fraud - verhas/License3j GitHub Wiki

Fraud license3j

There is no 100% secure license handling. License3j can also be defeated. Asking how to make it totally secure is useless: there is no way to absolute security. The question we have to ask is how much the code can do to make it so secure that there will be no reason to break the license enforcement.

License3j runs in a Java environment. The easiest way to store the key ring file is as a resource file inside a jar or war file. The format of this file is simple, and even a novice user can use a ZIP program to replace the ring file with their own ring file and generate their own licenses. In some cases this threat can be accepted. In most cases, however, we need a bit more security.

To avoid this simple attack, license3j provides an API to check the checksum of the key ring file and also the id of the key that is used to decode the license. That way, if somebody replaces the key-ring file in the JAR file, the license control will fail because the key-ring file checksum does not match the one the API checks it against.

The checksum of the key ring file has to be copied into the Java source code, and you may even apply (if you want) some obfuscation so it will be hard to replace. When the key ring is loaded, this ensures that the ring itself was not tampered with.

        lic.loadKeyRingFromResource("pubring.gpg", digest);

License3j also provides an easy way to get this byte array in Java syntax. Just dump an encoded license onto your screen using the program license3j.bat and you will get not only the license text but also the ID of the key that was used to encode the license and also the digest of the key ring.

In case you have more than one signing key for licenses, you can also check which key was used to sign the license. You may limit the functionality of your program based on the signing key. For example, you will not accept a commercial license that was signed by a demo license key. To do that, you can access the key ID by calling the method getDecodeKeyId():

        assert -3623885160523215197L == lic.getDecodeKeyId();

You can see the code above in its environment in the unit test TestEncoding.java, available in the source distribution of license3j.
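The two checks described on this page, the pinned key ring digest and the gating of features on the signing key ID, put together in one class. This is an added example, not code from the License3j project; the package name, the method names setLicenseEncodedFromResource, isVerified and getFeature, the digest bytes and the key IDs are assumptions, and the real values come from the output of license3j.bat for your own key ring.

```java
import com.verhas.licensor.License; // package name assumed for License3j 1.x

public class LicenseGuard {

    // Digest of pubring.gpg as printed by license3j.bat.
    // Placeholder bytes: paste the digest printed for your own key ring here.
    private static final byte[] RING_DIGEST = new byte[] {
        (byte) 0x00, (byte) 0x11, (byte) 0x22, (byte) 0x33 /* ... */
    };

    // IDs of the signing keys this build recognises (placeholder values).
    private static final long COMMERCIAL_KEY_ID = 0x1111111111111111L;
    private static final long DEMO_KEY_ID       = 0x2222222222222222L;

    /** Returns the edition the bundled license entitles the caller to, or "unlicensed". */
    static String checkLicense() throws Exception {
        License lic = new License();
        // Throws if the pubring.gpg inside the jar does not hash to RING_DIGEST,
        // i.e. somebody swapped the key ring for their own.
        lic.loadKeyRingFromResource("pubring.gpg", RING_DIGEST);
        lic.setLicenseEncodedFromResource("license.txt"); // assumed method name
        if (!lic.isVerified()) {                           // assumed method name
            return "unlicensed";
        }
        long keyId = lic.getDecodeKeyId();
        String edition = lic.getFeature("edition");        // assumed; feature set by the issuer
        if (keyId == COMMERCIAL_KEY_ID) {
            return edition;                                // any edition the commercial key signed
        }
        if (keyId == DEMO_KEY_ID && "demo".equals(edition)) {
            return "demo";                                 // demo key may only sign demo licenses
        }
        // Unknown key, or a commercial edition signed with the demo key: reject.
        return "unlicensed";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("license edition: " + checkLicense());
    }
}
```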