npm - @matter/protocol - Versions diffs - 0.14.1-alpha.0-20250607-a93593303 → 0.15.0-alpha.0-20250613-a55f991d4 - Mend

@matter/protocol 0.14.1-alpha.0-20250607-a93593303 → 0.15.0-alpha.0-20250613-a55f991d4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/dist/cjs/certificate/AttestationCertificateManager.js +2 -2
package/dist/cjs/certificate/AttestationCertificateManager.js.map +1 -1
package/dist/cjs/certificate/CertificateAuthority.d.ts +2 -2
package/dist/cjs/certificate/CertificateAuthority.d.ts.map +1 -1
package/dist/cjs/certificate/CertificateAuthority.js +5 -5
package/dist/cjs/certificate/CertificateAuthority.js.map +1 -1
package/dist/cjs/certificate/CertificateManager.d.ts +1 -1
package/dist/cjs/certificate/CertificateManager.d.ts.map +1 -1
package/dist/cjs/certificate/CertificateManager.js +21 -10
package/dist/cjs/certificate/CertificateManager.js.map +1 -1
package/dist/cjs/certificate/CertificationDeclarationManager.d.ts +1 -1
package/dist/cjs/certificate/DeviceCertification.d.ts +1 -1
package/dist/cjs/certificate/DeviceCertification.d.ts.map +1 -1
package/dist/cjs/certificate/DeviceCertification.js +5 -3
package/dist/cjs/certificate/DeviceCertification.js.map +1 -1
package/dist/cjs/codec/BtpCodec.d.ts +1 -1
package/dist/cjs/codec/MessageCodec.d.ts +1 -1
package/dist/cjs/events/OccurrenceManager.d.ts +1 -0
package/dist/cjs/events/OccurrenceManager.d.ts.map +1 -1
package/dist/cjs/events/OccurrenceManager.js +14 -8
package/dist/cjs/events/OccurrenceManager.js.map +1 -1
package/dist/cjs/fabric/Fabric.d.ts +8 -6
package/dist/cjs/fabric/Fabric.d.ts.map +1 -1
package/dist/cjs/fabric/Fabric.js +22 -15
package/dist/cjs/fabric/Fabric.js.map +1 -1
package/dist/cjs/fabric/FabricAuthority.d.ts +4 -0
package/dist/cjs/fabric/FabricAuthority.d.ts.map +1 -1
package/dist/cjs/fabric/FabricAuthority.js +6 -0
package/dist/cjs/fabric/FabricAuthority.js.map +1 -1
package/dist/cjs/fabric/FabricManager.d.ts.map +1 -1
package/dist/cjs/fabric/FabricManager.js +9 -2
package/dist/cjs/fabric/FabricManager.js.map +1 -1
package/dist/cjs/fabric/TestFabric.d.ts +30 -0
package/dist/cjs/fabric/TestFabric.d.ts.map +1 -0
package/dist/cjs/fabric/TestFabric.js +70 -0
package/dist/cjs/fabric/TestFabric.js.map +6 -0
package/dist/cjs/fabric/index.d.ts +1 -0
package/dist/cjs/fabric/index.d.ts.map +1 -1
package/dist/cjs/fabric/index.js +1 -0
package/dist/cjs/fabric/index.js.map +1 -1
package/dist/cjs/groups/{FabricGroupsManager.d.ts → FabricGroups.d.ts} +2 -2
package/dist/cjs/groups/FabricGroups.d.ts.map +1 -0
package/dist/cjs/groups/{FabricGroupsManager.js → FabricGroups.js} +9 -9
package/dist/cjs/groups/FabricGroups.js.map +6 -0
package/dist/cjs/groups/KeySets.js +1 -1
package/dist/cjs/groups/KeySets.js.map +1 -1
package/dist/cjs/groups/index.d.ts +1 -1
package/dist/cjs/groups/index.d.ts.map +1 -1
package/dist/cjs/groups/index.js +1 -1
package/dist/cjs/groups/index.js.map +1 -1
package/dist/cjs/interaction/{AccessControlManager.d.ts → FabricAccessControl.d.ts} +12 -7
package/dist/cjs/interaction/FabricAccessControl.d.ts.map +1 -0
package/dist/cjs/interaction/{AccessControlManager.js → FabricAccessControl.js} +46 -21
package/dist/cjs/interaction/FabricAccessControl.js.map +6 -0
package/dist/cjs/interaction/index.d.ts +1 -1
package/dist/cjs/interaction/index.d.ts.map +1 -1
package/dist/cjs/interaction/index.js +1 -1
package/dist/cjs/interaction/index.js.map +1 -1
package/dist/cjs/mdns/MdnsScanner.d.ts +1 -1
package/dist/cjs/mdns/MdnsScanner.d.ts.map +1 -1
package/dist/cjs/mdns/MdnsScanner.js +2 -6
package/dist/cjs/mdns/MdnsScanner.js.map +1 -1
package/dist/cjs/peer/ControllerCommissioningFlow.d.ts.map +1 -1
package/dist/cjs/peer/ControllerCommissioningFlow.js +2 -4
package/dist/cjs/peer/ControllerCommissioningFlow.js.map +1 -1
package/dist/cjs/protocol/DeviceCommissioner.js +1 -1
package/dist/cjs/protocol/DeviceCommissioner.js.map +1 -1
package/dist/cjs/protocol/MessageExchange.d.ts +6 -0
package/dist/cjs/protocol/MessageExchange.d.ts.map +1 -1
package/dist/cjs/protocol/MessageExchange.js +13 -0
package/dist/cjs/protocol/MessageExchange.js.map +1 -1
package/dist/cjs/securechannel/SecureChannelStatusMessageSchema.d.ts +1 -1
package/dist/cjs/session/NodeSession.js +1 -1
package/dist/cjs/session/Session.d.ts +1 -1
package/dist/cjs/session/SessionManager.d.ts.map +1 -1
package/dist/cjs/session/SessionManager.js +1 -0
package/dist/cjs/session/SessionManager.js.map +1 -1
package/dist/cjs/session/case/CaseClient.d.ts.map +1 -1
package/dist/cjs/session/case/CaseClient.js +34 -30
package/dist/cjs/session/case/CaseClient.js.map +1 -1
package/dist/cjs/session/case/CaseMessages.d.ts +8 -8
package/dist/cjs/session/case/CaseMessages.js +8 -8
package/dist/cjs/session/case/CaseMessages.js.map +1 -1
package/dist/cjs/session/case/CaseServer.d.ts.map +1 -1
package/dist/cjs/session/case/CaseServer.js +26 -23
package/dist/cjs/session/case/CaseServer.js.map +1 -1
package/dist/cjs/session/pase/PaseClient.d.ts.map +1 -1
package/dist/cjs/session/pase/PaseClient.js +4 -1
package/dist/cjs/session/pase/PaseClient.js.map +1 -1
package/dist/cjs/session/pase/PaseServer.d.ts.map +1 -1
package/dist/cjs/session/pase/PaseServer.js +4 -1
package/dist/cjs/session/pase/PaseServer.js.map +1 -1
package/dist/esm/certificate/AttestationCertificateManager.js +2 -2
package/dist/esm/certificate/AttestationCertificateManager.js.map +1 -1
package/dist/esm/certificate/CertificateAuthority.d.ts +2 -2
package/dist/esm/certificate/CertificateAuthority.d.ts.map +1 -1
package/dist/esm/certificate/CertificateAuthority.js +5 -5
package/dist/esm/certificate/CertificateAuthority.js.map +1 -1
package/dist/esm/certificate/CertificateManager.d.ts +1 -1
package/dist/esm/certificate/CertificateManager.d.ts.map +1 -1
package/dist/esm/certificate/CertificateManager.js +22 -11
package/dist/esm/certificate/CertificateManager.js.map +1 -1
package/dist/esm/certificate/CertificationDeclarationManager.d.ts +1 -1
package/dist/esm/certificate/DeviceCertification.d.ts +1 -1
package/dist/esm/certificate/DeviceCertification.d.ts.map +1 -1
package/dist/esm/certificate/DeviceCertification.js +5 -3
package/dist/esm/certificate/DeviceCertification.js.map +1 -1
package/dist/esm/codec/BtpCodec.d.ts +1 -1
package/dist/esm/codec/MessageCodec.d.ts +1 -1
package/dist/esm/events/OccurrenceManager.d.ts +1 -0
package/dist/esm/events/OccurrenceManager.d.ts.map +1 -1
package/dist/esm/events/OccurrenceManager.js +14 -8
package/dist/esm/events/OccurrenceManager.js.map +1 -1
package/dist/esm/fabric/Fabric.d.ts +8 -6
package/dist/esm/fabric/Fabric.d.ts.map +1 -1
package/dist/esm/fabric/Fabric.js +22 -14
package/dist/esm/fabric/Fabric.js.map +1 -1
package/dist/esm/fabric/FabricAuthority.d.ts +4 -0
package/dist/esm/fabric/FabricAuthority.d.ts.map +1 -1
package/dist/esm/fabric/FabricAuthority.js +6 -0
package/dist/esm/fabric/FabricAuthority.js.map +1 -1
package/dist/esm/fabric/FabricManager.d.ts.map +1 -1
package/dist/esm/fabric/FabricManager.js +9 -2
package/dist/esm/fabric/FabricManager.js.map +1 -1
package/dist/esm/fabric/TestFabric.d.ts +30 -0
package/dist/esm/fabric/TestFabric.d.ts.map +1 -0
package/dist/esm/fabric/TestFabric.js +50 -0
package/dist/esm/fabric/TestFabric.js.map +6 -0
package/dist/esm/fabric/index.d.ts +1 -0
package/dist/esm/fabric/index.d.ts.map +1 -1
package/dist/esm/fabric/index.js +1 -0
package/dist/esm/fabric/index.js.map +1 -1
package/dist/esm/groups/{FabricGroupsManager.d.ts → FabricGroups.d.ts} +2 -2
package/dist/esm/groups/FabricGroups.d.ts.map +1 -0
package/dist/esm/groups/{FabricGroupsManager.js → FabricGroups.js} +6 -6
package/dist/esm/groups/FabricGroups.js.map +6 -0
package/dist/esm/groups/KeySets.js +1 -1
package/dist/esm/groups/KeySets.js.map +1 -1
package/dist/esm/groups/index.d.ts +1 -1
package/dist/esm/groups/index.d.ts.map +1 -1
package/dist/esm/groups/index.js +1 -1
package/dist/esm/interaction/{AccessControlManager.d.ts → FabricAccessControl.d.ts} +12 -7
package/dist/esm/interaction/FabricAccessControl.d.ts.map +1 -0
package/dist/esm/interaction/{AccessControlManager.js → FabricAccessControl.js} +44 -19
package/dist/esm/interaction/FabricAccessControl.js.map +6 -0
package/dist/esm/interaction/index.d.ts +1 -1
package/dist/esm/interaction/index.d.ts.map +1 -1
package/dist/esm/interaction/index.js +1 -1
package/dist/esm/mdns/MdnsScanner.d.ts +1 -1
package/dist/esm/mdns/MdnsScanner.d.ts.map +1 -1
package/dist/esm/mdns/MdnsScanner.js +2 -6
package/dist/esm/mdns/MdnsScanner.js.map +1 -1
package/dist/esm/peer/ControllerCommissioningFlow.d.ts.map +1 -1
package/dist/esm/peer/ControllerCommissioningFlow.js +2 -4
package/dist/esm/peer/ControllerCommissioningFlow.js.map +1 -1
package/dist/esm/protocol/DeviceCommissioner.js +1 -1
package/dist/esm/protocol/DeviceCommissioner.js.map +1 -1
package/dist/esm/protocol/MessageExchange.d.ts +6 -0
package/dist/esm/protocol/MessageExchange.d.ts.map +1 -1
package/dist/esm/protocol/MessageExchange.js +13 -0
package/dist/esm/protocol/MessageExchange.js.map +1 -1
package/dist/esm/securechannel/SecureChannelStatusMessageSchema.d.ts +1 -1
package/dist/esm/session/NodeSession.js +1 -1
package/dist/esm/session/Session.d.ts +1 -1
package/dist/esm/session/SessionManager.d.ts.map +1 -1
package/dist/esm/session/SessionManager.js +1 -0
package/dist/esm/session/SessionManager.js.map +1 -1
package/dist/esm/session/case/CaseClient.d.ts.map +1 -1
package/dist/esm/session/case/CaseClient.js +34 -30
package/dist/esm/session/case/CaseClient.js.map +1 -1
package/dist/esm/session/case/CaseMessages.d.ts +8 -8
package/dist/esm/session/case/CaseMessages.js +8 -8
package/dist/esm/session/case/CaseMessages.js.map +1 -1
package/dist/esm/session/case/CaseServer.d.ts.map +1 -1
package/dist/esm/session/case/CaseServer.js +26 -23
package/dist/esm/session/case/CaseServer.js.map +1 -1
package/dist/esm/session/pase/PaseClient.d.ts.map +1 -1
package/dist/esm/session/pase/PaseClient.js +4 -1
package/dist/esm/session/pase/PaseClient.js.map +1 -1
package/dist/esm/session/pase/PaseServer.d.ts.map +1 -1
package/dist/esm/session/pase/PaseServer.js +4 -1
package/dist/esm/session/pase/PaseServer.js.map +1 -1
package/package.json +6 -6
package/src/certificate/AttestationCertificateManager.ts +2 -2
package/src/certificate/CertificateAuthority.ts +7 -7
package/src/certificate/CertificateManager.ts +22 -11
package/src/certificate/DeviceCertification.ts +5 -3
package/src/events/OccurrenceManager.ts +16 -9
package/src/fabric/Fabric.ts +24 -15
package/src/fabric/FabricAuthority.ts +7 -0
package/src/fabric/FabricManager.ts +9 -2
package/src/fabric/TestFabric.ts +73 -0
package/src/fabric/index.ts +1 -0
package/src/groups/{FabricGroupsManager.ts → FabricGroups.ts} +4 -4
package/src/groups/KeySets.ts +1 -1
package/src/groups/index.ts +1 -1
package/src/interaction/{AccessControlManager.ts → FabricAccessControl.ts} +61 -25
package/src/interaction/index.ts +1 -1
package/src/mdns/MdnsScanner.ts +2 -6
package/src/peer/ControllerCommissioningFlow.ts +2 -4
package/src/protocol/DeviceCommissioner.ts +1 -1
package/src/protocol/MessageExchange.ts +14 -0
package/src/session/NodeSession.ts +1 -1
package/src/session/SessionManager.ts +1 -0
package/src/session/case/CaseClient.ts +34 -30
package/src/session/case/CaseMessages.ts +8 -8
package/src/session/case/CaseServer.ts +27 -23
package/src/session/pase/PaseClient.ts +4 -1
package/src/session/pase/PaseServer.ts +4 -1
package/dist/cjs/groups/FabricGroupsManager.d.ts.map +0 -1
package/dist/cjs/groups/FabricGroupsManager.js.map +0 -6
package/dist/cjs/interaction/AccessControlManager.d.ts.map +0 -1
package/dist/cjs/interaction/AccessControlManager.js.map +0 -6
package/dist/esm/groups/FabricGroupsManager.d.ts.map +0 -1
package/dist/esm/groups/FabricGroupsManager.js.map +0 -6
package/dist/esm/interaction/AccessControlManager.d.ts.map +0 -1
package/dist/esm/interaction/AccessControlManager.js.map +0 -6

package/src/fabric/FabricAuthority.ts CHANGED Viewed

@@ -66,6 +66,13 @@ export class FabricAuthority {
         this.#config = context.config;
     }
+    /**
+     * Access the certificate authority.
+     */
+    get ca() {
+        return this.#ca;
+    }
     /**
      * Obtain the default fabric for this authority.
      */

package/src/fabric/FabricManager.ts CHANGED Viewed

@@ -160,6 +160,9 @@ export class FabricManager {
         this.#fabrics.set(fabricIndex, fabric);
         fabric.addRemoveCallback(async () => this.removeFabric(fabricIndex));
         fabric.persistCallback = (isUpdate = true) => {
+            if (!this.#storage) {
+                return;
+            }
             const persistResult = this.persistFabrics();
             return MaybePromise.then(persistResult, () => {
                 if (isUpdate) {
@@ -184,7 +187,9 @@ export class FabricManager {
                 `Fabric with index ${fabricIndex} cannot be removed because it does not exist.`,
             );
         this.#fabrics.delete(fabricIndex);
-        await this.persistFabrics();
+        if (this.#storage) {
+            await this.persistFabrics();
+        }
         await fabric.storage?.clearAll();
         this.#events.deleted.emit(fabric);
     }
@@ -253,7 +258,9 @@ export class FabricManager {
             );
         }
         this.#fabrics.set(fabricIndex, fabric);
-        await this.persistFabrics();
+        if (this.#storage) {
+            await this.persistFabrics();
+        }
         this.#events.updated.emit(fabric);
     }

package/src/fabric/TestFabric.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * @license
+ * Copyright 2022-2025 Project CHIP Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
+import { ImplementationError, nonentropic } from "#general";
+import { FabricIndex, VendorId } from "#types";
+import { FabricAuthority } from "./FabricAuthority.js";
+import { FabricManager } from "./FabricManager.js";
+/**
+ * WARNING: ONLY FOR USE IN PROTECTED TESTING ENVIRONMENTS WHERE SECURITY IS NOT A CONCERN
+ *
+ * Generate a fabric useful for testing purposes.
+ *
+ * The properties of the fabric, including crypto matter, are stable with regards to {@link index}.
+ */
+export async function TestFabric(options: TestFabric.Options = {}) {
+    const authority = await TestFabric.Authority(options);
+    return authority.createFabric();
+}
+export namespace TestFabric {
+    /**
+     * WARNING: ONLY FOR USE IN PROTECTED TESTING ENVIRONMENTS WHERE SECURITY IS NOT A CONCERN
+     *
+     * Obtain a test authority.
+     *
+     * Crypto matter is stable with respect to {@link index}.
+     */
+    export async function Authority({ index, fabrics }: Options = {}) {
+        if (index === undefined) {
+            if (fabrics) {
+                index = fabrics.allocateFabricIndex();
+            } else {
+                index = 1;
+            }
+        }
+        return forFabric(index, async () => {
+            const authority = new FabricAuthority({
+                ca: await CertificateAuthority.create(),
+                config: {
+                    adminFabricLabel: `mock-fabric-${index}`,
+                    adminVendorId: VendorId(0xfff1),
+                    fabricIndex: FabricIndex(index),
+                },
+                fabrics: fabrics ?? new FabricManager(),
+            });
+            const createFabric = authority.createFabric.bind(authority);
+            authority.createFabric = () => forFabric(index ?? 1, createFabric);
+            return authority;
+        });
+    }
+    export interface Options {
+        index?: number;
+        fabrics?: FabricManager;
+    }
+}
+async function forFabric<T>(index: number, actor: () => Promise<T>): Promise<T> {
+    if (index < 1 || index > 254) {
+        throw new ImplementationError("Test fabric indexes must be in the range 1-254");
+    }
+    return nonentropic(index, actor);
+}

package/src/fabric/index.ts CHANGED Viewed

@@ -7,3 +7,4 @@
 export * from "./Fabric.js";
 export * from "./FabricAuthority.js";
 export * from "./FabricManager.js";
+export * from "./TestFabric.js";

package/src/groups/{FabricGroupsManager.ts → FabricGroups.ts} RENAMED Viewed

@@ -15,7 +15,7 @@ export const GROUP_SECURITY_INFO = Bytes.fromString("GroupKey v1.0");
 /**
  * Class that contains an operational view on the Group Keys for a fabric
  */
-export class FabricGroupsManager {
+export class FabricGroups {
     #fabric: Fabric;
     #groups: Groups;
     #messagingState: MessagingState;
@@ -122,11 +122,11 @@ export class FabricGroupsManager {
         // Lets pre-calculate the operational keys
         const operationalId = this.#fabric.operationalId;
-        const operationalEpochKey0 = await Crypto.hkdf(epochKey0, operationalId, GROUP_SECURITY_INFO);
+        const operationalEpochKey0 = await Crypto.createHkdfKey(epochKey0, operationalId, GROUP_SECURITY_INFO);
         const operationalEpochKey1 =
-            epochKey1 !== null ? await Crypto.hkdf(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey1 !== null ? await Crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
         const operationalEpochKey2 =
-            epochKey2 !== null ? await Crypto.hkdf(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey2 !== null ? await Crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
         this.#keySets.add({
             ...groupKeySet,
             operationalEpochKey0,

package/src/groups/KeySets.ts CHANGED Viewed

@@ -143,7 +143,7 @@ export class KeySets<T extends OperationalKeySet> extends BasicSet<T> {
     /** Calculates a group session id based on the operational group key. */
     async sessionIdFromKey(operationalGroupKey: Uint8Array) {
         // GroupKeyHash is an array of 2 bytes (16 bits) per Crypto_KDF
-        const groupKeyHash = await Crypto.hkdf(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
+        const groupKeyHash = await Crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
         // GroupSessionId is computed by considering the GroupKeyHash as a Big-Endian value. GroupSessionId is a scalar.
         // Its use in fields within messages may cause a re-serialization into a different byte order than the one used

package/src/groups/index.ts CHANGED Viewed

@@ -4,5 +4,5 @@
  * SPDX-License-Identifier: Apache-2.0
  */
-export * from "./FabricGroupsManager.js";
+export * from "./FabricGroups.js";
 export * from "./KeySets.js";

package/src/interaction/{AccessControlManager.ts → FabricAccessControl.ts} RENAMED Viewed

@@ -5,7 +5,8 @@
  */
 import { Subject } from "#action/server/Subject.js";
 import { AccessControl } from "#clusters/access-control";
-import { MatterFlowError } from "#general";
+import { Fabric } from "#fabric/Fabric.js";
+import { InternalError, Logger, MatterFlowError } from "#general";
 import { AccessLevel } from "#model";
 import {
     CaseAuthenticatedTag,
@@ -20,6 +21,8 @@ import {
 } from "#types";
 import { AccessControl as AccessControlContext } from "../action/server/AccessControl.js";
+const logger = Logger.get("FabricAccessControl");
 export type AclEntry = Omit<AccessControl.AccessControlEntry, "privilege"> & {
     privilege: AccessLevel;
 };
@@ -59,10 +62,11 @@ export class AccessDeniedError extends StatusResponseError {
 }
 /**
- * Implements Access Control Logic as per Matter Specification @see {@link MatterSpecification.v12.Core} § 6.6.5.2.
+ * Implements Access Control Logic For one fabric as per Matter Specification @see {@link MatterSpecification.v12.Core} § 6.6.5.2.
  */
-export class AccessControlManager {
-    #aclList: AclList;
+export class FabricAccessControl {
+    #fabricIndex: FabricIndex;
+    #aclList: AclList = [];
     #extensionEntryAccessCheck: (
         aclList: AclList,
         aclEntry: AclEntry,
@@ -71,9 +75,36 @@ export class AccessControlManager {
         clusterId: ClusterId,
     ) => boolean = () => true;
-    constructor(
-        aclList: AccessControl.AccessControlEntry[] = [],
-        extensionEntryAccessCheck?: (
+    constructor(fabric?: Fabric) {
+        if (fabric === undefined) {
+            this.#fabricIndex = FabricIndex.NO_FABRIC;
+            // Add the implicit default PASE ACL entry for the fabric
+            this.#aclList.push(ImplicitDefaultPaseAclEntry);
+        } else {
+            this.#fabricIndex = fabric.fabricIndex;
+        }
+    }
+    set fabricIndex(fabricIndex: FabricIndex) {
+        if (this.#fabricIndex === undefined || this.#fabricIndex === FabricIndex.NO_FABRIC) {
+            this.#fabricIndex = fabricIndex;
+        }
+        throw new InternalError("Can not overwrite FabricIndex");
+    }
+    /**
+     * Public method used to update the Access Control List on changes.
+     */
+    set aclList(aclList: AccessControl.AccessControlEntry[]) {
+        if (aclList.some(({ fabricIndex }) => fabricIndex !== this.#fabricIndex)) {
+            throw new InternalError("ACL entries must match the fabric index of the manager");
+        }
+        this.#aclList = [...aclList] as unknown as AclList; // It is the same structure we just use an internal type for privilege
+        logger.info("ACL List updated for FabricIndex ", this.#fabricIndex, this.#aclList);
+    }
+    set extensionEntryAccessCheck(
+        func: (
             aclList: AclList,
             aclEntry: AclEntry,
             subjectDesc: IncomingSubjectDescriptor,
@@ -81,24 +112,31 @@ export class AccessControlManager {
             clusterId: ClusterId,
         ) => boolean,
     ) {
-        this.#aclList = aclList as unknown as AclList; // It is the same structure we just use an internal type for privilege
-        if (extensionEntryAccessCheck !== undefined) {
-            this.#extensionEntryAccessCheck = extensionEntryAccessCheck;
-        }
+        this.#extensionEntryAccessCheck = func;
     }
     /**
-     * Public method used to update the Access Control List on changes.
+     * Implements the access control check for the given context, location and endpoint and is called by the
+     * InteractionServer. The method returns the list of granted Access privileges for the given context, location and
+     * endpoint.
      */
-    updateAccessControlList(aclList: AccessControl.AccessControlEntry[] = []): void {
-        this.#aclList = [...aclList] as unknown as AclList; // It is the same structure we just use an internal type for privilege
-    }
+    accessLevelsFor(
+        context: AccessControlContext.Session,
+        location: AccessControlContext.Location,
+        endpoint?: AclEndpointContext,
+    ): AccessLevel[] {
+        if (location.cluster === undefined) {
+            // Without a cluster, internal behaviors are only accessible internally, so this is an irrelevant placeholder
+            logger.warn("Access control check without cluster, returning View access level");
+            return [AccessLevel.View];
+        }
+        if (endpoint === undefined) {
+            // Without an endpoint, we can't determine access levels, ???
+            logger.warn("Access control check without endpoint, returning View access level");
+            return [AccessLevel.View];
+        }
-    /**
-     * Get the Access Control List for a given fabric.
-     */
-    #getAccessControlEntriesForFabric(fabricIndex: FabricIndex): AclList {
-        return this.#aclList.filter(entry => entry.fabricIndex === fabricIndex);
+        return this.#getGrantedPrivileges(context, endpoint, location.cluster);
     }
     /**
@@ -152,15 +190,13 @@ export class AccessControlManager {
     /**
      * Determines the granted privileges for the given session, endpoint, and cluster ID and returns them.
      */
-    getGrantedPrivileges(
+    #getGrantedPrivileges(
         context: AccessControlContext.Session,
         endpoint: AclEndpointContext,
         clusterId: ClusterId,
     ): AccessLevel[] {
         const endpointId = endpoint.id;
-        const fabric = context.fabric;
         const subjectDesc = this.#getIsdFromMessage(context);
-        const acl = fabric ? this.#getAccessControlEntriesForFabric(fabric) : [ImplicitDefaultPaseAclEntry];
         // Granted privileges set is initially empty
         const grantedPrivileges = new Set<AccessLevel>();
@@ -170,7 +206,7 @@ export class AccessControlManager {
             this.#addGrantedPrivilege(grantedPrivileges, AccessLevel.Administer);
         }
-        for (const aclEntry of acl) {
+        for (const aclEntry of this.#aclList) {
             if (grantedPrivileges.has(AccessLevel.Administer)) {
                 // End checking if highest privilege is granted
                 break;
@@ -254,7 +290,7 @@ export class AccessControlManager {
             }
             // Extensions processing must not fail
-            if (!this.#extensionEntryAccessCheck(acl, aclEntry, subjectDesc, endpoint, clusterId)) {
+            if (!this.#extensionEntryAccessCheck(this.#aclList, aclEntry, subjectDesc, endpoint, clusterId)) {
                 continue;
             }

package/src/interaction/index.ts CHANGED Viewed

@@ -4,10 +4,10 @@
  * SPDX-License-Identifier: Apache-2.0
  */
-export * from "./AccessControlManager.js";
 export * from "./AttributeDataDecoder.js";
 export * from "./AttributeDataEncoder.js";
 export * from "./EventDataDecoder.js";
+export * from "./FabricAccessControl.js";
 export * from "./InteractionClient.js";
 export * from "./InteractionMessenger.js";
 export * from "./Subscription.js";

package/src/mdns/MdnsScanner.ts CHANGED Viewed

@@ -120,9 +120,7 @@ export interface MdnsScannerTargetCriteria {
  * queries to discover various types of Matter device types and listens for announcements.
  */
 export class MdnsScanner implements Scanner {
-    get type() {
-        return ChannelType.UDP;
-    }
+    readonly type = ChannelType.UDP;
     static async create(network: Network, options?: { enableIpv4?: boolean; netInterface?: string }) {
         const { enableIpv4, netInterface } = options ?? {};
@@ -502,9 +500,7 @@ export class MdnsScanner implements Scanner {
         const { timer, resolver, resolveOnUpdatedRecords, commissionable } = waiter;
         if (isUpdatedRecord && !resolveOnUpdatedRecords) return;
         logger.debug(`Finishing waiter for query ${queryId}, resolving: ${resolvePromise}`);
-        if (timer !== undefined) {
-            timer.stop();
-        }
+        timer?.stop();
         if (resolvePromise) {
             resolver();
         }

package/src/peer/ControllerCommissioningFlow.ts CHANGED Viewed

@@ -1274,10 +1274,8 @@ export class ControllerCommissioningFlow {
                 // Assume concurrent connections are supported if not know (which should not be the case when we came here)
                 isConcurrentFlow,
             );
-        } catch (error) {
-            const commError = new OperativeConnectionFailedError("Operative reconnection with device failed");
-            commError.cause = error;
-            throw commError;
+        } catch (cause) {
+            throw new OperativeConnectionFailedError("Operative reconnection with device failed", { cause });
         }
         reArmFailsafeInterval.stop();

package/src/protocol/DeviceCommissioner.ts CHANGED Viewed

@@ -153,7 +153,7 @@ export class DeviceCommissioner {
         this.#context.secureChannelProtocol.setPaseCommissioner(
             await PaseServer.fromPin(this.#context.sessions, this.#context.commissioningConfig.values.passcode, {
                 iterations: 1000,
-                salt: Crypto.get().getRandomData(32),
+                salt: Crypto.getRandomData(32),
             }),
         );

package/src/protocol/MessageExchange.ts CHANGED Viewed

@@ -202,6 +202,7 @@ export class MessageExchange {
     readonly #exchangeId: number;
     readonly #protocolId: number;
     readonly #closed = AsyncObservable<[]>();
+    readonly #closing = AsyncObservable<[]>();
     readonly #useMRP: boolean;
     constructor(
@@ -252,10 +253,19 @@ export class MessageExchange {
         );
     }
+    /** Emits when the exchange is actually closed. This happens after all Retries and Communication are done. */
     get closed() {
         return this.#closed;
     }
+    /**
+     * Emit when the exchange is closing, but not yet closed. We only wait for acks and retries to happen, but the
+     * actual interaction logic is already done.
+     */
+    get closing() {
+        return this.#closing;
+    }
     get isClosing() {
         return this.#isClosing;
     }
@@ -705,6 +715,7 @@ export class MessageExchange {
             return this.#close();
         }
         this.#isClosing = true;
+        this.#closing.emit();
         if (this.#receivedMessageToAck !== undefined) {
             this.#receivedMessageAckTimer.stop();
@@ -742,6 +753,9 @@ export class MessageExchange {
     }
     async #close() {
+        if (!this.#isClosing) {
+            this.#closing.emit();
+        }
         this.#isClosing = true;
         this.#retransmissionTimer?.stop();
         this.#closeTimer?.stop();

package/src/session/NodeSession.ts CHANGED Viewed

@@ -72,7 +72,7 @@ export class NodeSession extends SecureSession {
             peerSessionParameters,
             caseAuthenticatedTags,
         } = args;
-        const keys = await Crypto.hkdf(
+        const keys = await Crypto.createHkdfKey(
             sharedSecret,
             salt,
             isResumption ? SESSION_RESUMPTION_KEYS_INFO : SESSION_KEYS_INFO,

package/src/session/SessionManager.ts CHANGED Viewed

@@ -699,6 +699,7 @@ export class SessionManager {
     compressIdRange(upperBound: number) {
         this.#idUpperBound = upperBound;
         this.#nextSessionId = Crypto.getRandomUInt32() % upperBound;
+        if (this.#nextSessionId === 0) this.#nextSessionId++;
     }
 }

package/src/session/case/CaseClient.ts CHANGED Viewed

@@ -52,8 +52,8 @@ export class CaseClient {
         // Generate pairing info
         const initiatorRandom = Crypto.getRandom();
         const initiatorSessionId = await this.#sessions.getNextAvailableSessionId(); // Initiator Session Id
-        const { operationalIdentityProtectionKey, operationalCert: nodeOpCert, intermediateCACert } = fabric;
-        const { publicKey: initiatorEcdhPublicKey, ecdh } = await Crypto.ecdhGeneratePublicKey();
+        const { operationalIdentityProtectionKey, operationalCert: localNoc, intermediateCACert: localIcac } = fabric;
+        const localKey = await Crypto.createKeyPair();
         // Send sigma1
         let sigma1Bytes;
@@ -61,7 +61,7 @@ export class CaseClient {
         let resumptionRecord = this.#sessions.findResumptionRecordByAddress(fabric.addressOf(peerNodeId));
         if (resumptionRecord !== undefined) {
             const { sharedSecret, resumptionId } = resumptionRecord;
-            const resumeKey = await Crypto.hkdf(
+            const resumeKey = await Crypto.createHkdfKey(
                 sharedSecret,
                 Bytes.concat(initiatorRandom, resumptionId),
                 KDFSR1_KEY_INFO,
@@ -70,7 +70,7 @@ export class CaseClient {
             sigma1Bytes = await messenger.sendSigma1({
                 initiatorSessionId,
                 destinationId: await fabric.currentDestinationIdFor(peerNodeId, initiatorRandom),
-                initiatorEcdhPublicKey,
+                initiatorEcdhPublicKey: localKey.publicBits,
                 initiatorRandom,
                 resumptionId,
                 initiatorResumeMic,
@@ -80,7 +80,7 @@ export class CaseClient {
             sigma1Bytes = await messenger.sendSigma1({
                 initiatorSessionId,
                 destinationId: await fabric.currentDestinationIdFor(peerNodeId, initiatorRandom),
-                initiatorEcdhPublicKey,
+                initiatorEcdhPublicKey: localKey.publicBits,
                 initiatorRandom,
                 initiatorSessionParams: this.#sessions.sessionParameters,
             });
@@ -106,7 +106,7 @@ export class CaseClient {
             };
             const resumeSalt = Bytes.concat(initiatorRandom, resumptionId);
-            const resumeKey = await Crypto.hkdf(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
+            const resumeKey = await Crypto.createHkdfKey(sharedSecret, resumeSalt, KDFSR2_KEY_INFO);
             Crypto.decrypt(resumeKey, resumeMic, RESUME2_MIC_NONCE);
             const secureSessionSalt = Bytes.concat(initiatorRandom, resumptionRecord.resumptionId);
@@ -134,7 +134,7 @@ export class CaseClient {
         } else {
             // Process sigma2
             const {
-                responderEcdhPublicKey: peerEcdhPublicKey,
+                responderEcdhPublicKey: peerKey,
                 encrypted: peerEncrypted,
                 responderRandom,
                 responderSessionId: peerSessionId,
@@ -145,33 +145,33 @@ export class CaseClient {
                 ...exchange.session.parameters,
                 ...(responderSessionParams ?? {}),
             };
-            const sharedSecret = await Crypto.ecdhGenerateSecret(peerEcdhPublicKey, ecdh);
+            const sharedSecret = await Crypto.generateDhSecret(localKey, PublicKey(peerKey));
             const sigma2Salt = Bytes.concat(
                 operationalIdentityProtectionKey,
                 responderRandom,
-                peerEcdhPublicKey,
-                await Crypto.hash(sigma1Bytes),
+                peerKey,
+                await Crypto.computeSha256(sigma1Bytes),
             );
-            const sigma2Key = await Crypto.hkdf(sharedSecret, sigma2Salt, KDFSR2_INFO);
+            const sigma2Key = await Crypto.createHkdfKey(sharedSecret, sigma2Salt, KDFSR2_INFO);
             const peerEncryptedData = Crypto.decrypt(sigma2Key, peerEncrypted, TBE_DATA2_NONCE);
             const {
-                nodeOpCert: peerNewOpCert,
-                intermediateCACert: peerIntermediateCACert,
+                responderNoc: peerNoc,
+                responderIcac: peerIcac,
                 signature: peerSignature,
                 resumptionId: peerResumptionId,
             } = TlvEncryptedDataSigma2.decode(peerEncryptedData);
             const peerSignatureData = TlvSignedData.encode({
-                nodeOpCert: peerNewOpCert,
-                intermediateCACert: peerIntermediateCACert,
-                ecdhPublicKey: peerEcdhPublicKey,
-                peerEcdhPublicKey: initiatorEcdhPublicKey,
+                responderNoc: peerNoc,
+                responderIcac: peerIcac,
+                responderPublicKey: peerKey,
+                initiatorPublicKey: localKey.publicBits,
             });
             const {
                 ellipticCurvePublicKey: peerPublicKey,
                 subject: { fabricId: peerFabricIdNOCert, nodeId: peerNodeIdNOCert },
-            } = TlvOperationalCertificate.decode(peerNewOpCert);
+            } = TlvOperationalCertificate.decode(peerNoc);
-            await Crypto.verify(PublicKey(peerPublicKey), peerSignatureData, peerSignature);
+            await Crypto.verifyEcdsa(PublicKey(peerPublicKey), peerSignatureData, peerSignature);
             if (peerNodeIdNOCert !== peerNodeId) {
                 throw new UnexpectedDataError(
@@ -183,10 +183,10 @@ export class CaseClient {
                     `The fabric ID in the peer certificate ${peerFabricIdNOCert} doesn't match the expected fabric ID ${fabric.fabricId}`,
                 );
             }
-            if (peerIntermediateCACert !== undefined) {
+            if (peerIcac !== undefined) {
                 const {
                     subject: { fabricId: peerFabricIdIcaCert },
-                } = TlvIntermediateCertificate.decode(peerIntermediateCACert);
+                } = TlvIntermediateCertificate.decode(peerIcac);
                 if (peerFabricIdIcaCert !== undefined && peerFabricIdIcaCert !== fabric.fabricId) {
                     throw new UnexpectedDataError(
@@ -194,22 +194,26 @@ export class CaseClient {
                     );
                 }
             }
-            await fabric.verifyCredentials(peerNewOpCert, peerIntermediateCACert);
+            await fabric.verifyCredentials(peerNoc, peerIcac);
             // Generate and send sigma3
             const sigma3Salt = Bytes.concat(
                 operationalIdentityProtectionKey,
-                await Crypto.hash([sigma1Bytes, sigma2Bytes]),
+                await Crypto.computeSha256([sigma1Bytes, sigma2Bytes]),
             );
-            const sigma3Key = await Crypto.hkdf(sharedSecret, sigma3Salt, KDFSR3_INFO);
+            const sigma3Key = await Crypto.createHkdfKey(sharedSecret, sigma3Salt, KDFSR3_INFO);
             const signatureData = TlvSignedData.encode({
-                nodeOpCert,
-                intermediateCACert,
-                ecdhPublicKey: initiatorEcdhPublicKey,
-                peerEcdhPublicKey,
+                responderNoc: localNoc,
+                responderIcac: localIcac,
+                responderPublicKey: localKey.publicBits,
+                initiatorPublicKey: peerKey,
             });
             const signature = await fabric.sign(signatureData);
-            const encryptedData = TlvEncryptedDataSigma3.encode({ nodeOpCert, intermediateCACert, signature });
+            const encryptedData = TlvEncryptedDataSigma3.encode({
+                responderNoc: localNoc,
+                responderIcac: localIcac,
+                signature,
+            });
             const encrypted = Crypto.encrypt(sigma3Key, encryptedData, TBE_DATA3_NONCE);
             const sigma3Bytes = await messenger.sendSigma3({ encrypted });
             await messenger.waitForSuccess("Sigma3-Success");
@@ -218,7 +222,7 @@ export class CaseClient {
             const { caseAuthenticatedTags } = resumptionRecord ?? {}; // Even if resumption does not work try to reuse the caseAuthenticatedTags
             const secureSessionSalt = Bytes.concat(
                 operationalIdentityProtectionKey,
-                await Crypto.hash([sigma1Bytes, sigma2Bytes, sigma3Bytes]),
+                await Crypto.computeSha256([sigma1Bytes, sigma2Bytes, sigma3Bytes]),
             );
             secureSession = await this.#sessions.createSecureSession({
                 sessionId: initiatorSessionId,

package/src/session/case/CaseMessages.ts CHANGED Viewed

@@ -59,23 +59,23 @@ export const TlvCaseSigma3 = TlvObject({
 /** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
 export const TlvSignedData = TlvObject({
-    nodeOpCert: TlvField(1, TlvByteString),
-    intermediateCACert: TlvOptionalField(2, TlvByteString),
-    ecdhPublicKey: TlvField(3, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
-    peerEcdhPublicKey: TlvField(4, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+    responderNoc: TlvField(1, TlvByteString),
+    responderIcac: TlvOptionalField(2, TlvByteString),
+    responderPublicKey: TlvField(3, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
+    initiatorPublicKey: TlvField(4, TlvByteString.bound({ length: CRYPTO_PUBLIC_KEY_SIZE_BYTES })),
 });
 /** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
 export const TlvEncryptedDataSigma2 = TlvObject({
-    nodeOpCert: TlvField(1, TlvByteString),
-    intermediateCACert: TlvOptionalField(2, TlvByteString),
+    responderNoc: TlvField(1, TlvByteString),
+    responderIcac: TlvOptionalField(2, TlvByteString),
     signature: TlvField(3, TlvByteString.bound({ length: CASE_SIGNATURE_LENGTH })),
     resumptionId: TlvField(4, TlvByteString.bound({ length: 16 })),
 });
 /** @see {@link MatterSpecification.v10.Core} § 4.13.2.3 */
 export const TlvEncryptedDataSigma3 = TlvObject({
-    nodeOpCert: TlvField(1, TlvByteString),
-    intermediateCACert: TlvOptionalField(2, TlvByteString),
+    responderNoc: TlvField(1, TlvByteString),
+    responderIcac: TlvOptionalField(2, TlvByteString),
     signature: TlvField(3, TlvByteString.bound({ length: CASE_SIGNATURE_LENGTH })),
 });