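// checkTokenWithTime checks token using the given time.
//
// token is expected to be a base64url-encoded JSON sigData. The token is
// rejected when it is empty, cannot be decoded or parsed, was issued Timeout
// or more before now, or carries an issue time later than now+validFuture
// (presumably a clock-skew allowance — confirm against its definition).
// Only then is the signature over toData(user, action, issueTime) verified
// against the public cert named by sig.Key.
//
// Returns nil when every check passes, otherwise an error describing the
// first check that failed.
func checkTokenWithTime(c context.Context, token, user, action string, now time.Time) error {
	if token == "" {
		return fmt.Errorf("token is not given")
	}
	d, err := base64.URLEncoding.DecodeString(token)
	if err != nil {
		// Previously unchecked: a decode failure fell through to json.Unmarshal
		// on whatever partial output DecodeString produced, hiding the cause.
		return fmt.Errorf("decoding token: %v", err)
	}
	sig := &sigData{}
	if err := json.Unmarshal(d, sig); err != nil {
		return err
	}
	issueTime := time.Unix(0, sig.IssueTime)
	// Age check first: anything Timeout or older is stale regardless of its signature.
	if now.Sub(issueTime) >= Timeout {
		return fmt.Errorf("signature has already expired")
	}
	// Issue times may run ahead of now by at most validFuture.
	if issueTime.After(now.Add(validFuture)) {
		return fmt.Errorf("token come from future")
	}
	toVerify := toData(user, action, sig.IssueTime)
	certs, err := signature.PublicCerts(c)
	if err != nil {
		return err
	}
	cert := signature.X509CertByName(certs, sig.Key)
	if cert == nil {
		return fmt.Errorf("cannot find cert")
	}
	return signature.Check(toVerify, cert, sig.Signature)
}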
// TestShouldSignAndCheck signs a small blob, resolves the signing cert by the
// key name Sign returned, and verifies the produced signature with Check.
func TestShouldSignAndCheck(t *testing.T) {
	ctx := context.Background()
	payload := []byte("blob")

	keyName, signed, err := signature.Sign(ctx, payload)
	if err != nil {
		t.Fatalf("Sign(_, %v)=_,_,%v; want <nil>", payload, err)
	}

	certs, err := signature.PublicCerts(ctx)
	if err != nil {
		t.Fatalf("PublicCerts(_)=%v; want <nil>", err)
	}

	// The cert must be found under the same name Sign reported.
	signingCert := signature.X509CertByName(certs, keyName)
	if signingCert == nil {
		t.Fatalf("X509CertByName(%v, %v)=<nil>; want non nil", certs, keyName)
	}

	if err := signature.Check(payload, signingCert, signed); err != nil {
		t.Errorf("Check(%v, %v, %v)=%v; want <nil>", payload, signingCert, signed, err)
	}
}