From 512aba8b1dacae25e3ad74d990fa9fd1e2f6ac65 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Tue, 5 Aug 2025 00:20:21 +0200
Subject: [PATCH] param_source: use random.SystemRandom as random nr source
Python's random module uses a PRNG (Mersenne Twister) which is utterly insecure for key generation - it was so far only used for testing. Replace it with random.SystemRandom(), which draws from /dev/urandom and is suitable for generating cryptographic key material.
Change-Id: I6de38c14ac6dd55bc84d53974192509c18d02bfa
Jenkins: skip-card-test
---
 pySim/esim/saip/param_source.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pySim/esim/saip/param_source.py b/pySim/esim/saip/param_source.py
index 04a44fed..d3c98a6c 100644
--- a/pySim/esim/saip/param_source.py
+++ b/pySim/esim/saip/param_source.py
@@ -124,7 +124,7 @@ class DecimalRangeSource(InputExpandingParamSource):
 return "%0*d" % (self.num_digits, val) # pylint: disable=consider-using-f-string
 class RandomSourceMixin:
- random_impl = random # TODO secure random source?
+ random_impl = random.SystemRandom()
 class RandomDigitSource(DecimalRangeSource, RandomSourceMixin):
 """return a different sequence of random decimal digits each"""
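Review bot: The new `random_impl = random.SystemRandom()` line in `RandomSourceMixin` carries no comment saying why the source must be a CSPRNG, and it drops the old TODO, so the requirement now lives only in the commit message. Because `random_impl` is a plain class attribute, a subclass or test can rebind it to the seedable `random` module with nothing on the line to warn against it; I would add `# CSPRNG backed by os.urandom(): values drawn here may become key material, never rebind to the seedable random module` above the assignment. `SystemRandom.seed()` is a no-op and `getstate()`/`setstate()` raise `NotImplementedError`, so any caller that seeded `random_impl` for reproducible output (none is visible in this hunk) should be checked. The bodies of `RandomSourceMixin` and `RandomDigitSource` continue outside the hunk.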