@matter/protocol 0.15.0-alpha.0-20250612-ddd428561 → 0.15.0-alpha.0-20250614-b9829e223

package/src/fabric/Fabric.ts

@@ -49,6 +49,7 @@ export type ExposedFabricInformation = {
 };
 
 export class Fabric {
+    readonly #certs: CertificateManager;
     readonly fabricIndex: FabricIndex;
     readonly fabricId: FabricId;
     readonly nodeId: NodeId;
@@ -63,14 +64,18 @@ export class Fabric {
     readonly operationalCert: Uint8Array;
     readonly #keyPair: Key;
     readonly #sessions = new Set<Session>();
-    readonly #groupManager: FabricGroups;
+    readonly #groups: FabricGroups;
     readonly #aclManager: FabricAccessControl;
     #label: string;
     #removeCallbacks = new Array<() => MaybePromise<void>>();
     #persistCallback: ((isUpdate?: boolean) => MaybePromise<void>) | undefined;
     #storage?: StorageContext;
 
-    constructor(config: Fabric.Config) {
+    constructor(certs: CertificateManager | Crypto, config: Fabric.Config) {
+        if (!(certs instanceof CertificateManager)) {
+            certs = new CertificateManager(certs);
+        }
+        this.#certs = certs;
         this.fabricIndex = config.fabricIndex;
         this.fabricId = config.fabricId;
         this.nodeId = config.nodeId;
@@ -86,7 +91,11 @@ export class Fabric {
         this.#label = config.label;
         this.#keyPair = PrivateKey(config.keyPair);
         this.#aclManager = new FabricAccessControl(this);
-        this.#groupManager = new FabricGroups(this);
+        this.#groups = new FabricGroups(this);
+    }
+
+    get crypto() {
+        return this.#certs.crypto;
     }
 
     get config(): Fabric.Config {
@@ -125,7 +134,7 @@ export class Fabric {
 
     set storage(storage: StorageContext) {
         this.#storage = storage;
-        this.#groupManager.storage = storage;
+        this.#groups.storage = storage;
     }
 
     get storage(): StorageContext | undefined {
@@ -133,7 +142,7 @@ export class Fabric {
     }
 
     get groups() {
-        return this.#groupManager;
+        return this.#groups;
     }
 
     get acl() {
@@ -145,7 +154,7 @@ export class Fabric {
     }
 
     sign(data: Uint8Array) {
-        return Crypto.signEcdsa(this.#keyPair, data);
+        return this.#certs.crypto.signEcdsa(this.#keyPair, data);
     }
 
     async verifyCredentials(operationalCert: Uint8Array, intermediateCACert?: Uint8Array) {
@@ -155,10 +164,10 @@ export class Fabric {
             intermediateCACert !== undefined ? TlvIntermediateCertificate.decode(intermediateCACert) : undefined;
         if (icaCert !== undefined) {
             // Validate ICACertificate against Root Certificate
-            await CertificateManager.verifyIntermediateCaCertificate(rootCert, icaCert);
+            await this.#certs.verifyIntermediateCaCertificate(rootCert, icaCert);
         }
         // Validate NOC Certificate against ICA Certificate
-        await CertificateManager.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
+        await this.#certs.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
     }
 
     matchesFabricIdAndRootPublicKey(fabricId: FabricId, rootPublicKey: Uint8Array) {
@@ -186,7 +195,10 @@ export class Fabric {
      * returns the time-wise valid operational keys for that groupId.
      */
     async currentDestinationIdFor(nodeId: NodeId, random: Uint8Array) {
-        return await Crypto.signHmac(this.groups.keySets.currentKeyForId(0).key, this.#generateSalt(nodeId, random));
+        return await this.#certs.crypto.signHmac(
+            this.groups.keySets.currentKeyForId(0).key,
+            this.#generateSalt(nodeId, random),
+        );
     }
 
     /**
@@ -196,7 +208,9 @@ export class Fabric {
     async destinationIdsFor(nodeId: NodeId, random: Uint8Array) {
         const salt = this.#generateSalt(nodeId, random);
         // Check all keys of keyset 0 - typically it is only the IPK
-        const destinationIds = this.groups.keySets.allKeysForId(0).map(({ key }) => Crypto.signHmac(key, salt));
+        const destinationIds = this.groups.keySets
+            .allKeysForId(0)
+            .map(({ key }) => this.#certs.crypto.signHmac(key, salt));
         return await Promise.all(destinationIds);
     }
 
@@ -260,6 +274,7 @@ export class Fabric {
 }
 
 export class FabricBuilder {
+    #certs: CertificateManager;
     #keyPair: PrivateKey;
     #rootVendorId?: VendorId;
     #rootCert?: Uint8Array;
@@ -273,12 +288,13 @@ export class FabricBuilder {
     #fabricIndex?: FabricIndex;
     #label = "";
 
-    constructor(key: PrivateKey) {
+    constructor(crypto: Crypto, key: PrivateKey) {
+        this.#certs = new CertificateManager(crypto);
         this.#keyPair = key;
     }
 
-    static async create() {
-        return new FabricBuilder(await Crypto.createKeyPair());
+    static async create(crypto: Crypto) {
+        return new FabricBuilder(crypto, await crypto.createKeyPair());
     }
 
     get publicKey() {
@@ -290,12 +306,12 @@ export class FabricBuilder {
     }
 
     createCertificateSigningRequest() {
-        return CertificateManager.createCertificateSigningRequest(this.#keyPair);
+        return this.#certs.createCertificateSigningRequest(this.#keyPair);
     }
 
     async setRootCert(rootCert: Uint8Array) {
         const decodedRootCertificate = TlvRootCertificate.decode(rootCert);
-        await CertificateManager.verifyRootCertificate(decodedRootCertificate);
+        await this.#certs.verifyRootCertificate(decodedRootCertificate);
         this.#rootCert = rootCert;
         this.#rootPublicKey = decodedRootCertificate.ellipticCurvePublicKey;
         return this;
@@ -334,9 +350,9 @@ export class FabricBuilder {
         const icaCert =
             intermediateCACert !== undefined ? TlvIntermediateCertificate.decode(intermediateCACert) : undefined;
         if (icaCert !== undefined) {
-            await CertificateManager.verifyIntermediateCaCertificate(rootCert, icaCert);
+            await this.#certs.verifyIntermediateCaCertificate(rootCert, icaCert);
         }
-        await CertificateManager.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
+        await this.#certs.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
 
         this.#operationalCert = operationalCert;
         this.#intermediateCACert = intermediateCACert;
@@ -410,14 +426,14 @@ export class FabricBuilder {
         this.#fabricIndex = fabricIndex;
         const saltWriter = new DataWriter();
         saltWriter.writeUInt64(this.#fabricId);
-        const operationalId = await Crypto.createHkdfKey(
+        const operationalId = await this.#certs.crypto.createHkdfKey(
             this.#rootPublicKey.slice(1),
             saltWriter.toByteArray(),
             COMPRESSED_FABRIC_ID_INFO,
             8,
         );
 
-        return new Fabric({
+        return new Fabric(this.#certs, {
             fabricIndex: this.#fabricIndex,
             fabricId: this.#fabricId,
             nodeId: this.#nodeId,
@@ -428,7 +444,7 @@ export class FabricBuilder {
             rootVendorId: this.#rootVendorId,
             rootCert: this.#rootCert,
             identityProtectionKey: this.#identityProtectionKey, // Epoch Key
-            operationalIdentityProtectionKey: await Crypto.createHkdfKey(
+            operationalIdentityProtectionKey: await this.#certs.crypto.createHkdfKey(
                 this.#identityProtectionKey,
                 operationalId,
                 GROUP_SECURITY_INFO,

package/src/fabric/FabricAuthority.ts

@@ -5,15 +5,7 @@
  */
 
 import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
-import {
-    Bytes,
-    Crypto,
-    CRYPTO_SYMMETRIC_KEY_LENGTH,
-    Environment,
-    Environmental,
-    ImplementationError,
-    Logger,
-} from "#general";
+import { Bytes, CRYPTO_SYMMETRIC_KEY_LENGTH, Environment, Environmental, ImplementationError, Logger } from "#general";
 import { CaseAuthenticatedTag, FabricId, FabricIndex, NodeId, VendorId } from "#types";
 import { Fabric, FabricBuilder } from "./Fabric.js";
 import { FabricManager } from "./FabricManager.js";
@@ -60,10 +52,10 @@ export class FabricAuthority {
     #fabrics: FabricManager;
     #config: FabricAuthorityConfiguration;
 
-    constructor(context: FabricAuthorityContext) {
-        this.#ca = context.ca;
-        this.#fabrics = context.fabrics;
-        this.#config = context.config;
+    constructor({ ca, fabrics, config }: FabricAuthorityContext) {
+        this.#ca = ca;
+        this.#fabrics = fabrics;
+        this.#config = config;
     }
 
     /**
@@ -108,8 +100,8 @@ export class FabricAuthority {
      * Create a new fabric under our control.
      */
     async createFabric() {
-        const rootNodeId = NodeId.randomOperationalNodeId();
-        const ipkValue = Crypto.getRandomData(CRYPTO_SYMMETRIC_KEY_LENGTH);
+        const rootNodeId = NodeId.randomOperationalNodeId(this.#fabrics.crypto);
+        const ipkValue = this.#fabrics.crypto.randomBytes(CRYPTO_SYMMETRIC_KEY_LENGTH);
 
         let vendorId = this.#config.adminVendorId;
         if (vendorId === undefined) {
@@ -117,7 +109,7 @@ export class FabricAuthority {
             logger.warn(`Using test vendor ID 0x${vendorId.toString(16)} for controller fabric`);
         }
 
-        const fabricBuilder = await FabricBuilder.create();
+        const fabricBuilder = await FabricBuilder.create(this.#fabrics.crypto);
         await fabricBuilder.setRootCert(this.#ca.rootCert);
         fabricBuilder
             .setRootNodeId(rootNodeId)

package/src/fabric/FabricManager.ts

@@ -7,6 +7,7 @@
 import {
     Bytes,
     Construction,
+    Crypto,
     Environment,
     Environmental,
     ImplementationError,
@@ -33,6 +34,7 @@ export enum FabricAction {
 }
 
 export class FabricManager {
+    #crypto: Crypto;
     #nextFabricIndex = 1;
     readonly #fabrics = new Map<FabricIndex, Fabric>();
     #initializationDone = false;
@@ -45,7 +47,8 @@ export class FabricManager {
     };
     #construction: Construction<FabricManager>;
 
-    constructor(storage?: StorageContext) {
+    constructor(crypto: Crypto, storage?: StorageContext) {
+        this.#crypto = crypto;
         this.#storage = storage;
 
         let construct;
@@ -60,7 +63,7 @@ export class FabricManager {
 
                 const fabrics = await this.#storage.get<Fabric.Config[]>("fabrics", []);
                 for (const fabricConfig of fabrics) {
-                    this.#addFabric(new Fabric(fabricConfig));
+                    this.#addFabric(new Fabric(crypto, fabricConfig));
                 }
 
                 this.#nextFabricIndex = await this.#storage.get("nextFabricIndex", this.#nextFabricIndex);
@@ -72,6 +75,10 @@ export class FabricManager {
         this.#construction = Construction(this, construct);
     }
 
+    get crypto() {
+        return this.#crypto;
+    }
+
     get construction() {
         return this.#construction;
     }
@@ -81,7 +88,7 @@ export class FabricManager {
     }
 
     static [Environmental.create](env: Environment) {
-        const instance = new FabricManager(env.get(StorageManager).createContext("fabrics"));
+        const instance = new FabricManager(env.get(Crypto), env.get(StorageManager).createContext("fabrics"));
         env.set(FabricManager, instance);
         return instance;
     }

package/src/fabric/TestFabric.ts

@@ -5,7 +5,7 @@
  */
 
 import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
-import { ImplementationError, nonentropic } from "#general";
+import { ImplementationError, MockCrypto } from "#general";
 import { FabricIndex, VendorId } from "#types";
 import { FabricAuthority } from "./FabricAuthority.js";
 import { FabricManager } from "./FabricManager.js";
@@ -40,22 +40,25 @@ export namespace TestFabric {
             }
         }
 
-        return forFabric(index, async () => {
-            const authority = new FabricAuthority({
-                ca: await CertificateAuthority.create(),
-                config: {
-                    adminFabricLabel: `mock-fabric-${index}`,
-                    adminVendorId: VendorId(0xfff1),
-                    fabricIndex: FabricIndex(index),
-                },
-                fabrics: fabrics ?? new FabricManager(),
-            });
+        if (index < 1 || index > 254) {
+            throw new ImplementationError("Test fabric indexes must be in the range 1-254");
+        }
 
-            const createFabric = authority.createFabric.bind(authority);
-            authority.createFabric = () => forFabric(index ?? 1, createFabric);
+        if (!fabrics) {
+            fabrics = new FabricManager(MockCrypto(index));
+        }
 
-            return authority;
+        const authority = new FabricAuthority({
+            ca: await CertificateAuthority.create(fabrics.crypto),
+            config: {
+                adminFabricLabel: `mock-fabric-${index}`,
+                adminVendorId: VendorId(0xfff1),
+                fabricIndex: FabricIndex(index),
+            },
+            fabrics,
         });
+
+        return authority;
     }
 
     export interface Options {
@@ -63,11 +66,3 @@ export namespace TestFabric {
         fabrics?: FabricManager;
     }
 }
-
-async function forFabric<T>(index: number, actor: () => Promise<T>): Promise<T> {
-    if (index < 1 || index > 254) {
-        throw new ImplementationError("Test fabric indexes must be in the range 1-254");
-    }
-
-    return nonentropic(index, actor);
-}

package/src/groups/FabricGroups.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import { Fabric } from "#fabric/Fabric.js";
-import { BasicMap, Bytes, Crypto, InternalError, MatterFlowError, StorageContext } from "#general";
+import { BasicMap, Bytes, InternalError, MatterFlowError, StorageContext } from "#general";
 import { GroupKeySet, KeySets, OperationalKeySet } from "#groups/KeySets.js";
 import { MessagingState } from "#groups/MessagingState.js";
 import { GroupId } from "#types";
@@ -26,7 +26,7 @@ export class FabricGroups {
     constructor(fabric: Fabric, storage?: StorageContext) {
         this.#fabric = fabric;
         this.#groups = new Groups(fabric, this.#keySets);
-        this.#messagingState = new MessagingState(storage);
+        this.#messagingState = new MessagingState(fabric.crypto, storage);
 
         // KeySet with ID 0 is always the Fabric IPK, so we initialize from there because this is not stored
         // in Key Management Cluster
@@ -122,21 +122,33 @@ export class FabricGroups {
 
         // Lets pre-calculate the operational keys
         const operationalId = this.#fabric.operationalId;
-        const operationalEpochKey0 = await Crypto.createHkdfKey(epochKey0, operationalId, GROUP_SECURITY_INFO);
+        const operationalEpochKey0 = await this.#fabric.crypto.createHkdfKey(
+            epochKey0,
+            operationalId,
+            GROUP_SECURITY_INFO,
+        );
         const operationalEpochKey1 =
-            epochKey1 !== null ? await Crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey1 !== null
+                ? await this.#fabric.crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO)
+                : null;
         const operationalEpochKey2 =
-            epochKey2 !== null ? await Crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey2 !== null
+                ? await this.#fabric.crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO)
+                : null;
         this.#keySets.add({
             ...groupKeySet,
             operationalEpochKey0,
-            groupSessionId0: await this.#keySets.sessionIdFromKey(operationalEpochKey0),
+            groupSessionId0: await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey0),
             operationalEpochKey1,
             groupSessionId1:
-                operationalEpochKey1 !== null ? await this.#keySets.sessionIdFromKey(operationalEpochKey1) : null,
+                operationalEpochKey1 !== null
+                    ? await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey1)
+                    : null,
             operationalEpochKey2,
             groupSessionId2:
-                operationalEpochKey2 !== null ? await this.#keySets.sessionIdFromKey(operationalEpochKey2) : null,
+                operationalEpochKey2 !== null
+                    ? await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey2)
+                    : null,
         });
     }
 

package/src/groups/KeySets.ts

@@ -141,9 +141,9 @@ export class KeySets<T extends OperationalKeySet> extends BasicSet<T> {
     }
 
     /** Calculates a group session id based on the operational group key. */
-    async sessionIdFromKey(operationalGroupKey: Uint8Array) {
+    async sessionIdFromKey(crypto: Crypto, operationalGroupKey: Uint8Array) {
         // GroupKeyHash is an array of 2 bytes (16 bits) per Crypto_KDF
-        const groupKeyHash = await Crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
+        const groupKeyHash = await crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
 
         // GroupSessionId is computed by considering the GroupKeyHash as a Big-Endian value. GroupSessionId is a scalar.
         // Its use in fields within messages may cause a re-serialization into a different byte order than the one used

package/src/groups/MessagingState.ts

@@ -3,7 +3,7 @@
  * Copyright 2022-2025 Matter.js Authors
  * SPDX-License-Identifier: Apache-2.0
  */
-import { Bytes, ImplementationError, InternalError, StorageContext } from "#general";
+import { Bytes, Crypto, ImplementationError, InternalError, StorageContext } from "#general";
 import { PersistedMessageCounter } from "#protocol/MessageCounter.js";
 import { MessageReceptionStateEncryptedWithRollover } from "#protocol/MessageReceptionState.js";
 import { NodeId } from "#types";
@@ -19,9 +19,12 @@ export class MessagingState {
 
     /** Message reception state for data messages per Operational key and source node. */
     readonly #messageDataReceptionState = new Map<string, Map<NodeId, MessageReceptionStateEncryptedWithRollover>>();
+
+    #crypto: Crypto;
     #storage?: StorageContext;
 
-    constructor(storage?: StorageContext) {
+    constructor(crypto: Crypto, storage?: StorageContext) {
+        this.#crypto = crypto;
         if (storage !== undefined) {
             this.#storage = storage;
         }
@@ -44,7 +47,7 @@ export class MessagingState {
         const operationalKeyHex = Bytes.toHex(operationalKey);
         let counter = this.#groupDataCounters.get(operationalKeyHex);
         if (counter === undefined) {
-            counter = new PersistedMessageCounter(this.#storage, `${operationalKeyHex}-data`);
+            counter = new PersistedMessageCounter(this.#crypto, this.#storage, `${operationalKeyHex}-data`);
             this.#groupDataCounters.set(operationalKeyHex, counter);
         }
         return counter;

package/src/interaction/FabricAccessControl.ts

@@ -21,7 +21,7 @@ import {
 } from "#types";
 import { AccessControl as AccessControlContext } from "../action/server/AccessControl.js";
 
-const logger = Logger.get("FabricAccessControlManager");
+const logger = Logger.get("FabricAccessControl");
 
 export type AclEntry = Omit<AccessControl.AccessControlEntry, "privilege"> & {
     privilege: AccessLevel;

package/src/mdns/MdnsBroadcaster.ts

@@ -68,21 +68,28 @@ const DEFAULT_PAIRING_HINT = {
 export class MdnsBroadcaster {
     readonly #activeCommissioningAnnouncements = new Set<number>();
     readonly #activeOperationalAnnouncements = new Map<number, { fabricIndex: FabricIndex; forInstance: string }[]>();
+    readonly #crypto: Crypto;
     readonly #network: Network;
     readonly #mdnsServer: MdnsServer;
     readonly #enableIpv4?: boolean;
     readonly #instances = new BasicSet<MdnsInstanceBroadcaster>();
 
-    static async create(network: Network, options?: { enableIpv4?: boolean; multicastInterface?: string }) {
+    static async create(
+        crypto: Crypto,
+        network: Network,
+        options?: { enableIpv4?: boolean; multicastInterface?: string },
+    ) {
         const { enableIpv4, multicastInterface } = options ?? {};
         return new MdnsBroadcaster(
+            crypto,
             network,
             await MdnsServer.create(network, { enableIpv4, netInterface: multicastInterface }),
             enableIpv4,
         );
     }
 
-    constructor(network: Network, mdnsServer: MdnsServer, enableIpv4?: boolean) {
+    constructor(crypto: Crypto, network: Network, mdnsServer: MdnsServer, enableIpv4?: boolean) {
+        this.#crypto = crypto;
         this.#network = network;
         this.#mdnsServer = mdnsServer;
         this.#enableIpv4 = enableIpv4;
@@ -182,7 +189,7 @@ export class MdnsBroadcaster {
         this.#activeCommissioningAnnouncements.add(announcedNetPort);
 
         const shortDiscriminator = (discriminator >> 8) & 0x0f;
-        const instanceId = Bytes.toHex(Crypto.getRandomData(8)).toUpperCase();
+        const instanceId = Bytes.toHex(this.#crypto.randomBytes(8)).toUpperCase();
         const vendorQname = getVendorQname(vendorId);
         const deviceTypeQname = getDeviceTypeQname(deviceType);
         const shortDiscriminatorQname = getShortDiscriminatorQname(shortDiscriminator);
@@ -360,7 +367,7 @@ export class MdnsBroadcaster {
             }),
         );
 
-        const instanceId = Bytes.toHex(Crypto.getRandomData(8)).toUpperCase();
+        const instanceId = Bytes.toHex(this.#crypto.randomBytes(8)).toUpperCase();
         const deviceTypeQname = `_T${deviceType}._sub.${MATTER_COMMISSIONER_SERVICE_QNAME}`;
         const vendorQname = `_V${vendorId}._sub.${MATTER_COMMISSIONER_SERVICE_QNAME}`;
         const deviceQname = `${instanceId}.${MATTER_COMMISSIONER_SERVICE_QNAME}`;

package/src/mdns/MdnsScanner.ts

@@ -120,9 +120,7 @@ export interface MdnsScannerTargetCriteria {
  * queries to discover various types of Matter device types and listens for announcements.
  */
 export class MdnsScanner implements Scanner {
-    get type() {
-        return ChannelType.UDP;
-    }
+    readonly type = ChannelType.UDP;
 
     static async create(network: Network, options?: { enableIpv4?: boolean; netInterface?: string }) {
         const { enableIpv4, netInterface } = options ?? {};
@@ -502,9 +500,7 @@ export class MdnsScanner implements Scanner {
         const { timer, resolver, resolveOnUpdatedRecords, commissionable } = waiter;
         if (isUpdatedRecord && !resolveOnUpdatedRecords) return;
         logger.debug(`Finishing waiter for query ${queryId}, resolving: ${resolvePromise}`);
-        if (timer !== undefined) {
-            timer.stop();
-        }
+        timer?.stop();
         if (resolvePromise) {
             resolver();
         }

package/src/mdns/MdnsService.ts

@@ -6,6 +6,7 @@
 
 import {
     Construction,
+    Crypto,
     Diagnostic,
     Environment,
     Environmental,
@@ -43,9 +44,10 @@ export class MdnsService {
         this.limitedToNetInterface = vars.get("mdns.networkInterface", options?.networkInterface);
 
         this.#construction = Construction(this, async () => {
+            const crypto = environment.get(Crypto);
             const network = environment.get(Network);
 
-            this.#broadcaster = await MdnsBroadcaster.create(network, {
+            this.#broadcaster = await MdnsBroadcaster.create(crypto, network, {
                 enableIpv4: this.enableIpv4,
                 multicastInterface: this.limitedToNetInterface,
             });

package/src/peer/ControllerCommissioner.ts

@@ -381,7 +381,7 @@ export class ControllerCommissioner {
     /** Finds an unused random Node-ID to use for commissioning if not already provided. */
     #determineAddress(fabric: Fabric, nodeId?: NodeId) {
         while (true) {
-            const address = fabric.addressOf(nodeId ?? NodeId.randomOperationalNodeId());
+            const address = fabric.addressOf(nodeId ?? NodeId.randomOperationalNodeId(fabric.crypto));
             try {
                 this.#assertPeerAddress(address);
             } catch (error) {

package/src/peer/ControllerCommissioningFlow.ts

@@ -13,7 +13,6 @@ import { TimeSynchronizationCluster } from "#clusters/time-synchronization";
 import {
     Bytes,
     ChannelType,
-    Crypto,
     Diagnostic,
     Logger,
     MatterError,
@@ -32,7 +31,6 @@ import {
     VendorId,
 } from "#types";
 import { CertificateAuthority } from "../certificate/CertificateAuthority.js";
-import { CertificateManager } from "../certificate/CertificateManager.js";
 import { ClusterClient } from "../cluster/client/ClusterClient.js";
 import { ClusterClientObj } from "../cluster/client/ClusterClientTypes.js";
 import { TlvCertSigningRequest } from "../common/OperationalCredentialsTypes.js";
@@ -207,7 +205,7 @@ export class ControllerCommissioningFlow {
         /** InteractionClient for the initiated PASE session */
         interactionClient: InteractionClient,
 
-        /** CertificateManager of the controller. */
+        /** CertificateAuthority of the controller. */
         ca: CertificateAuthority,
 
         /** Fabric of the controller. */
@@ -759,7 +757,7 @@ export class ControllerCommissioningFlow {
         const { attestationElements, attestationSignature } =
             await operationalCredentialsClusterClient.attestationRequest(
                 {
-                    attestationNonce: Crypto.getRandomData(32),
+                    attestationNonce: this.fabric.crypto.randomBytes(32),
                 },
                 { useExtendedFailSafeMessageResponseTimeout: true },
             );
@@ -801,7 +799,7 @@ export class ControllerCommissioningFlow {
         const operationalCredentialsClusterClient = this.#getClusterClient(OperationalCredentials.Cluster);
         const { nocsrElements, attestationSignature: csrSignature } =
             await operationalCredentialsClusterClient.csrRequest(
-                { csrNonce: Crypto.getRandomData(32) },
+                { csrNonce: this.fabric.crypto.randomBytes(32) },
                 { useExtendedFailSafeMessageResponseTimeout: true },
             );
         if (nocsrElements.length === 0 || csrSignature.length === 0) {
@@ -810,7 +808,7 @@ export class ControllerCommissioningFlow {
         }
         // TODO: validate csrSignature using device public key
         const { certSigningRequest } = TlvCertSigningRequest.decode(nocsrElements);
-        const operationalPublicKey = await CertificateManager.getPublicKeyFromCsr(certSigningRequest);
+        const operationalPublicKey = await this.ca.certs.getPublicKeyFromCsr(certSigningRequest);
 
         await operationalCredentialsClusterClient.addTrustedRootCertificate(
             {

package/src/protocol/DeviceCommissioner.ts

@@ -9,7 +9,6 @@ import { FailsafeContext } from "#common/FailsafeContext.js";
 import { CommissioningMode } from "#common/InstanceBroadcaster.js";
 import { FabricManager } from "#fabric/FabricManager.js";
 import {
-    Crypto,
     Diagnostic,
     Environment,
     Environmental,
@@ -153,7 +152,7 @@ export class DeviceCommissioner {
         this.#context.secureChannelProtocol.setPaseCommissioner(
             await PaseServer.fromPin(this.#context.sessions, this.#context.commissioningConfig.values.passcode, {
                 iterations: 1000,
-                salt: Crypto.getRandomData(32),
+                salt: this.#context.fabrics.crypto.randomBytes(32),
             }),
         );