/src/crypto/Key.ts

@@ -62,8 +62,8 @@ const CurveLookup = {
 };
 
 export type BinaryKeyPair = {
-    publicKey: Uint8Array;
-    privateKey: Uint8Array;
+    publicKey: Bytes;
+    privateKey: Bytes;
 };
 
 /**
@@ -131,40 +131,40 @@ export interface Key extends JsonWebKey {
      * Binary alias to private key field.  Automatically encodes/decodes the
      * base-64 private key.
      */
-    privateBits?: Uint8Array;
+    privateBits?: Bytes;
 
     /**
      * Binary alias to the x field.  Automatically encodes/decodes the base-64
      * x-point on EC public keys.
      */
-    xBits?: Uint8Array;
+    xBits?: Bytes;
 
     /**
      * Binary alias to the y field.  Automatically encodes/decodes the base-64
      * y-point on EC public keys.
      */
-    yBits?: Uint8Array;
+    yBits?: Bytes;
 
     /**
      * Import (write-only) of private keys encoded in SEC1 format.
      */
-    sec1?: Uint8Array;
+    sec1?: Bytes;
 
     /**
      * Import (write-only) of private keys encoded in PKCS #8 format.
      */
-    pkcs8?: Uint8Array;
+    pkcs8?: Bytes;
 
     /**
      * Import (write-only) of public keys encoded in SPKI format.
      */
-    spki?: Uint8Array;
+    spki?: Bytes;
 
     /**
      * Import/export of EC public key in SEC1/SPKI format.  Maps to x & y
      * fields internally.
      */
-    publicBits?: Uint8Array;
+    publicBits?: Bytes;
 
     /**
      * Import/export of BinaryKeyPair structure used as an alternate
@@ -175,12 +175,12 @@ export interface Key extends JsonWebKey {
     /**
      * Alias for publicBits that throws if no public key is present.
      */
-    publicKey: Uint8Array;
+    publicKey: Bytes;
 
     /**
      * Alias for privateBits that throws if no private key is present.
      */
-    privateKey: Uint8Array;
+    privateKey: Bytes;
 
     /**
      * Alias for keyPairBits that throws if a complete key pair is not present.
@@ -196,9 +196,9 @@ export interface PublicKey extends Key {
     curve: CurveType;
     x: string;
     y: string;
-    xBits: Uint8Array;
-    yBits: Uint8Array;
-    publicBits: Uint8Array;
+    xBits: Bytes;
+    yBits: Bytes;
+    publicBits: Bytes;
 }
 
 /**
@@ -207,11 +207,11 @@ export interface PublicKey extends Key {
 export interface PrivateKey extends PublicKey {
     private: string;
     d: string;
-    privateBits: Uint8Array;
-    privateKey: Uint8Array;
+    privateBits: Bytes;
+    privateKey: Bytes;
     keyPair: BinaryKeyPair;
     keyPairBits: BinaryKeyPair;
-    sharedSecretFor(peerKey: PublicKey): Uint8Array;
+    sharedSecretFor(peerKey: PublicKey): Bytes;
 }
 
 /**
@@ -225,7 +225,11 @@ export interface SymmetricKey extends Key {
 
 function checkDerVersion(type: string, node: DerNode | undefined, version: number) {
     const derVersion =
-        node && node._tag === DerType.Integer && node._bytes && node._bytes.length === 1 && node._bytes[0];
+        node &&
+        node._tag === DerType.Integer &&
+        node._bytes &&
+        node._bytes.byteLength === 1 &&
+        Bytes.of(node._bytes)[0];
 
     if (derVersion !== version) {
         throw new KeyInputError(`${type} key version mismatch`);
@@ -233,7 +237,7 @@ function checkDerVersion(type: string, node: DerNode | undefined, version: numbe
 }
 
 function getDerObjectID(type: string, node?: DerNode) {
-    const id = node && node._tag === DerType.ObjectIdentifier && node._bytes?.length > 1 && node._bytes;
+    const id = node && node._tag === DerType.ObjectIdentifier && node._bytes?.byteLength > 1 && node._bytes;
 
     if (id) return id;
 
@@ -248,7 +252,7 @@ function getDerCurve(type: string, node?: DerNode) {
 }
 
 function getDerKey(type: string, node?: DerNode, derType: DerType = DerType.OctetString) {
-    const key = node && node._tag === derType && node._bytes?.length > 1 && node._bytes;
+    const key = node && node._tag === derType && node._bytes?.byteLength > 1 && node._bytes;
 
     if (key) return key;
 
@@ -259,7 +263,7 @@ function getDerKey(type: string, node?: DerNode, derType: DerType = DerType.Octe
 namespace Translators {
     // Import SEC1 private key
     export const sec1 = {
-        set: function (this: Key, input: Uint8Array) {
+        set: function (this: Key, input: Bytes) {
             const decoded = DerCodec.decode(input);
 
             // Version
@@ -286,7 +290,7 @@ namespace Translators {
 
     // Import PKCS8 private key
     export const pkcs8 = {
-        set: function (this: Key, input: Uint8Array) {
+        set: function (this: Key, input: Bytes) {
             const outer = DerCodec.decode(input);
 
             // Version
@@ -323,7 +327,7 @@ namespace Translators {
 
     // Import SPKI public key
     export const spki = {
-        set: function (this: Key, input: Uint8Array) {
+        set: function (this: Key, input: Bytes) {
             const decoded = DerCodec.decode(input);
 
             const algorithmElements = decoded?._elements?.[0]?._elements;
@@ -352,12 +356,13 @@ namespace Translators {
 
     // Import public key bytes in SEC1/SPKI format
     export const publicBits = {
-        set: function (this: Key, input: Uint8Array) {
-            if (!(input.length % 2)) {
+        set: function (this: Key, input: Bytes) {
+            const data = Bytes.of(input);
+            if (!(data.length % 2)) {
                 throw new KeyInputError("Invalid public key encoding");
             }
 
-            switch (input[0]) {
+            switch (data[0]) {
                 case 2:
                 case 3:
                     throw new KeyInputError("Unsupported public key compression");
@@ -369,13 +374,13 @@ namespace Translators {
                     throw new KeyInputError("Illegal public key format specifier");
             }
 
-            const coordinateLength = (input.length - 1) / 2;
+            const coordinateLength = (data.length - 1) / 2;
 
             inferCurve(this, coordinateLength);
 
             this.type = KeyType.EC;
-            this.xBits = input.slice(1, coordinateLength + 1);
-            this.yBits = input.slice(coordinateLength + 1);
+            this.xBits = data.slice(1, coordinateLength + 1);
+            this.yBits = data.slice(coordinateLength + 1);
         },
 
         get: function (this: Key) {
@@ -383,7 +388,7 @@ namespace Translators {
                 return undefined;
             }
 
-            return new Uint8Array([0x04, ...this.xBits, ...this.yBits]);
+            return Bytes.concat(new Uint8Array([0x04]), this.xBits, this.yBits);
         },
     };
 
@@ -401,8 +406,8 @@ namespace Translators {
                 return;
             }
             return {
-                publicKey: publicBits,
-                privateKey: privateBits,
+                publicKey: Bytes.of(publicBits),
+                privateKey: Bytes.of(privateBits),
             };
         },
     };
@@ -536,7 +541,7 @@ export function Key(properties: Partial<Key>) {
         }
 
         // Compute
-        const ecKey = Point.fromPrivateKey(that.privateKey);
+        const ecKey = Point.fromPrivateKey(Bytes.of(that.privateKey));
 
         // Install
         that.xBits = numberToBytesBE(ecKey.x, keyLength);
@@ -545,9 +550,9 @@ export function Key(properties: Partial<Key>) {
 
     if (that.type === KeyType.EC) {
         if (that.d) {
-            inferCurve(that, that.privateKey.length);
+            inferCurve(that, that.privateKey.byteLength);
         } else if (that.xBits) {
-            inferCurve(that, that.xBits.length);
+            inferCurve(that, that.xBits.byteLength);
         }
 
         if (that.d && (!that.x || !that.y)) {
@@ -561,9 +566,9 @@ export function Key(properties: Partial<Key>) {
 /**
  * EC private key factory.
  */
-export function PrivateKey(privateKey: Uint8Array | BinaryKeyPair, options?: Partial<Key>) {
+export function PrivateKey(privateKey: Bytes | BinaryKeyPair, options?: Partial<Key>) {
     let priv, pub;
-    if (ArrayBuffer.isView(privateKey)) {
+    if (Bytes.isBytes(privateKey)) {
         priv = privateKey;
     } else {
         priv = privateKey.privateKey;
@@ -581,7 +586,7 @@ export function PrivateKey(privateKey: Uint8Array | BinaryKeyPair, options?: Par
 /**
  * EC public key factory.
  */
-export function PublicKey(publicKey: Uint8Array, options?: Partial<Key>) {
+export function PublicKey(publicKey: Bytes, options?: Partial<Key>) {
     return Key({
         type: KeyType.EC,
         publicKey,
@@ -592,7 +597,7 @@ export function PublicKey(publicKey: Uint8Array, options?: Partial<Key>) {
 /**
  * Symmetric key factory.
  */
-export function SymmetricKey(privateKey: Uint8Array, options?: Partial<Key>) {
+export function SymmetricKey(privateKey: Bytes, options?: Partial<Key>) {
     return Key({
         type: KeyType.oct,
         privateKey: privateKey,
@@ -605,6 +610,6 @@ export function SymmetricKey(privateKey: Uint8Array, options?: Partial<Key>) {
  *
  * We provide this for platforms without a native implementation.
  */
-export function sharedSecretFor(this: PrivateKey, peerKey: PublicKey): Uint8Array {
-    return getSharedSecret(this.privateBits, peerKey.publicBits);
+export function sharedSecretFor(this: PrivateKey, peerKey: PublicKey): Bytes {
+    return Bytes.of(getSharedSecret(Bytes.of(this.privateBits), Bytes.of(peerKey.publicBits)));
 }

package/src/crypto/MockCrypto.ts

@@ -5,6 +5,7 @@
  */
 
 import { ImplementationError } from "#MatterError.js";
+import { Bytes } from "#util/Bytes.js";
 import { Crypto, ec } from "./Crypto.js";
 import { CurveType, Key, KeyType, PrivateKey } from "./Key.js";
 import { StandardCrypto } from "./StandardCrypto.js";
@@ -81,7 +82,7 @@ export function MockCrypto(index: number = 0x80, implementation: new () => Crypt
 
         // Ensure EC key generation uses our own "entropy" source rather than the platform's
         crypto.createKeyPair = function getRandomDataNONENTROPIC() {
-            const privateBits = ec.mapHashToField(new Uint8Array(crypto.randomBytes(48)), ec.p256.CURVE.n);
+            const privateBits = ec.mapHashToField(Bytes.of(crypto.randomBytes(48)), ec.p256.CURVE.n);
             return Key({
                 kty: KeyType.EC,
                 crv: CurveType.p256,

package/src/crypto/Spake2p.ts

@@ -25,19 +25,21 @@ const CRYPTO_W_SIZE_BYTES = CRYPTO_GROUP_SIZE_BYTES + 8;
 
 export interface PbkdfParameters {
     iterations: number;
-    salt: Uint8Array;
+    salt: Bytes;
 }
 
 export class Spake2p {
     readonly #crypto: Crypto;
-    readonly #context: Uint8Array;
+    readonly #context: Bytes;
     readonly #random: bigint;
     readonly #w0: bigint;
 
     static async computeW0W1(crypto: Crypto, { iterations, salt }: PbkdfParameters, pin: number) {
         const pinWriter = new DataWriter(Endian.Little);
         pinWriter.writeUInt32(pin);
-        const ws = await crypto.createPbkdf2Key(pinWriter.toByteArray(), salt, iterations, CRYPTO_W_SIZE_BYTES * 2);
+        const ws = Bytes.of(
+            await crypto.createPbkdf2Key(pinWriter.toByteArray(), salt, iterations, CRYPTO_W_SIZE_BYTES * 2),
+        );
         const w0 = mod(bytesToNumberBE(ws.slice(0, 40)), P256_CURVE.n);
         const w1 = mod(bytesToNumberBE(ws.slice(40, 80)), P256_CURVE.n);
         return { w0, w1 };
@@ -49,30 +51,30 @@ export class Spake2p {
         return { w0, L };
     }
 
-    static create(crypto: Crypto, context: Uint8Array, w0: bigint) {
+    static create(crypto: Crypto, context: Bytes, w0: bigint) {
         const random = crypto.randomBigInt(32, P256_CURVE.Fp.ORDER);
         return new Spake2p(crypto, context, random, w0);
     }
 
-    constructor(crypto: Crypto, context: Uint8Array, random: bigint, w0: bigint) {
+    constructor(crypto: Crypto, context: Bytes, random: bigint, w0: bigint) {
         this.#crypto = crypto;
         this.#context = context;
         this.#random = random;
         this.#w0 = w0;
     }
 
-    computeX(): Uint8Array {
+    computeX(): Bytes {
         const X = ProjectivePoint.BASE.multiply(this.#random).add(M.multiply(this.#w0));
         return X.toRawBytes(false);
     }
 
-    computeY(): Uint8Array {
+    computeY(): Bytes {
         const Y = ProjectivePoint.BASE.multiply(this.#random).add(N.multiply(this.#w0));
         return Y.toRawBytes(false);
     }
 
-    async computeSecretAndVerifiersFromY(w1: bigint, X: Uint8Array, Y: Uint8Array) {
-        const YPoint = ProjectivePoint.fromHex(Y);
+    async computeSecretAndVerifiersFromY(w1: bigint, X: Bytes, Y: Bytes) {
+        const YPoint = ProjectivePoint.fromHex(Bytes.of(Y));
         try {
             YPoint.assertValidity();
         } catch (error) {
@@ -81,12 +83,12 @@ export class Spake2p {
         const yNwo = YPoint.add(N.multiply(this.#w0).negate());
         const Z = yNwo.multiply(this.#random);
         const V = yNwo.multiply(w1);
-        return this.computeSecretAndVerifiers(X, Y, Z.toRawBytes(false), V.toRawBytes(false));
+        return this.computeSecretAndVerifiers(X, Y, Bytes.of(Z.toRawBytes(false)), Bytes.of(V.toRawBytes(false)));
     }
 
-    async computeSecretAndVerifiersFromX(L: Uint8Array, X: Uint8Array, Y: Uint8Array) {
-        const XPoint = ProjectivePoint.fromHex(X);
-        const LPoint = ProjectivePoint.fromHex(L);
+    async computeSecretAndVerifiersFromX(L: Bytes, X: Bytes, Y: Bytes) {
+        const XPoint = ProjectivePoint.fromHex(Bytes.of(X));
+        const LPoint = ProjectivePoint.fromHex(Bytes.of(L));
         try {
             XPoint.assertValidity();
         } catch (error) {
@@ -94,15 +96,17 @@ export class Spake2p {
         }
         const Z = XPoint.add(M.multiply(this.#w0).negate()).multiply(this.#random);
         const V = LPoint.multiply(this.#random);
-        return this.computeSecretAndVerifiers(X, Y, Z.toRawBytes(false), V.toRawBytes(false));
+        return this.computeSecretAndVerifiers(X, Y, Bytes.of(Z.toRawBytes(false)), Bytes.of(V.toRawBytes(false)));
     }
 
-    private async computeSecretAndVerifiers(X: Uint8Array, Y: Uint8Array, Z: Uint8Array, V: Uint8Array) {
-        const TT_HASH = await this.computeTranscriptHash(X, Y, Z, V);
+    private async computeSecretAndVerifiers(X: Bytes, Y: Bytes, Z: Bytes, V: Bytes) {
+        const TT_HASH = Bytes.of(await this.computeTranscriptHash(X, Y, Z, V));
         const Ka = TT_HASH.slice(0, 16);
         const Ke = TT_HASH.slice(16, 32);
 
-        const KcAB = await this.#crypto.createHkdfKey(Ka, new Uint8Array(0), Bytes.fromString("ConfirmationKeys"), 32);
+        const KcAB = Bytes.of(
+            await this.#crypto.createHkdfKey(Ka, new Uint8Array(0), Bytes.fromString("ConfirmationKeys"), 32),
+        );
         const KcA = KcAB.slice(0, 16);
         const KcB = KcAB.slice(16, 32);
 
@@ -112,13 +116,13 @@ export class Spake2p {
         return { Ke, hAY, hBX };
     }
 
-    private computeTranscriptHash(X: Uint8Array, Y: Uint8Array, Z: Uint8Array, V: Uint8Array) {
+    private computeTranscriptHash(X: Bytes, Y: Bytes, Z: Bytes, V: Bytes) {
         const TTwriter = new DataWriter(Endian.Little);
         this.addToContext(TTwriter, this.#context);
         this.addToContext(TTwriter, Bytes.fromString(""));
         this.addToContext(TTwriter, Bytes.fromString(""));
-        this.addToContext(TTwriter, M.toRawBytes(false));
-        this.addToContext(TTwriter, N.toRawBytes(false));
+        this.addToContext(TTwriter, Bytes.of(M.toRawBytes(false)));
+        this.addToContext(TTwriter, Bytes.of(N.toRawBytes(false)));
         this.addToContext(TTwriter, X);
         this.addToContext(TTwriter, Y);
         this.addToContext(TTwriter, Z);
@@ -127,8 +131,8 @@ export class Spake2p {
         return this.#crypto.computeSha256(TTwriter.toByteArray());
     }
 
-    private addToContext(TTwriter: DataWriter<Endian.Little>, data: Uint8Array) {
-        TTwriter.writeUInt64(data.length);
+    private addToContext(TTwriter: DataWriter<Endian.Little>, data: Bytes) {
+        TTwriter.writeUInt64(data.byteLength);
         TTwriter.writeByteArray(data);
     }
 }

package/src/crypto/StandardCrypto.ts

@@ -71,70 +71,76 @@ export class StandardCrypto extends Crypto {
         return new StandardCrypto();
     }
 
-    randomBytes(length: number): Uint8Array {
+    randomBytes(length: number): Bytes {
         const result = new Uint8Array(length);
         this.#crypto.getRandomValues(result);
         return result;
     }
 
-    encrypt(key: Uint8Array, data: Uint8Array, nonce: Uint8Array, associatedData?: Uint8Array) {
+    encrypt(key: Bytes, data: Bytes, nonce: Bytes, associatedData?: Bytes) {
         const ccm = Ccm(key);
-        return ccm.encrypt({ pt: data, nonce, adata: associatedData });
+        return ccm.encrypt({
+            pt: Bytes.of(data),
+            nonce: Bytes.of(nonce),
+            adata: associatedData !== undefined ? Bytes.of(associatedData) : undefined,
+        });
     }
 
-    decrypt(key: Uint8Array, data: Uint8Array, nonce: Uint8Array, associatedData?: Uint8Array) {
+    decrypt(key: Bytes, data: Bytes, nonce: Bytes, associatedData?: Bytes) {
         const ccm = Ccm(key);
-        return ccm.decrypt({ ct: data, nonce, adata: associatedData });
+        return ccm.decrypt({
+            ct: Bytes.of(data),
+            nonce: Bytes.of(nonce),
+            adata: associatedData !== undefined ? Bytes.of(associatedData) : undefined,
+        });
     }
 
-    async computeSha256(buffer: Uint8Array | Uint8Array[]) {
+    computeSha256(buffer: Bytes | Bytes[]) {
         if (Array.isArray(buffer)) {
             buffer = Bytes.concat(...buffer);
         }
-        return new Uint8Array(await this.#subtle.digest("SHA-256", buffer));
+        return this.#subtle.digest("SHA-256", Bytes.exclusive(buffer));
     }
 
-    async createPbkdf2Key(secret: Uint8Array, salt: Uint8Array, iteration: number, keyLength: number) {
+    async createPbkdf2Key(secret: Bytes, salt: Bytes, iteration: number, keyLength: number) {
         const key = await this.importKey("raw", secret, "PBKDF2", false, ["deriveBits"]);
-        const bits = await this.#subtle.deriveBits(
+        return this.#subtle.deriveBits(
             {
                 name: "PBKDF2",
                 hash: "SHA-256",
-                salt: salt,
+                salt: Bytes.exclusive(salt),
                 iterations: iteration,
             },
             key,
             keyLength * 8,
         );
-        return new Uint8Array(bits);
     }
 
     async createHkdfKey(
-        secret: Uint8Array,
-        salt: Uint8Array,
-        info: Uint8Array,
+        secret: Bytes,
+        salt: Bytes,
+        info: Bytes,
         length: number = CRYPTO_SYMMETRIC_KEY_LENGTH,
-    ) {
+    ): Promise<Bytes> {
         const key = await this.importKey("raw", secret, "HKDF", false, ["deriveBits"]);
-        const bits = await this.#subtle.deriveBits(
+        return this.#subtle.deriveBits(
             {
                 name: "HKDF",
                 hash: "SHA-256",
-                salt: salt,
-                info: info,
+                salt: Bytes.exclusive(salt),
+                info: Bytes.exclusive(info),
             },
             key,
             8 * length,
         );
-        return new Uint8Array(bits);
     }
 
-    async signHmac(secret: Uint8Array, data: Uint8Array) {
+    async signHmac(secret: Bytes, data: Bytes): Promise<Bytes> {
         const key = await this.importKey("raw", secret, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
-        return new Uint8Array(await this.#subtle.sign("HMAC", key, data));
+        return this.#subtle.sign("HMAC", key, Bytes.exclusive(data));
     }
 
-    async signEcdsa(key: JsonWebKey, data: Uint8Array | Uint8Array[], dsaEncoding?: CryptoDsaEncoding) {
+    async signEcdsa(key: JsonWebKey, data: Bytes | Bytes[], dsaEncoding?: CryptoDsaEncoding) {
         if (Array.isArray(data)) {
             data = Bytes.concat(...data);
         }
@@ -153,9 +159,9 @@ export class StandardCrypto extends Crypto {
 
         const subtleKey = await this.importKey("jwk", key, SIGNATURE_ALGORITHM, false, ["sign"]);
 
-        const ieeeP1363 = await this.#subtle.sign(SIGNATURE_ALGORITHM, subtleKey, data);
+        const ieeeP1363 = Bytes.of(await this.#subtle.sign(SIGNATURE_ALGORITHM, subtleKey, Bytes.exclusive(data)));
 
-        if (dsaEncoding !== "der") return new Uint8Array(ieeeP1363);
+        if (dsaEncoding !== "der") return ieeeP1363;
 
         const bytesPerComponent = ieeeP1363.byteLength / 2;
 
@@ -165,7 +171,7 @@ export class StandardCrypto extends Crypto {
         });
     }
 
-    async verifyEcdsa(key: JsonWebKey, data: Uint8Array, signature: Uint8Array, dsaEncoding?: CryptoDsaEncoding) {
+    async verifyEcdsa(key: JsonWebKey, data: Bytes, signature: Bytes, dsaEncoding?: CryptoDsaEncoding) {
         const { crv, kty, x, y } = key;
         key = { crv, kty, x, y };
         const subtleKey = await this.importKey("jwk", key, SIGNATURE_ALGORITHM, false, ["verify"]);
@@ -185,7 +191,12 @@ export class StandardCrypto extends Crypto {
             }
         }
 
-        const verified = await this.#subtle.verify(SIGNATURE_ALGORITHM, subtleKey, signature, data);
+        const verified = await this.#subtle.verify(
+            SIGNATURE_ALGORITHM,
+            subtleKey,
+            Bytes.exclusive(signature),
+            Bytes.exclusive(data),
+        );
 
         if (!verified) {
             throw new CryptoVerifyError("Signature verification failed");
@@ -223,7 +234,7 @@ export class StandardCrypto extends Crypto {
         return await this.#subtle.exportKey("jwk", subtleKey.privateKey);
     }
 
-    async generateDhSecret(key: PrivateKey, peerKey: PublicKey) {
+    async generateDhSecret(key: PrivateKey, peerKey: PublicKey): Promise<Bytes> {
         const subtleKey = await this.importKey(
             "jwk",
             key,
@@ -246,7 +257,7 @@ export class StandardCrypto extends Crypto {
             [],
         );
 
-        const secret = await this.#subtle.deriveBits(
+        return this.#subtle.deriveBits(
             {
                 name: "ECDH",
                 public: subtlePeerKey,
@@ -254,13 +265,11 @@ export class StandardCrypto extends Crypto {
             subtleKey,
             256,
         );
-
-        return new Uint8Array(secret);
     }
 
     protected async importKey(
         format: KeyFormat,
-        keyData: JsonWebKey | BufferSource,
+        keyData: JsonWebKey | Bytes,
         algorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,
         extractable: boolean,
         keyUsages: ReadonlyArray<KeyUsage>,

package/src/crypto/aes/Aes.ts

@@ -10,6 +10,7 @@
  * OpenSSL: https://github.com/openssl/openssl/blob/master/crypto/aes/aes_core.c
  */
 
+import { Bytes } from "#util/Bytes.js";
 import { WordArray } from "./WordArray.js";
 
 /**
@@ -17,7 +18,7 @@ import { WordArray } from "./WordArray.js";
  *
  * WARNING: Unaudited.  Consider platform replacement if available.
  */
-export function Aes(key: Uint8Array) {
+export function Aes(key: Bytes) {
     const { encryptKey, decryptKey } = expandKey(key);
 
     return {
@@ -164,7 +165,8 @@ function crypt(input: WordArray, output: WordArray, roundKeys: WordArray, tabs:
  *
  * This generates keys for each round based off of the input key.
  */
-function expandKey(key: Uint8Array) {
+function expandKey(keyData: Bytes) {
+    const key = Bytes.of(keyData);
     const inputLength = key.length / 4,
         roundsNeeded = inputLength + 7,
         wordsNeeded = roundsNeeded * 4,

package/src/crypto/aes/Ccm.ts

@@ -14,6 +14,7 @@
 
 import { CRYPTO_AEAD_MIC_LENGTH_BYTES, CRYPTO_AEAD_NONCE_LENGTH_BYTES } from "#crypto/CryptoConstants.js";
 import { CryptoInputError } from "#crypto/CryptoError.js";
+import { Bytes } from "#util/Bytes.js";
 import { Aes } from "./Aes.js";
 import { WordArray } from "./WordArray.js";
 
@@ -57,11 +58,11 @@ import { WordArray } from "./WordArray.js";
  * * We use {@link DataView} to read/write words where possible.  However, byte buffers may not align to word
  *   boundaries.  We detect this case and manually read/write the last word
  */
-export function Ccm(key: Uint8Array) {
+export function Ccm(key: Bytes) {
     const aes = Aes(key);
 
     return {
-        encrypt(input: Ccm.EncryptInput): Uint8Array {
+        encrypt(input: Ccm.EncryptInput): Bytes {
             validateNonceAndAdata(input);
 
             const ptLength = input.pt.length;
@@ -91,7 +92,7 @@ export function Ccm(key: Uint8Array) {
             return ct;
         },
 
-        decrypt(input: Ccm.DecryptInput): Uint8Array {
+        decrypt(input: Ccm.DecryptInput): Bytes {
             validateNonceAndAdata(input);
 
             if (input.ct.length > MAX_CIPHERTEXT_LENGTH) {

package/src/log/Diagnostic.ts

@@ -400,7 +400,7 @@ export namespace Diagnostic {
             if (typeof value === "bigint") {
                 return value.toString();
             }
-            if (value instanceof Uint8Array) {
+            if (Bytes.isBytes(value)) {
                 return Bytes.toHex(value);
             }
             if (value === undefined) {

package/src/log/LogFormat.ts

@@ -465,7 +465,7 @@ function renderValue(value: unknown, formatter: Formatter, squash: boolean): str
     if (value === null) {
         return formatter.text("null");
     }
-    if (value instanceof Uint8Array) {
+    if (Bytes.isBytes(value)) {
         return formatter.text(Bytes.toHex(value));
     }
     if (value instanceof Error) {

package/src/log/Logger.ts

@@ -253,7 +253,7 @@ export class Logger {
             if (typeof value === "bigint") {
                 return value.toString();
             }
-            if (value instanceof Uint8Array) {
+            if (Bytes.isBytes(value)) {
                 return Bytes.toHex(value);
             }
             if (value === undefined) {