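// ValidateToken validates a JWT that must have been signed with the RSA key
// belonging to certificate and, when the token carries a non-empty "sub"
// claim, checks that the subject equals *hostname.
//
// A token is accepted only if all of the following hold:
//   - the "alg" header names an RSA signing method (anything else,
//     including "none", is rejected before the key is handed out);
//   - the signature verifies against certificate.Export() and whatever
//     standard checks jwt.Parse performs succeed, i.e. token.Valid is true;
//   - the "jti" claim is a non-empty string that has not been seen before
//     (replay protection via the package-level jtiCache);
//   - the "sub" claim, if non-empty, equals *hostname.
//
// Replay bookkeeping is done only after the signature has been verified.
// The previous version recorded the jti inside the key callback, which runs
// before verification, so an unauthenticated caller could submit unsigned
// tokens carrying arbitrary jti values and lock those identifiers out for
// their legitimate owners. Claims are now read with checked type assertions
// so a malformed or claim-less token produces an error instead of a panic
// on attacker-controlled input.
//
// Parameters:
//   userToken   - the compact-serialised JWT as received from the caller.
//   certificate - certificate whose public key must have signed the token;
//                 its Export() output is the key material given to jwt.
//   hostname    - expected value of the "sub" claim; may be nil, in which
//                 case any non-empty subject is treated as a mismatch.
//
// Returns nil when the token is accepted, otherwise an error naming the
// first check that failed.
//
// NOTE(review): jtiCache is a package-level map written here on every
// accepted token; unless it is guarded where it is declared, concurrent
// calls race. Nothing in this function evicts entries either — the stored
// "exp" value is presumably intended for that; confirm against the cache's
// declaration.
func ValidateToken(userToken string, certificate *pkix.Certificate, hostname *string) error {
	cert, err := certificate.Export()
	if err != nil {
		return err
	}

	// The key callback only decides which key verifies the signature. It
	// must not trust anything in the token beyond the algorithm header,
	// because at this point nothing has been authenticated yet.
	keyFunc := func(token *jwt.Token) (interface{}, error) {
		// Pin the algorithm family instead of honouring whatever "alg" the
		// token declares (classic algorithm-confusion defence).
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		}
		return cert, nil
	}

	token, err := jwt.Parse(userToken, keyFunc)
	if err != nil {
		return fmt.Errorf("Token is invalid, %s", err)
	}
	if !token.Valid {
		return fmt.Errorf("Token is invalid")
	}

	// From here on the signature is verified, so the claims are authentic.
	jti, ok := token.Claims["jti"].(string)
	if !ok || jti == "" {
		return fmt.Errorf("Token is invalid, missing jti claim")
	}
	if _, seen := jtiCache[jti]; seen {
		return fmt.Errorf("Replay attack!!! jti= %s", jti)
	}

	// Bind the token to the expected host when it names a subject. An
	// empty subject is not bound to any host, as before.
	if subject, _ := token.Claims["sub"].(string); subject != "" {
		if hostname == nil || subject != *hostname {
			return fmt.Errorf("Mismatch hostname: %s", subject)
		}
	}

	// Record the jti only once every check has passed, so a rejected token
	// cannot burn an identifier. "exp" is stored as 0 when absent or not
	// numeric; expiry itself has already been enforced by jwt.Parse if the
	// claim is present.
	exp, _ := token.Claims["exp"].(float64)
	jtiCache[jti] = exp
	return nil
}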
// CheckCertificate checks hostCert against rootCertificate for hostname by
// delegating to rootCertificate.VerifyHost and returning its result.
//
// Parameters:
//   hostCert        - the leaf certificate under test.
//   hostname        - the name the certificate is expected to be valid for.
//   rootCertificate - the trust anchor the check is performed against.
//
// Returns nil when VerifyHost accepts the certificate, otherwise its error.
// NOTE(review): which checks are performed (chain building, validity
// period, SAN/CN matching) is entirely up to pkix.Certificate.VerifyHost —
// confirm there before relying on any of them.
func CheckCertificate(hostCert *pkix.Certificate, hostname string, rootCertificate *pkix.Certificate) error {
	return rootCertificate.VerifyHost(hostCert, hostname)
}