From 6f6e7c0bccfa4c73f33462cfaab69deff9724292 Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 20:19:24 +0200 Subject: [PATCH 1/7] device: allow loading identities from a file (instead of argument) --- trezor_agent/device/__init__.py | 4 +- trezor_agent/device/interface.py | 68 ++++++++++++++++++-------------- trezor_agent/device/keepkey.py | 10 +---- trezor_agent/device/trezor.py | 31 +++++++-------- 4 files changed, 56 insertions(+), 57 deletions(-) diff --git a/trezor_agent/device/__init__.py b/trezor_agent/device/__init__.py index 65e915c..d37e6db 100644 --- a/trezor_agent/device/__init__.py +++ b/trezor_agent/device/__init__.py @@ -16,11 +16,11 @@ DEVICE_TYPES = [ ] -def detect(identity_str, curve_name): +def detect(): """Detect the first available device and return it to the user.""" for device_type in DEVICE_TYPES: try: - with device_type(identity_str, curve_name) as d: + with device_type() as d: return d except interface.NotFoundError as e: log.debug('device not found: %s', e) diff --git a/trezor_agent/device/interface.py b/trezor_agent/device/interface.py index 5baa21e..32bd44e 100644 --- a/trezor_agent/device/interface.py +++ b/trezor_agent/device/interface.py @@ -45,20 +45,6 @@ def identity_to_string(identity_dict): return ''.join(result) -def get_bip32_address(identity_dict, ecdh=False): - """Compute BIP32 derivation address according to SLIP-0013/0017.""" - index = struct.pack(''.format(identity_to_string(self.identity_dict), self.curve_name) + + def get_bip32_address(self, ecdh=False): + """Compute BIP32 derivation address according to SLIP-0013/0017.""" + index = struct.pack(' Date: Thu, 3 Nov 2016 22:00:43 +0200 Subject: [PATCH 2/7] ssh: decouple identity from device --- trezor_agent/__main__.py | 25 +++++++++++++++---------- trezor_agent/client.py | 18 +++++++++--------- trezor_agent/protocol.py | 2 +- 3 files changed, 25 insertions(+), 20 deletions(-) diff --git a/trezor_agent/__main__.py b/trezor_agent/__main__.py index 0a291c3..f526060 100644 --- a/trezor_agent/__main__.py +++ b/trezor_agent/__main__.py @@ -93,13 +93,11 @@ def git_host(remote_name, attributes): return '{user}@{host}'.format(**match.groupdict()) -def run_server(conn, public_key, command, debug, timeout): +def run_server(conn, public_keys, command, debug, timeout): """Common code for run_agent and run_git below.""" try: signer = conn.sign_ssh_challenge - public_key = formats.import_public_key(public_key) - log.info('using SSH public key: %s', public_key['fingerprint']) - handler = protocol.Handler(keys=[public_key], signer=signer, + handler = protocol.Handler(keys=public_keys, signer=signer, debug=debug) with server.serve(handler=handler, timeout=timeout) as env: return server.run_process(command=command, environ=env) @@ -125,12 +123,15 @@ def run_agent(client_factory=client.Client): args = create_agent_parser().parse_args() util.setup_logging(verbosity=args.verbose) - d = device.detect(identity_str=args.identity, - curve_name=args.ecdsa_curve_name) - conn = client_factory(device=d) + conn = client_factory(device=device.detect()) + identities = [device.interface.Identity(identity_str=args.identity, + curve_name=args.ecdsa_curve_name)] + for identity in identities: + identity.identity_dict['proto'] = 'ssh' command = args.command - public_key = conn.get_public_key() + + public_keys = [conn.get_public_key(i) for i in identities] if args.connect: command = ssh_args(args.identity) + args.command @@ -142,10 +143,14 @@ def run_agent(client_factory=client.Client): log.debug('using shell: %r', command) if not command: - sys.stdout.write(public_key) + for pk in public_keys: + sys.stdout.write(pk) return - return run_server(conn=conn, public_key=public_key, command=command, + public_keys = [formats.import_public_key(pk) for pk in public_keys] + for pk, identity in zip(public_keys, identities): + pk['identity'] = identity + return run_server(conn=conn, public_keys=public_keys, command=command, debug=args.debug, timeout=args.timeout) diff --git a/trezor_agent/client.py b/trezor_agent/client.py index 2e5b074..30dfb40 100644 --- a/trezor_agent/client.py +++ b/trezor_agent/client.py @@ -16,34 +16,34 @@ class Client(object): def __init__(self, device): """Connect to hardware device.""" - device.identity_dict['proto'] = 'ssh' self.device = device - def get_public_key(self): + def get_public_key(self, identity): """Get SSH public key from the device.""" with self.device: - pubkey = self.device.pubkey() + pubkey = self.device.pubkey(identity) vk = formats.decompress_pubkey(pubkey=pubkey, - curve_name=self.device.curve_name) + curve_name=identity.curve_name) return formats.export_public_key(vk=vk, - label=self.device.identity_str()) + label=str(identity)) - def sign_ssh_challenge(self, blob): + def sign_ssh_challenge(self, blob, identity): """Sign given blob using a private key on the device.""" msg = _parse_ssh_blob(blob) log.debug('%s: user %r via %r (%r)', msg['conn'], msg['user'], msg['auth'], msg['key_type']) log.debug('nonce: %r', msg['nonce']) - log.debug('fingerprint: %s', msg['public_key']['fingerprint']) + fp = msg['public_key']['fingerprint'] + log.debug('fingerprint: %s', fp) log.debug('hidden challenge size: %d bytes', len(blob)) log.info('please confirm user "%s" login to "%s" using %s...', - msg['user'].decode('ascii'), self.device.identity_str(), + msg['user'].decode('ascii'), identity, self.device) with self.device: - return self.device.sign(blob=blob) + return self.device.sign(blob=blob, identity=identity) def _parse_ssh_blob(data): diff --git a/trezor_agent/protocol.py b/trezor_agent/protocol.py index e1a763f..987bece 100644 --- a/trezor_agent/protocol.py +++ b/trezor_agent/protocol.py @@ -140,7 +140,7 @@ class Handler(object): label = key['name'].decode('ascii') # label should be a string log.debug('signing %d-byte blob with "%s" key', len(blob), label) try: - signature = self.signer(blob=blob) + signature = self.signer(blob=blob, identity=key['identity']) except IOError: return failure() log.debug('signature: %r', signature) From 6a5acba0b0ef989f152e7ec87ecd0a370ad6b3ad Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 22:00:56 +0200 Subject: [PATCH 3/7] gpg: decouple identity from device --- trezor_agent/gpg/__main__.py | 2 +- trezor_agent/gpg/client.py | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/trezor_agent/gpg/__main__.py b/trezor_agent/gpg/__main__.py index b41dceb..4aa92b6 100755 --- a/trezor_agent/gpg/__main__.py +++ b/trezor_agent/gpg/__main__.py @@ -123,5 +123,5 @@ def auto_unlock(): args = p.parse_args() util.setup_logging(verbosity=args.verbose) - d = device.detect(identity_str='', curve_name='') + d = device.detect() log.info('unlocked %s device', d) diff --git a/trezor_agent/gpg/client.py b/trezor_agent/gpg/client.py index f431d54..042f99b 100644 --- a/trezor_agent/gpg/client.py +++ b/trezor_agent/gpg/client.py @@ -12,28 +12,28 @@ class Client(object): def __init__(self, user_id, curve_name): """Connect to the device and retrieve required public key.""" - self.device = device.detect(identity_str='', - curve_name=curve_name) - self.device.identity_dict['proto'] = 'gpg' - self.device.identity_dict['host'] = user_id + self.device = device.detect() self.user_id = user_id + self.identity = device.interface.Identity( + identity_str='gpg://{}'.format(user_id), + curve_name=curve_name) def pubkey(self, ecdh=False): """Return public key as VerifyingKey object.""" with self.device: - pubkey = self.device.pubkey(ecdh=ecdh) + pubkey = self.device.pubkey(ecdh=ecdh, identity=self.identity) return formats.decompress_pubkey( - pubkey=pubkey, curve_name=self.device.curve_name) + pubkey=pubkey, curve_name=self.identity.curve_name) def sign(self, digest): """Sign the digest and return a serialized signature.""" log.info('please confirm GPG signature on %s for "%s"...', self.device, self.user_id) - if self.device.curve_name == formats.CURVE_NIST256: + if self.identity.curve_name == formats.CURVE_NIST256: digest = digest[:32] # sign the first 256 bits log.debug('signing digest: %s', util.hexlify(digest)) with self.device: - sig = self.device.sign(blob=digest) + sig = self.device.sign(blob=digest, identity=self.identity) return (util.bytes2num(sig[:32]), util.bytes2num(sig[32:])) def ecdh(self, pubkey): @@ -41,4 +41,4 @@ class Client(object): log.info('please confirm GPG decryption on %s for "%s"...', self.device, self.user_id) with self.device: - return self.device.ecdh(pubkey=pubkey) + return self.device.ecdh(pubkey=pubkey, identity=self.identity) From 021831073ed4bd525e020fd7d6207d9a45b1a6d3 Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 22:23:14 +0200 Subject: [PATCH 4/7] ssh: simple support for multiple public keys loading --- trezor_agent/__main__.py | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/trezor_agent/__main__.py b/trezor_agent/__main__.py index f526060..ed90778 100644 --- a/trezor_agent/__main__.py +++ b/trezor_agent/__main__.py @@ -117,6 +117,14 @@ def handle_connection_error(func): return wrapper +def parse_config(fname): + """Parse config file into a list of Identity objects.""" + contents = open(fname).read() + for identity_str, curve_name in re.findall('\<(.*?)\|(.*?)\>', contents): + yield device.interface.Identity(identity_str=identity_str, + curve_name=curve_name) + + @handle_connection_error def run_agent(client_factory=client.Client): """Run ssh-agent using given hardware client factory.""" @@ -124,10 +132,14 @@ def run_agent(client_factory=client.Client): util.setup_logging(verbosity=args.verbose) conn = client_factory(device=device.detect()) - identities = [device.interface.Identity(identity_str=args.identity, - curve_name=args.ecdsa_curve_name)] - for identity in identities: + if args.identity.startswith('/'): + identities = list(parse_config(fname=args.identity)) + else: + identities = [device.interface.Identity( + identity_str=args.identity, curve_name=args.ecdsa_curve_name)] + for index, identity in enumerate(identities): identity.identity_dict['proto'] = 'ssh' + log.info('identity #%d: %s', index, identity) command = args.command From ac4a86d3125c07fbcdf5a0986423e3fdceca848f Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 23:12:59 +0200 Subject: [PATCH 5/7] ssh: remove git utility --- setup.py | 1 - trezor_agent/__main__.py | 28 ---------------------------- 2 files changed, 29 deletions(-) diff --git a/setup.py b/setup.py index 1c94e6e..97c7b9f 100644 --- a/setup.py +++ b/setup.py @@ -31,7 +31,6 @@ setup( ], entry_points={'console_scripts': [ 'trezor-agent = trezor_agent.__main__:run_agent', - 'trezor-git = trezor_agent.__main__:run_git', 'trezor-gpg-create = trezor_agent.gpg.__main__:main_create', 'trezor-gpg-agent = trezor_agent.gpg.__main__:main_agent', 'trezor-gpg-unlock = trezor_agent.gpg.__main__:auto_unlock', diff --git a/trezor_agent/__main__.py b/trezor_agent/__main__.py index ed90778..7fd0f37 100644 --- a/trezor_agent/__main__.py +++ b/trezor_agent/__main__.py @@ -164,31 +164,3 @@ def run_agent(client_factory=client.Client): pk['identity'] = identity return run_server(conn=conn, public_keys=public_keys, command=command, debug=args.debug, timeout=args.timeout) - - -@handle_connection_error -def run_git(client_factory=client.Client): - """Run git under ssh-agent using given hardware client factory.""" - args = create_git_parser().parse_args() - util.setup_logging(verbosity=args.verbose) - - with client_factory(curve=args.ecdsa_curve_name) as conn: - label = git_host(args.remote, ['pushurl', 'url']) - if not label: - log.error('Could not find "%s" SSH remote in .git/config', - args.remote) - return - - public_key = conn.get_public_key(label=label) - - if not args.test: - if args.command: - command = ['git'] + args.command - else: - sys.stdout.write(public_key) - return - else: - command = ['ssh', '-T', label] - - return run_server(conn=conn, public_key=public_key, command=command, - debug=args.debug, timeout=args.timeout) From dbed773e548135146e47c8cb90f3a9096e50b17d Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 23:29:45 +0200 Subject: [PATCH 6/7] fix pylint and tests --- trezor_agent/__main__.py | 2 +- trezor_agent/device/__init__.py | 3 +-- trezor_agent/device/keepkey.py | 1 - trezor_agent/device/ledger.py | 29 +++++++++++++---------------- trezor_agent/tests/test_client.py | 20 ++++++++++---------- trezor_agent/tests/test_protocol.py | 21 +++++++++++++-------- 6 files changed, 38 insertions(+), 38 deletions(-) diff --git a/trezor_agent/__main__.py b/trezor_agent/__main__.py index 7fd0f37..3fa81c3 100644 --- a/trezor_agent/__main__.py +++ b/trezor_agent/__main__.py @@ -120,7 +120,7 @@ def handle_connection_error(func): def parse_config(fname): """Parse config file into a list of Identity objects.""" contents = open(fname).read() - for identity_str, curve_name in re.findall('\<(.*?)\|(.*?)\>', contents): + for identity_str, curve_name in re.findall(r'\<(.*?)\|(.*?)\>', contents): yield device.interface.Identity(identity_str=identity_str, curve_name=curve_name) diff --git a/trezor_agent/device/__init__.py b/trezor_agent/device/__init__.py index d37e6db..613c1cf 100644 --- a/trezor_agent/device/__init__.py +++ b/trezor_agent/device/__init__.py @@ -24,5 +24,4 @@ def detect(): return d except interface.NotFoundError as e: log.debug('device not found: %s', e) - raise IOError('No device found: "{}" ({})'.format(identity_str, - curve_name)) + raise IOError('No device found!') diff --git a/trezor_agent/device/keepkey.py b/trezor_agent/device/keepkey.py index 23ccf61..75e3958 100644 --- a/trezor_agent/device/keepkey.py +++ b/trezor_agent/device/keepkey.py @@ -1,7 +1,6 @@ """KeepKey-related code (see https://www.keepkey.com/).""" from . import interface, trezor -from .. import formats class KeepKey(trezor.Trezor): diff --git a/trezor_agent/device/ledger.py b/trezor_agent/device/ledger.py index 1745fba..e54c83d 100644 --- a/trezor_agent/device/ledger.py +++ b/trezor_agent/device/ledger.py @@ -44,11 +44,10 @@ class LedgerNanoS(interface.Device): raise interface.NotFoundError( '{} not connected: "{}"'.format(self, e)) - def pubkey(self, ecdh=False): + def pubkey(self, identity, ecdh=False): """Get PublicKey object for specified BIP32 address and elliptic curve.""" - curve_name = self.get_curve_name(ecdh) - path = _expand_path(interface.get_bip32_address(self.identity_dict, - ecdh=ecdh)) + curve_name = identity.get_curve_name(ecdh) + path = _expand_path(identity.get_bip32_address(ecdh)) if curve_name == 'nist256p1': p2 = '01' else: @@ -60,27 +59,26 @@ class LedgerNanoS(interface.Device): result = bytearray(self.conn.exchange(bytes(apdu)))[1:] return _convert_public_key(curve_name, result) - def sign(self, blob): + def sign(self, identity, blob): """Sign given blob and return the signature (as bytes).""" - path = _expand_path(interface.get_bip32_address(self.identity_dict, - ecdh=False)) - if self.identity_dict['proto'] == 'ssh': + path = _expand_path(identity.get_bip32_address(ecdh=False)) + if identity.identity_dict['proto'] == 'ssh': ins = '04' p1 = '00' else: ins = '08' p1 = '00' - if self.curve_name == 'nist256p1': - p2 = '81' if self.identity_dict['proto'] == 'ssh' else '01' + if identity.curve_name == 'nist256p1': + p2 = '81' if identity.identity_dict['proto'] == 'ssh' else '01' else: - p2 = '82' if self.identity_dict['proto'] == 'ssh' else '02' + p2 = '82' if identity.identity_dict['proto'] == 'ssh' else '02' apdu = '80' + ins + p1 + p2 apdu = binascii.unhexlify(apdu) apdu += bytearray([len(blob) + len(path) + 1]) apdu += bytearray([len(path) // 4]) + path apdu += blob result = bytearray(self.conn.exchange(bytes(apdu))) - if self.curve_name == 'nist256p1': + if identity.curve_name == 'nist256p1': offset = 3 length = result[offset] r = result[offset+1:offset+1+length] @@ -96,11 +94,10 @@ class LedgerNanoS(interface.Device): else: return bytes(result[:64]) - def ecdh(self, pubkey): + def ecdh(self, identity, pubkey): """Get shared session key using Elliptic Curve Diffie-Hellman.""" - path = _expand_path(interface.get_bip32_address(self.identity_dict, - ecdh=True)) - if self.curve_name == 'nist256p1': + path = _expand_path(identity.get_bip32_address(ecdh=True)) + if identity.curve_name == 'nist256p1': p2 = '01' else: p2 = '02' diff --git a/trezor_agent/tests/test_client.py b/trezor_agent/tests/test_client.py index b3f4bad..fb9d2b7 100644 --- a/trezor_agent/tests/test_client.py +++ b/trezor_agent/tests/test_client.py @@ -12,7 +12,7 @@ PUBKEY = (b'\x03\xd8(\xb5\xa6`\xbet0\x95\xac:[;]\xdc,\xbd\xdc?\xd7\xc0\xec' b'\xdd\xbc+\xfar~\x9dAis') PUBKEY_TEXT = ('ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' 'HAyNTYAAABBBNgotaZgvnQwlaw6Wztd3Cy93D/XwOzdvCv6cn6dQWlzNMEQeW' - 'VUfhvrGljR2Z/CMRONY6ejB+9PnpUOPuzYqi8= ssh://localhost:22\n') + 'VUfhvrGljR2Z/CMRONY6ejB+9PnpUOPuzYqi8= \n') class MockDevice(device.interface.Device): # pylint: disable=abstract-method @@ -23,11 +23,11 @@ class MockDevice(device.interface.Device): # pylint: disable=abstract-method def close(self): self.conn = None - def pubkey(self, ecdh=False): # pylint: disable=unused-argument + def pubkey(self, identity, ecdh=False): # pylint: disable=unused-argument assert self.conn return PUBKEY - def sign(self, blob): + def sign(self, identity, blob): """Sign given blob and return the signature (as bytes).""" assert self.conn assert blob == BLOB @@ -59,11 +59,11 @@ SIG = (b'R\x19T\xf2\x84$\xef#\x0e\xee\x04X\xc6\xc3\x99T`\xd1\xd8\xf7!' def test_ssh_agent(): - identity_str = 'localhost:22' - c = client.Client(device=MockDevice(identity_str=identity_str, - curve_name=CURVE)) - assert c.get_public_key() == PUBKEY_TEXT - signature = c.sign_ssh_challenge(blob=BLOB) + identity = device.interface.Identity(identity_str='localhost:22', + curve_name=CURVE) + c = client.Client(device=MockDevice()) + assert c.get_public_key(identity) == PUBKEY_TEXT + signature = c.sign_ssh_challenge(blob=BLOB, identity=identity) key = formats.import_public_key(PUBKEY_TEXT) serialized_sig = key['verifier'](sig=signature, msg=BLOB) @@ -77,9 +77,9 @@ def test_ssh_agent(): assert r[1:] + s[1:] == SIG # pylint: disable=unused-argument - def cancel_sign(blob): + def cancel_sign(identity, blob): raise IOError(42, 'ERROR') c.device.sign = cancel_sign with pytest.raises(IOError): - c.sign_ssh_challenge(blob=BLOB) + c.sign_ssh_challenge(blob=BLOB, identity=identity) diff --git a/trezor_agent/tests/test_protocol.py b/trezor_agent/tests/test_protocol.py index 17a1001..2d8b0dc 100644 --- a/trezor_agent/tests/test_protocol.py +++ b/trezor_agent/tests/test_protocol.py @@ -1,6 +1,6 @@ import pytest -from .. import formats, protocol +from .. import device, formats, protocol # pylint: disable=line-too-long @@ -17,6 +17,7 @@ NIST256_SIGN_REPLY = b'\x00\x00\x00j\x0e\x00\x00\x00e\x00\x00\x00\x13ecdsa-sha2- def test_list(): key = formats.import_public_key(NIST256_KEY) + key['identity'] = device.interface.Identity('ssh://localhost', 'nist256p1') h = protocol.Handler(keys=[key], signer=None) reply = h.handle(LIST_MSG) assert reply == LIST_NIST256_REPLY @@ -28,13 +29,15 @@ def test_unsupported(): assert reply == b'\x00\x00\x00\x01\x05' -def ecdsa_signer(blob): +def ecdsa_signer(identity, blob): + assert str(identity) == '' assert blob == NIST256_BLOB return NIST256_SIG def test_ecdsa_sign(): key = formats.import_public_key(NIST256_KEY) + key['identity'] = device.interface.Identity('ssh://localhost', 'nist256p1') h = protocol.Handler(keys=[key], signer=ecdsa_signer) reply = h.handle(NIST256_SIGN_MSG) assert reply == NIST256_SIGN_REPLY @@ -42,30 +45,30 @@ def test_ecdsa_sign(): def test_sign_missing(): h = protocol.Handler(keys=[], signer=ecdsa_signer) - with pytest.raises(KeyError): h.handle(NIST256_SIGN_MSG) def test_sign_wrong(): - def wrong_signature(blob): + def wrong_signature(identity, blob): + assert str(identity) == '' assert blob == NIST256_BLOB return b'\x00' * 64 key = formats.import_public_key(NIST256_KEY) + key['identity'] = device.interface.Identity('ssh://localhost', 'nist256p1') h = protocol.Handler(keys=[key], signer=wrong_signature) - with pytest.raises(ValueError): h.handle(NIST256_SIGN_MSG) def test_sign_cancel(): - def cancel_signature(blob): # pylint: disable=unused-argument + def cancel_signature(identity, blob): # pylint: disable=unused-argument raise IOError() key = formats.import_public_key(NIST256_KEY) + key['identity'] = device.interface.Identity('ssh://localhost', 'nist256p1') h = protocol.Handler(keys=[key], signer=cancel_signature) - assert h.handle(NIST256_SIGN_MSG) == protocol.failure() @@ -77,13 +80,15 @@ ED25519_BLOB = b'''\x00\x00\x00 i3\xae}yk\\\xa1L\xb9\xe1\xbf\xbc\x8e\x87\r\x0e\x ED25519_SIG = b'''\x8eb)\xa6\xe9P\x83VE\xfbq\xc6\xbf\x1dV3\xe3' assert blob == ED25519_BLOB return ED25519_SIG def test_ed25519_sign(): key = formats.import_public_key(ED25519_KEY) + key['identity'] = device.interface.Identity('ssh://localhost', 'ed25519') h = protocol.Handler(keys=[key], signer=ed25519_signer) reply = h.handle(ED25519_SIGN_MSG) assert reply == ED25519_SIGN_REPLY From ee593bc66e212770e0fda5409a50547dc84856ff Mon Sep 17 00:00:00 2001 From: Roman Zeyde Date: Thu, 3 Nov 2016 23:35:48 +0200 Subject: [PATCH 7/7] gpg: show user ID on a single line --- trezor_agent/gpg/client.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/trezor_agent/gpg/client.py b/trezor_agent/gpg/client.py index 042f99b..e585d9c 100644 --- a/trezor_agent/gpg/client.py +++ b/trezor_agent/gpg/client.py @@ -15,8 +15,8 @@ class Client(object): self.device = device.detect() self.user_id = user_id self.identity = device.interface.Identity( - identity_str='gpg://{}'.format(user_id), - curve_name=curve_name) + identity_str='gpg://', curve_name=curve_name) + self.identity.identity_dict['host'] = user_id def pubkey(self, ecdh=False): """Return public key as VerifyingKey object."""