Example #1
0
//ValidateToken validate a token signed by the given certificate with the subject hostname
func ValidateToken(userToken string, certificate *pkix.Certificate, hostname *string) error {
	cert, err := certificate.Export()
	if err != nil {
		return err
	}

	token, err := jwt.Parse(userToken, func(token *jwt.Token) (interface{}, error) {
		// Don't forget to validate the alg is what you expect:
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		}
		jti := token.Claims["jti"].(string)
		if _, exists := jtiCache[jti]; exists == true {
			return nil, fmt.Errorf("Replay attack!!! jti= %s", jti)
		}
		jtiCache[jti] = token.Claims["exp"].(float64)

		//validate hostname if any
		subject := token.Claims["sub"].(string)
		if subject != "" && subject != *hostname {
			return nil, fmt.Errorf("Mismatch hostname: %s", subject)
		}

		return cert, nil
	})

	if err == nil && token.Valid {
		return nil
	}
	return fmt.Errorf("Token is invalid, %s", err)
}
Example #2
0
func CheckCertificate(hostCert *pkix.Certificate, hostname string, rootCertificate *pkix.Certificate) error {
	err := rootCertificate.VerifyHost(hostCert, hostname)
	return err
}