open-license-manager / licensecc

Software licensing, copy protection in C++. It has few dependencies and it's cross-platform.
http://open-license-manager.github.io/licensecc/
BSD 3-Clause "New" or "Revised" License

Pass private key? #133

Open Psy-Kai opened 2 years ago

Psy-Kai commented 2 years ago

Hello,

I would really like to use this library. But since the RSA key and library configuration are compiled into the library, I have to create workarounds when packaging the library.

Would it be possible to change the library interface to pass the RSA key and configuration into the library?

I would contribute these changes if this proposal would be accepted :)

Thanks

gcontini commented 2 years ago

Well, just to be precise, the private key never leaves the key generator machine. What is compiled into the code is the public key. But ok...

That said, I don't see why you would want to pass a key from outside; to me it looks like complicating the software and adding security risks (the pointer is intercepted when you call the API; an attacker could replace the public key).

Please describe the feature you are implementing in your application (you want to verify multiple licenses? dynamic licenses?). Let's see if what you request is useful.

Psy-Kai commented 2 years ago

Yeah, sorry, I meant the public key.

I just want to compile and distribute one single licensecc library (via a package manager like Conan). With the current model this is just not possible.

One could compile and distribute a library for every key pair. But just passing the public key feels like an easier solution, which would also simplify building (just) the library.

How would passing the public key to a statically linked library be a security risk? One could also hook into the OpenSSL calls, since you also pass a pointer there.

I don't have a specific new feature in mind. I am just a fan of dependency injection and loose coupling. The current library design with the pregenerated public key header violates these principles.

gcontini commented 2 years ago

Well, the original idea was that you have to compile and modify the library on your own before you use it; that's why the current model makes it impossible to deploy it on package managers. If you look closely, there is an automated code generation step that in future may be extended. This is to prevent a "generic patch util" from being released via package manager too ;-)

But I agree with you, a distributed version of the library for the people that don't have extreme security needs is a nice-to-have. Contributions are welcome. If you implement it, please make the new parameter in the API activatable with a CMake flag.