feat(F4): add PIN hashing utilities with PBKDF2-SHA256

2026-04-03 17:37:42 -04:00
parent 2c72743bec
commit 3f2a59c11e
2 changed files with 61 additions and 0 deletions
--- a/vigilar/alerts/pin.py
+++ b/vigilar/alerts/pin.py
@@ -0,0 +1,22 @@
+"""PIN hashing and verification using PBKDF2-SHA256."""
+
+import hashlib
+import os
+
+
+def hash_pin(pin: str) -> str:
+    salt = os.urandom(16)
+    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations=600_000)
+    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"
+
+
+def verify_pin(pin: str, stored_hash: str) -> bool:
+    if not stored_hash:
+        return True
+    parts = stored_hash.split("$")
+    if len(parts) != 3 or parts[0] != "pbkdf2_sha256":
+        return False
+    salt = bytes.fromhex(parts[1])
+    expected = parts[2]
+    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations=600_000)
+    return dk.hex() == expected