mio_license 0.0.1
The license library that checks the validity of Media-IO products.
Documentation
The documentation is available here
Develop the signer
With cargo-watch you can run the signer example and edit the code at the same time.
For that, run:
cargo watch -x 'run --example signer'
and play with the source code ;-)
Mio License
mio_license will check Media-IO license products.
Architecture
It's based on the AWS request-validation model (Signature Version 4).
In that model, three parties are involved:
- the licensed Media-IO project
- a license validation (here the Support Platform)
- the signer
This model is used because the Player mode runs in the web browser and is driven from JavaScript, so anybody can read the license passed to the player. Without a separate signer, it would be very easy to abuse our products with that license.
Targets
The library can be used on every platform (OSX, Linux/Unix, Windows), but it also needs to work on the WebAssembly target.
Generated data
To understand the mechanism, we first describe what data is generated and where it is stored.
On the Support Platform, a secret key is the basis for generating hashed licenses.
Our licenses use the JWT model: simple, and supported in all languages.
A private key, a random string, is generated at the same time.
Each Media-IO product is built using this library. It is used in the product to validate the JWT license. So each product needs to provide an API that takes:
- the JWT license
- the signer URL
The signer, for its part, needs to be started with the private key.
Validation process
To validate a license, several steps are needed:
- The Media-IO product gets the JWT license.
- The Media-IO product retrieves the claims from the JWT license.
- The Media-IO product validates the product against the product list in the license.
- The Media-IO product validates the domain name; on native platforms it checks that the license is not for a domain name.
- The Media-IO product generates a datetime using the format YYYYMMDD'T'HHMMSS'Z'.
- The Media-IO product sends a request to the signer to generate the signature.
- The signer takes the datetime, the JWT license and the private key to generate the signature.
- The Media-IO product sends a request to the Support Platform with the signature, the JWT license and the datetime.
- The Support Platform generates the same signature from the same information and compares the result (including an allowed delta between the datetime and the current time).
- The Media-IO product is now validated, or not!
Security
The important thing to understand about the security here is the inclusion of the datetime in the information that is signed.
Because of that, requests have a validity duration: a captured request is only accepted within the allowed delta, so it's difficult to hack.