@matter/protocol 0.15.0-alpha.0-20250613-a55f991d4 → 0.15.0-alpha.0-20250616-4b3754906

package/src/certificate/CertificateAuthority.ts

@@ -38,6 +38,7 @@ const logger = Logger.get("CertificateAuthority");
  * TODO: Add support for (optional) ICACs
  */
 export class CertificateAuthority {
+    #certs: CertificateManager;
     #rootCertId = BigInt(0);
     #rootKeyPair?: PrivateKey;
     #rootKeyIdentifier?: Uint8Array<ArrayBufferLike>;
@@ -45,21 +46,29 @@ export class CertificateAuthority {
     #nextCertificateId = BigInt(1);
     #construction: Construction<CertificateAuthority>;
 
+    get certs() {
+        return this.#certs;
+    }
+
     get construction() {
         return this.#construction;
     }
 
-    static async create(options?: StorageContext | CertificateAuthority.Configuration) {
-        return asyncNew(CertificateAuthority, options);
+    static async create(crypto: Crypto, options?: StorageContext | CertificateAuthority.Configuration) {
+        return asyncNew(CertificateAuthority, crypto, options);
     }
 
-    constructor(options?: StorageContext | CertificateAuthority.Configuration) {
+    constructor(crypto: Crypto, options?: StorageContext | CertificateAuthority.Configuration) {
+        this.#certs = new CertificateManager(crypto);
         this.#construction = Construction(this, async () => {
             // Use provided CA config or read from storage, otherwise initialize and store
             const certValues = options instanceof StorageContext ? await options.values() : (options ?? {});
 
-            this.#rootKeyPair = await Crypto.createKeyPair();
-            this.#rootKeyIdentifier = (await Crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(0, 20);
+            this.#rootKeyPair = await this.#certs.crypto.createKeyPair();
+            this.#rootKeyIdentifier = (await this.#certs.crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(
+                0,
+                20,
+            );
             this.#rootCertBytes = await this.#generateRootCert();
 
             if (
@@ -94,7 +103,7 @@ export class CertificateAuthority {
 
     static [Environmental.create](env: Environment) {
         const storage = env.get(StorageManager).createContext("certificates");
-        const instance = new CertificateAuthority(storage);
+        const instance = new CertificateAuthority(env.get(Crypto), storage);
         env.set(CertificateAuthority, instance);
         return instance;
     }
@@ -135,9 +144,9 @@ export class CertificateAuthority {
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
-        const signature = await Crypto.signEcdsa(
+        const signature = await this.#certs.crypto.signEcdsa(
             this.#initializedRootKeyPair,
-            CertificateManager.rootCertToAsn1(unsignedCertificate),
+            this.#certs.rootCertToAsn1(unsignedCertificate),
         );
         return TlvRootCertificate.encode({ ...unsignedCertificate, signature });
     }
@@ -166,14 +175,14 @@ export class CertificateAuthority {
                     digitalSignature: true,
                 },
                 extendedKeyUsage: [2, 1],
-                subjectKeyIdentifier: (await Crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: (await this.#certs.crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         };
 
-        const signature = await Crypto.signEcdsa(
+        const signature = await this.#certs.crypto.signEcdsa(
             this.#initializedRootKeyPair,
-            CertificateManager.nodeOperationalCertToAsn1(unsignedCertificate),
+            this.#certs.nodeOperationalCertToAsn1(unsignedCertificate),
         );
 
         return TlvOperationalCertificate.encode({ ...unsignedCertificate, signature });

package/src/certificate/CertificateManager.ts

@@ -578,52 +578,62 @@ function extensionsToAsn1(extensions: BaseCertificate["extensions"]) {
     return asn;
 }
 
-export namespace CertificateManager {
-    function assertCertificateDerSize(certBytes: Uint8Array) {
-        if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
-            throw new ImplementationError(
-                `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
-            );
-        }
+function genericBuildAsn1Structure({
+    serialNumber,
+    notBefore,
+    notAfter,
+    issuer,
+    subject,
+    ellipticCurvePublicKey,
+    extensions,
+}: Unsigned<BaseCertificate>) {
+    const {
+        basicConstraints: { isCa, pathLen },
+    } = extensions;
+    if (!isCa && pathLen !== undefined) {
+        throw new CertificateError("Path length must be undefined for non-CA certificates.");
     }
+    return {
+        version: ContextTagged(0, 2), // v3
+        serialNumber: DatatypeOverride(DerType.Integer, serialNumber),
+        signatureAlgorithm: X962.EcdsaWithSHA256,
+        issuer: subjectOrIssuerToAsn1(issuer),
+        validity: {
+            notBefore: matterToJsDate(notBefore),
+            notAfter: matterToJsDate(notAfter),
+        },
+        subject: subjectOrIssuerToAsn1(subject),
+        publicKey: X962.PublicKeyEcPrime256v1(ellipticCurvePublicKey),
+        extensions: ContextTagged(3, extensionsToAsn1(extensions)),
+    };
+}
 
-    function genericBuildAsn1Structure({
-        serialNumber,
-        notBefore,
-        notAfter,
-        issuer,
-        subject,
-        ellipticCurvePublicKey,
-        extensions,
-    }: Unsigned<BaseCertificate>) {
-        const {
-            basicConstraints: { isCa, pathLen },
-        } = extensions;
-        if (!isCa && pathLen !== undefined) {
-            throw new CertificateError("Path length must be undefined for non-CA certificates.");
-        }
-        return {
-            version: ContextTagged(0, 2), // v3
-            serialNumber: DatatypeOverride(DerType.Integer, serialNumber),
-            signatureAlgorithm: X962.EcdsaWithSHA256,
-            issuer: subjectOrIssuerToAsn1(issuer),
-            validity: {
-                notBefore: matterToJsDate(notBefore),
-                notAfter: matterToJsDate(notAfter),
-            },
-            subject: subjectOrIssuerToAsn1(subject),
-            publicKey: X962.PublicKeyEcPrime256v1(ellipticCurvePublicKey),
-            extensions: ContextTagged(3, extensionsToAsn1(extensions)),
-        };
+function genericCertToAsn1(cert: Unsigned<BaseCertificate>) {
+    const certBytes = DerCodec.encode(genericBuildAsn1Structure(cert));
+    assertCertificateDerSize(certBytes);
+    return certBytes;
+}
+
+function assertCertificateDerSize(certBytes: Uint8Array) {
+    if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
+        throw new ImplementationError(
+            `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
+        );
     }
+}
 
-    function genericCertToAsn1(cert: Unsigned<BaseCertificate>) {
-        const certBytes = DerCodec.encode(genericBuildAsn1Structure(cert));
-        assertCertificateDerSize(certBytes);
-        return certBytes;
+export class CertificateManager {
+    #crypto: Crypto;
+
+    constructor(crypto: Crypto) {
+        this.#crypto = crypto;
     }
 
-    export function rootCertToAsn1(cert: Unsigned<RootCertificate>) {
+    get crypto() {
+        return this.#crypto;
+    }
+
+    rootCertToAsn1(cert: Unsigned<RootCertificate>) {
         const {
             extensions: {
                 basicConstraints: { isCa },
@@ -635,7 +645,7 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export function intermediateCaCertToAsn1(cert: Unsigned<IntermediateCertificate>) {
+    intermediateCaCertToAsn1(cert: Unsigned<IntermediateCertificate>) {
         const {
             extensions: {
                 basicConstraints: { isCa },
@@ -647,7 +657,7 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export function nodeOperationalCertToAsn1(cert: Unsigned<OperationalCertificate>) {
+    nodeOperationalCertToAsn1(cert: Unsigned<OperationalCertificate>) {
         const {
             issuer: { icacId, rcacId },
             extensions: {
@@ -664,9 +674,9 @@ export namespace CertificateManager {
         return genericCertToAsn1(cert);
     }
 
-    export async function deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
+    async deviceAttestationCertToAsn1(cert: Unsigned<DeviceAttestationCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
-        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
+        const signature = await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
@@ -676,12 +686,12 @@ export namespace CertificateManager {
         return certBytes;
     }
 
-    export async function productAttestationIntermediateCertToAsn1(
+    async productAttestationIntermediateCertToAsn1(
         cert: Unsigned<ProductAttestationIntermediateCertificate>,
         key: Key,
     ) {
         const certificate = genericBuildAsn1Structure(cert);
-        const signature = await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
+        const signature = await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der");
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
@@ -691,21 +701,18 @@ export namespace CertificateManager {
         return certBytes;
     }
 
-    export async function productAttestationAuthorityCertToAsn1(
-        cert: Unsigned<ProductAttestationAuthorityCertificate>,
-        key: Key,
-    ) {
+    async productAttestationAuthorityCertToAsn1(cert: Unsigned<ProductAttestationAuthorityCertificate>, key: Key) {
         const certificate = genericBuildAsn1Structure(cert);
         const certBytes = DerCodec.encode({
             certificate,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(certificate), "der")),
+            signature: DerBitString(await this.#crypto.signEcdsa(key, DerCodec.encode(certificate), "der")),
         });
         assertCertificateDerSize(certBytes);
         return certBytes;
     }
 
-    export async function certificationDeclarationToAsn1(
+    async certificationDeclarationToAsn1(
         eContent: Uint8Array,
         subjectKeyIdentifier: Uint8Array,
         privateKey: JsonWebKey,
@@ -720,7 +727,7 @@ export namespace CertificateManager {
                     subjectKeyIdentifier: ContextTaggedBytes(0, subjectKeyIdentifier),
                     digestAlgorithm: SHA256_CMS,
                     signatureAlgorithm: X962.EcdsaWithSHA256,
-                    signature: await Crypto.signEcdsa(privateKey, eContent, "der"),
+                    signature: await this.#crypto.signEcdsa(privateKey, eContent, "der"),
                 },
             ],
         };
@@ -734,9 +741,7 @@ export namespace CertificateManager {
      * Validate general requirements a Matter certificate fields must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export function validateGeneralCertificateFields(
-        cert: RootCertificate | OperationalCertificate | IntermediateCertificate,
-    ) {
+    validateGeneralCertificateFields(cert: RootCertificate | OperationalCertificate | IntermediateCertificate) {
         if (cert.serialNumber.length > 20)
             throw new CertificateError(
                 `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`,
@@ -779,8 +784,8 @@ export namespace CertificateManager {
      * Verify requirements a Matter Root certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyRootCertificate(rootCert: RootCertificate) {
-        CertificateManager.validateGeneralCertificateFields(rootCert);
+    async verifyRootCertificate(rootCert: RootCertificate) {
+        this.validateGeneralCertificateFields(rootCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
         if ("nodeId" in rootCert.subject) {
@@ -863,9 +868,9 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(rootCert.ellipticCurvePublicKey),
-            rootCertToAsn1(rootCert),
+            this.rootCertToAsn1(rootCert),
             rootCert.signature,
         );
     }
@@ -874,12 +879,12 @@ export namespace CertificateManager {
      * Verify requirements a Matter Node Operational certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyNodeOperationalCertificate(
+    async verifyNodeOperationalCertificate(
         nocCert: OperationalCertificate,
         rootCert: RootCertificate,
         icaCert?: IntermediateCertificate,
     ) {
-        CertificateManager.validateGeneralCertificateFields(nocCert);
+        this.validateGeneralCertificateFields(nocCert);
 
         // The subject DN SHALL encode exactly one matter-node-id attribute.
         if (nocCert.subject.nodeId === undefined || Array.isArray(nocCert.subject.nodeId)) {
@@ -991,9 +996,9 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey((icaCert ?? rootCert).ellipticCurvePublicKey),
-            nodeOperationalCertToAsn1(nocCert),
+            this.nodeOperationalCertToAsn1(nocCert),
             nocCert.signature,
         );
     }
@@ -1002,8 +1007,8 @@ export namespace CertificateManager {
      * Verify requirements a Matter Intermediate CA certificate must fulfill.
      * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
      */
-    export async function verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
-        CertificateManager.validateGeneralCertificateFields(icaCert);
+    async verifyIntermediateCaCertificate(rootCert: RootCertificate, icaCert: IntermediateCertificate) {
+        this.validateGeneralCertificateFields(icaCert);
 
         // The subject DN SHALL NOT encode any matter-node-id attribute.
         if ("nodeId" in icaCert.subject) {
@@ -1109,14 +1114,14 @@ export namespace CertificateManager {
             );
         }
 
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(rootCert.ellipticCurvePublicKey),
-            intermediateCaCertToAsn1(icaCert),
+            this.intermediateCaCertToAsn1(icaCert),
             icaCert.signature,
         );
     }
 
-    export async function createCertificateSigningRequest(key: Key) {
+    async createCertificateSigningRequest(key: Key) {
         const request = {
             version: 0,
             subject: { organization: X520.OrganisationName("CSR") },
@@ -1127,11 +1132,11 @@ export namespace CertificateManager {
         return DerCodec.encode({
             request,
             signAlgorithm: X962.EcdsaWithSHA256,
-            signature: DerBitString(await Crypto.signEcdsa(key, DerCodec.encode(request), "der")),
+            signature: DerBitString(await this.#crypto.signEcdsa(key, DerCodec.encode(request), "der")),
         });
     }
 
-    export async function getPublicKeyFromCsr(csr: Uint8Array) {
+    async getPublicKeyFromCsr(csr: Uint8Array) {
         const { [DerKey.Elements]: rootElements } = DerCodec.decode(csr);
         if (rootElements?.length !== 3) throw new CertificateError("Invalid CSR data");
         const [requestNode, signAlgorithmNode, signatureNode] = rootElements;
@@ -1159,7 +1164,7 @@ export namespace CertificateManager {
             )
         )
             throw new CertificateError("Unsupported signature type");
-        await Crypto.verifyEcdsa(
+        await this.#crypto.verifyEcdsa(
             PublicKey(publicKey),
             DerCodec.encode(requestNode),
             signatureNode[DerKey.Bytes],

package/src/certificate/CertificationDeclarationManager.ts

@@ -3,7 +3,7 @@
  * Copyright 2022-2025 Matter.js Authors
  * SPDX-License-Identifier: Apache-2.0
  */
-import { Bytes, PrivateKey } from "#general";
+import { Bytes, Crypto, PrivateKey } from "#general";
 import { VendorId } from "#types";
 import { CertificateManager, TlvCertificationDeclaration } from "./CertificateManager.js";
 
@@ -30,7 +30,7 @@ const TestCMS_SignerPrivateKey = Bytes.fromHex("AEF3484116E9481EC57BE0472DF41BF4
 const TestCMS_SignerSubjectKeyIdentifier = Bytes.fromHex("62FA823359ACFAA9963E1CFA140ADDF504F37160");
 
 export class CertificationDeclarationManager {
-    static generate(vendorId: VendorId, productId: number, provisional = false) {
+    static generate(crypto: Crypto, vendorId: VendorId, productId: number, provisional = false) {
         const certificationElements = TlvCertificationDeclaration.encode({
             formatVersion: 1,
             vendorId,
@@ -43,7 +43,7 @@ export class CertificationDeclarationManager {
             certificationType: provisional ? 1 : 0, // 0 = Test, 1 = Provisional/In certification, 2 = official
         });
 
-        return CertificateManager.certificationDeclarationToAsn1(
+        return new CertificateManager(crypto).certificationDeclarationToAsn1(
             certificationElements,
             TestCMS_SignerSubjectKeyIdentifier,
             PrivateKey(TestCMS_SignerPrivateKey),

package/src/certificate/DeviceCertification.ts

@@ -14,6 +14,7 @@ import { CertificationDeclarationManager } from "./CertificationDeclarationManag
  * Device certification used by the OperationalCredentials cluster.
  */
 export class DeviceCertification {
+    #crypto: Crypto;
     #privateKey?: PrivateKey;
     #certificate?: Uint8Array;
     #intermediateCertificate?: Uint8Array;
@@ -36,7 +37,8 @@ export class DeviceCertification {
         return this.#assertInitialized().declaration;
     }
 
-    constructor(config?: DeviceCertification.Definition, product?: ProductDescription) {
+    constructor(crypto: Crypto, config?: DeviceCertification.Definition, product?: ProductDescription) {
+        this.#crypto = crypto;
         let configProvider;
         if (typeof config === "function") {
             configProvider = config;
@@ -48,14 +50,18 @@ export class DeviceCertification {
                     throw new ImplementationError(`Cannot generate device certification without product information`);
                 }
 
-                const paa = await AttestationCertificateManager.create(product.vendorId);
+                const paa = await AttestationCertificateManager.create(crypto, product.vendorId);
                 const { keyPair: dacKeyPair, dac } = await paa.getDACert(product.productId);
 
                 return {
                     privateKey: PrivateKey(dacKeyPair.privateKey),
                     certificate: dac,
                     intermediateCertificate: await paa.getPAICert(),
-                    declaration: await CertificationDeclarationManager.generate(product.vendorId, product.productId),
+                    declaration: await CertificationDeclarationManager.generate(
+                        crypto,
+                        product.vendorId,
+                        product.productId,
+                    ),
                 };
             };
         }
@@ -73,7 +79,7 @@ export class DeviceCertification {
 
     async sign(session: NodeSession, data: Uint8Array) {
         const { privateKey } = this.#assertInitialized();
-        const signature = await Crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
+        const signature = await this.#crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
         return signature;
     }
 

package/src/common/FailsafeContext.ts

@@ -52,7 +52,7 @@ export abstract class FailsafeContext {
         this.#associatedFabric = options.associatedFabric;
 
         this.#construction = Construction(this, async () => {
-            this.#fabricBuilder = await FabricBuilder.create();
+            this.#fabricBuilder = await FabricBuilder.create(this.#fabrics.crypto);
             // Ensure derived class construction is complete
             await Promise.resolve();
 

package/src/fabric/Fabric.ts

@@ -49,6 +49,7 @@ export type ExposedFabricInformation = {
 };
 
 export class Fabric {
+    readonly #certs: CertificateManager;
     readonly fabricIndex: FabricIndex;
     readonly fabricId: FabricId;
     readonly nodeId: NodeId;
@@ -63,14 +64,18 @@ export class Fabric {
     readonly operationalCert: Uint8Array;
     readonly #keyPair: Key;
     readonly #sessions = new Set<Session>();
-    readonly #groupManager: FabricGroups;
+    readonly #groups: FabricGroups;
     readonly #aclManager: FabricAccessControl;
     #label: string;
     #removeCallbacks = new Array<() => MaybePromise<void>>();
     #persistCallback: ((isUpdate?: boolean) => MaybePromise<void>) | undefined;
     #storage?: StorageContext;
 
-    constructor(config: Fabric.Config) {
+    constructor(certs: CertificateManager | Crypto, config: Fabric.Config) {
+        if (!(certs instanceof CertificateManager)) {
+            certs = new CertificateManager(certs);
+        }
+        this.#certs = certs;
         this.fabricIndex = config.fabricIndex;
         this.fabricId = config.fabricId;
         this.nodeId = config.nodeId;
@@ -86,7 +91,11 @@ export class Fabric {
         this.#label = config.label;
         this.#keyPair = PrivateKey(config.keyPair);
         this.#aclManager = new FabricAccessControl(this);
-        this.#groupManager = new FabricGroups(this);
+        this.#groups = new FabricGroups(this);
+    }
+
+    get crypto() {
+        return this.#certs.crypto;
     }
 
     get config(): Fabric.Config {
@@ -125,7 +134,7 @@ export class Fabric {
 
     set storage(storage: StorageContext) {
         this.#storage = storage;
-        this.#groupManager.storage = storage;
+        this.#groups.storage = storage;
     }
 
     get storage(): StorageContext | undefined {
@@ -133,7 +142,7 @@ export class Fabric {
     }
 
     get groups() {
-        return this.#groupManager;
+        return this.#groups;
     }
 
     get acl() {
@@ -145,7 +154,7 @@ export class Fabric {
     }
 
     sign(data: Uint8Array) {
-        return Crypto.signEcdsa(this.#keyPair, data);
+        return this.#certs.crypto.signEcdsa(this.#keyPair, data);
     }
 
     async verifyCredentials(operationalCert: Uint8Array, intermediateCACert?: Uint8Array) {
@@ -155,10 +164,10 @@ export class Fabric {
             intermediateCACert !== undefined ? TlvIntermediateCertificate.decode(intermediateCACert) : undefined;
         if (icaCert !== undefined) {
             // Validate ICACertificate against Root Certificate
-            await CertificateManager.verifyIntermediateCaCertificate(rootCert, icaCert);
+            await this.#certs.verifyIntermediateCaCertificate(rootCert, icaCert);
         }
         // Validate NOC Certificate against ICA Certificate
-        await CertificateManager.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
+        await this.#certs.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
     }
 
     matchesFabricIdAndRootPublicKey(fabricId: FabricId, rootPublicKey: Uint8Array) {
@@ -186,7 +195,10 @@ export class Fabric {
      * returns the time-wise valid operational keys for that groupId.
      */
     async currentDestinationIdFor(nodeId: NodeId, random: Uint8Array) {
-        return await Crypto.signHmac(this.groups.keySets.currentKeyForId(0).key, this.#generateSalt(nodeId, random));
+        return await this.#certs.crypto.signHmac(
+            this.groups.keySets.currentKeyForId(0).key,
+            this.#generateSalt(nodeId, random),
+        );
     }
 
     /**
@@ -196,7 +208,9 @@ export class Fabric {
     async destinationIdsFor(nodeId: NodeId, random: Uint8Array) {
         const salt = this.#generateSalt(nodeId, random);
         // Check all keys of keyset 0 - typically it is only the IPK
-        const destinationIds = this.groups.keySets.allKeysForId(0).map(({ key }) => Crypto.signHmac(key, salt));
+        const destinationIds = this.groups.keySets
+            .allKeysForId(0)
+            .map(({ key }) => this.#certs.crypto.signHmac(key, salt));
         return await Promise.all(destinationIds);
     }
 
@@ -260,6 +274,7 @@ export class Fabric {
 }
 
 export class FabricBuilder {
+    #certs: CertificateManager;
     #keyPair: PrivateKey;
     #rootVendorId?: VendorId;
     #rootCert?: Uint8Array;
@@ -273,12 +288,13 @@ export class FabricBuilder {
     #fabricIndex?: FabricIndex;
     #label = "";
 
-    constructor(key: PrivateKey) {
+    constructor(crypto: Crypto, key: PrivateKey) {
+        this.#certs = new CertificateManager(crypto);
         this.#keyPair = key;
     }
 
-    static async create() {
-        return new FabricBuilder(await Crypto.createKeyPair());
+    static async create(crypto: Crypto) {
+        return new FabricBuilder(crypto, await crypto.createKeyPair());
     }
 
     get publicKey() {
@@ -290,12 +306,12 @@ export class FabricBuilder {
     }
 
     createCertificateSigningRequest() {
-        return CertificateManager.createCertificateSigningRequest(this.#keyPair);
+        return this.#certs.createCertificateSigningRequest(this.#keyPair);
     }
 
     async setRootCert(rootCert: Uint8Array) {
         const decodedRootCertificate = TlvRootCertificate.decode(rootCert);
-        await CertificateManager.verifyRootCertificate(decodedRootCertificate);
+        await this.#certs.verifyRootCertificate(decodedRootCertificate);
         this.#rootCert = rootCert;
         this.#rootPublicKey = decodedRootCertificate.ellipticCurvePublicKey;
         return this;
@@ -334,9 +350,9 @@ export class FabricBuilder {
         const icaCert =
             intermediateCACert !== undefined ? TlvIntermediateCertificate.decode(intermediateCACert) : undefined;
         if (icaCert !== undefined) {
-            await CertificateManager.verifyIntermediateCaCertificate(rootCert, icaCert);
+            await this.#certs.verifyIntermediateCaCertificate(rootCert, icaCert);
         }
-        await CertificateManager.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
+        await this.#certs.verifyNodeOperationalCertificate(nocCert, rootCert, icaCert);
 
         this.#operationalCert = operationalCert;
         this.#intermediateCACert = intermediateCACert;
@@ -410,14 +426,14 @@ export class FabricBuilder {
         this.#fabricIndex = fabricIndex;
         const saltWriter = new DataWriter();
         saltWriter.writeUInt64(this.#fabricId);
-        const operationalId = await Crypto.createHkdfKey(
+        const operationalId = await this.#certs.crypto.createHkdfKey(
             this.#rootPublicKey.slice(1),
             saltWriter.toByteArray(),
             COMPRESSED_FABRIC_ID_INFO,
             8,
         );
 
-        return new Fabric({
+        return new Fabric(this.#certs, {
             fabricIndex: this.#fabricIndex,
             fabricId: this.#fabricId,
             nodeId: this.#nodeId,
@@ -428,7 +444,7 @@ export class FabricBuilder {
             rootVendorId: this.#rootVendorId,
             rootCert: this.#rootCert,
             identityProtectionKey: this.#identityProtectionKey, // Epoch Key
-            operationalIdentityProtectionKey: await Crypto.createHkdfKey(
+            operationalIdentityProtectionKey: await this.#certs.crypto.createHkdfKey(
                 this.#identityProtectionKey,
                 operationalId,
                 GROUP_SECURITY_INFO,