func generateCerts()

in systemtest/apmservertest/server.go [305:376]


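// generateCerts writes a self-signed ECDSA P-256 certificate and its PKCS#8
// private key as PEM files under dir and returns their paths (cert, key).
//
// The certificate is valid for 24 hours from now, carries keyUsage as its only
// extended key usage, and lists every entry of hosts as a Subject Alternative
// Name: IP literals go into IPAddresses, anything else into DNSNames. When ca
// is true the certificate is marked as a CA and gains the certSign key usage
// so it can sign, and be used to verify, other certificates.
//
// Both files are created with os.CreateTemp (mode 0600, random name suffix).
// If anything fails after a file has been created, that file is removed again
// so no half-written key material is left behind.
func generateCerts(dir string, ca bool, keyUsage x509.ExtKeyUsage, hosts ...string) (string, string, error) {
	// 128-bit random serial number, the conventional size for uniqueness.
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return "", "", fmt.Errorf("failed to generate serial number: %w", err)
	}
	notBefore := time.Now()
	notAfter := notBefore.Add(24 * time.Hour)
	template := x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Organization: []string{"Org"},
		},
		NotBefore: notBefore,
		NotAfter:  notAfter,

		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{keyUsage},
		BasicConstraintsValid: true,
	}

	// Every host must end up as a SAN. Hostnames that are not IP literals
	// (e.g. "localhost") go into DNSNames; dropping them would make TLS
	// verification against that name fail even though the caller asked for it.
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			template.IPAddresses = append(template.IPAddresses, ip)
		} else {
			template.DNSNames = append(template.DNSNames, h)
		}
	}

	if ca {
		template.IsCA = true
		template.KeyUsage |= x509.KeyUsageCertSign
	}

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", fmt.Errorf("failed to generate client key: %w", err)
	}
	privBytes, err := x509.MarshalPKCS8PrivateKey(clientKey)
	if err != nil {
		return "", "", fmt.Errorf("unable to marshal private key: %w", err)
	}

	// SubjectKeyId is derived from the encoded private key so it is stable
	// for this key and distinct across generated certificates.
	h := sha256.Sum256(privBytes)
	template.SubjectKeyId = h[:]

	// Self-signed: the template is its own parent and clientKey signs it.
	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, clientKey.Public(), clientKey)
	if err != nil {
		return "", "", fmt.Errorf("failed to create certificate: %w", err)
	}

	certPath, err := writePEMFile(dir, "client_cert.pem", "CERTIFICATE", derBytes)
	if err != nil {
		return "", "", err
	}
	keyPath, err := writePEMFile(dir, "client_key.pem", "PRIVATE KEY", privBytes)
	if err != nil {
		// Best-effort cleanup of the already written certificate; the write
		// error is the one worth reporting, so the Remove result is ignored.
		_ = os.Remove(certPath)
		return "", "", err
	}

	return certPath, keyPath, nil
}

// writePEMFile creates a temp file in dir from pattern, writes a single PEM
// block of the given type containing der, and returns the file's path.
// The file is closed and removed on any failure, so a returned error never
// leaves a partially written (and for keys, sensitive) file on disk.
func writePEMFile(dir, pattern, blockType string, der []byte) (string, error) {
	f, err := os.CreateTemp(dir, pattern)
	if err != nil {
		return "", fmt.Errorf("failed to open %s for writing: %w", pattern, err)
	}
	if err := pem.Encode(f, &pem.Block{Type: blockType, Bytes: der}); err != nil {
		// Close/Remove errors are secondary to the encode failure being returned.
		_ = f.Close()
		_ = os.Remove(f.Name())
		return "", fmt.Errorf("failed to write data to %s: %w", pattern, err)
	}
	if err := f.Close(); err != nil {
		_ = os.Remove(f.Name())
		return "", fmt.Errorf("error closing %s: %w", pattern, err)
	}
	return f.Name(), nil
}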