func GenerateGenericChildCert()

in testing/certutil/certutil.go [173:255]

• 70 lines of code
• 8 McCabe index (conditional complexity)

func GenerateGenericChildCert(
	name string,
	ips []net.IP,
	priv crypto.PrivateKey,
	pub crypto.PublicKey,
	caPrivKey crypto.PrivateKey,
	caCert *x509.Certificate,
	opts ...Option) (*tls.Certificate, Pair, error) {

	cfg := getCgf(opts)

	cn := "Police Public Call Box"
	if cfg.cnPrefix != "" {
		cn = fmt.Sprintf("[%s] %s", cfg.cnPrefix, cn)
	}

	dnsNames := append(cfg.dnsNames, name)
	notBefore, notAfter := makeNotBeforeAndAfter()
	certTemplate := &x509.Certificate{
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		SerialNumber: big.NewInt(1658),
		Subject: pkix.Name{
			Locality:     []string{"anywhere in time and space"},
			Organization: []string{"TARDIS"},
			CommonName:   cn,
		},
		NotBefore: notBefore,
		NotAfter:  notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature |
			x509.KeyUsageKeyEncipherment |
			x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{
			x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}

	if cfg.clientCert {
		certTemplate.IPAddresses = nil
		certTemplate.DNSNames = nil
	}

	certRawBytes, err := x509.CreateCertificate(
		rand.Reader, certTemplate, caCert, pub, caPrivKey)
	if err != nil {
		return nil, Pair{}, fmt.Errorf("could not create CA: %w", err)
	}

	privateKeyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, Pair{}, fmt.Errorf("could not marshal private key: %w", err)
	}

	// PEM private key
	var privBytesOut []byte
	privateKeyBuff := bytes.NewBuffer(privBytesOut)
	err = pem.Encode(privateKeyBuff,
		&pem.Block{Type: keyBlockType(priv), Bytes: privateKeyDER})
	if err != nil {
		return nil, Pair{}, fmt.Errorf("could not pem.Encode private key: %w", err)
	}
	privateKeyPemBytes := privateKeyBuff.Bytes()

	// PEM certificate
	var certBytesOut []byte
	certBuff := bytes.NewBuffer(certBytesOut)
	err = pem.Encode(certBuff, &pem.Block{
		Type: "CERTIFICATE", Bytes: certRawBytes})
	if err != nil {
		return nil, Pair{}, fmt.Errorf("could not pem.Encode certificate: %w", err)
	}
	certPemBytes := certBuff.Bytes()

	// TLS Certificate
	tlsCert, err := tls.X509KeyPair(certPemBytes, privateKeyPemBytes)
	if err != nil {
		return nil, Pair{}, fmt.Errorf("could not create key pair: %w", err)
	}

	return &tlsCert, Pair{
		Cert: certPemBytes,
		Key:  privateKeyPemBytes,
	}, nil
}