Ensure we can transfer SecretBytes via remoting

jtnord · jtnord · commit 95622b39baec · 2026-02-01T12:20:37.000Z
If we tried to transfer SecretBytes via Remoting then the remote side would end up with the encrypted byte[] but not the key needed to decrypt the data. Sending the decryption key would be a bad thing, but we can send the data in plain text to the agent and then re-encrypt it with the remoting (agent) sides key. As generally the remoting side would not be a Jenkins the mock encryption key would be used in this case. Whilst the mock key is static, it is not expected that ian agent persists these SecretBytes. fixes: #1013
diff --git a/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java b/src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java
@@ -35,7 +35,9 @@
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Util;
+import hudson.remoting.Channel;
 import hudson.util.Secret;
+import java.io.ObjectStreamException;
 import java.io.Serializable;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
@@ -78,7 +80,8 @@ public class SecretBytes implements Serializable {
      */
     private static final Logger LOGGER = Logger.getLogger(SecretBytes.class.getName());
     /**
-     * The encrypted bytes.
+     * The (usually) encrypted bytes.
+     * Will be in plain text during remoting calls.
      */
     @NonNull
     private final byte[] value;
@@ -119,6 +122,14 @@ private SecretBytes(boolean encrypted, @NonNull byte[] value) {
         }
     }
 
+    /**
+     * Construct a SecretBytes with the specified value (that may or may not be encrypted) that is used raw without any transformation.
+     * @param value explicit value to use for the data.  No encryption or dencryption is performed on this value and it is used as is.
+     */
+    private SecretBytes(@NonNull byte[] value) {
+        this.value = value;
+    }
+
     /**
      * Returns the raw unencrypted data. The caller is responsible for zeroing out the returned {@code byte[]} after
      * use.
@@ -343,6 +354,23 @@ public static String toString(SecretBytes s) {
         return s == null ? "" : s.toString();
     }
 
+    protected Object writeReplace() throws ObjectStreamException {
+        if (Channel.current() == null) {
+            return this;
+        }
+        // we need plain text during remoting serialisation as the remote side will not have the confidential key
+        return new SecretBytes(this.getPlainData());
+    }
+
+    protected Object readResolve() throws ObjectStreamException {
+        if (Channel.current() == null) {
+            return this;
+        }
+        // re-encrypt the byte array after serialisation.
+        // The remote side may have its own confidential key (for Jenkins to Jenkins remoting, or will use the mock key for an agent)
+        return SecretBytes.fromRawBytes(value);
+    }
+
     /**
      * Our XStream converter.
      */
