Merge "Strip signed certificate" into stable/queens

magnum/common/x509/operations.py

@@ -226,7 +226,7 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
     certificate = builder.sign(
         private_key=ca_key, algorithm=hashes.SHA256(),
         backend=default_backend()
-    ).public_bytes(serialization.Encoding.PEM)
+    ).public_bytes(serialization.Encoding.PEM).strip()
 
     return certificate
 

magnum/tests/unit/common/x509/test_sign.py

@@ -223,6 +223,22 @@ class TestX509(base.BaseTestCase):
                         skip_validation=True)
         mock_six.assert_called_once_with(csr)
 
+    @mock.patch('cryptography.x509.load_pem_x509_csr')
+    def test_sign_empty_chars(self, mock_load_pem):
+        ca_key = self._generate_private_key()
+        private_key = self._generate_private_key()
+        csr_obj = self._build_csr(private_key)
+        csr = csr_obj.public_bytes(serialization.Encoding.PEM)
+        csr = six.text_type(csr.decode('utf-8'))
+
+        mock_load_pem.return_value = csr_obj
+        certificate = operations.sign(csr, self.issuer_name,
+                                      ca_key, skip_validation=True)
+
+        # Certificate has to be striped for some parsers
+        self.assertEqual(certificate,
+                         certificate.strip())
+
     def test_sign_with_invalid_csr(self):
         ca_key = self._generate_private_key()
         csr = 'test'

releasenotes/notes/strip-ca-certificate-a09d0c31c45973df.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Strip signed certificate. Certificate (ca.crt) has to be striped
+    for some application parsers as they might require pure base64
+    representation of the certificate itself, without empty characters
+    at the beginning nor the end of file.