authorEndi S. Dewata <edewata@redhat.com>2017-04-07 19:45:10 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-04-11 18:05:26 +0200
commit9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 (patch)
tree2c94843b6dbceb9aa635625d0e0605cb799a1e6d /base/common/python
parent0c8aedd8a79841751005c531cf6cfbc08a4fd4dd (diff)
Added FIPS-compliant password generator.
A new function has been added to generate a random password that meets FIPS requirements for a strong password. This function is used to generate the NSS database password during installation. https://pagure.io/dogtagpki/issue/2556 Change-Id: I64dd36125ec968f6253f90835e6065325d720032
Diffstat (limited to 'base/common/python')
-rw-r--r--base/common/python/pki/__init__.py63
1 files changed, 63 insertions, 0 deletions
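--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -26,7 +26,9 @@ from __future__ import print_function
 from functools import wraps
 import os
+import random
 import re
+import string
 import sys
 import requests
@@ -124,6 +126,67 @@ def implementation_version():
 raise Exception('Missing implementation version.')
+def generate_password():
+ """
+ This function generates FIPS-compliant password.
+
+ See sftk_newPinCheck() in the following file:
+ https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c
+
+ The minimum password length is FIPS_MIN_PIN Unicode characters.
+
+ The password must contain at least 3 character classes:
+ * digits (string.digits)
+ * ASCII lowercase letters (string.ascii_lowercase)
+ * ASCII uppercase letters (string.ascii_uppercase)
+ * ASCII non-alphanumeric characters (string.punctuation)
+ * non-ASCII characters
+
+ If an ASCII uppercase letter is the first character of the password,
+ the uppercase letter is not counted toward its character class.
+
+ If a digit is the last character of the password, the digit is not
+ counted toward its character class.
+
+ The FIPS_MIN_PIN is defined in the following file:
+ https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h
+
+ #define FIPS_MIN_PIN 7
+ """
+
+ rnd = random.SystemRandom()
+
+ valid_chars = string.digits +\
+ string.ascii_lowercase +\
+ string.ascii_uppercase +\
+ string.punctuation
+
+ chars = []
+
+ # add 1 random char from each char class to meet
+ # the minimum number of char class requirement
+ chars.append(rnd.choice(string.digits))
+ chars.append(rnd.choice(string.ascii_lowercase))
+ chars.append(rnd.choice(string.ascii_uppercase))
+ chars.append(rnd.choice(string.punctuation))
+
+ # add 6 additional random chars
+ chars.extend(rnd.choice(valid_chars) for i in range(6))
+
+ # randomize the char order
+ rnd.shuffle(chars)
+
+ # add 2 random chars at the beginning and the end
+ # to maintain the minimum number of char class
+ chars.insert(0, rnd.choice(valid_chars))
+ chars.append(rnd.choice(valid_chars))
+
+ # final password is 12 chars
+ password = ''.join(chars)
+
+ return password
+
+
 # pylint: disable=R0903
 class Attribute(object):
 """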
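Review bot: The `valid_chars` alphabet in generate_password includes all of `string.punctuation`, so the returned password can contain single and double quotes, backslash, `$`, backtick, `#` and `;`; since the commit message says the value becomes the NSS database password during installation, the docstring should state this explicitly so that callers hand it to tools through a password file or an argv list and never interpolate it into a shell string or an unquoted config line. A suitable addition at the end of the docstring is `The password may contain any character of string.punctuation, including quotes, backslash and shell metacharacters; pass it to external tools via a file or an argument list, not via shell interpolation.` Using `random.SystemRandom()` is the right source for a secret, and shuffling the ten class-bearing characters before padding both ends correctly keeps the class representatives out of the first and last positions, where sftk_newPinCheck() would not count them. As a style point, the unused loop variable in `chars.extend(rnd.choice(valid_chars) for i in range(6))` reads better as `for _ in range(6)`, and the backslash continuations building `valid_chars` could be replaced by a parenthesised expression.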