#product #validation #mio #company #signer #media-io

yanked mio_license

License validator for Media-IO company

0.0.1 Aug 30, 2020

#47 in #company

MIT license

32KB
620 lines

mio_license

A license library that checks the validity of Media-IO products.


Documentation

The documentation is available here

Develop the signer

With cargo watch you can run the signer and work on the code directly. To do so, run: cargo watch -x 'run --example signer'

and play with the source code ;-)


lib.rs:

Mio License

mio_license checks licenses for Media-IO products.

Architecture

It is based on AWS license validation (using the V4 signature).
In that model, three parties are involved:

  • the licensed Media-IO project
  • a license validator (here, the Support Platform)
  • the signer

This model is used because of the Player mode, which runs in the web browser and is interfaced with JavaScript. Anybody can therefore access the license passed to the player, which would make it very easy to hack our products.

Targets

The library can be used on every platform (OSX, Linux/Unix, Windows), but it is also required to work on the WebAssembly target.

Generated data

To understand the mechanism, it is first necessary to describe what data is generated and where it is stored.

On the Support Platform, a secret key is the basis for generating hashed licenses.
Our licenses use the JWT model, which is simple and supported in all languages. A private key, a random string, is generated at the same time.

Each Media-IO product is built using this library, which the product uses to validate the JWT license. Each product therefore needs to provide an API to pass:

  • the JWT license
  • the signer URL

The signer must be started with the private key.

Validation process

Validating a license takes several steps.

  1. The Media-IO product gets the JWT license.
  2. The Media-IO product retrieves the Claims from the JWT license.
  3. The Media-IO product validates the product against the license's product list.
  4. The Media-IO product validates the domain name; on native platforms it checks that the license is not for a domain name.
  5. The Media-IO product generates a datetime using the format: YYYYMMDD'T'HHMMSS'Z'.
  6. The Media-IO product sends a request to the signer to generate the signature.
  7. The signer takes the datetime, the JWT license and the private key to generate the signature.
  8. The Media-IO product sends a request to the Support Platform with the signature, the JWT license and the datetime.
  9. The Support Platform generates the same signature from the same information and compares the result (including an allowed time delta between the datetime and the current time).
  10. The Media-IO product is now validated, or not!

Security

The important thing to understand about the security is that the datetime is included in the information hashed into the signature.
As a result, requests have a validity duration, so it is difficult to hack.
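The following sketch of steps 5, 7 and 9 and of the datetime binding described under Security is an added example, not code from mio_license, and is written in Python for brevity. The HMAC-SHA256 construction, the message layout, the 5-minute delta and all function names are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

DATETIME_FORMAT = "%Y%m%dT%H%M%SZ"    # YYYYMMDD'T'HHMMSS'Z' from step 5
ALLOWED_DELTA = timedelta(minutes=5)  # assumed value; the page gives none


def format_datetime(moment: datetime) -> str:
    """Step 5: render a timezone-aware instant in the page's UTC format."""
    return moment.astimezone(timezone.utc).strftime(DATETIME_FORMAT)


def sign(private_key: bytes, jwt_license: str, request_datetime: str) -> str:
    """Step 7 (signer): bind the license to the datetime with the private key.

    Assumed construction: HMAC-SHA256 over datetime, newline, JWT license.
    """
    message = f"{request_datetime}\n{jwt_license}".encode()
    return hmac.new(private_key, message, hashlib.sha256).hexdigest()


def validate(private_key: bytes, jwt_license: str, request_datetime: str,
             signature: str, now: datetime) -> bool:
    """Step 9 (Support Platform): check freshness, then recompute and compare."""
    try:
        sent_at = datetime.strptime(request_datetime, DATETIME_FORMAT)
    except ValueError:
        return False  # a malformed datetime is rejected, never repaired
    sent_at = sent_at.replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > ALLOWED_DELTA:
        return False  # stale or future-dated: outside the validity duration
    expected = sign(private_key, jwt_license, request_datetime)
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample values, not real keys or licenses.
SAMPLE_KEY = b"constructed-random-private-key"
SAMPLE_JWT = "header.payload.signature"
```

Because the datetime is part of the signed message, a captured signature cannot be reused with a newer datetime: changing the datetime changes the expected signature, and keeping the old one fails the delta check.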

Dependencies

~6–22MB
~338K SLoC