@matter/protocol 0.13.1-alpha.0-20250506-f9ad9c3d8 → 0.13.1-alpha.0-20250508-047aa0277

package/src/certificate/AttestationCertificateManager.ts

@@ -33,29 +33,39 @@ export class AttestationCertificateManager {
 
     // We use the official PAA cert for now because else pairing with Chip tool do not work because
     // only this one is the Certificate store
-    private readonly paaKeyPair = PrivateKey(TestCert_PAA_NoVID_PrivateKey, {
+    readonly #paaKeyPair = PrivateKey(TestCert_PAA_NoVID_PrivateKey, {
         publicKey: TestCert_PAA_NoVID_PublicKey,
     });
-    private readonly paaKeyIdentifier = TestCert_PAA_NoVID_SKID;
-    private readonly paiCertId = BigInt(1);
-    private readonly paiKeyPair = Crypto.createKeyPair();
-    private readonly paiKeyIdentifier = Crypto.hash(this.paiKeyPair.publicKey).slice(0, 20);
-    private readonly paiCertBytes;
-    private nextCertificateId = 2;
+    readonly #vendorId: VendorId;
+    readonly #paiKeyPair: PrivateKey;
+    readonly #paiKeyIdentifier: Uint8Array;
+    readonly #paaKeyIdentifier = TestCert_PAA_NoVID_SKID;
+    readonly #paiCertId = BigInt(1);
+    readonly #paiCertBytes;
+    #nextCertificateId = 2;
 
-    constructor(private readonly vendorId: VendorId) {
-        this.paiCertBytes = this.generatePAICert(vendorId);
+    constructor(vendorId: VendorId, paiKeyPair: PrivateKey, paiKeyIdentifier: Uint8Array) {
+        this.#vendorId = vendorId;
+        this.#paiKeyPair = paiKeyPair;
+        this.#paiKeyIdentifier = paiKeyIdentifier;
+        this.#paiCertBytes = this.generatePAICert(vendorId);
+    }
+
+    static async create(vendorId: VendorId) {
+        const key = await Crypto.createKeyPair();
+        const identifier = await Crypto.hash(key.publicKey);
+        return new AttestationCertificateManager(vendorId, key, identifier.slice(0, 20));
     }
 
     getPAICert() {
-        return this.paiCertBytes;
+        return this.#paiCertBytes;
     }
 
-    getDACert(productId: number) {
-        const dacKeyPair = Crypto.createKeyPair();
+    async getDACert(productId: number) {
+        const dacKeyPair = await Crypto.createKeyPair();
         return {
             keyPair: dacKeyPair,
-            dac: this.generateDaCert(dacKeyPair.publicKey, this.vendorId, productId),
+            dac: await this.generateDaCert(dacKeyPair.publicKey, this.#vendorId, productId),
         };
     }
 
@@ -79,7 +89,7 @@ export class AttestationCertificateManager {
                 commonName: getPaaCommonName(),
                 vendorId: vendorId,
             },
-            ellipticCurvePublicKey: this.paaKeyPair.publicKey,
+            ellipticCurvePublicKey: this.#paaKeyPair.publicKey,
             extensions: {
                 basicConstraints: {
                     isCa: true,
@@ -89,17 +99,17 @@ export class AttestationCertificateManager {
                     keyCertSign: true,
                     cRLSign: true,
                 },
-                subjectKeyIdentifier: this.paaKeyIdentifier,
-                authorityKeyIdentifier: this.paaKeyIdentifier,
+                subjectKeyIdentifier: this.#paaKeyIdentifier,
+                authorityKeyIdentifier: this.#paaKeyIdentifier,
             },
         };
-        return CertificateManager.productAttestationAuthorityCertToAsn1(unsignedCertificate, this.paaKeyPair);
+        return CertificateManager.productAttestationAuthorityCertToAsn1(unsignedCertificate, this.#paaKeyPair);
     }
 
     private generatePAICert(vendorId: VendorId, productId?: number) {
         const now = Time.get().now();
         const unsignedCertificate = {
-            serialNumber: Bytes.fromHex(toHex(this.paiCertId)),
+            serialNumber: Bytes.fromHex(toHex(this.#paiCertId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
             ellipticCurveIdentifier: 1 /* P256v1 */,
@@ -113,7 +123,7 @@ export class AttestationCertificateManager {
                 vendorId: vendorId,
                 productId: productId,
             },
-            ellipticCurvePublicKey: this.paiKeyPair.publicKey,
+            ellipticCurvePublicKey: this.#paiKeyPair.publicKey,
             extensions: {
                 basicConstraints: {
                     isCa: true,
@@ -123,16 +133,16 @@ export class AttestationCertificateManager {
                     keyCertSign: true,
                     cRLSign: true,
                 },
-                subjectKeyIdentifier: this.paiKeyIdentifier,
-                authorityKeyIdentifier: this.paaKeyIdentifier,
+                subjectKeyIdentifier: this.#paiKeyIdentifier,
+                authorityKeyIdentifier: this.#paaKeyIdentifier,
             },
         };
-        return CertificateManager.productAttestationIntermediateCertToAsn1(unsignedCertificate, this.paaKeyPair);
+        return CertificateManager.productAttestationIntermediateCertToAsn1(unsignedCertificate, this.#paaKeyPair);
     }
 
-    generateDaCert(publicKey: Uint8Array, vendorId: VendorId, productId: number) {
+    async generateDaCert(publicKey: Uint8Array, vendorId: VendorId, productId: number) {
         const now = Time.get().now();
-        const certId = this.nextCertificateId++;
+        const certId = this.#nextCertificateId++;
         const unsignedCertificate = {
             serialNumber: Bytes.fromHex(toHex(certId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
@@ -157,10 +167,10 @@ export class AttestationCertificateManager {
                 keyUsage: {
                     digitalSignature: true,
                 },
-                subjectKeyIdentifier: Crypto.hash(publicKey).slice(0, 20),
-                authorityKeyIdentifier: this.paiKeyIdentifier,
+                subjectKeyIdentifier: (await Crypto.hash(publicKey)).slice(0, 20),
+                authorityKeyIdentifier: this.#paiKeyIdentifier,
             },
         };
-        return CertificateManager.deviceAttestationCertToAsn1(unsignedCertificate, this.paiKeyPair);
+        return CertificateManager.deviceAttestationCertToAsn1(unsignedCertificate, this.#paiKeyPair);
     }
 }

package/src/certificate/CertificateAuthority.ts

@@ -11,6 +11,7 @@ import {
     Crypto,
     Environment,
     Environmental,
+    InternalError,
     Logger,
     PrivateKey,
     StorageContext,
@@ -37,11 +38,11 @@ const logger = Logger.get("CertificateAuthority");
  * TODO: Add support for (optional) ICACs
  */
 export class CertificateAuthority {
-    private rootCertId = BigInt(0);
-    private rootKeyPair = Crypto.createKeyPair();
-    private rootKeyIdentifier: Uint8Array<ArrayBufferLike> = Crypto.hash(this.rootKeyPair.publicKey).slice(0, 20);
-    private rootCertBytes: Uint8Array<ArrayBufferLike> = this.#generateRootCert();
-    private nextCertificateId = BigInt(1);
+    #rootCertId = BigInt(0);
+    #rootKeyPair?: PrivateKey;
+    #rootKeyIdentifier?: Uint8Array<ArrayBufferLike>;
+    #rootCertBytes?: Uint8Array<ArrayBufferLike>;
+    #nextCertificateId = BigInt(1);
     #construction: Construction<CertificateAuthority>;
 
     get construction() {
@@ -57,6 +58,10 @@ export class CertificateAuthority {
             // Use provided CA config or read from storage, otherwise initialize and store
             const certValues = options instanceof StorageContext ? await options.values() : options;
 
+            this.#rootKeyPair = await Crypto.createKeyPair();
+            this.#rootKeyIdentifier = (await Crypto.hash(this.#rootKeyPair.publicKey)).slice(0, 20);
+            this.#rootCertBytes = await this.#generateRootCert();
+
             if (
                 (typeof certValues.rootCertId === "number" || typeof certValues.rootCertId === "bigint") &&
                 (ArrayBuffer.isView(certValues.rootKeyPair) || typeof certValues.rootKeyPair === "object") &&
@@ -64,24 +69,24 @@ export class CertificateAuthority {
                 ArrayBuffer.isView(certValues.rootCertBytes) &&
                 (typeof certValues.nextCertificateId === "number" || typeof certValues.nextCertificateId === "bigint")
             ) {
-                this.rootCertId = BigInt(certValues.rootCertId);
-                this.rootKeyPair = PrivateKey(certValues.rootKeyPair as BinaryKeyPair);
-                this.rootKeyIdentifier = certValues.rootKeyIdentifier;
-                this.rootCertBytes = certValues.rootCertBytes;
-                this.nextCertificateId = BigInt(certValues.nextCertificateId);
-                logger.info(`Loaded stored credentials with ID ${this.rootCertId}`);
+                this.#rootCertId = BigInt(certValues.rootCertId);
+                this.#rootKeyPair = PrivateKey(certValues.rootKeyPair as BinaryKeyPair);
+                this.#rootKeyIdentifier = certValues.rootKeyIdentifier;
+                this.#rootCertBytes = certValues.rootCertBytes;
+                this.#nextCertificateId = BigInt(certValues.nextCertificateId);
+                logger.info(`Loaded stored credentials with ID ${this.#rootCertId}`);
                 return;
             }
 
-            logger.info(`Created new credentials with ID ${this.rootCertId}`);
+            logger.info(`Created new credentials with ID ${this.#rootCertId}`);
 
             if (options instanceof StorageContext) {
                 await options.set({
-                    rootCertId: this.rootCertId,
-                    rootKeyPair: this.rootKeyPair.keyPair,
-                    rootKeyIdentifier: this.rootKeyIdentifier,
-                    rootCertBytes: this.rootCertBytes,
-                    nextCertificateId: this.nextCertificateId,
+                    rootCertId: this.#rootCertId,
+                    rootKeyPair: this.#rootKeyPair.keyPair,
+                    rootKeyIdentifier: this.#rootKeyIdentifier,
+                    rootCertBytes: this.#rootCertBytes,
+                    nextCertificateId: this.#nextCertificateId,
                 });
             }
         });
@@ -95,59 +100,62 @@ export class CertificateAuthority {
     }
 
     get rootCert() {
-        return this.rootCertBytes;
+        return this.#construction.assert("root cert", this.#rootCertBytes);
     }
 
     get config(): CertificateAuthority.Configuration {
         return {
-            rootCertId: this.rootCertId,
-            rootKeyPair: this.rootKeyPair.keyPair,
-            rootKeyIdentifier: this.rootKeyIdentifier,
-            rootCertBytes: this.rootCertBytes,
-            nextCertificateId: this.nextCertificateId,
+            rootCertId: this.#rootCertId,
+            rootKeyPair: this.construction.assert("root key pair", this.#rootKeyPair).keyPair,
+            rootKeyIdentifier: this.construction.assert("root key identifier", this.#rootKeyIdentifier),
+            rootCertBytes: this.construction.assert("root cert bytes", this.#rootCertBytes),
+            nextCertificateId: this.#nextCertificateId,
         };
     }
 
-    #generateRootCert() {
+    async #generateRootCert() {
         const now = Time.get().now();
         const unsignedCertificate: Unsigned<RootCertificate> = {
-            serialNumber: Bytes.fromHex(toHex(this.rootCertId)),
+            serialNumber: Bytes.fromHex(toHex(this.#rootCertId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
             ellipticCurveIdentifier: 1 /* P256v1 */,
-            issuer: { rcacId: this.rootCertId },
+            issuer: { rcacId: this.#rootCertId },
             notBefore: jsToMatterDate(now, -1),
             notAfter: jsToMatterDate(now, 10),
-            subject: { rcacId: this.rootCertId },
-            ellipticCurvePublicKey: this.rootKeyPair.publicKey,
+            subject: { rcacId: this.#rootCertId },
+            ellipticCurvePublicKey: this.#initializedRootKeyPair.publicKey,
             extensions: {
                 basicConstraints: { isCa: true },
                 keyUsage: {
                     keyCertSign: true,
                     cRLSign: true,
                 },
-                subjectKeyIdentifier: this.rootKeyIdentifier,
-                authorityKeyIdentifier: this.rootKeyIdentifier,
+                subjectKeyIdentifier: this.#initializedRootKeyIdentifier,
+                authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
-        const signature = Crypto.sign(this.rootKeyPair, CertificateManager.rootCertToAsn1(unsignedCertificate));
+        const signature = await Crypto.sign(
+            this.#initializedRootKeyPair,
+            CertificateManager.rootCertToAsn1(unsignedCertificate),
+        );
         return TlvRootCertificate.encode({ ...unsignedCertificate, signature });
     }
 
-    generateNoc(
+    async generateNoc(
         publicKey: Uint8Array,
         fabricId: FabricId,
         nodeId: NodeId,
         caseAuthenticatedTags?: CaseAuthenticatedTag[],
     ) {
         const now = Time.get().now();
-        const certId = this.nextCertificateId++;
+        const certId = this.#nextCertificateId++;
         const unsignedCertificate: Unsigned<OperationalCertificate> = {
             serialNumber: Bytes.fromHex(toHex(certId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
             ellipticCurveIdentifier: 1 /* P256v1 */,
-            issuer: { rcacId: this.rootCertId },
+            issuer: { rcacId: this.#rootCertId },
             notBefore: jsToMatterDate(now, -1),
             notAfter: jsToMatterDate(now, 10),
             subject: { fabricId, nodeId, caseAuthenticatedTags },
@@ -158,18 +166,32 @@ export class CertificateAuthority {
                     digitalSignature: true,
                 },
                 extendedKeyUsage: [2, 1],
-                subjectKeyIdentifier: Crypto.hash(publicKey).slice(0, 20),
-                authorityKeyIdentifier: this.rootKeyIdentifier,
+                subjectKeyIdentifier: (await Crypto.hash(publicKey)).slice(0, 20),
+                authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
 
-        const signature = Crypto.sign(
-            this.rootKeyPair,
+        const signature = await Crypto.sign(
+            this.#initializedRootKeyPair,
             CertificateManager.nodeOperationalCertToAsn1(unsignedCertificate),
         );
 
         return TlvOperationalCertificate.encode({ ...unsignedCertificate, signature });
     }
+
+    get #initializedRootKeyPair() {
+        if (this.#rootKeyPair === undefined) {
+            throw new InternalError("CA private key is not installed");
+        }
+        return this.#rootKeyPair;
+    }
+
+    get #initializedRootKeyIdentifier() {
+        if (this.#rootKeyIdentifier === undefined) {
+            throw new InternalError("CA key identifier is not installed");
+        }
+        return this.#rootKeyIdentifier;
+    }
 }
 
 export namespace CertificateAuthority {

package/src/certificate/CertificateManager.ts

@@ -664,18 +664,18 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export function deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
+    export async function deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
     }
 
-    export function productAttestationIntermediateCertToAsn1(
+    export async function productAttestationIntermediateCertToAsn1(
         cert: Unsigned<ProductAttestationIntermediateCertificate>,
         key: Key,
     ) {
@@ -683,13 +683,13 @@ export namespace CertificateManager {
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
     }
 
-    export function productAttestationAuthorityCertToAsn1(
+    export async function productAttestationAuthorityCertToAsn1(
         cert: Unsigned<ProductAttestationAuthorityCertificate>,
         key: Key,
     ) {
@@ -697,7 +697,7 @@ export namespace CertificateManager {
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
@@ -777,7 +777,7 @@ export namespace CertificateManager {
      * Verify requirements a Matter Root certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export function verifyRootCertificate(rootCert: RootCertificate) {
+    export async function verifyRootCertificate(rootCert: RootCertificate) {
         CertificateManager.validateGeneralCertificateFields(rootCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
@@ -861,14 +861,14 @@ export namespace CertificateManager {
             );
         }
 
-        Crypto.verify(PublicKey(rootCert.ellipticCurvePublicKey), rootCertToAsn1(rootCert), rootCert.signature);
+        await Crypto.verify(PublicKey(rootCert.ellipticCurvePublicKey), rootCertToAsn1(rootCert), rootCert.signature);
     }
 
     /**
      * Verify requirements a Matter Node Operational certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export function verifyNodeOperationalCertificate(
+    export async function verifyNodeOperationalCertificate(
         nocCert: OperationalCertificate,
         rootCert: RootCertificate,
         icaCert?: IntermediateCertificate,
@@ -985,7 +985,7 @@ export namespace CertificateManager {
             );
         }
 
-        Crypto.verify(
+        await Crypto.verify(
             PublicKey((icaCert ?? rootCert).ellipticCurvePublicKey),
             nodeOperationalCertToAsn1(nocCert),
             nocCert.signature,
@@ -996,7 +996,7 @@ export namespace CertificateManager {
      * Verify requirements a Matter Intermediate CA certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export function verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
+    export async function verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
         CertificateManager.validateGeneralCertificateFields(icaCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
@@ -1103,10 +1103,14 @@ export namespace CertificateManager {
             );
         }
 
-        Crypto.verify(PublicKey(rootCert.ellipticCurvePublicKey), intermediateCaCertToAsn1(icaCert), icaCert.signature);
+        await Crypto.verify(
+            PublicKey(rootCert.ellipticCurvePublicKey),
+            intermediateCaCertToAsn1(icaCert),
+            icaCert.signature,
+        );
     }
 
-    export function createCertificateSigningRequest(key: Key) {
+    export async function createCertificateSigningRequest(key: Key) {
         const request = {
             version: 0,
             subject: { organization: X520.OrganisationName("CSR") },
@@ -1117,11 +1121,11 @@ export namespace CertificateManager {
         return DerCodec.encode({
             request,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(Crypto.sign(key, DerCodec.encode(request), "der")),
+            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(request), "der")),
         });
     }
 
-    export function getPublicKeyFromCsr(csr: Uint8Array) {
+    export async function getPublicKeyFromCsr(csr: Uint8Array) {
         const { [DerKey.Elements]: rootElements } = DerCodec.decode(csr);
         if (rootElements?.length !== 3) throw new CertificateError("Invalid CSR data");
         const [requestNode, signAlgorithmNode, signatureNode] = rootElements;
@@ -1149,7 +1153,7 @@ export namespace CertificateManager {
             )
         )
             throw new CertificateError("Unsupported signature type");
-        Crypto.verify(PublicKey(publicKey), DerCodec.encode(requestNode), signatureNode[DerKey.Bytes], "der");
+        await Crypto.verify(PublicKey(publicKey), DerCodec.encode(requestNode), signatureNode[DerKey.Bytes], "der");
 
         return publicKey;
     }

package/src/certificate/DeviceCertification.ts

@@ -37,42 +37,38 @@ export class DeviceCertification {
     }
 
     constructor(config?: DeviceCertification.Definition, product?: ProductDescription) {
-        // Certification Provider function is used to request the certificates delayed
+        let configProvider;
         if (typeof config === "function") {
-            const configProvider = config;
-            this.#construction = Construction(this, async () => {
-                this.#initializeFromConfig(await configProvider());
-            });
-            return;
-        }
-
-        // We need a dummy construction to avoid errors
-        this.#construction = Construction(this, () => {});
-
-        // With a directly provided config or without we can initialize directly
-        if (config === undefined) {
-            if (product === undefined) {
-                throw new ImplementationError(`Cannot generate device certification without product information`);
-            }
-
-            const paa = new AttestationCertificateManager(product.vendorId);
-            const { keyPair: dacKeyPair, dac } = paa.getDACert(product.productId);
-
-            config = {
-                privateKey: PrivateKey(dacKeyPair.privateKey),
-                certificate: dac,
-                intermediateCertificate: paa.getPAICert(),
-                declaration: CertificationDeclarationManager.generate(product.vendorId, product.productId),
+            configProvider = config;
+        } else if (config) {
+            configProvider = () => config;
+        } else {
+            configProvider = async () => {
+                if (product === undefined) {
+                    throw new ImplementationError(`Cannot generate device certification without product information`);
+                }
+
+                const paa = await AttestationCertificateManager.create(product.vendorId);
+                const { keyPair: dacKeyPair, dac } = await paa.getDACert(product.productId);
+
+                return {
+                    privateKey: PrivateKey(dacKeyPair.privateKey),
+                    certificate: dac,
+                    intermediateCertificate: await paa.getPAICert(),
+                    declaration: CertificationDeclarationManager.generate(product.vendorId, product.productId),
+                };
             };
         }
-        this.#initializeFromConfig(config);
-    }
 
-    #initializeFromConfig(config: DeviceCertification.Configuration) {
-        this.#privateKey = config.privateKey instanceof Uint8Array ? PrivateKey(config.privateKey) : config.privateKey;
-        this.#certificate = config.certificate;
-        this.#intermediateCertificate = config.intermediateCertificate;
-        this.#declaration = config.declaration;
+        this.#construction = Construction(this, async () => {
+            const config = await configProvider();
+
+            this.#privateKey =
+                config.privateKey instanceof Uint8Array ? PrivateKey(config.privateKey) : config.privateKey;
+            this.#certificate = config.certificate;
+            this.#intermediateCertificate = config.intermediateCertificate;
+            this.#declaration = config.declaration;
+        });
     }
 
     sign(session: SecureSession, data: Uint8Array) {

package/src/common/FailsafeContext.ts

@@ -4,7 +4,14 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { AsyncObservable, Construction, Logger, MatterFlowError, UnexpectedDataError } from "#general";
+import {
+    AsyncObservable,
+    Construction,
+    Logger,
+    MatterFlowError,
+    UnexpectedDataError,
+    UninitializedDependencyError,
+} from "#general";
 import { CaseAuthenticatedTag, NodeId, ValidationError, VendorId } from "#types";
 import { Fabric, FabricBuilder } from "../fabric/Fabric.js";
 import { FabricManager } from "../fabric/FabricManager.js";
@@ -32,7 +39,7 @@ export abstract class FailsafeContext {
     #associatedFabric?: Fabric;
     #csrSessionId?: number;
     #forUpdateNoc?: boolean;
-    #fabricBuilder = new FabricBuilder();
+    #fabricBuilder?: FabricBuilder;
     #rootCertSet = false;
 
     #commissioned = AsyncObservable<[], void>();
@@ -45,6 +52,7 @@ export abstract class FailsafeContext {
         this.#associatedFabric = options.associatedFabric;
 
         this.#construction = Construction(this, async () => {
+            this.#fabricBuilder = await FabricBuilder.create();
             // Ensure derived class construction is complete
             await Promise.resolve();
 
@@ -71,7 +79,7 @@ export abstract class FailsafeContext {
     }
 
     get fabricIndex() {
-        return this.#fabricBuilder.fabricIndex;
+        return this.#builder.fabricIndex;
     }
 
     get construction() {
@@ -99,11 +107,11 @@ export abstract class FailsafeContext {
     }
 
     get hasRootCert() {
-        return this.#fabricBuilder.rootCert !== undefined;
+        return this.#builder.rootCert !== undefined;
     }
 
     get rootCert() {
-        return this.#fabricBuilder.rootCert;
+        return this.#builder.rootCert;
     }
 
     async completeCommission() {
@@ -157,11 +165,11 @@ export abstract class FailsafeContext {
      * validity checks.
      */
     createCertificateSigningRequest(isForUpdateNoc: boolean, sessionId: number) {
-        if (this.#fabrics.findByKeypair(this.#fabricBuilder.keyPair)) {
+        if (this.#fabrics.findByKeypair(this.#builder.keyPair)) {
             throw new MatterFlowError("Key pair already exists."); // becomes Failure as StatusResponse
         }
 
-        const result = this.#fabricBuilder.createCertificateSigningRequest();
+        const result = this.#builder.createCertificateSigningRequest();
         this.#csrSessionId = sessionId;
         this.#forUpdateNoc = isForUpdateNoc;
         return result;
@@ -186,8 +194,8 @@ export abstract class FailsafeContext {
     }
 
     /** Handles adding a trusted root certificate from Operational Credentials cluster. */
-    setRootCert(rootCert: Uint8Array) {
-        this.#fabricBuilder.setRootCert(rootCert);
+    async setRootCert(rootCert: Uint8Array) {
+        await this.#builder.setRootCert(rootCert);
         this.#rootCertSet = true;
     }
 
@@ -199,9 +207,9 @@ export abstract class FailsafeContext {
         if (this.associatedFabric === undefined) {
             throw new MatterFlowError("No fabric associated with failsafe context, but we prepare an Fabric update.");
         }
-        this.#fabricBuilder.initializeFromFabricForUpdate(this.associatedFabric);
-        this.#fabricBuilder.setOperationalCert(nocValue, icacValue);
-        return await this.#fabricBuilder.build(this.associatedFabric.fabricIndex);
+        this.#builder.initializeFromFabricForUpdate(this.associatedFabric);
+        await this.#builder.setOperationalCert(nocValue, icacValue);
+        return await this.#builder.build(this.associatedFabric.fabricIndex);
     }
 
     /** Build a new Fabric object for a new fabric for the "AddNoc" case of the Operational Credentials cluster. */
@@ -212,7 +220,7 @@ export abstract class FailsafeContext {
         ipkValue: Uint8Array;
         caseAdminSubject: NodeId;
     }) {
-        const builder = this.#fabricBuilder;
+        const builder = this.#builder;
 
         const { nocValue, icacValue, adminVendorId, ipkValue, caseAdminSubject } = nocData;
 
@@ -232,7 +240,7 @@ export abstract class FailsafeContext {
             }
         }
 
-        builder.setOperationalCert(nocValue, icacValue);
+        await builder.setOperationalCert(nocValue, icacValue);
         const fabricAlreadyExisting = this.#fabrics.find(fabric => builder.matchesToFabric(fabric));
 
         if (fabricAlreadyExisting) {
@@ -320,6 +328,13 @@ export abstract class FailsafeContext {
     abstract revokeFabric(fabric: Fabric): Promise<void>;
 
     abstract restoreBreadcrumb(): Promise<void>;
+
+    get #builder() {
+        if (this.#fabricBuilder === undefined) {
+            throw new UninitializedDependencyError("FailsafeContext", "Fabric builder has not been initialized");
+        }
+        return this.#fabricBuilder;
+    }
 }
 
 export namespace FailsafeContext {