func newClientCertificate()

in internal/alloydb/refresh.go [164:223]


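// newClientCertificate pairs the PEM-encoded private key with the certificate
// chain returned for inst and parses the instance CA certificate.
//
// chain is the list of PEM certificates with the client (leaf) certificate
// first; keyPEM is the PEM-encoded private key for that leaf; caCertRaw is the
// PEM-encoded CA certificate. The caCert is only parsed and returned here —
// this function performs no chain-to-CA signature verification, so trust
// decisions must be made where the TLS configuration is built.
//
// Every failure is wrapped in an errtype.RefreshError carrying inst so the
// caller can attribute it to the instance being refreshed.
func newClientCertificate(
	inst InstanceURI,
	keyPEM []byte,
	chain []string,
	caCertRaw string,
) (cc *clientCertificate, err error) {
	// Join with a newline so adjacent PEM blocks are separated even if the
	// individual entries lack a trailing newline.
	certPEMBlock := []byte(strings.Join(chain, "\n"))
	cert, err := tls.X509KeyPair(certPEMBlock, keyPEM)
	if err != nil {
		return nil, errtype.NewRefreshError(
			"create ephemeral cert failed",
			inst.String(),
			err,
		)
	}

	caCertPEMBlock, _ := pem.Decode([]byte(caCertRaw))
	if caCertPEMBlock == nil {
		return nil, errtype.NewRefreshError(
			"create ephemeral cert failed",
			inst.String(),
			errors.New("no PEM data found in the ca cert"),
		)
	}
	caCert, err := x509.ParseCertificate(caCertPEMBlock.Bytes)
	if err != nil {
		return nil, errtype.NewRefreshError(
			"create ephemeral cert failed",
			inst.String(),
			err,
		)
	}

	// Parse the leaf from the DER that X509KeyPair actually paired with the
	// key (cert.Certificate is non-empty whenever X509KeyPair succeeds).
	// Re-decoding chain[0] could pick a non-CERTIFICATE PEM block that
	// X509KeyPair skipped, so the leaf used for expiry and cert.Leaf would not
	// be the one the key was validated against.
	clientCert, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, errtype.NewRefreshError(
			"create ephemeral cert failed",
			inst.String(),
			err,
		)
	}
	// Cache the parsed leaf so the TLS handshake does not re-parse it.
	cert.Leaf = clientCert

	return &clientCertificate{
		certChain: cert,
		caCert:    caCert,
		// The leaf's NotAfter drives the refresh schedule.
		expiry: clientCert.NotAfter,
	}, nil
}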