8 files changed, 1973 insertions, 0 deletions
diff --git a/src/plugin/reclaim/Makefile.am b/src/plugin/reclaim/Makefile.am
new file mode 100644
index 000000000..e8ac2f94d
--- /dev/null
+++ b/src/plugin/reclaim/Makefile.am
@@ -0,0 +1,70 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+ plugindir = $(libdir)/gnunet
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+CREDENTIAL_PLUGIN = \
+  libgnunet_plugin_reclaim_credential_jwt.la
+if HAVE_PABC
+  CREDENTIAL_PLUGIN += libgnunet_plugin_reclaim_credential_pabc.la
+endif
+plugin_LTLIBRARIES = \
+  libgnunet_plugin_gnsrecord_reclaim.la \
+  libgnunet_plugin_reclaim_attribute_basic.la \
+  $(CREDENTIAL_PLUGIN)
+pkgcfgdir= $(pkgdatadir)/config.d/
+libexecdir= $(pkglibdir)/libexec/
+libgnunet_plugin_gnsrecord_reclaim_la_SOURCES = \
+  plugin_gnsrecord_reclaim.c
+libgnunet_plugin_gnsrecord_reclaim_la_LIBADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(LTLIBINTL)
+libgnunet_plugin_gnsrecord_reclaim_la_LDFLAGS = \
+ $(GN_PLUGIN_LDFLAGS)
+libgnunet_plugin_reclaim_attribute_basic_la_SOURCES = \
+  plugin_reclaim_attribute_basic.c
+libgnunet_plugin_reclaim_attribute_basic_la_LIBADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(LTLIBINTL)
+libgnunet_plugin_reclaim_attribute_basic_la_LDFLAGS = \
+ $(GN_PLUGIN_LDFLAGS)
+if HAVE_PABC
+libgnunet_plugin_reclaim_credential_pabc_la_SOURCES = \
+  plugin_reclaim_credential_pabc.c \
+  pabc_helper.c \
+        pabc_helper.h
+libgnunet_plugin_reclaim_credential_pabc_la_LIBADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/reclaim/libgnunetreclaim.la \
+  -ljansson\
+  -lpabc \
+  $(LTLIBINTL)
+libgnunet_plugin_reclaim_credential_pabc_la_LDFLAGS = \
+ $(GN_PLUGIN_LDFLAGS)
+endif
+libgnunet_plugin_reclaim_credential_jwt_la_SOURCES = \
+  plugin_reclaim_credential_jwt.c \
+        $(top_builddir)/src/service/reclaim/reclaim_attribute.c \
+        $(top_builddir)/src/service/reclaim/reclaim_credential.c
+libgnunet_plugin_reclaim_credential_jwt_la_LIBADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  -ljansson\
+  $(LTLIBINTL)
+libgnunet_plugin_reclaim_credential_jwt_la_LDFLAGS = \
+ $(GN_PLUGIN_LDFLAGS)
diff --git a/src/plugin/reclaim/meson.build b/src/plugin/reclaim/meson.build
new file mode 100644
index 000000000..cde9fc726
--- /dev/null
+++ b/src/plugin/reclaim/meson.build
@@ -0,0 +1,28 @@
+shared_module('gnunet_plugin_gnsrecord_reclaim',
+              ['plugin_gnsrecord_reclaim.c'],
+              dependencies: [libgnunetutil_dep, libgnunetgnsrecord_dep],
+              include_directories: [incdir, configuration_inc],
+              install: true,
+              install_dir: get_option('libdir')/'gnunet')
+shared_module('gnunet_plugin_reclaim_attribute_basic',
+              ['plugin_reclaim_attribute_basic.c'],
+              dependencies: [
+                             libgnunetjson_dep,
+                             libgnunetutil_dep,
+                             json_dep],
+              include_directories: [incdir, configuration_inc],
+              install: true,
+              install_dir: get_option('libdir') / 'gnunet')
+shared_module('gnunet_plugin_reclaim_credential_jwt',
+              ['plugin_reclaim_credential_jwt.c',
+                '../../service/reclaim/reclaim_attribute.c',
+                '../../service/reclaim/reclaim_credential.c'],
+              dependencies: [
+                             libgnunetjson_dep,
+                             libgnunetutil_dep,
+                             json_dep],
+              include_directories: [incdir, configuration_inc],
+              install: true,
+              install_dir: get_option('libdir') / 'gnunet')
diff --git a/src/plugin/reclaim/pabc_helper.c b/src/plugin/reclaim/pabc_helper.c
new file mode 100644
index 000000000..d7688e9e1
--- /dev/null
+++ b/src/plugin/reclaim/pabc_helper.c
@@ -0,0 +1,374 @@
+// maximilian.kaul@aisec.fraunhofer.de
+// WIP implementation of
+// https://github.com/ontio/ontology-crypto/wiki/Anonymous-Credential
+// using the relic library https://github.com/relic-toolkit/relic/
+#include "platform.h"
+#include "pabc_helper.h"
+#include <pwd.h>
+#include <stdlib.h>
+#include <unistd.h>
+static char pabc_dir[PATH_MAX + 1];
+static const char *
+get_homedir ()
+{
+  const char *homedir;
+  if ((homedir = getenv ("HOME")) == NULL)
+  {
+    homedir = getpwuid (getuid ())->pw_dir;
+  }
+  return homedir;
+}
+static enum GNUNET_GenericReturnValue
+write_file (char const *const filename, const char *buffer)
+{
+  struct GNUNET_DISK_FileHandle *fh;
+  fh = GNUNET_DISK_file_open (filename,
+                              GNUNET_DISK_OPEN_WRITE
+                              | GNUNET_DISK_OPEN_TRUNCATE
+                              | GNUNET_DISK_OPEN_CREATE,
+                              GNUNET_DISK_PERM_USER_WRITE
+                              | GNUNET_DISK_PERM_USER_READ);
+  if (fh == NULL)
+    return GNUNET_SYSERR;
+  if (GNUNET_SYSERR == GNUNET_DISK_file_write (fh,
+                                               buffer, strlen (buffer) + 1))
+    goto fail;
+  GNUNET_DISK_file_close (fh);
+  return GNUNET_OK;
+fail:
+  GNUNET_DISK_file_close (fh);
+  return GNUNET_SYSERR;
+}
+static enum GNUNET_GenericReturnValue
+init_pabc_dir ()
+{
+  size_t filename_size = strlen (get_homedir ()) + 1 + strlen (".local") + 1
+                         + strlen ("pabc-reclaim") + 1;
+  snprintf (pabc_dir, filename_size, "%s/%s/%s",
+            get_homedir (), ".local", "pabc-reclaim");
+  return GNUNET_DISK_directory_create (pabc_dir);
+}
+static const char *
+get_pabcdir ()
+{
+  init_pabc_dir ();
+  return pabc_dir;
+}
+enum GNUNET_GenericReturnValue
+read_file (char const *const filename, char **buffer)
+{
+  struct GNUNET_DISK_FileHandle *fh;
+  if (GNUNET_YES != GNUNET_DISK_file_test (filename))
+    return GNUNET_SYSERR;
+  fh = GNUNET_DISK_file_open (filename,
+                              GNUNET_DISK_OPEN_READ,
+                              GNUNET_DISK_PERM_USER_READ);
+  if (fh == NULL)
+    return GNUNET_SYSERR;
+  long lSize = GNUNET_DISK_file_seek (fh, 0, GNUNET_DISK_SEEK_END);
+  if (lSize < 0)
+    goto fail;
+  GNUNET_DISK_file_seek (fh, 0, GNUNET_DISK_SEEK_SET);
+  *buffer = calloc ((size_t) lSize + 1, sizeof(char));
+  if (*buffer == NULL)
+    goto fail;
+  // copy the file into the buffer:
+  size_t r = GNUNET_DISK_file_read (fh, *buffer, (size_t) lSize);
+  if (r != (size_t) lSize)
+    goto fail;
+  GNUNET_DISK_file_close (fh);
+  return GNUNET_OK;
+fail:
+  GNUNET_DISK_file_close (fh);
+  GNUNET_free (*buffer);
+  return GNUNET_SYSERR;
+}
+struct pabc_public_parameters *
+PABC_read_issuer_ppfile (const char *f, struct pabc_context *const ctx)
+{
+  if (NULL == ctx)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No global context provided\n");
+    return NULL;
+  }
+  struct pabc_public_parameters *pp;
+  char *buffer;
+  int r;
+  r = read_file (f, &buffer);
+  if (GNUNET_OK != r)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Error reading file\n");
+    return NULL;
+  }
+  if (PABC_OK != pabc_decode_and_new_public_parameters (ctx, &pp, buffer))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to decode public parameters\n");
+    PABC_FREE_NULL (buffer);
+    return NULL;
+  }
+  PABC_FREE_NULL (buffer);
+  return pp;
+}
+enum GNUNET_GenericReturnValue
+PABC_load_public_parameters (struct pabc_context *const ctx,
+                             char const *const pp_name,
+                             struct pabc_public_parameters **pp)
+{
+  char fname[PATH_MAX];
+  char *pp_filename;
+  const char *pdir = get_pabcdir ();
+  if (ctx == NULL)
+    return GNUNET_SYSERR;
+  if (pp_name == NULL)
+    return GNUNET_SYSERR;
+  GNUNET_STRINGS_urlencode (strlen (pp_name),
+                            pp_name,
+                            &pp_filename);
+  if (GNUNET_YES != GNUNET_DISK_directory_test (pdir, GNUNET_YES))
+  {
+    GNUNET_free (pp_filename);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Error reading %s\n", pdir);
+    return GNUNET_SYSERR;
+  }
+  snprintf (fname, PATH_MAX, "%s/%s%s", pdir, pp_filename, PABC_PP_EXT);
+  if (GNUNET_YES != GNUNET_DISK_file_test (fname))
+  {
+    GNUNET_free (pp_filename);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Error testing %s\n", fname);
+    return GNUNET_SYSERR;
+  }
+  *pp = PABC_read_issuer_ppfile (fname, ctx);
+  if (*pp)
+    return GNUNET_OK;
+  else
+    return GNUNET_SYSERR;
+}
+enum GNUNET_GenericReturnValue
+PABC_write_public_parameters (char const *const pp_name,
+                              struct pabc_public_parameters *const pp)
+{
+  char *json;
+  char *filename;
+  char *pp_filename;
+  enum pabc_status status;
+  struct pabc_context *ctx = NULL;
+  GNUNET_STRINGS_urlencode (strlen (pp_name),
+                            pp_name,
+                            &pp_filename);
+  PABC_ASSERT (pabc_new_ctx (&ctx));
+  // store in json file
+  status = pabc_encode_public_parameters (ctx, pp, &json);
+  if (status != PABC_OK)
+  {
+    GNUNET_free (pp_filename);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to encode public parameters.\n");
+    pabc_free_ctx (&ctx);
+    return GNUNET_SYSERR;
+  }
+  size_t filename_size =
+    strlen (get_pabcdir ()) + 1 + strlen (pp_filename) + strlen (PABC_PP_EXT)
+    + 1;
+  filename = GNUNET_malloc (filename_size);
+  if (! filename)
+  {
+    GNUNET_free (pp_filename);
+    PABC_FREE_NULL (json);
+    pabc_free_ctx (&ctx);
+    return GNUNET_SYSERR;
+  }
+  snprintf (filename, filename_size, "%s/%s%s", get_pabcdir (), pp_filename,
+            PABC_PP_EXT);
+  GNUNET_free (pp_filename);
+  if (GNUNET_OK != write_file (filename, json))
+  {
+    PABC_FREE_NULL (filename);
+    PABC_FREE_NULL (json);
+    pabc_free_ctx (&ctx);
+    return GNUNET_SYSERR;
+  }
+  PABC_FREE_NULL (filename);
+  PABC_FREE_NULL (json);
+  pabc_free_ctx (&ctx);
+  return GNUNET_OK;
+}
+enum GNUNET_GenericReturnValue
+PABC_write_usr_ctx (char const *const usr_name,
+                    char const *const pp_name,
+                    struct pabc_context const *const ctx,
+                    struct pabc_public_parameters const *const pp,
+                    struct pabc_user_context *const usr_ctx)
+{
+  char *pp_filename;
+  char *json = NULL;
+  enum pabc_status status;
+  char *fname = NULL;
+  if (NULL == usr_name)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No issuer given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == pp_name)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No user given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == ctx)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No context given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == pp)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No public parameters given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == usr_ctx)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No user context given.\n");
+    return GNUNET_SYSERR;
+  }
+  GNUNET_STRINGS_urlencode (strlen (pp_name),
+                            pp_name,
+                            &pp_filename);
+  status = pabc_encode_user_ctx (ctx, pp, usr_ctx, &json);
+  if (PABC_OK != status)
+  {
+    GNUNET_free (pp_filename);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Failed to encode user context.\n");
+    return status;
+  }
+  size_t fname_size = strlen (get_pabcdir ()) + 1 + strlen (usr_name) + 1
+                      + strlen (pp_filename) + strlen (PABC_USR_EXT) + 1;
+  fname = GNUNET_malloc (fname_size);
+  snprintf (fname, fname_size, "%s/%s_%s%s", get_pabcdir (), usr_name,
+            pp_filename,
+            PABC_USR_EXT);
+  GNUNET_free (pp_filename);
+  if (GNUNET_OK == write_file (fname, json))
+  {
+    GNUNET_free (fname);
+    GNUNET_free (json);
+    return GNUNET_OK;
+  }
+  else
+  {
+    GNUNET_free (fname);
+    GNUNET_free (json);
+    return GNUNET_SYSERR;
+  }
+}
+enum GNUNET_GenericReturnValue
+PABC_read_usr_ctx (char const *const usr_name,
+                   char const *const pp_name,
+                   struct pabc_context const *const ctx,
+                   struct pabc_public_parameters const *const pp,
+                   struct pabc_user_context **usr_ctx)
+{
+  char *json = NULL;
+  char *pp_filename;
+  enum pabc_status status;
+  char *fname = NULL;
+  if (NULL == usr_name)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No issuer given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == pp_name)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No user given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == ctx)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No context given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == pp)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No public parameters given.\n");
+    return GNUNET_SYSERR;
+  }
+  if (NULL == usr_ctx)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No user context given.\n");
+    return GNUNET_SYSERR;
+  }
+  GNUNET_STRINGS_urlencode (strlen (pp_name),
+                            pp_name,
+                            &pp_filename);
+  size_t fname_size = strlen (get_pabcdir ()) + 1 + strlen (usr_name) + 1
+                      + strlen (pp_filename) + strlen (PABC_USR_EXT) + 1;
+  fname = GNUNET_malloc (fname_size);
+  snprintf (fname, fname_size, "%s/%s_%s%s", get_pabcdir (), usr_name,
+            pp_filename,
+            PABC_USR_EXT);
+  GNUNET_free (pp_filename);
+  if (GNUNET_OK != read_file (fname, &json))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to read `%s'\n", fname);
+    PABC_FREE_NULL (fname);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_free (fname);
+  status = pabc_new_user_context (ctx, pp, usr_ctx);
+  if (PABC_OK != status)
+  {
+    GNUNET_free (json);
+    return GNUNET_SYSERR;
+  }
+  status = pabc_decode_user_ctx (ctx, pp, *usr_ctx, json);
+  GNUNET_free (json);
+  if (PABC_OK != status)
+  {
+    pabc_free_user_context (ctx, pp, usr_ctx);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Failed to encode user context.\n");
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
diff --git a/src/plugin/reclaim/pabc_helper.h b/src/plugin/reclaim/pabc_helper.h
new file mode 100644
index 000000000..045ad5dda
--- /dev/null
+++ b/src/plugin/reclaim/pabc_helper.h
@@ -0,0 +1,41 @@
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <pabc/pabc.h>
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+#define PABC_ISK_EXT ".isk"
+#define PABC_PP_EXT ".pp"
+#define PABC_USR_EXT ".usr"
+#define PABC_ATTR_DELIM "="
+enum GNUNET_GenericReturnValue
+PABC_write_public_parameters (char const *const pp_name,
+                              struct pabc_public_parameters *const pp);
+enum GNUNET_GenericReturnValue
+PABC_load_public_parameters (struct pabc_context *const ctx,
+                             char const *const pp_name,
+                             struct pabc_public_parameters **pp);
+enum GNUNET_GenericReturnValue
+PABC_write_usr_ctx (char const *const user_name,
+                    char const *const pp_name,
+                    struct pabc_context const *const ctx,
+                    struct pabc_public_parameters const *const
+                    pp,
+                    struct pabc_user_context *const usr_ctx);
+enum GNUNET_GenericReturnValue
+PABC_read_usr_ctx (char const *const user_name,
+                   char const *const pp_name,
+                   struct pabc_context const *const ctx,
+                   struct pabc_public_parameters const *const
+                   pp,
+                   struct pabc_user_context **usr_ctx);
diff --git a/src/plugin/reclaim/plugin_gnsrecord_reclaim.c b/src/plugin/reclaim/plugin_gnsrecord_reclaim.c
new file mode 100644
index 000000000..baf2fc37a
--- /dev/null
+++ b/src/plugin/reclaim/plugin_gnsrecord_reclaim.c
@@ -0,0 +1,195 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2013, 2014 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file reclaim/plugin_gnsrecord_reclaim.c
+ * @brief gnsrecord plugin to provide the API for identity records
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_gnsrecord_plugin.h"
+/**
+ * Convert the 'value' of a record to a string.
+ *
+ * @param cls closure, unused
+ * @param type type of the record
+ * @param data value in binary encoding
+ * @param data_size number of bytes in @a data
+ * @return NULL on error, otherwise human-readable representation of the value
+ */
+static char *
+value_to_string (void *cls, uint32_t type, const void *data, size_t data_size)
+{
+  switch (type)
+  {
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_TICKET:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_CLIENT:
+    return GNUNET_strndup (data, data_size);
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE_REF:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_CREDENTIAL:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_PRESENTATION:
+    return GNUNET_STRINGS_data_to_string_alloc (data, data_size);
+  default:
+    return NULL;
+  }
+}
+/**
+ * Convert human-readable version of a 'value' of a record to the binary
+ * representation.
+ *
+ * @param cls closure, unused
+ * @param type type of the record
+ * @param s human-readable string
+ * @param data set to value in binary encoding (will be allocated)
+ * @param data_size set to number of bytes in @a data
+ * @return #GNUNET_OK on success
+ */
+static int
+string_to_value (void *cls, uint32_t type, const char *s, void **data,
+                 size_t *data_size)
+{
+  if (NULL == s)
+    return GNUNET_SYSERR;
+  switch (type)
+  {
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_TICKET:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_CLIENT:
+    *data = GNUNET_strdup (s);
+    *data_size = strlen (s);
+    return GNUNET_OK;
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE_REF:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_CREDENTIAL:
+  case GNUNET_GNSRECORD_TYPE_RECLAIM_PRESENTATION:
+    return GNUNET_STRINGS_string_to_data (s, strlen (s), *data, *data_size);
+  default:
+    return GNUNET_SYSERR;
+  }
+}
+/**
+ * Mapping of record type numbers to human-readable
+ * record type names.
+ */
+static struct
+{
+  const char *name;
+  uint32_t number;
+} name_map[] = {
+  { "RECLAIM_ATTRIBUTE", GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE },
+  { "RECLAIM_ATTRIBUTE_REF", GNUNET_GNSRECORD_TYPE_RECLAIM_ATTRIBUTE_REF },
+  { "RECLAIM_CREDENTIAL", GNUNET_GNSRECORD_TYPE_RECLAIM_CREDENTIAL },
+  { "RECLAIM_PRESENTATION", GNUNET_GNSRECORD_TYPE_RECLAIM_PRESENTATION },
+  { "RECLAIM_OIDC_CLIENT", GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_CLIENT },
+  { "RECLAIM_OIDC_REDIRECT", GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT },
+  { "RECLAIM_TICKET", GNUNET_GNSRECORD_TYPE_RECLAIM_TICKET },
+  { NULL, UINT32_MAX }
+};
+/**
+ * Convert a type name (e.g. "AAAA") to the corresponding number.
+ *
+ * @param cls closure, unused
+ * @param dns_typename name to convert
+ * @return corresponding number, UINT32_MAX on error
+ */
+static uint32_t
+typename_to_number (void *cls, const char *dns_typename)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != name_map[i].name) &&
+         (0 != strcasecmp (dns_typename, name_map[i].name)))
+    i++;
+  return name_map[i].number;
+}
+/**
+ * Convert a type number to the corresponding type string (e.g. 1 to "A")
+ *
+ * @param cls closure, unused
+ * @param type number of a type to convert
+ * @return corresponding typestring, NULL on error
+ */
+static const char *
+number_to_typename (void *cls, uint32_t type)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != name_map[i].name) && (type != name_map[i].number))
+    i++;
+  return name_map[i].name;
+}
+/**
+ * Entry point for the plugin.
+ *
+ * @param cls NULL
+ * @return the exported block API
+ */
+void *
+libgnunet_plugin_gnsrecord_reclaim_init (void *cls)
+{
+  struct GNUNET_GNSRECORD_PluginFunctions *api;
+  api = GNUNET_new (struct GNUNET_GNSRECORD_PluginFunctions);
+  api->value_to_string = &value_to_string;
+  api->string_to_value = &string_to_value;
+  api->typename_to_number = &typename_to_number;
+  api->number_to_typename = &number_to_typename;
+  return api;
+}
+/**
+ * Exit point from the plugin.
+ *
+ * @param cls the return value from #libgnunet_plugin_block_test_init
+ * @return NULL
+ */
+void *
+libgnunet_plugin_gnsrecord_reclaim_done (void *cls)
+{
+  struct GNUNET_GNSRECORD_PluginFunctions *api = cls;
+  GNUNET_free (api);
+  return NULL;
+}
+/* end of plugin_gnsrecord_dns.c */
diff --git a/src/plugin/reclaim/plugin_reclaim_attribute_basic.c b/src/plugin/reclaim/plugin_reclaim_attribute_basic.c
new file mode 100644
index 000000000..66f59998a
--- /dev/null
+++ b/src/plugin/reclaim/plugin_reclaim_attribute_basic.c
@@ -0,0 +1,181 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2013, 2014, 2016 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file reclaim-attribute/plugin_reclaim_attribute_gnuid.c
+ * @brief reclaim-attribute-plugin-gnuid attribute plugin to provide the API for
+ *                                       fundamental
+ *                                       attribute types.
+ *
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_reclaim_plugin.h"
+#include <inttypes.h>
+/**
+ * Convert the 'value' of an attribute to a string.
+ *
+ * @param cls closure, unused
+ * @param type type of the attribute
+ * @param data value in binary encoding
+ * @param data_size number of bytes in @a data
+ * @return NULL on error, otherwise human-readable representation of the value
+ */
+static char *
+basic_value_to_string (void *cls,
+                       uint32_t type,
+                       const void *data,
+                       size_t data_size)
+{
+  switch (type)
+  {
+  case GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING:
+    return GNUNET_strndup (data, data_size);
+  default:
+    return NULL;
+  }
+}
+/**
+ * Convert human-readable version of a 'value' of an attribute to the binary
+ * representation.
+ *
+ * @param cls closure, unused
+ * @param type type of the attribute
+ * @param s human-readable string
+ * @param data set to value in binary encoding (will be allocated)
+ * @param data_size set to number of bytes in @a data
+ * @return #GNUNET_OK on success
+ */
+static int
+basic_string_to_value (void *cls,
+                       uint32_t type,
+                       const char *s,
+                       void **data,
+                       size_t *data_size)
+{
+  if (NULL == s)
+    return GNUNET_SYSERR;
+  switch (type)
+  {
+  case GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING:
+    *data = GNUNET_strdup (s);
+    *data_size = strlen (s) + 1;
+    return GNUNET_OK;
+  default:
+    return GNUNET_SYSERR;
+  }
+}
+/**
+ * Mapping of attribute type numbers to human-readable
+ * attribute type names.
+ */
+static struct
+{
+  const char *name;
+  uint32_t number;
+} basic_name_map[] = { { "STRING", GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING },
+                       { NULL, UINT32_MAX } };
+/**
+ * Convert a type name to the corresponding number.
+ *
+ * @param cls closure, unused
+ * @param basic_typename name to convert
+ * @return corresponding number, UINT32_MAX on error
+ */
+static uint32_t
+basic_typename_to_number (void *cls, const char *basic_typename)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != basic_name_map[i].name) &&
+         (0 != strcasecmp (basic_typename, basic_name_map[i].name)))
+    i++;
+  return basic_name_map[i].number;
+}
+/**
+ * Convert a type number to the corresponding type string (e.g. 1 to "A")
+ *
+ * @param cls closure, unused
+ * @param type number of a type to convert
+ * @return corresponding typestring, NULL on error
+ */
+static const char *
+basic_number_to_typename (void *cls, uint32_t type)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != basic_name_map[i].name) && (type != basic_name_map[i].number))
+    i++;
+  return basic_name_map[i].name;
+}
+/**
+ * Entry point for the plugin.
+ *
+ * @param cls NULL
+ * @return the exported block API
+ */
+void *
+libgnunet_plugin_reclaim_attribute_basic_init (void *cls)
+{
+  struct GNUNET_RECLAIM_AttributePluginFunctions *api;
+  api = GNUNET_new (struct GNUNET_RECLAIM_AttributePluginFunctions);
+  api->value_to_string = &basic_value_to_string;
+  api->string_to_value = &basic_string_to_value;
+  api->typename_to_number = &basic_typename_to_number;
+  api->number_to_typename = &basic_number_to_typename;
+  return api;
+}
+/**
+ * Exit point from the plugin.
+ *
+ * @param cls the return value from #libgnunet_plugin_block_test_init()
+ * @return NULL
+ */
+void *
+libgnunet_plugin_reclaim_attribute_basic_done (void *cls)
+{
+  struct GNUNET_RECLAIM_AttributePluginFunctions *api = cls;
+  GNUNET_free (api);
+  return NULL;
+}
+/* end of plugin_reclaim_attribute_type_gnuid.c */
diff --git a/src/plugin/reclaim/plugin_reclaim_credential_jwt.c b/src/plugin/reclaim/plugin_reclaim_credential_jwt.c
new file mode 100644
index 000000000..3eb4bfebf
--- /dev/null
+++ b/src/plugin/reclaim/plugin_reclaim_credential_jwt.c
@@ -0,0 +1,512 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2013, 2014, 2016 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file reclaim/plugin_reclaim_credential_jwt.c
+ * @brief reclaim-credential-plugin-jwt attribute plugin to provide the API for
+ *                                      JWT credentials.
+ *
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_reclaim_plugin.h"
+#include <inttypes.h>
+#include <jansson.h>
+/**
+   * Convert the 'value' of an credential to a string.
+   *
+   * @param cls closure, unused
+   * @param type type of the credential
+   * @param data value in binary encoding
+   * @param data_size number of bytes in @a data
+   * @return NULL on error, otherwise human-readable representation of the value
+   */
+static char *
+jwt_value_to_string (void *cls,
+                     uint32_t type,
+                     const void *data,
+                     size_t data_size)
+{
+  switch (type)
+  {
+  case GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT:
+    return GNUNET_strndup (data, data_size);
+  default:
+    return NULL;
+  }
+}
+/**
+ * Convert human-readable version of a 'value' of an credential to the binary
+ * representation.
+ *
+ * @param cls closure, unused
+ * @param type type of the credential
+ * @param s human-readable string
+ * @param data set to value in binary encoding (will be allocated)
+ * @param data_size set to number of bytes in @a data
+ * @return #GNUNET_OK on success
+ */
+static int
+jwt_string_to_value (void *cls,
+                     uint32_t type,
+                     const char *s,
+                     void **data,
+                     size_t *data_size)
+{
+  if (NULL == s)
+    return GNUNET_SYSERR;
+  switch (type)
+  {
+  case GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT:
+    *data = GNUNET_strdup (s);
+    *data_size = strlen (s) + 1;
+    return GNUNET_OK;
+  default:
+    return GNUNET_SYSERR;
+  }
+}
+/**
+ * Mapping of credential type numbers to human-readable
+ * credential type names.
+ */
+static struct
+{
+  const char *name;
+  uint32_t number;
+} jwt_cred_name_map[] = { { "JWT", GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT },
+                          { NULL, UINT32_MAX } };
+/**
+   * Convert a type name to the corresponding number.
+   *
+   * @param cls closure, unused
+   * @param jwt_typename name to convert
+   * @return corresponding number, UINT32_MAX on error
+   */
+static uint32_t
+jwt_typename_to_number (void *cls, const char *jwt_typename)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != jwt_cred_name_map[i].name) &&
+         (0 != strcasecmp (jwt_typename, jwt_cred_name_map[i].name)))
+    i++;
+  return jwt_cred_name_map[i].number;
+}
+/**
+ * Convert a type number to the corresponding type string (e.g. 1 to "A")
+ *
+ * @param cls closure, unused
+ * @param type number of a type to convert
+ * @return corresponding typestring, NULL on error
+ */
+static const char *
+jwt_number_to_typename (void *cls, uint32_t type)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != jwt_cred_name_map[i].name) && (type !=
+                                                 jwt_cred_name_map[i].
+                                                 number))
+    i++;
+  return jwt_cred_name_map[i].name;
+}
+/**
+ * Parse a JWT and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+jwt_parse_attributes (void *cls,
+                      const char *data,
+                      size_t data_size)
+{
+  char *jwt_string;
+  struct GNUNET_RECLAIM_AttributeList *attrs;
+  char delim[] = ".";
+  char *val_str = NULL;
+  char *decoded_jwt;
+  char *tmp;
+  json_t *json_val;
+  json_error_t json_err;
+  attrs = GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
+  jwt_string = GNUNET_strndup (data, data_size);
+  const char *jwt_body = strtok (jwt_string, delim);
+  if (NULL == jwt_body)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to parse JSON %s\n", jwt_string);
+    return attrs;
+  }
+  jwt_body = strtok (NULL, delim);
+  if (NULL == jwt_body)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to parse JSON %s\n", jwt_string);
+    GNUNET_free (jwt_string);
+    return attrs;
+  }
+  GNUNET_STRINGS_base64url_decode (jwt_body, strlen (jwt_body),
+                                   (void **) &decoded_jwt);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Decoded JWT: %s\n", decoded_jwt);
+  GNUNET_assert (NULL != decoded_jwt);
+  json_val = json_loads (decoded_jwt, JSON_DECODE_ANY, &json_err);
+  GNUNET_free (decoded_jwt);
+  const char *key;
+  const char *addr_key;
+  json_t *value;
+  json_t *addr_value;
+  json_object_foreach (json_val, key, value) {
+    if (0 == strcmp ("iss", key))
+      continue;
+    if (0 == strcmp ("jti", key))
+      continue;
+    if (0 == strcmp ("exp", key))
+      continue;
+    if (0 == strcmp ("iat", key))
+      continue;
+    if (0 == strcmp ("nbf", key))
+      continue;
+    if (0 == strcmp ("aud", key))
+      continue;
+    if (0 == strcmp ("address", key))
+    {
+      if (! json_is_object (value))
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    "address claim in wrong format!");
+        continue;
+      }
+      json_object_foreach (value, addr_key, addr_value) {
+        val_str = json_dumps (addr_value, JSON_ENCODE_ANY);
+        tmp = val_str;
+        // Remove leading " from jasson conversion
+        if (tmp[0] == '"')
+          tmp++;
+        // Remove trailing " from jansson conversion
+        if (tmp[strlen (tmp) - 1] == '"')
+          tmp[strlen (tmp) - 1] = '\0';
+        GNUNET_RECLAIM_attribute_list_add (attrs,
+                                           addr_key,
+                                           NULL,
+                                           GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
+                                           tmp,
+                                           strlen (val_str));
+        GNUNET_free (val_str);
+      }
+      continue;
+    }
+    val_str = json_dumps (value, JSON_ENCODE_ANY);
+    tmp = val_str;
+    // Remove leading " from jasson conversion
+    if (tmp[0] == '"')
+      tmp++;
+    // Remove trailing " from jansson conversion
+    if (tmp[strlen (tmp) - 1] == '"')
+      tmp[strlen (tmp) - 1] = '\0';
+    GNUNET_RECLAIM_attribute_list_add (attrs,
+                                       key,
+                                       NULL,
+                                       GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,// FIXME
+                                       tmp,
+                                       strlen (val_str));
+    GNUNET_free (val_str);
+  }
+  json_decref (json_val);
+  GNUNET_free (jwt_string);
+  return attrs;
+}
+/**
+ * Parse a JWT and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+jwt_parse_attributes_c (void *cls,
+                        const struct GNUNET_RECLAIM_Credential *cred)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT)
+    return NULL;
+  return jwt_parse_attributes (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a JWT and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+jwt_parse_attributes_p (void *cls,
+                        const struct GNUNET_RECLAIM_Presentation *cred)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT)
+    return NULL;
+  return jwt_parse_attributes (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a JWT and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a string, containing the isser
+ */
+char *
+jwt_get_issuer (void *cls,
+                const char *data,
+                size_t data_size)
+{
+  const char *jwt_body;
+  char *jwt_string;
+  char delim[] = ".";
+  char *issuer = NULL;
+  char *decoded_jwt;
+  json_t *issuer_json;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Parsing JWT attributes.\n");
+  json_t *json_val;
+  json_error_t json_err;
+  jwt_string = GNUNET_strndup (data, data_size);
+  jwt_body = strtok (jwt_string, delim);
+  jwt_body = strtok (NULL, delim);
+  GNUNET_STRINGS_base64url_decode (jwt_body, strlen (jwt_body),
+                                   (void **) &decoded_jwt);
+  json_val = json_loads (decoded_jwt, JSON_DECODE_ANY, &json_err);
+  GNUNET_free (decoded_jwt);
+  GNUNET_free (jwt_string);
+  if (NULL == json_val)
+    return NULL;
+  issuer_json = json_object_get (json_val, "iss");
+  if ((NULL == issuer_json) || (! json_is_string (issuer_json)))
+  {
+    json_decref (json_val);
+    return NULL;
+  }
+  issuer = GNUNET_strdup (json_string_value (issuer_json));
+  json_decref (json_val);
+  return issuer;
+}
+/**
+ * Parse a JWT and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a string, containing the isser
+ */
+char *
+jwt_get_issuer_c (void *cls,
+                  const struct GNUNET_RECLAIM_Credential *cred)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT != cred->type)
+    return NULL;
+  return jwt_get_issuer (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a JWT and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a string, containing the isser
+ */
+char *
+jwt_get_issuer_p (void *cls,
+                  const struct GNUNET_RECLAIM_Presentation *cred)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT != cred->type)
+    return NULL;
+  return jwt_get_issuer (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a JWT and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a string, containing the isser
+ */
+enum GNUNET_GenericReturnValue
+jwt_get_expiration (void *cls,
+                    const char *data,
+                    size_t data_size,
+                    struct GNUNET_TIME_Absolute *exp)
+{
+  const char *jwt_body;
+  char *jwt_string;
+  char delim[] = ".";
+  char *decoded_jwt;
+  json_t *exp_json;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Parsing JWT attributes.\n");
+  json_t *json_val;
+  json_error_t json_err;
+  jwt_string = GNUNET_strndup (data, data_size);
+  jwt_body = strtok (jwt_string, delim);
+  jwt_body = strtok (NULL, delim);
+  GNUNET_STRINGS_base64url_decode (jwt_body, strlen (jwt_body),
+                                   (void **) &decoded_jwt);
+  json_val = json_loads (decoded_jwt, JSON_DECODE_ANY, &json_err);
+  GNUNET_free (decoded_jwt);
+  GNUNET_free (jwt_string);
+  if (NULL == json_val)
+    return GNUNET_SYSERR;
+  exp_json = json_object_get (json_val, "exp");
+  if ((NULL == exp_json) || (! json_is_integer (exp_json)))
+  {
+    json_decref (json_val);
+    return GNUNET_SYSERR;
+  }
+  exp->abs_value_us = json_integer_value (exp_json) * 1000 * 1000;
+  json_decref (json_val);
+  return GNUNET_OK;
+}
+/**
+ * Parse a JWT and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return the expirati
+ */
+enum GNUNET_GenericReturnValue
+jwt_get_expiration_c (void *cls,
+                      const struct GNUNET_RECLAIM_Credential *cred,
+                      struct GNUNET_TIME_Absolute *exp)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT != cred->type)
+    return GNUNET_NO;
+  return jwt_get_expiration (cls, cred->data, cred->data_size, exp);
+}
+/**
+ * Parse a JWT and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the jwt credential
+ * @return a string, containing the isser
+ */
+enum GNUNET_GenericReturnValue
+jwt_get_expiration_p (void *cls,
+                      const struct GNUNET_RECLAIM_Presentation *cred,
+                      struct GNUNET_TIME_Absolute *exp)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT != cred->type)
+    return GNUNET_NO;
+  return jwt_get_expiration (cls, cred->data, cred->data_size, exp);
+}
+enum GNUNET_GenericReturnValue
+jwt_create_presentation (void *cls,
+                         const struct GNUNET_RECLAIM_Credential *cred,
+                         const struct GNUNET_RECLAIM_AttributeList *attrs,
+                         struct GNUNET_RECLAIM_Presentation **presentation)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT != cred->type)
+    return GNUNET_NO;
+  *presentation = GNUNET_RECLAIM_presentation_new (
+    GNUNET_RECLAIM_CREDENTIAL_TYPE_JWT,
+    cred->data,
+    cred->data_size);
+  return GNUNET_OK;
+}
+/**
+ * Entry point for the plugin.
+ *
+ * @param cls NULL
+ * @return the exported block API
+ */
+void *
+libgnunet_plugin_reclaim_credential_jwt_init (void *cls)
+{
+  struct GNUNET_RECLAIM_CredentialPluginFunctions *api;
+  api = GNUNET_new (struct GNUNET_RECLAIM_CredentialPluginFunctions);
+  api->value_to_string = &jwt_value_to_string;
+  api->string_to_value = &jwt_string_to_value;
+  api->typename_to_number = &jwt_typename_to_number;
+  api->number_to_typename = &jwt_number_to_typename;
+  api->get_attributes = &jwt_parse_attributes_c;
+  api->get_issuer = &jwt_get_issuer_c;
+  api->get_expiration = &jwt_get_expiration_c;
+  api->value_to_string_p = &jwt_value_to_string;
+  api->string_to_value_p = &jwt_string_to_value;
+  api->typename_to_number_p = &jwt_typename_to_number;
+  api->number_to_typename_p = &jwt_number_to_typename;
+  api->get_attributes_p = &jwt_parse_attributes_p;
+  api->get_issuer_p = &jwt_get_issuer_p;
+  api->get_expiration_p = &jwt_get_expiration_p;
+  api->create_presentation = &jwt_create_presentation;
+  return api;
+}
+/**
+ * Exit point from the plugin.
+ *
+ * @param cls the return value from #libgnunet_plugin_block_test_init()
+ * @return NULL
+ */
+void *
+libgnunet_plugin_reclaim_credential_jwt_done (void *cls)
+{
+  struct GNUNET_RECLAIM_CredentialPluginFunctions *api = cls;
+  GNUNET_free (api);
+  return NULL;
+}
+/* end of plugin_reclaim_credential_type_jwt.c */
diff --git a/src/plugin/reclaim/plugin_reclaim_credential_pabc.c b/src/plugin/reclaim/plugin_reclaim_credential_pabc.c
new file mode 100644
index 000000000..a906805fb
--- /dev/null
+++ b/src/plugin/reclaim/plugin_reclaim_credential_pabc.c
@@ -0,0 +1,572 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2013, 2014, 2016 GNUnet e.V.
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file reclaim/plugin_reclaim_credential_pabc.c
+ * @brief reclaim-credential-plugin-pabc attribute plugin to provide the API for
+ *                                      pabc credentials.
+ *
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_reclaim_plugin.h"
+#include <inttypes.h>
+#include <jansson.h>
+#include <pabc/pabc.h>
+#include "pabc_helper.h"
+/**
+   * Convert the 'value' of an credential to a string.
+   *
+   * @param cls closure, unused
+   * @param type type of the credential
+   * @param data value in binary encoding
+   * @param data_size number of bytes in @a data
+   * @return NULL on error, otherwise human-readable representation of the value
+   */
+static char *
+pabc_value_to_string (void *cls,
+                      uint32_t type,
+                      const void *data,
+                      size_t data_size)
+{
+  switch (type)
+  {
+  case GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC:
+    return GNUNET_strndup (data, data_size);
+  default:
+    return NULL;
+  }
+}
+/**
+ * Convert human-readable version of a 'value' of an credential to the binary
+ * representation.
+ *
+ * @param cls closure, unused
+ * @param type type of the credential
+ * @param s human-readable string
+ * @param data set to value in binary encoding (will be allocated)
+ * @param data_size set to number of bytes in @a data
+ * @return #GNUNET_OK on success
+ */
+static int
+pabc_string_to_value (void *cls,
+                      uint32_t type,
+                      const char *s,
+                      void **data,
+                      size_t *data_size)
+{
+  if (NULL == s)
+    return GNUNET_SYSERR;
+  switch (type)
+  {
+  case GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC:
+    *data = GNUNET_strdup (s);
+    *data_size = strlen (s) + 1;
+    return GNUNET_OK;
+  default:
+    return GNUNET_SYSERR;
+  }
+}
+/**
+ * Mapping of credential type numbers to human-readable
+ * credential type names.
+ */
+static struct
+{
+  const char *name;
+  uint32_t number;
+} pabc_cred_name_map[] = { { "PABC", GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC },
+                           { NULL, UINT32_MAX } };
+/**
+   * Convert a type name to the corresponding number.
+   *
+   * @param cls closure, unused
+   * @param pabc_typename name to convert
+   * @return corresponding number, UINT32_MAX on error
+   */
+static uint32_t
+pabc_typename_to_number (void *cls, const char *pabc_typename)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != pabc_cred_name_map[i].name) &&
+         (0 != strcasecmp (pabc_typename, pabc_cred_name_map[i].name)))
+    i++;
+  return pabc_cred_name_map[i].number;
+}
+/**
+ * Convert a type number (i.e. 1) to the corresponding type string
+ *
+ * @param cls closure, unused
+ * @param type number of a type to convert
+ * @return corresponding typestring, NULL on error
+ */
+static const char *
+pabc_number_to_typename (void *cls, uint32_t type)
+{
+  unsigned int i;
+  i = 0;
+  while ((NULL != pabc_cred_name_map[i].name) && (type !=
+                                                  pabc_cred_name_map[i].
+                                                  number))
+    i++;
+  return pabc_cred_name_map[i].name;
+}
+static void
+inspect_attrs (char const *const key,
+               char const *const value,
+               void *ctx)
+{
+  struct GNUNET_RECLAIM_AttributeList *attrs = ctx;
+  if (NULL == value)
+    return;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Found attribute in PABC credential: `%s': `%s'\n",
+              key, value);
+  if (0 == strcmp (key, "expiration"))
+    return;
+  if (0 == strcmp (key, "issuer"))
+    return;
+  if (0 == strcmp (key, "subject"))
+    return;
+  GNUNET_RECLAIM_attribute_list_add (attrs,
+                                     key,
+                                     NULL,
+                                     GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
+                                     value,
+                                     strlen (value));
+}
+/**
+ * Parse a pabc and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+pabc_parse_attributes (void *cls,
+                       const char *data,
+                       size_t data_size)
+{
+  struct GNUNET_RECLAIM_AttributeList *attrs;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Collecting PABC attributes...\n");
+  attrs = GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
+  GNUNET_assert (PABC_OK ==
+                 pabc_cred_inspect_credential (data,
+                                               &inspect_attrs, attrs));
+  return attrs;
+}
+/**
+ * Parse a pabc and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+pabc_parse_attributes_c (void *cls,
+                         const struct GNUNET_RECLAIM_Credential *cred)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC)
+    return NULL;
+  return pabc_parse_attributes (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a pabc and return the respective claim value as Attribute
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a GNUNET_RECLAIM_Attribute, containing the new value
+ */
+struct GNUNET_RECLAIM_AttributeList *
+pabc_parse_attributes_p (void *cls,
+                         const struct GNUNET_RECLAIM_Presentation *cred)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC)
+    return NULL;
+  return pabc_parse_attributes (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a pabc and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+char*
+pabc_get_issuer (void *cls,
+                 const char *data,
+                 size_t data_size)
+{
+  char *res;
+  if (PABC_OK != pabc_cred_get_attr_by_name_from_cred (data,
+                                                       "issuer",
+                                                       &res))
+    return NULL;
+  return res;
+}
+/**
+ * Parse a pabc and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+char *
+pabc_get_issuer_c (void *cls,
+                   const struct GNUNET_RECLAIM_Credential *cred)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC != cred->type)
+    return NULL;
+  return pabc_get_issuer (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a pabc and return the issuer
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+char *
+pabc_get_issuer_p (void *cls,
+                   const struct GNUNET_RECLAIM_Presentation *cred)
+{
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC != cred->type)
+    return NULL;
+  return pabc_get_issuer (cls, cred->data, cred->data_size);
+}
+/**
+ * Parse a pabc and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+enum GNUNET_GenericReturnValue
+pabc_get_expiration (void *cls,
+                     const char *data,
+                     size_t data_size,
+                     struct GNUNET_TIME_Absolute *exp)
+{
+  char *exp_str;
+  uint64_t exp_i;
+  if (PABC_OK != pabc_cred_get_attr_by_name_from_cred (data,
+                                                       "expiration",
+                                                       &exp_str))
+    return GNUNET_SYSERR;
+  if (1 != sscanf (exp_str, "%llu", &exp_i))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Invalid expiration `%s'\n", exp_str);
+    GNUNET_free (exp_str);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Converted expiration string `%s' to %llu",
+              exp_str, exp_i);
+  GNUNET_free (exp_str);
+  exp->abs_value_us = exp_i * 1000 * 1000;
+  return GNUNET_OK;
+}
+/**
+ * Parse a pabc and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+enum GNUNET_GenericReturnValue
+pabc_get_expiration_c (void *cls,
+                       const struct GNUNET_RECLAIM_Credential *cred,
+                       struct GNUNET_TIME_Absolute *exp)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC)
+    return GNUNET_NO;
+  return pabc_get_expiration (cls, cred->data, cred->data_size, exp);
+}
+/**
+ * Parse a pabc and return the expiration
+ *
+ * @param cls the plugin
+ * @param cred the pabc credential
+ * @return a string, containing the isser
+ */
+enum GNUNET_GenericReturnValue
+pabc_get_expiration_p (void *cls,
+                       const struct GNUNET_RECLAIM_Presentation *cred,
+                       struct GNUNET_TIME_Absolute *exp)
+{
+  if (cred->type != GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC)
+    return GNUNET_NO;
+  return pabc_get_expiration (cls, cred->data, cred->data_size, exp);
+}
+int
+pabc_create_presentation (void *cls,
+                          const struct GNUNET_RECLAIM_Credential *credential,
+                          const struct GNUNET_RECLAIM_AttributeList *attrs,
+                          struct GNUNET_RECLAIM_Presentation **presentation)
+{
+  struct pabc_context *ctx = NULL;
+  struct pabc_user_context *usr_ctx = NULL;
+  struct pabc_public_parameters *pp = NULL;
+  struct pabc_credential *cred = NULL;
+  struct pabc_blinded_proof *proof = NULL;
+  struct GNUNET_RECLAIM_AttributeListEntry *ale;
+  char *issuer;
+  char *subject;
+  enum pabc_status status;
+  if (GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC != credential->type)
+    return GNUNET_NO;
+  PABC_ASSERT (pabc_new_ctx (&ctx));
+  issuer = pabc_get_issuer_c (cls, credential);
+  if (NULL == issuer)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "No issuer found in credential\n");
+    pabc_free_ctx (&ctx);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Got issuer for credential: %s\n", issuer);
+  status = PABC_load_public_parameters (ctx, issuer, &pp);
+  if (status != PABC_OK)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to read public parameters.\n");
+    pabc_free_ctx (&ctx);
+    GNUNET_free (issuer);
+    return GNUNET_SYSERR;
+  }
+  if (PABC_OK != pabc_cred_get_attr_by_name_from_cred (credential->data,
+                                                       "subject",
+                                                       &subject))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to get subject.\n");
+    pabc_free_ctx (&ctx);
+    GNUNET_free (issuer);
+    return GNUNET_SYSERR;
+  }
+  status = PABC_read_usr_ctx (subject, issuer, ctx, pp, &usr_ctx);
+  GNUNET_free (issuer);
+  GNUNET_free (subject);
+  if (PABC_OK != status)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to read user context.\n");
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  status = pabc_new_credential (ctx, pp, &cred);
+  if (status != PABC_OK)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to allocate credential.\n");
+    pabc_free_user_context (ctx, pp, &usr_ctx);
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  status = pabc_decode_credential (ctx, pp, cred, credential->data);
+  if (status != PABC_OK)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to decode credential.\n");
+    pabc_free_credential (ctx, pp, &cred);
+    pabc_free_user_context (ctx, pp, &usr_ctx);
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  status = pabc_new_proof (ctx, pp, &proof);
+  if (status != PABC_OK)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to allocate proof.\n");
+    pabc_free_credential (ctx, pp, &cred);
+    pabc_free_user_context (ctx, pp, &usr_ctx);
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  // now we can parse the attributes to disclose and configure the proof
+  for (ale = attrs->list_head; NULL != ale; ale = ale->next)
+  {
+    status = pabc_set_disclosure_by_attribute_name (ctx, pp, proof,
+                                                    ale->attribute->name,
+                                                    PABC_DISCLOSED, cred);
+    if (status != PABC_OK)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Failed to configure proof.\n");
+      pabc_free_credential (ctx, pp, &cred);
+      pabc_free_user_context (ctx, pp, &usr_ctx);
+      pabc_free_public_parameters (ctx, &pp);
+      return GNUNET_SYSERR;
+    }
+  }
+  // and finally -> sign the proof
+  status = pabc_gen_proof (ctx, usr_ctx, pp, proof, cred);
+  if (status != PABC_OK)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to sign proof.\n");
+    pabc_free_proof (ctx, pp, &proof);
+    pabc_free_credential (ctx, pp, &cred);
+    pabc_free_user_context (ctx, pp, &usr_ctx);
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  // print the result
+  char *json = NULL;
+  char *ppid = NULL;
+  char *userid = NULL;
+  GNUNET_assert (PABC_OK == pabc_cred_get_userid_from_cred (credential->data,
+                                                            &userid));
+  GNUNET_assert (PABC_OK == pabc_cred_get_ppid_from_cred (credential->data,
+                                                          &ppid));
+  pabc_cred_encode_proof (ctx, pp, proof, userid, ppid,  &json);
+  GNUNET_free (ppid);
+  GNUNET_free (userid);
+  if (PABC_OK != status)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to serialize proof.\n");
+    pabc_free_proof (ctx, pp, &proof);
+    pabc_free_credential (ctx, pp, &cred);
+    pabc_free_user_context (ctx, pp, &usr_ctx);
+    pabc_free_public_parameters (ctx, &pp);
+    return GNUNET_SYSERR;
+  }
+  char *json_enc;
+  GNUNET_STRINGS_base64_encode (json,
+                                strlen (json) + 1,
+                                &json_enc);
+  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+              "Presentation: %s\n", json_enc);
+  // clean up
+  *presentation = GNUNET_RECLAIM_presentation_new (
+    GNUNET_RECLAIM_CREDENTIAL_TYPE_PABC,
+    json_enc,
+    strlen (json_enc) + 1);
+  GNUNET_free (json_enc);
+  PABC_FREE_NULL (json);
+  pabc_free_proof (ctx, pp, &proof);
+  pabc_free_credential (ctx, pp, &cred);
+  pabc_free_user_context (ctx, pp, &usr_ctx);
+  pabc_free_public_parameters (ctx, &pp);
+  return GNUNET_OK;
+}
+/**
+ * Entry point for the plugin.
+ *
+ * @param cls NULL
+ * @return the exported block API
+ */
+void *
+libgnunet_plugin_reclaim_credential_pabc_init (void *cls)
+{
+  struct GNUNET_RECLAIM_CredentialPluginFunctions *api;
+  api = GNUNET_new (struct GNUNET_RECLAIM_CredentialPluginFunctions);
+  api->value_to_string = &pabc_value_to_string;
+  api->string_to_value = &pabc_string_to_value;
+  api->typename_to_number = &pabc_typename_to_number;
+  api->number_to_typename = &pabc_number_to_typename;
+  api->get_attributes = &pabc_parse_attributes_c;
+  api->get_issuer = &pabc_get_issuer_c;
+  api->get_expiration = &pabc_get_expiration_c;
+  api->value_to_string_p = &pabc_value_to_string;
+  api->string_to_value_p = &pabc_string_to_value;
+  api->typename_to_number_p = &pabc_typename_to_number;
+  api->number_to_typename_p = &pabc_number_to_typename;
+  api->get_attributes_p = &pabc_parse_attributes_p;
+  api->get_issuer_p = &pabc_get_issuer_p;
+  api->get_expiration_p = &pabc_get_expiration_p;
+  api->create_presentation = &pabc_create_presentation;
+  return api;
+}
+/**
+ * Exit point from the plugin.
+ *
+ * @param cls the return value from #libgnunet_plugin_block_test_init()
+ * @return NULL
+ */
+void *
+libgnunet_plugin_reclaim_credential_pabc_done (void *cls)
+{
+  struct GNUNET_RECLAIM_CredentialPluginFunctions *api = cls;
+  GNUNET_free (api);
+  return NULL;
+}
+/* end of plugin_reclaim_credential_type_pabc.c */