cert-request: accept CSRs with extraneous data

The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

ipalib/pkcs10.py

@@ -26,7 +26,7 @@ import cryptography.x509
 
 def strip_header(csr):
     """
-    Remove the header and footer from a CSR.
+    Remove the header and footer (and surrounding material) from a CSR.
     """
     headerlen = 40
     s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")

ipaserver/plugins/cert.py

@@ -26,7 +26,7 @@ from operator import attrgetter
 import os
 
 import cryptography.x509
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 import six
 
 from ipalib import Command, Str, Int, Flag
@@ -750,8 +750,11 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 
         # Request the certificate
         try:
+            # re-serialise to PEM, in case the user-supplied data has
+            # extraneous material that will cause Dogtag to freak out
+            csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM)
             result = self.Backend.ra.request_certificate(
-                csr, profile_id, ca_id, request_type=request_type)
+                csr_pem, profile_id, ca_id, request_type=request_type)
         except errors.HTTPRequestError as e:
             if e.status == 409:  # pylint: disable=no-member
                 raise errors.CertificateOperationError(