@matter/protocol 0.14.1-alpha.0-20250606-a9bcd03f9 → 0.15.0-alpha.0-20250612-ddd428561

package/src/certificate/CertificateManager.ts

@@ -5,12 +5,12 @@
  */
 
 import {
-    BitByteArray,
     Bytes,
     ContextTagged,
     ContextTaggedBytes,
     Crypto,
     DatatypeOverride,
+    DerBitString,
     DerCodec,
     DerKey,
     DerObject,
@@ -666,10 +666,11 @@ export namespace CertificateManager {
 
     export async function deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
+        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: DerBitString(signature),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
@@ -680,10 +681,11 @@ export namespace CertificateManager {
         key: Key,
     ) {
         const certificate = genericBuildAsn1Structure(cert);
+        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: DerBitString(signature),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
@@ -697,13 +699,13 @@ export namespace CertificateManager {
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(certificate), "der")),
+            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
     }
 
-    export function certificationDeclarationToAsn1(
+    export async function certificationDeclarationToAsn1(
         eContent: Uint8Array,
         subjectKeyIdentifier: Uint8Array,
         privateKey: JsonWebKey,
@@ -718,7 +720,7 @@ export namespace CertificateManager {
                     subjectKeyIdentifier: ContextTaggedBytes(0, subjectKeyIdentifier),
                     digestAlgorithm: SHA256_CMS,
                     signatureAlgorithm: X962.EcdsaWithSHA256,
-                    signature: Crypto.sign(privateKey, eContent, "der"),
+                    signature: await Crypto.signEcdsa(privateKey, eContent, "der"),
                 },
             ],
         };
@@ -861,7 +863,11 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verify(PublicKey(rootCert.ellipticCurvePublicKey), rootCertToAsn1(rootCert), rootCert.signature);
+        await Crypto.verifyEcdsa(
+            PublicKey(rootCert.ellipticCurvePublicKey),
+            rootCertToAsn1(rootCert),
+            rootCert.signature,
+        );
     }
 
     /**
@@ -985,7 +991,7 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verify(
+        await Crypto.verifyEcdsa(
             PublicKey((icaCert ?? rootCert).ellipticCurvePublicKey),
             nodeOperationalCertToAsn1(nocCert),
             nocCert.signature,
@@ -1103,7 +1109,7 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verify(
+        await Crypto.verifyEcdsa(
             PublicKey(rootCert.ellipticCurvePublicKey),
             intermediateCaCertToAsn1(icaCert),
             icaCert.signature,
@@ -1121,7 +1127,7 @@ export namespace CertificateManager {
         return DerCodec.encode({
             request,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: BitByteArray(await Crypto.sign(key, DerCodec.encode(request), "der")),
+            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(request), "der")),
         });
     }
 
@@ -1153,7 +1159,12 @@ export namespace CertificateManager {
             )
         )
             throw new CertificateError("Unsupported signature type");
-        await Crypto.verify(PublicKey(publicKey), DerCodec.encode(requestNode), signatureNode[DerKey.Bytes], "der");
+        await Crypto.verifyEcdsa(
+            PublicKey(publicKey),
+            DerCodec.encode(requestNode),
+            signatureNode[DerKey.Bytes],
+            "der",
+        );
 
         return publicKey;
     }

package/src/certificate/DeviceCertification.ts

@@ -55,7 +55,7 @@ export class DeviceCertification {
                     privateKey: PrivateKey(dacKeyPair.privateKey),
                     certificate: dac,
                     intermediateCertificate: await paa.getPAICert(),
-                    declaration: CertificationDeclarationManager.generate(product.vendorId, product.productId),
+                    declaration: await CertificationDeclarationManager.generate(product.vendorId, product.productId),
                 };
             };
         }
@@ -71,8 +71,10 @@ export class DeviceCertification {
         });
     }
 
-    sign(session: NodeSession, data: Uint8Array) {
-        return Crypto.sign(this.#assertInitialized().privateKey, [data, session.attestationChallengeKey]);
+    async sign(session: NodeSession, data: Uint8Array) {
+        const { privateKey } = this.#assertInitialized();
+        const signature = await Crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
+        return signature;
     }
 
     /**

package/src/cluster/client/ClusterClient.ts

@@ -91,6 +91,13 @@ export function ClusterClient<const T extends ClusterType>(
                 throw e;
             }
         };
+        result[`get${capitalizedAttributeName}AttributeFromCache`] = () => {
+            if (isGroupAddress) {
+                throw new ImplementationError("Group cluster clients do not support reading attributes");
+            }
+
+            return (attributes as any)[attributeName].getLocal();
+        };
         result[`set${capitalizedAttributeName}Attribute`] = async <T>(value: T, dataVersion?: number) =>
             (attributes as any)[attributeName].set(value, dataVersion);
         result[`subscribe${capitalizedAttributeName}Attribute`] = async <T>(

package/src/cluster/client/ClusterClientTypes.ts

@@ -100,6 +100,12 @@ type ClientAttributeGetters<A extends Attributes> = Omit<
     },
     keyof GlobalAttributes<any>
 >;
+type ClientLocalAttributeGetters<A extends Attributes> = Omit<
+    {
+        [P in keyof A as `get${Capitalize<string & P>}AttributeFromCache`]: () => GetterTypeFromSpec<A[P]> | undefined;
+    },
+    keyof GlobalAttributes<any>
+>;
 type ClientGlobalAttributeGetters<F extends BitSchema> = {
     [P in GlobalAttributeNames<F> as `get${Capitalize<string & P>}Attribute`]: () => Promise<
         GetterTypeFromSpec<GlobalAttributes<F>[P]>
@@ -265,6 +271,7 @@ export type ClusterClientObj<T extends ClusterType = ClusterType> = BaseClusterC
     /** Returns if a given Command with provided name is present and supported at the connected cluster server. */
     isCommandSupportedByName: (commandName: string) => boolean;
 } & ClientAttributeGetters<T["attributes"]> &
+    ClientLocalAttributeGetters<T["attributes"]> &
     ClientGlobalAttributeGetters<T["features"]> &
     ClientAttributeSubscribers<T["attributes"]> &
     ClientAttributeListeners<T["attributes"]> &

package/src/fabric/Fabric.ts

@@ -15,6 +15,7 @@ import {
     Bytes,
     Crypto,
     DataWriter,
+    Diagnostic,
     Endian,
     ImplementationError,
     InternalError,
@@ -26,7 +27,8 @@ import {
     PrivateKey,
     StorageContext,
 } from "#general";
-import { FabricGroupsManager, GROUP_SECURITY_INFO } from "#groups/FabricGroupsManager.js";
+import { FabricGroups, GROUP_SECURITY_INFO } from "#groups/FabricGroups.js";
+import { FabricAccessControl } from "#interaction/FabricAccessControl.js";
 import { PeerAddress } from "#peer/PeerAddress.js";
 import { Session } from "#session/Session.js";
 import { CaseAuthenticatedTag, FabricId, FabricIndex, GroupId, NodeId, VendorId } from "#types";
@@ -61,7 +63,8 @@ export class Fabric {
     readonly operationalCert: Uint8Array;
     readonly #keyPair: Key;
     readonly #sessions = new Set<Session>();
-    readonly #groupManager: FabricGroupsManager;
+    readonly #groupManager: FabricGroups;
+    readonly #aclManager: FabricAccessControl;
     #label: string;
     #removeCallbacks = new Array<() => MaybePromise<void>>();
     #persistCallback: ((isUpdate?: boolean) => MaybePromise<void>) | undefined;
@@ -82,7 +85,8 @@ export class Fabric {
         this.operationalCert = config.operationalCert;
         this.#label = config.label;
         this.#keyPair = PrivateKey(config.keyPair);
-        this.#groupManager = new FabricGroupsManager(this);
+        this.#aclManager = new FabricAccessControl(this);
+        this.#groupManager = new FabricGroups(this);
     }
 
     get config(): Fabric.Config {
@@ -132,12 +136,16 @@ export class Fabric {
         return this.#groupManager;
     }
 
+    get acl() {
+        return this.#aclManager;
+    }
+
     get publicKey() {
         return this.#keyPair.publicKey;
     }
 
     sign(data: Uint8Array) {
-        return Crypto.sign(this.#keyPair, data);
+        return Crypto.signEcdsa(this.#keyPair, data);
     }
 
     async verifyCredentials(operationalCert: Uint8Array, intermediateCACert?: Uint8Array) {
@@ -174,21 +182,21 @@ export class Fabric {
     }
 
     /**
-     * Returns the destination IDs for a given nodeId, random value and optional groupId.
-     * When groupId is provided, it returns the time-wise valid operational keys for that groupId.
+     * Returns the destination IDs for a given nodeId, random value and optional groupId. When groupId is provided, it
+     * returns the time-wise valid operational keys for that groupId.
      */
     async currentDestinationIdFor(nodeId: NodeId, random: Uint8Array) {
-        return await Crypto.hmac(this.groups.keySets.currentKeyForId(0).key, this.#generateSalt(nodeId, random));
+        return await Crypto.signHmac(this.groups.keySets.currentKeyForId(0).key, this.#generateSalt(nodeId, random));
     }
 
     /**
-     * Returns the destination IDs for a given nodeId, random value and optional groupId.
-     * When groupId is provided, it returns all operational keys for that groupId.
+     * Returns the destination IDs for a given nodeId, random value and optional groupId. When groupId is provided, it
+     * returns all operational keys for that groupId.
      */
     async destinationIdsFor(nodeId: NodeId, random: Uint8Array) {
         const salt = this.#generateSalt(nodeId, random);
         // Check all keys of keyset 0 - typically it is only the IPK
-        const destinationIds = this.groups.keySets.allKeysForId(0).map(({ key }) => Crypto.hmac(key, salt));
+        const destinationIds = this.groups.keySets.allKeysForId(0).map(({ key }) => Crypto.signHmac(key, salt));
         return await Promise.all(destinationIds);
     }
 
@@ -306,18 +314,19 @@ export class FabricBuilder {
             ellipticCurvePublicKey,
         } = TlvOperationalCertificate.decode(operationalCert);
         logger.debug(
-            `FabricBuilder setOperationalCert: nodeId=${nodeId}, fabricId=${fabricId}, caseAuthenticatedTags=${caseAuthenticatedTags}`,
+            "Installing operational certificate",
+            Diagnostic.dict({ nodeId, fabricId, caseAuthenticatedTags }),
         );
         if (caseAuthenticatedTags !== undefined) {
             CaseAuthenticatedTag.validateNocTagList(caseAuthenticatedTags);
         }
 
         if (!Bytes.areEqual(ellipticCurvePublicKey, this.#keyPair.publicKey)) {
-            throw new PublicKeyError("Operational Certificate does not match public key.");
+            throw new PublicKeyError("Operational certificate does not match public key");
         }
 
         if (this.#rootCert === undefined) {
-            throw new MatterFlowError("Root Certificate needs to be set first.");
+            throw new MatterFlowError("Root certificate needs to be set first");
         }
 
         const rootCert = TlvRootCertificate.decode(this.#rootCert);
@@ -401,7 +410,7 @@ export class FabricBuilder {
         this.#fabricIndex = fabricIndex;
         const saltWriter = new DataWriter();
         saltWriter.writeUInt64(this.#fabricId);
-        const operationalId = await Crypto.hkdf(
+        const operationalId = await Crypto.createHkdfKey(
             this.#rootPublicKey.slice(1),
             saltWriter.toByteArray(),
             COMPRESSED_FABRIC_ID_INFO,
@@ -419,7 +428,7 @@ export class FabricBuilder {
             rootVendorId: this.#rootVendorId,
             rootCert: this.#rootCert,
             identityProtectionKey: this.#identityProtectionKey, // Epoch Key
-            operationalIdentityProtectionKey: await Crypto.hkdf(
+            operationalIdentityProtectionKey: await Crypto.createHkdfKey(
                 this.#identityProtectionKey,
                 operationalId,
                 GROUP_SECURITY_INFO,

package/src/fabric/FabricAuthority.ts

@@ -66,6 +66,13 @@ export class FabricAuthority {
         this.#config = context.config;
     }
 
+    /**
+     * Access the certificate authority.
+     */
+    get ca() {
+        return this.#ca;
+    }
+
     /**
      * Obtain the default fabric for this authority.
      */

package/src/fabric/FabricManager.ts

@@ -160,6 +160,9 @@ export class FabricManager {
         this.#fabrics.set(fabricIndex, fabric);
         fabric.addRemoveCallback(async () => this.removeFabric(fabricIndex));
         fabric.persistCallback = (isUpdate = true) => {
+            if (!this.#storage) {
+                return;
+            }
             const persistResult = this.persistFabrics();
             return MaybePromise.then(persistResult, () => {
                 if (isUpdate) {
@@ -184,7 +187,9 @@ export class FabricManager {
                 `Fabric with index ${fabricIndex} cannot be removed because it does not exist.`,
             );
         this.#fabrics.delete(fabricIndex);
-        await this.persistFabrics();
+        if (this.#storage) {
+            await this.persistFabrics();
+        }
         await fabric.storage?.clearAll();
         this.#events.deleted.emit(fabric);
     }
@@ -253,7 +258,9 @@ export class FabricManager {
             );
         }
         this.#fabrics.set(fabricIndex, fabric);
-        await this.persistFabrics();
+        if (this.#storage) {
+            await this.persistFabrics();
+        }
         this.#events.updated.emit(fabric);
     }
 

package/src/fabric/TestFabric.ts

@@ -0,0 +1,73 @@
+/**
+ * @license
+ * Copyright 2022-2025 Project CHIP Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
+import { ImplementationError, nonentropic } from "#general";
+import { FabricIndex, VendorId } from "#types";
+import { FabricAuthority } from "./FabricAuthority.js";
+import { FabricManager } from "./FabricManager.js";
+
+/**
+ * WARNING: ONLY FOR USE IN PROTECTED TESTING ENVIRONMENTS WHERE SECURITY IS NOT A CONCERN
+ *
+ * Generate a fabric useful for testing purposes.
+ *
+ * The properties of the fabric, including crypto matter, are stable with regards to {@link index}.
+ */
+export async function TestFabric(options: TestFabric.Options = {}) {
+    const authority = await TestFabric.Authority(options);
+
+    return authority.createFabric();
+}
+
+export namespace TestFabric {
+    /**
+     * WARNING: ONLY FOR USE IN PROTECTED TESTING ENVIRONMENTS WHERE SECURITY IS NOT A CONCERN
+     *
+     * Obtain a test authority.
+     *
+     * Crypto matter is stable with respect to {@link index}.
+     */
+    export async function Authority({ index, fabrics }: Options = {}) {
+        if (index === undefined) {
+            if (fabrics) {
+                index = fabrics.allocateFabricIndex();
+            } else {
+                index = 1;
+            }
+        }
+
+        return forFabric(index, async () => {
+            const authority = new FabricAuthority({
+                ca: await CertificateAuthority.create(),
+                config: {
+                    adminFabricLabel: `mock-fabric-${index}`,
+                    adminVendorId: VendorId(0xfff1),
+                    fabricIndex: FabricIndex(index),
+                },
+                fabrics: fabrics ?? new FabricManager(),
+            });
+
+            const createFabric = authority.createFabric.bind(authority);
+            authority.createFabric = () => forFabric(index ?? 1, createFabric);
+
+            return authority;
+        });
+    }
+
+    export interface Options {
+        index?: number;
+        fabrics?: FabricManager;
+    }
+}
+
+async function forFabric<T>(index: number, actor: () => Promise<T>): Promise<T> {
+    if (index < 1 || index > 254) {
+        throw new ImplementationError("Test fabric indexes must be in the range 1-254");
+    }
+
+    return nonentropic(index, actor);
+}

package/src/fabric/index.ts

@@ -7,3 +7,4 @@
 export * from "./Fabric.js";
 export * from "./FabricAuthority.js";
 export * from "./FabricManager.js";
+export * from "./TestFabric.js";

package/src/groups/{FabricGroupsManager.ts → FabricGroups.ts}

@@ -15,7 +15,7 @@ export const GROUP_SECURITY_INFO = Bytes.fromString("GroupKey v1.0");
 /**
  * Class that contains an operational view on the Group Keys for a fabric
  */
-export class FabricGroupsManager {
+export class FabricGroups {
     #fabric: Fabric;
     #groups: Groups;
     #messagingState: MessagingState;
@@ -122,11 +122,11 @@ export class FabricGroupsManager {
 
         // Lets pre-calculate the operational keys
         const operationalId = this.#fabric.operationalId;
-        const operationalEpochKey0 = await Crypto.hkdf(epochKey0, operationalId, GROUP_SECURITY_INFO);
+        const operationalEpochKey0 = await Crypto.createHkdfKey(epochKey0, operationalId, GROUP_SECURITY_INFO);
         const operationalEpochKey1 =
-            epochKey1 !== null ? await Crypto.hkdf(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey1 !== null ? await Crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
         const operationalEpochKey2 =
-            epochKey2 !== null ? await Crypto.hkdf(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey2 !== null ? await Crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
         this.#keySets.add({
             ...groupKeySet,
             operationalEpochKey0,

package/src/groups/KeySets.ts

@@ -143,7 +143,7 @@ export class KeySets<T extends OperationalKeySet> extends BasicSet<T> {
     /** Calculates a group session id based on the operational group key. */
     async sessionIdFromKey(operationalGroupKey: Uint8Array) {
         // GroupKeyHash is an array of 2 bytes (16 bits) per Crypto_KDF
-        const groupKeyHash = await Crypto.hkdf(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
+        const groupKeyHash = await Crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
 
         // GroupSessionId is computed by considering the GroupKeyHash as a Big-Endian value. GroupSessionId is a scalar.
         // Its use in fields within messages may cause a re-serialization into a different byte order than the one used

package/src/groups/index.ts

@@ -4,5 +4,5 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-export * from "./FabricGroupsManager.js";
+export * from "./FabricGroups.js";
 export * from "./KeySets.js";

package/src/interaction/{AccessControlManager.ts → FabricAccessControl.ts}

@@ -5,7 +5,8 @@
  */
 import { Subject } from "#action/server/Subject.js";
 import { AccessControl } from "#clusters/access-control";
-import { MatterFlowError } from "#general";
+import { Fabric } from "#fabric/Fabric.js";
+import { InternalError, Logger, MatterFlowError } from "#general";
 import { AccessLevel } from "#model";
 import {
     CaseAuthenticatedTag,
@@ -20,6 +21,8 @@ import {
 } from "#types";
 import { AccessControl as AccessControlContext } from "../action/server/AccessControl.js";
 
+const logger = Logger.get("FabricAccessControlManager");
+
 export type AclEntry = Omit<AccessControl.AccessControlEntry, "privilege"> & {
     privilege: AccessLevel;
 };
@@ -59,10 +62,11 @@ export class AccessDeniedError extends StatusResponseError {
 }
 
 /**
- * Implements Access Control Logic as per Matter Specification @see {@link MatterSpecification.v12.Core} § 6.6.5.2.
+ * Implements Access Control Logic For one fabric as per Matter Specification @see {@link MatterSpecification.v12.Core} § 6.6.5.2.
  */
-export class AccessControlManager {
-    #aclList: AclList;
+export class FabricAccessControl {
+    #fabricIndex: FabricIndex;
+    #aclList: AclList = [];
     #extensionEntryAccessCheck: (
         aclList: AclList,
         aclEntry: AclEntry,
@@ -71,9 +75,36 @@ export class AccessControlManager {
         clusterId: ClusterId,
     ) => boolean = () => true;
 
-    constructor(
-        aclList: AccessControl.AccessControlEntry[] = [],
-        extensionEntryAccessCheck?: (
+    constructor(fabric?: Fabric) {
+        if (fabric === undefined) {
+            this.#fabricIndex = FabricIndex.NO_FABRIC;
+            // Add the implicit default PASE ACL entry for the fabric
+            this.#aclList.push(ImplicitDefaultPaseAclEntry);
+        } else {
+            this.#fabricIndex = fabric.fabricIndex;
+        }
+    }
+
+    set fabricIndex(fabricIndex: FabricIndex) {
+        if (this.#fabricIndex === undefined || this.#fabricIndex === FabricIndex.NO_FABRIC) {
+            this.#fabricIndex = fabricIndex;
+        }
+        throw new InternalError("Can not overwrite FabricIndex");
+    }
+
+    /**
+     * Public method used to update the Access Control List on changes.
+     */
+    set aclList(aclList: AccessControl.AccessControlEntry[]) {
+        if (aclList.some(({ fabricIndex }) => fabricIndex !== this.#fabricIndex)) {
+            throw new InternalError("ACL entries must match the fabric index of the manager");
+        }
+        this.#aclList = [...aclList] as unknown as AclList; // It is the same structure we just use an internal type for privilege
+        logger.info("ACL List updated for FabricIndex ", this.#fabricIndex, this.#aclList);
+    }
+
+    set extensionEntryAccessCheck(
+        func: (
             aclList: AclList,
             aclEntry: AclEntry,
             subjectDesc: IncomingSubjectDescriptor,
@@ -81,24 +112,31 @@ export class AccessControlManager {
             clusterId: ClusterId,
         ) => boolean,
     ) {
-        this.#aclList = aclList as unknown as AclList; // It is the same structure we just use an internal type for privilege
-        if (extensionEntryAccessCheck !== undefined) {
-            this.#extensionEntryAccessCheck = extensionEntryAccessCheck;
-        }
+        this.#extensionEntryAccessCheck = func;
     }
 
     /**
-     * Public method used to update the Access Control List on changes.
+     * Implements the access control check for the given context, location and endpoint and is called by the
+     * InteractionServer. The method returns the list of granted Access privileges for the given context, location and
+     * endpoint.
      */
-    updateAccessControlList(aclList: AccessControl.AccessControlEntry[] = []): void {
-        this.#aclList = [...aclList] as unknown as AclList; // It is the same structure we just use an internal type for privilege
-    }
+    accessLevelsFor(
+        context: AccessControlContext.Session,
+        location: AccessControlContext.Location,
+        endpoint?: AclEndpointContext,
+    ): AccessLevel[] {
+        if (location.cluster === undefined) {
+            // Without a cluster, internal behaviors are only accessible internally, so this is an irrelevant placeholder
+            logger.warn("Access control check without cluster, returning View access level");
+            return [AccessLevel.View];
+        }
+        if (endpoint === undefined) {
+            // Without an endpoint, we can't determine access levels, ???
+            logger.warn("Access control check without endpoint, returning View access level");
+            return [AccessLevel.View];
+        }
 
-    /**
-     * Get the Access Control List for a given fabric.
-     */
-    #getAccessControlEntriesForFabric(fabricIndex: FabricIndex): AclList {
-        return this.#aclList.filter(entry => entry.fabricIndex === fabricIndex);
+        return this.#getGrantedPrivileges(context, endpoint, location.cluster);
     }
 
     /**
@@ -152,15 +190,13 @@ export class AccessControlManager {
     /**
      * Determines the granted privileges for the given session, endpoint, and cluster ID and returns them.
      */
-    getGrantedPrivileges(
+    #getGrantedPrivileges(
         context: AccessControlContext.Session,
         endpoint: AclEndpointContext,
         clusterId: ClusterId,
     ): AccessLevel[] {
         const endpointId = endpoint.id;
-        const fabric = context.fabric;
         const subjectDesc = this.#getIsdFromMessage(context);
-        const acl = fabric ? this.#getAccessControlEntriesForFabric(fabric) : [ImplicitDefaultPaseAclEntry];
 
         // Granted privileges set is initially empty
         const grantedPrivileges = new Set<AccessLevel>();
@@ -170,7 +206,7 @@ export class AccessControlManager {
             this.#addGrantedPrivilege(grantedPrivileges, AccessLevel.Administer);
         }
 
-        for (const aclEntry of acl) {
+        for (const aclEntry of this.#aclList) {
             if (grantedPrivileges.has(AccessLevel.Administer)) {
                 // End checking if highest privilege is granted
                 break;
@@ -254,7 +290,7 @@ export class AccessControlManager {
             }
 
             // Extensions processing must not fail
-            if (!this.#extensionEntryAccessCheck(acl, aclEntry, subjectDesc, endpoint, clusterId)) {
+            if (!this.#extensionEntryAccessCheck(this.#aclList, aclEntry, subjectDesc, endpoint, clusterId)) {
                 continue;
             }
 

package/src/interaction/index.ts

@@ -4,10 +4,10 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-export * from "./AccessControlManager.js";
 export * from "./AttributeDataDecoder.js";
 export * from "./AttributeDataEncoder.js";
 export * from "./EventDataDecoder.js";
+export * from "./FabricAccessControl.js";
 export * from "./InteractionClient.js";
 export * from "./InteractionMessenger.js";
 export * from "./Subscription.js";

package/src/peer/ControllerCommissioningFlow.ts

@@ -1274,10 +1274,8 @@ export class ControllerCommissioningFlow {
                 // Assume concurrent connections are supported if not know (which should not be the case when we came here)
                 isConcurrentFlow,
             );
-        } catch (error) {
-            const commError = new OperativeConnectionFailedError("Operative reconnection with device failed");
-            commError.cause = error;
-            throw commError;
+        } catch (cause) {
+            throw new OperativeConnectionFailedError("Operative reconnection with device failed", { cause });
         }
 
         reArmFailsafeInterval.stop();

package/src/protocol/DeviceCommissioner.ts

@@ -153,7 +153,7 @@ export class DeviceCommissioner {
         this.#context.secureChannelProtocol.setPaseCommissioner(
             await PaseServer.fromPin(this.#context.sessions, this.#context.commissioningConfig.values.passcode, {
                 iterations: 1000,
-                salt: Crypto.get().getRandomData(32),
+                salt: Crypto.getRandomData(32),
             }),
         );