Commit

Use cryptographically secure generator for private keys (#118)

* Use cryptographically secure generator for pkeys

The random module should not be used for security purposes, therefore
the use of this module to generate private keys is a security flaw.

Since this project is not targeting a specific Python version, I'm not
sure if it's wise to use the `secrets` module, because this module first
appeared in Python 3.6. Instead I'm using `_get_random_bytes()`
(which is os.urandom under the hood) to generate cryptographically
secure numbers.

On the other hand, I'm not sure if this logic of generating random
private keys is entirely secure. In my opinion, the right way of doing
this is using ECDSA or using the library we already have in this
project:

from Crypto.PublicKey import RSA
key = RSA.generate(2048)

private_key = key.export_key()
public_key = key.publickey().export_key()

* Use os.urandom directly

---------

Co-authored-by: MrNaif2018 <chuff184@gmail.com>
MaG21 and MrNaif2018 committed Mar 14, 2024
1 parent 167ad29 commit 6789aa0
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions tronpy/keys/__init__.py
@@ -1,5 +1,5 @@
import hashlib
import random
import os
from collections.abc import ByteString, Hashable
from typing import Any, Iterator, Union

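Review bot: With `import random` dropped from the import block, any other `random.` call left in tronpy/keys/__init__.py would now fail with a NameError at call time. Only the one call in `PrivateKey.random()` is visible in this diff, so search the module for remaining uses before merging.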
@@ -274,7 +274,7 @@ def sign_msg_hash(self, message_hash: bytes) -> "Signature":
@classmethod
def random(cls) -> "PrivateKey":
"""Generate a random private key."""
return cls(bytes([random.randint(0, 255) for _ in range(32)]))
return cls(os.urandom(32))

@classmethod
def from_passphrase(cls, passphrase: bytes) -> "PrivateKey":
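Review bot: In `PrivateKey.random()`, the output of `os.urandom(32)` is passed straight to `cls(...)` with no range check, so the value can in principle be zero or not below the curve's group order, neither of which is a valid private key. The probability is negligible, but unless the constructor (not visible in this hunk) already rejects such values, consider redrawing until the integer falls in the valid range. The docstring `"""Generate a random private key."""` could also state that the bytes come from the OS CSPRNG, and a test that pins this behaviour would guard against a later return to the seedable `random` module.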
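The flaw fixed here, key bytes drawn from the `random` module, can be caught mechanically in review or CI. The following is an added example, not part of this commit or of tronpy: an `ast`-based check whose function name `find_insecure_random_calls` and two sample snippets are constructed for illustration from the diff above.

```python
import ast

# Constructed sample: the pre-fix and post-fix bodies of PrivateKey.random()
# from the diff on this page, wrapped in a minimal class so they parse alone.
BEFORE = '''
import random
class PrivateKey:
    @classmethod
    def random(cls):
        return cls(bytes([random.randint(0, 255) for _ in range(32)]))
'''
AFTER = '''
import os
class PrivateKey:
    @classmethod
    def random(cls):
        return cls(os.urandom(32))
'''

def find_insecure_random_calls(source):
    """Return sorted (line, dotted_call) for each call into the stdlib `random` module."""
    tree = ast.parse(source)
    modules, names = set(), {}  # local aliases of the module / of its functions
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "random":
                    modules.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for a in node.names:
                names[a.asname or a.name] = a.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in modules:
            if f.attr != "SystemRandom":  # SystemRandom is backed by os.urandom
                findings.append((node.lineno, "random." + f.attr))
        elif isinstance(f, ast.Name) and f.id in names and names[f.id] != "SystemRandom":
            findings.append((node.lineno, "random." + names[f.id]))
    return sorted(findings)

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_insecure_random_calls(src))
```

The check does not follow `from random import *` or values reassigned to other names, so treat an empty result as a first pass rather than proof of absence.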