From 6004a21f35188fb36c726c248d94bf3e68834f68 Mon Sep 17 00:00:00 2001
From: FFMMM
Date: Wed, 3 Nov 2021 12:21:24 -0700
Subject: [PATCH] fix aws pca certs (#11470)

Signed-off-by: FFMMM
---
 agent/connect/ca/provider_aws.go      | 14 +++++++-------
 agent/connect/ca/provider_aws_test.go | 25 ++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/agent/connect/ca/provider_aws.go b/agent/connect/ca/provider_aws.go
index 92d19267cf..170728a0a2 100644
--- a/agent/connect/ca/provider_aws.go
+++ b/agent/connect/ca/provider_aws.go
@@ -359,15 +359,15 @@ func (a *AWSProvider) loadCACerts() error {
 
 	if a.isPrimary {
 		// Just use the cert as a root
-		a.rootPEM = *output.Certificate
+		a.rootPEM = EnsureTrailingNewline(*output.Certificate)
 	} else {
-		a.intermediatePEM = *output.Certificate
+		a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)
 		// TODO(banks) support user-supplied CA being a Subordinate even in the
 		// primary DC. For now this assumes there is only one cert in the chain
 		if output.CertificateChain == nil {
 			return fmt.Errorf("Subordinate CA %s returned no chain", a.arn)
 		}
-		a.rootPEM = *output.CertificateChain
+		a.rootPEM = EnsureTrailingNewline(*output.CertificateChain)
 	}
 	return nil
 }
@@ -485,7 +485,7 @@ func (a *AWSProvider) signCSR(csrPEM string, templateARN string, ttl time.Durati
 	}
 
 	if certOutput.Certificate != nil {
-		return true, *certOutput.Certificate, nil
+		return true, EnsureTrailingNewline(*certOutput.Certificate), nil
 	}
 
 	return false, "", nil
@@ -540,9 +540,9 @@ func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) er
 		return err
 	}
 
-	// We succsefully initialized, keep track of the root and intermediate certs.
-	a.rootPEM = rootPEM
-	a.intermediatePEM = intermediatePEM
+	// We successfully initialized, keep track of the root and intermediate certs.
+	a.rootPEM = EnsureTrailingNewline(rootPEM)
+	a.intermediatePEM = EnsureTrailingNewline(intermediatePEM)
 	return nil
 }
 
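Review bot: The new lines `a.rootPEM = EnsureTrailingNewline(*output.Certificate)` and `a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)` in loadCACerts still dereference `output.Certificate` without a guard, while `output.CertificateChain` is nil-checked two lines below and signCSR in the second hunk only dereferences `certOutput.Certificate` after its `!= nil` test. The SDK models the field as a pointer, so a response carrying no certificate would presumably panic the agent here rather than surface as an error. Suggest a guard ahead of the `if a.isPrimary` branch, in the style of the existing chain check: `if output.Certificate == nil { return fmt.Errorf("CA %s returned no certificate", a.arn) }`. loadCACerts, signCSR and SetIntermediate all begin outside their hunks.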
diff --git a/agent/connect/ca/provider_aws_test.go b/agent/connect/ca/provider_aws_test.go
index 4a5436caa1..23d64d474b 100644
--- a/agent/connect/ca/provider_aws_test.go
+++ b/agent/connect/ca/provider_aws_test.go
@@ -3,6 +3,7 @@ package ca
 import (
 	"os"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -114,7 +115,7 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
 
 	// TEST LOAD FROM PREVIOUS STATE
 	{
-		// Now create new providers fromthe state of the first ones simulating
+		// Now create new providers from the state of the first ones simulating
 		// leadership change in both DCs
 		t.Log("Restarting Providers with State")
 
@@ -179,6 +180,28 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
 		testSignAndValidate(t, p1, rootPEM, nil)
 		testSignAndValidate(t, p2, rootPEM, []string{intPEM})
 	}
+
+	// Test that SetIntermediate() gives back certs with trailing new lines
+	{
+
+		// "Set" root, intermediate certs without a trailing new line
+		newIntPEM := strings.TrimSuffix(intPEM, "\n")
+		newRootPEM := strings.TrimSuffix(rootPEM, "\n")
+
+		cfg2 := testProviderConfigSecondary(t, map[string]interface{}{
+			"ExistingARN": p2State[AWSStateCAARNKey],
+		})
+		p2 = testAWSProvider(t, cfg2)
+		require.NoError(t, p2.SetIntermediate(newIntPEM, newRootPEM))
+
+		newRootPEM, err = p1.ActiveRoot()
+		require.NoError(t, err)
+		newIntPEM, err = p2.ActiveIntermediate()
+		require.NoError(t, err)
+
+		require.Equal(t, rootPEM, newRootPEM)
+		require.Equal(t, intPEM, newIntPEM)
+	}
 }
 
 func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) {
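Review bot: In the new test block the root assertion reads `newRootPEM, err = p1.ActiveRoot()`, but the trimmed `newRootPEM` was handed to `p2.SetIntermediate`, so the value compared against `rootPEM` comes from p1, which this block never touches, and the root half of the trailing-newline normalization in SetIntermediate is not actually exercised. If the secondary provider's ActiveRoot returns the PEM that SetIntermediate stored, the line should be `newRootPEM, err = p2.ActiveRoot()`, which would then fail without the provider_aws.go change. The block also reuses `err` and `p2` declared earlier in TestAWSBootstrapAndSignSecondary, whose body starts outside the hunk.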