Closed ghost closed 12 years ago
(I should point out the code is really targeted at migrating existing apps with public+private keys that are already in use. The class accepts a 1024 bit public key in the AquaticPrime format of 0xABCD... and can verify signatures in your app's code. It isn't yet ready to import the private key in that format, nor will it export the keys in the raw format: it exports PEM encoded keys, which then means other code (PHP, Ruby etc) will need to be updated to accept these key formats. Luckily this is now the more normal method of distributing keys so that shouldn't be too bad.)
Building the AquaticPrime Developer project currently fails, which I didn't check before creating the pull request. I'm going to close this request for now and carry on with the work to update the Developer tool as well.
I am continuing to work on the class and the AquaticPrime Developer project to see if I can produce a fully compatible version of the code, including the import/export of private keys as raw 1024 bit. For now we should continue using the original AquaticPrime Developer based on openssl to generate the keys, then ship this updated class in apps built on OSX 10.7+.
I hope that all makes sense.
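The format gap described in the comment above (a raw `0xABCD...` 1024 bit public key versus a PEM encoded key), shown as an added example that is not code from this pull request or from AquaticPrime: it wraps a raw hex modulus in a PEM `PUBLIC KEY` block. The function names, the sample modulus and the public exponent value are assumptions; the raw string carries only the modulus, so the exponent has to come from whatever generated the key.

```python
import base64
import textwrap

# DER for AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value using definite length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def parse_raw_modulus(text: str, bits: int = 1024) -> int:
    """Parse a raw hex modulus such as '0xABCD...' and reject damaged input."""
    cleaned = "".join(text.split())
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    n = int(cleaned, 16)  # raises ValueError on non-hex characters
    if n.bit_length() != bits:
        raise ValueError(f"expected {bits}-bit modulus, got {n.bit_length()} bits")
    if n % 2 == 0:
        raise ValueError("RSA modulus must be odd; key string looks truncated")
    return n

def raw_modulus_to_pem(text: str, exponent: int) -> str:
    """Build SubjectPublicKeyInfo around RSAPublicKey { n, e } and PEM-armor it."""
    n = parse_raw_modulus(text)
    rsa_key = der_tlv(0x30, der_uint(n) + der_uint(exponent))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_key))
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample: a 1024-bit odd number for layout purposes, not a real key.
SAMPLE = "0x" + "C3" * 127 + "B5"
# Assumption: replace with the exponent your key generator actually used.
ASSUMED_EXPONENT = 3

if __name__ == "__main__":
    print(raw_modulus_to_pem(SAMPLE, ASSUMED_EXPONENT))
```

Only the public half can be rebuilt this way; a PEM private key needs the primes and CRT values, which a raw modulus and private exponent alone do not directly provide.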
Hey—I'm sorry about this getting lost. Due to a technical issue, email sent to the address GitHub has hasn't been reaching me for quite some time now, so I didn't know that this happened. I'm happy to continue to merge pull requests into my branch when I know they exist. Is this still useful to merge?
I'm not sure it is yet. For my use of the code I'm happy: the Cocoa class is able to verify signatures using the Apple security framework and I've got rid of all the dependencies on openssl and the compiler warnings. However, the security framework is not able to sign data with only a raw 1024 bit key; it needs to use a full PEM encoded private key which I don't have because I generated my keys using the openssl version. So there are some downsides to my code so far: works fine for verification, but for signing I'm using openssl on my servers which can use the raw private key.
I'd say it would benefit people wanting to do as I did and get rid of the openssl dependency on OS X Lion and Mountain Lion apps, but it might not be a good idea after all for you to take it yet.
All the best, Mathew
Build settings updated to target Lion and later. Added the Apple Security framework.
Re-write of the class using the same interface, and compatible RSA 1024 bit keys for existing apps (such as mine).