@matter/protocol 0.15.0-alpha.0-20250612-ddd428561 → 0.15.0-alpha.0-20250614-b9829e223

package/src/certificate/CertificateAuthority.ts

@@ -38,6 +38,7 @@ const logger = Logger.get("CertificateAuthority");
  * TODO: Add support for (optional) ICACs
  */
 export class CertificateAuthority {
+    #certs: CertificateManager;
     #rootCertId = BigInt(0);
     #rootKeyPair?: PrivateKey;
     #rootKeyIdentifier?: Uint8Array<ArrayBufferLike>;
@@ -45,21 +46,29 @@ export class CertificateAuthority {
     #nextCertificateId = BigInt(1);
     #construction: Construction<CertificateAuthority>;
 
+    get certs() {
+        return this.#certs;
+    }
+
     get construction() {
         return this.#construction;
     }
 
-    static async create(options?: StorageContext | CertificateAuthority.Configuration) {
-        return asyncNew(CertificateAuthority, options);
+    static async create(crypto: Crypto, options?: StorageContext | CertificateAuthority.Configuration) {
+        return asyncNew(CertificateAuthority, crypto, options);
     }
 
-    constructor(options?: StorageContext | CertificateAuthority.Configuration) {
+    constructor(crypto: Crypto, options?: StorageContext | CertificateAuthority.Configuration) {
+        this.#certs = new CertificateManager(crypto);
         this.#construction = Construction(this, async () => {
             // Use provided CA config or read from storage, otherwise initialize and store
             const certValues = options instanceof StorageContext ? await options.values() : (options ?? {});
 
-            this.#rootKeyPair = await Crypto.createKeyPair();
-            this.#rootKeyIdentifier = (await Crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(0, 20);
+            this.#rootKeyPair = await this.#certs.crypto.createKeyPair();
+            this.#rootKeyIdentifier = (await this.#certs.crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(
+                0,
+                20,
+            );
             this.#rootCertBytes = await this.#generateRootCert();
 
             if (
@@ -94,7 +103,7 @@ export class CertificateAuthority {
 
     static [Environmental.create](env: Environment) {
         const storage = env.get(StorageManager).createContext("certificates");
-        const instance = new CertificateAuthority(storage);
+        const instance = new CertificateAuthority(env.get(Crypto), storage);
         env.set(CertificateAuthority, instance);
         return instance;
     }
@@ -135,9 +144,9 @@ export class CertificateAuthority {
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
-        const signature = await Crypto.signEcdsa(
+        const signature = await this.#certs.crypto.signEcdsa(
             this.#initializedRootKeyPair,
-            CertificateManager.rootCertToAsn1(unsignedCertificate),
+            this.#certs.rootCertToAsn1(unsignedCertificate),
         );
         return TlvRootCertificate.encode({ ...unsignedCertificate, signature });
     }
@@ -166,14 +175,14 @@ export class CertificateAuthority {
                     digitalSignature: true,
                 },
                 extendedKeyUsage: [2, 1],
-                subjectKeyIdentifier: (await Crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: (await this.#certs.crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
 
-        const signature = await Crypto.signEcdsa(
+        const signature = await this.#certs.crypto.signEcdsa(
             this.#initializedRootKeyPair,
-            CertificateManager.nodeOperationalCertToAsn1(unsignedCertificate),
+            this.#certs.nodeOperationalCertToAsn1(unsignedCertificate),
         );
 
         return TlvOperationalCertificate.encode({ ...unsignedCertificate, signature });

package/src/certificate/CertificateManager.ts

@@ -578,52 +578,62 @@ function extensionsToAsn1(extensions: BaseCertificate["extensions"]) {
     return asn;
 }
 
-export namespace CertificateManager {
-    function assertCertificateDerSize(certBytes: Uint8Array) {
-        if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
-            throw new ImplementationError(
-                `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
-            );
-        }
+function genericBuildAsn1Structure({
+    serialNumber,
+    notBefore,
+    notAfter,
+    issuer,
+    subject,
+    ellipticCurvePublicKey,
+    extensions,
+}: Unsigned<BaseCertificate>) {
+    const {
+        basicConstraints: { isCa, pathLen },
+    } = extensions;
+    if (!isCa && pathLen !== undefined) {
+        throw new CertificateError("Path length must be undefined for non-CA certificates.");
     }
+    return {
+        version: ContextTagged(0, 2), // v3
+        serialNumber: DatatypeOverride(DerType.Integer, serialNumber),
+        signatureAlgorithm: X962.EcdsaWithSHA256,
+        issuer: subjectOrIssuerToAsn1(issuer),
+        validity: {
+            notBefore: matterToJsDate(notBefore),
+            notAfter: matterToJsDate(notAfter),
+        },
+        subject: subjectOrIssuerToAsn1(subject),
+        publicKey: X962.PublicKeyEcPrime256v1(ellipticCurvePublicKey),
+        extensions: ContextTagged(3, extensionsToAsn1(extensions)),
+    };
+}
 
-    function genericBuildAsn1Structure({
-        serialNumber,
-        notBefore,
-        notAfter,
-        issuer,
-        subject,
-        ellipticCurvePublicKey,
-        extensions,
-    }: Unsigned<BaseCertificate>) {
-        const {
-            basicConstraints: { isCa, pathLen },
-        } = extensions;
-        if (!isCa && pathLen !== undefined) {
-            throw new CertificateError("Path length must be undefined for non-CA certificates.");
-        }
-        return {
-            version: ContextTagged(0, 2), // v3
-            serialNumber: DatatypeOverride(DerType.Integer, serialNumber),
-            signatureAlgorithm: X962.EcdsaWithSHA256,
-            issuer: subjectOrIssuerToAsn1(issuer),
-            validity: {
-                notBefore: matterToJsDate(notBefore),
-                notAfter: matterToJsDate(notAfter),
-            },
-            subject: subjectOrIssuerToAsn1(subject),
-            publicKey: X962.PublicKeyEcPrime256v1(ellipticCurvePublicKey),
-            extensions: ContextTagged(3, extensionsToAsn1(extensions)),
-        };
+function genericCertToAsn1(cert: Unsigned<BaseCertificate>) {
+    const certBytes = DerCodec.encode(genericBuildAsn1Structure(cert));
+    assertCertificateDerSize(certBytes);
+    return certBytes;
+}
+
+function assertCertificateDerSize(certBytes: Uint8Array) {
+    if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
+        throw new ImplementationError(
+            `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
+        );
     }
+}
 
-    function genericCertToAsn1(cert: Unsigned<BaseCertificate>) {
-        const certBytes = DerCodec.encode(genericBuildAsn1Structure(cert));
-        assertCertificateDerSize(certBytes);
-        return certBytes;
+export class CertificateManager {
+    #crypto: Crypto;
+
+    constructor(crypto: Crypto) {
+        this.#crypto = crypto;
     }
 
-    export function rootCertToAsn1(cert: Unsigned<RootCertificate>) {
+    get crypto() {
+        return this.#crypto;
+    }
+
+    rootCertToAsn1(cert: Unsigned<RootCertificate>) {
         const {
             extensions: {
                 basicConstraints: { isCa },
@@ -635,7 +645,7 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export function intermediateCaCertToAsn1(cert: Unsigned<IntermediateCertificate>) {
+    intermediateCaCertToAsn1(cert: Unsigned<IntermediateCertificate>) {
         const {
             extensions: {
                 basicConstraints: { isCa },
@@ -647,7 +657,7 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export function nodeOperationalCertToAsn1(cert: Unsigned<OperationalCertificate>) {
+    nodeOperationalCertToAsn1(cert: Unsigned<OperationalCertificate>) {
         const {
             issuer: { icacId, rcacId },
             extensions: {
@@ -664,9 +674,9 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export async function deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
+    async deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
-        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
+        const signature = await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
@@ -676,12 +686,12 @@ export namespace CertificateManager {
         return certBytes;
     }
 
-    export async function productAttestationIntermediateCertToAsn1(
+    async productAttestationIntermediateCertToAsn1(
         cert: Unsigned<ProductAttestationIntermediateCertificate>,
         key: Key,
     ) {
         const certificate = genericBuildAsn1Structure(cert);
-        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
+        const signature = await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
@@ -691,21 +701,18 @@ export namespace CertificateManager {
         return certBytes;
     }
 
-    export async function productAttestationAuthorityCertToAsn1(
-        cert: Unsigned<ProductAttestationAuthorityCertificate>,
-        key: Key,
-    ) {
+    async productAttestationAuthorityCertToAsn1(cert: Unsigned<ProductAttestationAuthorityCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der")),
+            signature: DerBitString(await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
     }
 
-    export async function certificationDeclarationToAsn1(
+    async certificationDeclarationToAsn1(
         eContent: Uint8Array,
         subjectKeyIdentifier: Uint8Array,
         privateKey: JsonWebKey,
@@ -720,7 +727,7 @@ export namespace CertificateManager {
                     subjectKeyIdentifier: ContextTaggedBytes(0, subjectKeyIdentifier),
                     digestAlgorithm: SHA256_CMS,
                     signatureAlgorithm: X962.EcdsaWithSHA256,
-                    signature: await Crypto.signEcdsa(privateKey, eContent, "der"),
+                    signature: await this.#crypto.signEcdsa(privateKey, eContent, "der"),
                 },
             ],
         };
@@ -734,9 +741,7 @@ export namespace CertificateManager {
      * Validate general requirements a Matter certificate fields must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export function validateGeneralCertificateFields(
-        cert: RootCertificate | OperationalCertificate | IntermediateCertificate,
-    ) {
+    validateGeneralCertificateFields(cert: RootCertificate | OperationalCertificate | IntermediateCertificate) {
         if (cert.serialNumber.length > 20)
             throw new CertificateError(
                 `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`,
@@ -779,8 +784,8 @@ export namespace CertificateManager {
      * Verify requirements a Matter Root certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyRootCertificate(rootCert: RootCertificate) {
-        CertificateManager.validateGeneralCertificateFields(rootCert);
+    async verifyRootCertificate(rootCert: RootCertificate) {
+        this.validateGeneralCertificateFields(rootCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
         if ("nodeId" in rootCert.subject) {
@@ -863,9 +868,9 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(rootCert.ellipticCurvePublicKey),
-            rootCertToAsn1(rootCert),
+            this.rootCertToAsn1(rootCert),
             rootCert.signature,
         );
     }
@@ -874,12 +879,12 @@ export namespace CertificateManager {
      * Verify requirements a Matter Node Operational certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyNodeOperationalCertificate(
+    async verifyNodeOperationalCertificate(
         nocCert: OperationalCertificate,
         rootCert: RootCertificate,
         icaCert?: IntermediateCertificate,
     ) {
-        CertificateManager.validateGeneralCertificateFields(nocCert);
+        this.validateGeneralCertificateFields(nocCert);
 
         // The subject DN SHALL encode exactly one matter-node-id attribute.
         if (nocCert.subject.nodeId === undefined || Array.isArray(nocCert.subject.nodeId)) {
@@ -991,9 +996,9 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey((icaCert ?? rootCert).ellipticCurvePublicKey),
-            nodeOperationalCertToAsn1(nocCert),
+            this.nodeOperationalCertToAsn1(nocCert),
             nocCert.signature,
         );
     }
@@ -1002,8 +1007,8 @@ export namespace CertificateManager {
      * Verify requirements a Matter Intermediate CA certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
-        CertificateManager.validateGeneralCertificateFields(icaCert);
+    async verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
+        this.validateGeneralCertificateFields(icaCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
         if ("nodeId" in icaCert.subject) {
@@ -1109,14 +1114,14 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(rootCert.ellipticCurvePublicKey),
-            intermediateCaCertToAsn1(icaCert),
+            this.intermediateCaCertToAsn1(icaCert),
             icaCert.signature,
         );
     }
 
-    export async function createCertificateSigningRequest(key: Key) {
+    async createCertificateSigningRequest(key: Key) {
         const request = {
             version: 0,
             subject: { organization: X520.OrganisationName("CSR") },
@@ -1127,11 +1132,11 @@ export namespace CertificateManager {
         return DerCodec.encode({
             request,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(request), "der")),
+            signature: DerBitString(await this.#crypto.signEcdsa(key, DerCodec.encode(request), "der")),
         });
     }
 
-    export async function getPublicKeyFromCsr(csr: Uint8Array) {
+    async getPublicKeyFromCsr(csr: Uint8Array) {
         const { [DerKey.Elements]: rootElements } = DerCodec.decode(csr);
         if (rootElements?.length !== 3) throw new CertificateError("Invalid CSR data");
         const [requestNode, signAlgorithmNode, signatureNode] = rootElements;
@@ -1159,7 +1164,7 @@ export namespace CertificateManager {
             )
         )
             throw new CertificateError("Unsupported signature type");
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(publicKey),
             DerCodec.encode(requestNode),
             signatureNode[DerKey.Bytes],

package/src/certificate/CertificationDeclarationManager.ts

@@ -3,7 +3,7 @@
  * Copyright 2022-2025 Matter.js Authors
  * SPDX-License-Identifier: Apache-2.0
  */
-import { Bytes, PrivateKey } from "#general";
+import { Bytes, Crypto, PrivateKey } from "#general";
 import { VendorId } from "#types";
 import { CertificateManager, TlvCertificationDeclaration } from "./CertificateManager.js";
 
@@ -30,7 +30,7 @@ const TestCMS_SignerPrivateKey = Bytes.fromHex("AEF3484116E9481EC57BE0472DF41BF4
 const TestCMS_SignerSubjectKeyIdentifier = Bytes.fromHex("62FA823359ACFAA9963E1CFA140ADDF504F37160");
 
 export class CertificationDeclarationManager {
-    static generate(vendorId: VendorId, productId: number, provisional = false) {
+    static generate(crypto: Crypto, vendorId: VendorId, productId: number, provisional = false) {
         const certificationElements = TlvCertificationDeclaration.encode({
             formatVersion: 1,
             vendorId,
@@ -43,7 +43,7 @@ export class CertificationDeclarationManager {
             certificationType: provisional ? 1 : 0, // 0 = Test, 1 = Provisional/In certification, 2 = official
         });
 
-        return CertificateManager.certificationDeclarationToAsn1(
+        return new CertificateManager(crypto).certificationDeclarationToAsn1(
             certificationElements,
             TestCMS_SignerSubjectKeyIdentifier,
             PrivateKey(TestCMS_SignerPrivateKey),

package/src/certificate/DeviceCertification.ts

@@ -14,6 +14,7 @@ import { CertificationDeclarationManager } from "./CertificationDeclarationManag
  * Device certification used by the OperationalCredentials cluster.
  */
 export class DeviceCertification {
+    #crypto: Crypto;
     #privateKey?: PrivateKey;
     #certificate?: Uint8Array;
     #intermediateCertificate?: Uint8Array;
@@ -36,7 +37,8 @@ export class DeviceCertification {
         return this.#assertInitialized().declaration;
     }
 
-    constructor(config?: DeviceCertification.Definition, product?: ProductDescription) {
+    constructor(crypto: Crypto, config?: DeviceCertification.Definition, product?: ProductDescription) {
+        this.#crypto = crypto;
         let configProvider;
         if (typeof config === "function") {
             configProvider = config;
@@ -48,14 +50,18 @@ export class DeviceCertification {
                     throw new ImplementationError(`Cannot generate device certification without product information`);
                 }
 
-                const paa = await AttestationCertificateManager.create(product.vendorId);
+                const paa = await AttestationCertificateManager.create(crypto, product.vendorId);
                 const { keyPair: dacKeyPair, dac } = await paa.getDACert(product.productId);
 
                 return {
                     privateKey: PrivateKey(dacKeyPair.privateKey),
                     certificate: dac,
                     intermediateCertificate: await paa.getPAICert(),
-                    declaration: await CertificationDeclarationManager.generate(product.vendorId, product.productId),
+                    declaration: await CertificationDeclarationManager.generate(
+                        crypto,
+                        product.vendorId,
+                        product.productId,
+                    ),
                 };
             };
         }
@@ -73,7 +79,7 @@ export class DeviceCertification {
 
     async sign(session: NodeSession, data: Uint8Array) {
         const { privateKey } = this.#assertInitialized();
-        const signature = await Crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
+        const signature = await this.#crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
         return signature;
     }
 

package/src/common/FailsafeContext.ts

@@ -52,7 +52,7 @@ export abstract class FailsafeContext {
         this.#associatedFabric = options.associatedFabric;
 
         this.#construction = Construction(this, async () => {
-            this.#fabricBuilder = await FabricBuilder.create();
+            this.#fabricBuilder = await FabricBuilder.create(this.#fabrics.crypto);
             // Ensure derived class construction is complete
             await Promise.resolve();
 

package/src/events/OccurrenceManager.ts

@@ -49,7 +49,6 @@ export interface OccurrenceManagerContext {
  */
 export class OccurrenceManager {
     #store: EventStore;
-    #storedEventCount = 0;
     #bufferConfig: OccurrenceManager.BufferConfig;
     #cull?: Promise<void>;
     #iteratingValuesInProgress = false;
@@ -87,7 +86,6 @@ export class OccurrenceManager {
 
         this.#construction = Construction(this, () => {
             return MaybePromise.then(this.#store.load(), index => {
-                this.#storedEventCount = index.length;
                 // To be sure, sort the entries by number
                 index.sort(
                     // sort that way because Bigint & Number mix
@@ -108,7 +106,6 @@ export class OccurrenceManager {
     async clear() {
         await this.construction;
         await this.#store.clear();
-        this.#storedEventCount = 0;
         this.#occurrences.length = 0;
     }
 
@@ -282,8 +279,7 @@ export class OccurrenceManager {
         return MaybePromise.then(this.#store.add(occurrence), entry => {
             logger.debug(`Recorded event #${entry.number}: ${Diagnostic.json(occurrence)}`);
             this.#occurrences.push(entry);
-            this.#storedEventCount++;
-            if (this.#storedEventCount > this.#bufferConfig.maxEventAllowance) {
+            if (this.#occurrences.length > this.#bufferConfig.maxEventAllowance) {
                 this.#startCull();
             }
             const numberedOccurrence = {
@@ -295,6 +291,19 @@ export class OccurrenceManager {
         });
     }
 
+    remove(number: EventNumber) {
+        const index = this.#occurrences.findIndex(entry => entry.number === number);
+        if (index === -1) {
+            // Should not happen but just in case
+            return;
+        }
+        this.#occurrences.splice(index, 1);
+        if (this.#cull) {
+            return this.#cull.then(() => this.#store.delete(number));
+        }
+        return this.#store.delete(number);
+    }
+
     #startCull() {
         if (this.#cull || this.#iteratingValuesInProgress) {
             return;
@@ -306,7 +315,7 @@ export class OccurrenceManager {
     }
 
     #dropOldOccurrences() {
-        let toDelete = this.#storedEventCount - this.#bufferConfig.minEventAllowance;
+        let toDelete = this.#occurrences.length - this.#bufferConfig.minEventAllowance;
         if (toDelete <= 0) {
             return;
         }
@@ -357,7 +366,7 @@ export class OccurrenceManager {
         const occurrences = this.#occurrences as Array<OccurrenceSummary | undefined>;
         for (const priority of [EventPriority.Debug, EventPriority.Info, EventPriority.Critical]) {
             const checkUpTo =
-                priority === EventPriority.Critical ? this.#storedEventCount : prioData[priority].minPosition;
+                priority === EventPriority.Critical ? this.#occurrences.length : prioData[priority].minPosition;
             if (checkUpTo === -1) {
                 // We have less than the minimum of this event type, so we can not remove any
                 continue;
@@ -382,8 +391,6 @@ export class OccurrenceManager {
         }
         this.#occurrences = occurrences.filter(entry => entry) as OccurrenceSummary[];
 
-        this.#storedEventCount = this.#occurrences.length;
-
         if (asyncDrops.length) {
             return MatterAggregateError.allSettled(asyncDrops, "Error dropping occurrences")
                 .then(() => {})