From 17a1de8d2dbe959fbc0d079ea9186c096cf1ea43 Mon Sep 17 00:00:00 2001 From: Geoffrey Alexander Date: Mon, 20 Mar 2023 15:47:09 -0700 Subject: [PATCH] Apply string obfuscation to license and provisioning strings String obfuscation hides string literals from static analysis but requires string literals be used inside protected functions. - Enable string obfuscation for all function groups. - Change some global `std::string` to `const char[]` to ensure that the `std::string` is constructed inside a protected function so that string obfuscation correctly applies to the string literal. Bug: 270566889 Merged from https://widevine-internal-review.googlesource.com/168485 Merge conflicts were caused by formating changes. Resolved by taking the newer version. Merged from https://widevine-internal-review.googlesource.com/169511 Change-Id: Ie7f3e94f89671a34e4792efa174f96a17d713f9e
---
 .../cdm/core/src/certificate_provisioning.cpp | 27 ++++++++++---------
 .../cdm/core/src/system_id_extractor.cpp | 2 +-
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
index 4f1df07f..256f7b99 100644
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -23,18 +23,19 @@ const std::string kEmptyString;
 // URL for Google Provisioning Server.
 // The provisioning server supplies the certificate that is needed
 // to communicate with the License Server.
-const std::string kProvisioningServerUrl =
+const char kProvisioningServerUrl[] =
 "https://www.googleapis.com/"
 "certificateprovisioning/v1/devicecertificates/create"
 "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+
 // In case of provisioning 4, the default url is used as a way to inform app of
 // the current provisioning stage. In the first stage, this suffix is appended
 // to kProvisioningServerUrl; in the second stage, there is no change to
 // kProvisioningServerUrl.
-const std::string kProv40FirstStageServerUrlSuffix = "&preProvisioning=true";
+const char kProv40FirstStageServerUrlSuffix[] = "&preProvisioning=true";
 // NOTE: Provider ID = widevine.com
-const std::string kCpProductionServiceCertificate = wvutil::a2bs_hex(
+const char kCpProductionServiceCertificate[] =
 "0ab9020803121051434fe2a44c763bcc2c826a2d6ef9a718f7d793d005228e02"
 "3082010a02820101009e27088659dbd9126bc6ed594caf652b0eaab82abb9862"
 "ada1ee6d2cb5247e94b28973fef5a3e11b57d0b0872c930f351b5694354a8c77"
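Review bot: `kCpProductionServiceCertificate` is now the hex encoding of the certificate rather than the decoded bytes, but nothing at the definition says so; with all three constants sharing the type `const char[]`, the declaration no longer tells a reader which of them must go through `wvutil::a2bs_hex()` before use. I would extend the existing comment to `// NOTE: Provider ID = widevine.com. Hex-encoded; decode with wvutil::a2bs_hex() before passing to ServiceCertificate::Init().` It is also worth a one-line comment on `kProvisioningServerUrl` that it must be wrapped in `std::string(...)` before being concatenated, as the call site in GetProvisioning40RequestInternal does, since `+` on two arrays does not compile. Any other uses of these constants are outside the hunk.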
@@ -56,12 +57,12 @@ const std::string kCpProductionServiceCertificate = wvutil::a2bs_hex(
 "76e6f76e2751fbefb669f05703cec8c64cf7a62908d5fb870375eb0cc96c508e"
 "26e0c050f3fd3ebe68cef9903ef6405b25fc6e31f93559fcff05657662b3653a"
 "8598ed5751b38694419242a875d9e00d5a5832933024b934859ec8be78adccbb"
- "1ec7127ae9afeef9c5cd2e15bd3048e8ce652f7d8c5d595a0323238c598a28");
+ "1ec7127ae9afeef9c5cd2e15bd3048e8ce652f7d8c5d595a0323238c598a28";
 // Used in provisioning 4 client identification name value pairs.
-const std::string kKeyAppParameterSpoid = "spoid";
-const std::string kKeyAppParameterProviderId = "provider_id";
-const std::string kKeyAppParameterStableId = "stable_id";
+const char kKeyAppParameterSpoid[] = "spoid";
+const char kKeyAppParameterProviderId[] = "provider_id";
+const char kKeyAppParameterStableId[] = "stable_id";
 // Retrieves |stored_oem_cert| from |file_handle|, and load the OEM private key
 // to |crypto_session|. Returns true if all operations are successful.
@@ -109,9 +110,10 @@ void CertificateProvisioning::GetProvisioningServerUrl(
 CdmResponseType CertificateProvisioning::Init(
 const std::string& service_certificate) {
- const std::string certificate = service_certificate.empty()
- ? kCpProductionServiceCertificate
- : service_certificate;
+ const std::string certificate =
+ service_certificate.empty()
+ ? wvutil::a2bs_hex(kCpProductionServiceCertificate)
+ : service_certificate;
 return service_certificate_->Init(certificate);
 }
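Review bot: `Init` now decodes `kCpProductionServiceCertificate` with `wvutil::a2bs_hex()` at each call, and `GetProvisioning40RequestInternal` in the following hunk repeats the identical call, so the hex-to-bytes step lives in two places that must be kept in sync. A file-local helper such as `static std::string ProductionServiceCertificate() { return wvutil::a2bs_hex(kCpProductionServiceCertificate); }` would keep the decode, and the literal it touches, in a single protected function while preserving the commit's intent. Whether `a2bs_hex` reports malformed input is not visible here; since the literal is fixed at compile time, a debug-only assertion in that helper that the decoded string is non-empty would catch an accidental edit of the hex. The first hunk on this line is the tail of the constant's definition, whose start is outside the hunk.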
@@ -360,13 +362,14 @@ CdmResponseType CertificateProvisioning::GetProvisioning40RequestInternal(
 if (stored_oem_cert.empty()) {
 // This is the first stage provisioning.
- default_url->assign(kProvisioningServerUrl +
+ default_url->assign(std::string(kProvisioningServerUrl) +
 kProv40FirstStageServerUrlSuffix);
 // First-stage provisioning always uses the WV production service cert for
 // encryption.
 ServiceCertificate wv_service_cert;
- status = wv_service_cert.Init(kCpProductionServiceCertificate);
+ status = wv_service_cert.Init(
+ wvutil::a2bs_hex(kCpProductionServiceCertificate));
 if (status != NO_ERROR) return status;
 // Since |stored_oem_cert| is empty, the client identification token will be
diff --git a/libwvdrmengine/cdm/core/src/system_id_extractor.cpp b/libwvdrmengine/cdm/core/src/system_id_extractor.cpp
index 4ca2c639..edfdd3f0 100644
--- a/libwvdrmengine/cdm/core/src/system_id_extractor.cpp
+++ b/libwvdrmengine/cdm/core/src/system_id_extractor.cpp
@@ -19,7 +19,7 @@ constexpr size_t kKeyboxSystemIdOffset = 4;
 // system ID (0 = leaf/device cert, 1 = intermediate/device family cert).
 constexpr size_t kOemCertSystemIdIndex = 1;
 // OID of X.509 certificate extension containing the Widevine system ID.
-const std::string kWidevineSystemIdExtensionOid = "1.3.6.1.4.1.11129.4.1.1";
+const char kWidevineSystemIdExtensionOid[] = "1.3.6.1.4.1.11129.4.1.1";
 constexpr size_t kSystemIdLength = sizeof(uint32_t);
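Review bot: `default_url->assign(std::string(kProvisioningServerUrl) + kProv40FirstStageServerUrlSuffix)` materialises two temporaries to build a fixed URL; `default_url->assign(kProvisioningServerUrl).append(kProv40FirstStageServerUrlSuffix);` yields the same string without the intermediate copy and still constructs from the literals inside this function, which is what the commit is after. Whether the obfuscation pass treats an `append` of a literal the same way as the `std::string` constructor is not something I can confirm from here. The enclosing `GetProvisioning40RequestInternal` starts and ends outside the hunk.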
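Review bot: Turning `kWidevineSystemIdExtensionOid` into `const char[]` changes what `==` means at any use site that compares it with another C string: `std::string == const char*` still compares contents, but `const char* == const char*` compiles silently as a pointer comparison and will never match an OID decoded from a certificate. The uses of this constant are outside the hunk, so each one should be checked to compare against a `std::string`, or wrap the constant, e.g. `if (extension_oid == std::string(kWidevineSystemIdExtensionOid))`. Likewise any `sizeof(kWidevineSystemIdExtensionOid)` now counts the terminating NUL, where `.size()` on the old `std::string` did not.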