From edee7030e4deee4e95e68daa1623ea305ce202e5 Mon Sep 17 00:00:00 2001
From: Piotr Mrowczynski
Date: Fri, 25 May 2018 12:29:38 +0200
Subject: [PATCH] Strip signed certificate

Certificate (ca.crt) has to be striped for some application parsers as they might require pure base64 representation of certificate itself, without empty characters at the beginning nor the end of file
Change-Id: I5f58e19d03abdf040b9a5b5df2f4dd83b4c0e3a9
Closes-Bug: #1775342
---
 magnum/common/x509/operations.py | 2 +-
 magnum/tests/unit/common/x509/test_sign.py | 16 ++++++++++++++++
 .../strip-ca-certificate-a09d0c31c45973df.yaml | 7 +++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/strip-ca-certificate-a09d0c31c45973df.yaml
diff --git a/magnum/common/x509/operations.py b/magnum/common/x509/operations.py
index 5d3c5a850a..1b63b268d0 100644
--- a/magnum/common/x509/operations.py
+++ b/magnum/common/x509/operations.py
@@ -226,7 +226,7 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
 certificate = builder.sign( private_key=ca_key, algorithm=hashes.SHA256(), backend=default_backend()
- ).public_bytes(serialization.Encoding.PEM)
+ ).public_bytes(serialization.Encoding.PEM).strip()
 return certificate
diff --git a/magnum/tests/unit/common/x509/test_sign.py b/magnum/tests/unit/common/x509/test_sign.py
index 19dcdbfaaa..501ed800a3 100644
--- a/magnum/tests/unit/common/x509/test_sign.py
+++ b/magnum/tests/unit/common/x509/test_sign.py
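Review bot: In the `sign` hunk of operations.py, `.strip()` on the PEM bytes also removes the newline after the `-----END CERTIFICATE-----` line, and the new code does not record that the return value no longer ends with a line terminator. A consumer that builds a bundle by concatenating this certificate with another PEM block would produce a fused `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` boundary, which PEM parsers reject. Whether such a caller exists cannot be seen here, because `sign` starts and ends outside the hunk. I would add a comment above the return, for example `# PEM is returned without surrounding whitespace (bug 1775342); re-add a newline before concatenating with other PEM blocks.`, and state the changed contract in the function's docstring.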
@@ -223,6 +223,22 @@ class TestX509(base.BaseTestCase):
 skip_validation=True)
 mock_six.assert_called_once_with(csr)
+ @mock.patch('cryptography.x509.load_pem_x509_csr')
+ def test_sign_empty_chars(self, mock_load_pem):
+ ca_key = self._generate_private_key()
+ private_key = self._generate_private_key()
+ csr_obj = self._build_csr(private_key)
+ csr = csr_obj.public_bytes(serialization.Encoding.PEM)
+ csr = six.text_type(csr.decode('utf-8'))
+
+ mock_load_pem.return_value = csr_obj
+ certificate = operations.sign(csr, self.issuer_name,
+ ca_key, skip_validation=True)
+
+ # Certificate has to be striped for some parsers
+ self.assertEqual(certificate,
+ certificate.strip())
+
 def test_sign_with_invalid_csr(self):
 ca_key = self._generate_private_key()
 csr = 'test'
diff --git a/releasenotes/notes/strip-ca-certificate-a09d0c31c45973df.yaml b/releasenotes/notes/strip-ca-certificate-a09d0c31c45973df.yaml
new file mode 100644
index 0000000000..efc3b7c456
--- /dev/null
+++ b/releasenotes/notes/strip-ca-certificate-a09d0c31c45973df.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Strip signed certificate. Certificate (ca.crt) has to be striped
+ for some application parsers as they might require pure base64
+ representation of the certificate itself, without empty characters
+ at the beginning nor the end of file.
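Review bot: `test_sign_empty_chars` in test_sign.py only asserts `certificate == certificate.strip()`, which an empty or truncated return value would also satisfy, so it does not show that the stripped output is still a complete PEM certificate. Since `sign` returns the bytes produced by `public_bytes(serialization.Encoding.PEM).strip()`, I would pin the envelope next to the existing assertion with `self.assertTrue(certificate.startswith(b'-----BEGIN CERTIFICATE-----'))` and `self.assertTrue(certificate.endswith(b'-----END CERTIFICATE-----'))`. That turns the test into a check of the contract downstream parsers rely on, rather than of whitespace alone.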