
I am using a test Jenkins 1.644 setup where I created a user called admin.

The web interface says the user API token is aa13769c03d0ef0618380ae6940b5e3a.

The user configuration file users/admin/config.xml contains the following.

<jenkins.security.ApiTokenProperty>
  <apiToken>JvzeeQeyI/p/93m3+Cmb1k0j+js7voeJSFbef77eBRy8ItQH5BJoIsYgXTelX7sC</apiToken>
</jenkins.security.ApiTokenProperty>

Would anyone know what encoding/decoding algorithm is used to go from one value to the other?

marcv81
  • It looks like it's HMAC-SHA384 (48 bytes) then Base64 encoded (64 bytes), but the secret key is unknown, so I can't reverse engineer it to be sure. Likely there is a value embedded in the program that is padded and concatenated onto the message during hashing, so in effect it's a hash only that software knows how to create. HMAC hashing is significantly more secure than traditional SHA as a result. https://en.wikipedia.org/wiki/Hash-based_message_authentication_code This site has some interesting converters: http://hash.online-convert.com/sha384-generator – Frank Thomas Jan 14 '16 at 05:08
  • Thanks for the guess that it might be a transformation to a 48-byte value which is then Base64 encoded. It makes sense with the characters used and the string length. However, there can be no hash in the process, as the operation is reversible (i.e. I can use the same config file on 2 different setups and Jenkins can work out the actual API token). – marcv81 Jan 14 '16 at 05:55
  • Having a look at the code, I think the API token is concatenated with ::::MAGIC:::: then AES-128 encrypted with a key I could not recover, but which is the same across all the Jenkins instances. – marcv81 Jan 14 '16 at 07:32
  • The Jenkins home directory contains a file called secret.key. That might be the secret key. – derfred Oct 29 '17 at 10:54
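
An added worked example (written for this page; not code from the question, its comments, or the Jenkins project) of the scheme the last two comments converge on: the stored plaintext is suffixed with ::::MAGIC::::, encrypted with AES-128, and Base64 encoded. Two details the comments leave out are assumptions here: ECB mode with PKCS#5 padding, and that the value the web UI shows is the MD5 hex digest of the decrypted plaintext (my reading of the legacy ApiTokenProperty code, not something the page states; it is why the displayed token is 32 hex characters). The example shows two things the comments only gesture at. First, the length arithmetic: a 32-character hex seed plus the 13-byte magic is 45 bytes, which pads to 48 bytes and encodes to 64 Base64 characters, exactly the size of the stored value, so no 48-byte hash is needed to explain it. Second, the magic suffix is what lets a decryptor tell a right key from a wrong one. The AES key is a random stand-in because the real key is not on the page, so the output cannot reproduce the page's values. Go is used because its standard library covers AES, MD5 and Base64 without extra dependencies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Marker the question's author reports seeing appended to the plaintext in the
// Jenkins source. Its presence after decryption doubles as a key check.
const magic = "::::MAGIC::::"

// pkcs5Pad appends PKCS#5 padding up to the next 16-byte boundary (assumed scheme).
func pkcs5Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips PKCS#5 padding, rejecting anything malformed.
func pkcs5Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// ecb applies a block-cipher primitive to each 16-byte block independently.
// ECB is an assumption about Jenkins; Go's standard library deliberately has no ECB helper.
func ecb(f func(dst, src []byte), buf []byte) []byte {
	out := make([]byte, len(buf))
	for i := 0; i < len(buf); i += aes.BlockSize {
		f(out[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return out
}

// EncryptSecret produces a config.xml-style value: Base64(AES-128-ECB(seed + magic)).
func EncryptSecret(key []byte, seed string) (string, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	ct := ecb(block.Encrypt, pkcs5Pad([]byte(seed+magic)))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptSecret reverses EncryptSecret. A wrong key surfaces as broken padding
// or a missing magic suffix instead of silently returned garbage.
func DecryptSecret(key []byte, encoded string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt, err := pkcs5Unpad(ecb(block.Decrypt, ct))
	if err != nil {
		return "", fmt.Errorf("wrong key? %v", err)
	}
	if !bytes.HasSuffix(pt, []byte(magic)) {
		return "", errors.New("wrong key? magic suffix missing")
	}
	return string(pt[:len(pt)-len(magic)]), nil
}

// DisplayedToken is what the web UI would show for a stored seed, under the
// assumption that the legacy code hashes the decrypted seed with MD5.
func DisplayedToken(seed string) string {
	sum := md5.Sum([]byte(seed))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Stand-in key and constructed seed (16 random bytes as hex, the shape
	// of a 32-character token); the real Jenkins key is not on the page.
	key, raw := make([]byte, 16), make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	seed := hex.EncodeToString(raw)
	enc, _ := EncryptSecret(key, seed)
	ct, _ := base64.StdEncoding.DecodeString(enc)
	fmt.Printf("seed      %s (%d chars)\n", seed, len(seed))
	fmt.Printf("stored    %s (%d bytes -> %d chars)\n", enc, len(ct), len(enc))
	fmt.Printf("displayed %s\n", DisplayedToken(seed))
	dec, err := DecryptSecret(key, enc)
	fmt.Printf("decrypted %s err=%v\n", dec, err)
	_, err = DecryptSecret(make([]byte, 16), enc)
	fmt.Printf("wrong key err=%v\n", err)
}
```

The functions take the key as a parameter rather than reading any file, because whether the key comes from secret.key as the last comment suggests is not settled on this page; whatever material is recovered from a Jenkins home can be plugged in and checked against the magic suffix. Note that ECB with no IV makes the stored value deterministic: the same seed under the same key always produces the same Base64 string, which is what makes the value portable between installations that share the key.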

0 Answers