5 files changed, 1014 insertions, 0 deletions

diff --git a/src/cli/revocation/Makefile.am b/src/cli/revocation/Makefile.am
new file mode 100644
index 000000000..ffd76effa
--- /dev/null
+++ b/src/cli/revocation/Makefile.am
@@ -0,0 +1,52 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+ gnunet-revocation
+
+gnunet_revocation_SOURCES = \
+ gnunet-revocation.c
+gnunet_revocation_LDADD = \
+  $(top_builddir)/src/service/revocation/libgnunetrevocation.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_revocation_tvg_SOURCES = \
+ gnunet-revocation-tvg.c
+gnunet_revocation_tvg_LDADD = \
+  $(top_builddir)/src/service/revocation/libgnunetrevocation.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+noinst_PROGRAMS = \
+ gnunet-revocation-tvg
+
+check_SCRIPTS = \
+ #test_local_revocation.py
+
+if ENABLE_TEST_RUN
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = \
+ $(check_SCRIPTS) \
+ $(check_PROGRAMS)
+endif
+
+test_local_revocation.py: test_local_revocation.py.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_local_revocation.py.in > test_local_revocation.py
+        chmod +x test_local_revocation.py
+
+EXTRA_DIST = test_local_revocation.py.in
diff --git a/src/cli/revocation/gnunet-revocation-tvg.c b/src/cli/revocation/gnunet-revocation-tvg.c
new file mode 100644
index 000000000..5c2bfbe45
--- /dev/null
+++ b/src/cli/revocation/gnunet-revocation-tvg.c
@@ -0,0 +1,230 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-revocation-tvg.c
+ * @brief Generate test vectors for revocation.
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_revocation_service.h"
+#include "gnunet_testing_lib.h"
+// FIXME try to avoid this include somehow
+#include "../../lib/gnsrecord/gnsrecord_crypto.h"
+#include <inttypes.h>
+
+#define TEST_EPOCHS 2
+#define TEST_DIFFICULTY 5
+
+static char*d_pkey =
+  "6fea32c05af58bfa979553d188605fd57d8bf9cc263b78d5f7478c07b998ed70";
+
+static char *d_edkey =
+  "5af7020ee19160328832352bbc6a68a8d71a7cbe1b929969a7c66d415a0d8f65";
+
+int
+parsehex (char *src, char *dst, size_t dstlen, int invert)
+{
+  char *line = src;
+  char *data = line;
+  int off;
+  int read_byte;
+  int data_len = 0;
+
+  while (sscanf (data, " %02x%n", &read_byte, &off) == 1)
+  {
+    if (invert)
+      dst[dstlen - 1 - data_len++] = read_byte;
+    else
+      dst[data_len++] = read_byte;
+    data += off;
+  }
+  return data_len;
+}
+
+
+static void
+print_bytes_ (void *buf,
+              size_t buf_len,
+              int fold,
+              int in_be)
+{
+  int i;
+
+  for (i = 0; i < buf_len; i++)
+  {
+    if (0 != i)
+    {
+      if ((0 != fold) && (i % fold == 0))
+        printf ("\n  ");
+      else
+        printf (" ");
+    }
+    else
+    {
+      printf ("  ");
+    }
+    if (in_be)
+      printf ("%02x", ((unsigned char*) buf)[buf_len - 1 - i]);
+    else
+      printf ("%02x", ((unsigned char*) buf)[i]);
+  }
+  printf ("\n");
+}
+
+
+static void
+print_bytes (void *buf,
+             size_t buf_len,
+             int fold)
+{
+  print_bytes_ (buf, buf_len, fold, 0);
+}
+
+
+static void
+run_with_key (struct GNUNET_CRYPTO_PrivateKey *id_priv)
+{
+  struct GNUNET_CRYPTO_PublicKey id_pub;
+  struct GNUNET_GNSRECORD_PowP *pow;
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph;
+  struct GNUNET_TIME_Relative exp;
+  char ztld[128];
+  ssize_t key_len;
+
+  GNUNET_CRYPTO_key_get_public (id_priv,
+                                  &id_pub);
+  GNUNET_STRINGS_data_to_string (&id_pub,
+                                 GNUNET_CRYPTO_public_key_get_length (
+                                   &id_pub),
+                                 ztld,
+                                 sizeof (ztld));
+  fprintf (stdout, "\n");
+  fprintf (stdout, "Zone identifier (ztype|zkey):\n");
+  key_len = GNUNET_CRYPTO_public_key_get_length (&id_pub);
+  GNUNET_assert (0 < key_len);
+  print_bytes (&id_pub, key_len, 8);
+  fprintf (stdout, "\n");
+  fprintf (stdout, "Encoded zone identifier (zkl = zTLD):\n");
+  fprintf (stdout, "%s\n", ztld);
+  fprintf (stdout, "\n");
+  pow = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+  GNUNET_GNSRECORD_pow_init (id_priv,
+                              pow);
+  ph = GNUNET_GNSRECORD_pow_start (pow,
+                                    TEST_EPOCHS,
+                                    TEST_DIFFICULTY);
+  fprintf (stdout, "Difficulty (%d base difficulty + %d epochs): %d\n\n",
+           TEST_DIFFICULTY,
+           TEST_EPOCHS,
+           TEST_DIFFICULTY + TEST_EPOCHS);
+  uint64_t pow_passes = 0;
+  while (GNUNET_YES != GNUNET_GNSRECORD_pow_round (ph))
+  {
+    pow_passes++;
+  }
+  struct GNUNET_GNSRECORD_SignaturePurposePS *purp;
+  purp = GNR_create_signature_message (pow);
+  fprintf (stdout, "Signed message:\n");
+  print_bytes (purp,
+               ntohl (purp->purpose.size),
+               8);
+  printf ("\n");
+  GNUNET_free (purp);
+
+  exp = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_YEARS,
+                                       TEST_EPOCHS);
+  GNUNET_assert (GNUNET_OK == GNUNET_GNSRECORD_check_pow (pow,
+                                                           TEST_DIFFICULTY,
+                                                           exp));
+  fprintf (stdout, "Proof:\n");
+  print_bytes (pow,
+               GNUNET_GNSRECORD_proof_get_size (pow),
+               8);
+  GNUNET_free (ph);
+
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CRYPTO_PrivateKey id_priv;
+
+  id_priv.type = htonl (GNUNET_PUBLIC_KEY_TYPE_ECDSA);
+  parsehex (d_pkey,(char*) &id_priv.ecdsa_key, sizeof (id_priv.ecdsa_key), 1);
+
+  fprintf (stdout, "Zone private key (d, big-endian):\n");
+  print_bytes_ (&id_priv.ecdsa_key, sizeof(id_priv.ecdsa_key), 8, 1);
+  run_with_key (&id_priv);
+  printf ("\n");
+  id_priv.type = htonl (GNUNET_PUBLIC_KEY_TYPE_EDDSA);
+  parsehex (d_edkey,(char*) &id_priv.eddsa_key, sizeof (id_priv.eddsa_key), 0);
+
+  fprintf (stdout, "Zone private key (d):\n");
+  print_bytes (&id_priv.eddsa_key, sizeof(id_priv.eddsa_key), 8);
+  run_with_key (&id_priv);
+}
+
+
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-revocation-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-revocation-tvg",
+                          "Generate test vectors for revocation",
+                          options,
+                          &run, NULL))
+    return 1;
+  return 0;
+}
+
+
+/* end of gnunet-revocation-tvg.c */
diff --git a/src/cli/revocation/gnunet-revocation.c b/src/cli/revocation/gnunet-revocation.c
new file mode 100644
index 000000000..add9a003b
--- /dev/null
+++ b/src/cli/revocation/gnunet-revocation.c
@@ -0,0 +1,581 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file revocation/gnunet-revocation.c
+ * @brief tool for revoking public keys
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_revocation_service.h"
+
+/**
+ * Pow passes
+ */
+static unsigned int pow_passes = 1;
+
+/**
+ * Final status code.
+ */
+static int ret;
+
+/**
+ * Was "-p" specified?
+ */
+static int perform;
+
+/**
+ * -f option.
+ */
+static char *filename;
+
+/**
+ * -R option
+ */
+static char *revoke_ego;
+
+/**
+ * -t option.
+ */
+static char *test_ego;
+
+/**
+ * -e option.
+ */
+static unsigned int epochs = 1;
+
+/**
+ * Handle for revocation query.
+ */
+static struct GNUNET_REVOCATION_Query *q;
+
+/**
+ * Handle for revocation.
+ */
+static struct GNUNET_REVOCATION_Handle *h;
+
+/**
+ * Handle for our ego lookup.
+ */
+static struct GNUNET_IDENTITY_EgoLookup *el;
+
+/**
+ * Our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Number of matching bits required for revocation.
+ */
+static unsigned long long matching_bits;
+
+/**
+ * Epoch length
+ */
+static struct GNUNET_TIME_Relative epoch_duration;
+
+/**
+ * Task used for proof-of-work calculation.
+ */
+static struct GNUNET_SCHEDULER_Task *pow_task;
+
+/**
+ * Proof-of-work object
+ */
+static struct GNUNET_GNSRECORD_PowP *proof_of_work;
+
+/**
+ * Function run if the user aborts with CTRL-C.
+ *
+ * @param cls closure
+ */
+static void
+do_shutdown (void *cls)
+{
+  fprintf (stderr, "%s", _ ("Shutting down...\n"));
+  if (NULL != el)
+  {
+    GNUNET_IDENTITY_ego_lookup_cancel (el);
+    el = NULL;
+  }
+  if (NULL != q)
+  {
+    GNUNET_REVOCATION_query_cancel (q);
+    q = NULL;
+  }
+  if (NULL != h)
+  {
+    GNUNET_REVOCATION_revoke_cancel (h);
+    h = NULL;
+  }
+}
+
+
+/**
+ * Print the result from a revocation query.
+ *
+ * @param cls NULL
+ * @param is_valid #GNUNET_YES if the key is still valid, #GNUNET_NO if not, #GNUNET_SYSERR on error
+ */
+static void
+print_query_result (void *cls, int is_valid)
+{
+  q = NULL;
+  switch (is_valid)
+  {
+  case GNUNET_YES:
+    fprintf (stdout, _ ("Key `%s' is valid\n"), test_ego);
+    break;
+
+  case GNUNET_NO:
+    fprintf (stdout, _ ("Key `%s' has been revoked\n"), test_ego);
+    break;
+
+  case GNUNET_SYSERR:
+    fprintf (stdout, "%s", _ ("Internal error\n"));
+    break;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Print the result from a revocation request.
+ *
+ * @param cls NULL
+ * @param is_valid #GNUNET_YES if the key is still valid, #GNUNET_NO if not, #GNUNET_SYSERR on error
+ */
+static void
+print_revocation_result (void *cls, int is_valid)
+{
+  h = NULL;
+  switch (is_valid)
+  {
+  case GNUNET_YES:
+    if (NULL != revoke_ego)
+      fprintf (stdout,
+               _ ("Key for ego `%s' is still valid, revocation failed (!)\n"),
+               revoke_ego);
+    else
+      fprintf (stdout, "%s", _ ("Revocation failed (!)\n"));
+    break;
+
+  case GNUNET_NO:
+    if (NULL != revoke_ego)
+      fprintf (stdout,
+               _ ("Key for ego `%s' has been successfully revoked\n"),
+               revoke_ego);
+    else
+      fprintf (stdout, "%s", _ ("Revocation successful.\n"));
+    break;
+
+  case GNUNET_SYSERR:
+    fprintf (stdout,
+             "%s",
+             _ ("Internal error, key revocation might have failed\n"));
+    break;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Perform the revocation.
+ */
+static void
+perform_revocation ()
+{
+  h = GNUNET_REVOCATION_revoke (cfg,
+                                proof_of_work,
+                                &print_revocation_result,
+                                NULL);
+}
+
+
+/**
+ * Write the current state of the revocation data
+ * to disk.
+ *
+ * @param rd data to sync
+ */
+static void
+sync_pow ()
+{
+  size_t psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+  if ((NULL != filename) &&
+      (GNUNET_OK !=
+       GNUNET_DISK_fn_write (filename,
+                             proof_of_work,
+                             psize,
+                             GNUNET_DISK_PERM_USER_READ
+                             | GNUNET_DISK_PERM_USER_WRITE)))
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "write", filename);
+}
+
+
+/**
+ * Perform the proof-of-work calculation.
+ *
+ * @param cls the `struct RevocationData`
+ */
+static void
+calculate_pow_shutdown (void *cls)
+{
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = cls;
+  fprintf (stderr, "%s", _ ("Cancelling calculation.\n"));
+  sync_pow ();
+  if (NULL != pow_task)
+  {
+    GNUNET_SCHEDULER_cancel (pow_task);
+    pow_task = NULL;
+  }
+  if (NULL != ph)
+    GNUNET_GNSRECORD_pow_stop (ph);
+}
+
+
+/**
+ * Perform the proof-of-work calculation.
+ *
+ * @param cls the `struct RevocationData`
+ */
+static void
+calculate_pow (void *cls)
+{
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = cls;
+  size_t psize;
+
+  /* store temporary results */
+  pow_task = NULL;
+  if (0 == (pow_passes % 128))
+    sync_pow ();
+  /* actually do POW calculation */
+  if (GNUNET_OK == GNUNET_GNSRECORD_pow_round (ph))
+  {
+    psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+    if (NULL != filename)
+    {
+      (void) GNUNET_DISK_directory_remove (filename);
+      if (GNUNET_OK !=
+          GNUNET_DISK_fn_write (filename,
+                                proof_of_work,
+                                psize,
+                                GNUNET_DISK_PERM_USER_READ
+                                | GNUNET_DISK_PERM_USER_WRITE))
+        GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "write", filename);
+    }
+    if (perform)
+    {
+      perform_revocation ();
+    }
+    else
+    {
+      fprintf (stderr, "%s", "\n");
+      fprintf (stderr,
+               _ ("Revocation certificate for `%s' stored in `%s'\n"),
+               revoke_ego,
+               filename);
+      GNUNET_SCHEDULER_shutdown ();
+    }
+    return;
+  }
+  pow_passes++;
+  pow_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           &calculate_pow,
+                                           ph);
+
+}
+
+
+/**
+ * Function called with the result from the ego lookup.
+ *
+ * @param cls closure
+ * @param ego the ego, NULL if not found
+ */
+static void
+ego_callback (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+  struct GNUNET_CRYPTO_PublicKey key;
+  const struct GNUNET_CRYPTO_PrivateKey *privkey;
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = NULL;
+  size_t psize;
+
+  el = NULL;
+  if (NULL == ego)
+  {
+    fprintf (stdout, _ ("Ego `%s' not found.\n"), revoke_ego);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_IDENTITY_ego_get_public_key (ego, &key);
+  privkey = GNUNET_IDENTITY_ego_get_private_key (ego);
+  proof_of_work = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+  if ((NULL != filename) && (GNUNET_YES == GNUNET_DISK_file_test (filename)) &&
+      (0 < (psize =
+              GNUNET_DISK_fn_read (filename, proof_of_work,
+                                   GNUNET_MAX_POW_SIZE))))
+  {
+    ssize_t ksize = GNUNET_CRYPTO_public_key_get_length (&key);
+    if (0 > ksize)
+    {
+      fprintf (stderr,
+               _ ("Error: Key is invalid\n"));
+      return;
+    }
+    if (((psize - sizeof (*proof_of_work)) < ksize) || // Key too small
+        (0 != memcmp (&proof_of_work[1], &key, ksize))) // Keys do not match
+    {
+      fprintf (stderr,
+               _ ("Error: revocation certificate in `%s' is not for `%s'\n"),
+               filename,
+               revoke_ego);
+      return;
+    }
+    if (GNUNET_YES ==
+        GNUNET_GNSRECORD_check_pow (proof_of_work,
+                                    (unsigned int) matching_bits,
+                                    epoch_duration))
+    {
+      fprintf (stderr, "%s", _ ("Revocation certificate ready\n"));
+      if (perform)
+        perform_revocation ();
+      else
+        GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    /**
+     * Certificate not yet ready
+     */
+    fprintf (stderr,
+             "%s",
+             _ ("Continuing calculation where left off...\n"));
+    ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                     epochs,
+                                     matching_bits);
+  }
+  fprintf (stderr,
+           "%s",
+           _ ("Revocation certificate not ready, calculating proof of work\n"));
+  if (NULL == ph)
+  {
+    GNUNET_GNSRECORD_pow_init (privkey,
+                               proof_of_work);
+    ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                     epochs,  /* Epochs */
+                                     matching_bits);
+  }
+  pow_task = GNUNET_SCHEDULER_add_now (&calculate_pow, ph);
+  GNUNET_SCHEDULER_add_shutdown (&calculate_pow_shutdown, ph);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  struct GNUNET_CRYPTO_PublicKey pk;
+  size_t psize;
+
+  cfg = c;
+  if (NULL != test_ego)
+  {
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_public_key_from_string (test_ego,
+                                              &pk))
+    {
+      fprintf (stderr, _ ("Public key `%s' malformed\n"), test_ego);
+      return;
+    }
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    q = GNUNET_REVOCATION_query (cfg, &pk, &print_query_result, NULL);
+    if (NULL != revoke_ego)
+      fprintf (
+        stderr,
+        "%s",
+        _ (
+          "Testing and revoking at the same time is not allowed, only executing test.\n"));
+    return;
+  }
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                          "REVOCATION",
+                                                          "WORKBITS",
+                                                          &matching_bits))
+  {
+    GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                               "REVOCATION",
+                               "WORKBITS");
+    return;
+  }
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg,
+                                                        "REVOCATION",
+                                                        "EPOCH_DURATION",
+                                                        &epoch_duration))
+  {
+    GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                               "REVOCATION",
+                               "EPOCH_DURATION");
+    return;
+  }
+
+  if (NULL != revoke_ego)
+  {
+    if (! perform && (NULL == filename))
+    {
+      fprintf (stderr,
+               "%s",
+               _ ("No filename to store revocation certificate given.\n"));
+      return;
+    }
+    /* main code here */
+    el = GNUNET_IDENTITY_ego_lookup (cfg, revoke_ego, &ego_callback, NULL);
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    return;
+  }
+  if ((NULL != filename) && (perform))
+  {
+    size_t bread;
+    proof_of_work = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+    if (0 < (bread = GNUNET_DISK_fn_read (filename,
+                                          proof_of_work,
+                                          GNUNET_MAX_POW_SIZE)))
+    {
+      fprintf (stderr,
+               _ ("Failed to read revocation certificate from `%s'\n"),
+               filename);
+      return;
+    }
+    psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+    if (bread != psize)
+    {
+      fprintf (stderr,
+               _ ("Revocation certificate corrupted in `%s'\n"),
+               filename);
+      return;
+    }
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    if (GNUNET_YES !=
+        GNUNET_GNSRECORD_check_pow (proof_of_work,
+                                    (unsigned int) matching_bits,
+                                    epoch_duration))
+    {
+      struct GNUNET_GNSRECORD_PowCalculationHandle *ph;
+      ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                       epochs,  /* Epochs */
+                                       matching_bits);
+
+      pow_task = GNUNET_SCHEDULER_add_now (&calculate_pow, ph);
+      GNUNET_SCHEDULER_add_shutdown (&calculate_pow_shutdown, ph);
+      return;
+    }
+    perform_revocation ();
+    return;
+  }
+  fprintf (stderr, "%s", _ ("No action specified. Nothing to do.\n"));
+}
+
+
+/**
+ * The main function of gnunet-revocation.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('f',
+                                 "filename",
+                                 "NAME",
+                                 gettext_noop (
+                                   "use NAME for the name of the revocation file"),
+                                 &filename),
+
+    GNUNET_GETOPT_option_string (
+      'R',
+      "revoke",
+      "NAME",
+      gettext_noop (
+        "revoke the private key associated for the the private key associated with the ego NAME "),
+      &revoke_ego),
+
+    GNUNET_GETOPT_option_flag (
+      'p',
+      "perform",
+      gettext_noop (
+        "actually perform revocation, otherwise we just do the precomputation"),
+      &perform),
+
+    GNUNET_GETOPT_option_string ('t',
+                                 "test",
+                                 "KEY",
+                                 gettext_noop (
+                                   "test if the public key KEY has been revoked"),
+                                 &test_ego),
+    GNUNET_GETOPT_option_uint ('e',
+                               "epochs",
+                               "EPOCHS",
+                               gettext_noop (
+                                 "number of epochs to calculate for"),
+                               &epochs),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK == GNUNET_PROGRAM_run (argc,
+                                          argv,
+                                          "gnunet-revocation",
+                                          gettext_noop ("help text"),
+                                          options,
+                                          &run,
+                                          NULL))
+        ? ret
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-revocation.c */
diff --git a/src/cli/revocation/meson.build b/src/cli/revocation/meson.build
new file mode 100644
index 000000000..090b381df
--- /dev/null
+++ b/src/cli/revocation/meson.build
@@ -0,0 +1,22 @@
+executable ('gnunet-revocation',
+            ['gnunet-revocation.c'],
+            dependencies: [libgnunetrevocation_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetcore_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetsetu_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
+executable ('gnunet-revocation-tvg',
+            ['gnunet-revocation.c'],
+            dependencies: [libgnunetrevocation_dep,
+                           libgnunetutil_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: false)
+
diff --git a/src/cli/revocation/test_local_revocation.py.in b/src/cli/revocation/test_local_revocation.py.in
new file mode 100644
index 000000000..e667c10ce
--- /dev/null
+++ b/src/cli/revocation/test_local_revocation.py.in
@@ -0,0 +1,129 @@
+#!@PYTHONEXE@
+#    This file is part of GNUnet.
+#    (C) 2010, 2018 Christian Grothoff (and other contributing authors)
+#
+#    GNUnet is free software: you can redistribute it and/or modify it
+#    under the terms of the GNU Affero General Public License as published
+#    by the Free Software Foundation, either version 3 of the License,
+#    or (at your option) any later version.
+#
+#    GNUnet is distributed in the hope that it will be useful, but
+#    WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#    Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#    SPDX-License-Identifier: AGPL3.0-or-later
+#
+# Testcase for ego revocation
+
+import sys
+import os
+import subprocess
+import re
+import shutil
+
+if os.name == 'posix':
+    config = 'gnunet-config'
+    gnunetarm = 'gnunet-arm'
+    ident = 'gnunet-identity'
+    revoc = './gnunet-revocation'
+elif os.name == 'nt':
+    config = 'gnunet-config.exe'
+    gnunetarm = 'gnunet-arm.exe'
+    ident = 'gnunet-identity.exe'
+    revoc = './gnunet-revocation.exe'
+
+TEST_CONFIGURATION = "test_revocation.conf"
+TEST_REVOCATION_EGO = "revoc_test"
+
+get_clean = subprocess.Popen([
+    config, '-c', TEST_CONFIGURATION, '-s', 'PATHS', '-o', 'GNUNET_HOME', '-f'
+],
+                             stdout=subprocess.PIPE)
+cleandir, x = get_clean.communicate()
+cleandir = cleandir.decode("utf-8")
+cleandir = cleandir.rstrip('\n').rstrip('\r')
+
+if os.path.isdir(cleandir):
+    shutil.rmtree(cleandir, True)
+
+res = 0
+arm = subprocess.Popen([gnunetarm, '-s', '-c', TEST_CONFIGURATION])
+arm.communicate()
+
+try:
+    print("Creating an ego " + TEST_REVOCATION_EGO)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    idc = subprocess.Popen([
+        ident, '-C', TEST_REVOCATION_EGO, '-c', TEST_CONFIGURATION
+    ])
+    idc.communicate()
+    if idc.returncode != 0:
+        raise Exception(
+            "gnunet-identity failed to create an ego `" + TEST_REVOCATION_EGO +
+            "'"
+        )
+
+    sys.stdout.flush()
+    sys.stderr.flush()
+    idd = subprocess.Popen([ident, '-d'], stdout=subprocess.PIPE)
+    rev_key, x = idd.communicate()
+    rev_key = rev_key.decode("utf-8")
+    if len(rev_key.split()) < 3:
+        raise Exception("can't get revocation key out of `" + rev_key + "'")
+    rev_key = rev_key.split()[2]
+
+    print("Testing key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    tst = subprocess.Popen([revoc, '-t', rev_key, '-c', TEST_CONFIGURATION],
+                           stdout=subprocess.PIPE)
+    output_not_revoked, x = tst.communicate()
+    output_not_revoked = output_not_revoked.decode("utf-8")
+    if tst.returncode != 0:
+        raise Exception(
+            "gnunet-revocation failed to test a key - " + str(tst.returncode) +
+            ": " + output_not_revoked
+        )
+    if 'valid' not in output_not_revoked:
+        res = 1
+        print("Key was not valid")
+    else:
+        print("Key was valid")
+
+    print("Revoking key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    rev = subprocess.Popen([
+        revoc, '-R', TEST_REVOCATION_EGO, '-p', '-c', TEST_CONFIGURATION
+    ])
+    rev.communicate()
+    if rev.returncode != 0:
+        raise Exception("gnunet-revocation failed to revoke a key")
+
+    print("Testing revoked key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    tst = subprocess.Popen([revoc, '-t', rev_key, '-c', TEST_CONFIGURATION],
+                           stdout=subprocess.PIPE)
+    output_revoked, x = tst.communicate()
+    output_revoked = output_revoked.decode("utf-8")
+    if tst.returncode != 0:
+        raise Exception("gnunet-revocation failed to test a revoked key")
+    if 'revoked' not in output_revoked:
+        res = 1
+        print("Key was not revoked")
+    else:
+        print("Key was revoked")
+
+finally:
+    arm = subprocess.Popen([gnunetarm, '-e', '-c', TEST_CONFIGURATION])
+    arm.communicate()
+    if os.path.isdir(cleandir):
+        shutil.rmtree(cleandir, True)
+
+sys.exit(res)