Hello, I have a requirement to verify the license signature offline (with the license only, without the Replicated pod) while starting the app.
Is there any way to verify the signature and verify a specific field?
Let's say I have the license below and want to check that v8_engine_max_core has the correct value and that the field has not been tampered with.
apiVersion: kots.io/v1beta1
kind: License
metadata:
  name:
spec:
  appSlug: ..
  channelID: ..
  channelName: Alpha
  ...
  customerEmail: ..
  customerName: ..
  endpoint:
  entitlements:
    deployment:
      isHidden: true
      signature: {}
      title: Deployment Type (saas/onprem)
      value: onprem
      valueType: String
    v8_engine_max_core:
      isHidden: true
      signature: {}
      title: Maximum allowed VCPU for V8 engine
      value: 96
      valueType: Integer
  licenseID: **
  licenseSequence:
  licenseType: dev
  replicatedProxyDomain:
  signature: MWMzUnZiV1Z5UlcxaGFXd2lPaUp0WVhsMWNpNXdRSFJ2Y21GdVlXbHVZeTVqYjIwaU***
I am referring to "Verifying License Field Signatures with the Replicated SDK API (Beta) | Replicated Docs", but I am not sure what the message you are referring to is. Is it the full license or a specific field? Do you have a sample? And how can I get the signature of a specific field in the license?
import * as crypto from 'crypto';

function verifySignature(message: string, signature: string, publicKeyPEM: string): boolean {
  const encodedMessage: Uint8Array = new TextEncoder().encode(message);
  const publicKey: crypto.KeyObject = crypto.createPublicKey({ key: publicKeyPEM });
  const decodedSignature: Buffer = Buffer.from(signature, 'base64');
  return crypto.verify(
    'md5',
    encodedMessage,
    {
      key: publicKey,
      padding: crypto.constants.RSA_PKCS1_PSS_PADDING
    },
    decodedSignature);
}

function main() {
  const message = `<value>`
  const signature = `<signature>`
  const publicKeyPEM = `<public-key-pem>`
  if (!verifySignature(message, signature, publicKeyPEM)) {
    console.log("Invalid signature");
    return;
  }
  console.log("Signature is valid!");
}

main();
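
An end-to-end check of one entitlement, added here as an example; it is not code from the post or from Replicated. It assumes the signed message is the field's value as a string and the signature is base64, and it uses a locally generated throwaway key pair as a constructed stand-in for the vendor's key; `makeTestSigner`, `verifiedMaxCores` and `demo` are hypothetical names.

```typescript
import * as crypto from 'crypto';

const PSS = crypto.constants.RSA_PKCS1_PSS_PADDING;

// Same check as the snippet in the post: RSA-PSS over an MD5 digest of the message.
function verifySignature(message: string, signature: string, publicKeyPEM: string): boolean {
  const publicKey = crypto.createPublicKey({ key: publicKeyPEM });
  return crypto.verify('md5', Buffer.from(message, 'utf8'),
    { key: publicKey, padding: PSS }, Buffer.from(signature, 'base64'));
}

// Constructed stand-in for the license issuer: throwaway key pair plus a signer.
function makeTestSigner() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const publicKeyPEM = publicKey.export({ type: 'spki', format: 'pem' }).toString();
  const sign = (value: string): string =>
    crypto.sign('md5', Buffer.from(value, 'utf8'), { key: privateKey, padding: PSS })
      .toString('base64');
  return { publicKeyPEM, sign };
}

interface SignedField { value: string | number; signature: string; }

// Returns the core limit only if its signature verifies; null means "do not trust".
// Fails closed on a missing field, an empty signature, or a malformed key.
function verifiedMaxCores(field: SignedField | undefined, publicKeyPEM: string): number | null {
  if (!field || !field.signature) return null;
  try {
    if (!verifySignature(String(field.value), field.signature, publicKeyPEM)) return null;
  } catch {
    return null;
  }
  const n = Number(field.value);
  return Number.isInteger(n) && n > 0 ? n : null;
}

// Constructed sample data: a genuine field, an edited value, and a stripped signature.
function demo() {
  const signer = makeTestSigner();
  const genuine: SignedField = { value: 96, signature: signer.sign('96') };
  const tampered: SignedField = { ...genuine, value: 128 }; // value edited, old signature kept
  const unsigned: SignedField = { value: 96, signature: '' };
  return {
    genuine: verifiedMaxCores(genuine, signer.publicKeyPEM),
    tampered: verifiedMaxCores(tampered, signer.publicKeyPEM),
    unsigned: verifiedMaxCores(unsigned, signer.publicKeyPEM),
  };
}
```

The application should refuse to start, or fall back to its most restrictive limit, whenever `verifiedMaxCores` returns `null`.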