I've created a fake authentication server for Minecraft.
The reasons? Because I can do it and it is "safer" this way.
But let's start from the beginning...
Minecraft is a sandbox FPS/exploration/building game.
Almost endless possibilities in an almost endless world.
Written in Java ;)
Usually you get a client and you can play on dedicated servers.
But in Minecraft you can get and maintain a server as well!
I want to use the old client and server together without depending on the vendor.
So I need an authentication server for it (to stay in online mode).
Then I've found the API documentation of the auth server.
And I know the architecture!
An API documentation with:
This should be a piece of cake!
The endpoints are simple REST-JSON.
This makes the backend language obvious: Node.js (awesomely faaast)
The database will be MongoDB (future plan)
The server's endpoints are hard-coded.
The server uses a signed HTTPS connection.
A few packets are signed with a private key.
How to redirect the data from a valid domain to another?
Easy: put a new entry in the hosts file!
Works like a charm. :)
We can create a self-signed certificate only.
Java doesn't accept a self signed certificate. :(
I had to find a way to sign that certificate somehow,
but how can I sign a certificate for a domain, I don't own? :)
Fortunately, you don't have to sign it.
You can simply trust it!
Solution: download the certificate and add it as a trusted certificate (keychain).
A small Java program to download and store it is created.
There are a few endpoints which are signed with a private key.
Obviously, there is no way to obtain the private key.
Then how to sign it?!
Then I've found the public key in the jar file.
This should be easy now; I just have to replace the public key!
I want to create this server for the users, right?
Create a (relatively) easy-to-use tool, a Swiss army knife!
But in which language? We should use a cross platform language which is probably pre-installed on most machines.
We want to replace the private key. Which steps are required?
Unfortunately not :( I had to face with this:
So, during the repacking phase we have to calculate a new digest and replace it.
But still no... did we miss something?
Fortunately, Java doesn't mind if I skip "a few" files from the archive, e.g. the signatures.
However, I'm still not done yet.
I've found a public key in the server's jar and in a library too!
But the same replacement method worked everywhere. :)
What about a demo?