epcim of DevOps
8/17/2017 - 4:04 PM

Jenkins password hashing & encoding


import bcrypt
import math
import re
import sys
import base64
from hashlib import sha256
from Crypto.Cipher import AES

# Marker string expected inside correctly decrypted data. encode_password()
# appends it to the password before encrypting; encode_password() and
# decode_password() both check for it after decrypting, so a failed check
# means decryption did not yield the expected plaintext.
MAGIC = "::::MAGIC::::"


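def hash_password(password):
    """Return a bcrypt hash of ``password`` using the ``2a`` salt prefix.

    Text input is encoded as UTF-8 before hashing, because ``bcrypt.hashpw``
    operates on bytes; byte strings are hashed as given. Any other type
    (for example ``None``) yields ``None``, as the original did, so callers
    must check the result before writing it into a configuration file.

    A fresh random salt is generated on every call, so hashing the same
    password twice gives different outputs. Verify a candidate password with
    ``bcrypt.checkpw`` rather than by comparing two hashes.
    """
    # type(u"") is ``unicode`` on Python 2 and ``str`` on Python 3, so this
    # covers text on both without naming either type directly.
    text_type = type(u"")
    if isinstance(password, text_type):
        password = password.encode("utf-8")
    if not isinstance(password, bytes):
        return None
    # NOTE(review): the "2a" prefix is presumably chosen to match what the
    # consuming Jenkins bcrypt implementation accepts - confirm.
    # NOTE: the bcrypt algorithm only processes the first 72 bytes of input;
    # longer passwords add no strength beyond that point.
    return bcrypt.hashpw(password, bcrypt.gensalt(prefix=b"2a"))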


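def encode_password(password):
    """Encrypt ``password`` with the Jenkins secret key and base64-encode it.

    The key material is read from two files named on the command line:
    ``sys.argv[1]`` is the master key and ``sys.argv[2]`` is the encrypted
    secret key. The master key is hashed with SHA-256 and truncated to 16
    bytes, that value decrypts the secret-key file (AES-ECB), and the first
    16 bytes of the result become the key used to encrypt
    ``password + MAGIC``.

    Security notes for operators:
      * Anyone who can read both key files can decrypt every secret produced
        in this format, so treat those files like credentials (restrictive
        file permissions, no copies in backups or CI logs).
      * AES-ECB carries no IV and no integrity check: equal plaintexts give
        equal ciphertexts and tampering is not detected by the cipher itself.
      * NOTE(review): newer Jenkins releases store secrets in a different
        format; confirm that the target instance still accepts this one.

    Args:
        password: the cleartext secret, as text (encoded as UTF-8) or bytes.

    Returns:
        The base64 encoding of the ciphertext, newline-terminated.

    Raises:
        AssertionError: if the decrypted secret-key file does not contain
            ``MAGIC``, i.e. the two key files do not belong together.
    """
    # Read both files as bytes and close them promptly; sha256() and AES need
    # bytes, and the originals were left open until garbage collection.
    with open(sys.argv[1], 'rb') as handle:
        master_key = handle.read()
    with open(sys.argv[2], 'rb') as handle:
        hudson_secret_key = handle.read()

    magic = MAGIC.encode("ascii")
    if not isinstance(password, bytes):
        password = password.encode("utf-8")

    hashed_master_key = sha256(master_key).digest()[:16]
    unwrapped = AES.new(hashed_master_key, AES.MODE_ECB).decrypt(hudson_secret_key)
    # Raised explicitly (instead of ``assert``) so the check is not stripped
    # when Python runs with -O; the exception type is unchanged for callers.
    if magic not in unwrapped:
        raise AssertionError("decrypted secret key does not contain MAGIC")

    # Drop the trailing 16 bytes, then keep the first 16 as the AES key.
    k = unwrapped[:-16][:16]

    # PKCS#7 padding: N bytes of value N, and a full extra block when the
    # plaintext is already block-aligned. The previous constant pad byte 11
    # was only valid padding when exactly 11 pad bytes were needed.
    # NOTE(review): this assumes the consumer decrypts with PKCS#5/PKCS#7
    # padding (the default for Java's plain "AES" transformation) - confirm.
    plaintext = password + magic
    pad_len = 16 - len(plaintext) % 16
    padding = bytes(bytearray([pad_len]) * pad_len)

    ciphertext = AES.new(k, AES.MODE_ECB).encrypt(plaintext + padding)
    # base64.encodestring was removed in Python 3.9; encodebytes is the same
    # function under its current name.
    encode = getattr(base64, "encodebytes", None) or base64.encodestring
    return encode(ciphertext)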


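def decode_password(encoded_password):
    """Decrypt a base64-encoded Jenkins secret and return the cleartext.

    The key material is read from two files named on the command line:
    ``sys.argv[1]`` is the master key and ``sys.argv[2]`` is the encrypted
    secret key. The master key is hashed with SHA-256 and truncated to 16
    bytes, that value decrypts the secret-key file (AES-ECB), and the first
    16 bytes of the result decrypt ``encoded_password``.

    Security notes for operators:
      * The return value is a cleartext credential: do not log it, echo it
        into CI output, or leave it in shell history.
      * Being able to run this function at all means both key files are
        readable; audit who has that access, because it is equivalent to
        access to every secret stored in this format.

    Args:
        encoded_password: base64 text or bytes of the AES-ECB ciphertext.

    Returns:
        The bytes that precede the last ``MAGIC`` marker in the decrypted
        data, which is the cleartext password.

    Raises:
        AssertionError: if ``MAGIC`` is missing from the decrypted secret key
            or from the decrypted password, i.e. the wrong key files were
            supplied or the input is not a secret in this format.
    """
    # Read both files as bytes and close them promptly; sha256() and AES need
    # bytes, and the originals were left open until garbage collection.
    with open(sys.argv[1], 'rb') as handle:
        master_key = handle.read()
    with open(sys.argv[2], 'rb') as handle:
        hudson_secret_key = handle.read()

    magic = MAGIC.encode("ascii")
    if not isinstance(encoded_password, bytes):
        encoded_password = encoded_password.encode("ascii")

    hashed_master_key = sha256(master_key).digest()[:16]
    unwrapped = AES.new(hashed_master_key, AES.MODE_ECB).decrypt(hudson_secret_key)
    # Raised explicitly (instead of ``assert``) so the check is not stripped
    # when Python runs with -O; the exception type is unchanged for callers.
    if magic not in unwrapped:
        raise AssertionError("decrypted secret key does not contain MAGIC")

    # Drop the trailing 16 bytes, then keep the first 16 as the AES key.
    k = unwrapped[:-16][:16]

    # base64.decodestring was removed in Python 3.9; decodebytes is the same
    # function under its current name.
    decode = getattr(base64, "decodebytes", None) or base64.decodestring
    ciphertext = decode(encoded_password)

    decrypted = AES.new(k, AES.MODE_ECB).decrypt(ciphertext)
    if magic not in decrypted:
        raise AssertionError("decrypted password does not contain MAGIC")

    # Everything before the last marker is the password. The earlier regex
    # '(.*)' + MAGIC stopped at newlines, so a password containing one was
    # returned truncated; rpartition keeps it whole and ignores the padding
    # bytes that follow the marker.
    return decrypted.rpartition(magic)[0]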