0.0.1	~~Aug 30, 2020~~

#47 in #company

MIT license

32KB
620 lines

mio_license

The license library to check validity of Media-IO products.

Documentation

The documentation is available here

Develop the signer

With Cargo watch you can run the signer and code directly. For that run: cargo watch -x 'run --example signer'

and play with source code ;-)

`lib.rs`:

Mio License

mio_license will check Media-IO license products.

Architecture

It's based on AWS license validation (using V4 signature)
In that model, 3 parts are involved:

the licensed Media-IO project
a license validation (here the Support Platform)
the signer

This model is use due to the Player mode who runs in the web browser and interfaced with Javascript. So any body can access to the license passed to the player, so it can be very easy to hack our products with that.

Targets

The library can be use on every platform (OSX, Linux/Unix, Windows), but it also requires to works on WebAssembly target.

Generated data

To understand the mechaniscm, it requires first to describe what data is generated and where it's stored.

On the Support platform, a secret key is the based to generate hashed licenses.
Our licenses use the JWT model, simple and support in all languages A private key is generated at the same time, a random string.

Each Media-IO product is build using this library. It's used in the product to validate the JWT license. So each product needs to provide an API to pass:

the JWT license
the signer URL

For the signer, it requires to start with the private key.

Validation process

To validate a license, many steps are needed.

Media-IO product get the JWT license.
Media-IO product retrieve Claims from the JWT license.
Media-IO product validate product with license product list.
Media-IO product validate the domain name, for native platforms it will check is the license is not for a domain name.
Media-IO product generate a datetime using the format: YYYYMMDD'T'HHMMSS'Z'.
Media-IO product send a request to the signer to generate the signature.
Signer will get datetime, JWT license and the private key to generate the signature.
Media-IO product send a request to the Support Platform with the signature, the JWT license and the datetime.
Support platform generate the same signature based on same information and compare the result (including an allowed delta time between the datetime and the current time)
Media-IO product is now validated or not !

Security

The important thing to undestand here about the security is the fact of datetime inclusion in the hash signature information.
With that requests have a validity duration, so it's difficult to hack.

Dependencies

~6–22MB
~338K SLoC

async-trait
base64 0.12
chrono
clap 2.33
futures
futures-channel not wasm32
futures-util +async-await +sink +std
hex
log
native-tls not wasm32
reqwest 0.10+json
serde
serde_derive
serde_json
time 0.2
tokio 0.2+io-std +macros +stream +time not wasm32
tokio-tls 0.3 not wasm32
tokio-tungstenite 0.10+tls not wasm32
tungstenite 0.10 not wasm32
url
console_error_panic_hook wasm32
console_log wasm32
js-sys wasm32
wasm-bindgen wasm32
wasm-bindgen-futures wasm32
web-sys +Location +WebSocket +Window wasm32

build build.rs
build built 0.4
dev hmac 0.8 not wasm32
dev iron 0.6 not wasm32
dev jsonwebtoken 7.0 not wasm32
dev mockito 0.26
dev mount 0.4 not wasm32
dev params 0.8
dev router 0.6 not wasm32
dev rusoto_credential 0.44
dev rusoto_s3 0.44
dev rusoto_signature 0.44
dev sha2 0.9 not wasm32
dev simple_logger 1.5 not wasm32
dev wasm-bindgen-test wasm32