nc_program_manager/Licensing/LicenseValidator.cs
dtrentin 4cd7715594 fix(robustness): null guard WMI reads, dispose SHA256, abort LSV2 timeout (ISS-001, ISS-005, ISS-006)
ISS-001: MachineFingerprint.GetFingerprint() — null-safe WMI property reads
  - processorID and SerialNumber accessed with ?. and ?? string.Empty
  - prevents NullReferenceException on machines with missing WMI properties

ISS-005: LicenseValidator.Validate() — SHA256CryptoServiceProvider in using block
  - disposed on all code paths (success and failure)

ISS-006: Lsv2Client.Connect() — close TcpClient on timeout
  - _tcp.Close() called when ConnectAsync.Wait() times out
  - aborts pending socket task instead of leaking thread-pool slot

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 23:00:08 +02:00

44 lines
1.7 KiB
C#

using System;
using System.Security.Cryptography;
using System.Text;
namespace NcProgramManager.Licensing
{
internal class LicenseValidator : ILicenseValidator
{
// Real vendor public key -- generated 2026-05-17 with LicenseGenerator keygen.
private const string PublicKeyXml = "<RSAKeyValue><Modulus>jym+FWWeMb4g2ijaPlMn427s36sdv0FkDp5mKX+wMYGgRSIwUoDnG6nVCj6Z9k25uDf7714BXbg0IaJ/C8KE5TMgqgqsWA9hT79CdJR1eADM5jwMCo43mIIMuDplzdlmgfaW/JwE7QsxzdpfpW1uxU5DVJzsV/RZaRabTK2nSsvzHclMvB+jIQ9VobwTAyYhrvF7nYLtSdGl4YvvZ1O2fzJudvrlCrl5nnRqfPZC+0YnEwcLW0BzWxMiH0UGR/Gz4h7L05OkEwiXYtO+vkslkxIA6jraU0qjoFfDCaZ6HajWZ8lphCpw00Nwa8nEvaiuCRqN/lVOm/9kHXFuAXtA/Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
private readonly string _publicKeyXml;
// Uses embedded vendor public key.
internal LicenseValidator() : this(PublicKeyXml) { }
// Accepts any public key XML — used in unit tests.
internal LicenseValidator(string publicKeyXml)
{
_publicKeyXml = publicKeyXml;
}
public bool Validate(string fingerprint, string licenseBase64)
{
try
{
byte[] signature = Convert.FromBase64String(licenseBase64);
byte[] data = Encoding.UTF8.GetBytes(fingerprint);
using (var rsa = new RSACryptoServiceProvider())
{
rsa.FromXmlString(_publicKeyXml);
using (var sha256 = new SHA256CryptoServiceProvider())
{
return rsa.VerifyData(data, sha256, signature);
}
}
}
catch
{
return false;
}
}
}
}