well not really.
Further down the line, we realised after pushing to GitHub that people would poke around in our code, find vulnerabilities and send pirate copies of the system to others.
YES I KNOW IT'S OPEN SOURCE! BUT YOU NEED TO BE PREPARED!
We needed a name that sounded professional but friendly. In the end we settled for the name EN_LICE_ULOCK. It was a bad name but we didn't have a lot of time.
There needed to be a way to stop execution on startup if something was missing. licelock 1.0 looked like this:
import os
import sys
import logging
from datetime import datetime
from time import *
f = open("LICENSE.txt", "r")
it was bad, really bad...
All it does is look for a LICENSE.txt file, and Python throws a tantrum when it can't be found. We needed to change it, and fast.
First, we needed to change the way licelock works...
instead of putting it in the main code, we turn it into a module and ship with every copy.
change what it looks for, or at least separate into levels of protection.
get the update out fast.
so our new procedure worked like this:
import os
from Crypto.Hash import SHA256
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA
def keylock():
    # Hash the fixed message that gets signed and verified
    message = b"Validated"  # bytes, because the hash update rejects str on Python 3
    digest = SHA256.new()
    digest.update(message)
    # Read the private key from file; a missing or unparsable file raises here
    with open("superpy.pem", "r") as myfile:
        private_key = RSA.importKey(myfile.read())
    # Load private key and sign message
    signer = PKCS1_v1_5.new(private_key)
    sig = signer.sign(digest)
    # Load public key (derived from the same private key) and verify message
    verifier = PKCS1_v1_5.new(private_key.publickey())
    verified = verifier.verify(digest, sig)
    assert verified, "Signature verification failed"
    print("Successfully verified signature, booting...")
    os.system("python3 boot.py")
look for secure keys instead of editable text files!
just for reference, the keys are generated through OpenSSL:
openssl genrsa -out private_key.pem 1024
now with that sorted, we needed to import it into the code. We saved it as licelock.py and in our main file we added:
import licelock
licelock.keylock()
and there we go, a simple but secure mechanism that shuts off the script if there isn't a key. I WOULD NOT use this in production if I was you!
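The keylock above signs and verifies with the same shipped private key, so it passes for any readable RSA key file; this added example (not the original licelock code) sketches the verify-only variant, where the vendor signs the license text offline and each copy carries only the public key. The names vendor_keygen and vendor_sign are hypothetical, and the RSA here is standard-library textbook code used only so the example runs without dependencies; a real build would use a maintained library such as the Crypto package's PKCS1_v1_5 verifier the page already imports.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_prime(n, rounds=40):
    # Miller-Rabin probabilistic primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 65537 != 1 and _is_prime(p):  # keeps e = 65537 invertible
            return p

def vendor_keygen(bits=2048):
    # Hypothetical vendor-side helper, run once offline; d never ships
    p, q = _prime(bits // 2), _prime(bits // 2)
    n, e = p * q, 65537
    return (n, e), pow(e, -1, (p - 1) * (q - 1))

def _encode(message, n):
    # 00 01 FF..FF 00 DigestInfo || SHA-256(message), padded to the length of n
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def vendor_sign(license_text, n, d):
    # Hypothetical vendor-side helper: sign the license bytes with private d
    return pow(_encode(license_text, n), d, n)

def keylock(license_text, signature, public_key):
    # Shipped side: holds only (n, e); re-encode and compare, never parse padding
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _encode(license_text, n)
```

With this split, editing the license text or swapping in a different key file makes keylock return False, because a copy cannot produce a valid signature without the vendor's private exponent.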