rust-license-key 0.1.0

A production-grade Rust library for creating and validating offline software licenses using Ed25519 cryptography
//! License parsing and decoding functionality.
//!
//! This module handles the loading and decoding of signed licenses.
//! It verifies cryptographic signatures and extracts the license payload.
//!
//! # Client-Side Usage
//!
//! This module is intended for use in client applications to load and
//! verify licenses issued by the software publisher.

use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine;

use crate::crypto::PublicKey;
use crate::error::{LicenseError, Result};
use crate::models::{
    LicensePayload, SignedLicense, MAX_SUPPORTED_LICENSE_VERSION, MIN_SUPPORTED_LICENSE_VERSION,
};

// =============================================================================
// License Parser
// =============================================================================

/// Parser for loading and verifying signed licenses.
///
/// The parser takes a public key and uses it to verify license signatures.
/// Only licenses signed by the corresponding private key will be accepted.
///
/// # Security
///
/// The parser only accepts licenses with valid signatures. Any tampering
/// with the license payload will cause signature verification to fail.
///
/// That guarantee rests entirely on the public key held by the parser. The
/// key should ship with the application (or come from storage with equivalent
/// integrity protection); a key read from the same untrusted place as the
/// license file lets whoever wrote the license choose the verifier too.
///
/// The verified entry points in this module (`parse_json`,
/// `parse_signed_license`) check the signature and the format version range
/// and nothing else. No expiry, feature or customer check is performed here,
/// so a successfully parsed payload still has to be validated before it is
/// used for an access decision.
///
/// # Example
///
/// ```
/// use rust_license_key::parser::LicenseParser;
/// use rust_license_key::crypto::PublicKey;
///
/// // The public key embedded in your application
/// let public_key_base64 = "..."; // Your public key here
///
/// // In a real application:
/// // let public_key = PublicKey::from_base64(public_key_base64).unwrap();
/// // let parser = LicenseParser::new(public_key);
/// // let license = parser.parse_json(&license_file_contents).unwrap();
/// ```
#[derive(Debug, Clone)]
pub struct LicenseParser {
    /// The public key used to verify license signatures.
    // Private on purpose: it is set once in `new` and only exposed read-only
    // through `public_key()`, so a parser cannot be re-keyed after creation.
    public_key: PublicKey,
}

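impl LicenseParser {
    /// Creates a new license parser with the given public key.
    ///
    /// # Arguments
    ///
    /// * `public_key` - The publisher's public key for signature verification.
    ///   Every license this parser accepts is trusted on the strength of this
    ///   key alone, so it must come from a source the license holder cannot
    ///   modify.
    pub fn new(public_key: PublicKey) -> Self {
        Self { public_key }
    }

    /// Creates a new license parser from a base64-encoded public key.
    ///
    /// # Arguments
    ///
    /// * `public_key_base64` - The base64-encoded public key string.
    ///
    /// # Errors
    ///
    /// Returns an error if the public key is invalid or malformed.
    pub fn from_public_key_base64(public_key_base64: &str) -> Result<Self> {
        let public_key = PublicKey::from_base64(public_key_base64)?;
        Ok(Self::new(public_key))
    }

    /// Parses a signed license from a JSON string.
    ///
    /// This method:
    /// 1. Parses the JSON structure.
    /// 2. Verifies the cryptographic signature.
    /// 3. Decodes the license payload.
    /// 4. Validates the license format version.
    ///
    /// Only the signature and the format version are checked. Expiry and any
    /// other license constraint are not evaluated here and remain the
    /// caller's responsibility.
    ///
    /// # Arguments
    ///
    /// * `json` - The JSON string containing the signed license.
    ///
    /// # Returns
    ///
    /// The verified and decoded license payload.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The JSON is malformed.
    /// - The signature is invalid.
    /// - The payload cannot be decoded.
    /// - The license version is not supported.
    pub fn parse_json(&self, json: &str) -> Result<LicensePayload> {
        // Step 1: Parse the outer structure. Nothing in it is trusted yet;
        // trust is only established by the signature check that follows.
        let signed_license = Self::signed_license_from_json(json)?;

        self.parse_signed_license(&signed_license)
    }

    /// Parses a `SignedLicense` structure directly.
    ///
    /// Use this when you already have a `SignedLicense` object,
    /// for example from custom deserialization logic.
    ///
    /// The signature is verified before the payload is decoded, so payload
    /// bytes that were not signed by the publisher never reach the JSON
    /// deserializer.
    ///
    /// # Arguments
    ///
    /// * `signed_license` - The signed license to verify and decode.
    ///
    /// # Returns
    ///
    /// The verified and decoded license payload.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The signature does not verify (`LicenseError::InvalidSignature`).
    /// - The payload is not valid base64 or not a valid payload document.
    /// - The format version lies outside the supported range.
    pub fn parse_signed_license(&self, signed_license: &SignedLicense) -> Result<LicensePayload> {
        // Step 2: Verify the signature.
        // The signature is computed over the base64-encoded payload, so the
        // check runs on the encoded text exactly as it appears in the license.
        // Every failure is folded into `InvalidSignature`; the underlying
        // cause is deliberately not passed on to the caller.
        self.public_key
            .verify_base64(
                signed_license.encoded_payload.as_bytes(),
                &signed_license.encoded_signature,
            )
            .map_err(|_| LicenseError::InvalidSignature)?;

        // Steps 3 and 4: Decode the base64 and parse the JSON payload.
        let payload = Self::decode_encoded_payload(signed_license)?;

        // Step 5: Validate the license format version. A signed license in a
        // format this build does not understand is rejected rather than
        // interpreted on a best-effort basis.
        if payload.format_version < MIN_SUPPORTED_LICENSE_VERSION
            || payload.format_version > MAX_SUPPORTED_LICENSE_VERSION
        {
            return Err(LicenseError::UnsupportedLicenseVersion {
                found: payload.format_version,
                supported: format!(
                    "{} to {}",
                    MIN_SUPPORTED_LICENSE_VERSION, MAX_SUPPORTED_LICENSE_VERSION
                ),
            });
        }

        Ok(payload)
    }

    /// Attempts to decode a license without signature verification.
    ///
    /// # Warning
    ///
    /// This method bypasses security and should only be used for debugging
    /// or inspection purposes. Never use the returned payload for access
    /// control decisions.
    ///
    /// The payload is returned even when the signature check fails; the
    /// boolean is the only indication that the content is unauthenticated.
    /// The format version range is not checked on this path either.
    ///
    /// # Arguments
    ///
    /// * `json` - The JSON string containing the signed license.
    ///
    /// # Returns
    ///
    /// The decoded payload and a boolean indicating if the signature was valid.
    ///
    /// # Errors
    ///
    /// Returns an error if the JSON is malformed or the payload cannot be
    /// decoded. An invalid signature is not an error here; it is reported
    /// through the returned boolean.
    pub fn decode_unverified(&self, json: &str) -> Result<(LicensePayload, bool)> {
        // Parse the signed license structure
        let signed_license = Self::signed_license_from_json(json)?;

        // Check signature validity. The outcome is recorded, not enforced.
        let signature_valid = self
            .public_key
            .verify_base64(
                signed_license.encoded_payload.as_bytes(),
                &signed_license.encoded_signature,
            )
            .is_ok();

        // Decode the payload regardless of signature
        let payload = Self::decode_encoded_payload(&signed_license)?;

        Ok((payload, signature_valid))
    }

    /// Returns a reference to the parser's public key.
    pub fn public_key(&self) -> &PublicKey {
        &self.public_key
    }

    /// Parses the outer signed-license JSON, mapping any failure to
    /// `LicenseError::JsonDeserializationFailed`.
    fn signed_license_from_json(json: &str) -> Result<SignedLicense> {
        SignedLicense::from_json(json).map_err(|e| LicenseError::JsonDeserializationFailed {
            reason: e.to_string(),
        })
    }

    /// Base64-decodes the encoded payload and deserializes it as a `LicensePayload`.
    ///
    /// Performs no signature check; callers decide whether one has to come first.
    fn decode_encoded_payload(signed_license: &SignedLicense) -> Result<LicensePayload> {
        let payload_bytes = BASE64_STANDARD
            .decode(&signed_license.encoded_payload)
            .map_err(|e| LicenseError::Base64DecodingFailed {
                reason: e.to_string(),
            })?;

        serde_json::from_slice(&payload_bytes).map_err(|e| {
            LicenseError::JsonDeserializationFailed {
                reason: e.to_string(),
            }
        })
    }
}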

// =============================================================================
// Convenience Functions
// =============================================================================

/// Verifies and decodes a signed license in a single call.
///
/// A throwaway `LicenseParser` is built from `public_key_base64` and used
/// once. When several licenses are checked against the same key, construct
/// a `LicenseParser` and reuse it instead.
///
/// # Arguments
///
/// * `license_json` - The JSON string containing the signed license.
/// * `public_key_base64` - The base64-encoded public key. It has to come from
///   a trusted source such as the application binary; if it is supplied
///   alongside the license, the signature check proves nothing.
///
/// # Returns
///
/// The verified and decoded license payload.
///
/// # Errors
///
/// Returns the error from `LicenseParser::from_public_key_base64` when the
/// key cannot be loaded, otherwise whatever `LicenseParser::parse_json`
/// reports for the license.
pub fn parse_license(license_json: &str, public_key_base64: &str) -> Result<LicensePayload> {
    LicenseParser::from_public_key_base64(public_key_base64)
        .and_then(|verifier| verifier.parse_json(license_json))
}

/// Returns the payload JSON embedded in a signed license, with no signature check.
///
/// # Warning
///
/// This function is for inspection only. It takes no public key and performs
/// no verification, so the returned text may have been written by anyone.
/// Never trust unverified payload data.
///
/// # Arguments
///
/// * `license_json` - The JSON string containing the signed license.
///
/// # Returns
///
/// The raw payload JSON as a string.
///
/// # Errors
///
/// Returns an error if the outer JSON is malformed, the payload is not valid
/// base64, or the decoded bytes are not valid UTF-8.
pub fn extract_payload_unverified(license_json: &str) -> Result<String> {
    // Outer structure: only its shape is parsed, its signature is ignored.
    let envelope = match SignedLicense::from_json(license_json) {
        Ok(envelope) => envelope,
        Err(err) => {
            return Err(LicenseError::JsonDeserializationFailed {
                reason: err.to_string(),
            })
        }
    };

    let raw_payload = match BASE64_STANDARD.decode(&envelope.encoded_payload) {
        Ok(bytes) => bytes,
        Err(err) => {
            return Err(LicenseError::Base64DecodingFailed {
                reason: err.to_string(),
            })
        }
    };

    // The payload is handed back as text, so it has to be valid UTF-8.
    match String::from_utf8(raw_payload) {
        Ok(text) => Ok(text),
        Err(err) => Err(LicenseError::InvalidLicenseFormat {
            reason: format!("payload is not valid UTF-8: {}", err),
        }),
    }
}

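#[cfg(test)]
mod tests {
    use super::*;
    use crate::builder::LicenseBuilder;
    use crate::crypto::KeyPair;
    use chrono::Duration;

    /// Builds a fixture license signed with `key_pair` and returns it as JSON.
    fn create_test_license(key_pair: &KeyPair) -> String {
        LicenseBuilder::new()
            .license_id("TEST-LIC-001")
            .customer_id("TEST-CUST-001")
            .customer_name("Test Customer")
            .expires_in(Duration::days(30))
            .allowed_feature("premium")
            .build_and_sign_to_json(key_pair)
            .expect("Should create test license")
    }

    /// A license parsed with the matching public key yields its payload fields.
    #[test]
    fn test_parse_valid_license() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let license_json = create_test_license(&key_pair);

        let parser = LicenseParser::new(key_pair.public_key());
        let payload = parser
            .parse_json(&license_json)
            .expect("Should parse license");

        assert_eq!(payload.license_id, "TEST-LIC-001");
        assert_eq!(payload.customer_id, "TEST-CUST-001");
        assert_eq!(payload.customer_name.as_deref(), Some("Test Customer"));
    }

    /// A license signed by one key pair is rejected by another key's parser.
    #[test]
    fn test_parse_with_wrong_key_fails() {
        let key_pair_1 = KeyPair::generate().expect("Key generation should succeed");
        let key_pair_2 = KeyPair::generate().expect("Key generation should succeed");

        // Create license with key_pair_1
        let license_json = create_test_license(&key_pair_1);

        // Try to parse with key_pair_2's public key
        let parser = LicenseParser::new(key_pair_2.public_key());
        let result = parser.parse_json(&license_json);

        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            LicenseError::InvalidSignature
        ));
    }

    /// A modified payload is rejected by the signature check itself.
    #[test]
    fn test_parse_tampered_license_fails() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let license_json = create_test_license(&key_pair);

        // Parse the license JSON to get the structure
        let mut signed: SignedLicense = serde_json::from_str(&license_json).expect("Should parse");

        // Tamper with the payload (modify a character in the base64).
        // Fail loudly if the fixture is too short to tamper with, instead of
        // silently leaving the license untouched.
        let mut chars: Vec<char> = signed.encoded_payload.chars().collect();
        let c = chars
            .get_mut(10)
            .expect("Encoded payload should be longer than 10 characters");
        *c = if *c == 'A' { 'B' } else { 'A' };
        signed.encoded_payload = chars.into_iter().collect();

        // Serialize back to JSON
        let tampered_json = serde_json::to_string(&signed).expect("Should serialize");

        // Try to parse the tampered license
        let parser = LicenseParser::new(key_pair.public_key());
        let result = parser.parse_json(&tampered_json);

        // The error must come from signature verification. A bare `is_err()`
        // would also pass if the flipped character merely broke base64 or
        // JSON decoding, which would hide a missing signature check.
        assert!(matches!(
            result.unwrap_err(),
            LicenseError::InvalidSignature
        ));
    }

    /// Input that is not JSON is reported as a deserialization failure.
    #[test]
    fn test_parse_invalid_json() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let parser = LicenseParser::new(key_pair.public_key());

        let result = parser.parse_json("not valid json");
        assert!(matches!(
            result.unwrap_err(),
            LicenseError::JsonDeserializationFailed { .. }
        ));
    }

    /// With the matching key, `decode_unverified` reports a valid signature.
    #[test]
    fn test_decode_unverified() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let license_json = create_test_license(&key_pair);

        let parser = LicenseParser::new(key_pair.public_key());
        let (payload, signature_valid) = parser
            .decode_unverified(&license_json)
            .expect("Should decode");

        assert!(signature_valid);
        assert_eq!(payload.license_id, "TEST-LIC-001");
    }

    /// With the wrong key, `decode_unverified` still decodes but flags the signature.
    #[test]
    fn test_decode_unverified_with_wrong_key() {
        let key_pair_1 = KeyPair::generate().expect("Key generation should succeed");
        let key_pair_2 = KeyPair::generate().expect("Key generation should succeed");

        let license_json = create_test_license(&key_pair_1);

        let parser = LicenseParser::new(key_pair_2.public_key());
        let (payload, signature_valid) = parser
            .decode_unverified(&license_json)
            .expect("Should decode");

        // Signature should be invalid but payload still decoded
        assert!(!signature_valid);
        assert_eq!(payload.license_id, "TEST-LIC-001");
    }

    /// The extracted payload is JSON carrying the license id.
    #[test]
    fn test_extract_payload_unverified() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let license_json = create_test_license(&key_pair);

        let payload_json = extract_payload_unverified(&license_json).expect("Should extract");

        // Verify it's valid JSON containing expected fields
        let value: serde_json::Value =
            serde_json::from_str(&payload_json).expect("Should be valid JSON");
        assert_eq!(value["id"], "TEST-LIC-001");
    }

    /// A parser built from the base64 public key verifies that key's licenses.
    #[test]
    fn test_from_public_key_base64() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let public_key_base64 = key_pair.public_key_base64();

        let parser = LicenseParser::from_public_key_base64(&public_key_base64)
            .expect("Should create parser");

        let license_json = create_test_license(&key_pair);
        let payload = parser.parse_json(&license_json).expect("Should parse");

        assert_eq!(payload.license_id, "TEST-LIC-001");
    }

    /// The one-shot `parse_license` helper verifies and decodes a license.
    #[test]
    fn test_parse_license_convenience_function() {
        let key_pair = KeyPair::generate().expect("Key generation should succeed");
        let public_key_base64 = key_pair.public_key_base64();
        let license_json = create_test_license(&key_pair);

        let payload =
            parse_license(&license_json, &public_key_base64).expect("Should parse license");

        assert_eq!(payload.license_id, "TEST-LIC-001");
    }
}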