func GetCertStoreSigner()

in aws_signing_helper/cert_store_signer_darwin.go [133:209]


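// GetCertStoreSigner looks up the Security framework identities that match
// certIdentifier and returns a Signer backed by the selected one, together
// with the signing algorithm identifier derived from its public key type
// (aws4_x509_ecdsa_sha256 for ECDSA keys, aws4_x509_rsa_sha256 for RSA keys).
//
// When useLatestExpiringCert is true and several identities match, the
// containers are sorted with CertificateContainerList and the last element is
// selected (this relies on that ordering placing the latest-expiring
// certificate last — confirm against CertificateContainerList's Less); the
// references of the other identities are released immediately. When it is
// false, more than one match is rejected so that a caller never signs with an
// ambiguously chosen identity.
//
// An error is returned when no identity matches, when the match is ambiguous,
// when the certificate's public key is neither ECDSA nor RSA, or when the
// private key reference cannot be obtained. On every error path all
// SecIdentityRef and SecCertificateRef values obtained from
// GetMatchingCertsAndIdentity are released before returning, so the caller
// holds nothing on failure. On success the returned DarwinCertStoreSigner is
// handed the selected identity, key and certificate references.
func GetCertStoreSigner(certIdentifier CertIdentifier, useLatestExpiringCert bool) (signer Signer, signingAlgorithm string, err error) {
	// Every local that is assigned after a `goto fail` could fire is declared
	// here, because Go does not allow a goto to jump over a variable declaration
	// that is still in scope at the label.
	var (
		selectedCertContainer CertificateContainer
		cert                  *x509.Certificate
		identRef              C.SecIdentityRef
		certRef               C.SecCertificateRef
		keyRef                C.SecKeyRef
	)

	identRefs, certRefs, certContainers, err := GetMatchingCertsAndIdentity(certIdentifier)
	if err != nil {
		goto fail
	}
	if len(certContainers) == 0 {
		err = errors.New("no matching identities")
		goto fail
	}
	if useLatestExpiringCert {
		sort.Sort(CertificateContainerList(certContainers))
		// Release the `SecIdentityRef`s and `SecCertificateRef`s that won't be used.
		// certContainer.Index addresses the parallel identRefs/certRefs slices,
		// which sorting certContainers does not reorder. Released entries are
		// zeroed so the fail path below cannot release them a second time.
		for i, certContainer := range certContainers {
			if i == len(certContainers)-1 {
				continue
			}
			C.CFRelease(C.CFTypeRef(identRefs[certContainer.Index]))
			C.CFRelease(C.CFTypeRef(certRefs[certContainer.Index]))

			identRefs[certContainer.Index] = 0
			certRefs[certContainer.Index] = 0
		}
	} else if len(certContainers) > 1 {
		// Without an explicit tie-break rule, refuse to pick one silently.
		err = errors.New("multiple matching identities")
		goto fail
	}
	selectedCertContainer = certContainers[len(certContainers)-1]
	if Debug {
		log.Printf("selected certificate: %s", DefaultCertContainerToString(selectedCertContainer))
	}
	cert = selectedCertContainer.Cert
	certRef = certRefs[selectedCertContainer.Index]
	identRef = identRefs[selectedCertContainer.Index]

	// Derive the signing algorithm identifier from the certificate's key type.
	switch cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		signingAlgorithm = aws4_x509_ecdsa_sha256
	case *rsa.PublicKey:
		signingAlgorithm = aws4_x509_rsa_sha256
	default:
		err = errors.New("unsupported algorithm")
		goto fail
	}

	keyRef, err = getKeyRef(identRef)
	if err != nil {
		// Keep the underlying error so the caller can see why the key lookup
		// failed; the message prefix is unchanged for existing callers.
		err = fmt.Errorf("unable to get key reference: %w", err)
		goto fail
	}

	return &DarwinCertStoreSigner{identRef, keyRef, certRef, cert, nil}, signingAlgorithm, nil

fail:
	// Release every reference that is still held; entries released earlier
	// were zeroed and are skipped here.
	for i, ref := range identRefs {
		if ref != 0 {
			C.CFRelease(C.CFTypeRef(ref))
			identRefs[i] = 0
		}
	}
	for i, ref := range certRefs {
		if ref != 0 {
			C.CFRelease(C.CFTypeRef(ref))
			certRefs[i] = 0
		}
	}
	return nil, "", err
}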