I am wondering which conditions apply if I want to use an Open Source cryptographic library embedded in proprietary software.

The software will be proprietary and shall implement a digital signature verification. This verification may be implemented by means of an Open Source library.

The intent is to rely on an Open Source cryptographic library such as OpenSSL, LibreSSL, GnuTLS... which may fulfill this purpose of digital signature verification.

Is one of these libraries (or another one) permissive enough to let this digital signature verification be implemented without implying that the overall code and binary become Open Source, and without implying that the end user shall be notified of the cryptographic library being used? We won't be able to notify the end user of the license (embedded software).

philippe
  • 3
    "We won't be able to notify the end user of the license (embedded software)" That pretty much rules out all Open Source software; even the most permissive licenses (MIT, BSD2) require that kind of notification. However... if you're shipping them a device, you can ship them a piece of paper (or an SD card) with the notification on it. – Philip Kendall Jun 29 '22 at 20:39
  • 2
    Moving beyond that, you need to be more precise about the exact license(s) involved. Some (most notably GPL and friends) will require you to make the whole product open source, others (MIT, BSD, Apache) won't. – Philip Kendall Jun 29 '22 at 20:40
  • 1
    And generally it is easy: read the licenses and do what they want. They are often surprisingly short compared to proprietary EULAs and warranty disclaimers. – planetmaker Jun 30 '22 at 06:42
  • @PhilipKendall I think your second comment is largely the substance of the question, i.e., "does there exist any crypto library that can be linked to an application without requiring source disclosure?" (A good answer might say, yes, any software under a permissive license (or certain weak copyleft) would not require source disclosure, for example peer-reviewed crypto libraries X and Y have such licenses) – apsillers Jun 30 '22 at 23:26
  • @apsillers The OP asks "without implying that end user shall be notified of the cryptographic library being used" and this is not possible with most OSS licenses. – Martin_in_AUT Jul 01 '22 at 07:43
  • @apsillers I don't disagree but would like the poster to clarify their "cannot notify" requirement (or somebody to make an executive decision and remove that from the question) before writing an answer. – Philip Kendall Jul 01 '22 at 08:47

0 Answers