§Licenz Core
A powerful offline software license management library for Rust.
§Security Witness Pattern
This library follows the Security Witness Pattern, separating:
- Attestation (this crate): Observes, measures, and reports facts about licenses
- Enforcement (licenz-policy): Decides and enforces based on attestations
The core library is open source and auditable. All verification logic is transparent.
Policy enforcement is handled by the separate licenz-policy crate.
§Features
- Offline License Validation: Generate licenses that can be verified without internet connectivity
- Hardware Binding: Bind licenses to specific hardware identifiers (MAC address, disk ID, hostname)
- Digital Signatures: Secure licenses with RSA-SHA256 cryptographic signatures
- Expiration Management: Set and enforce license expiration dates
- Binary Format: Compact, tamper-resistant binary license format
- JSON Support: Legacy JSON format for backward compatibility
- Security Witness: Comprehensive attestation of license and system state
§Quick Start
§Generating a License (Server-Side)
use licenz_core::{KeyPair, KeySize, LicenseGenerator, LicenseData};
// Server-side only: the RSA private key produced here signs licenses and must
// never ship with the client application. Every step below uses `.unwrap()`,
// so any failure panics; that is acceptable for an example only.
// NOTE(review): `into_private_key()` is called directly on the freshly
// generated pair, so this snippet keeps no handle to the public half. Clients
// need that public key to verify the license -- export it before this point
// (confirm the export API on `KeyPair`).
// NOTE(review): generating a new key pair on every run is presumably for
// illustration; a real issuer would load one persisted signing key (the crate
// re-exports `parse_private_key`) -- confirm.
let signing_key = KeyPair::generate(KeySize::Bits2048)
    .unwrap()
    .into_private_key();

// The generator takes the signing key by value.
let generator = LicenseGenerator::new(signing_key);

// Describe the license: identifiers, validity period and enabled features.
let payload = LicenseData::builder()
    .id("LIC-001")
    .serial("SN-12345")
    .customer_id("ACME-CORP")
    .product_id("MY-APP")
    .valid_days(365)
    .feature("basic")
    .feature("premium")
    .build()
    .unwrap();

// Sign the license data with the generator's key.
let signed_license = generator.generate(payload).unwrap();

// Write the signed license to disk in the binary format.
generator
    .save_binary(&signed_license, "license.lic".as_ref())
    .unwrap();

§Attestation (Recommended - Security Witness Pattern)
use licenz_core::{SecurityWitness, WitnessConfig};
// Public key embedded at compile time: `include_str!` copies the PEM text into
// the binary during the build, so verification does not read the key from a
// file at run time. Only the public half belongs here.
const PUBLIC_KEY: &str = include_str!("../keys/public.pem");
fn main() {
    // Build the witness around the compiled-in public key, then attest the
    // license file; either step panics via `.unwrap()` on error.
    let observer = SecurityWitness::new(PUBLIC_KEY).unwrap();
    let report = observer
        .attest("license.lic", &WitnessConfig::default())
        .unwrap();

    // The attestation only reports facts; printing them enforces nothing.
    println!("Signature valid: {}", report.signature_valid);
    println!("Days remaining: {}", report.expiration.days_remaining);
    println!("Anomalies: {:?}", report.anomalies);

    // Enforcement is the caller's job: hand the report to licenz-policy, or
    // gate on it directly as done here.
    // NOTE(review): `is_valid` is used as the overall verdict; which checks it
    // aggregates is not shown on this page -- confirm before relying on it alone.
    if report.is_valid {
        return;
    }
    eprintln!("License invalid");
    std::process::exit(1);
}

§Legacy: Direct Validation (Deprecated)
use licenz_core::require_license;
// This pattern is deprecated - use SecurityWitness + licenz-policy instead
// `.expect()` panics with the message below when `require_license` fails, so
// execution cannot continue past this statement without a license the call
// accepts.
// NOTE(review): `PUBLIC_KEY` is not defined in this snippet; presumably it is
// the compile-time constant from the attestation example -- confirm.
let license = require_license("license.lic", PUBLIC_KEY)
    .expect("Valid license required to run");

§Feature Flags
- cloud-metadata: Enable cloud container detection (AWS, GCP, Azure)
- post-quantum: Enable post-quantum cryptography (ML-DSA-65/FIPS 204, ML-KEM-768/FIPS 203)
Re-exports§
pub use anti_tamper::ClockStatus;
pub use anti_tamper::HardwareFingerprint;
pub use anti_tamper::LicenseState;
pub use anti_tamper::MatchResult;
pub use anti_tamper::STATE_HMAC_PREFIX;
pub use container::ContainerBinding;
pub use container::InstanceIdSource;
pub use container::RuntimeEnvironment;
pub use encrypted_store::validate_passphrase;
pub use encrypted_store::EncryptedKeyStore;
pub use encrypted_store::ENCRYPTED_STORE_VERSION;
pub use encrypted_store::MIN_PASSPHRASE_LENGTH;
pub use error::LicenseError;
pub use error::Result;
pub use generator::CryptoGenerator;
pub use generator::LicenseGenerator;
pub use guard::require_license;
pub use guard::require_license_with_verifier;
pub use guard::validate_license_bytes;
pub use guard::ValidatedLicense;
pub use hardware::default_hardware_environment;
pub use hardware::detect_hardware;
pub use hardware::DefaultHardwareEnvironment;
pub use hardware::FixedHardwareEnvironment;
pub use hardware::HardwareEnvironment;
pub use hardware::HardwareInfo;
pub use keys::parse_private_key;
pub use keys::parse_public_key;
pub use keys::CryptoKeyPair;
pub use keys::KeyPair;
pub use keys::KeySize;
pub use license::HardwareBinding;
pub use license::LicenseData;
pub use license::LicenseDataBuilder;
pub use license::LicenseFormat;
pub use license::SignedLicense;
pub use state_manager::StateManager;
pub use state_manager::StateObservations;
pub use verifier::detect_license_format;
pub use verifier::CryptoVerifier;
pub use verifier::LicenseVerifier;
pub use verifier::ValidationResult;
pub use crypto::algorithm_ids;
pub use crypto::CryptoRegistry;
pub use crypto::EncryptionAlgorithm;
pub use crypto::SignatureAlgorithm;
pub use witness::ClockAttestation;
pub use witness::ClockStatusAttestation;
pub use witness::EnvironmentAttestation;
pub use witness::ExpirationAttestation;
pub use witness::ExpirationIssue;
pub use witness::HardwareAttestation;
pub use witness::SecurityAnomaly;
pub use witness::SecurityAttestation;
pub use witness::SecurityWitness;
pub use witness::StateFileAttestation;
pub use witness::StateFileObservation;
pub use witness::StateFileStatus;
pub use witness::WitnessConfig;
pub use sneakernet::detect_format as detect_sneakernet_format;
pub use sneakernet::ActivationRequest;
pub use sneakernet::ActivationRequestBuilder;
pub use sneakernet::ActivationResponse;
pub use sneakernet::SneakernetFormat;
pub use sneakernet::MAX_SNEAKERNET_JSON_PAYLOAD;
pub use sneakernet::REQUEST_MAGIC;
pub use sneakernet::REQUEST_TEXT_PREFIX;
pub use sneakernet::REQUEST_TEXT_SUFFIX;
pub use sneakernet::REQUEST_VERSION;
pub use sneakernet::RESPONSE_MAGIC;
pub use sneakernet::RESPONSE_TEXT_PREFIX;
pub use sneakernet::RESPONSE_TEXT_SUFFIX;
pub use sneakernet::RESPONSE_VERSION;
pub use support_bundle::ClockState;
pub use support_bundle::ClockStatusSummary;
pub use support_bundle::EnvironmentInfo;
pub use support_bundle::HardwareMatchStatus;
pub use support_bundle::HardwareSummary;
pub use support_bundle::LicenseStatusSummary;
pub use support_bundle::RuntimeEnvironmentSummary;
pub use support_bundle::StateFileLocation;
pub use support_bundle::StateFileLocationStatus;
pub use support_bundle::StateFileSummary;
pub use support_bundle::SupportBundle;
pub use support_bundle::SupportBundleBuilder;
pub use support_bundle::VerificationEvent;
pub use support_bundle::VerificationEventType;
pub use support_bundle::BUNDLE_VERSION;
pub use support_bundle::ENCRYPTED_BUNDLE_MAGIC;
pub use unlock::generate_challenge_from_state;
pub use unlock::get_lockout_status;
pub use unlock::validate_response_code;
pub use unlock::LockoutStatus;
pub use unlock::UnlockChallenge;
pub use unlock::UnlockResult;
pub use unlock::UnlockType;
Modules§
- anti_tamper
- Anti-tamper and clock manipulation detection
- container
- Container and cloud-aware licensing
- crypto
- Pluggable cryptographic architecture using the strategy pattern.
- encrypted_store
- Encrypted key storage for secure backups
- error
- Error types for the license system
- generator
- License generation functionality (server-side)
- guard
- License guard pattern for enforced validation
- hardware
- Hardware detection for license binding
- keys
- Key management for license signing and verification
- license
- License data structures and types
- sneakernet
- Sneakernet (offline) license activation support
- state_manager
- Multi-location state management for tamper resistance
- support_bundle
- Support Bundle Generation
- unlock
- Admin Time Unlock - Client-side unlock verification
- verifier
- License verification functionality (client-side)
- witness
- Security Witness Pattern
Macros§
- feature_gate
- Feature gate macro for conditional code execution.
- load_license
- Macro to load and validate a license at compile time.
- require_valid_license (Deprecated)
- DEPRECATED: Use load_license! instead, which returns a Result.
Constants§
- VERSION
- Library version
Functions§
- embedded_public_key
- Get a public key embedded at compile time via environment variable.