An author of a GDL object might want to sell it while also preventing buyers from sharing it with others. How is it done?
A GDL object cannot make HTTP requests and, to my knowledge, does not have access to any crypto libraries.
I have some ideas, but there may exist simpler solutions already:
The GDL author creates a C++ Add-On and sets up a license server. The sole purpose of the Add-On is to communicate with the license server, since the GDL object itself cannot make HTTP requests.
The flow:
- A GDL object is placed, and the Add-On gets notified through
ACAPI_Notify_CatchNewElement.
-
The Add-On queries the license server using:
- a unique ID for the GDL object (essentially a product ID)
- the Graphisoft user ID
The server responds with a signed license (for example containing expiry date etc.). The important part is that the license is signed with the license server’s private key (for example using RSA).
- The Add-On writes the license as a string parameter into the GDL object.
- The GDL object verifies the license signature internally using the public key of the license server, validates the contents of the license, and disables itself (for example by not drawing any geometry) if the signature or contents are invalid.
Since a GDL object can be password protected, a user would not be able to simply remove the license check from the script itself. And you cannot easily edit the GDL code outside of ArchiCAD either.
The problem is step 4.
How would you realistically verify RSA signatures inside a GDL object? It does not seem very feasible to implement RSA verification manually in GDL.
The simpler alternative would be to let the C++ Add-On perform the license validation and then simply write an is_valid parameter into the GDL object. However, that seems insecure because someone could create a fake Add-On that just writes is_valid = true without checking any license.
Operating system used: Windows
