Jenkins Decrypt API Token

Question

I'm using Jenkins with DC/OS (Mesos) and the service doesn't have a standard login but instead uses Mesos/Zookeeper for authentication. I'm can access JENKINS_HOME and have the config files for each user. I see the config.xml and also see the secret.key. I found this code:

https://github.com/abrindeyev/jenkins-helpers/blob/master/bin/get_api_token.rb

whose purpose is to decode the Jenkins API Token from the config. However, when I run this I get the following error:

/root/decrypt_api.rb:28:in `final': wrong final block length (OpenSSL::Cipher::CipherError)
from /root/decrypt_api.rb:28:in `decrypt'
from /root/decrypt_api.rb:35:in `<main>'

Here's an example Token and Key (from a Docker Jenkins test container):

Cipher in config.xml:

<jenkins.security.ApiTokenProperty>
<apiToken>{AQAAABAAAAAwrkIhJkGOx+QkqgJ/Ep8NhecxeWcqAs78RI9v5kr8y1FSCJBA4YFHrneQGxmetsj3/xSywFRXItIbtuCufWR6ng==}</apiToken>
</jenkins.security.ApiTokenProperty>

Secret Key:

bdafc86eae946c35ca57d3af02a82b733741d59e1eca44e0a3f7ef0b8f25f8e6

How can I decode the Token with the cipher and the key?

Answer 1

You can decode Jenkins token by going to Script Console in your master node (or go to /script), then run the following command:

println(hudson.util.Secret.decrypt("{XXX=}"))

^{Note: Replace {XXX=} with your token string.}

---

To decrypt it without using Jenkins, checkout these scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.

---

Related:

• Extract passphrase from Jenkins' credentials.xml
• What password encryption Jenkins is using?
• How to decrypt Jenkins passwords from credentials.xml?

Answer 2

go to http://jenkins-host/script

hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)

it should decrypt your token