@matter/protocol 0.16.0-alpha.0-20250812-285b75d83 → 0.16.0-alpha.0-20250815-ac9fd6eb0

package/src/ble/BtpSessionHandler.ts

@@ -26,7 +26,7 @@ const logger = Logger.get("BtpSessionHandler");
 
 export class BtpSessionHandler {
     private currentIncomingSegmentedMsgLength: number | undefined;
-    private currentIncomingSegmentedPayload: Uint8Array | undefined;
+    private currentIncomingSegmentedPayload: Bytes | undefined;
     private prevIncomingSequenceNumber = 255; // Incoming Sequence Number received. Set to 255 to start at 0
     private prevIncomingAckNumber = -1; // Previous ackNumber received
     private readonly ackReceiveTimer = Time.getTimer("BTP ack timeout", BTP_ACK_TIMEOUT_MS, () =>
@@ -49,10 +49,10 @@ export class BtpSessionHandler {
     /** Factory method to create a new BTPSessionHandler from a received handshake request */
     static async createFromHandshakeRequest(
         maxDataSize: number | undefined,
-        handshakeRequestPayload: Uint8Array,
-        writeBleCallback: (data: Uint8Array) => Promise<void>,
+        handshakeRequestPayload: Bytes,
+        writeBleCallback: (data: Bytes) => Promise<void>,
         disconnectBleCallback: () => Promise<void>,
-        handleMatterMessagePayload: (data: Uint8Array) => Promise<void>,
+        handleMatterMessagePayload: (data: Bytes) => Promise<void>,
     ): Promise<BtpSessionHandler> {
         // Decode handshake request
         const handshakeRequest = BtpCodec.decodeBtpHandshakeRequest(handshakeRequestPayload);
@@ -117,10 +117,10 @@ export class BtpSessionHandler {
     }
 
     static async createAsCentral(
-        handshakeResponsePayload: Uint8Array,
-        writeBleCallback: (data: Uint8Array) => Promise<void>,
+        handshakeResponsePayload: Bytes,
+        writeBleCallback: (data: Bytes) => Promise<void>,
         disconnectBleCallback: () => Promise<void>,
-        handleMatterMessagePayload: (data: Uint8Array) => Promise<void>,
+        handleMatterMessagePayload: (data: Bytes) => Promise<void>,
     ) {
         const handshakeRequest = BtpCodec.decodeBtpHandshakeResponsePayload(handshakeResponsePayload);
 
@@ -156,9 +156,9 @@ export class BtpSessionHandler {
         btpVersion: number,
         private readonly fragmentSize: number,
         private readonly clientWindowSize: number,
-        private readonly writeBleCallback: (data: Uint8Array) => Promise<void>,
+        private readonly writeBleCallback: (data: Bytes) => Promise<void>,
         private readonly disconnectBleCallback: () => Promise<void>,
-        private readonly handleMatterMessagePayload: (data: Uint8Array) => Promise<void>,
+        private readonly handleMatterMessagePayload: (data: Bytes) => Promise<void>,
     ) {
         if (btpVersion !== 4) {
             throw new BtpProtocolError(`Unsupported BTP version ${btpVersion}`);
@@ -179,21 +179,21 @@ export class BtpSessionHandler {
      *
      * @param data ByteArray containing the data
      */
-    public async handleIncomingBleData(data: Uint8Array) {
+    public async handleIncomingBleData(data: Bytes) {
         if (!this.isActive) {
             logger.debug(`BTP session is not active, ignoring incoming BLE data`);
             return;
         }
         try {
-            if (data.length > this.fragmentSize) {
+            if (data.byteLength > this.fragmentSize) {
                 // Apple seems to interpret the ATT_MTU as the maximum size of a single ATT packet
-                if (data.length > this.fragmentSize + 3) {
+                if (data.byteLength > this.fragmentSize + 3) {
                     throw new BtpProtocolError(
-                        `Received data ${data.length} bytes exceeds fragment size of ${this.fragmentSize} bytes`,
+                        `Received data ${data.byteLength} bytes exceeds fragment size of ${this.fragmentSize} bytes`,
                     );
                 } else {
                     logger.warn(
-                        `Received data ${data.length} bytes exceeds fragment size of ${this.fragmentSize} bytes, still accepting`,
+                        `Received data ${data.byteLength} bytes exceeds fragment size of ${this.fragmentSize} bytes, still accepting`,
                     );
                 }
             }
@@ -214,7 +214,7 @@ export class BtpSessionHandler {
             if (isHandshakeRequest || hasManagementOpcode) {
                 throw new BtpProtocolError("BTP packet must not be a handshake request or have a management opcode.");
             }
-            if (segmentPayload.length === 0 && !hasAckNumber) {
+            if (segmentPayload.byteLength === 0 && !hasAckNumber) {
                 throw new BtpProtocolError("BTP packet must have a segment payload or an ack number.");
             }
 
@@ -261,7 +261,7 @@ export class BtpSessionHandler {
                 if (this.currentIncomingSegmentedPayload === undefined) {
                     throw new BtpProtocolError(`BTP Continuing or ending packet received without beginning packet.`);
                 }
-                if (segmentPayload.length === 0) {
+                if (segmentPayload.byteLength === 0) {
                     throw new BtpProtocolError(`BTP Continuing or ending packet received without payload.`);
                 }
                 this.currentIncomingSegmentedPayload = Bytes.concat(
@@ -277,9 +277,9 @@ export class BtpSessionHandler {
                 ) {
                     throw new BtpProtocolError("BTP beginning packet missing but ending packet received.");
                 }
-                if (this.currentIncomingSegmentedPayload.length !== this.currentIncomingSegmentedMsgLength) {
+                if (this.currentIncomingSegmentedPayload.byteLength !== this.currentIncomingSegmentedMsgLength) {
                     throw new BtpProtocolError(
-                        `BTP packet payload length does not match message length: ${this.currentIncomingSegmentedPayload.length} !== ${this.currentIncomingSegmentedMsgLength}`,
+                        `BTP packet payload length does not match message length: ${this.currentIncomingSegmentedPayload.byteLength} !== ${this.currentIncomingSegmentedMsgLength}`,
                     );
                 }
 
@@ -306,13 +306,13 @@ export class BtpSessionHandler {
      *
      * @param data ByteArray containing the Matter message
      */
-    public async sendMatterMessage(data: Uint8Array) {
+    public async sendMatterMessage(data: Bytes) {
         if (!this.isActive) {
             throw new BtpFlowError("BTP session is not active");
         }
         logger.debug(`Got Matter message to send via BLE transport: ${Bytes.toHex(data)}`);
 
-        if (data.length === 0) {
+        if (data.byteLength === 0) {
             throw new BtpFlowError("BTP packet must not be empty");
         }
         const dataReader = new DataReader(data, Endian.Little);

package/src/certificate/AttestationCertificateManager.ts

@@ -40,13 +40,13 @@ export class AttestationCertificateManager {
     readonly #crypto: Crypto;
     readonly #vendorId: VendorId;
     readonly #paiKeyPair: PrivateKey;
-    readonly #paiKeyIdentifier: Uint8Array;
+    readonly #paiKeyIdentifier: Bytes;
     readonly #paaKeyIdentifier = TestCert_PAA_NoVID_SKID;
     readonly #paiCertId = BigInt(1);
     readonly #paiCertBytes;
     #nextCertificateId = 2;
 
-    constructor(crypto: Crypto, vendorId: VendorId, paiKeyPair: PrivateKey, paiKeyIdentifier: Uint8Array) {
+    constructor(crypto: Crypto, vendorId: VendorId, paiKeyPair: PrivateKey, paiKeyIdentifier: Bytes) {
         this.#crypto = crypto;
         this.#vendorId = vendorId;
         this.#paiKeyPair = paiKeyPair;
@@ -56,7 +56,7 @@ export class AttestationCertificateManager {
 
     static async create(crypto: Crypto, vendorId: VendorId) {
         const key = await crypto.createKeyPair();
-        const identifier = await crypto.computeSha256(key.publicKey);
+        const identifier = Bytes.of(await crypto.computeSha256(key.publicKey));
         return new AttestationCertificateManager(crypto, vendorId, key, identifier.slice(0, 20));
     }
 
@@ -145,7 +145,7 @@ export class AttestationCertificateManager {
         return cert.asSignedAsn1();
     }
 
-    async generateDaCert(publicKey: Uint8Array, vendorId: VendorId, productId: number) {
+    async generateDaCert(publicKey: Bytes, vendorId: VendorId, productId: number) {
         const now = Time.get().now();
         const certId = this.#nextCertificateId++;
         const cert = new Dac({
@@ -172,7 +172,7 @@ export class AttestationCertificateManager {
                 keyUsage: {
                     digitalSignature: true,
                 },
-                subjectKeyIdentifier: (await this.#crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: Bytes.of(await this.#crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#paiKeyIdentifier,
             },
         });

package/src/certificate/CertificateAuthority.ts

@@ -35,8 +35,8 @@ export class CertificateAuthority {
     #crypto: Crypto;
     #rootCertId = BigInt(0);
     #rootKeyPair?: PrivateKey;
-    #rootKeyIdentifier?: Uint8Array<ArrayBufferLike>;
-    #rootCertBytes?: Uint8Array<ArrayBufferLike>;
+    #rootKeyIdentifier?: Bytes;
+    #rootCertBytes?: Bytes;
     #nextCertificateId = BigInt(1);
     #construction: Construction<CertificateAuthority>;
 
@@ -59,14 +59,17 @@ export class CertificateAuthority {
             const certValues = options instanceof StorageContext ? await options.values() : (options ?? {});
 
             this.#rootKeyPair = await this.#crypto.createKeyPair();
-            this.#rootKeyIdentifier = (await this.#crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(0, 20);
+            this.#rootKeyIdentifier = Bytes.of(await this.#crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(
+                0,
+                20,
+            );
             this.#rootCertBytes = await this.#generateRootCert();
 
             if (
                 (typeof certValues.rootCertId === "number" || typeof certValues.rootCertId === "bigint") &&
-                (ArrayBuffer.isView(certValues.rootKeyPair) || typeof certValues.rootKeyPair === "object") &&
-                ArrayBuffer.isView(certValues.rootKeyIdentifier) &&
-                ArrayBuffer.isView(certValues.rootCertBytes) &&
+                (Bytes.isBytes(certValues.rootKeyPair) || typeof certValues.rootKeyPair === "object") &&
+                Bytes.isBytes(certValues.rootKeyIdentifier) &&
+                Bytes.isBytes(certValues.rootCertBytes) &&
                 (typeof certValues.nextCertificateId === "number" || typeof certValues.nextCertificateId === "bigint")
             ) {
                 this.#rootCertId = BigInt(certValues.rootCertId);
@@ -99,7 +102,7 @@ export class CertificateAuthority {
         return instance;
     }
 
-    get rootCert() {
+    get rootCert(): Bytes {
         return this.#construction.assert("root cert", this.#rootCertBytes);
     }
 
@@ -140,7 +143,7 @@ export class CertificateAuthority {
     }
 
     async generateNoc(
-        publicKey: Uint8Array,
+        publicKey: Bytes,
         fabricId: FabricId,
         nodeId: NodeId,
         caseAuthenticatedTags?: CaseAuthenticatedTag[],
@@ -163,7 +166,7 @@ export class CertificateAuthority {
                     digitalSignature: true,
                 },
                 extendedKeyUsage: [2, 1],
-                subjectKeyIdentifier: (await this.#crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: Bytes.of(await this.#crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
         });
@@ -190,8 +193,8 @@ export namespace CertificateAuthority {
     export type Configuration = {
         rootCertId: bigint;
         rootKeyPair: BinaryKeyPair;
-        rootKeyIdentifier: Uint8Array;
-        rootCertBytes: Uint8Array;
+        rootKeyIdentifier: Bytes;
+        rootCertBytes: Bytes;
         nextCertificateId: bigint;
     };
 }

package/src/certificate/DeviceCertification.ts

@@ -5,7 +5,7 @@
  */
 
 import { CertificationDeclaration } from "#certificate/kinds/CertificationDeclaration.js";
-import { Construction, Crypto, ImplementationError, InternalError, PrivateKey } from "#general";
+import { Bytes, Construction, Crypto, ImplementationError, InternalError, PrivateKey } from "#general";
 import { NodeSession } from "#session/NodeSession.js";
 import { ProductDescription } from "#types";
 import { AttestationCertificateManager } from "./AttestationCertificateManager.js";
@@ -16,9 +16,9 @@ import { AttestationCertificateManager } from "./AttestationCertificateManager.j
 export class DeviceCertification {
     #crypto: Crypto;
     #privateKey?: PrivateKey;
-    #certificate?: Uint8Array;
-    #intermediateCertificate?: Uint8Array;
-    #declaration?: Uint8Array;
+    #certificate?: Bytes;
+    #intermediateCertificate?: Bytes;
+    #declaration?: Bytes;
     readonly #construction: Construction<DeviceCertification>;
 
     get construction() {
@@ -65,18 +65,16 @@ export class DeviceCertification {
         this.#construction = Construction(this, async () => {
             const config = await configProvider();
 
-            this.#privateKey =
-                config.privateKey instanceof Uint8Array ? PrivateKey(config.privateKey) : config.privateKey;
+            this.#privateKey = Bytes.isBytes(config.privateKey) ? PrivateKey(config.privateKey) : config.privateKey;
             this.#certificate = config.certificate;
             this.#intermediateCertificate = config.intermediateCertificate;
             this.#declaration = config.declaration;
         });
     }
 
-    async sign(session: NodeSession, data: Uint8Array) {
+    async sign(session: NodeSession, data: Bytes) {
         const { privateKey } = this.#assertInitialized();
-        const signature = await this.#crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
-        return signature;
+        return this.#crypto.signEcdsa(privateKey, [data, session.attestationChallengeKey]);
     }
 
     /**
@@ -106,10 +104,10 @@ export class DeviceCertification {
 
 export namespace DeviceCertification {
     export interface Configuration {
-        privateKey: PrivateKey | Uint8Array;
-        certificate: Uint8Array;
-        intermediateCertificate: Uint8Array;
-        declaration: Uint8Array;
+        privateKey: PrivateKey | Bytes;
+        certificate: Bytes;
+        intermediateCertificate: Bytes;
+        declaration: Bytes;
     }
 
     export type Definition = Configuration | (() => Promise<Configuration>);

package/src/certificate/kinds/AttestationCertificates.ts

@@ -26,7 +26,7 @@ export abstract class AttestationBaseCertificate<CT extends X509Certificate> ext
      * Returns the signed certificate in ASN.1 DER format.
      * If the certificate is not signed, it throws a CertificateError.
      */
-    asSignedAsn1(): Uint8Array<ArrayBufferLike> {
+    asSignedAsn1() {
         const certificate = this.genericBuildAsn1Structure(this.cert);
         const certBytes = DerCodec.encode({
             certificate,

package/src/certificate/kinds/CertificationDeclaration.ts

@@ -32,8 +32,8 @@ const TestCMS_SignerSubjectKeyIdentifier = Bytes.fromHex("62FA823359ACFAA9963E1C
 
 /** A Matter Certification Declaration */
 export class CertificationDeclaration {
-    #eContent: Uint8Array;
-    #subjectKeyIdentifier: Uint8Array;
+    #eContent: Bytes;
+    #subjectKeyIdentifier: Bytes;
 
     /**
      * Generator which is the main usage for the class from outside.
@@ -58,10 +58,7 @@ export class CertificationDeclaration {
         return cd.asSignedAsn1(crypto, PrivateKey(TestCMS_SignerPrivateKey));
     }
 
-    constructor(
-        content: TypeFromBitmapSchema<typeof CertificationDeclarationDef.TlvDc>,
-        subjectKeyIdentifier: Uint8Array,
-    ) {
+    constructor(content: TypeFromBitmapSchema<typeof CertificationDeclarationDef.TlvDc>, subjectKeyIdentifier: Bytes) {
         this.#eContent = CertificationDeclarationDef.TlvDc.encode(content);
         this.#subjectKeyIdentifier = subjectKeyIdentifier;
     }

package/src/certificate/kinds/Icac.ts

@@ -17,7 +17,7 @@ import { Rcac } from "./Rcac.js";
  */
 export class Icac extends OperationalBase<OperationalCertificate.Icac> {
     /** Construct the class from a Tlv version of the certificate */
-    static fromTlv(tlv: Uint8Array): Icac {
+    static fromTlv(tlv: Bytes): Icac {
         return new Icac(OperationalCertificate.TlvIcac.decode(tlv));
     }
 
@@ -132,7 +132,7 @@ export class Icac extends OperationalBase<OperationalCertificate.Icac> {
         if (subjectKeyIdentifier === undefined) {
             throw new CertificateError(`Ica certificate must have subjectKeyIdentifier set.`);
         }
-        if (subjectKeyIdentifier.length !== 20) {
+        if (subjectKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Ica certificate subjectKeyIdentifier must be 160 bit.`);
         }
 
@@ -140,7 +140,7 @@ export class Icac extends OperationalBase<OperationalCertificate.Icac> {
         if (authorityKeyIdentifier === undefined) {
             throw new CertificateError(`Ica certificate must have authorityKeyIdentifier set.`);
         }
-        if (authorityKeyIdentifier.length !== 20) {
+        if (authorityKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Ica certificate authorityKeyIdentifier must be 160 bit.`);
         }
 

package/src/certificate/kinds/Noc.ts

@@ -14,7 +14,7 @@ import { Rcac } from "./Rcac.js";
 
 export class Noc extends OperationalBase<OperationalCertificate.Noc> {
     /** Construct the class from a Tlv version of the certificate */
-    static fromTlv(tlv: Uint8Array) {
+    static fromTlv(tlv: Bytes) {
         return new Noc(OperationalCertificate.TlvNoc.decode(tlv));
     }
 
@@ -136,7 +136,7 @@ export class Noc extends OperationalBase<OperationalCertificate.Noc> {
         if (subjectKeyIdentifier === undefined) {
             throw new CertificateError(`Noc certificate must have subjectKeyIdentifier set.`);
         }
-        if (subjectKeyIdentifier.length !== 20) {
+        if (subjectKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Noc certificate subjectKeyIdentifier must be 160 bit.`);
         }
 
@@ -144,7 +144,7 @@ export class Noc extends OperationalBase<OperationalCertificate.Noc> {
         if (authorityKeyIdentifier === undefined) {
             throw new CertificateError(`Noc certificate must have authorityKeyIdentifier set.`);
         }
-        if (authorityKeyIdentifier.length !== 20) {
+        if (authorityKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Noc certificate authorityKeyIdentifier must be 160 bit.`);
         }
 

package/src/certificate/kinds/OperationalBase.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Logger, Time } from "#general";
+import { Bytes, Logger, Time } from "#general";
 import { X509Base } from "./X509Base.js";
 import { CertificateError, Unsigned } from "./common.js";
 import { X509Certificate } from "./definitions/base.js";
@@ -24,7 +24,7 @@ export abstract class OperationalBase<CT extends X509Certificate> extends X509Ba
     protected abstract validateFields(): void;
 
     /** Encodes the signed certificate into the Matter TLV format. */
-    abstract asSignedTlv(signature: Uint8Array<ArrayBufferLike>): Uint8Array;
+    abstract asSignedTlv(signature: Bytes): Bytes;
 
     /**
      * Verifies general requirements a Matter certificate fields must fulfill.
@@ -32,9 +32,9 @@ export abstract class OperationalBase<CT extends X509Certificate> extends X509Ba
      */
     generalVerify() {
         const cert = this.cert;
-        if (cert.serialNumber.length > 20)
+        if (cert.serialNumber.byteLength > 20)
             throw new CertificateError(
-                `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.length} octets.`,
+                `Serial number must not be longer then 20 octets. Current serial number has ${cert.serialNumber.byteLength} octets.`,
             );
 
         if (cert.signatureAlgorithm !== 1) {

package/src/certificate/kinds/Rcac.ts

@@ -13,7 +13,7 @@ import { OperationalBase } from "./OperationalBase.js";
 
 export class Rcac extends OperationalBase<OperationalCertificate.Rcac> {
     /** Construct the class from a Tlv version of the certificate */
-    static fromTlv(tlv: Uint8Array): Rcac {
+    static fromTlv(tlv: Bytes): Rcac {
         return new Rcac(OperationalCertificate.TlvRcac.decode(tlv));
     }
 
@@ -102,7 +102,7 @@ export class Rcac extends OperationalBase<OperationalCertificate.Rcac> {
         if (subjectKeyIdentifier === undefined) {
             throw new CertificateError(`Root certificate must have subjectKeyIdentifier set.`);
         }
-        if (subjectKeyIdentifier.length !== 20) {
+        if (subjectKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Root certificate subjectKeyIdentifier must be 160 bit.`);
         }
 
@@ -110,7 +110,7 @@ export class Rcac extends OperationalBase<OperationalCertificate.Rcac> {
         if (authorityKeyIdentifier === undefined) {
             throw new CertificateError(`Root certificate must have authorityKeyIdentifier set.`);
         }
-        if (authorityKeyIdentifier.length !== 20) {
+        if (authorityKeyIdentifier.byteLength !== 20) {
             throw new CertificateError(`Root certificate authorityKeyIdentifier must be 160 bit.`);
         }
 

package/src/certificate/kinds/X509Base.ts

@@ -42,7 +42,7 @@ import { CertificateExtension } from "./definitions/operational.js";
  * from a CSR.
  */
 export abstract class X509Base<CT extends X509Certificate> {
-    #signature?: Uint8Array;
+    #signature?: Bytes;
     #cert: Unsigned<CT>;
 
     constructor(cert: CT | Unsigned<CT>) {
@@ -75,7 +75,7 @@ export abstract class X509Base<CT extends X509Certificate> {
      * Set the signature of the certificate.
      * If the certificate is already signed, it throws a CertificateError.
      */
-    set signature(signature: Uint8Array) {
+    set signature(signature: Bytes) {
         if (this.isSigned) {
             throw new CertificateError("Certificate is already signed");
         }
@@ -93,7 +93,7 @@ export abstract class X509Base<CT extends X509Certificate> {
     /**
      * Convert the certificate to ASN.1 DER format without signature.
      */
-    asUnsignedAsn1(): Uint8Array<ArrayBufferLike> {
+    asUnsignedAsn1(): Bytes {
         const certBytes = DerCodec.encode(this.genericBuildAsn1Structure(this.cert));
         assertCertificateDerSize(certBytes);
         return certBytes;
@@ -273,10 +273,10 @@ export abstract class X509Base<CT extends X509Certificate> {
                     asn.extendedKeyUsage = X509.ExtendedKeyUsage(value as number[] | undefined);
                     break;
                 case "subjectKeyIdentifier":
-                    asn.subjectKeyIdentifier = X509.SubjectKeyIdentifier(value as Uint8Array);
+                    asn.subjectKeyIdentifier = X509.SubjectKeyIdentifier(value as Bytes);
                     break;
                 case "authorityKeyIdentifier":
-                    asn.authorityKeyIdentifier = X509.AuthorityKeyIdentifier(value as Uint8Array);
+                    asn.authorityKeyIdentifier = X509.AuthorityKeyIdentifier(value as Bytes);
                     break;
                 case "futureExtension":
                     asn.futureExtension = RawBytes(Bytes.concat(...((value as Uint8Array[] | undefined) ?? [])));
@@ -340,7 +340,7 @@ export abstract class X509Base<CT extends X509Certificate> {
     /**
      * Extract the public key from a Certificate Signing Request (CSR) in ASN.1 DER format.
      */
-    static async getPublicKeyFromCsr(crypto: Crypto, encodedCsr: Uint8Array) {
+    static async getPublicKeyFromCsr(crypto: Crypto, encodedCsr: Bytes) {
         const { [DerKey.Elements]: rootElements } = DerCodec.decode(encodedCsr);
         if (rootElements?.length !== 3) {
             throw new CertificateError("Invalid CSR data");
@@ -353,7 +353,7 @@ export abstract class X509Base<CT extends X509Certificate> {
             throw new CertificateError("Invalid CSR data");
         }
         const [versionNode, subjectNode, publicKeyNode] = requestElements;
-        const requestVersionBytes = versionNode[DerKey.Bytes];
+        const requestVersionBytes = Bytes.of(versionNode[DerKey.Bytes]);
         if (requestVersionBytes.length !== 1 || requestVersionBytes[0] !== 0) {
             throw new CertificateError(`Unsupported CSR version ${requestVersionBytes[0]}`);
         }

package/src/certificate/kinds/common.ts

@@ -3,7 +3,7 @@
  * Copyright 2022-2025 Matter.js Authors
  * SPDX-License-Identifier: Apache-2.0
  */
-import { ImplementationError, MatterError } from "#general";
+import { Bytes, ImplementationError, MatterError } from "#general";
 
 /**
  * Matter specific Certificate Sizes
@@ -15,10 +15,10 @@ export class CertificateError extends MatterError {}
 
 export type Unsigned<Type> = { [Property in keyof Type as Exclude<Property, "signature">]: Type[Property] };
 
-export function assertCertificateDerSize(certBytes: Uint8Array) {
-    if (certBytes.length > MAX_DER_CERTIFICATE_SIZE) {
+export function assertCertificateDerSize(certBytes: Bytes) {
+    if (certBytes.byteLength > MAX_DER_CERTIFICATE_SIZE) {
         throw new ImplementationError(
-            `Certificate to generate is too big: ${certBytes.length} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
+            `Certificate to generate is too big: ${certBytes.byteLength} bytes instead of max ${MAX_DER_CERTIFICATE_SIZE} bytes`,
         );
     }
 }

package/src/certificate/kinds/definitions/base.ts

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import { BitFlag, BitmapSchema, TypeFromPartialBitSchema } from "#types";
+import { Bytes } from "@matter/general";
 
 export const ExtensionKeyUsageBitmap = {
     digitalSignature: BitFlag(0),
@@ -19,7 +20,7 @@ export const ExtensionKeyUsageBitmap = {
 export const ExtensionKeyUsageSchema = BitmapSchema(ExtensionKeyUsageBitmap);
 
 export interface X509Certificate {
-    serialNumber: Uint8Array;
+    serialNumber: Bytes;
     signatureAlgorithm: number;
     issuer: {};
     notBefore: number;
@@ -27,7 +28,7 @@ export interface X509Certificate {
     subject: {};
     publicKeyAlgorithm: number;
     ellipticCurveIdentifier: number;
-    ellipticCurvePublicKey: Uint8Array;
+    ellipticCurvePublicKey: Bytes;
     extensions: {
         basicConstraints: {
             isCa: boolean;
@@ -35,9 +36,9 @@ export interface X509Certificate {
         };
         keyUsage: TypeFromPartialBitSchema<typeof ExtensionKeyUsageBitmap>;
         extendedKeyUsage?: number[];
-        subjectKeyIdentifier: Uint8Array;
-        authorityKeyIdentifier: Uint8Array;
-        futureExtension?: Uint8Array[];
+        subjectKeyIdentifier: Bytes;
+        authorityKeyIdentifier: Bytes;
+        futureExtension?: Bytes[];
     };
-    signature: Uint8Array;
+    signature: Bytes;
 }

package/src/codec/BtpCodec.ts

@@ -24,11 +24,11 @@ export interface BtpPacketPayload {
     ackNumber?: number;
     sequenceNumber: number;
     messageLength?: number;
-    segmentPayload?: Uint8Array;
+    segmentPayload?: Bytes;
 }
 
 export interface DecodedBtpPacketPayload extends BtpPacketPayload {
-    segmentPayload: Uint8Array;
+    segmentPayload: Bytes;
 }
 
 export interface BtpHeader {
@@ -66,12 +66,12 @@ export enum BtpOpcode {
 const HANDSHAKE_HEADER = 0b01100101;
 
 export class BtpCodec {
-    static decodeBtpHandshakeRequest(data: Uint8Array): BtpHandshakeRequest {
+    static decodeBtpHandshakeRequest(data: Bytes): BtpHandshakeRequest {
         const reader = new DataReader(data, Endian.Little);
         return this.decodeHandshakeRequestPayload(reader);
     }
 
-    static decodeBtpPacket(data: Uint8Array): DecodedBtpPacket {
+    static decodeBtpPacket(data: Bytes): DecodedBtpPacket {
         const reader = new DataReader(data, Endian.Little);
 
         const header = this.decodeBtpPacketHeader(reader);
@@ -82,11 +82,11 @@ export class BtpCodec {
         };
     }
 
-    static encodeBtpPacket({ header, payload }: BtpPacket): Uint8Array {
+    static encodeBtpPacket({ header, payload }: BtpPacket): Bytes {
         return Bytes.concat(this.encodeBtpPacketHeader(header), this.encodeBtpPacketPayload(header, payload));
     }
 
-    static encodeBtpHandshakeRequest({ versions, attMtu, clientWindowSize }: BtpHandshakeRequest): Uint8Array {
+    static encodeBtpHandshakeRequest({ versions, attMtu, clientWindowSize }: BtpHandshakeRequest): Bytes {
         const writer = new DataWriter(Endian.Little);
         writer.writeUInt8(HANDSHAKE_HEADER);
         writer.writeUInt8(BtpOpcode.HandshakeManagementOpcode);
@@ -99,7 +99,7 @@ export class BtpCodec {
         return writer.toByteArray();
     }
 
-    static encodeBtpHandshakeResponse({ version, attMtu, windowSize }: BtpHandshakeResponse): Uint8Array {
+    static encodeBtpHandshakeResponse({ version, attMtu, windowSize }: BtpHandshakeResponse): Bytes {
         const writer = new DataWriter(Endian.Little);
         writer.writeUInt8(HANDSHAKE_HEADER);
         writer.writeUInt8(BtpOpcode.HandshakeManagementOpcode);
@@ -125,7 +125,7 @@ export class BtpCodec {
     private static encodeBtpPacketPayload(
         { hasAckNumber, isBeginningSegment, isContinuingSegment, isEndingSegment }: BtpHeader,
         { ackNumber, sequenceNumber, messageLength, segmentPayload }: BtpPacketPayload,
-    ): Uint8Array {
+    ): Bytes {
         const writer = new DataWriter(Endian.Little);
 
         // Validate Header against Payload fields to make sure they match together
@@ -143,7 +143,7 @@ export class BtpCodec {
         }
         if (
             (isBeginningSegment || isContinuingSegment) &&
-            (segmentPayload === undefined || segmentPayload.length === 0)
+            (segmentPayload === undefined || segmentPayload.byteLength === 0)
         ) {
             throw new BtpProtocolError("Payload needs to be set because header flag indicates a message with payload.");
         }
@@ -211,7 +211,7 @@ export class BtpCodec {
         return { versions, attMtu, clientWindowSize };
     }
 
-    static decodeBtpHandshakeResponsePayload(data: Uint8Array): BtpHandshakeResponse {
+    static decodeBtpHandshakeResponsePayload(data: Bytes): BtpHandshakeResponse {
         const reader = new DataReader(data, Endian.Little);
         const header = reader.readUInt8();
         if (header !== HANDSHAKE_HEADER) {
@@ -259,7 +259,7 @@ export class BtpCodec {
         isEndingSegment,
         isContinuingSegment,
         isBeginningSegment,
-    }: BtpHeader): Uint8Array {
+    }: BtpHeader): Bytes {
         const writer = new DataWriter(Endian.Little);
 
         if (isHandshakeRequest || hasManagementOpcode) {
@@ -300,7 +300,7 @@ export class BtpCodec {
         return writer.toByteArray();
     }
 
-    static decodeBleAdvertisementData(data: Uint8Array) {
+    static decodeBleAdvertisementData(data: Bytes) {
         const reader = new DataReader(data, Endian.Little);
         if (
             reader.readUInt8() !== 0x02 ||
@@ -320,7 +320,7 @@ export class BtpCodec {
         return { discriminator, vendorId, productId, hasAdditionalAdvertisementData };
     }
 
-    static decodeBleAdvertisementServiceData(data: Uint8Array) {
+    static decodeBleAdvertisementServiceData(data: Bytes) {
         const reader = new DataReader(data, Endian.Little);
         if (reader.readUInt8() !== 0x00) {
             throw new BleError("Invalid BLE advertisement data");