Application Licensing
This licensing server was designed to support "sometimes on" applications. These are applications that are not always connected to the internet. They require offline license verification. For example, a user may launch a desktop application, but may not be connected to the internet.
Obtaining Licenses
License holders (users) must obtain their identifying key from the user management server. This key is available.
Explain how the files are retrieved.
License Verification Process
Three assets are required to validate a license:
The license file is a JSON Web Token (JWT), which contains the entitlements, valid date range, application metadata, and a signature. To verify a license, its signature must be verified.
Verifying the License Signature
License files and keys are issued by the licensing server using asymmetric ECDSA keypairs. The server provides a JWT (license) and an encrypted file (public key).
The key for signature verification is then encrypted using the license holder's public key. This file is delivered as the "license key". The private key capable of decrypting it is delivered to the license holder separately.
In order to verify the JWT signature, applications need the unencrypted contents of the license key. Therefore, the first step is for the owner's key to decrypt the license key. This creates an une
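The verification step that follows decryption, as an added example (not the licensing server's own code): it pins the JWT algorithm, checks the ECDSA signature, and only then reads the date range. It assumes ES256 on P-256, `nbf`/`exp` as the date-range claims, an `entitlements` claim name, and a license key that has already been decrypted (the page does not name the encryption scheme); the key pair and license are constructed in the block.

```javascript
const { generateKeyPairSync, sign, verify } = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (text) => Buffer.from(text, 'base64url');

// Verify an ES256 license JWT with the already-decrypted verification key.
// Assumption: "nbf" and "exp" (Unix seconds) carry the valid date range.
function verifyLicense(token, publicKey, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm: the header must not be able to select "none" or an HMAC.
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  if (header.alg !== 'ES256') throw new Error('unexpected algorithm');
  // JWS carries ECDSA signatures as raw r||s (IEEE P1363), not DER.
  const sig = fromB64url(s);
  const ok = sig.length === 64 &&
    verify('sha256', Buffer.from(`${h}.${p}`), { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  // Claims are parsed only after the signature has verified.
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (!Number.isInteger(claims.nbf) || !Number.isInteger(claims.exp) ||
      nowSeconds < claims.nbf || nowSeconds >= claims.exp) {
    throw new Error('outside valid date range');
  }
  return claims;
}

// Constructed stand-in for the licensing server so the example runs offline.
function issueSampleLicense(privateKey, claims) {
  const msg = `${b64url('{"alg":"ES256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}`;
  const sig = sign('sha256', Buffer.from(msg), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${msg}.${b64url(sig)}`;
}

// Constructed key pair and license; the claim values are sample data.
const sampleKeys = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleLicense = issueSampleLicense(sampleKeys.privateKey,
  { entitlements: ['export'], nbf: 1700000000, exp: 1800000000 });
console.log(verifyLicense(sampleLicense, sampleKeys.publicKey, 1750000000));
```

When the application is offline, `nowSeconds` comes from the local clock, so the date-range check is only as trustworthy as that clock.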