Allow generation of no-ICAC cert chains in Python tests (project-chip#38445)

* Allow generation of no-ICAC cert chains in Python tests

- Allow generation of no-ICAC cert chains (valid) in Python tests
- Cache steps list to avoid possible recursive calls in upcoming
  PR in matter_testing_support.py

Testing done:

- All existing tests still pass

* Restyled by clang-format

* Fix lint

* Backport project-chip#38467

---------

Co-authored-by: Restyled.io <[email protected]>

Author: tcarmelveilleux

src/controller/ExampleOperationalCredentialsIssuer.cpp

@@ -182,8 +182,8 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::Initialize(PersistentStorageDele
     {
         ChipLogProgress(Controller, "Couldn't get %s from storage: %s", kOperationalCredentialsIssuerKeypairStorage, ErrorStr(err));
         // Storage doesn't have an existing keypair. Let's create one and add it to the storage.
-        ReturnErrorOnFailure(mIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
-        ReturnErrorOnFailure(mIssuer.Serialize(serializedKey));
+        ReturnErrorOnFailure(mRootIssuer.Initialize(Crypto::ECPKeyTarget::ECDSA));
+        ReturnErrorOnFailure(mRootIssuer.Serialize(serializedKey));
 
         PERSISTENT_KEY_OP(mIndex, kOperationalCredentialsIssuerKeypairStorage, key,
                           ReturnErrorOnFailure(
@@ -192,7 +192,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::Initialize(PersistentStorageDele
     else
     {
         // Use the keypair from the storage
-        ReturnErrorOnFailure(mIssuer.Deserialize(serializedKey));
+        ReturnErrorOnFailure(mRootIssuer.Deserialize(serializedKey));
     }
 
     {
@@ -251,16 +251,16 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
         rcac.reduce_size(rcacBufLen);
         ReturnErrorOnFailure(ExtractSubjectDNFromX509Cert(rcac, rcac_dn));
         ReturnErrorOnFailure(rcac_dn.GetCertChipId(rcacId));
-        VerifyOrReturnError(rcacId == mIssuerId, CHIP_ERROR_INTERNAL);
+        VerifyOrReturnError(rcacId == mRootIssuerId, CHIP_ERROR_INTERNAL);
     }
     // If root certificate not found in the storage, generate new root certificate.
     else
     {
-        ReturnErrorOnFailure(rcac_dn.AddAttribute_MatterRCACId(mIssuerId));
+        ReturnErrorOnFailure(rcac_dn.AddAttribute_MatterRCACId(mRootIssuerId));
 
         ChipLogProgress(Controller, "Generating RCAC");
         ReturnErrorOnFailure(IssueX509Cert(mNow, mValidity, rcac_dn, rcac_dn, CertType::kRcac, mUseMaximallySizedCerts,
-                                           mIssuer.Pubkey(), mIssuer, rcac));
+                                           mRootIssuer.Pubkey(), mRootIssuer, rcac));
         VerifyOrReturnError(CanCastTo<uint16_t>(rcac.size()), CHIP_ERROR_INTERNAL);
 
         // Re-extract DN based on final generated cert
@@ -296,7 +296,7 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
 
         ChipLogProgress(Controller, "Generating ICAC");
         ReturnErrorOnFailure(IssueX509Cert(mNow, mValidity, rcac_dn, icac_dn, CertType::kIcac, mUseMaximallySizedCerts,
-                                           mIntermediateIssuer.Pubkey(), mIssuer, icac));
+                                           mIntermediateIssuer.Pubkey(), mRootIssuer, icac));
         VerifyOrReturnError(CanCastTo<uint16_t>(icac.size()), CHIP_ERROR_INTERNAL);
 
         // Re-extract DN based on final generated cert
@@ -313,8 +313,22 @@ CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChainAfterValidation(
     ReturnErrorOnFailure(noc_dn.AddCATs(cats));
 
     ChipLogProgress(Controller, "Generating NOC");
-    return IssueX509Cert(mNow, mValidity, icac_dn, noc_dn, CertType::kNoc, mUseMaximallySizedCerts, pubkey, mIntermediateIssuer,
-                         noc);
+    if (mAlwaysOmitIcac)
+    {
+        icac.reduce_size(0);
+        err = IssueX509Cert(mNow, mValidity, rcac_dn, noc_dn, CertType::kNoc, mUseMaximallySizedCerts, pubkey, mRootIssuer, noc);
+    }
+    else
+    {
+        err = IssueX509Cert(mNow, mValidity, icac_dn, noc_dn, CertType::kNoc, mUseMaximallySizedCerts, pubkey, mIntermediateIssuer,
+                            noc);
+    }
+
+    if (err != CHIP_NO_ERROR)
+    {
+        ChipLogError(Controller, "Failed to Generate NOC: %" CHIP_ERROR_FORMAT, err.Format());
+    }
+    return err;
 }
 
 CHIP_ERROR ExampleOperationalCredentialsIssuer::GenerateNOCChain(const ByteSpan & csrElements, const ByteSpan & csrNonce,

src/controller/ExampleOperationalCredentialsIssuer.h

@@ -67,6 +67,9 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
 
     void SetMaximallyLargeCertsUsed(bool areMaximallyLargeCertsUsed) { mUseMaximallySizedCerts = areMaximallyLargeCertsUsed; }
 
+    // When enabled, chains will be Root -> NOC, for the given fabric ID, and not include an ICAC.
+    void SetAlwaysOmitIcac(bool enabled) { mAlwaysOmitIcac = enabled; }
+
     void SetFabricIdForNextNOCRequest(FabricId fabricId) override { mNextFabricId = fabricId; }
 
     void SetCATValuesForNextNOCRequest(CATValues cats) { mNextCATs = cats; }
@@ -84,7 +87,7 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
     [[deprecated("This class stores the encryption key in clear storage. Don't use it for production code.")]] CHIP_ERROR
     Initialize(PersistentStorageDelegate & storage);
 
-    void SetIssuerId(uint32_t id) { mIssuerId = id; }
+    void SetIssuerId(uint32_t id) { mRootIssuerId = id; }
 
     void SetCurrentEpoch(uint32_t epoch) { mNow = epoch; }
 
@@ -109,10 +112,10 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
                                                MutableByteSpan & noc);
 
 private:
-    Crypto::P256Keypair mIssuer;
+    Crypto::P256Keypair mRootIssuer;
     Crypto::P256Keypair mIntermediateIssuer;
     bool mInitialized              = false;
-    uint32_t mIssuerId             = 1;
+    uint32_t mRootIssuerId         = 1;
     uint32_t mIntermediateIssuerId = 2;
     uint32_t mNow                  = 0;
 
@@ -122,6 +125,7 @@ class DLL_EXPORT ExampleOperationalCredentialsIssuer : public OperationalCredent
     NodeId mNextAvailableNodeId          = 1;
     PersistentStorageDelegate * mStorage = nullptr;
     bool mUseMaximallySizedCerts         = false;
+    bool mAlwaysOmitIcac                 = false;
 
     NodeId mNextRequestedNodeId = 1;
     FabricId mNextFabricId      = 1;

src/controller/python/ChipDeviceController-IssueNocChain.cpp

@@ -80,9 +80,17 @@ void pychip_DeviceController_IssueNOCChainCallback(void * context, CHIP_ERROR st
     chipRcacSpan = MutableByteSpan(chipRcac.Get(), Credentials::kMaxCHIPCertLength);
 
     SuccessOrExit(err = ConvertX509CertToChipCert(noc, chipNocSpan));
-    SuccessOrExit(err = ConvertX509CertToChipCert(icac, chipIcacSpan));
     SuccessOrExit(err = ConvertX509CertToChipCert(rcac, chipRcacSpan));
 
+    if (!icac.empty())
+    {
+        SuccessOrExit(err = ConvertX509CertToChipCert(icac, chipIcacSpan));
+    }
+    else
+    {
+        chipIcacSpan.reduce_size(0);
+    }
+
 exit:
     if (err == CHIP_NO_ERROR)
     {

src/controller/python/OpCredsBinding.cpp

@@ -92,6 +92,8 @@ class OperationalCredentialsAdapter : public OperationalCredentialsDelegate
         return mExampleOpCredsIssuer.GenerateNOCChainAfterValidation(nodeId, fabricId, cats, pubKey, rcac, icac, noc);
     }
 
+    void SetAlwaysOmitIcac(bool enabled) { mExampleOpCredsIssuer.SetAlwaysOmitIcac(enabled); }
+
     void SetMaximallyLargeCertsUsed(bool enabled) { mExampleOpCredsIssuer.SetMaximallyLargeCertsUsed(enabled); }
 
     void SetCertificateValidityPeriod(uint32_t validity) { mExampleOpCredsIssuer.SetCertificateValidityPeriod(validity); }
@@ -652,6 +654,15 @@ PyChipError pychip_OpCreds_SetMaximallyLargeCertsUsed(OpCredsContext * context,
     return ToPyChipError(CHIP_NO_ERROR);
 }
 
+PyChipError pychip_OpCreds_SetAlwaysOmitIcac(OpCredsContext * context, bool enabled)
+{
+    VerifyOrReturnError(context != nullptr && context->mAdapter != nullptr, ToPyChipError(CHIP_ERROR_INCORRECT_STATE));
+
+    context->mAdapter->SetAlwaysOmitIcac(enabled);
+
+    return ToPyChipError(CHIP_NO_ERROR);
+}
+
 PyChipError pychip_OpCreds_SetCertificateValidityPeriod(OpCredsContext * context, uint32_t validity)
 {
     VerifyOrReturnError(context != nullptr && context->mAdapter != nullptr, ToPyChipError(CHIP_ERROR_INCORRECT_STATE));

src/controller/python/chip/CertificateAuthority.py

@@ -80,6 +80,9 @@ def __init__(self, chipStack: ChipStack.ChipStack, caIndex: int, persistentStora
         self._Handle().pychip_OpCreds_SetMaximallyLargeCertsUsed.restype = PyChipError
         self._Handle().pychip_OpCreds_SetMaximallyLargeCertsUsed.argtypes = [ctypes.c_void_p, ctypes.c_bool]
 
+        self._Handle().pychip_OpCreds_SetAlwaysOmitIcac.restype = PyChipError
+        self._Handle().pychip_OpCreds_SetAlwaysOmitIcac.argtypes = [ctypes.c_void_p, ctypes.c_bool]
+
         self._Handle().pychip_OpCreds_SetCertificateValidityPeriod.restype = PyChipError
         self._Handle().pychip_OpCreds_SetCertificateValidityPeriod.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
 
@@ -88,6 +91,7 @@ def __init__(self, chipStack: ChipStack.ChipStack, caIndex: int, persistentStora
 
         self._persistentStorage = persistentStorage
         self._maximizeCertChains = False
+        self._alwaysOmitIcac = False
         self._certificateValidityPeriodSec = CERTIFICATE_VALIDITY_PERIOD_SEC
 
         self._closure = self._chipStack.Call(
@@ -196,6 +200,10 @@ def adminList(self) -> list[FabricAdmin.FabricAdmin]:
     def maximizeCertChains(self) -> bool:
         return self._maximizeCertChains
 
+    @property
+    def alwaysOmitIcac(self) -> bool:
+        return self._alwaysOmitIcac
+
     @property
     def certificateValidityPeriodSec(self) -> int:
         return self._certificateValidityPeriodSec
@@ -208,6 +216,14 @@ def maximizeCertChains(self, enabled: bool):
 
         self._maximizeCertChains = enabled
 
+    @alwaysOmitIcac.setter
+    def alwaysOmitIcac(self, enabled: bool):
+        self._chipStack.Call(
+            lambda: self._Handle().pychip_OpCreds_SetAlwaysOmitIcac(ctypes.c_void_p(self._closure), ctypes.c_bool(enabled))
+        ).raise_on_error()
+
+        self._alwaysOmitIcac = enabled
+
     @certificateValidityPeriodSec.setter
     def certificateValidityPeriodSec(self, validity: int):
         if validity < 0: