# Decrypt enc_key = HKDF(...).derive(master_key + lic_id.encode()) raw = base64url_decode(payload_b64) nonce, ciphertext = raw[:12], raw[12:] claims_json = AESGCM(enc_key).decrypt(nonce, ciphertext, None) claims = json.loads(claims_json)
from cryptography.hazmat.primitives.kdf.hkdf import HKDF from cryptography.hazmat.primitives.ciphers.aead import AESGCM import nacl.signing def generate_license(claims: dict, product_master_key: bytes, signing_key: nacl.signing.SigningKey): # 1. JSON claims -> bytes claims_json = json.dumps(claims).encode('utf-8') modern csv license key
LIC-2026-001,eyJhbGciOiJFUzI1NiIsImVuYyI6IkEyNTZHQ00ifQ.eyJleHAiOjE5M..., 3f8a9b2c...,2 The payload column contains a JWE-like encrypted JSON object. After decryption, the JSON MUST have the following schema: # Decrypt enc_key = HKDF(
# 2. Derive per-license encryption key hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"license-v2") enc_key = hkdf.derive(product_master_key + claims['license_id'].encode()) "node_lock": "type": "machine_id
# 4. Sign payload signature = signing_key.sign(payload.encode()).signature sig_b64 = base64url_encode(signature)
# 3. Encrypt aesgcm = AESGCM(enc_key) nonce = os.urandom(12) ciphertext = aesgcm.encrypt(nonce, claims_json, None) payload = base64url_encode(nonce + ciphertext)
"version": "1.0", "issued_at": "2026-04-16T10:00:00Z", "expires_at": "2027-04-16T10:00:00Z", "features": ["PRO", "API_ACCESS", "AUDIT_LOG"], "seats": 5, "node_lock": "type": "machine_id, "licensee": "Acme Corp", "metadata": "sales_order": "SO-4421"