@matter/protocol 0.15.0-alpha.0-20250613-a55f991d4 → 0.15.0-alpha.0-20250616-4b3754906

package/src/fabric/FabricAuthority.ts

@@ -5,15 +5,7 @@
  */
 
 import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
-import {
-    Bytes,
-    Crypto,
-    CRYPTO_SYMMETRIC_KEY_LENGTH,
-    Environment,
-    Environmental,
-    ImplementationError,
-    Logger,
-} from "#general";
+import { Bytes, CRYPTO_SYMMETRIC_KEY_LENGTH, Environment, Environmental, ImplementationError, Logger } from "#general";
 import { CaseAuthenticatedTag, FabricId, FabricIndex, NodeId, VendorId } from "#types";
 import { Fabric, FabricBuilder } from "./Fabric.js";
 import { FabricManager } from "./FabricManager.js";
@@ -60,10 +52,10 @@ export class FabricAuthority {
     #fabrics: FabricManager;
     #config: FabricAuthorityConfiguration;
 
-    constructor(context: FabricAuthorityContext) {
-        this.#ca = context.ca;
-        this.#fabrics = context.fabrics;
-        this.#config = context.config;
+    constructor({ ca, fabrics, config }: FabricAuthorityContext) {
+        this.#ca = ca;
+        this.#fabrics = fabrics;
+        this.#config = config;
     }
 
     /**
@@ -108,8 +100,8 @@ export class FabricAuthority {
      * Create a new fabric under our control.
      */
     async createFabric() {
-        const rootNodeId = NodeId.randomOperationalNodeId();
-        const ipkValue = Crypto.getRandomData(CRYPTO_SYMMETRIC_KEY_LENGTH);
+        const rootNodeId = NodeId.randomOperationalNodeId(this.#fabrics.crypto);
+        const ipkValue = this.#fabrics.crypto.randomBytes(CRYPTO_SYMMETRIC_KEY_LENGTH);
 
         let vendorId = this.#config.adminVendorId;
         if (vendorId === undefined) {
@@ -117,7 +109,7 @@ export class FabricAuthority {
             logger.warn(`Using test vendor ID 0x${vendorId.toString(16)} for controller fabric`);
         }
 
-        const fabricBuilder = await FabricBuilder.create();
+        const fabricBuilder = await FabricBuilder.create(this.#fabrics.crypto);
         await fabricBuilder.setRootCert(this.#ca.rootCert);
         fabricBuilder
             .setRootNodeId(rootNodeId)

package/src/fabric/FabricManager.ts

@@ -7,6 +7,7 @@
 import {
     Bytes,
     Construction,
+    Crypto,
     Environment,
     Environmental,
     ImplementationError,
@@ -33,6 +34,7 @@ export enum FabricAction {
 }
 
 export class FabricManager {
+    #crypto: Crypto;
     #nextFabricIndex = 1;
     readonly #fabrics = new Map<FabricIndex, Fabric>();
     #initializationDone = false;
@@ -45,7 +47,8 @@ export class FabricManager {
     };
     #construction: Construction<FabricManager>;
 
-    constructor(storage?: StorageContext) {
+    constructor(crypto: Crypto, storage?: StorageContext) {
+        this.#crypto = crypto;
         this.#storage = storage;
 
         let construct;
@@ -60,7 +63,7 @@ export class FabricManager {
 
                 const fabrics = await this.#storage.get<Fabric.Config[]>("fabrics", []);
                 for (const fabricConfig of fabrics) {
-                    this.#addFabric(new Fabric(fabricConfig));
+                    this.#addFabric(new Fabric(crypto, fabricConfig));
                 }
 
                 this.#nextFabricIndex = await this.#storage.get("nextFabricIndex", this.#nextFabricIndex);
@@ -72,6 +75,10 @@ export class FabricManager {
         this.#construction = Construction(this, construct);
     }
 
+    get crypto() {
+        return this.#crypto;
+    }
+
     get construction() {
         return this.#construction;
     }
@@ -81,7 +88,7 @@ export class FabricManager {
     }
 
     static [Environmental.create](env: Environment) {
-        const instance = new FabricManager(env.get(StorageManager).createContext("fabrics"));
+        const instance = new FabricManager(env.get(Crypto), env.get(StorageManager).createContext("fabrics"));
         env.set(FabricManager, instance);
         return instance;
     }

package/src/fabric/TestFabric.ts

@@ -5,7 +5,7 @@
  */
 
 import { CertificateAuthority } from "#certificate/CertificateAuthority.js";
-import { ImplementationError, nonentropic } from "#general";
+import { ImplementationError, MockCrypto } from "#general";
 import { FabricIndex, VendorId } from "#types";
 import { FabricAuthority } from "./FabricAuthority.js";
 import { FabricManager } from "./FabricManager.js";
@@ -40,22 +40,25 @@ export namespace TestFabric {
             }
         }
 
-        return forFabric(index, async () => {
-            const authority = new FabricAuthority({
-                ca: await CertificateAuthority.create(),
-                config: {
-                    adminFabricLabel: `mock-fabric-${index}`,
-                    adminVendorId: VendorId(0xfff1),
-                    fabricIndex: FabricIndex(index),
-                },
-                fabrics: fabrics ?? new FabricManager(),
-            });
+        if (index < 1 || index > 254) {
+            throw new ImplementationError("Test fabric indexes must be in the range 1-254");
+        }
 
-            const createFabric = authority.createFabric.bind(authority);
-            authority.createFabric = () => forFabric(index ?? 1, createFabric);
+        if (!fabrics) {
+            fabrics = new FabricManager(MockCrypto(index));
+        }
 
-            return authority;
+        const authority = new FabricAuthority({
+            ca: await CertificateAuthority.create(fabrics.crypto),
+            config: {
+                adminFabricLabel: `mock-fabric-${index}`,
+                adminVendorId: VendorId(0xfff1),
+                fabricIndex: FabricIndex(index),
+            },
+            fabrics,
         });
+
+        return authority;
     }
 
     export interface Options {
@@ -63,11 +66,3 @@ export namespace TestFabric {
         fabrics?: FabricManager;
     }
 }
-
-async function forFabric<T>(index: number, actor: () => Promise<T>): Promise<T> {
-    if (index < 1 || index > 254) {
-        throw new ImplementationError("Test fabric indexes must be in the range 1-254");
-    }
-
-    return nonentropic(index, actor);
-}

package/src/groups/FabricGroups.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import { Fabric } from "#fabric/Fabric.js";
-import { BasicMap, Bytes, Crypto, InternalError, MatterFlowError, StorageContext } from "#general";
+import { BasicMap, Bytes, InternalError, MatterFlowError, StorageContext } from "#general";
 import { GroupKeySet, KeySets, OperationalKeySet } from "#groups/KeySets.js";
 import { MessagingState } from "#groups/MessagingState.js";
 import { GroupId } from "#types";
@@ -26,7 +26,7 @@ export class FabricGroups {
     constructor(fabric: Fabric, storage?: StorageContext) {
         this.#fabric = fabric;
         this.#groups = new Groups(fabric, this.#keySets);
-        this.#messagingState = new MessagingState(storage);
+        this.#messagingState = new MessagingState(fabric.crypto, storage);
 
         // KeySet with ID 0 is always the Fabric IPK, so we initialize from there because this is not stored
         // in Key Management Cluster
@@ -122,21 +122,33 @@ export class FabricGroups {
 
         // Lets pre-calculate the operational keys
         const operationalId = this.#fabric.operationalId;
-        const operationalEpochKey0 = await Crypto.createHkdfKey(epochKey0, operationalId, GROUP_SECURITY_INFO);
+        const operationalEpochKey0 = await this.#fabric.crypto.createHkdfKey(
+            epochKey0,
+            operationalId,
+            GROUP_SECURITY_INFO,
+        );
         const operationalEpochKey1 =
-            epochKey1 !== null ? await Crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey1 !== null
+                ? await this.#fabric.crypto.createHkdfKey(epochKey1, operationalId, GROUP_SECURITY_INFO)
+                : null;
         const operationalEpochKey2 =
-            epochKey2 !== null ? await Crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO) : null;
+            epochKey2 !== null
+                ? await this.#fabric.crypto.createHkdfKey(epochKey2, operationalId, GROUP_SECURITY_INFO)
+                : null;
         this.#keySets.add({
             ...groupKeySet,
             operationalEpochKey0,
-            groupSessionId0: await this.#keySets.sessionIdFromKey(operationalEpochKey0),
+            groupSessionId0: await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey0),
             operationalEpochKey1,
             groupSessionId1:
-                operationalEpochKey1 !== null ? await this.#keySets.sessionIdFromKey(operationalEpochKey1) : null,
+                operationalEpochKey1 !== null
+                    ? await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey1)
+                    : null,
             operationalEpochKey2,
             groupSessionId2:
-                operationalEpochKey2 !== null ? await this.#keySets.sessionIdFromKey(operationalEpochKey2) : null,
+                operationalEpochKey2 !== null
+                    ? await this.#keySets.sessionIdFromKey(this.#fabric.crypto, operationalEpochKey2)
+                    : null,
         });
     }
 

package/src/groups/KeySets.ts

@@ -141,9 +141,9 @@ export class KeySets<T extends OperationalKeySet> extends BasicSet<T> {
     }
 
     /** Calculates a group session id based on the operational group key. */
-    async sessionIdFromKey(operationalGroupKey: Uint8Array) {
+    async sessionIdFromKey(crypto: Crypto, operationalGroupKey: Uint8Array) {
         // GroupKeyHash is an array of 2 bytes (16 bits) per Crypto_KDF
-        const groupKeyHash = await Crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
+        const groupKeyHash = await crypto.createHkdfKey(operationalGroupKey, new Uint8Array(), GROUP_KEY_INFO, 2);
 
         // GroupSessionId is computed by considering the GroupKeyHash as a Big-Endian value. GroupSessionId is a scalar.
         // Its use in fields within messages may cause a re-serialization into a different byte order than the one used

package/src/groups/MessagingState.ts

@@ -3,7 +3,7 @@
  * Copyright 2022-2025 Matter.js Authors
  * SPDX-License-Identifier: Apache-2.0
  */
-import { Bytes, ImplementationError, InternalError, StorageContext } from "#general";
+import { Bytes, Crypto, ImplementationError, InternalError, StorageContext } from "#general";
 import { PersistedMessageCounter } from "#protocol/MessageCounter.js";
 import { MessageReceptionStateEncryptedWithRollover } from "#protocol/MessageReceptionState.js";
 import { NodeId } from "#types";
@@ -19,9 +19,12 @@ export class MessagingState {
 
     /** Message reception state for data messages per Operational key and source node. */
     readonly #messageDataReceptionState = new Map<string, Map<NodeId, MessageReceptionStateEncryptedWithRollover>>();
+
+    #crypto: Crypto;
     #storage?: StorageContext;
 
-    constructor(storage?: StorageContext) {
+    constructor(crypto: Crypto, storage?: StorageContext) {
+        this.#crypto = crypto;
         if (storage !== undefined) {
             this.#storage = storage;
         }
@@ -44,7 +47,7 @@ export class MessagingState {
         const operationalKeyHex = Bytes.toHex(operationalKey);
         let counter = this.#groupDataCounters.get(operationalKeyHex);
         if (counter === undefined) {
-            counter = new PersistedMessageCounter(this.#storage, `${operationalKeyHex}-data`);
+            counter = new PersistedMessageCounter(this.#crypto, this.#storage, `${operationalKeyHex}-data`);
             this.#groupDataCounters.set(operationalKeyHex, counter);
         }
         return counter;

package/src/mdns/MdnsBroadcaster.ts

@@ -68,21 +68,28 @@ const DEFAULT_PAIRING_HINT = {
 export class MdnsBroadcaster {
     readonly #activeCommissioningAnnouncements = new Set<number>();
     readonly #activeOperationalAnnouncements = new Map<number, { fabricIndex: FabricIndex; forInstance: string }[]>();
+    readonly #crypto: Crypto;
     readonly #network: Network;
     readonly #mdnsServer: MdnsServer;
     readonly #enableIpv4?: boolean;
     readonly #instances = new BasicSet<MdnsInstanceBroadcaster>();
 
-    static async create(network: Network, options?: { enableIpv4?: boolean; multicastInterface?: string }) {
+    static async create(
+        crypto: Crypto,
+        network: Network,
+        options?: { enableIpv4?: boolean; multicastInterface?: string },
+    ) {
         const { enableIpv4, multicastInterface } = options ?? {};
         return new MdnsBroadcaster(
+            crypto,
             network,
             await MdnsServer.create(network, { enableIpv4, netInterface: multicastInterface }),
             enableIpv4,
         );
     }
 
-    constructor(network: Network, mdnsServer: MdnsServer, enableIpv4?: boolean) {
+    constructor(crypto: Crypto, network: Network, mdnsServer: MdnsServer, enableIpv4?: boolean) {
+        this.#crypto = crypto;
         this.#network = network;
         this.#mdnsServer = mdnsServer;
         this.#enableIpv4 = enableIpv4;
@@ -182,7 +189,7 @@ export class MdnsBroadcaster {
         this.#activeCommissioningAnnouncements.add(announcedNetPort);
 
         const shortDiscriminator = (discriminator >> 8) & 0x0f;
-        const instanceId = Bytes.toHex(Crypto.getRandomData(8)).toUpperCase();
+        const instanceId = Bytes.toHex(this.#crypto.randomBytes(8)).toUpperCase();
         const vendorQname = getVendorQname(vendorId);
         const deviceTypeQname = getDeviceTypeQname(deviceType);
         const shortDiscriminatorQname = getShortDiscriminatorQname(shortDiscriminator);
@@ -360,7 +367,7 @@ export class MdnsBroadcaster {
             }),
         );
 
-        const instanceId = Bytes.toHex(Crypto.getRandomData(8)).toUpperCase();
+        const instanceId = Bytes.toHex(this.#crypto.randomBytes(8)).toUpperCase();
         const deviceTypeQname = `_T${deviceType}._sub.${MATTER_COMMISSIONER_SERVICE_QNAME}`;
         const vendorQname = `_V${vendorId}._sub.${MATTER_COMMISSIONER_SERVICE_QNAME}`;
         const deviceQname = `${instanceId}.${MATTER_COMMISSIONER_SERVICE_QNAME}`;

package/src/mdns/MdnsService.ts

@@ -6,6 +6,7 @@
 
 import {
     Construction,
+    Crypto,
     Diagnostic,
     Environment,
     Environmental,
@@ -43,9 +44,10 @@ export class MdnsService {
         this.limitedToNetInterface = vars.get("mdns.networkInterface", options?.networkInterface);
 
         this.#construction = Construction(this, async () => {
+            const crypto = environment.get(Crypto);
             const network = environment.get(Network);
 
-            this.#broadcaster = await MdnsBroadcaster.create(network, {
+            this.#broadcaster = await MdnsBroadcaster.create(crypto, network, {
                 enableIpv4: this.enableIpv4,
                 multicastInterface: this.limitedToNetInterface,
             });

package/src/peer/ControllerCommissioner.ts

@@ -381,7 +381,7 @@ export class ControllerCommissioner {
     /** Finds an unused random Node-ID to use for commissioning if not already provided. */
     #determineAddress(fabric: Fabric, nodeId?: NodeId) {
         while (true) {
-            const address = fabric.addressOf(nodeId ?? NodeId.randomOperationalNodeId());
+            const address = fabric.addressOf(nodeId ?? NodeId.randomOperationalNodeId(fabric.crypto));
             try {
                 this.#assertPeerAddress(address);
             } catch (error) {

package/src/peer/ControllerCommissioningFlow.ts

@@ -13,7 +13,6 @@ import { TimeSynchronizationCluster } from "#clusters/time-synchronization";
 import {
     Bytes,
     ChannelType,
-    Crypto,
     Diagnostic,
     Logger,
     MatterError,
@@ -32,7 +31,6 @@ import {
     VendorId,
 } from "#types";
 import { CertificateAuthority } from "../certificate/CertificateAuthority.js";
-import { CertificateManager } from "../certificate/CertificateManager.js";
 import { ClusterClient } from "../cluster/client/ClusterClient.js";
 import { ClusterClientObj } from "../cluster/client/ClusterClientTypes.js";
 import { TlvCertSigningRequest } from "../common/OperationalCredentialsTypes.js";
@@ -207,7 +205,7 @@ export class ControllerCommissioningFlow {
         /** InteractionClient for the initiated PASE session */
         interactionClient: InteractionClient,
 
-        /** CertificateManager of the controller. */
+        /** CertificateAuthority of the controller. */
         ca: CertificateAuthority,
 
         /** Fabric of the controller. */
@@ -759,7 +757,7 @@ export class ControllerCommissioningFlow {
         const { attestationElements, attestationSignature } =
             await operationalCredentialsClusterClient.attestationRequest(
                 {
-                    attestationNonce: Crypto.getRandomData(32),
+                    attestationNonce: this.fabric.crypto.randomBytes(32),
                 },
                 { useExtendedFailSafeMessageResponseTimeout: true },
             );
@@ -801,7 +799,7 @@ export class ControllerCommissioningFlow {
         const operationalCredentialsClusterClient = this.#getClusterClient(OperationalCredentials.Cluster);
         const { nocsrElements, attestationSignature: csrSignature } =
             await operationalCredentialsClusterClient.csrRequest(
-                { csrNonce: Crypto.getRandomData(32) },
+                { csrNonce: this.fabric.crypto.randomBytes(32) },
                 { useExtendedFailSafeMessageResponseTimeout: true },
             );
         if (nocsrElements.length === 0 || csrSignature.length === 0) {
@@ -810,7 +808,7 @@ export class ControllerCommissioningFlow {
         }
         // TODO: validate csrSignature using device public key
         const { certSigningRequest } = TlvCertSigningRequest.decode(nocsrElements);
-        const operationalPublicKey = await CertificateManager.getPublicKeyFromCsr(certSigningRequest);
+        const operationalPublicKey = await this.ca.certs.getPublicKeyFromCsr(certSigningRequest);
 
         await operationalCredentialsClusterClient.addTrustedRootCertificate(
             {

package/src/protocol/DeviceCommissioner.ts

@@ -9,7 +9,6 @@ import { FailsafeContext } from "#common/FailsafeContext.js";
 import { CommissioningMode } from "#common/InstanceBroadcaster.js";
 import { FabricManager } from "#fabric/FabricManager.js";
 import {
-    Crypto,
     Diagnostic,
     Environment,
     Environmental,
@@ -153,7 +152,7 @@ export class DeviceCommissioner {
         this.#context.secureChannelProtocol.setPaseCommissioner(
             await PaseServer.fromPin(this.#context.sessions, this.#context.commissioningConfig.values.passcode, {
                 iterations: 1000,
-                salt: Crypto.getRandomData(32),
+                salt: this.#context.fabrics.crypto.randomBytes(32),
             }),
         );
 

package/src/protocol/ExchangeManager.ts

@@ -104,6 +104,7 @@ export class MessageChannel implements Channel<Message> {
  * Interfaces {@link ExchangeManager} with other components.
  */
 export interface ExchangeManagerContext {
+    crypto: Crypto;
     transportInterfaces: TransportInterfaceSet;
     sessionManager: SessionManager;
     channelManager: ChannelManager;
@@ -113,7 +114,7 @@ export class ExchangeManager {
     readonly #transportInterfaces: TransportInterfaceSet;
     readonly #sessionManager: SessionManager;
     readonly #channelManager: ChannelManager;
-    readonly #exchangeCounter = new ExchangeCounter();
+    readonly #exchangeCounter: ExchangeCounter;
     readonly #exchanges = new Map<number, MessageExchange>();
     readonly #protocols = new Map<number, ProtocolHandler>();
     readonly #listeners = new Map<TransportInterface, TransportInterface.Listener>();
@@ -125,6 +126,7 @@ export class ExchangeManager {
         this.#transportInterfaces = context.transportInterfaces;
         this.#sessionManager = context.sessionManager;
         this.#channelManager = context.channelManager;
+        this.#exchangeCounter = new ExchangeCounter(context.crypto);
 
         for (const transportInterface of this.#transportInterfaces) {
             this.#addListener(transportInterface);
@@ -143,6 +145,7 @@ export class ExchangeManager {
 
     static [Environmental.create](env: Environment) {
         const instance = new ExchangeManager({
+            crypto: env.get(Crypto),
             transportInterfaces: env.get(TransportInterfaceSet),
             sessionManager: env.get(SessionManager),
             channelManager: env.get(ChannelManager),
@@ -515,13 +518,17 @@ export class ExchangeManager {
 }
 
 export class ExchangeCounter {
-    private exchangeCounter = Crypto.getRandomUInt16();
+    #exchangeCounter: number;
+
+    constructor(crypto: Crypto) {
+        this.#exchangeCounter = crypto.randomUint16;
+    }
 
     getIncrementedCounter() {
-        this.exchangeCounter++;
-        if (this.exchangeCounter > 0xffff) {
-            this.exchangeCounter = 0;
+        this.#exchangeCounter++;
+        if (this.#exchangeCounter > 0xffff) {
+            this.#exchangeCounter = 0;
         }
-        return this.exchangeCounter;
+        return this.#exchangeCounter;
     }
 }

package/src/protocol/MessageCounter.ts

@@ -43,7 +43,7 @@ export enum MessageCounterTypes {
  * Rollover can be allowed or forbidden and a callback can be provided to be notified before a rollover would happen.
  */
 export class MessageCounter {
-    protected messageCounter = (Crypto.getRandomUInt32() >>> 4) + 1; // 28 bit random number plus 1
+    protected messageCounter: number;
 
     /**
      * Creates a new message counter with a random start value. If a aboutToRolloverCallback is provided this
@@ -51,9 +51,14 @@ export class MessageCounter {
      * a number of messages before the rollover callback is called (Default 1000).
      */
     constructor(
+        crypto: Crypto,
         protected readonly aboutToRolloverCallback?: () => void,
+
+        // Counter is a 28 bit random number plus 1
         protected readonly rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE,
-    ) {}
+    ) {
+        this.messageCounter = (crypto.randomUint32 >>> 4) + 1;
+    }
 
     async getIncrementedCounter() {
         this.messageCounter++;
@@ -82,6 +87,7 @@ export class PersistedMessageCounter extends MessageCounter {
     }
 
     static async create(
+        crypto: Crypto,
         storageContext: StorageContext,
         storageKey: string,
         aboutToRolloverCallback?: () => void,
@@ -89,6 +95,7 @@ export class PersistedMessageCounter extends MessageCounter {
     ) {
         return asyncNew(
             PersistedMessageCounter,
+            crypto,
             storageContext,
             storageKey,
             aboutToRolloverCallback,
@@ -97,12 +104,13 @@ export class PersistedMessageCounter extends MessageCounter {
     }
 
     constructor(
+        crypto: Crypto,
         private readonly storageContext: StorageContext,
         private readonly storageKey: string,
         aboutToRolloverCallback?: () => void,
         rolloverInfoDifference = ROLLOVER_INFO_DIFFERENCE,
     ) {
-        super(aboutToRolloverCallback, rolloverInfoDifference);
+        super(crypto, aboutToRolloverCallback, rolloverInfoDifference);
         this.#construction = Construction(this, async () => {
             if (await storageContext.has(storageKey)) {
                 this.messageCounter = await storageContext.get<number>(storageKey);

package/src/session/GroupSession.ts

@@ -9,7 +9,6 @@ import { Fabric } from "#fabric/Fabric.js";
 import { FabricManager } from "#fabric/FabricManager.js";
 import {
     Bytes,
-    Crypto,
     CryptoDecryptError,
     ImplementationError,
     InternalError,
@@ -126,7 +125,12 @@ export class GroupSession extends SecureSession {
 
         return {
             header,
-            applicationPayload: Crypto.encrypt(this.#operationalGroupKey, applicationPayload, nonce, headerBytes),
+            applicationPayload: this.#fabric.crypto.encrypt(
+                this.#operationalGroupKey,
+                applicationPayload,
+                nonce,
+                headerBytes,
+            ),
         };
     }
 
@@ -179,7 +183,7 @@ export class GroupSession extends SecureSession {
             try {
                 message = MessageCodec.decodePayload({
                     header,
-                    applicationPayload: Crypto.decrypt(key, applicationPayload, nonce, aad),
+                    applicationPayload: fabric.crypto.decrypt(key, applicationPayload, nonce, aad),
                 });
                 found = true;
                 break; // Exit loop on first successful decryption

package/src/session/InsecureSession.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Logger, MatterFlowError } from "#general";
+import { Crypto, Logger, MatterFlowError } from "#general";
 import { NodeId } from "#types";
 import { DecodedMessage, DecodedPacket, Message, MessageCodec, Packet, SessionType } from "../codec/MessageCodec.js";
 import { Fabric } from "../fabric/Fabric.js";
@@ -23,19 +23,20 @@ export class InsecureSession extends Session {
     readonly type = SessionType.Unicast;
 
     constructor(args: {
+        crypto: Crypto;
         manager?: SessionManager;
         messageCounter: MessageCounter;
         initiatorNodeId?: NodeId;
         sessionParameters?: SessionParameterOptions;
         isInitiator?: boolean;
     }) {
-        const { initiatorNodeId, isInitiator } = args;
+        const { crypto, initiatorNodeId, isInitiator } = args;
         super({
             ...args,
             setActiveTimestamp: !isInitiator, // When we are the initiator we assume the node is in idle mode
             messageReceptionState: new MessageReceptionStateUnencryptedWithRollover(),
         });
-        this.#initiatorNodeId = initiatorNodeId ?? NodeId.randomOperationalNodeId();
+        this.#initiatorNodeId = initiatorNodeId ?? NodeId.randomOperationalNodeId(crypto);
     }
 
     get isSecure() {