python的模块itsdangerous

Posted 2020-10-05

这个模块主要用来签名和序列化

使用场景：

一、给字符串添加签名：

　　发送方和接收方拥有相同的密钥--"secret-key",发送方使用密钥对发送内容进行签名，接收方使用相同的密钥对接收到的内容进行验证，看是否是发送方发送的内容

 1 >>> from itsdangerous import Signer
 2 >>> s = Signer(‘secret-key‘)
 3 >>> s.sign(‘my string, ssssssssss,dddddddddddddlsd‘)
 4 ‘my string, ssssssssss,dddddddddddddlsd.nSXTxgO_UMN4gkLZcFCioa-dZSo‘
 5 >>>
 6 >>> s.unsign(‘my string, ssssssssss,dddddddddddddlsd.nSXTxgO_UMN4gkLZcFCioa-dZSo‘)
 7 ‘my string, ssssssssss,dddddddddddddlsd‘
 8 >>> s.unsign(‘my string, ssss.nSXTxgO_UMN4gkLZcFCioa-dZSo‘)
 9 Traceback (most recent call last):
10   File "<stdin>", line 1, in <module>
11   File "/usr/local/lib/python2.7/site-packages/itsdangerous.py", line 374, in unsign
12     payload=value)
13 itsdangerous.BadSignature: Signature ‘nSXTxgO_UMN4gkLZcFCioa-dZSo‘ does not match
14 >>> s.unsign(‘my string, ssssssssss,dddddddddddddlsd.nSXTxgO_UMN4gkLZcFCioa-dZSP‘)
15 Traceback (most recent call last):
16   File "<stdin>", line 1, in <module>
17   File "/usr/local/lib/python2.7/site-packages/itsdangerous.py", line 374, in unsign
18     payload=value)
19 itsdangerous.BadSignature: Signature ‘nSXTxgO_UMN4gkLZcFCioa-dZSP‘ does not match
20 >>>

二、带时间戳的签名：

　　签名有一定的时效性，发送方发送时，带上时间信息，接收方判断多长时间内是否失效

>>> from itsdangerous import TimestampSigner
>>> s = TimestampSigner(‘secret-key‘)
>>> string = s.sign(‘foo‘)
>>> s.unsign(string, max_age=5)
foo
>>> s.unsign(string, max_age=5)
Traceback (most recent call last):
  ...
itsdangerous.SignatureExpired: Signature age 15 > 5 seconds

三、序列化

>>> from itsdangerous import Serializer
>>> s = Serializer(‘secret-key‘)
>>> s.dumps([1, 2, 3, 4])
‘[1, 2, 3, 4].r7R9RhGgDPvvWl3iNzLuIIfELmo‘
And it can of course also load:

>>> s.loads(‘[1, 2, 3, 4].r7R9RhGgDPvvWl3iNzLuIIfELmo‘)
[1, 2, 3, 4]
If you want to have the timestamp attached you can use the TimedSerializer.

四、带时间戳的序列化：

>>> from itsdangerous import TimedSerializer
>>> s=TimedSerializer(‘secret-key‘)
>>> s.dumps([1,2,3,4])
‘[1, 2, 3, 4].DI7WHQ.yVOjwQWau5mVRGuVkoqa7654VXc‘
>>> s.loads(‘[1, 2, 3, 4].DI7WHQ.yVOjwQWau5mVRGuVkoqa7654VXc‘)
[1, 2, 3, 4]
>>> s.loads(‘[1, 2, 3, 4].DI7WHQ.yVOjwQWau5mVRGuVkoqa7654VXc‘,max_age=10)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/itsdangerous.py", line 643, in loads
    .unsign(s, max_age, return_timestamp=True)
  File "/usr/local/lib/python2.7/site-packages/itsdangerous.py", line 463, in unsign
    date_signed=self.timestamp_to_datetime(timestamp))
itsdangerous.SignatureExpired: Signature age 28 > 10 seconds
>>> s.loads(‘[1, 2, 3, 4].DI7WHQ.yVOjwQWau5mVRGuVkoqa7654VXc‘,max_age=40)
[1, 2, 3, 4]
>>>

五、URL安全序列化

对于限定字符串的场景，你可以使用URL安全序列化

>>> from itsdangerous import URLSafeSerializer
>>> s = URLSafeSerializer(‘secret-key‘)
>>> s.dumps([1, 2, 3, 4])
‘WzEsMiwzLDRd.wSPHqC0gR7VUqivlSukJ0IeTDgo‘
>>> s.loads(‘WzEsMiwzLDRd.wSPHqC0gR7VUqivlSukJ0IeTDgo‘)
[1, 2, 3, 4]

六、JSON Web签名

JSON Web Signatures

Starting with “itsdangerous” 0.18 JSON Web Signatures are also supported. They generally work very similar to the already existing URL safe serializer but will emit headers according to the current draft (10) of the JSON Web Signature (JWS) [draft-ietf-jose-json-web-signature].

>>> from itsdangerous import JSONWebSignatureSerializer
>>> s = JSONWebSignatureSerializer(‘secret-key‘)
>>> s.dumps({‘x‘: 42})
‘eyJhbGciOiJIUzI1NiJ9.eyJ4Ijo0Mn0.ZdTn1YyGz9Yx5B5wNpWRL221G1WpVE5fPCPKNuc6UAo‘

 

When loading the value back the header will not be returned by default like with the other serializers. However it is possible to also ask for the header by passing return_header=True. Custom header fields can be provided upon serialization:

>>> s.dumps(0, header_fields={‘v‘: 1})
‘eyJhbGciOiJIUzI1NiIsInYiOjF9.MA.wT-RZI9YU06R919VBdAfTLn82_iIQD70J_j-3F4z_aM‘
>>> s.loads(‘eyJhbGciOiJIUzI1NiIsInYiOjF9.MA.wT-RZI9YU06R919VBdAf‘
...         ‘TLn82_iIQD70J_j-3F4z_aM‘, return_header=True)
...
(0, {u‘alg‘: u‘HS256‘, u‘v‘: 1})

“itsdangerous” only provides HMAC SHA derivatives and the none algorithm at the moment and does not support the ECC based ones. The algorithm in the header is checked against the one of the serializer and on a mismatch a BadSignatureexception is raised.

 

七、带时间戳的JSON Web签名

from itsdangerous import TimedJSONWebSignatureSerializer as Serializer 
s = Serializer(‘secret-key‘, expires_in=60)
s.dumps({‘id‘: user.id}) # user为model中封装过的对象

 

八、盐值

这里的盐值和加密算法里的盐值概念不一样，这里的盐值(salt)可以应用到上面所有情形中，不同的盐值，生成的签名或者序列化的数值不一样

 

>>> s1 = URLSafeSerializer(‘secret-key‘, salt=‘activate-salt‘)
>>> s1.dumps(42)
‘NDI.kubVFOOugP5PAIfEqLJbXQbfTxs‘
>>> s2 = URLSafeSerializer(‘secret-key‘, salt=‘upgrade-salt‘)
>>> s2.dumps(42)
‘NDI.7lx-N1P-z2veJ7nT1_2bnTkjGTE‘
>>> s2.loads(s1.dumps(42))
Traceback (most recent call last):
  ...
itsdangerous.BadSignature: Signature "kubVFOOugP5PAIfEqLJbXQbfTxs" does not match
Only the serializer with the same salt can load the value:

>>> s2.loads(s2.dumps(42))
42

 

refer:

1、https://pythonhosted.org/itsdangerous/

2、http://itsdangerous.readthedocs.io/en/latest/

3、http://cxymrzero.github.io/blog/2015/03/18/flask-token/