Find out which cert was used for JWS signing from the x5c header
package main
import (
"crypto/x509"
"encoding/base64"
"errors"
"fmt"
"io/ioutil"
"github.com/golang-jwt/jwt"
)
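// main loads a trusted Apple WWDR certificate from disk, parses a JWS whose
// x5c header carries the signer's certificate chain, prints the certificates
// found in that chain, and verifies the token's signature with the leaf key.
//
// The x5c header is part of the unauthenticated token, so nothing in it is
// trusted until the chain has been verified against the certificate read
// from AppleWWDRCAG6.cer. Only then is the leaf public key handed back to
// jwt.Parse, which makes the signature check actually happen (returning a
// nil key, as a diagnostic script might, leaves the token unverified).
func main() {
	// Trust anchor: the certificate we believe issued the signing certificate.
	trustedDER, err := ioutil.ReadFile("AppleWWDRCAG6.cer")
	if err != nil {
		fmt.Println("failed to read cert")
		return
	}
	trusted, err := x509.ParseCertificate(trustedDER)
	if err != nil {
		fmt.Println("failed to parse cert file")
		return
	}
	fmt.Printf("trusted cert: issuer=%s serial=%v notAfter=%s\n",
		trusted.Issuer, trusted.SerialNumber, trusted.NotAfter)

	signedToken := "here goes the token you got"
	parsedToken, err := jwt.Parse(signedToken, func(token *jwt.Token) (interface{}, error) {
		// Pin the algorithm before looking at any key material so an
		// attacker-chosen "alg" cannot change how the signature is checked.
		if token.Method != jwt.SigningMethodES256 {
			return nil, errors.New("signing method was not ES256")
		}
		chain, err := parseX5C(token.Header["x5c"])
		if err != nil {
			return nil, err
		}
		for i, cert := range chain {
			// %v (not %s) for the serial: *big.Int only formats with numeric verbs.
			fmt.Printf("x5c[%d]: issuer=%s serial=%v notAfter=%s\n",
				i, cert.Issuer, cert.SerialNumber, cert.NotAfter)
		}
		leaf, err := verifyChain(chain, trusted)
		if err != nil {
			return nil, err
		}
		// The leaf signed the token; jwt rejects the key at verify time if it
		// is not the ECDSA key ES256 requires.
		return leaf.PublicKey, nil
	})
	if err != nil {
		// Covers a malformed token, a bad x5c chain and a signature mismatch.
		fmt.Printf("token verification failed: %s\n", err)
		return
	}
	fmt.Println(parsedToken.Raw)
}

// parseX5C decodes the raw "x5c" header value into certificates, in header
// order. Per RFC 7515 the first entry is the signer's certificate and the
// rest are its issuers. Every element is type-checked rather than asserted,
// so a missing or malformed header yields an error instead of a panic.
func parseX5C(raw interface{}) ([]*x509.Certificate, error) {
	entries, ok := raw.([]interface{})
	if !ok || len(entries) == 0 {
		return nil, errors.New("x5c header missing or not a non-empty array")
	}
	chain := make([]*x509.Certificate, 0, len(entries))
	for i, entry := range entries {
		s, ok := entry.(string)
		if !ok {
			return nil, fmt.Errorf("x5c[%d] is not a string", i)
		}
		// x5c entries are standard (not URL-safe) base64 DER.
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("decoding x5c[%d]: %w", i, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("parsing x5c[%d]: %w", i, err)
		}
		chain = append(chain, cert)
	}
	return chain, nil
}

// verifyChain checks that chain[0] chains to root, using the remaining
// entries as untrusted intermediates, and returns the verified leaf.
// chain must be non-empty.
func verifyChain(chain []*x509.Certificate, root *x509.Certificate) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	leaf := chain[0]
	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		// The default key usage is ServerAuth, which a token-signing
		// certificate generally does not carry; accept any EKU here.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain does not verify against trusted cert: %w", err)
	}
	return leaf, nil
}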