Merge branch 'master' of ssh://gnunet.org/gnunet

9 files changed, 658 insertions, 135 deletions

diff --git a/src/gns/gnunet-gns.c b/src/gns/gnunet-gns.c
index eb1d4f23f..5cf496808 100644
--- a/src/gns/gnunet-gns.c
+++ b/src/gns/gnunet-gns.c
@@ -279,7 +279,7 @@ run (void *cls,
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                 _ ("Cannot resolve using GNS: GNUnet peer not running\n"));
-    global_ret = 2;
+    global_ret = 5;
     return;
   }
   to_task = GNUNET_SCHEDULER_add_delayed (timeout,
diff --git a/src/gns/gnunet-service-gns_resolver.c b/src/gns/gnunet-service-gns_resolver.c
index 751cc226e..7d398c168 100644
--- a/src/gns/gnunet-service-gns_resolver.c
+++ b/src/gns/gnunet-service-gns_resolver.c
@@ -1763,8 +1763,7 @@ recursive_gns2dns_resolution (struct GNS_ResolverHandle *rh,
       /**
        * Records other than GNS2DNS not allowed
        */
-      fail_resolution (rh);
-      return;
+      return GNUNET_SYSERR;
     }
     off = 0;
     n = GNUNET_DNSPARSER_parse_name (rd[i].data,
diff --git a/src/gns/nss/nss_gns_query.c b/src/gns/nss/nss_gns_query.c
index 7f6bef90d..11e46ad7f 100644
--- a/src/gns/nss/nss_gns_query.c
+++ b/src/gns/nss/nss_gns_query.c
@@ -60,16 +60,16 @@ gns_resolve_name (int af, const char *name, struct userdata *u)
   FILE *p;
   char line[128];
   int ret;
+  int retry = 0;
   int out[2];
-  int tried_arm_start = 0;
   pid_t pid;
 
   if (0 == getuid ())
     return -2; /* GNS via NSS is NEVER for root */
-  if (0 != pipe (out))
-    return -1;
 
 query_gns:
+  if (0 != pipe (out))
+    return -1;
   pid = fork ();
   if (-1 == pid)
     return -1;
@@ -141,56 +141,23 @@ query_gns:
   }
   (void) fclose (p);
   waitpid (pid, &ret, 0);
-
   if (! WIFEXITED (ret))
     return -1;
   if (4 == WEXITSTATUS (ret))
     return -2; /* not for GNS */
-  if ((3 == ret) &&
-      (1 != tried_arm_start))
-    return -3; /* timeout -> try restart */
-  if ((3 == ret) &&
-      (1 == tried_arm_start))
+  if (5 == WEXITSTATUS (ret))
+  {
+    if (1 == retry)
+      return -2; /* no go -> service unavailable */
+    retry = 1;
+    system("gnunet-arm -s");
+    goto query_gns; /* Try again */
+  }
+  if (3 == WEXITSTATUS (ret))
     return -2; /* timeout -> service unavailable */
   if ((2 == WEXITSTATUS (ret)) || (1 == WEXITSTATUS (ret)))
     return -2; /* launch failure -> service unavailable */
   return 0;
-
-  pid = fork ();
-  if (-1 == pid)
-    return -1;
-  if (0 == pid)
-  {
-    char *argv[] = { "gnunet-arm",
-                     "-s", /* Raw output for easier parsing */
-                     NULL };
-
-    (void) close (STDOUT_FILENO);
-    if ((0 != close (out[0])) ||
-        (STDOUT_FILENO != dup2 (out[1], STDOUT_FILENO)))
-      _exit (1);
-    (void) execvp ("gnunet-arm", argv);
-    _exit (1);
-  }
-  (void) close (out[1]);
-  p = fdopen (out[0], "r");
-  if (NULL == p)
-  {
-    kwait (pid);
-    return -1;
-  }
-  while (NULL != fgets (line, sizeof(line), p))
-  {
-    /**
-     * Read output
-     */
-  }
-  (void) fclose (p);
-  waitpid (pid, &ret, 0);
-  tried_arm_start = 1;
-  goto query_gns;
-
-
 }
 
 
diff --git a/src/gnsrecord/Makefile.am b/src/gnsrecord/Makefile.am
index 3da9af9ca..2e6eca7ba 100644
--- a/src/gnsrecord/Makefile.am
+++ b/src/gnsrecord/Makefile.am
@@ -12,6 +12,10 @@ if USE_COVERAGE
   XLIBS = -lgcov
 endif
 
+bin_PROGRAMS = \
+  gnunet-gnsrecord-tvg
+
+
 check_PROGRAMS = \
  test_gnsrecord_crypto \
  test_gnsrecord_serialization \
@@ -28,6 +32,14 @@ endif
 lib_LTLIBRARIES = \
   libgnunetgnsrecord.la
 
+gnunet_gnsrecord_tvg_SOURCES = \
+ gnunet-gnsrecord-tvg.c
+gnunet_gnsrecord_tvg_LDADD = \
+  $(top_builddir)/src/util/libgnunetutil.la \
+  libgnunetgnsrecord.la \
+  $(GN_LIBINTL)
+
+
 libgnunetgnsrecord_la_SOURCES = \
   gnsrecord.c \
   gnsrecord_serialization.c \
diff --git a/src/gnsrecord/gnunet-gnsrecord-tvg.c b/src/gnsrecord/gnunet-gnsrecord-tvg.c
new file mode 100644
index 000000000..cf815d629
--- /dev/null
+++ b/src/gnsrecord/gnunet-gnsrecord-tvg.c
@@ -0,0 +1,202 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-gns-tvg.c
+ * @brief Generate test vectors for GNS.
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_gns_service.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_dnsparser_lib.h"
+#include "gnunet_testing_lib.h"
+#include <inttypes.h>
+
+#define TEST_RECORD_LABEL "test"
+#define TEST_RECORD_A "1.2.3.4"
+#define TEST_RRCOUNT 2
+
+static void
+print_record(const struct GNUNET_GNSRECORD_Data *rd)
+{
+  char *data_enc;
+  char *string_v;
+  string_v = GNUNET_GNSRECORD_value_to_string (rd->record_type,
+                                               rd->data,
+                                               rd->data_size);
+    fprintf (stdout,
+           "EXPIRATION: %"PRIu64"\n", rd->expiration_time);
+  fprintf (stdout,
+           "DATA_SIZE: %"PRIu64"\n", rd->data_size);
+  fprintf (stdout,
+           "TYPE: %d\n", rd->record_type);
+  fprintf (stdout,
+           "FLAGS: %d\n", rd->flags);
+  GNUNET_STRINGS_base64_encode (rd->data,
+                                rd->data_size,
+                                &data_enc);
+  fprintf (stdout,
+           "DATA (base64):\n%s\n",
+           data_enc);
+  fprintf (stdout,
+           "DATA (Human readable):\n%s\n\n", string_v);
+  GNUNET_free (string_v);
+
+  GNUNET_free (data_enc);
+}
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_GNSRECORD_Data rd[2];
+  struct GNUNET_TIME_Absolute exp_abs = GNUNET_TIME_absolute_get();
+  struct GNUNET_GNSRECORD_Block *rrblock;
+  char *bdata;
+  struct GNUNET_CRYPTO_EcdsaPrivateKey id_priv;
+  struct GNUNET_CRYPTO_EcdsaPublicKey id_pub;
+  struct GNUNET_CRYPTO_EcdsaPrivateKey pkey_data_p;
+  struct GNUNET_CRYPTO_EcdsaPublicKey pkey_data;
+  void *data;
+  size_t data_size;
+  char *rdata;
+  size_t rdata_size;
+  char* data_enc;
+
+  GNUNET_CRYPTO_ecdsa_key_create (&id_priv);
+  GNUNET_CRYPTO_ecdsa_key_get_public (&id_priv,
+                                      &id_pub);
+  GNUNET_STRINGS_base64_encode (&id_priv,
+                                sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
+                                &data_enc);
+  fprintf(stdout, "Zone private key (d):\n%s\n", data_enc);
+  GNUNET_free (data_enc);
+  GNUNET_STRINGS_base64_encode (&id_pub,
+                                sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
+                                &data_enc);
+  fprintf(stdout, "Zone public key (zk):\n%s\n", data_enc);
+  GNUNET_free (data_enc);
+
+
+  GNUNET_CRYPTO_ecdsa_key_create (&pkey_data_p);
+  GNUNET_CRYPTO_ecdsa_key_get_public (&pkey_data_p,
+                                      &pkey_data);
+  fprintf (stdout,
+           "Label: %s\nRRCOUNT: %d\n\n", TEST_RECORD_LABEL, TEST_RRCOUNT);
+  memset (rd, 0, sizeof (struct GNUNET_GNSRECORD_Data) * 2);
+  GNUNET_assert (GNUNET_OK == GNUNET_GNSRECORD_string_to_value (GNUNET_DNSPARSER_TYPE_A, TEST_RECORD_A, &data, &data_size));
+  rd[0].data = data;
+  rd[0].data_size = data_size;
+  rd[0].expiration_time = exp_abs.abs_value_us;
+  rd[0].record_type = GNUNET_DNSPARSER_TYPE_A;
+  fprintf (stdout, "Record #0\n");
+  print_record (&rd[0]);
+
+  rd[1].data = &pkey_data;
+  rd[1].data_size = sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey);
+  rd[1].expiration_time = exp_abs.abs_value_us;
+  rd[1].record_type = GNUNET_GNSRECORD_TYPE_PKEY;
+  rd[1].flags = GNUNET_GNSRECORD_RF_PRIVATE;
+  fprintf (stdout, "Record #1\n");
+  print_record (&rd[1]);
+
+  rdata_size = GNUNET_GNSRECORD_records_get_size (2,
+                                                  rd);
+  rdata = GNUNET_malloc (rdata_size);
+  GNUNET_GNSRECORD_records_serialize (2,
+                                      rd,
+                                      rdata_size,
+                                      rdata);
+  GNUNET_STRINGS_base64_encode (rdata,
+                                rdata_size,
+                                &data_enc);
+  fprintf(stdout, "RDATA:\n%s\n\n", data_enc);
+  GNUNET_free (data_enc);
+  rrblock = GNUNET_GNSRECORD_block_create (&id_priv,
+                                         exp_abs,
+                                         TEST_RECORD_LABEL,
+                                         rd,
+                                         TEST_RRCOUNT);
+  size_t bdata_size = ntohl (rrblock->purpose.size) -
+    sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose) -
+    sizeof(struct GNUNET_TIME_AbsoluteNBO);
+  size_t rrblock_size = ntohl (rrblock->purpose.size) +
+    sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey) +
+    sizeof(struct GNUNET_CRYPTO_EcdsaSignature);
+
+  bdata = (char*)&rrblock[1];
+  GNUNET_STRINGS_base64_encode (bdata,
+                                bdata_size,
+                                &data_enc);
+  fprintf(stdout, "BDATA:\n%s\n\n", data_enc);
+  GNUNET_free (data_enc);
+  GNUNET_STRINGS_base64_encode (rrblock,
+                                rrblock_size,
+                                &data_enc);
+  fprintf(stdout, "RRBLOCK:\n%s\n", data_enc);
+  GNUNET_free (data_enc);
+
+}
+
+
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-gns-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-gns-tvg",
+                          "Generate test vectors for GNS",
+                          options,
+                          &run, NULL))
+    return 1;
+  return 0;
+}
+
+
+/* end of gnunet-gns-tvg.c */
diff --git a/src/namestore/plugin_rest_namestore.c b/src/namestore/plugin_rest_namestore.c
index 4184d93a1..95b9b428f 100644
--- a/src/namestore/plugin_rest_namestore.c
+++ b/src/namestore/plugin_rest_namestore.c
@@ -163,7 +163,7 @@ struct RequestHandle
   /**
    * NAMESTORE Operation
    */
-  struct GNUNET_NAMESTORE_QueueEntry *add_qe;
+  struct GNUNET_NAMESTORE_QueueEntry *ns_qe;
 
   /**
    * Response object
@@ -292,8 +292,8 @@ cleanup_handle (void *cls)
     GNUNET_SCHEDULER_cancel (handle->timeout_task);
   if (NULL != handle->list_it)
     GNUNET_NAMESTORE_zone_iteration_stop (handle->list_it);
-  if (NULL != handle->add_qe)
-    GNUNET_NAMESTORE_cancel (handle->add_qe);
+  if (NULL != handle->ns_qe)
+    GNUNET_NAMESTORE_cancel (handle->ns_qe);
   if (NULL != handle->identity_handle)
     GNUNET_IDENTITY_disconnect (handle->identity_handle);
   if (NULL != handle->ns_handle)
@@ -410,7 +410,7 @@ create_finished (void *cls, int32_t success, const char *emsg)
   struct RequestHandle *handle = cls;
   struct MHD_Response *resp;
 
-  handle->add_qe = NULL;
+  handle->ns_qe = NULL;
   if (GNUNET_YES != success)
   {
     if (NULL != emsg)
@@ -441,7 +441,7 @@ del_finished (void *cls, int32_t success, const char *emsg)
 {
   struct RequestHandle *handle = cls;
 
-  handle->add_qe = NULL;
+  handle->ns_qe = NULL;
   if (GNUNET_NO == success)
   {
     handle->response_code = MHD_HTTP_NOT_FOUND;
@@ -525,13 +525,70 @@ namestore_list_iteration (void *cls,
     rd_filtered[j].data = rd[i].data;
     j++;
   }
-  record_obj = GNUNET_JSON_from_gnsrecord (rname,
-                                           rd_filtered,
-                                           j);
-  json_array_append_new (handle->resp_object, record_obj);
+  /** Only add if not empty **/
+  if (j > 0)
+  {
+    record_obj = GNUNET_JSON_from_gnsrecord (rname,
+                                             rd_filtered,
+                                             j);
+    json_array_append_new (handle->resp_object, record_obj);
+  }
   GNUNET_NAMESTORE_zone_iterator_next (handle->list_it, 1);
 }
 
+/**
+ * Handle lookup error
+ *
+ * @param cls the request handle
+ */
+static void
+ns_lookup_error_cb (void *cls)
+{
+  struct RequestHandle *handle = cls;
+
+  handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
+  GNUNET_SCHEDULER_add_now (&do_error, handle);
+}
+
+
+static void
+ns_get_lookup_cb (void *cls,
+              const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone,
+              const char *label,
+              unsigned int rd_len,
+              const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct RequestHandle *handle = cls;
+  struct GNUNET_GNSRECORD_Data rd_filtered[rd_len];
+  json_t *record_obj;
+  int i = 0;
+  int j = 0;
+
+  handle->ns_qe = NULL;
+  if (NULL == handle->resp_object)
+    handle->resp_object = json_array ();
+  for (i = 0; i < rd_len; i++)
+  {
+    if ((GNUNET_GNSRECORD_TYPE_ANY != handle->record_type) &&
+        (rd[i].record_type != handle->record_type))
+      continue; /* Apply filter */
+    rd_filtered[j] = rd[i];
+    rd_filtered[j].data = rd[i].data;
+    j++;
+  }
+  /** Only add if not empty **/
+  if (j > 0)
+  {
+    record_obj = GNUNET_JSON_from_gnsrecord (label,
+                                             rd_filtered,
+                                             j);
+    json_array_append_new (handle->resp_object, record_obj);
+  }
+  GNUNET_SCHEDULER_add_now (&namestore_list_finished, handle);
+}
+
+
+
 
 /**
  * Handle namestore GET request
@@ -549,6 +606,7 @@ namestore_get (struct GNUNET_REST_RequestHandle *con_handle,
   struct EgoEntry *ego_entry;
   struct GNUNET_HashCode key;
   char *egoname;
+  char *labelname;
   char *typename;
 
   egoname = NULL;
@@ -585,17 +643,36 @@ namestore_get (struct GNUNET_REST_RequestHandle *con_handle,
                                                   &key);
     handle->record_type = GNUNET_GNSRECORD_typename_to_number (typename);
   }
-
-  handle->list_it =
-    GNUNET_NAMESTORE_zone_iteration_start (handle->ns_handle,
-                                           handle->zone_pkey,
-                                           &namestore_iteration_error,
-                                           handle,
-                                           &namestore_list_iteration,
-                                           handle,
-                                           &namestore_list_finished,
-                                           handle);
-  if (NULL == handle->list_it)
+  labelname = &egoname[strlen (ego_entry->identifier)];
+  // set zone to name if given
+  if (1 >= strlen (labelname))
+  {
+    handle->list_it =
+      GNUNET_NAMESTORE_zone_iteration_start (handle->ns_handle,
+                                             handle->zone_pkey,
+                                             &namestore_iteration_error,
+                                             handle,
+                                             &namestore_list_iteration,
+                                             handle,
+                                             &namestore_list_finished,
+                                             handle);
+    if (NULL == handle->list_it)
+    {
+      handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
+      GNUNET_SCHEDULER_add_now (&do_error, handle);
+      return;
+    }
+    return;
+  }
+  handle->record_name = GNUNET_strdup (labelname + 1);
+  handle->ns_qe = GNUNET_NAMESTORE_records_lookup (handle->ns_handle,
+                                                    handle->zone_pkey,
+                                                    handle->record_name,
+                                                    &ns_lookup_error_cb,
+                                                    handle,
+                                                    &ns_get_lookup_cb,
+                                                    handle);
+  if (NULL == handle->ns_qe)
   {
     handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
     GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -604,15 +681,6 @@ namestore_get (struct GNUNET_REST_RequestHandle *con_handle,
 }
 
 
-static void
-ns_lookup_error_cb (void *cls)
-{
-  struct RequestHandle *handle = cls;
-
-  handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
-  GNUNET_SCHEDULER_add_now (&do_error, handle);
-}
-
 
 static void
 ns_lookup_cb (void *cls,
@@ -633,14 +701,14 @@ ns_lookup_cb (void *cls,
   }
   for (j = 0; j < handle->rd_count; j++)
     rd_new[i + j] = handle->rd[j];
-  handle->add_qe = GNUNET_NAMESTORE_records_store (handle->ns_handle,
+  handle->ns_qe = GNUNET_NAMESTORE_records_store (handle->ns_handle,
                                                    handle->zone_pkey,
                                                    handle->record_name,
                                                    i + j,
                                                    rd_new,
                                                    &create_finished,
                                                    handle);
-  if (NULL == handle->add_qe)
+  if (NULL == handle->ns_qe)
   {
     handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
     GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -725,14 +793,14 @@ namestore_add_or_update (struct GNUNET_REST_RequestHandle *con_handle,
     return;
   }
   handle->zone_pkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
-  handle->add_qe = GNUNET_NAMESTORE_records_lookup (handle->ns_handle,
+  handle->ns_qe = GNUNET_NAMESTORE_records_lookup (handle->ns_handle,
                                                     handle->zone_pkey,
                                                     handle->record_name,
                                                     &ns_lookup_error_cb,
                                                     handle,
                                                     &ns_lookup_cb,
                                                     handle);
-  if (NULL == handle->add_qe)
+  if (NULL == handle->ns_qe)
   {
     handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
     GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -826,14 +894,14 @@ namestore_delete (struct GNUNET_REST_RequestHandle *con_handle,
   }
 
   handle->record_name = GNUNET_strdup (labelname + 1);
-  handle->add_qe = GNUNET_NAMESTORE_records_store (handle->ns_handle,
-                                                   handle->zone_pkey,
-                                                   handle->record_name,
-                                                   0,
+  handle->ns_qe = GNUNET_NAMESTORE_records_store (handle->ns_handle,
+                                                  handle->zone_pkey,
+                                                  handle->record_name,
+                                                  0,
                                                    NULL,
                                                    &del_finished,
                                                    handle);
-  if (NULL == handle->add_qe)
+  if (NULL == handle->ns_qe)
   {
     handle->emsg = GNUNET_strdup (GNUNET_REST_NAMESTORE_FAILED);
     GNUNET_SCHEDULER_add_now (&do_error, handle);
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index ad8e373fe..563bdd749 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -426,9 +426,14 @@ struct RequestHandle
   struct GNUNET_NAMESTORE_ZoneIterator *namestore_handle_it;
 
   /**
-   * Attribute claim list
+   * Attribute claim list for id_token
    */
-  struct GNUNET_RECLAIM_AttributeList *attr_list;
+  struct GNUNET_RECLAIM_AttributeList *attr_idtoken_list;
+
+  /**
+   * Attribute claim list for userinfo
+   */
+  struct GNUNET_RECLAIM_AttributeList *attr_userinfo_list;
 
   /**
    * Attestation list
@@ -577,8 +582,10 @@ cleanup_handle (struct RequestHandle *handle)
     json_decref (handle->oidc->response);
     GNUNET_free (handle->oidc);
   }
-  if (NULL!=handle->attr_list)
-    GNUNET_RECLAIM_attribute_list_destroy (handle->attr_list);
+  if (NULL!=handle->attr_idtoken_list)
+    GNUNET_RECLAIM_attribute_list_destroy (handle->attr_idtoken_list);
+  if (NULL!=handle->attr_userinfo_list)
+    GNUNET_RECLAIM_attribute_list_destroy (handle->attr_userinfo_list);
   if (NULL!=handle->attests_list)
     GNUNET_RECLAIM_attestation_list_destroy (handle->attests_list);
 
@@ -935,7 +942,7 @@ oidc_ticket_issue_cb (void *cls, const struct GNUNET_RECLAIM_Ticket *ticket)
                                          sizeof(struct GNUNET_RECLAIM_Ticket));
   code_string = OIDC_build_authz_code (&handle->priv_key,
                                        &handle->ticket,
-                                       handle->attr_list,
+                                       handle->attr_idtoken_list,
                                        handle->attests_list,
                                        handle->oidc->nonce,
                                        handle->oidc->code_challenge);
@@ -970,18 +977,77 @@ oidc_ticket_issue_cb (void *cls, const struct GNUNET_RECLAIM_Ticket *ticket)
 }
 
 
+static struct GNUNET_RECLAIM_AttributeList*
+attribute_list_merge (struct GNUNET_RECLAIM_AttributeList *list_a,
+                      struct GNUNET_RECLAIM_AttributeList *list_b)
+{
+  struct GNUNET_RECLAIM_AttributeList *merged_list;
+  struct GNUNET_RECLAIM_AttributeListEntry *le_a;
+  struct GNUNET_RECLAIM_AttributeListEntry *le_b;
+  struct GNUNET_RECLAIM_AttributeListEntry *le_m;
+
+  merged_list = GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
+  for (le_a = list_a->list_head; NULL != le_a; le_a = le_a->next)
+  {
+    le_m = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
+    le_m->attribute = GNUNET_RECLAIM_attribute_new (le_a->attribute->name,
+                                                    &le_a->attribute->
+                                                    attestation,
+                                                    le_a->attribute->type,
+                                                    le_a->attribute->data,
+                                                    le_a->attribute->data_size);
+    le_m->attribute->id = le_a->attribute->id;
+    le_m->attribute->flag = le_a->attribute->flag;
+    le_m->attribute->attestation = le_a->attribute->attestation;
+    GNUNET_CONTAINER_DLL_insert (merged_list->list_head,
+                                 merged_list->list_tail,
+                                 le_m);
+  }
+  le_m = NULL;
+  for (le_b = list_b->list_head; NULL != le_b; le_b = le_b->next)
+  {
+    for (le_m = merged_list->list_head; NULL != le_m; le_m = le_m->next)
+    {
+      if (GNUNET_YES == GNUNET_RECLAIM_id_is_equal (&le_m->attribute->id,
+                                                    &le_b->attribute->id))
+        break; /** Attribute already in list **/
+    }
+    if (NULL != le_m)
+      continue; /** Attribute already in list **/
+    le_m = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
+    le_m->attribute = GNUNET_RECLAIM_attribute_new (le_b->attribute->name,
+                                                    &le_b->attribute->
+                                                    attestation,
+                                                    le_b->attribute->type,
+                                                    le_b->attribute->data,
+                                                    le_b->attribute->data_size);
+    le_m->attribute->id = le_b->attribute->id;
+    le_m->attribute->flag = le_b->attribute->flag;
+    le_m->attribute->attestation = le_b->attribute->attestation;
+    GNUNET_CONTAINER_DLL_insert (merged_list->list_head,
+                                 merged_list->list_tail,
+                                 le_m);
+  }
+  return merged_list;
+}
+
+
 static void
 oidc_attest_collect_finished_cb (void *cls)
 {
   struct RequestHandle *handle = cls;
+  struct GNUNET_RECLAIM_AttributeList *merged_list;
 
   handle->attest_it = NULL;
+  merged_list = attribute_list_merge (handle->attr_idtoken_list,
+                                      handle->attr_userinfo_list);
   handle->idp_op = GNUNET_RECLAIM_ticket_issue (handle->idp,
                                                 &handle->priv_key,
                                                 &handle->oidc->client_pkey,
-                                                handle->attr_list,
+                                                merged_list,
                                                 &oidc_ticket_issue_cb,
                                                 handle);
+  GNUNET_RECLAIM_attribute_list_destroy (merged_list);
 }
 
 
@@ -995,22 +1061,32 @@ oidc_attest_collect (void *cls,
 {
   struct RequestHandle *handle = cls;
   struct GNUNET_RECLAIM_AttributeListEntry *le;
+  struct GNUNET_RECLAIM_AttestationListEntry *ale;
 
-  for (le = handle->attr_list->list_head; NULL != le; le = le->next)
+  for (ale = handle->attests_list->list_head; NULL != ale; ale = ale->next)
+  {
+    if (GNUNET_NO == GNUNET_RECLAIM_id_is_equal (&ale->attestation->id,
+                                                 &attest->id))
+      continue;
+    /** Attestation already in list **/
+    GNUNET_RECLAIM_get_attestations_next (handle->attest_it);
+    return;
+  }
+
+  for (le = handle->attr_idtoken_list->list_head; NULL != le; le = le->next)
   {
     if (GNUNET_NO == GNUNET_RECLAIM_id_is_equal (&le->attribute->attestation,
                                                  &attest->id))
-    {
-      struct GNUNET_RECLAIM_AttestationListEntry *ale;
-      ale = GNUNET_new (struct GNUNET_RECLAIM_AttestationListEntry);
-      ale->attestation = GNUNET_RECLAIM_attestation_new (attest->name,
-                                                         attest->type,
-                                                         attest->data,
-                                                         attest->data_size);
-      GNUNET_CONTAINER_DLL_insert (handle->attests_list->list_head,
-                                   handle->attests_list->list_tail,
-                                   ale);
-    }
+      continue;
+    /** Attestation matches for attribute, add **/
+    ale = GNUNET_new (struct GNUNET_RECLAIM_AttestationListEntry);
+    ale->attestation = GNUNET_RECLAIM_attestation_new (attest->name,
+                                                       attest->type,
+                                                       attest->data,
+                                                       attest->data_size);
+    GNUNET_CONTAINER_DLL_insert (handle->attests_list->list_head,
+                                 handle->attests_list->list_tail,
+                                 ale);
   }
   GNUNET_RECLAIM_get_attestations_next (handle->attest_it);
 }
@@ -1023,7 +1099,7 @@ oidc_attr_collect_finished_cb (void *cls)
 
   handle->attr_it = NULL;
   handle->ticket_it = NULL;
-  if (NULL == handle->attr_list->list_head)
+  if (NULL == handle->attr_idtoken_list->list_head)
   {
     handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_SCOPE);
     handle->edesc = GNUNET_strdup ("The requested scope is not available.");
@@ -1044,48 +1120,112 @@ oidc_attr_collect_finished_cb (void *cls)
 }
 
 
-/**
- * Collects all attributes for an ego if in scope parameter
- */
-static void
-oidc_attr_collect (void *cls,
-                   const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
-                   const struct GNUNET_RECLAIM_Attribute *attr)
+static int
+attr_in_claims_request (struct RequestHandle *handle,
+                        const char *attr_name,
+                        const char *claims_parameter)
 {
-  struct RequestHandle *handle = cls;
-  struct GNUNET_RECLAIM_AttributeListEntry *le;
   char *scope_variables;
   char *scope_variable;
   char delimiter[] = " ";
+  int ret = GNUNET_NO;
+  json_t *root;
+  json_error_t error;
+  json_t *claims_j;
+  const char *key;
+  json_t *value;
 
   scope_variables = GNUNET_strdup (handle->oidc->scope);
   scope_variable = strtok (scope_variables, delimiter);
   while (NULL != scope_variable)
   {
-    if (0 == strcmp (attr->name, scope_variable))
+    if (0 == strcmp (attr_name, scope_variable))
       break;
     scope_variable = strtok (NULL, delimiter);
   }
-  if (NULL == scope_variable)
+  if (NULL != scope_variable)
+    ret = GNUNET_YES;
+  GNUNET_free (scope_variables);
+
+  /** Try claims parameter if no in scope */
+  if ((NULL != handle->oidc->claims) &&
+      (GNUNET_YES != ret))
   {
-    GNUNET_RECLAIM_get_attributes_next (handle->attr_it);
-    GNUNET_free (scope_variables);
-    // We can ignore this
-    return;
+    root = json_loads (handle->oidc->claims, JSON_DECODE_ANY, &error);
+    claims_j = json_object_get (root, claims_parameter);
+    /* obj is a JSON object */
+    if (NULL != claims_j)
+    {
+      json_object_foreach (claims_j, key, value) {
+        if (0 != strcmp (attr_name, key))
+          continue;
+        ret = GNUNET_YES;
+        break;
+      }
+    }
+    json_decref (root);
   }
-  GNUNET_free (scope_variables);
-  le = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
-  le->attribute = GNUNET_RECLAIM_attribute_new (attr->name,
-                                                &attr->attestation,
-                                                attr->type,
-                                                attr->data,
-                                                attr->data_size);
-  le->attribute->id = attr->id;
-  le->attribute->flag = attr->flag;
-  le->attribute->attestation = attr->attestation;
-  GNUNET_CONTAINER_DLL_insert (handle->attr_list->list_head,
-                               handle->attr_list->list_tail,
-                               le);
+  return ret;
+}
+
+
+static int
+attr_in_idtoken_request (struct RequestHandle *handle,
+                         const char *attr_name)
+{
+  return attr_in_claims_request (handle, attr_name, "id_token");
+}
+
+
+static int
+attr_in_userinfo_request (struct RequestHandle *handle,
+                          const char *attr_name)
+{
+  return attr_in_claims_request (handle, attr_name, "userinfo");
+}
+
+
+/**
+ * Collects all attributes for an ego if in scope parameter
+ */
+static void
+oidc_attr_collect (void *cls,
+                   const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
+                   const struct GNUNET_RECLAIM_Attribute *attr)
+{
+  struct RequestHandle *handle = cls;
+  struct GNUNET_RECLAIM_AttributeListEntry *le;
+  if (GNUNET_YES == attr_in_idtoken_request (handle, attr->name))
+  {
+    le = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
+    le->attribute = GNUNET_RECLAIM_attribute_new (attr->name,
+                                                  &attr->attestation,
+                                                  attr->type,
+                                                  attr->data,
+                                                  attr->data_size);
+    le->attribute->id = attr->id;
+    le->attribute->flag = attr->flag;
+    le->attribute->attestation = attr->attestation;
+    GNUNET_CONTAINER_DLL_insert (handle->attr_idtoken_list->list_head,
+                                 handle->attr_idtoken_list->list_tail,
+                                 le);
+  }
+  if (GNUNET_YES == attr_in_userinfo_request (handle, attr->name))
+  {
+    le = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
+    le->attribute = GNUNET_RECLAIM_attribute_new (attr->name,
+                                                  &attr->attestation,
+                                                  attr->type,
+                                                  attr->data,
+                                                  attr->data_size);
+    le->attribute->id = attr->id;
+    le->attribute->flag = attr->flag;
+    le->attribute->attestation = attr->attestation;
+    GNUNET_CONTAINER_DLL_insert (handle->attr_userinfo_list->list_head,
+                                 handle->attr_userinfo_list->list_tail,
+                                 le);
+  }
+
   GNUNET_RECLAIM_get_attributes_next (handle->attr_it);
 }
 
@@ -1143,7 +1283,9 @@ code_redirect (void *cls)
           handle->priv_key =
             *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego);
           handle->idp = GNUNET_RECLAIM_connect (cfg);
-          handle->attr_list =
+          handle->attr_idtoken_list =
+            GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
+          handle->attr_userinfo_list =
             GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
           handle->attr_it =
             GNUNET_RECLAIM_get_attributes_start (handle->idp,
diff --git a/src/revocation/Makefile.am b/src/revocation/Makefile.am
index b3b2877ca..6efd461c1 100644
--- a/src/revocation/Makefile.am
+++ b/src/revocation/Makefile.am
@@ -16,7 +16,8 @@ pkgcfg_DATA = \
   revocation.conf
 
 bin_PROGRAMS = \
- gnunet-revocation
+ gnunet-revocation \
+ gnunet-revocation-tvg
 
 
 plugin_LTLIBRARIES = \
@@ -41,6 +42,15 @@ gnunet_revocation_LDADD = \
   $(top_builddir)/src/util/libgnunetutil.la \
   $(GN_LIBINTL)
 
+gnunet_revocation_tvg_SOURCES = \
+ gnunet-revocation-tvg.c
+gnunet_revocation_tvg_LDADD = \
+  libgnunetrevocation.la \
+  $(top_builddir)/src/identity/libgnunetidentity.la \
+  $(top_builddir)/src/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+
 lib_LTLIBRARIES = libgnunetrevocation.la
 
 libgnunetrevocation_la_SOURCES = \
diff --git a/src/revocation/gnunet-revocation-tvg.c b/src/revocation/gnunet-revocation-tvg.c
new file mode 100644
index 000000000..23a4bf020
--- /dev/null
+++ b/src/revocation/gnunet-revocation-tvg.c
@@ -0,0 +1,123 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-revocation-tvg.c
+ * @brief Generate test vectors for revocation.
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_revocation_service.h"
+#include "gnunet_dnsparser_lib.h"
+#include "gnunet_testing_lib.h"
+#include <inttypes.h>
+
+#define TEST_EPOCHS 2
+#define TEST_DIFFICULTY 5
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CRYPTO_EcdsaPrivateKey id_priv;
+  struct GNUNET_CRYPTO_EcdsaPublicKey id_pub;
+  struct GNUNET_REVOCATION_PowP pow;
+  struct GNUNET_REVOCATION_PowCalculationHandle *ph;
+  char* data_enc;
+
+  GNUNET_CRYPTO_ecdsa_key_create (&id_priv);
+  GNUNET_CRYPTO_ecdsa_key_get_public (&id_priv,
+                                      &id_pub);
+  GNUNET_STRINGS_base64_encode (&id_priv,
+                                sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
+                                &data_enc);
+  fprintf(stdout, "Zone private key (d):\n%s\n\n", data_enc);
+  GNUNET_free (data_enc);
+  GNUNET_STRINGS_base64_encode (&id_pub,
+                                sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey),
+                                &data_enc);
+  fprintf(stdout, "Zone public key (zk):\n%s\n\n", data_enc);
+  GNUNET_free (data_enc);
+
+  GNUNET_REVOCATION_pow_init (&id_priv,
+                              &pow);
+  ph = GNUNET_REVOCATION_pow_start (&pow,
+                                    TEST_EPOCHS,
+                                    TEST_DIFFICULTY);
+  fprintf (stdout, "Difficulty (%d base difficulty + %d epochs): %d\n\n",
+           TEST_DIFFICULTY,
+           TEST_EPOCHS,
+           TEST_DIFFICULTY + TEST_EPOCHS);
+  uint64_t pow_passes = 0;
+  while (GNUNET_YES != GNUNET_REVOCATION_pow_round (ph))
+  {
+    pow_passes++;
+  }
+  GNUNET_STRINGS_base64_encode (&pow,
+                                sizeof (struct GNUNET_REVOCATION_PowP),
+                                &data_enc);
+  fprintf(stdout, "Proof:\n%s\n", data_enc);
+  GNUNET_free (data_enc);
+}
+
+
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-revocation-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-revocation-tvg",
+                          "Generate test vectors for revocation",
+                          options,
+                          &run, NULL))
+    return 1;
+  return 0;
+}
+
+
+/* end of gnunet-revocation-tvg.c */