// checkTokenWithTime checks token using the given time.
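// checkTokenWithTime verifies token for the given user and action as of the
// instant now.
//
// The token is the URL-safe base64 encoding of a JSON-serialised sigData.
// It is rejected when it is empty, does not decode or parse, was issued
// Timeout or longer ago, was issued more than validFuture ahead of now,
// names a key that is not among the public certs, or carries a signature
// that does not verify over toData(user, action, sig.IssueTime).
//
// Because IssueTime is part of the signed data, editing the timestamp to
// extend a token's lifetime also breaks the signature; the time checks only
// run first so that stale tokens are rejected before the certificate lookup
// and the (more expensive) signature check.
func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error {
	if token == "" {
		return fmt.Errorf("token is not given")
	}
	d, err := base64.URLEncoding.DecodeString(token)
	if err != nil {
		// The decode error used to be dropped and the partial output handed
		// to json.Unmarshal, which then failed with a misleading JSON error.
		return fmt.Errorf("token is not valid base64: %v", err)
	}
	sig := &sigData{}
	if err = json.Unmarshal(d, sig); err != nil {
		return err
	}

	// sig.IssueTime is nanoseconds since the Unix epoch; it is untrusted until
	// the signature below is checked, so these are only cheap early rejects.
	issueTime := time.Unix(0, sig.IssueTime)
	if now.Sub(issueTime) >= Timeout {
		return fmt.Errorf("signature has already expired")
	}
	if issueTime.After(now.Add(validFuture)) {
		return fmt.Errorf("token come from future")
	}

	// The signed message binds user, action and issue time together.
	toVerify := toData(user, action, sig.IssueTime)

	// sig.Key is caller-supplied; it only selects a cert from the trusted set,
	// so an unknown or forged key name simply fails the lookup.
	certs, err := signature.PublicCerts(c)
	if err != nil {
		return err
	}
	cert := signature.X509CertByName(certs, sig.Key)
	if cert == nil {
		return fmt.Errorf("cannot find cert")
	}

	return signature.Check(toVerify, cert, sig.Signature)
}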
// TestShouldSignAndCheck signs a small blob, resolves the cert named by the
// returned key id among the public certs, and checks the signature against
// that cert. Every step must succeed.
func TestShouldSignAndCheck(t *testing.T) {
	ctx := context.Background()
	payload := []byte("blob")

	keyName, sigBytes, err := signature.Sign(ctx, payload)
	if err != nil {
		t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", payload, err)
	}

	certs, err := signature.PublicCerts(ctx)
	if err != nil {
		t.Fatalf("PublicCerts(_)=%v; want <nil>", err)
	}

	// The key id returned by Sign must correspond to a published cert.
	c := signature.X509CertByName(certs, keyName)
	if c == nil {
		t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", certs, keyName)
	}

	if err := signature.Check(payload, c, sigBytes); err != nil {
		t.Errorf("Check(%v, %v, %v)=%v; want <nil>", payload, c, sigBytes, err)
	}
}