@matter/protocol 0.14.0 → 0.14.1-alpha.0-20250606-a9bcd03f9

package/src/cluster/client/ClusterClient.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { capitalize, Diagnostic, Logger, Merge } from "#general";
+import { capitalize, Diagnostic, ImplementationError, Logger, Merge } from "#general";
 import {
     Attribute,
     AttributeId,
@@ -31,18 +31,37 @@ import {
     AttributeClientValues,
     ClusterClientObj,
     EventClients,
+    GroupClusterClientObj,
     SignatureFromCommandSpec,
+    SignatureFromCommandSpecWithoutResponse,
 } from "./ClusterClientTypes.js";
 import { createEventClient } from "./EventClient.js";
 
 const logger = Logger.get("ClusterClient");
 
+export function GroupClusterClient<const T extends ClusterType>(
+    clusterDef: T,
+    interactionClient: InteractionClient,
+    globalAttributeValues: Partial<AttributeClientValues<GlobalAttributes<T["features"]>>> = {},
+): GroupClusterClientObj<T> {
+    if (!interactionClient.isGroupAddress) {
+        throw new Error("GroupClusterClient must be used with a GroupAddress InteractionClient");
+    }
+
+    return ClusterClient(clusterDef, undefined, interactionClient, globalAttributeValues);
+}
+
 export function ClusterClient<const T extends ClusterType>(
     clusterDef: T,
-    endpointId: EndpointNumber,
+    endpointId: EndpointNumber | undefined,
     interactionClient: InteractionClient,
     globalAttributeValues: Partial<AttributeClientValues<GlobalAttributes<T["features"]>>> = {},
 ): ClusterClientObj<T> {
+    const isGroupAddress = interactionClient.isGroupAddress;
+    if (isGroupAddress !== (endpointId === undefined)) {
+        throw new Error("Endpoint ID must be defined for a Non-Group ClusterClient");
+    }
+
     function addAttributeToResult(attribute: Attribute<any, any>, attributeName: string) {
         (attributes as any)[attributeName] = createAttributeClient(
             attribute,
@@ -59,6 +78,10 @@ export function ClusterClient<const T extends ClusterType>(
             requestFromRemote?: boolean,
             isFabricFiltered = true,
         ) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support reading attributes");
+            }
+
             try {
                 return await (attributes as any)[attributeName].get(requestFromRemote, isFabricFiltered);
             } catch (e) {
@@ -77,6 +100,10 @@ export function ClusterClient<const T extends ClusterType>(
             knownDataVersion?: number,
             isFabricFiltered?: boolean,
         ) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing attributes");
+            }
+
             (attributes as any)[attributeName].addListener(listener);
             return (attributes as any)[attributeName].subscribe(
                 minIntervalS,
@@ -86,9 +113,17 @@ export function ClusterClient<const T extends ClusterType>(
             );
         };
         result[`add${capitalizedAttributeName}AttributeListener`] = <T>(listener: (value: T) => void) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing attributes");
+            }
+
             (attributes as any)[attributeName].addListener(listener);
         };
         result[`remove${capitalizedAttributeName}AttributeListener`] = <T>(listener: (value: T) => void) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing attributes");
+            }
+
             (attributes as any)[attributeName].removeListener(listener);
         };
     }
@@ -102,6 +137,10 @@ export function ClusterClient<const T extends ClusterType>(
             minimumEventNumber?: number | bigint,
             isFabricFiltered?: boolean,
         ) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support reading events");
+            }
+
             try {
                 return await (events as any)[eventName].get(minimumEventNumber, isFabricFiltered);
             } catch (e) {
@@ -119,6 +158,10 @@ export function ClusterClient<const T extends ClusterType>(
             minimumEventNumber?: number | bigint,
             isFabricFiltered?: boolean,
         ) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing to events");
+            }
+
             (events as any)[eventName].addListener(listener);
             return (events as any)[eventName].subscribe(
                 minIntervalS,
@@ -129,9 +172,17 @@ export function ClusterClient<const T extends ClusterType>(
             );
         };
         result[`add${capitalizedEventName}EventListener`] = <T>(listener: (value: DecodedEventData<T>) => void) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing events");
+            }
+
             (events as any)[eventName].addListener(listener);
         };
         result[`remove${capitalizedEventName}EventListener`] = <T>(listener: (value: DecodedEventData<T>) => void) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing events");
+            }
+
             (events as any)[eventName].removeListener(listener);
         };
     }
@@ -149,7 +200,13 @@ export function ClusterClient<const T extends ClusterType>(
     } = clusterDef;
     const attributes = <AttributeClients<T["features"], T["attributes"]>>{};
     const events = <EventClients<T["events"]>>{};
-    const commands = <{ [P in keyof T["commands"]]: SignatureFromCommandSpec<T["commands"][P]> }>{};
+    const commands = <
+        {
+            [P in keyof T["commands"]]:
+                | SignatureFromCommandSpec<T["commands"][P]>
+                | SignatureFromCommandSpecWithoutResponse<T["commands"][P]>;
+        }
+    >{};
 
     let reportedFeatures: TypeFromPartialBitSchema<T["features"]> | undefined = undefined;
     // If we have global attribute values we use them to modify
@@ -178,6 +235,10 @@ export function ClusterClient<const T extends ClusterType>(
             eventFilters?: TypeFromSchema<typeof TlvEventFilter>[];
             dataVersionFilters?: { endpointId: EndpointNumber; clusterId: ClusterId; dataVersion: number }[];
         }) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support subscribing attributes");
+            }
+
             const {
                 minIntervalFloorSeconds,
                 maxIntervalCeilingSeconds,
@@ -237,10 +298,18 @@ export function ClusterClient<const T extends ClusterType>(
         },
 
         isAttributeSupported: (attributeId: AttributeId) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not allow to determine attribute existence.");
+            }
+
             return !!globalAttributeValues?.attributeList?.includes(attributeId);
         },
 
         isAttributeSupportedByName: (attributeName: string) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not allow to determine attribute existence.");
+            }
+
             const attribute = (attributes as any)[attributeName];
             if (attribute === undefined) {
                 return false;
@@ -249,10 +318,18 @@ export function ClusterClient<const T extends ClusterType>(
         },
 
         isCommandSupported: (commandId: CommandId) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not allow to determine command existence.");
+            }
+
             return !!globalAttributeValues?.acceptedCommandList?.includes(commandId);
         },
 
         isCommandSupportedByName: (commandName: string) => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not allow to determine attribute existence.");
+            }
+
             const command = commandDef[commandName];
             if (command === undefined) {
                 return false;
@@ -308,8 +385,17 @@ export function ClusterClient<const T extends ClusterType>(
             } = {},
         ) => {
             const { asTimedRequest, timedRequestTimeoutMs, useExtendedFailSafeMessageResponseTimeout } = options;
+            if (isGroupAddress) {
+                return interactionClient.invokeWithSuppressedResponse<Command<RequestT, ResponseT, any>>({
+                    clusterId,
+                    command: commandDef[commandName],
+                    request,
+                    asTimedRequest,
+                    timedRequestTimeoutMs,
+                });
+            }
             return interactionClient.invoke<Command<RequestT, ResponseT, any>>({
-                endpointId,
+                endpointId: endpointId!,
                 clusterId,
                 command: commandDef[commandName],
                 request,

package/src/cluster/client/ClusterClientTypes.ts

@@ -72,6 +72,23 @@ export type SignatureFromCommandSpec<C extends Command<any, any, any>> = (
         useExtendedFailSafeMessageResponseTimeout?: boolean;
     },
 ) => Promise<ResponseType<C>>;
+
+export type SignatureFromCommandSpecWithoutResponse<C extends Command<any, any, any>> = (
+    request: RequestType<C>,
+    options?: {
+        /** Send this command as a timed request also when not required. Default timeout are 10 seconds. */
+        asTimedRequest?: boolean;
+
+        /** Override the request timeout when the command is sent as times request. Default are 10s. */
+        timedRequestTimeoutMs?: number;
+
+        /**
+         * Use the extended fail-safe message response timeout of 30 seconds. Use this for all commands
+         * executed during an activated FailSafe context!
+         */
+        useExtendedFailSafeMessageResponseTimeout?: boolean;
+    },
+) => Promise<void>;
 type GetterTypeFromSpec<A extends Attribute<any, any>> =
     A extends OptionalAttribute<infer T, any> ? T | undefined : AttributeJsType<A>;
 type ClientAttributeGetters<A extends Attributes> = Omit<
@@ -116,6 +133,7 @@ type ClientAttributeListeners<A extends Attributes> = {
 };
 
 type CommandServers<C extends Commands> = { [P in keyof C]: SignatureFromCommandSpec<C[P]> };
+type NoResponseCommandServers<C extends Commands> = { [P in keyof C]: SignatureFromCommandSpecWithoutResponse<C[P]> };
 
 type ClientEventGetters<E extends Events> = {
     [P in keyof E as `get${Capitalize<string & P>}Event`]: (
@@ -143,8 +161,8 @@ type ClientEventListeners<E extends Events> = {
     ) => void;
 };
 
-/** Strongly typed interface of a cluster client */
-export type ClusterClientObj<T extends ClusterType = ClusterType> = {
+/** Strongly typed interface of a group cluster client (limited functionalities) */
+export type BaseClusterClientObj<T extends ClusterType = ClusterType> = {
     /**
      * Cluster ID
      * @readonly
@@ -177,12 +195,6 @@ export type ClusterClientObj<T extends ClusterType = ClusterType> = {
      */
     readonly isUnknown: boolean;
 
-    /**
-     * Endpoint ID the cluster is on.
-     * @readonly
-     */
-    readonly endpointId: number;
-
     /**
      * Supported Features of the cluster
      * @readonly
@@ -195,6 +207,24 @@ export type ClusterClientObj<T extends ClusterType = ClusterType> = {
      * @readonly
      */
     readonly attributes: AttributeClients<T["features"], T["attributes"]>;
+} & ClientAttributeSetters<T["attributes"]>;
+
+export type GroupClusterClientObj<T extends ClusterType = ClusterType> = BaseClusterClientObj<T> & {
+    /**
+     * Commands of the cluster as object with named keys. This can be used to discover the commands of the cluster
+     * programmatically.
+     * @readonly
+     */
+    readonly commands: NoResponseCommandServers<T["commands"]>;
+} & NoResponseCommandServers<T["commands"]>;
+
+/** Strongly typed interface of a cluster client */
+export type ClusterClientObj<T extends ClusterType = ClusterType> = BaseClusterClientObj<T> & {
+    /**
+     * Endpoint ID the cluster is on.
+     * @readonly
+     */
+    readonly endpointId: number;
 
     /**
      * Events of the cluster as object with named keys. This can be used to discover the events of the cluster
@@ -236,7 +266,6 @@ export type ClusterClientObj<T extends ClusterType = ClusterType> = {
     isCommandSupportedByName: (commandName: string) => boolean;
 } & ClientAttributeGetters<T["attributes"]> &
     ClientGlobalAttributeGetters<T["features"]> &
-    ClientAttributeSetters<T["attributes"]> &
     ClientAttributeSubscribers<T["attributes"]> &
     ClientAttributeListeners<T["attributes"]> &
     CommandServers<T["commands"]> &

package/src/cluster/client/EventClient.ts

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import { ImplementationError } from "#general";
 import { ClusterId, EndpointNumber, Event, EventId, EventNumber } from "#types";
 import { DecodedEventData } from "../../interaction/EventDataDecoder.js";
 import { InteractionClient } from "../../interaction/InteractionClient.js";
@@ -14,7 +15,7 @@ import { InteractionClient } from "../../interaction/InteractionClient.js";
 export function createEventClient<T>(
     event: Event<T, any>,
     name: string,
-    endpointId: EndpointNumber,
+    endpointId: EndpointNumber | undefined,
     clusterId: ClusterId,
     interactionClient: InteractionClient,
 ): EventClient<T> {
@@ -32,7 +33,7 @@ export class EventClient<T> {
     constructor(
         readonly event: Event<T, any>,
         readonly name: string,
-        readonly endpointId: EndpointNumber,
+        readonly endpointId: EndpointNumber | undefined,
         readonly clusterId: ClusterId,
         interactionClient: InteractionClient,
     ) {
@@ -44,6 +45,9 @@ export class EventClient<T> {
         minimumEventNumber?: EventNumber,
         isFabricFiltered?: boolean,
     ): Promise<DecodedEventData<T>[] | undefined> {
+        if (this.endpointId === undefined) {
+            throw new ImplementationError("Cannot read event without endpointId");
+        }
         return await this.#interactionClient.getEvent({
             endpointId: this.endpointId,
             clusterId: this.clusterId,
@@ -60,6 +64,9 @@ export class EventClient<T> {
         minimumEventNumber?: EventNumber,
         isFabricFiltered?: boolean,
     ) {
+        if (this.endpointId === undefined) {
+            throw new ImplementationError("Cannot read event without endpointId");
+        }
         return await this.#interactionClient.subscribeEvent({
             endpointId: this.endpointId,
             clusterId: this.clusterId,

package/src/codec/MessageCodec.ts

@@ -4,7 +4,16 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Bytes, DataReader, DataWriter, Diagnostic, Endian, NotImplementedError, UnexpectedDataError } from "#general";
+import {
+    Bytes,
+    DataReader,
+    DataWriter,
+    Diagnostic,
+    Endian,
+    InternalError,
+    NotImplementedError,
+    UnexpectedDataError,
+} from "#general";
 import { ExchangeLogContext } from "#protocol/index.js";
 import { GroupId, INTERACTION_PROTOCOL_ID, NodeId, SECURE_CHANNEL_PROTOCOL_ID, SecureMessageType } from "#types";
 import { MessageType } from "../interaction/InteractionMessenger.js";
@@ -84,6 +93,7 @@ const enum SecurityFlag {
     HasPrivacyEnhancements = 0b10000000,
     IsControlMessage = 0b01000000,
     HasMessageExtension = 0b00100000,
+    SessionTypeMask = 0b00000011,
 }
 
 function mapProtocolAndMessageType(protocolId: number, messageType: number): { type: string; for?: string } {
@@ -129,6 +139,13 @@ export class MessageCodec {
             const extensionLength = reader.readUInt16();
             securityExtension = reader.readByteArray(extensionLength);
         }
+
+        if (header.sessionType === SessionType.Group && !header.isControlMessage) {
+            if (payloadHeader.requiresAck || payloadHeader.ackedMessageId) {
+                throw new UnexpectedDataError(`Group data messages cannot have requiresAck or ackedMessageId set.`);
+            }
+        }
+
         return {
             packetHeader: header,
             payloadHeader,
@@ -176,13 +193,31 @@ export class MessageCodec {
         const destNodeId = hasDestNodeId ? NodeId(reader.readUInt64()) : undefined;
         const destGroupId = hasDestGroupId ? GroupId(reader.readUInt16()) : undefined;
 
-        const sessionType = securityFlags & 0b00000011;
-        if (sessionType !== SessionType.Group && sessionType !== SessionType.Unicast)
-            throw new UnexpectedDataError(`Unsupported session type ${sessionType}`);
+        const sessionType = securityFlags & SecurityFlag.SessionTypeMask;
+
+        if (sessionType !== SessionType.Group && sessionType !== SessionType.Unicast) {
+            throw new UnexpectedDataError(`Unsupported session type ${sessionType}.`);
+        }
+        if (sessionType === SessionType.Unicast && hasDestGroupId) {
+            throw new UnexpectedDataError(`Unicast session cannot have destination group id.`);
+        }
+        if (sessionType === SessionType.Group) {
+            if (!hasDestGroupId && !hasDestNodeId) {
+                throw new UnexpectedDataError(`Group session must have destination group id or destination node id.`);
+            }
+            if (!hasSourceNodeId) {
+                throw new UnexpectedDataError(`Group session must have source node id.`);
+            }
+        }
         const hasPrivacyEnhancements = (securityFlags & SecurityFlag.HasPrivacyEnhancements) !== 0;
-        if (hasPrivacyEnhancements) throw new NotImplementedError(`Privacy enhancements not supported`);
+        if (hasPrivacyEnhancements) {
+            throw new NotImplementedError(`Privacy enhancements not supported.`);
+        }
         const isControlMessage = (securityFlags & SecurityFlag.IsControlMessage) !== 0;
-        if (isControlMessage) throw new NotImplementedError(`Control Messages not supported`);
+        if (isControlMessage) {
+            // And also currently not needed because MCP is not relevant
+            throw new NotImplementedError(`Control Messages not supported.`);
+        }
         const hasMessageExtensions = (securityFlags & SecurityFlag.HasMessageExtension) !== 0;
 
         return {
@@ -207,7 +242,7 @@ export class MessageCodec {
         const hasSecuredExtension = (exchangeFlags & PayloadHeaderFlag.HasSecureExtension) !== 0;
         const hasVendorId = (exchangeFlags & PayloadHeaderFlag.HasVendorId) !== 0;
 
-        const messageType = reader.readUInt8();
+        const messageType = reader.readUInt8(); // Protocol Opcode
         const exchangeId = reader.readUInt16();
         const vendorId = hasVendorId ? reader.readUInt16() : COMMON_VENDOR_ID;
         const protocolId = (vendorId << 16) | reader.readUInt16();
@@ -232,6 +267,12 @@ export class MessageCodec {
         sourceNodeId,
         sessionType,
     }: PacketHeader) {
+        if (
+            sessionType === SessionType.Group &&
+            (destGroupId === undefined || sourceNodeId === undefined || destNodeId !== undefined)
+        ) {
+            throw new InternalError(`Group session must have destination group id or source node id.`);
+        }
         const writer = new DataWriter(Endian.Little);
         const flags =
             (HEADER_VERSION << 4) |
@@ -246,7 +287,7 @@ export class MessageCodec {
         writer.writeUInt32(messageCounter);
         if (sourceNodeId !== undefined) writer.writeUInt64(sourceNodeId);
         if (destNodeId !== undefined) writer.writeUInt64(destNodeId);
-        if (destGroupId !== undefined) writer.writeUInt32(destGroupId);
+        if (destGroupId !== undefined) writer.writeUInt16(destGroupId);
         return writer.toByteArray();
     }
 

package/src/fabric/Fabric.ts

@@ -10,7 +10,6 @@ import {
     TlvOperationalCertificate,
     TlvRootCertificate,
 } from "#certificate/CertificateManager.js";
-import { GroupKeyManagement } from "#clusters/group-key-management";
 import {
     BinaryKeyPair,
     Bytes,
@@ -25,56 +24,19 @@ import {
     MatterFlowError,
     MaybePromise,
     PrivateKey,
+    StorageContext,
 } from "#general";
+import { FabricGroupsManager, GROUP_SECURITY_INFO } from "#groups/FabricGroupsManager.js";
 import { PeerAddress } from "#peer/PeerAddress.js";
-import { CaseAuthenticatedTag, FabricId, FabricIndex, NodeId, TypeFromSchema, VendorId } from "#types";
-import { SecureSession } from "../session/SecureSession.js";
+import { Session } from "#session/Session.js";
+import { CaseAuthenticatedTag, FabricId, FabricIndex, GroupId, NodeId, VendorId } from "#types";
 
 const logger = Logger.get("Fabric");
 
 const COMPRESSED_FABRIC_ID_INFO = Bytes.fromString("CompressedFabric");
-const GROUP_SECURITY_INFO = Bytes.fromString("GroupKey v1.0");
 
 export class PublicKeyError extends MatterError {}
 
-type OperationalGroupKeySet = TypeFromSchema<typeof GroupKeyManagement.TlvGroupKeySet> & {
-    operationalEpochKey0: Uint8Array;
-    groupSessionId0: number | null;
-    operationalEpochKey1: Uint8Array | null;
-    groupSessionId1: number | null;
-    operationalEpochKey2: Uint8Array | null;
-    groupSessionId2: number | null;
-};
-
-namespace OperationalGroupKeySet {
-    export const asTlvGroupSet = (
-        operationalGroupSet: OperationalGroupKeySet,
-    ): TypeFromSchema<typeof GroupKeyManagement.TlvGroupKeySet> => {
-        const {
-            groupKeySetId,
-            epochKey0,
-            epochStartTime0,
-            epochKey1,
-            epochStartTime1,
-            epochKey2,
-            epochStartTime2,
-            groupKeySecurityPolicy,
-            groupKeyMulticastPolicy,
-        } = operationalGroupSet;
-        return {
-            groupKeySetId,
-            epochKey0,
-            epochStartTime0,
-            epochKey1,
-            epochStartTime1,
-            epochKey2,
-            epochStartTime2,
-            groupKeySecurityPolicy,
-            groupKeyMulticastPolicy,
-        };
-    };
-}
-
 export type ExposedFabricInformation = {
     fabricIndex: FabricIndex;
     fabricId: FabricId;
@@ -97,14 +59,13 @@ export class Fabric {
     readonly operationalIdentityProtectionKey: Uint8Array;
     readonly intermediateCACert: Uint8Array | undefined;
     readonly operationalCert: Uint8Array;
-
     readonly #keyPair: Key;
-
-    readonly #sessions = new Set<SecureSession>();
-
+    readonly #sessions = new Set<Session>();
+    readonly #groupManager: FabricGroupsManager;
     #label: string;
     #removeCallbacks = new Array<() => MaybePromise<void>>();
     #persistCallback: ((isUpdate?: boolean) => MaybePromise<void>) | undefined;
+    #storage?: StorageContext;
 
     constructor(config: Fabric.Config) {
         this.fabricIndex = config.fabricIndex;
@@ -120,8 +81,8 @@ export class Fabric {
         this.intermediateCACert = config.intermediateCACert;
         this.operationalCert = config.operationalCert;
         this.#label = config.label;
-
         this.#keyPair = PrivateKey(config.keyPair);
+        this.#groupManager = new FabricGroupsManager(this);
     }
 
     get config(): Fabric.Config {
@@ -158,6 +119,19 @@ export class Fabric {
         await this.persist();
     }
 
+    set storage(storage: StorageContext) {
+        this.#storage = storage;
+        this.#groupManager.storage = storage;
+    }
+
+    get storage(): StorageContext | undefined {
+        return this.#storage;
+    }
+
+    get groups() {
+        return this.#groupManager;
+    }
+
     get publicKey() {
         return this.#keyPair.publicKey;
     }
@@ -190,20 +164,39 @@ export class Fabric {
         );
     }
 
-    getDestinationId(nodeId: NodeId, random: Uint8Array) {
+    #generateSalt(nodeId: NodeId, random: Uint8Array) {
         const writer = new DataWriter(Endian.Little);
         writer.writeByteArray(random);
         writer.writeByteArray(this.rootPublicKey);
         writer.writeUInt64(this.fabricId);
         writer.writeUInt64(nodeId);
-        return Crypto.hmac(this.operationalIdentityProtectionKey, writer.toByteArray());
+        return writer.toByteArray();
+    }
+
+    /**
+     * Returns the destination IDs for a given nodeId, random value and optional groupId.
+     * When groupId is provided, it returns the time-wise valid operational keys for that groupId.
+     */
+    async currentDestinationIdFor(nodeId: NodeId, random: Uint8Array) {
+        return await Crypto.hmac(this.groups.keySets.currentKeyForId(0).key, this.#generateSalt(nodeId, random));
+    }
+
+    /**
+     * Returns the destination IDs for a given nodeId, random value and optional groupId.
+     * When groupId is provided, it returns all operational keys for that groupId.
+     */
+    async destinationIdsFor(nodeId: NodeId, random: Uint8Array) {
+        const salt = this.#generateSalt(nodeId, random);
+        // Check all keys of keyset 0 - typically it is only the IPK
+        const destinationIds = this.groups.keySets.allKeysForId(0).map(({ key }) => Crypto.hmac(key, salt));
+        return await Promise.all(destinationIds);
     }
 
-    addSession(session: SecureSession) {
+    addSession(session: Session) {
         this.#sessions.add(session);
     }
 
-    removeSession(session: SecureSession) {
+    removeSession(session: Session) {
         this.#sessions.delete(session);
     }
 
@@ -236,39 +229,6 @@ export class Fabric {
         return this.#persistCallback?.(isUpdate);
     }
 
-    getGroupKeySet(groupKeySetId: number) {
-        if (groupKeySetId === 0) {
-            return OperationalGroupKeySet.asTlvGroupSet(this.getGroupSetForIpk());
-        }
-        // TODO add correct group handling later, right now only IPK exists
-        return undefined;
-    }
-
-    private getGroupSetForIpk(): OperationalGroupKeySet {
-        return {
-            groupKeySetId: 0,
-            epochKey0: this.identityProtectionKey,
-            operationalEpochKey0: this.operationalIdentityProtectionKey,
-            epochStartTime0: 0, // or do we need to track Fabric creation date?
-            groupSessionId0: null,
-            epochKey1: null,
-            operationalEpochKey1: null,
-            epochStartTime1: null,
-            groupSessionId1: null,
-            epochKey2: null,
-            operationalEpochKey2: null,
-            epochStartTime2: null,
-            groupSessionId2: null,
-            groupKeySecurityPolicy: GroupKeyManagement.GroupKeySecurityPolicy.TrustFirst,
-            groupKeyMulticastPolicy: GroupKeyManagement.GroupKeyMulticastPolicy.PerGroupId,
-        };
-    }
-
-    getAllGroupKeySets() {
-        // TODO add correct group handling later, right now only IPK exists
-        return [OperationalGroupKeySet.asTlvGroupSet(this.getGroupSetForIpk())];
-    }
-
     get externalInformation(): ExposedFabricInformation {
         return {
             fabricIndex: this.fabricIndex,
@@ -283,6 +243,12 @@ export class Fabric {
     addressOf(nodeId: NodeId) {
         return PeerAddress({ fabricIndex: this.fabricIndex, nodeId });
     }
+
+    groupAddressOf(groupId: GroupId) {
+        GroupId.assertGroupId(groupId);
+
+        return PeerAddress({ fabricIndex: this.fabricIndex, nodeId: NodeId.fromGroupId(groupId) });
+    }
 }
 
 export class FabricBuilder {
@@ -433,7 +399,7 @@ export class FabricBuilder {
             throw new InternalError("operationalCert needs to be set");
 
         this.#fabricIndex = fabricIndex;
-        const saltWriter = new DataWriter(Endian.Big);
+        const saltWriter = new DataWriter();
         saltWriter.writeUInt64(this.#fabricId);
         const operationalId = await Crypto.hkdf(
             this.#rootPublicKey.slice(1),