Apply string obfuscation to license and provisioning strings

String obfuscation hides string literals from static analysis but requires string literals be used inside protected functions. - Enable string obfuscation for all function groups. - Change some global `std::string` to `const char[]` to ensure that the `std::string` is constructed inside a protected function so that string obfuscation correctly applies to the string literal. Bug: 270566889 Merged from https://widevine-internal-review.googlesource.com/168485 Merge conflicts were caused by formating changes. Resolved by taking the newer version. Merged from https://widevine-internal-review.googlesource.com/169511 Change-Id: Ie7f3e94f89671a34e4792efa174f96a17d713f9e
2023-03-20 15:47:09 -07:00
parent a28f8bcf19
commit 17a1de8d2d
2 changed files with 16 additions and 13 deletions
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -23,18 +23,19 @@ const std::string kEmptyString;
 // URL for Google Provisioning Server.
 // The provisioning server supplies the certificate that is needed
 // to communicate with the License Server.
-const std::string kProvisioningServerUrl =
+const char kProvisioningServerUrl[] =
    "https://www.googleapis.com/"
    "certificateprovisioning/v1/devicecertificates/create"
    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+
 // In case of provisioning 4, the default url is used as a way to inform app of
 // the current provisioning stage. In the first stage, this suffix is appended
 // to kProvisioningServerUrl; in the second stage, there is no change to
 // kProvisioningServerUrl.
-const std::string kProv40FirstStageServerUrlSuffix = "&preProvisioning=true";
+const char kProv40FirstStageServerUrlSuffix[] = "&preProvisioning=true";

 // NOTE: Provider ID = widevine.com
-const std::string kCpProductionServiceCertificate = wvutil::a2bs_hex(
+const char kCpProductionServiceCertificate[] =
    "0ab9020803121051434fe2a44c763bcc2c826a2d6ef9a718f7d793d005228e02"
    "3082010a02820101009e27088659dbd9126bc6ed594caf652b0eaab82abb9862"
    "ada1ee6d2cb5247e94b28973fef5a3e11b57d0b0872c930f351b5694354a8c77"
@@ -56,12 +57,12 @@ const std::string kCpProductionServiceCertificate = wvutil::a2bs_hex(
    "76e6f76e2751fbefb669f05703cec8c64cf7a62908d5fb870375eb0cc96c508e"
    "26e0c050f3fd3ebe68cef9903ef6405b25fc6e31f93559fcff05657662b3653a"
    "8598ed5751b38694419242a875d9e00d5a5832933024b934859ec8be78adccbb"
-    "1ec7127ae9afeef9c5cd2e15bd3048e8ce652f7d8c5d595a0323238c598a28");
+    "1ec7127ae9afeef9c5cd2e15bd3048e8ce652f7d8c5d595a0323238c598a28";

 // Used in provisioning 4 client identification name value pairs.
-const std::string kKeyAppParameterSpoid = "spoid";
-const std::string kKeyAppParameterProviderId = "provider_id";
-const std::string kKeyAppParameterStableId = "stable_id";
+const char kKeyAppParameterSpoid[] = "spoid";
+const char kKeyAppParameterProviderId[] = "provider_id";
+const char kKeyAppParameterStableId[] = "stable_id";

 // Retrieves |stored_oem_cert| from |file_handle|, and load the OEM private key
 // to |crypto_session|. Returns true if all operations are successful.
@@ -109,8 +110,9 @@ void CertificateProvisioning::GetProvisioningServerUrl(

 CdmResponseType CertificateProvisioning::Init(
    const std::string& service_certificate) {
-  const std::string certificate = service_certificate.empty()
-                                      ? kCpProductionServiceCertificate
+  const std::string certificate =
+      service_certificate.empty()
+          ? wvutil::a2bs_hex(kCpProductionServiceCertificate)
          : service_certificate;
  return service_certificate_->Init(certificate);
 }
@@ -360,13 +362,14 @@ CdmResponseType CertificateProvisioning::GetProvisioning40RequestInternal(

  if (stored_oem_cert.empty()) {
    // This is the first stage provisioning.
-    default_url->assign(kProvisioningServerUrl +
+    default_url->assign(std::string(kProvisioningServerUrl) +
                        kProv40FirstStageServerUrlSuffix);

    // First-stage provisioning always uses the WV production service cert for
    // encryption.
    ServiceCertificate wv_service_cert;
-    status = wv_service_cert.Init(kCpProductionServiceCertificate);
+    status = wv_service_cert.Init(
+        wvutil::a2bs_hex(kCpProductionServiceCertificate));
    if (status != NO_ERROR) return status;

    // Since |stored_oem_cert| is empty, the client identification token will be
--- a/libwvdrmengine/cdm/core/src/system_id_extractor.cpp
+++ b/libwvdrmengine/cdm/core/src/system_id_extractor.cpp
@@ -19,7 +19,7 @@ constexpr size_t kKeyboxSystemIdOffset = 4;
 // system ID (0 = leaf/device cert, 1 = intermediate/device family cert).
 constexpr size_t kOemCertSystemIdIndex = 1;
 // OID of X.509 certificate extension containing the Widevine system ID.
-const std::string kWidevineSystemIdExtensionOid = "1.3.6.1.4.1.11129.4.1.1";
+const char kWidevineSystemIdExtensionOid[] = "1.3.6.1.4.1.11129.4.1.1";

 constexpr size_t kSystemIdLength = sizeof(uint32_t);