[PATCH] Use secrets and fall back to random.SystemRandom for keys

Daniel Axtens dja at axtens.net
Thu Oct 10 09:30:50 AEDT 2019


Hi Jeremy,

> The random module uses the Mersenne Twister pseudorandom number
> generator and is not a cryptographically secure random number
> generator[0]. The secrets[1] module is intended for generating
> cryptographically strong random numbers, so recommend using that to
> generate the secret key. It's new in Python 3, so if it's unavailable
> fall back to using the ``os.urandom()`` backed implementation of random.
>
> [0] https://docs.python.org/3/library/random.html
> [1] https://docs.python.org/3/library/secrets.html
>

Thanks for your patch.

I agree that correctly generated randomness is the right way to go.

Do you think we need to advise existing implementations to roll their
secret? My feeling is that given the way the twister has been seeded
since Python 2.4 (os.urandom if available), existing installations are
probably OK, but I'd be interested in your take.

> Signed-off-by: Jeremy Cline <jcline at redhat.com>
> ---
>  docs/deployment/installation.rst                     | 10 ++++++++--
>  patchwork/settings/production.example.py             | 12 +++++++++---
>  ...andom.SystemRandom-for-keys-9ceb496919a1bb6f.yaml |  5 +++++
>  3 files changed, 22 insertions(+), 5 deletions(-)
>  create mode 100644 releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml
>
> diff --git a/docs/deployment/installation.rst b/docs/deployment/installation.rst
> index d422573..f477a11 100644
> --- a/docs/deployment/installation.rst
> +++ b/docs/deployment/installation.rst
> @@ -254,9 +254,15 @@ This should be a random value and kept secret. You can generate and a value for
>  
>  .. code-block:: python
>  
> -   import string, random
> +   import string
> +   try:
> +       import secrets
> +   except ImportError:  # Python < 3.6
> +       import random
> +       secrets = random.SystemRandom()

We're dropping Python 2 soon, not in the next version coming out Real
Soon Now, but in the version after that. Would it be worth holding this
patch until then so that we can avoid this messy try:import? I have a
topic branch for this and I'd be happy to include this patch in it.

> +
>     chars = string.ascii_letters + string.digits + string.punctuation
> -   print(repr("".join([random.choice(chars) for i in range(0,50)])))
> +   print("".join([secrets.choice(chars) for i in range(50)]))
>  
>  Once again, store this in ``production.py``.

Regards,
Daniel

>  
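Review bot: dropping repr() in the print at the end of this hunk makes the output less safe to paste: the alphabet includes string.punctuation, so the generated key can contain ', " and \, which repr() escaped into a valid Python literal, and the very next line tells the reader to store the value in production.py. Suggest keeping `print(repr("".join([secrets.choice(chars) for i in range(50)])))`, or adding a sentence that the key must be quoted and escaped. The try/except fallback to random.SystemRandom() is correct (choice() has the same signature on both objects and SystemRandom is os.urandom-backed), but it can be simplified to a plain `import secrets` once Python 2 support is gone.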
> diff --git a/patchwork/settings/production.example.py b/patchwork/settings/production.example.py
> index c6aa2f2..8058537 100644
> --- a/patchwork/settings/production.example.py
> +++ b/patchwork/settings/production.example.py
> @@ -21,9 +21,15 @@ from .base import *  # noqa
>  # You'll need to replace this to a random string. The following python code can
>  # be used to generate a secret key:
>  #
> -#      import string, random
> -#      chars = string.letters + string.digits + string.punctuation
> -#      print repr("".join([random.choice(chars) for i in range(0,50)]))
> +#      import string
> +#      try:
> +#          import secrets
> +#      except ImportError:  # Python < 3.6
> +#          import random
> +#          secrets = random.SystemRandom()
> +#
> +#      chars = string.ascii_letters + string.digits + string.punctuation
> +#      print("".join([secrets.choice(chars) for i in range(50)]))
>  
>  SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
>  
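Review bot: this comment block now repeats the generator recipe from docs/deployment/installation.rst verbatim, and two copies will drift; the old comment had already diverged from the docs (string.letters and a Python 2 print statement). Suggest replacing the code in the comment with a pointer to the installation docs, or if it stays, restoring repr() for the same quoting reason as in the docs hunk so the printed value can be dropped straight into this file. While the comment is being touched, "replace this to a random string" should read "replace this with a random string".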
> diff --git a/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml b/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml
> new file mode 100644
> index 0000000..7b101cb
> --- /dev/null
> +++ b/releasenotes/notes/use-secrets-and-fall-back-to-random.SystemRandom-for-keys-9ceb496919a1bb6f.yaml
> @@ -0,0 +1,5 @@
> +---
> +security:
> +  - |
> +    Change the recommended method for generating the Django secret key to use a
> +    cryptographically secure random number generator.
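Review bot: a release note under "security" will be read as "do I need to act?", and this one does not say whether keys generated with the previous recipe should be regenerated. Suggest adding a sentence that states the position either way (rotation recommended, or existing keys unaffected and why), and mentioning the random.SystemRandom fallback for interpreters without the secrets module, since that is half of what the patch title promises.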
> -- 
> 2.21.0
>
> _______________________________________________
> Patchwork mailing list
> Patchwork at lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/patchwork
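As an added illustration (not Patchwork's code and not part of the patch above), the following script generates a key the way the patch recommends, with the same alphabet and length, falls back to random.SystemRandom where the secrets module is missing, reports the entropy of the result, and renders it with repr() so it can be pasted into production.py without hand-escaping quotes. The function names and the is_well_formed sanity check are this example's own.

```python
"""Added example, not Patchwork's code: generate a Django SECRET_KEY from the
operating system CSPRNG, estimate its entropy and print it as a Python literal."""
import math
import string

try:
    import secrets            # Python >= 3.6: CSPRNG-backed helpers
except ImportError:           # older interpreters: os.urandom-backed RNG instead
    import random
    secrets = random.SystemRandom()

# Same alphabet as the patch: 52 letters + 10 digits + 32 punctuation = 94 symbols.
KEY_ALPHABET = string.ascii_letters + string.digits + string.punctuation
KEY_LENGTH = 50


def generate_secret_key(length=KEY_LENGTH, alphabet=KEY_ALPHABET):
    """Return `length` characters drawn uniformly from `alphabet` using
    secrets.choice (never random.choice, which is Mersenne Twister based)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def key_entropy_bits(length=KEY_LENGTH, alphabet=KEY_ALPHABET):
    """Entropy of a uniformly drawn key: length * log2(|alphabet|)."""
    return length * math.log(len(alphabet), 2)


def as_python_literal(key):
    """Render the key as a Python string literal. string.punctuation contains
    the quote characters and the backslash, so repr() is what makes the value
    safe to paste into production.py verbatim."""
    return repr(key)


def is_well_formed(key, length=KEY_LENGTH, alphabet=KEY_ALPHABET):
    """Sanity check for a deployment script: right length and every
    character taken from the expected alphabet."""
    return len(key) == length and all(c in alphabet for c in key)


if __name__ == "__main__":
    key = generate_secret_key()
    print("SECRET_KEY = %s" % as_python_literal(key))
    print("# entropy: %.1f bits" % key_entropy_bits())
```

A 50-character key over this 94-symbol alphabet carries about 328 bits of entropy, far beyond what any realistic guessing attack can cover, so the quality of the generator, not the length, is the part worth getting right.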
