🔒 Software Licensing API

This is a university project developed with Python (Flask) and MongoDB, as a part of the Non-Relational Database Solutions course.

Getting Started

1. Create a virtual python environment

2. Install required packages
   Run the command listed below to install all of the required packages.

   pip install -r requirements.txt

3. Run the Setup Wizard
   The setup wizard will guide you through configuring the .env file for the API.

   py setup_wizard.py

4. Run the API
   API will be available at https://localhost:5000.

   py app.py

5. Check out the Project's Wiki
   For detailed documentation, visit the wiki.

API Endpoints

List of basic endpoints:

Endpoint	Description
GET /	A way to check if the API works
GET /users POST /users	CRUD operations for users GET: List users POST: Create a user (Other methods: PUT, DELETE)
GET /licenses POST /licenses	CRUD operations for licenses GET: List licenses POST: Create a license (Other methods: PUT, DELETE)
GET /checksums POST /checksums	CRUD operations for checksums GET: List checksums POST: Create a checksum (Other methods: PUT, DELETE)
POST /auth	Authentication endpoint
POST /activate	Endpoint to activate a software license

All endpoints are documented in the wiki:

• Endpoints
  • API Check
  • Authenticate
  • Activate a software license
  • Users Collection
  • Licenses Collection
  • Checksums Collection

API Security Overview

• Most endpoints are available only to authenticated users.
• Secrets are stored in a .env file.
• Each user authenticates using a JWT token which holds the user ID and an expiry date.
• Users acquire JWT tokens using the /auth endpoint by providing a valid username and password.
  • On top of that, admin user has to provide a one-time password when 2FA is enabled.
• Most CRUD operations are not available to normal users.
• Only the admin user created using the setup wizard can perform full CRUD operations.

Licensing System Overview

Project uses RSA 2048-bit cryptography keys for generating and veryfing signatures which are treated as license files.

• Each license key is tied to a unique hardware ID, preventing use on other machines.
• API uses a private key to sign licenses, and a matching public key is used to verify them.

API	Application
Holds the PRIVATE KEY 🔑	Holds the PUBLIC KEY 🔑

Activation Process

1. Application sends a request to the /activate endpoint. This request includes:
   • License key
   • Hardware information identifying the machine
2. API validates the provided information and uses its PRIVATE KEY 🔑 to generate a signature for the hardware data.
   • API creates a Base64-encoded hardware ID string composed of all the submitted parameters, joined by a pipe symbol (|):
     spec1|spec2|spec3|spec4|spec5
     Hardware ID string is stored in the database in its Base64-encoded form.
   • API generates a SHA256 (salt length of 32) signature for a string that combines the hardware ID string and the license key:
     c3BlYzF8c3BlYzJ8c3BlYzN8c3BlYzR8c3BlYzUXYYUG-AANZN-77824-50018
3. Application receives the signature and saves it in a license file.

Verification Process

1. Application grabs the following:
   • Signature from the license file
   • License key
   • Current hardware ID of the machine
2. Application uses its PUBLIC KEY 🔑 to verify the signature against the current hardware ID. If the verification is successful, the software is considered licensed.

Demo Application

You can find a demo application written in C# to test the licensing system here: Demo .NET 8 C# Application