JIVE Note 3 ---- JIVE2.1.1 License Protection Principle Analysis

Starting with JIVE2.0, you need to purchase license to use JIVE for business applications. Now simply analyze the implementation of license verification in jive2. To access the forum, you will inevitably use forumFactory.getInstance (Authorization). J IVE is a license verification in this function. Look at the code corresponding Jive_2_1_1 version: ForumFactory getInstance (Authorization authorization) {... // Note, the software license expressely forbids // tampering with this check LicenseManager.validateLicense ( "Jive Forums Basic", "2.0");. // If the verification fails, LicenseManager will throw a licenseException ...}, so if you want to use the crack version of the Jive, we can just shield the statement of the above. However, look at the comment above, if you are a gentleman, you shouldn't change this source. Of course, I am not willing to be a small person, so if I can engage a large quantity of production of the Enterprise level of the Enterprise level. Next, what is LICENSE is going on. First, download a trial version of the Jive.License file from Jivesoftware.com. Opened it, a bunch of data: D94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxsaWNlbnNlP ................ MzEwMjRmY2EzNGRlYTFkOGMwNWFhOGFhMWIxYTk4MDRiZGEyM2E1PC9zaWduYXR1cmU PC9saWNlbnNlPg0K looks base64 encrypted, they still look at the code first. OK, study the class of LicenseManager. But looking for jive2_1_1source, just didn't find it. It turns out that Jivesoftware did not provide Source, I had to find the corresponding Class contrast. Reverse compiles to get two class LicenseManager.java and license.java. By analyzing, the function loadingLicense () is called to load the license file. Find the following code in LoadLicense: String S1 = StringUTils.DecodeBase64 (StringBuffer.tostring ()); license = license.fromxml (S1); thus determined Java.License is an XML file encoded through the base64.

At the same time, the license content decrypted in the license class is as follows: 3 Jive Forums Basic Evaluation 2.1 1 2001/11/01 2001/10/13 302d02145a27545abb3c89bbc34a3900476dfd3fd9495047021500831024fca34dea1d8c05aa8aa1b1a9804bda23a5 we just seem to modify the contents of is able to obtain a Commercial License. Is it really so simple? Continue to look down. After analyzing licensemanager.validate (License), finding the Jivesoft used the DSA digital signature algorithm to ensure that License is not modified. fAINT ... static boolean validate (License license1) throws Exception {// generate public String s = "308201b ...... d06d854a"; byte abyte0 [] = StringUtils.decodeHex (s); X509EncodedKeySpec x509encodedkeyspec = new X509EncodedKeySpec (abyte0); KeyFactory keyfactory = KeyFactory.getInstance ( "DSA"); java.security.PublicKey publickey = keyfactory.generatePublic (x509encodedkeyspec); Signature signature = Signature.getInstance ( "DSA"); signature.initVerify (publickey); / / Update fingerprint, that is, all content in license (except for the last signature). Signature.Update (license1.getfingerprint ()); // Take a check, return false; return signal.verify (StringUtils.Decodeature ());} It can be seen, Jivesoftware passed The DSA algorithm generates a key pair, signed license with private key, generates Signagure, and is issued along with Jive.License. The key to the key pair in the program is also saved, and the API in java.security. * Is verified. If you want to make License you, you must get that private key, which is generally unlikely.