From 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 7 Apr 2017 19:45:10 +0200
Subject: Added FIPS-compliant password generator.
A new function has been added to generate a random password that meets FIPS requirements for a strong password. This function is used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
---
 base/server/python/pki/server/deployment/pkiparser.py | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
(limited to 'base/server/python')
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index e05e0be31..df04ff8f0 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -583,12 +583,6 @@ class PKIConfigParser:
 self.deployer.flatten_master_dict()
- # Generate random 'pin's for use as security database passwords
- # and add these to the "sensitive" key value pairs read in from
- # the configuration file
- pin_low = 100000000000
- pin_high = 999999999999
-
 instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
 instance.load()
@@ -604,11 +598,9 @@ class PKIConfigParser:
 # otherwise, generate a random password
 else:
- self.mdict['pki_pin'] = \
- random.randint(pin_low, pin_high)
+ self.mdict['pki_pin'] = pki.generate_password()
- self.mdict['pki_client_pin'] = \
- random.randint(pin_low, pin_high)
+ self.mdict['pki_client_pin'] = pki.generate_password()
 pkilogging.sensitive_parameters = \
 self.mdict['sensitive_parameters'].split()
-- cgit
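Review bot: In the second hunk, `self.mdict['pki_pin']` and `self.mdict['pki_client_pin']` stop being the `int` that `random.randint` returned and become whatever `pki.generate_password()` returns, presumably a `str` that may contain punctuation, and neither hunk shows the consumers of these values being adjusted. Code that writes them into password files or hands them to NSS tools should be checked for quoting and for any assumption that the value is numeric. The helper itself is outside this view (the page is limited to `base/server/python`), so confirm there that it draws from the OS CSPRNG, e.g. `random.SystemRandom()` or `secrets`, rather than the default `random` generator the removed lines used, and check whether `import random` is still needed in this file. The first hunk also deletes the only comment explaining these values, so I would keep one at the call site, such as `# generated NSS database passwords; keep them among the "sensitive" key-value pairs`. The enclosing method starts and ends outside both hunks.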