Cryptographic Signing of Licenses - Amazon License Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cryptographic Signing of Licenses

License Manager can cryptographically sign licenses issued by an ISV or through Amazon Web Services Marketplace on behalf of an ISV. Signing permits vendors to validate the integrity and origin of a license within the application itself, even in an offline environment.

To sign licenses, License Manager uses an asymmetric Amazon KMS key belonging to an ISV and protected in Amazon Key Management Service (Amazon KMS). This customer managed CMK consists of a mathematically related public key and private key pair. When a user requests a license, License Manager generates a JSON object listing the license entitlements and signs this object with the private key. The signature and the plaintext JSON object are returned to the user. Any party presented with these objects can use the public key to validate that the text of the license has not been altered and that the license was signed by the owner of the private key. The private part of the key pair never leaves Amazon KMS; the public part can be exported with the Amazon KMS GetPublicKey API operation and embedded in the application, which is what makes verification possible offline. The signature covers the exact bytes of the JSON object as returned, so an application must verify those bytes before parsing or re-serializing them. For more information about asymmetric cryptography in Amazon KMS, see Using symmetric and asymmetric keys.

Note

License Manager calls the Amazon KMS Sign and Verify API operations when signing and verifying licenses. The CMK must have a key usage value of SIGN_VERIFY for it to be used by these operations. This variety of CMK cannot be used for encryption and decryption.

The following workflow describes the issuance of cryptographically signed licenses:

  1. In the Amazon KMS console, API, or SDK, the license administrator creates an asymmetric customer managed CMK. The CMK must have a key usage of SIGN_VERIFY and must support the RSASSA-PSS SHA-256 signing algorithm (RSASSA_PSS_SHA_256). For more information, see Creating asymmetric CMKs and How to choose your CMK configuration.

  2. In License Manager, the license administrator creates a consumption configuration that includes an Amazon KMS ARN or ID. The configuration may specify either or both the Borrow and Provisional options. For more information, see Creating a block of seller issued licenses.

  3. An end-user obtains the license using the CheckoutLicense or CheckoutBorrowLicense API operation. The CheckoutBorrowLicense operation is allowed only on licenses with Borrow configured. It returns a digital signature as part of its response along with the JSON object listing entitlements. The plaintext JSON resembles the following:

    {
        "entitlementsAllowed": [
            {
                "name": "EntitlementCount",
                "unit": "Count",
                "value": "1"
            }
        ],
        "expiration": "2020-12-01T00:47:35",
        "issuedAt": "2020-11-30T23:47:35",
        "licenseArn": "arn:aws:license-manager::123456789012:license:l-6585590917ad46858328ff02dEXAMPLE",
        "licenseConsumptionToken": "306eb19afd354ba79c3687b9bEXAMPLE",
        "nodeId": "100.20.15.10",
        "checkoutMetadata": {
            "Mac": "ABCDEFGHI"
        }
    }
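The following Go program is an added example of the offline verification step an ISV application performs on the output of the workflow above; it is not License Manager or Amazon SDK code. It assumes the application has exported the public half of the signing CMK with the Amazon KMS GetPublicKey operation (DER-encoded SubjectPublicKeyInfo), that the signature was produced with the RSASSA_PSS_SHA_256 algorithm (SHA-256, salt length equal to the hash length, which is what Go's PSSSaltLengthEqualsHash selects), and that the zone-less timestamps in the entitlement JSON are UTC. Because the real private key never leaves Amazon KMS, the SignLocally function is a stand-in for the KMS Sign operation so the example can run without an Amazon Web Services account; the payload bytes are the JSON object from this page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License mirrors the plaintext JSON object returned by CheckoutLicense /
// CheckoutBorrowLicense, using the field names shown on this page.
type License struct {
	EntitlementsAllowed []struct {
		Name  string `json:"name"`
		Unit  string `json:"unit"`
		Value string `json:"value"`
	} `json:"entitlementsAllowed"`
	Expiration              string            `json:"expiration"`
	IssuedAt                string            `json:"issuedAt"`
	LicenseArn              string            `json:"licenseArn"`
	LicenseConsumptionToken string            `json:"licenseConsumptionToken"`
	NodeID                  string            `json:"nodeId"`
	CheckoutMetadata        map[string]string `json:"checkoutMetadata"`
}

// Timestamps on this page carry no zone designator; treating them as UTC is an assumption.
const tsLayout = "2006-01-02T15:04:05"

// pssOpts matches KMS RSASSA_PSS_SHA_256: SHA-256 with salt length equal to the hash length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// ParsePublicKey accepts the DER SubjectPublicKeyInfo that KMS GetPublicKey returns.
func ParsePublicKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("license signing key is not an RSA key")
	}
	return rsaPub, nil
}

// VerifyLicense checks the signature over the exact payload bytes first, then parses the
// JSON and requires now to lie in [issuedAt, expiration). Never re-serialize the JSON
// before verifying: any change in whitespace or key order invalidates the signature.
func VerifyLicense(pub *rsa.PublicKey, payload, sig []byte, now time.Time) (*License, error) {
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, fmt.Errorf("license signature invalid: %w", err)
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, fmt.Errorf("license payload is not valid JSON: %w", err)
	}
	issued, err := time.ParseInLocation(tsLayout, lic.IssuedAt, time.UTC)
	if err != nil {
		return nil, fmt.Errorf("bad issuedAt: %w", err)
	}
	exp, err := time.ParseInLocation(tsLayout, lic.Expiration, time.UTC)
	if err != nil {
		return nil, fmt.Errorf("bad expiration: %w", err)
	}
	if now.Before(issued) || !now.Before(exp) {
		return nil, fmt.Errorf("license not valid at %s (valid %s to %s)", now.UTC(), issued, exp)
	}
	return &lic, nil
}

// SignLocally stands in for the KMS Sign operation so the example runs offline.
// In production the private key never leaves KMS and the ISV calls KMS instead.
func SignLocally(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
}

// SamplePayload is the entitlement JSON from this page, as the exact bytes an application receives.
var SamplePayload = []byte(`{"entitlementsAllowed":[{"name":"EntitlementCount","unit":"Count","value":"1"}],"expiration":"2020-12-01T00:47:35","issuedAt":"2020-11-30T23:47:35","licenseArn":"arn:aws:license-manager::123456789012:license:l-6585590917ad46858328ff02dEXAMPLE","licenseConsumptionToken":"306eb19afd354ba79c3687b9bEXAMPLE","nodeId":"100.20.15.10","checkoutMetadata":{"Mac":"ABCDEFGHI"}}`)

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the KMS key pair
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pub, _ := ParsePublicKey(der)
	sig, _ := SignLocally(priv, SamplePayload)

	now := time.Date(2020, 11, 30, 23, 50, 0, 0, time.UTC)
	lic, err := VerifyLicense(pub, SamplePayload, sig, now)
	fmt.Println("genuine:", err, lic.EntitlementsAllowed[0].Value)

	tampered := bytes.Replace(SamplePayload, []byte(`"value":"1"`), []byte(`"value":"9"`), 1)
	_, err = VerifyLicense(pub, tampered, sig, now)
	fmt.Println("tampered:", err)

	_, err = VerifyLicense(pub, SamplePayload, sig, now.Add(48*time.Hour))
	fmt.Println("expired:", err)
}
```

The order in VerifyLicense is deliberate: the signature is checked over the raw bytes before anything is parsed, so a tampered entitlement count, a forward-dated expiration, or a payload signed by a different key is rejected before the application reads any field from it. An application that is online can instead call the Amazon KMS Verify operation with the same digest and signature; the offline path above is the one the page's "even in an offline environment" claim depends on.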