Re: licence key validation method
Re: licence key validation method
- Subject: Re: licence key validation method
- From: Dave Fernandes <email@hidden>
- Date: Mon, 12 Jan 2015 09:40:54 -0500
> On Jan 12, 2015, at 6:39 AM, Uli Kusterer <email@hidden> wrote:
>
> On 12 Jan 2015, at 10:52, 2551 <email@hidden> wrote:
>> Given that my licences are being generated with OpenSSL in the FastSpring website,
>
> Didn't FastSpring have an SDK that you just drop into your app to validate their licenses?
No, they support a couple third party solutions out of the box, or let you supply your own generator script. They were also nice enough to add a JavaScript API for me to support my own scheme since AquaticPrime and CocoaFOB didn’t work for me. Very helpful folks!
>
>> does that mean I HAVE TO use OpenSSL to validate them? I'm thinking the "DUH" answer here has to be "YES", but given my lack of knowledge about this topic, I'm taking nothing for granted.
>
> OpenSSL is just a security library that implements several standards and algorithms. You can use any other library that implements the same standard and algorithm as you are using. I.e. Windows AFAIK has its own security library, yet can still read browser certificates that are (were?) validated using OpenSSL on Mac and other platforms.
If you use AquaticPrime, unfortunately, it does not generate standard signatures. It manually hashes and then encrypts using the private key. This sounds like a normal signature, but it is missing some information stored in standard PKCS #1 v2.0 signatures. This means that Security.framework WILL NOT be able to verify an AquaticPrime signature. The verify transform does not work for the above reason; and the decrypt transform does not work either because that would require you to decrypt using the public key. Security.framework enforces cryptographic hygiene - you can only decrypt with a private key and verify a signature with a public key.
> LibreSSL is essentially OpenSSL, just a fixed version, so you should just hear "LibreSSL" when anyone suggests using OpenSSL for anything and you'll be fine. Security.framework is what Apple recommends and supports, so sounds like a good idea. The only problem is that it is very limited. If it does what you need it to (i.e. offers whatever algorithm FastSpring use), it's probably the best choice as long as you don't plan going cross-platform anytime soon.
>
> -- Uli
> _______________________________________________
>
> Cocoa-dev mailing list (email@hidden)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden