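// ValidateToken validates userToken, a JWT that must be RSA-signed with the key
// of certificate. Once the signature has been verified it enforces two further
// checks on the claims: a non-empty "sub" claim must equal *hostname (hostname
// may be nil, in which case any non-empty "sub" is a mismatch), and the "jti"
// claim must be a non-empty string not seen before — replay protection through
// the package-level jtiCache, which records the token's "exp" under the jti.
// Both checks run only on a verified token, so a forged or unsigned token can
// neither poison jtiCache nor reach the claim handling.
// Returns nil on success, the export error if certificate cannot be exported,
// and otherwise an error describing the first failed check.
func ValidateToken(userToken string, certificate *pkix.Certificate, hostname *string) error {
	if certificate == nil {
		return fmt.Errorf("Token is invalid, no certificate to verify against")
	}
	cert, err := certificate.Export()
	if err != nil {
		return err
	}

	token, err := jwt.Parse(userToken, func(t *jwt.Token) (interface{}, error) {
		// Only RSA is acceptable: any other method (an HMAC keyed with the public
		// certificate bytes, or "none") is rejected before the key is handed back.
		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
		}
		return cert, nil
	})
	// The key function above runs before the signature is checked, so no
	// claim-derived state may be touched until token.Valid is known.
	if err != nil || token == nil || !token.Valid {
		return fmt.Errorf("Token is invalid, %s", err)
	}

	// Claims remain untrusted input even on a verified token: checked
	// assertions turn a missing or mistyped claim into an error, not a panic.
	jti, ok := token.Claims["jti"].(string)
	if !ok || jti == "" {
		return fmt.Errorf("Token is invalid, missing or malformed jti claim")
	}
	exp, ok := token.Claims["exp"].(float64)
	if !ok {
		// exp is required because it is the value the replay cache stores
		// for later expiry of the jti entry.
		return fmt.Errorf("Token is invalid, missing or malformed exp claim")
	}

	// Validate the hostname only when the token names a subject; a missing or
	// empty "sub" skips this check.
	if subject, _ := token.Claims["sub"].(string); subject != "" {
		if hostname == nil || subject != *hostname {
			return fmt.Errorf("Mismatch hostname: %s", subject)
		}
	}

	// Replay protection: a jti is accepted once. It is recorded only after every
	// other check passed, so a token rejected above does not consume its jti.
	// NOTE(review): jtiCache is a package-level map written here without a
	// lock — confirm callers serialize ValidateToken or guard the map.
	if _, seen := jtiCache[jti]; seen {
		return fmt.Errorf("Replay attack!!! jti= %s", jti)
	}
	jtiCache[jti] = exp

	return nil
}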
// CheckCertificate verifies hostCert for hostname against rootCertificate by
// delegating to rootCertificate.VerifyHost. It returns that call's error
// unchanged, and nil when verification succeeds.
func CheckCertificate(hostCert *pkix.Certificate, hostname string, rootCertificate *pkix.Certificate) error {
	return rootCertificate.VerifyHost(hostCert, hostname)
}