"Authentic" license key forgery vulnerability #377
Possible remediation steps without having to manage separate keypairs for each signing subject:
This was referenced Oct 2, 2020
ezekg changed the title from "Use separate private keys for license keys, activation proofs and request/response signatures" to ""Authentic" license key forgery vulnerability" on Oct 2, 2020
Let's include #362 in this convo so that it doesn't get lost.
There is a possible vulnerability where if an account is simply validating a license key's signature "authenticity" and not utilizing the dataset within the license key at all, an attacker could potentially utilize a signed response payload and signature from a public endpoint, such as /validate-key, to forge a "license key" that would pass the cryptographic verification.

/validate-key with a bogus license key
BODY.SIG
to craft a "license key"
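The domain-separation approach the remediation comment points at (one account keypair, but a distinct signing context for each subject), shown as an added Go example that is not keygen's own code. The subject names, the use of Ed25519, the NUL-separated framing and the sample bodies are all assumptions made for the illustration.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "fmt"

// Signing subjects that share one account keypair (names are assumed, not the project's).
const (
	SubjectLicense  = "license-key"
	SubjectResponse = "response"
)

// Flawed scheme: the raw body is signed and a license key is just BODY.SIG, so any body
// and signature issued by the account (e.g. a /validate-key response) verifies as a license.
func SignNaive(sk ed25519.PrivateKey, body []byte) []byte { return ed25519.Sign(sk, body) }
func VerifyNaiveLicense(pk ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pk, body, sig)
}

// Domain-separated scheme: the subject name and a NUL byte are prepended before signing,
// so a signature issued for one subject fails under another although one keypair signs both.
func frame(subject string, body []byte) []byte {
	return append([]byte(subject+"\x00"), body...)
}

func SignFor(sk ed25519.PrivateKey, subject string, body []byte) []byte {
	return ed25519.Sign(sk, frame(subject, body))
}

func VerifyLicense(pk ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pk, frame(SubjectLicense, body), sig)
}

// Scenario replays a signed response body as a license key under both schemes and checks
// that a genuine license still verifies. Returns legit=true, naiveForged=true, separatedForged=false.
func Scenario() (legit, naiveForged, separatedForged bool) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	resp := []byte(`{"meta":{"valid":false,"code":"NOT_FOUND"}}`) // constructed sample response body
	lic := []byte(`{"lic":"example","exp":"2030-01-01"}`)        // constructed sample license body
	legit = VerifyLicense(pk, lic, SignFor(sk, SubjectLicense, lic))
	naiveForged = VerifyNaiveLicense(pk, resp, SignNaive(sk, resp))
	separatedForged = VerifyLicense(pk, resp, SignFor(sk, SubjectResponse, resp))
	return
}

func main() {
	legit, naive, sep := Scenario()
	fmt.Printf("genuine license ok=%v, forged under flawed scheme=%v, forged under separated scheme=%v\n", legit, naive, sep)
}
```

The separated verifier only rejects the replayed response because the framing differs; the account key itself is unchanged, which is the point of avoiding one keypair per subject.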