How to generate license-keys? #2

Open
nicroto opened this issue Apr 14, 2014 · 5 comments
@nicroto

nicroto commented Apr 14, 2014

There is no documentation on creating the licenses.

@sellout

sellout commented Apr 16, 2014

Here is a recipe I concocted … hopefully all of it is standard on OS X:

python -c "import base64; print base64.b32encode(str(0x`echo "<CUSTOMER NAME>" | openssl dgst -dss1 -sign <PRIVATE KEY FILENAME> -hex`).encode())"

Let me know whether or not it works for you.

@konstantinpavlikhin
Owner

I use Objective-C on the server-side.

This is what part of it looks like:
https://gist.github.com/konstantinpavlikhin/10933246

Note: the implementations of methods -SHA1Data and -base32String are not shown.

@konstantinpavlikhin
Owner

The principle of generating a serial key is:

  1. Get the name of the customer.
  2. Trim the whitespace from both sides of the string.
  3. Calculate the SHA-1 digest of the string’s data.
  4. Sign it with your DSA/ECDSA private key.
  5. Transform the result into base32.
  6. Remove the “=” symbols from the base32 string.
  7. Congrats, now you have a valid serial key.
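
The seven steps above, as an added example that is not code from the project or from anyone in this thread. It also shows the checking side, which has to restore the stripped "=" padding before decoding. Assumptions: the function names, the file names, the prime256v1 curve, and GNU coreutils `base32` are all chosen here for illustration.

```shell
#!/bin/sh
# Added example: serial generation and checking with openssl + GNU base32.
# Assumed, not from the thread: function names, file names, curve prime256v1.

trim() {  # step 2: strip leading/trailing whitespace from the name
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

new_keypair() {  # $1 = directory; writes private.pem and public.pem there
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/private.pem" &&
    openssl ec -in "$1/private.pem" -pubout -out "$1/public.pem" 2>/dev/null
}

make_serial() {  # $1 = customer name, $2 = private key; serial on stdout
    # steps 3-4: "dgst -sha1 -sign" hashes the input with SHA-1 and signs the digest
    # steps 5-6: base32-encode, then drop line wraps and the "=" padding
    printf '%s' "$(trim "$1")" | openssl dgst -sha1 -sign "$2" | base32 | tr -d '=\n'
}

verify_serial() {  # $1 = name, $2 = serial, $3 = public key; status 0 if valid
    padded=$2
    # "=" carries no data: pad back to a multiple of 8 characters before decoding
    while [ $(( ${#padded} % 8 )) -ne 0 ]; do padded="$padded="; done
    sig=$(mktemp) || return 1
    rc=1
    printf '%s' "$padded" | base32 -d > "$sig" 2>/dev/null &&
        printf '%s' "$(trim "$1")" |
            openssl dgst -sha1 -verify "$3" -signature "$sig" >/dev/null 2>&1 &&
        rc=0
    rm -f "$sig"
    return $rc
}

# Demo with a throwaway key pair and a constructed customer name.
demo=$(mktemp -d) && new_keypair "$demo"
serial=$(make_serial "  Jane Doe " "$demo/private.pem")
verify_serial "Jane Doe" "$serial" "$demo/public.pem" && echo "valid: $serial"
rm -rf "$demo"
```
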

@nicroto
Author

nicroto commented Apr 17, 2014

Thanks sellout (this sounded weird) and konstantin.

What I currently do is:

  1. Get user's data (I am going for name, email + app version);
  2. Sign it with my ECDSA private key;
  3. Encode to base64 (I have changed the Watchdog's default decoding, too);
  4. Remove new lines.

Note: Remove "="-symbols? Are they like control symbols, not holding any part of the uniqueness of the signature?

If I have to get the sha-1 of the string and sign that, this (above) wouldn't be working, right Konstantin? Are you sure there is such a step involved?

I read the code, and sha1 is only used when checking with the server, if such a license is generated by the app owner (I guess this is the way to check if it was made by a custom generator).

I will try that today and will further test something else that's bothering me and will probably make a separate issue about it, eventually - only the tested curves (those that are in the unit tests) work. I tried probably 10 other curves, but an exception occurs while parsing the serial. I will elaborate on that if there doesn't seem to be anything wrong on my end.

@nicroto
Author

nicroto commented Apr 17, 2014

The "=" sign seems to be used for padding (towards reaching a certain length).

About the sha1, I didn't believe my eyes (so I made a screen reader repeat it, haha 😄 ), but Watchdog recognises serials derived through either of the procedures (with or without SHA1)... I am definitely missing something here...

Update:

  • I tried to verify it with or without sha directly using the openssl command and again - it passes either way:
#requires data.txt.
#not -base64.
#doesn't matter if you get sha or not - still verifies it
$ openssl dgst -sha1 -sign private.pem data.txt > serial.txt
$ openssl dgst -verify public.pem -signature serial.txt data.txt

#without sha1
$ openssl dgst -sign private.pem data.txt > serial.txt
$ openssl dgst -verify public.pem -signature serial.txt data.txt
