@matter/protocol 0.11.0-alpha.0-20241005-e3e4e4a7a

package/src/session/case/CaseClient.ts

@@ -0,0 +1,235 @@
+/**
+ * @license
+ * Copyright 2022-2024 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Bytes, Crypto, Diagnostic, Logger, PublicKey, UnexpectedDataError } from "#general";
+import { SessionManager } from "#session/SessionManager.js";
+import { NodeId } from "#types";
+import { TlvIntermediateCertificate, TlvOperationalCertificate } from "../../certificate/CertificateManager.js";
+import { Fabric } from "../../fabric/Fabric.js";
+import { MessageExchange } from "../../protocol/MessageExchange.js";
+import {
+    KDFSR1_KEY_INFO,
+    KDFSR2_INFO,
+    KDFSR2_KEY_INFO,
+    KDFSR3_INFO,
+    RESUME1_MIC_NONCE,
+    RESUME2_MIC_NONCE,
+    TBE_DATA2_NONCE,
+    TBE_DATA3_NONCE,
+    TlvEncryptedDataSigma2,
+    TlvEncryptedDataSigma3,
+    TlvSignedData,
+} from "./CaseMessages.js";
+import { CaseClientMessenger } from "./CaseMessenger.js";
+
+const logger = Logger.get("CaseClient");
+
+export class CaseClient {
+    #sessions: SessionManager;
+
+    constructor(sessions: SessionManager) {
+        this.#sessions = sessions;
+    }
+
+    async pair(exchange: MessageExchange, fabric: Fabric, peerNodeId: NodeId, expectedProcessingTimeMs?: number) {
+        const messenger = new CaseClientMessenger(exchange, expectedProcessingTimeMs);
+
+        // Generate pairing info
+        const initiatorRandom = Crypto.getRandom();
+        const initiatorSessionId = await this.#sessions.getNextAvailableSessionId(); // Initiator Session Id
+        const { operationalIdentityProtectionKey, operationalCert: nodeOpCert, intermediateCACert } = fabric;
+        const { publicKey: initiatorEcdhPublicKey, ecdh } = Crypto.ecdhGeneratePublicKey();
+
+        // Send sigma1
+        let sigma1Bytes;
+        let resumed = false;
+        let resumptionRecord = this.#sessions.findResumptionRecordByAddress(fabric.addressOf(peerNodeId));
+        if (resumptionRecord !== undefined) {
+            const { sharedSecret, resumptionId } = resumptionRecord;
+            const resumeKey = await Crypto.hkdf(
+                sharedSecret,
+                Bytes.concat(initiatorRandom, resumptionId),
+                KDFSR1_KEY_INFO,
+            );
+            const initiatorResumeMic = Crypto.encrypt(resumeKey, new Uint8Array(0), RESUME1_MIC_NONCE);
+            sigma1Bytes = await messenger.sendSigma1({
+                initiatorSessionId,
+                destinationId: fabric.getDestinationId(peerNodeId, initiatorRandom),
+                initiatorEcdhPublicKey,
+                initiatorRandom,
+                resumptionId,
+                initiatorResumeMic,
+                initiatorSessionParams: this.#sessions.sessionParameters,
+            });
+        } else {
+            sigma1Bytes = await messenger.sendSigma1({
+                initiatorSessionId,
+                destinationId: fabric.getDestinationId(peerNodeId, initiatorRandom),
+                initiatorEcdhPublicKey,
+                initiatorRandom,
+                initiatorSessionParams: this.#sessions.sessionParameters,
+            });
+        }
+
+        let secureSession;
+        const { sigma2Bytes, sigma2, sigma2Resume } = await messenger.readSigma2();
+        if (sigma2Resume !== undefined) {
+            // Process sigma2 resume
+            if (resumptionRecord === undefined) throw new UnexpectedDataError("Received an unexpected sigma2Resume.");
+            const { sharedSecret, fabric, sessionParameters: resumptionSessionParams } = resumptionRecord;
+            const { responderSessionId: peerSessionId, resumptionId, resumeMic } = sigma2Resume;
+
+            // We use the Fallbacks for the session parameters overridden by our stored ones from the resumption record
+            const sessionParameters = {
+                ...exchange.session.parameters,
+                ...(resumptionSessionParams ?? {}),
+            };
+
+            const resumeSalt = Bytes.concat(initiatorRandom, resumptionId);
+            const resumeKey = await Crypto.hkdf(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
+            Crypto.decrypt(resumeKey, resumeMic, RESUME2_MIC_NONCE);
+
+            const secureSessionSalt = Bytes.concat(initiatorRandom, resumptionRecord.resumptionId);
+            secureSession = await this.#sessions.createSecureSession({
+                sessionId: initiatorSessionId,
+                fabric,
+                peerNodeId,
+                peerSessionId,
+                sharedSecret,
+                salt: secureSessionSalt,
+                isInitiator: true,
+                isResumption: true,
+                peerSessionParameters: sessionParameters,
+            });
+            await messenger.sendSuccess();
+            logger.info(
+                `Case client: session resumed with ${messenger.getChannelName()} and parameters`,
+                Diagnostic.dict(secureSession.parameters),
+            );
+
+            resumptionRecord.resumptionId = resumptionId; /* update resumptionId */
+            resumptionRecord.sessionParameters = secureSession.parameters; /* update mrpParams */
+            resumed = true;
+        } else {
+            // Process sigma2
+            const {
+                responderEcdhPublicKey: peerEcdhPublicKey,
+                encrypted: peerEncrypted,
+                responderRandom,
+                responderSessionId: peerSessionId,
+                responderSessionParams,
+            } = sigma2;
+            // We use the Fallbacks for the session parameters overridden by what was sent by the device in Sigma2
+            const sessionParameters = {
+                ...exchange.session.parameters,
+                ...(responderSessionParams ?? {}),
+            };
+            const sharedSecret = Crypto.ecdhGenerateSecret(peerEcdhPublicKey, ecdh);
+            const sigma2Salt = Bytes.concat(
+                operationalIdentityProtectionKey,
+                responderRandom,
+                peerEcdhPublicKey,
+                Crypto.hash(sigma1Bytes),
+            );
+            const sigma2Key = await Crypto.hkdf(sharedSecret, sigma2Salt, KDFSR2_INFO);
+            const peerEncryptedData = Crypto.decrypt(sigma2Key, peerEncrypted, TBE_DATA2_NONCE);
+            const {
+                nodeOpCert: peerNewOpCert,
+                intermediateCACert: peerIntermediateCACert,
+                signature: peerSignature,
+                resumptionId: peerResumptionId,
+            } = TlvEncryptedDataSigma2.decode(peerEncryptedData);
+            const peerSignatureData = TlvSignedData.encode({
+                nodeOpCert: peerNewOpCert,
+                intermediateCACert: peerIntermediateCACert,
+                ecdhPublicKey: peerEcdhPublicKey,
+                peerEcdhPublicKey: initiatorEcdhPublicKey,
+            });
+            const {
+                ellipticCurvePublicKey: peerPublicKey,
+                subject: { fabricId: peerFabricIdNOCert, nodeId: peerNodeIdNOCert },
+            } = TlvOperationalCertificate.decode(peerNewOpCert);
+
+            Crypto.verify(PublicKey(peerPublicKey), peerSignatureData, peerSignature);
+
+            if (peerNodeIdNOCert !== peerNodeId) {
+                throw new UnexpectedDataError(
+                    "The node ID in the peer certificate doesn't match the expected peer node ID",
+                );
+            }
+            if (peerNodeIdNOCert !== peerNodeId) {
+                throw new UnexpectedDataError(
+                    "The node ID in the peer certificate doesn't match the expected peer node ID",
+                );
+            }
+            if (peerFabricIdNOCert !== fabric.fabricId) {
+                throw new UnexpectedDataError(
+                    "The fabric ID in the peer certificate doesn't match the expected fabric ID",
+                );
+            }
+            if (peerIntermediateCACert !== undefined) {
+                const {
+                    subject: { fabricId: peerFabricIdIcaCert },
+                } = TlvIntermediateCertificate.decode(peerIntermediateCACert);
+
+                if (peerFabricIdIcaCert !== fabric.fabricId) {
+                    throw new UnexpectedDataError(
+                        "The fabric ID in the peer intermediate CA certificate doesn't match the expected fabric ID",
+                    );
+                }
+            }
+            fabric.verifyCredentials(peerNewOpCert, peerIntermediateCACert);
+
+            // Generate and send sigma3
+            const sigma3Salt = Bytes.concat(operationalIdentityProtectionKey, Crypto.hash([sigma1Bytes, sigma2Bytes]));
+            const sigma3Key = await Crypto.hkdf(sharedSecret, sigma3Salt, KDFSR3_INFO);
+            const signatureData = TlvSignedData.encode({
+                nodeOpCert,
+                intermediateCACert,
+                ecdhPublicKey: initiatorEcdhPublicKey,
+                peerEcdhPublicKey,
+            });
+            const signature = fabric.sign(signatureData);
+            const encryptedData = TlvEncryptedDataSigma3.encode({ nodeOpCert, intermediateCACert, signature });
+            const encrypted = Crypto.encrypt(sigma3Key, encryptedData, TBE_DATA3_NONCE);
+            const sigma3Bytes = await messenger.sendSigma3({ encrypted });
+            await messenger.waitForSuccess("Success after CASE Sigma3");
+
+            // All good! Create secure session
+            const secureSessionSalt = Bytes.concat(
+                operationalIdentityProtectionKey,
+                Crypto.hash([sigma1Bytes, sigma2Bytes, sigma3Bytes]),
+            );
+            secureSession = await this.#sessions.createSecureSession({
+                sessionId: initiatorSessionId,
+                fabric,
+                peerNodeId,
+                peerSessionId,
+                sharedSecret,
+                salt: secureSessionSalt,
+                isInitiator: true,
+                isResumption: false,
+                peerSessionParameters: sessionParameters,
+            });
+            logger.info(
+                `Case client: Paired successfully with ${messenger.getChannelName()} and parameters`,
+                Diagnostic.dict(secureSession.parameters),
+            );
+            resumptionRecord = {
+                fabric,
+                peerNodeId,
+                sharedSecret,
+                resumptionId: peerResumptionId,
+                sessionParameters: secureSession.parameters,
+            };
+        }
+
+        await messenger.close();
+        await this.#sessions.saveResumptionRecord(resumptionRecord);
+
+        return { session: secureSession, resumed };
+    }
+}

package/src/session/case/CaseMessages.ts

@@ -0,0 +1,81 @@
+/**
+ * @license
+ * Copyright 2022-2024 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import {
+    Bytes,
+    CRYPTO_AEAD_MIC_LENGTH_BYTES,
+    CRYPTO_GROUP_SIZE_BYTES,
+    CRYPTO_HASH_LEN_BYTES,
+    CRYPTO_PUBLIC_KEY_SIZE_BYTES,
+} from "#general";
+import { TlvByteString, TlvField, TlvObject, TlvOptionalField, TlvUInt16 } from "#types";
+import { TlvSessionParameters } from "../pase/PaseMessages.js";
+
+const CASE_SIGNATURE_LENGTH = CRYPTO_GROUP_SIZE_BYTES * 2;
+
+export const KDFSR1_KEY_INFO = Bytes.fromString("Sigma1_Resume");
+export const KDFSR2_KEY_INFO = Bytes.fromString("Sigma2_Resume");
+export const RESUME1_MIC_NONCE = Bytes.fromString("NCASE_SigmaS1");
+export const RESUME2_MIC_NONCE = Bytes.fromString("NCASE_SigmaS2");
+export const KDFSR2_INFO = Bytes.fromString("Sigma2");
+export const KDFSR3_INFO = Bytes.fromString("Sigma3");
+export const TBE_DATA2_NONCE = Bytes.fromString("NCASE_Sigma2N");
+export const TBE_DATA3_NONCE = Bytes.fromString("NCASE_Sigma3N");
+
+/** @see {@link MatterSpecification.v13.Core} § 4.14.2.3 */
+export const TlvCaseSigma1 = TlvObject({
+    initiatorRandom: TlvField(1, TlvByteString.bound({ length: 32 })),
+    initiatorSessionId: TlvField(2, TlvUInt16),
+    destinationId: TlvField(3, TlvByteString.bound({ length: CRYPTO_HASH_LEN_BYTES })),
+    initiatorEcdhPublicKey: TlvField(4, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+    initiatorSessionParams: TlvOptionalField(5, TlvSessionParameters),
+    resumptionId: TlvOptionalField(6, TlvByteString.bound({ length: 16 })),
+    initiatorResumeMic: TlvOptionalField(7, TlvByteString.bound({ length: CRYPTO_AEAD_MIC_LENGTH_BYTES })),
+});
+
+/** @see {@link MatterSpecification.v13.Core} § 4.14.2.3 */
+export const TlvCaseSigma2 = TlvObject({
+    responderRandom: TlvField(1, TlvByteString.bound({ length: 32 })),
+    responderSessionId: TlvField(2, TlvUInt16),
+    responderEcdhPublicKey: TlvField(3, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+    encrypted: TlvField(4, TlvByteString),
+    responderSessionParams: TlvOptionalField(5, TlvSessionParameters),
+});
+
+/** @see {@link MatterSpecification.v13.Core} § 4.14.2.3 */
+export const TlvCaseSigma2Resume = TlvObject({
+    resumptionId: TlvField(1, TlvByteString.bound({ length: 16 })),
+    resumeMic: TlvField(2, TlvByteString.bound({ length: 16 })),
+    responderSessionId: TlvField(3, TlvUInt16),
+    responderSessionParams: TlvOptionalField(4, TlvSessionParameters),
+});
+
+/** @see {@link MatterSpecification.v13.Core} § 4.14.2.3 */
+export const TlvCaseSigma3 = TlvObject({
+    encrypted: TlvField(1, TlvByteString),
+});
+
+/** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
+export const TlvSignedData = TlvObject({
+    nodeOpCert: TlvField(1, TlvByteString),
+    intermediateCACert: TlvOptionalField(2, TlvByteString),
+    ecdhPublicKey: TlvField(3, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+    peerEcdhPublicKey: TlvField(4, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+});
+
+/** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
+export const TlvEncryptedDataSigma2 = TlvObject({
+    nodeOpCert: TlvField(1, TlvByteString),
+    intermediateCACert: TlvOptionalField(2, TlvByteString),
+    signature: TlvField(3, TlvByteString.bound({ length: CASE_SIGNATURE_LENGTH })),
+    resumptionId: TlvField(4, TlvByteString.bound({ length: 16 })),
+});
+
+/** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
+export const TlvEncryptedDataSigma3 = TlvObject({
+    nodeOpCert: TlvField(1, TlvByteString),
+    intermediateCACert: TlvOptionalField(2, TlvByteString),
+    signature: TlvField(3, TlvByteString.bound({ length: CASE_SIGNATURE_LENGTH })),
+});

package/src/session/case/CaseMessenger.ts

@@ -0,0 +1,57 @@
+/**
+ * @license
+ * Copyright 2022-2024 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { MatterFlowError } from "#general";
+import { SecureMessageType, TypeFromSchema } from "#types";
+import { SecureChannelMessenger } from "../../securechannel/SecureChannelMessenger.js";
+import { TlvCaseSigma1, TlvCaseSigma2, TlvCaseSigma2Resume, TlvCaseSigma3 } from "./CaseMessages.js";
+
+export class CaseServerMessenger extends SecureChannelMessenger {
+    async readSigma1() {
+        const { payload } = await this.nextMessage("CASE Sigma1", SecureMessageType.Sigma1);
+        return { sigma1Bytes: payload, sigma1: TlvCaseSigma1.decode(payload) };
+    }
+
+    sendSigma2(sigma2: TypeFromSchema<typeof TlvCaseSigma2>) {
+        return this.send(sigma2, SecureMessageType.Sigma2, TlvCaseSigma2);
+    }
+
+    sendSigma2Resume(sigma2Resume: TypeFromSchema<typeof TlvCaseSigma2Resume>) {
+        return this.send(sigma2Resume, SecureMessageType.Sigma2Resume, TlvCaseSigma2Resume);
+    }
+
+    async readSigma3() {
+        const { payload } = await this.nextMessage("CASE Sigma3", SecureMessageType.Sigma3);
+        return { sigma3Bytes: payload, sigma3: TlvCaseSigma3.decode(payload) };
+    }
+}
+
+export class CaseClientMessenger extends SecureChannelMessenger {
+    sendSigma1(sigma1: TypeFromSchema<typeof TlvCaseSigma1>) {
+        return this.send(sigma1, SecureMessageType.Sigma1, TlvCaseSigma1);
+    }
+
+    async readSigma2() {
+        const {
+            payload,
+            payloadHeader: { messageType },
+        } = await this.nextMessage("CASE Sigma2 or Sigma2Resume");
+        switch (messageType) {
+            case SecureMessageType.Sigma2:
+                return { sigma2Bytes: payload, sigma2: TlvCaseSigma2.decode(payload) };
+            case SecureMessageType.Sigma2Resume:
+                return { sigma2Resume: TlvCaseSigma2Resume.decode(payload) };
+            default:
+                throw new MatterFlowError(
+                    `Received unexpected message type while expecting CASE Sigma2: ${messageType}, expected: ${SecureMessageType.Sigma2} or ${SecureMessageType.Sigma2Resume}`,
+                );
+        }
+    }
+
+    sendSigma3(sigma3: TypeFromSchema<typeof TlvCaseSigma3>) {
+        return this.send(sigma3, SecureMessageType.Sigma3, TlvCaseSigma3);
+    }
+}

package/src/session/case/CaseServer.ts

@@ -0,0 +1,269 @@
+/**
+ * @license
+ * Copyright 2022-2024 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Bytes, Crypto, Logger, PublicKey, UnexpectedDataError } from "#general";
+import { SessionManager } from "#session/SessionManager.js";
+import { NodeId, ProtocolStatusCode, SECURE_CHANNEL_PROTOCOL_ID } from "#types";
+import { TlvOperationalCertificate } from "../../certificate/CertificateManager.js";
+import { FabricManager, FabricNotFoundError } from "../../fabric/FabricManager.js";
+import { MessageExchange } from "../../protocol/MessageExchange.js";
+import { ProtocolHandler } from "../../protocol/ProtocolHandler.js";
+import { ChannelStatusResponseError } from "../../securechannel/SecureChannelMessenger.js";
+import {
+    KDFSR1_KEY_INFO,
+    KDFSR2_INFO,
+    KDFSR2_KEY_INFO,
+    KDFSR3_INFO,
+    RESUME1_MIC_NONCE,
+    RESUME2_MIC_NONCE,
+    TBE_DATA2_NONCE,
+    TBE_DATA3_NONCE,
+    TlvEncryptedDataSigma2,
+    TlvEncryptedDataSigma3,
+    TlvSignedData,
+} from "./CaseMessages.js";
+import { CaseServerMessenger } from "./CaseMessenger.js";
+
+const logger = Logger.get("CaseServer");
+
+export class CaseServer implements ProtocolHandler {
+    #sessions: SessionManager;
+    #fabrics: FabricManager;
+
+    constructor(sessions: SessionManager, fabrics: FabricManager) {
+        this.#sessions = sessions;
+        this.#fabrics = fabrics;
+    }
+
+    async onNewExchange(exchange: MessageExchange) {
+        const messenger = new CaseServerMessenger(exchange);
+        try {
+            await this.handleSigma1(messenger);
+        } catch (error) {
+            logger.error("An error occurred during the commissioning", error);
+
+            if (error instanceof FabricNotFoundError) {
+                await messenger.sendError(ProtocolStatusCode.NoSharedTrustRoots);
+            }
+            // If we received a ChannelStatusResponseError we do not need to send one back, so just cancel pairing
+            else if (!(error instanceof ChannelStatusResponseError)) {
+                await messenger.sendError(ProtocolStatusCode.InvalidParam);
+            }
+        } finally {
+            // Destroy the unsecure session used to establish the secure Case session
+            await exchange.session.destroy();
+        }
+    }
+
+    getId(): number {
+        return SECURE_CHANNEL_PROTOCOL_ID;
+    }
+
+    private async handleSigma1(messenger: CaseServerMessenger) {
+        logger.info(`Received pairing request from ${messenger.getChannelName()}`);
+        // Generate pairing info
+        const responderRandom = Crypto.getRandom();
+
+        // Read and process sigma 1
+        const { sigma1Bytes, sigma1 } = await messenger.readSigma1();
+        const {
+            initiatorSessionId: peerSessionId,
+            resumptionId: peerResumptionId,
+            initiatorResumeMic: peerResumeMic,
+            destinationId,
+            initiatorRandom: peerRandom,
+            initiatorEcdhPublicKey: peerEcdhPublicKey,
+            initiatorSessionParams,
+        } = sigma1;
+
+        // Try to resume a previous session
+        const resumptionId = Crypto.getRandomData(16);
+
+        const resumptionRecord =
+            peerResumptionId !== undefined && peerResumeMic !== undefined
+                ? this.#sessions.findResumptionRecordById(peerResumptionId)
+                : undefined;
+        // We try to resume the session
+        if (peerResumptionId !== undefined && peerResumeMic !== undefined && resumptionRecord !== undefined) {
+            const { sharedSecret, fabric, peerNodeId, caseAuthenticatedTags } = resumptionRecord;
+            const peerResumeKey = await Crypto.hkdf(
+                sharedSecret,
+                Bytes.concat(peerRandom, peerResumptionId),
+                KDFSR1_KEY_INFO,
+            );
+            Crypto.decrypt(peerResumeKey, peerResumeMic, RESUME1_MIC_NONCE);
+
+            // All good! Create secure session
+            const responderSessionId = await this.#sessions.getNextAvailableSessionId();
+            const secureSessionSalt = Bytes.concat(peerRandom, peerResumptionId);
+            const secureSession = await this.#sessions.createSecureSession({
+                sessionId: responderSessionId,
+                fabric,
+                peerNodeId,
+                peerSessionId,
+                sharedSecret,
+                salt: secureSessionSalt,
+                isInitiator: false,
+                isResumption: true,
+                peerSessionParameters: initiatorSessionParams,
+                caseAuthenticatedTags,
+            });
+
+            // Generate sigma 2 resume
+            const resumeSalt = Bytes.concat(peerRandom, resumptionId);
+            const resumeKey = await Crypto.hkdf(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
+            const resumeMic = Crypto.encrypt(resumeKey, new Uint8Array(0), RESUME2_MIC_NONCE);
+            try {
+                await messenger.sendSigma2Resume({
+                    resumptionId,
+                    resumeMic,
+                    responderSessionId,
+                    responderSessionParams: this.#sessions.sessionParameters, // responder session parameters
+                });
+            } catch (error) {
+                // If we fail to send the resume, we destroy the session
+                await secureSession.destroy(false);
+                throw error;
+            }
+
+            logger.info(
+                `session ${secureSession.id} resumed with ${messenger.getChannelName()} for Fabric ${NodeId.toHexString(
+                    fabric.nodeId,
+                )}(index ${fabric.fabricIndex}) and PeerNode ${NodeId.toHexString(peerNodeId)}`,
+                "with CATs",
+                caseAuthenticatedTags,
+            );
+            resumptionRecord.resumptionId = resumptionId; /* Update the ID */
+
+            // Wait for success on the peer side
+            await messenger.waitForSuccess("Success after CASE Sigma2Resume");
+
+            await messenger.close();
+            await this.#sessions.saveResumptionRecord(resumptionRecord);
+        } else if (
+            (peerResumptionId === undefined && peerResumeMic === undefined) ||
+            (peerResumptionId !== undefined && peerResumeMic !== undefined && resumptionRecord === undefined)
+        ) {
+            // Generate sigma 2
+            // TODO: Pass through a group id?
+            const fabric = this.#fabrics.findFabricFromDestinationId(destinationId, peerRandom);
+            const { operationalCert: nodeOpCert, intermediateCACert, operationalIdentityProtectionKey } = fabric;
+            const { publicKey: responderEcdhPublicKey, sharedSecret } =
+                Crypto.ecdhGeneratePublicKeyAndSecret(peerEcdhPublicKey);
+            const sigma2Salt = Bytes.concat(
+                operationalIdentityProtectionKey,
+                responderRandom,
+                responderEcdhPublicKey,
+                Crypto.hash(sigma1Bytes),
+            );
+            const sigma2Key = await Crypto.hkdf(sharedSecret, sigma2Salt, KDFSR2_INFO);
+            const signatureData = TlvSignedData.encode({
+                nodeOpCert,
+                intermediateCACert,
+                ecdhPublicKey: responderEcdhPublicKey,
+                peerEcdhPublicKey,
+            });
+            const signature = fabric.sign(signatureData);
+            const encryptedData = TlvEncryptedDataSigma2.encode({
+                nodeOpCert,
+                intermediateCACert,
+                signature,
+                resumptionId,
+            });
+            const encrypted = Crypto.encrypt(sigma2Key, encryptedData, TBE_DATA2_NONCE);
+            const responderSessionId = await this.#sessions.getNextAvailableSessionId();
+            const sigma2Bytes = await messenger.sendSigma2({
+                responderRandom,
+                responderSessionId,
+                responderEcdhPublicKey,
+                encrypted,
+                responderSessionParams: this.#sessions.sessionParameters, // responder session parameters
+            });
+
+            // Read and process sigma 3
+            const {
+                sigma3Bytes,
+                sigma3: { encrypted: peerEncrypted },
+            } = await messenger.readSigma3();
+            const sigma3Salt = Bytes.concat(operationalIdentityProtectionKey, Crypto.hash([sigma1Bytes, sigma2Bytes]));
+            const sigma3Key = await Crypto.hkdf(sharedSecret, sigma3Salt, KDFSR3_INFO);
+            const peerDecryptedData = Crypto.decrypt(sigma3Key, peerEncrypted, TBE_DATA3_NONCE);
+            const {
+                nodeOpCert: peerNewOpCert,
+                intermediateCACert: peerIntermediateCACert,
+                signature: peerSignature,
+            } = TlvEncryptedDataSigma3.decode(peerDecryptedData);
+
+            fabric.verifyCredentials(peerNewOpCert, peerIntermediateCACert);
+
+            const peerSignatureData = TlvSignedData.encode({
+                nodeOpCert: peerNewOpCert,
+                intermediateCACert: peerIntermediateCACert,
+                ecdhPublicKey: peerEcdhPublicKey,
+                peerEcdhPublicKey: responderEcdhPublicKey,
+            });
+            const {
+                ellipticCurvePublicKey: peerPublicKey,
+                subject: { fabricId: peerFabricId, nodeId: peerNodeId, caseAuthenticatedTags },
+            } = TlvOperationalCertificate.decode(peerNewOpCert);
+
+            if (fabric.fabricId !== peerFabricId) {
+                throw new UnexpectedDataError(`Fabric ID mismatch: ${fabric.fabricId} !== ${peerFabricId}`);
+            }
+
+            Crypto.verify(PublicKey(peerPublicKey), peerSignatureData, peerSignature);
+
+            // All good! Create secure session
+            const secureSessionSalt = Bytes.concat(
+                operationalIdentityProtectionKey,
+                Crypto.hash([sigma1Bytes, sigma2Bytes, sigma3Bytes]),
+            );
+            const secureSession = await this.#sessions.createSecureSession({
+                sessionId: responderSessionId,
+                fabric,
+                peerNodeId,
+                peerSessionId,
+                sharedSecret,
+                salt: secureSessionSalt,
+                isInitiator: false,
+                isResumption: false,
+                peerSessionParameters: initiatorSessionParams,
+                caseAuthenticatedTags,
+            });
+            logger.info(
+                `session ${secureSession.id} created with ${messenger.getChannelName()} for Fabric ${NodeId.toHexString(
+                    fabric.nodeId,
+                )}(index ${fabric.fabricIndex}) and PeerNode ${NodeId.toHexString(peerNodeId)}`,
+                "with CATs",
+                caseAuthenticatedTags,
+            );
+            await messenger.sendSuccess();
+
+            const resumptionRecord = {
+                peerNodeId,
+                fabric,
+                sharedSecret,
+                resumptionId,
+                sessionParameters: secureSession.parameters,
+                caseAuthenticatedTags,
+            };
+
+            await messenger.close();
+            await this.#sessions.saveResumptionRecord(resumptionRecord);
+        } else {
+            logger.info(
+                `Invalid resumption ID or resume MIC received from ${messenger.getChannelName()}`,
+                peerResumptionId,
+                peerResumeMic,
+            );
+            throw new UnexpectedDataError("Invalid resumption ID or resume MIC.");
+        }
+    }
+
+    async close() {
+        // Nothing to do
+    }
+}

package/src/session/index.ts

@@ -0,0 +1,21 @@
+/**
+ * @license
+ * Copyright 2022-2024 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// Export generic Session classes
+// Export CaseSession classes
+export * from "./case/CaseClient.js";
+export * from "./case/CaseMessages.js";
+export * from "./case/CaseMessenger.js";
+export * from "./case/CaseServer.js";
+// Export PaseSession classes
+export * from "./InsecureSession.js";
+export * from "./pase/PaseClient.js";
+export * from "./pase/PaseMessages.js";
+export * from "./pase/PaseMessenger.js";
+export * from "./pase/PaseServer.js";
+export * from "./SecureSession.js";
+export * from "./Session.js";
+export * from "./SessionManager.js";