I've asp.net MVC website hosted within docker container. The site needs to read the certificates stored on cert:\currentuser\my and present it to the Azure AD for app authentication.
I've loaded the pfx certs on to docker as part of image build per below:
# Install cert, located at certs folder in the host machine, relative to the path of the Solution Dockerfile
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
WORKDIR C:\certs
COPY ./certs .\
RUN Get-ChildItem -File | Foreach { Import-PfxCertificate -Password (ConvertTo-SecureString -String "xyz1234" -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My -FilePath $_.fullname }
Then have this simple test aspx to read the cert by thumprint:
public X509Certificate2 FindCertificateByThumbprint(string findValue, bool validateCertificate)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint,
findValue, validateCertificate);
if (col == null || col.Count == 0)
return null;
return col[0];
}
finally
{
store.Close();
}
}
Note:
On non docker (local laptop), This works perfectly OK for web.
On docker container, console app can find the certificate but not web app.
I tried all these but no luck:
https://newbedev.com/how-to-grant-permission-to-user-on-certificate-private-key-using-powershell
How to Grant permission to user on Certificate private key using powershell?
https://www.codyhosterman.com/2019/06/assigning-read-access-to-windows-private-key/
Feels like I'm missing a step here but not sure what. Has anyone got
I'm testing for lto6 tar encrypted backup
I'm using one G only for the test
tar cMpf - --tape-length=1G --blocking-factor 4096 -X /etc/file.exclude /| openssl enc -e -aes256 -salt -pass file:unixpass -out /dev/st0
The first tape work fine
Ask me for second..I insert press return and...
display content of a file!
"<custom_item>type : SQL_POLICYdescription : "2.11 sqlnet.ora settings - 'Setting for the remote_os_authent parameter'""....
this for thousand of lines,like cat command
Using a file for testing it cat /opt/nessus...
opt/nessus/var/nessus/audits/audit_warehouse.audit01402604000014563
Solution found: must insert tape name,i though was automatic generated
I'm currently working on a project that must be a platform signed system app to be privileged to communicate on the I2C bus of a proprietary Android device.
The manifest contains android:sharedUserId="android.uid.system" and the resulting unsigned apk is signed, zipaligned and installed with this batch...
java -jar signapk.jar platform.x509.pem platform.pk8 unsigned.apk signed.apk
zipalign -f -v 4 signed.apk aligned.apk
adb install -rg aligned.apk
This works fine. However, I need to do extensive development running with this privilege requiring the debugger to be attached. I have tried using a custom Configuration that retains the debugger symbols while including the Mono runtime in the package only to find out that you cannot attach to an already running Android app from Xamarin.
Is there a way to create a keystore that is signed with the platform signature that I could put in ...\AppData\Local\Xamarin\Mono for Android\ to replace debug.keystore? The idea being that the debug build-deploy process would pick this up and I'd have the privileges I need AND have attachment to the debugger.
Any help much appreciated.
You can create a JKS keystore from a DER-encoded PKCS #8 private key and the corresponding PEM-encoded X.509 certificate as follows:
openssl pkcs8 -inform der -in platform.pk8 -nocrypt -out platform.key
openssl pkcs12 -export -in platform.x509.pem -inkey platform.key -out platform.p12
keytool -importkeystore \
-srckeystore platform.p12 -srcstoretype pkcs12 \
-destkeystore platform.keystore \
-deststorepass android -destkeypass android
shred -u platform.key platform.p12
For those following, after I performed the steps from Alex, I added this to the .csproj file to get Visual Studio to use it for this specific example.
<PropertyGroup Condition="'$(Configuration)' == 'Debug'">
<AndroidKeyStore>True</AndroidKeyStore>
<AndroidSigningKeyStore>(path)\platform.keystore</AndroidSigningKeyStore>
<AndroidSigningStorePass>android</AndroidSigningStorePass>
<AndroidSigningKeyAlias>1</AndroidSigningKeyAlias>
<AndroidSigningKeyPass>android</AndroidSigningKeyPass>
</PropertyGroup>
I am able to create a new node via the Jenkins web GUI and then have the node running in a container connect back to the Jenkins master via the name and -secret value
ex.
docker run jenkinsci/jnlp-slave -url http://jenkins-server:port <secret> <slave name>
Is there a way to programmatically create a Jenkins node and get the secret and slave name so I don't have to do it via the GUI?
Creating an agent programmatically
You can use the create-node CLI command to create new agents with a given configuration.
For example, given this minimal JNLP agent configuration in a file config.xml:
<slave>
<remoteFS>/opt/jenkins</remoteFS>
<numExecutors>2</numExecutors>
<launcher class="hudson.slaves.JNLPLauncher" />
</slave>
you can run the create-node command via the CLI client, or the SSH interface:
cat config.xml | java -jar jenkins-cli.jar -s https://jenkins/ create-node my-agent
Viewing agent configuration
To see what the XML configuration looks like for an existing agent, you can append config.xml to an agent URL, e.g. https://jenkins/computer/some-agent-name/config.xml, or you can use the get-node CLI command.
Fetching the per-agent secret programmatically
To fetch the secret hex value without using the Jenkins web UI, you can run a script via the groovy CLI command:
echo 'println jenkins.model.Jenkins.instance.nodesObject.getNode("my-agent")?.computer?.jnlpMac' \
| java -jar ~/Downloads/jenkins-cli.jar -s https://jenkins/ groovy =
This will return the secret value directly. Note that in order to use the groovy command via the SSH interface, you need Jenkins 2.46 or newer. In earlier versions, it only works via the CLI client.
You can also create an agent using the REST API. This is especially useful when having an apache proxy in front (see issue JENKINS47279) and no direct access to the jenkins otherwise (e.g. in a corporate network) where CLI will not work.
I recommend to create an API token for this purpose. Then you can do something like this
Linux (Bash)
export JENKINS_URL=https://jenkins.intra
export JENKINS_USER=papanito
export JENKINS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxx
export NODE_NAME=testnode
export JSON_OBJECT="{ 'name':+'${NODE_NAME}',+'nodeDescription':+'Linux+slave',+'numExecutors':+'5',+'remoteFS':+'/home/jenkins/agent',+'labelString':+'SLAVE-DOCKER+linux',+'mode':+'EXCLUSIVE',+'':+['hudson.slaves.JNLPLauncher',+'hudson.slaves.RetentionStrategy\$Always'],+'launcher':+{'stapler-class':+'hudson.slaves.JNLPLauncher',+'\$class':+'hudson.slaves.JNLPLauncher',+'workDirSettings':+{'disabled':+true,+'workDirPath':+'',+'internalDir':+'remoting',+'failIfWorkDirIsMissing':+false},+'tunnel':+'',+'vmargs':+'-Xmx1024m'},+'retentionStrategy':+{'stapler-class':+'hudson.slaves.RetentionStrategy\$Always',+'\$class':+'hudson.slaves.RetentionStrategy\$Always'},+'nodeProperties':+{'stapler-class-bag':+'true',+'hudson-slaves-EnvironmentVariablesNodeProperty':+{'env':+[{'key':+'JAVA_HOME',+'value':+'/docker-java-home'},+{'key':+'JENKINS_HOME',+'value':+'/home/jenkins'}]},+'hudson-tools-ToolLocationNodeProperty':+{'locations':+[{'key':+'hudson.plugins.git.GitTool\$DescriptorImpl#Default',+'home':+'/usr/bin/git'},+{'key':+'hudson.model.JDK\$DescriptorImpl#JAVA-8',+'home':+'/usr/bin/java'},+{'key':+'hudson.tasks.Maven\$MavenInstallation\$DescriptorImpl#MAVEN-3.5.2',+'home':+'/usr/bin/mvn'}]}}}"
curl -L -s -o /dev/null -v -k -w "%{http_code}" -u "${JENKINS_USER}:${JENKINS_API_TOKEN}" -H "Content-Type:application/x-www-form-urlencoded" -X POST -d "json=${JSON_OBJECT}" "${JENKINS_URL}/computer/doCreateItem?name=${NODE_NAME}&type=hudson.slaves.DumbSlave"
In order to get the agent secret via REST API checkout this, which would look something like this:
curl -L -s -u ${JENKINS_USER}:${JENKINS_API_TOKEN} -X GET ${JENKINS_URL}/computer/${NODE_NAME}/slave-agent.jnlp | sed "s/.*<application-desc main-class=\"hudson.remoting.jnlp.Main\"><argument>\([a-z0-9]*\).*/\1/"
Windows (PS)
And here my solution for Windows using Powershell:
$JENKINS_URL="https://jenkins.intra"
$JENKINS_USER="papanito"
$JENKINS_API_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxx"
$NODE_NAME="testnode-ps"
# https://stackoverflow.com/questions/27951561/use-invoke-webrequest-with-a-username-and-password-for-basic-authentication-on-t
$bytes = [System.Text.Encoding]::ASCII.GetBytes("${JENKINS_USER}:${JENKINS_API_TOKEN}")
$base64 = [System.Convert]::ToBase64String($bytes)
$basicAuthValue = "Basic $base64"
$headers = #{ Authorization = $basicAuthValue; }
$hash=#{
name="${NODE_NAME}";
nodeDescription="Linux slave";
numExecutors="5";
remoteFS="/home/jenkins/agent";
labelString="SLAVE-DOCKER linux";
mode="EXCLUSIVE";
""=#(
"hudson.slaves.JNLPLauncher";
'hudson.slaves.RetentionStrategy$Always'
);
launcher=#{
"stapler-class"="hudson.slaves.JNLPLauncher";
"\$class"="hudson.slaves.JNLPLauncher";
"workDirSettings"=#{
"disabled"="true";
"workDirPath"="";
"internalDir"="remoting";
"failIfWorkDirIsMissing"="false"
};
"tunnel"="";
"vmargs"="-Xmx1024m"
};
"retentionStrategy"=#{
"stapler-class"= 'hudson.slaves.RetentionStrategy$Always';
'$class'= 'hudson.slaves.RetentionStrategy$Always'
};
"nodeProperties"=#{
"stapler-class-bag"= "true";
"hudson-slaves-EnvironmentVariablesNodeProperty"=#{
"env"=#(
#{
"key"="JAVA_HOME";
"value"="/docker-java-home"
};
#{
"key"="JENKINS_HOME";
"value"="/home/jenkins"
}
)
};
"hudson-tools-ToolLocationNodeProperty"=#{
"locations"=#(
#{
"key"= 'hudson.plugins.git.GitTool$DescriptorImpl#Default';
"home"= "/usr/bin/git"
};
#{
"key"= 'hudson.model.JDK\$DescriptorImpl#JAVA-8';
"home"= "/usr/bin/java"
};
#{
"key"= 'hudson.tasks.Maven$MavenInstallation$DescriptorImpl#MAVEN-3.5.2';
"home"= "/usr/bin/mvn"
}
)
}
}
}
#https://stackoverflow.com/questions/17929494/powershell-convertto-json-with-embedded-hashtable
$JSON_OBJECT = $hash | convertto-json -Depth 5
$JSON_OBJECT
Invoke-WebRequest -Headers $headers -ContentType "application/x-www-form-urlencoded" -Method POST -Body "json=${JSON_OBJECT}" -Uri "${JENKINS_URL}/computer/doCreateItem?name=${NODE_NAME}&type=hudson.slaves.DumbSlave"
Just chiming in a bit late to the party here, but I would highly recommend looking at the Jenkins Client plugin instead. Once the plugin is installed, you need only to start the client JAR from the build node and give it the IP address of the master.
As far as the master goes, you don't need to bother configuring anything. Nodes that register with the master are available automatically to start executing jobs. This is much easier than any of the slave.jar-based approaches.
I developed a driver an with makecert, certmgr and signtool. I created a digital signature (for Win 7 64 bit) and sign it to the driver (.sys-File). In the settings of the sys-file I see that he has the digital-File which is also value.
In the mmc->certificates I see the creates signature under trusted certificates.
When I start the driver with sc start then come the error 577 that the digital signature cannot be checked.
What am I doing wrong?
I created the signature with the following command line statements:
makecert.exe -$ individual -r -pe -ss "my Certificates" -n CN="certmaker" "myfirstcert.cer"
certmgr.exe /add "myfirstcert.cer" /s /r localMachine root
SignTool.exe sign /v /s "my Certificates" /n "certmaker" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\Windows\System32\driversMyFirstDriver.sys"