14 files changed, 617 insertions, 140 deletions
diff --git a/src/conversation/conversation.h b/src/conversation/conversation.h
index 9eedbeb91..d244f5163 100644
--- a/src/conversation/conversation.h
+++ b/src/conversation/conversation.h
@@ -313,7 +313,7 @@ struct CadetPhoneRingMessage
  /**
   * Signature over a `struct CadetPhoneRingInfoPS`
   */
-  struct GNUNET_CRYPTO_EcdsaSignature signature;
+  struct GNUNET_IDENTITY_Signature signature;
 };
diff --git a/src/conversation/gnunet-service-conversation.c b/src/conversation/gnunet-service-conversation.c
index b1a629217..a69c95a80 100644
--- a/src/conversation/gnunet-service-conversation.c
+++ b/src/conversation/gnunet-service-conversation.c
@@ -752,10 +752,11 @@ handle_cadet_ring_message (void *cls, const struct CadetPhoneRingMessage *msg)
  rs.expiration_time = msg->expiration_time;
  if (GNUNET_OK !=
-      GNUNET_CRYPTO_ecdsa_verify (GNUNET_SIGNATURE_PURPOSE_CONVERSATION_RING,
+      GNUNET_IDENTITY_signature_verify (
-                                  &rs,
+        GNUNET_SIGNATURE_PURPOSE_CONVERSATION_RING,
-                                  &msg->signature,
+        &rs,
-                                  &msg->caller_id.ecdsa_key))
+        &msg->signature,
+        &msg->caller_id))
  {
    GNUNET_break_op (0);
    destroy_line_cadet_channels (ch);
@@ -1138,9 +1139,7 @@ handle_client_call_message (void *cls, const struct ClientCallMessage *msg)
  e = GNUNET_MQ_msg (ring, GNUNET_MESSAGE_TYPE_CONVERSATION_CADET_PHONE_RING);
  GNUNET_IDENTITY_key_get_public (&msg->caller_id, &ring->caller_id);
  ring->expiration_time = rs.expiration_time;
-  GNUNET_CRYPTO_ecdsa_sign (&msg->caller_id.ecdsa_key,
+  GNUNET_IDENTITY_sign (&msg->caller_id, &rs, &ring->signature);
-                            &rs,
-                            &ring->signature);
  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending RING message via CADET\n");
  GNUNET_MQ_send (ch->mq, e);
  GNUNET_SERVICE_client_continue (line->client);
diff --git a/src/fs/gnunet-publish.c b/src/fs/gnunet-publish.c
index 518192283..dea467669 100644
--- a/src/fs/gnunet-publish.c
+++ b/src/fs/gnunet-publish.c
@@ -591,13 +591,12 @@ directory_trim_complete (struct GNUNET_FS_ShareTreeItem *directory_scan_result)
    GNUNET_SCHEDULER_shutdown ();
    return;
  }
-  if (NULL == namespace)
+  priv = NULL;
-    priv = NULL;
+  if (NULL != namespace)
-  else
  {
    pk = GNUNET_IDENTITY_ego_get_private_key (namespace);
-    if (GNUNET_IDENTITY_TYPE_ECDSA == ntohl (pk->type))
+    GNUNET_assert (GNUNET_IDENTITY_TYPE_ECDSA == ntohl (pk->type));
-      priv = &pk->ecdsa_key;
+    priv = &pk->ecdsa_key;
  }
  pc = GNUNET_FS_publish_start (ctx,
                                fi,
diff --git a/src/gnsrecord/gnsrecord_misc.c b/src/gnsrecord/gnsrecord_misc.c
index ba8803850..82c38f19a 100644
--- a/src/gnsrecord/gnsrecord_misc.c
+++ b/src/gnsrecord/gnsrecord_misc.c
@@ -107,8 +107,8 @@ GNUNET_GNSRECORD_records_cmp (const struct GNUNET_GNSRECORD_Data *a,
  {
    LOG (GNUNET_ERROR_TYPE_DEBUG,
         "Expiration time %llu != %llu\n",
-         a->expiration_time,
+         (unsigned long long) a->expiration_time,
-         b->expiration_time);
+         (unsigned long long) b->expiration_time);
    return GNUNET_NO;
  }
  if ((a->flags & GNUNET_GNSRECORD_RF_RCMP_FLAGS)
@@ -282,11 +282,13 @@ GNUNET_GNSRECORD_identity_from_data (const char *data,
    return GNUNET_SYSERR;
  if (data_size > sizeof (struct GNUNET_IDENTITY_PublicKey))
    return GNUNET_SYSERR;
-  key->type = type;
+  return (GNUNET_IDENTITY_read_key_from_buffer (key, data, data_size) ==
-  memcpy (key, data, data_size);
+          data_size?
-  return GNUNET_OK;
+          GNUNET_OK :
+          GNUNET_SYSERR);
 }
 enum GNUNET_GenericReturnValue
 GNUNET_GNSRECORD_data_from_identity (const struct
                                     GNUNET_IDENTITY_PublicKey *key,
@@ -294,13 +296,15 @@ GNUNET_GNSRECORD_data_from_identity (const struct
                                     size_t *data_size,
                                     uint32_t *type)
 {
-  *type = key->type;
+  *type = ntohl (key->type);
  *data_size = GNUNET_IDENTITY_key_get_length (key);
  if (0 == *data_size)
    return GNUNET_SYSERR;
  *data = GNUNET_malloc (*data_size);
-  memcpy (*data, key, *data_size);
+  return (GNUNET_IDENTITY_write_key_to_buffer (key, *data, *data_size) ==
-  return GNUNET_OK;
+          *data_size?
+          GNUNET_OK :
+          GNUNET_SYSERR);
 }
@@ -309,14 +313,15 @@ GNUNET_GNSRECORD_is_zonekey_type (uint32_t type)
 {
  switch (type)
  {
-    case GNUNET_GNSRECORD_TYPE_PKEY:
+  case GNUNET_GNSRECORD_TYPE_PKEY:
-    case GNUNET_GNSRECORD_TYPE_EDKEY:
+  case GNUNET_GNSRECORD_TYPE_EDKEY:
-      return GNUNET_YES;
+    return GNUNET_YES;
-    default:
+  default:
-      return GNUNET_NO;
+    return GNUNET_NO;
  }
 }
 size_t
 GNUNET_GNSRECORD_block_get_size (const struct GNUNET_GNSRECORD_Block *block)
 {
diff --git a/src/identity/identity_api.c b/src/identity/identity_api.c
index 213b6966e..d44e8da96 100644
--- a/src/identity/identity_api.c
+++ b/src/identity/identity_api.c
@@ -953,6 +953,7 @@ GNUNET_IDENTITY_disconnect (struct GNUNET_IDENTITY_Handle *h)
  GNUNET_free (h);
 }
 ssize_t
 private_key_get_length (const struct GNUNET_IDENTITY_PrivateKey *key)
 {
@@ -971,7 +972,6 @@ private_key_get_length (const struct GNUNET_IDENTITY_PrivateKey *key)
 }
 ssize_t
 GNUNET_IDENTITY_key_get_length (const struct GNUNET_IDENTITY_PublicKey *key)
 {
@@ -990,6 +990,229 @@ GNUNET_IDENTITY_key_get_length (const struct GNUNET_IDENTITY_PublicKey *key)
 }
+ssize_t
+GNUNET_IDENTITY_read_key_from_buffer (struct GNUNET_IDENTITY_PublicKey *key,
+                                      const void*buffer,
+                                      size_t len)
+{
+  if (len < sizeof (key->type))
+    return -1;
+  GNUNET_memcpy (&(key->type), buffer, sizeof (key->type));
+  const ssize_t length = GNUNET_IDENTITY_key_get_length (key);
+  if (len < length)
+    return -1;
+  if (length < 0)
+    return -2;
+  GNUNET_memcpy (&(key->ecdsa_key), buffer + sizeof (key->type), length
+                 - sizeof (key->type));
+  return length;
+}
+ssize_t
+GNUNET_IDENTITY_write_key_to_buffer (const struct
+                                     GNUNET_IDENTITY_PublicKey *key,
+                                     void*buffer,
+                                     size_t len)
+{
+  const ssize_t length = GNUNET_IDENTITY_key_get_length (key);
+  if (len < length)
+    return -1;
+  if (length < 0)
+    return -2;
+  GNUNET_memcpy (buffer, key, length);
+  return length;
+}
+ssize_t
+GNUNET_IDENTITY_signature_get_length (const struct
+                                      GNUNET_IDENTITY_Signature *sig)
+{
+  switch (ntohl (sig->type))
+  {
+  case GNUNET_IDENTITY_TYPE_ECDSA:
+    return sizeof (sig->type) + sizeof (sig->ecdsa_signature);
+    break;
+  case GNUNET_IDENTITY_TYPE_EDDSA:
+    return sizeof (sig->type) + sizeof (sig->eddsa_signature);
+    break;
+  default:
+    GNUNET_break (0);
+  }
+  return -1;
+}
+ssize_t
+GNUNET_IDENTITY_read_signature_from_buffer (struct
+                                            GNUNET_IDENTITY_Signature *sig,
+                                            const void*buffer,
+                                            size_t len)
+{
+  if (len < sizeof (sig->type))
+    return -1;
+  GNUNET_memcpy (&(sig->type), buffer, sizeof (sig->type));
+  const ssize_t length = GNUNET_IDENTITY_signature_get_length (sig);
+  if (len < length)
+    return -1;
+  if (length < 0)
+    return -2;
+  GNUNET_memcpy (&(sig->ecdsa_signature), buffer + sizeof (sig->type), length
+                 - sizeof (sig->type));
+  return length;
+}
+ssize_t
+GNUNET_IDENTITY_write_signature_to_buffer (const struct
+                                           GNUNET_IDENTITY_Signature *sig,
+                                           void*buffer,
+                                           size_t len)
+{
+  const ssize_t length = GNUNET_IDENTITY_signature_get_length (sig);
+  if (len < length)
+    return -1;
+  if (length < 0)
+    return -2;
+  GNUNET_memcpy (buffer, &(sig->type), sizeof (sig->type));
+  GNUNET_memcpy (buffer + sizeof (sig->type), &(sig->ecdsa_signature), length
+                 - sizeof (sig->type));
+  return length;
+}
+int
+GNUNET_IDENTITY_sign_ (const struct
+                       GNUNET_IDENTITY_PrivateKey *priv,
+                       const struct
+                       GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+                       struct GNUNET_IDENTITY_Signature *sig)
+{
+  sig->type = priv->type;
+  switch (ntohl (priv->type))
+  {
+  case GNUNET_IDENTITY_TYPE_ECDSA:
+    return GNUNET_CRYPTO_ecdsa_sign_ (&(priv->ecdsa_key), purpose,
+                                      &(sig->ecdsa_signature));
+    break;
+  case GNUNET_IDENTITY_TYPE_EDDSA:
+    return GNUNET_CRYPTO_eddsa_sign_ (&(priv->eddsa_key), purpose,
+                                      &(sig->eddsa_signature));
+    break;
+  default:
+    GNUNET_break (0);
+  }
+  return GNUNET_SYSERR;
+}
+int
+GNUNET_IDENTITY_signature_verify_ (uint32_t purpose,
+                                   const struct
+                                   GNUNET_CRYPTO_EccSignaturePurpose *validate,
+                                   const struct GNUNET_IDENTITY_Signature *sig,
+                                   const struct GNUNET_IDENTITY_PublicKey *pub)
+{
+  /* check type matching of 'sig' and 'pub' */
+  GNUNET_assert (ntohl (pub->type) == ntohl (sig->type));
+  switch (ntohl (pub->type))
+  {
+  case GNUNET_IDENTITY_TYPE_ECDSA:
+    return GNUNET_CRYPTO_ecdsa_verify_ (purpose, validate,
+                                        &(sig->ecdsa_signature),
+                                        &(pub->ecdsa_key));
+    break;
+  case GNUNET_IDENTITY_TYPE_EDDSA:
+    return GNUNET_CRYPTO_eddsa_verify_ (purpose, validate,
+                                        &(sig->eddsa_signature),
+                                        &(pub->eddsa_key));
+    break;
+  default:
+    GNUNET_break (0);
+  }
+  return GNUNET_SYSERR;
+}
+ssize_t
+GNUNET_IDENTITY_public_key_encrypt (const void *block,
+                                    size_t size,
+                                    const struct GNUNET_IDENTITY_PublicKey *pub,
+                                    struct GNUNET_CRYPTO_EcdhePublicKey *ecc,
+                                    void *result)
+{
+  struct GNUNET_CRYPTO_EcdhePrivateKey pk;
+  GNUNET_CRYPTO_ecdhe_key_create (&pk);
+  struct GNUNET_HashCode hash;
+  switch (ntohl (pub->type))
+  {
+  case GNUNET_IDENTITY_TYPE_ECDSA:
+    if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdh_ecdsa (&pk, &(pub->ecdsa_key),
+                                                   &hash))
+      return -1;
+    break;
+  case GNUNET_IDENTITY_TYPE_EDDSA:
+    if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdh_eddsa (&pk, &(pub->eddsa_key),
+                                                   &hash))
+      return -1;
+    break;
+  default:
+    return -1;
+  }
+  GNUNET_CRYPTO_ecdhe_key_get_public (&pk, ecc);
+  GNUNET_CRYPTO_ecdhe_key_clear (&pk);
+  struct GNUNET_CRYPTO_SymmetricSessionKey key;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+  GNUNET_CRYPTO_hash_to_aes_key (&hash, &key, &iv);
+  GNUNET_CRYPTO_zero_keys (&hash, sizeof(hash));
+  const ssize_t encrypted = GNUNET_CRYPTO_symmetric_encrypt (block, size, &key,
+                                                             &iv, result);
+  GNUNET_CRYPTO_zero_keys (&key, sizeof(key));
+  GNUNET_CRYPTO_zero_keys (&iv, sizeof(iv));
+  return encrypted;
+}
+ssize_t
+GNUNET_IDENTITY_private_key_decrypt (const void *block,
+                                     size_t size,
+                                     const struct
+                                     GNUNET_IDENTITY_PrivateKey *priv,
+                                     const struct
+                                     GNUNET_CRYPTO_EcdhePublicKey *ecc,
+                                     void *result)
+{
+  struct GNUNET_HashCode hash;
+  switch (ntohl (priv->type))
+  {
+  case GNUNET_IDENTITY_TYPE_ECDSA:
+    if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_ecdh (&(priv->ecdsa_key), ecc,
+                                                   &hash))
+      return -1;
+    break;
+  case GNUNET_IDENTITY_TYPE_EDDSA:
+    if (GNUNET_SYSERR == GNUNET_CRYPTO_eddsa_ecdh (&(priv->eddsa_key), ecc,
+                                                   &hash))
+      return -1;
+    break;
+  default:
+    return -1;
+  }
+  struct GNUNET_CRYPTO_SymmetricSessionKey key;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
+  GNUNET_CRYPTO_hash_to_aes_key (&hash, &key, &iv);
+  GNUNET_CRYPTO_zero_keys (&hash, sizeof(hash));
+  const ssize_t decrypted = GNUNET_CRYPTO_symmetric_decrypt (block, size, &key,
+                                                             &iv, result);
+  GNUNET_CRYPTO_zero_keys (&key, sizeof(key));
+  GNUNET_CRYPTO_zero_keys (&iv, sizeof(iv));
+  return decrypted;
+}
 char *
 GNUNET_IDENTITY_public_key_to_string (const struct
                                      GNUNET_IDENTITY_PublicKey *key)
@@ -1023,7 +1246,7 @@ GNUNET_IDENTITY_public_key_from_string (const char *str,
  if (GNUNET_OK != ret)
    return GNUNET_SYSERR;
  ktype = ntohl (key->type);
-  return (GNUNET_IDENTITY_TYPE_ECDSA == ktype) ? GNUNET_OK : GNUNET_SYSERR; //FIXME other keys, cleaner way?
+  return (GNUNET_IDENTITY_TYPE_ECDSA == ktype) ? GNUNET_OK : GNUNET_SYSERR; // FIXME other keys, cleaner way?
 }
@@ -1041,7 +1264,7 @@ GNUNET_IDENTITY_private_key_from_string (const char *str,
  if (GNUNET_OK != ret)
    return GNUNET_SYSERR;
  ktype = ntohl (key->type);
-  return (GNUNET_IDENTITY_TYPE_ECDSA == ktype) ? GNUNET_OK : GNUNET_SYSERR; //FIXME other keys, cleaner way?
+  return (GNUNET_IDENTITY_TYPE_ECDSA == ktype) ? GNUNET_OK : GNUNET_SYSERR; // FIXME other keys, cleaner way?
 }
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 03fb16a43..2bbf2b1e7 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -1700,7 +1700,7 @@ GNUNET_CRYPTO_eddsa_sign_ (
 */
 #define GNUNET_CRYPTO_eddsa_sign(priv,ps,sig) do {                 \
    /* check size is set correctly */                              \
-    GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*ps));    \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*ps));    \
    /* check 'ps' begins with the purpose */                       \
    GNUNET_static_assert (((void*) (ps)) ==                        \
                          ((void*) &(ps)->purpose));               \
@@ -1747,7 +1747,7 @@ GNUNET_CRYPTO_ecdsa_sign_ (
 */
 #define GNUNET_CRYPTO_ecdsa_sign(priv,ps,sig) do {                 \
    /* check size is set correctly */                              \
-    GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*(ps)));  \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));  \
    /* check 'ps' begins with the purpose */                       \
    GNUNET_static_assert (((void*) (ps)) ==                        \
                          ((void*) &(ps)->purpose));               \
@@ -1853,7 +1853,7 @@ GNUNET_CRYPTO_ecdsa_verify_ (
 */
 #define GNUNET_CRYPTO_ecdsa_verify(purp,ps,sig,pub) ({             \
    /* check size is set correctly */                              \
-    GNUNET_assert (htonl ((ps)->purpose.size) == sizeof (*(ps)));  \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));  \
    /* check 'ps' begins with the purpose */                       \
    GNUNET_static_assert (((void*) (ps)) ==                        \
                          ((void*) &(ps)->purpose));               \
diff --git a/src/include/gnunet_identity_service.h b/src/include/gnunet_identity_service.h
index 17714fec4..2974568db 100644
--- a/src/include/gnunet_identity_service.h
+++ b/src/include/gnunet_identity_service.h
@@ -138,6 +138,33 @@ struct GNUNET_IDENTITY_PublicKey
 /**
+ * An identity signature as per LSD0001.
+ */
+struct GNUNET_IDENTITY_Signature
+{
+  /**
+   * Type of signature.
+   * Defined by the GNS zone type value.
+   * In NBO.
+   */
+  uint32_t type;
+  union
+  {
+    /**
+     * An ECDSA signature
+     */
+    struct GNUNET_CRYPTO_EcdsaSignature ecdsa_signature;
+    /**
+     * AN EdDSA signature
+     */
+    struct GNUNET_CRYPTO_EddsaSignature eddsa_signature;
+  };
+};
+/**
 * Handle for an operation with the identity service.
 */
 struct GNUNET_IDENTITY_Operation;
@@ -379,6 +406,240 @@ GNUNET_IDENTITY_key_get_length (const struct GNUNET_IDENTITY_PublicKey *key);
 /**
+ * Reads a #GNUNET_IDENTITY_PublicKey from a compact buffer.
+ * The buffer has to contain at least the compacted length of
+ * a #GNUNET_IDENTITY_PublicKey in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the buffer does not contain a valid key, it returns -2 as error.
+ *
+ * @param key the key
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes read from the buffer
+ */
+ssize_t
+GNUNET_IDENTITY_read_key_from_buffer (struct GNUNET_IDENTITY_PublicKey *key,
+                                      const void*buffer,
+                                      size_t len);
+/**
+ * Writes a #GNUNET_IDENTITY_PublicKey to a compact buffer.
+ * The buffer requires space for at least the compacted length of
+ * a #GNUNET_IDENTITY_PublicKey in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the key is not valid, it returns -2 as error.
+ *
+ * @param key the key
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes written to the buffer
+ */
+ssize_t
+GNUNET_IDENTITY_write_key_to_buffer (const struct
+                                     GNUNET_IDENTITY_PublicKey *key,
+                                     void*buffer,
+                                     size_t len);
+/**
+ * Get the compacted length of a #GNUNET_IDENTITY_Signature.
+ * Compacted means that it returns the minimum number of bytes this
+ * signature is long, as opposed to the union structure inside
+ * #GNUNET_IDENTITY_Signature.
+ * Useful for compact serializations.
+ *
+ * @param sig the signature.
+ * @return -1 on error, else the compacted length of the signature.
+ */
+ssize_t
+GNUNET_IDENTITY_signature_get_length (const struct
+                                      GNUNET_IDENTITY_Signature *sig);
+/**
+ * Reads a #GNUNET_IDENTITY_Signature from a compact buffer.
+ * The buffer has to contain at least the compacted length of
+ * a #GNUNET_IDENTITY_Signature in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the buffer does not contain a valid key, it returns -2 as error.
+ *
+ * @param sig the signature
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes read from the buffer
+ */
+ssize_t
+GNUNET_IDENTITY_read_signature_from_buffer (struct
+                                            GNUNET_IDENTITY_Signature *sig,
+                                            const void*buffer,
+                                            size_t len);
+/**
+ * Writes a #GNUNET_IDENTITY_Signature to a compact buffer.
+ * The buffer requires space for at least the compacted length of
+ * a #GNUNET_IDENTITY_Signature in bytes.
+ * If the buffer is too small, the function returns -1 as error.
+ * If the key is not valid, it returns -2 as error.
+ *
+ * @param sig the signature
+ * @param buffer the buffer
+ * @param len the length of buffer
+ * @return -1 or -2 on error, else the amount of bytes written to the buffer
+ */
+ssize_t
+GNUNET_IDENTITY_write_signature_to_buffer (const struct
+                                           GNUNET_IDENTITY_Signature *sig,
+                                           void*buffer,
+                                           size_t len);
+/**
+ * @brief Sign a given block.
+ *
+ * The @a purpose data is the beginning of the data of which the signature is
+ * to be created. The `size` field in @a purpose must correctly indicate the
+ * number of bytes of the data structure, including its header. If possible,
+ * use #GNUNET_IDENTITY_sign() instead of this function.
+ *
+ * @param priv private key to use for the signing
+ * @param purpose what to sign (size, purpose)
+ * @param[out] sig where to write the signature
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+int
+GNUNET_IDENTITY_sign_ (const struct
+                       GNUNET_IDENTITY_PrivateKey *priv,
+                       const struct
+                       GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+                       struct GNUNET_IDENTITY_Signature *sig);
+/**
+ * @brief Sign a given block with #GNUNET_IDENTITY_PrivateKey.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param priv private key to use for the signing
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param[out] sig where to write the signature
+ */
+#define GNUNET_IDENTITY_sign(priv,ps,sig) do {                \
+    /* check size is set correctly */                                     \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));         \
+    /* check 'ps' begins with the purpose */                              \
+    GNUNET_static_assert (((void*) (ps)) ==                               \
+                          ((void*) &(ps)->purpose));                      \
+    GNUNET_assert (GNUNET_OK ==                                           \
+                   GNUNET_IDENTITY_sign_ (priv,               \
+                                          &(ps)->purpose,             \
+                                          sig));                      \
+} while (0)
+/**
+ * @brief Verify a given signature.
+ *
+ * The @a validate data is the beginning of the data of which the signature
+ * is to be verified. The `size` field in @a validate must correctly indicate
+ * the number of bytes of the data structure, including its header.  If @a
+ * purpose does not match the purpose given in @a validate (the latter must be
+ * in big endian), signature verification fails.  If possible,
+ * use #GNUNET_IDENTITY_signature_verify() instead of this function (only if @a validate
+ * is not fixed-size, you must use this function directly).
+ *
+ * @param purpose what is the purpose that the signature should have?
+ * @param validate block to validate (size, purpose, data)
+ * @param sig signature that is being validated
+ * @param pub public key of the signer
+ * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid
+ */
+int
+GNUNET_IDENTITY_signature_verify_ (uint32_t purpose,
+                                   const struct
+                                   GNUNET_CRYPTO_EccSignaturePurpose *validate,
+                                   const struct GNUNET_IDENTITY_Signature *sig,
+                                   const struct
+                                   GNUNET_IDENTITY_PublicKey *pub);
+/**
+ * @brief Verify a given signature with #GNUNET_IDENTITY_PublicKey.
+ *
+ * The @a ps data must be a fixed-size struct for which the signature is to be
+ * created. The `size` field in @a ps->purpose must correctly indicate the
+ * number of bytes of the data structure, including its header.
+ *
+ * @param purp purpose of the signature, must match 'ps->purpose.purpose'
+ *              (except in host byte order)
+ * @param ps packed struct with what to sign, MUST begin with a purpose
+ * @param sig where to read the signature from
+ * @param pub public key to use for the verifying
+ */
+#define GNUNET_IDENTITY_signature_verify(purp,ps,sig,pub) ({             \
+    /* check size is set correctly */                                     \
+    GNUNET_assert (ntohl ((ps)->purpose.size) == sizeof (*(ps)));         \
+    /* check 'ps' begins with the purpose */                              \
+    GNUNET_static_assert (((void*) (ps)) ==                               \
+                          ((void*) &(ps)->purpose));                      \
+    GNUNET_IDENTITY_signature_verify_ (purp,                              \
+                                       &(ps)->purpose,                    \
+                                       sig,                               \
+                                       pub);                              \
+  })
+/**
+ * Encrypt a block with #GNUNET_IDENTITY_PublicKey and derives a
+ * #GNUNET_CRYPTO_EcdhePublicKey which is required for decryption
+ * using ecdh to derive a symmetric key.
+ *
+ * @param block the block to encrypt
+ * @param size the size of the @a block
+ * @param pub public key to use for ecdh
+ * @param ecc where to write the ecc public key
+ * @param result the output parameter in which to store the encrypted result
+ *               can be the same or overlap with @c block
+ * @returns the size of the encrypted block, -1 for errors.
+ *          Due to the use of CFB and therefore an effective stream cipher,
+ *          this size should be the same as @c len.
+ */
+ssize_t
+GNUNET_IDENTITY_encrypt (const void *block,
+                         size_t size,
+                         const struct GNUNET_IDENTITY_PublicKey *pub,
+                         struct GNUNET_CRYPTO_EcdhePublicKey *ecc,
+                         void *result);
+/**
+ * Decrypt a given block with #GNUNET_IDENTITY_PrivateKey and a given
+ * #GNUNET_CRYPTO_EcdhePublicKey using ecdh to derive a symmetric key.
+ *
+ * @param block the data to decrypt, encoded as returned by encrypt
+ * @param size the size of the @a block to decrypt
+ * @param priv private key to use for ecdh
+ * @param ecc the ecc public key
+ * @param result address to store the result at
+ *               can be the same or overlap with @c block
+ * @return -1 on failure, size of decrypted block on success.
+ *         Due to the use of CFB and therefore an effective stream cipher,
+ *         this size should be the same as @c size.
+ */
+ssize_t
+GNUNET_IDENTITY_decrypt (const void *block,
+                         size_t size,
+                         const struct
+                         GNUNET_IDENTITY_PrivateKey *priv,
+                         const struct
+                         GNUNET_CRYPTO_EcdhePublicKey *ecc,
+                         void *result);
+/**
 * Creates a (Base32) string representation of the public key.
 * The resulting string encodes a compacted representation of the key.
 * See also #GNUNET_IDENTITY_key_get_length.
@@ -438,7 +699,8 @@ GNUNET_IDENTITY_private_key_from_string (const char*str,
 * @return GNUNET_SYSERR on error.
 */
 enum GNUNET_GenericReturnValue
-GNUNET_IDENTITY_key_get_public (const struct GNUNET_IDENTITY_PrivateKey *privkey,
+GNUNET_IDENTITY_key_get_public (const struct
+                                GNUNET_IDENTITY_PrivateKey *privkey,
                                struct GNUNET_IDENTITY_PublicKey *key);
diff --git a/src/include/gnunet_revocation_service.h b/src/include/gnunet_revocation_service.h
index 18c1f2674..d56116914 100644
--- a/src/include/gnunet_revocation_service.h
+++ b/src/include/gnunet_revocation_service.h
@@ -95,7 +95,7 @@ struct GNUNET_REVOCATION_PowP
 /**
 * The signature object we use for the PoW
 */
-struct GNUNET_REVOCATION_EcdsaSignaturePurposePS
+struct GNUNET_REVOCATION_SignaturePurposePS
 {
  /**
   * The signature purpose
@@ -103,19 +103,11 @@ struct GNUNET_REVOCATION_EcdsaSignaturePurposePS
  struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
  /**
-   * Type of the key
-   */
-  uint32_t ktype;
-  /**
-   * The revoked public key
-   */
-  struct GNUNET_CRYPTO_EcdsaPublicKey key;
-  /**
   * The timestamp of the revocation
   */
  struct GNUNET_TIME_AbsoluteNBO timestamp;
+  /** Followed by the zone public key type and key **/
 };
 GNUNET_NETWORK_STRUCT_END
diff --git a/src/namestore/test_namestore_api_zone_to_name.c b/src/namestore/test_namestore_api_zone_to_name.c
index e5ede6bcd..3fd10e4a1 100644
--- a/src/namestore/test_namestore_api_zone_to_name.c
+++ b/src/namestore/test_namestore_api_zone_to_name.c
@@ -212,12 +212,13 @@ run (void *cls,
  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
                              &s_zone_value,
                              sizeof(s_zone_value));
+  s_zone_value.type = htonl (GNUNET_GNSRECORD_TYPE_PKEY);
  {
    struct GNUNET_GNSRECORD_Data rd;
    rd.expiration_time = GNUNET_TIME_absolute_get ().abs_value_us;
    rd.record_type = GNUNET_GNSRECORD_TYPE_PKEY;
-    rd.data_size = sizeof(s_zone_value);
+    rd.data_size = GNUNET_IDENTITY_key_get_length (&s_zone_value);
    rd.data = &s_zone_value;
    rd.flags = 0;
diff --git a/src/namestore/test_plugin_rest_namestore.sh b/src/namestore/test_plugin_rest_namestore.sh
index 12a7fa50c..8a45cebf5 100755
--- a/src/namestore/test_plugin_rest_namestore.sh
+++ b/src/namestore/test_plugin_rest_namestore.sh
@@ -84,14 +84,15 @@ gnunet-identity -C $TEST_ID -c test_namestore_api.conf
 test="$(gnunet-namestore -D -z $TEST_ID -c test_namestore_api.conf)"
 name=$TEST_ID
 public="$(gnunet-identity -d -c test_namestore_api.conf | grep $TEST_ID | awk 'NR==1{print $3}')"
-gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG" -t "PKEY" -c test_namestore_api.conf
+echo "$name $public"
+valgrind gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8" -t "PKEY" -c test_namestore_api.conf
 #curl_get "${namestore_link}" "HTTP/1.1 200 OK"
 curl_get "${namestore_link}/$name" "HTTP/1.1 200 OK"
 curl_get "${namestore_link}/$public" "error"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf
 #Test POST with NAME
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204 No Content"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204 No Content"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
 # invalid values
@@ -106,29 +107,29 @@ curl_post "${namestore_link}/$name" '{"data": [{"record_type":"PKEY", "expiratio
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
 #expirations
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"0d","private": false, "relative_expiration": true, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"0d","private": false, "relative_expiration": true, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"10000d","private": false, "relative_expiration": true, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"10000d","private": false, "relative_expiration": true, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "HTTP/1.1 204"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"now","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "error"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"now","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "error"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time_missing":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "error"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time_missing":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":"test_entry"}' "error"
 gnunet-namestore -z $name -d -n "test_entry" -c test_namestore_api.conf > /dev/null 2>&1
 #record_name
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":""}' "error"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name":""}' "error"
 gnunet-namestore -z $name -d -n "test_entry"  -c test_namestore_api.conf > /dev/null 2>&1
-curl_post "${namestore_link}/$name" '{"data": [{"value":"HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name_missing":"test_entry"}' "error"
+curl_post "${namestore_link}/$name" '{"data": [{"value":"000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8", "record_type":"PKEY", "expiration_time":"1d","private": false, "relative_expiration": false, "supplemental": false, "shadow": false}],"record_name_missing":"test_entry"}' "error"
 gnunet-namestore -z $name -d -n "test_entry"  -c test_namestore_api.conf > /dev/null 2>&1
 #Test DELETE
-gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG" -t "PKEY"  -c test_namestore_api.conf
+gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8" -t "PKEY"  -c test_namestore_api.conf
 curl_delete "${namestore_link}/$name/test_entry" "HTTP/1.1 204" 
 curl_delete "${namestore_link}/$name/test_entry" "error" 
-gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "HVX38H2CB7WJM0WCPWT9CFX6GASMYJVR65RN75SJSSKAYVYXHMRG" -t "PKEY"  -c test_namestore_api.conf
+gnunet-namestore -z $name -p -a -n "test_entry" -e "1d" -V "000G006WVZ8HQ5YTVFNX09HK0VJVVQ9ZCBYDSCH3ERT04N5ZRBKEB82EP8" -t "PKEY"  -c test_namestore_api.conf
 curl_delete "${namestore_link}/$public/test_entry" "error" 
 gnunet-arm -e  -c test_namestore_api.conf
diff --git a/src/pt/test_gns_vpn.c b/src/pt/test_gns_vpn.c
index cf0455477..7b4abaec2 100644
--- a/src/pt/test_gns_vpn.c
+++ b/src/pt/test_gns_vpn.c
@@ -560,7 +560,7 @@ identity_cb (void *cls,
             void **ctx,
             const char *name)
 {
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key;
+  const struct GNUNET_IDENTITY_PrivateKey *zone_key;
  struct GNUNET_GNSRECORD_Data rd;
  char *rd_string;
  char *peername;
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index c3ff07976..c6d56e02d 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -154,10 +154,12 @@ fix_base64 (char *str)
  replace_char (str, '/', '_');
 }
 static json_t*
-generate_userinfo_json(const struct GNUNET_IDENTITY_PublicKey *sub_key,
+generate_userinfo_json (const struct GNUNET_IDENTITY_PublicKey *sub_key,
-                       const struct GNUNET_RECLAIM_AttributeList *attrs,
+                        const struct GNUNET_RECLAIM_AttributeList *attrs,
-                       const struct GNUNET_RECLAIM_PresentationList *presentations)
+                        const struct
+                        GNUNET_RECLAIM_PresentationList *presentations)
 {
  struct GNUNET_RECLAIM_AttributeListEntry *le;
  struct GNUNET_RECLAIM_PresentationListEntry *ple;
@@ -206,7 +208,8 @@ generate_userinfo_json(const struct GNUNET_IDENTITY_PublicKey *sub_key,
                                                   ple->presentation->data,
                                                   ple->presentation->data_size);
    json_object_set_new (aggr_sources_jwt,
-                         GNUNET_RECLAIM_presentation_number_to_typename (ple->presentation->type),
+                         GNUNET_RECLAIM_presentation_number_to_typename (
+                           ple->presentation->type),
                         json_string (pres_val_str) );
    json_object_set_new (aggr_sources, source_name, aggr_sources_jwt);
    GNUNET_free (pres_val_str);
@@ -286,6 +289,7 @@ generate_userinfo_json(const struct GNUNET_IDENTITY_PublicKey *sub_key,
  return body;
 }
 /**
 * Generate userinfo JSON as string
 *
@@ -297,12 +301,13 @@ generate_userinfo_json(const struct GNUNET_IDENTITY_PublicKey *sub_key,
 char *
 OIDC_generate_userinfo (const struct GNUNET_IDENTITY_PublicKey *sub_key,
                        const struct GNUNET_RECLAIM_AttributeList *attrs,
-                        const struct GNUNET_RECLAIM_PresentationList *presentations)
+                        const struct
+                        GNUNET_RECLAIM_PresentationList *presentations)
 {
  char *body_str;
-  json_t* body = generate_userinfo_json (sub_key,
+  json_t*body = generate_userinfo_json (sub_key,
-                                         attrs,
+                                        attrs,
-                                         presentations);
+                                        presentations);
  body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
  json_decref (body);
  return body_str;
@@ -324,7 +329,8 @@ char *
 OIDC_generate_id_token (const struct GNUNET_IDENTITY_PublicKey *aud_key,
                        const struct GNUNET_IDENTITY_PublicKey *sub_key,
                        const struct GNUNET_RECLAIM_AttributeList *attrs,
-                        const struct GNUNET_RECLAIM_PresentationList *presentations,
+                        const struct
+                        GNUNET_RECLAIM_PresentationList *presentations,
                        const struct GNUNET_TIME_Relative *expiration_time,
                        const char *nonce,
                        const char *secret_key)
@@ -441,7 +447,8 @@ char *
 OIDC_build_authz_code (const struct GNUNET_IDENTITY_PrivateKey *issuer,
                       const struct GNUNET_RECLAIM_Ticket *ticket,
                       const struct GNUNET_RECLAIM_AttributeList *attrs,
-                       const struct GNUNET_RECLAIM_PresentationList *presentations,
+                       const struct
+                       GNUNET_RECLAIM_PresentationList *presentations,
                       const char *nonce_str,
                       const char *code_challenge)
 {
@@ -525,7 +532,7 @@ OIDC_build_authz_code (const struct GNUNET_IDENTITY_PrivateKey *issuer,
  // Get length
  code_payload_len = sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
                     + payload_len + sizeof(struct
-                                            GNUNET_CRYPTO_EcdsaSignature);
+                                            GNUNET_IDENTITY_Signature);
  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
              "Length of data to encode: %lu\n",
              code_payload_len);
@@ -544,10 +551,10 @@ OIDC_build_authz_code (const struct GNUNET_IDENTITY_PrivateKey *issuer,
  buf_ptr += payload_len;
  // Sign and store signature
  if (GNUNET_SYSERR ==
-      GNUNET_CRYPTO_ecdsa_sign_ (&issuer->ecdsa_key,
+      GNUNET_IDENTITY_sign_ (issuer,
-                                 purpose,
+                             purpose,
-                                 (struct GNUNET_CRYPTO_EcdsaSignature *)
+                             (struct GNUNET_IDENTITY_Signature *)
-                                 buf_ptr))
+                             buf_ptr))
  {
    GNUNET_break (0);
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
@@ -593,7 +600,7 @@ OIDC_parse_authz_code (const struct GNUNET_IDENTITY_PublicKey *audience,
  char *code_challenge;
  char *code_verifier_hash;
  struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
-  struct GNUNET_CRYPTO_EcdsaSignature *signature;
+  struct GNUNET_IDENTITY_Signature *signature;
  uint32_t code_challenge_len;
  uint32_t attrs_ser_len;
  uint32_t pres_ser_len;
@@ -609,7 +616,7 @@ OIDC_parse_authz_code (const struct GNUNET_IDENTITY_PublicKey *audience,
                                     (void **) &code_payload);
  if (code_payload_len < sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
      + sizeof(struct OIDC_Parameters)
-      + sizeof(struct GNUNET_CRYPTO_EcdsaSignature))
+      + sizeof(struct GNUNET_IDENTITY_Signature))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
    GNUNET_free (code_payload);
@@ -620,10 +627,10 @@ OIDC_parse_authz_code (const struct GNUNET_IDENTITY_PublicKey *audience,
  plaintext_len = code_payload_len;
  plaintext_len -= sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose);
  ptr = (char *) &purpose[1];
-  plaintext_len -= sizeof(struct GNUNET_CRYPTO_EcdsaSignature);
+  plaintext_len -= sizeof(struct GNUNET_IDENTITY_Signature);
  plaintext = ptr;
  ptr += plaintext_len;
-  signature = (struct GNUNET_CRYPTO_EcdsaSignature *) ptr;
+  signature = (struct GNUNET_IDENTITY_Signature *) ptr;
  params = (struct OIDC_Parameters *) plaintext;
  // cmp code_challenge code_verifier
@@ -684,10 +691,11 @@ OIDC_parse_authz_code (const struct GNUNET_IDENTITY_PublicKey *audience,
    return GNUNET_SYSERR;
  }
  if (GNUNET_OK !=
-      GNUNET_CRYPTO_ecdsa_verify_ (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
+      GNUNET_IDENTITY_signature_verify_ (
-                                   purpose,
+        GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
-                                   signature,
+        purpose,
-                                   &ticket->identity.ecdsa_key))
+        signature,
+        &(ticket->identity)))
  {
    GNUNET_free (code_payload);
    if (NULL != *nonce_str)
@@ -840,7 +848,8 @@ OIDC_check_scopes_for_claim_request (const char*scopes,
        }
      }
-    } else if (0 == strcmp (attr, scope_variable))
+    }
+    else if (0 == strcmp (attr, scope_variable))
    {
      /** attribute matches requested scope **/
      GNUNET_free (scope_variables);
diff --git a/src/revocation/revocation_api.c b/src/revocation/revocation_api.c
index 94fbc7022..791c3d008 100644
--- a/src/revocation/revocation_api.c
+++ b/src/revocation/revocation_api.c
@@ -423,33 +423,33 @@ calculate_score (const struct GNUNET_REVOCATION_PowCalculationHandle *ph)
 enum GNUNET_GenericReturnValue
-check_signature_ecdsa (const struct GNUNET_REVOCATION_PowP *pow,
+check_signature_identity (const struct GNUNET_REVOCATION_PowP *pow,
-                       const struct GNUNET_CRYPTO_EcdsaPublicKey *key)
+                          const struct GNUNET_IDENTITY_PublicKey *key)
 {
-  struct GNUNET_REVOCATION_EcdsaSignaturePurposePS spurp;
+  struct GNUNET_REVOCATION_SignaturePurposePS *spurp;
-  struct GNUNET_CRYPTO_EcdsaSignature *sig;
+  struct GNUNET_IDENTITY_Signature *sig;
  const struct GNUNET_IDENTITY_PublicKey *pk;
  size_t ksize;
  pk = (const struct GNUNET_IDENTITY_PublicKey *) &pow[1];
  ksize = GNUNET_IDENTITY_key_get_length (pk);
-  spurp.ktype = pk->type;
+  spurp = GNUNET_malloc (sizeof (*spurp) + ksize);
-  spurp.key = pk->ecdsa_key;
+  spurp->timestamp = pow->timestamp;
-  spurp.timestamp = pow->timestamp;
+  spurp->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_REVOCATION);
-  spurp.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_REVOCATION);
+  spurp->purpose.size = htonl (sizeof(*spurp) + ksize);
-  spurp.purpose.size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
+  GNUNET_IDENTITY_write_key_to_buffer (pk,
-                              + GNUNET_IDENTITY_key_get_length (pk)
+                                       (char*) &spurp[1],
-                              + sizeof (struct GNUNET_TIME_AbsoluteNBO));
+                                       ksize);
  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
              "Expected signature payload len: %u\n",
-              ntohl (spurp.purpose.size));
+              ntohl (spurp->purpose.size));
-  sig = (struct GNUNET_CRYPTO_EcdsaSignature *) ((char*)&pow[1] + ksize);
+  sig = (struct GNUNET_IDENTITY_Signature *) ((char*) &pow[1] + ksize);
  if (GNUNET_OK !=
-      GNUNET_CRYPTO_ecdsa_verify_ (GNUNET_SIGNATURE_PURPOSE_REVOCATION,
+      GNUNET_IDENTITY_signature_verify_ (GNUNET_SIGNATURE_PURPOSE_REVOCATION,
-                                   &spurp.purpose,
+                                         &spurp->purpose,
-                                   sig,
+                                         sig,
-                                   key))
+                                         key))
  {
    return GNUNET_SYSERR;
  }
@@ -463,14 +463,7 @@ check_signature (const struct GNUNET_REVOCATION_PowP *pow)
  const struct GNUNET_IDENTITY_PublicKey *pk;
  pk = (const struct GNUNET_IDENTITY_PublicKey *) &pow[1];
-  switch (ntohl (pk->type))
+  return check_signature_identity (pow, pk);
-  {
-  case GNUNET_IDENTITY_TYPE_ECDSA:
-    return check_signature_ecdsa (pow, &pk->ecdsa_key);
-  default:
-    return GNUNET_SYSERR;
-  }
-  return GNUNET_SYSERR;
 }
@@ -576,11 +569,11 @@ GNUNET_REVOCATION_check_pow (const struct GNUNET_REVOCATION_PowP *pow,
 enum GNUNET_GenericReturnValue
-sign_pow_ecdsa (const struct GNUNET_CRYPTO_EcdsaPrivateKey *key,
+sign_pow_identity (const struct GNUNET_IDENTITY_PrivateKey *key,
-                struct GNUNET_REVOCATION_PowP *pow)
+                   struct GNUNET_REVOCATION_PowP *pow)
 {
  struct GNUNET_TIME_Absolute ts = GNUNET_TIME_absolute_get ();
-  struct GNUNET_REVOCATION_EcdsaSignaturePurposePS rp;
+  struct GNUNET_REVOCATION_SignaturePurposePS *rp;
  const struct GNUNET_IDENTITY_PublicKey *pk;
  size_t ksize;
  char *sig;
@@ -594,21 +587,24 @@ sign_pow_ecdsa (const struct GNUNET_CRYPTO_EcdsaPrivateKey *key,
  pk = (const struct GNUNET_IDENTITY_PublicKey *) &pow[1];
  ksize = GNUNET_IDENTITY_key_get_length (pk);
  pow->timestamp = GNUNET_TIME_absolute_hton (ts);
-  rp.timestamp = pow->timestamp;
+  rp = GNUNET_malloc (sizeof (*rp) + ksize);
-  rp.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_REVOCATION);
+  rp->timestamp = pow->timestamp;
-  rp.purpose.size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
+  rp->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_REVOCATION);
-                           + ksize
+  rp->purpose.size = htonl (sizeof(*rp) + ksize);
-                           + sizeof (struct GNUNET_TIME_AbsoluteNBO));
  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
              "Signature payload len: %u\n",
-              ntohl (rp.purpose.size));
+              ntohl (rp->purpose.size));
-  rp.ktype = pk->type;
+  GNUNET_IDENTITY_write_key_to_buffer (pk,
-  rp.key = pk->ecdsa_key;
+                                       ((char*) &rp[1]),
-  sig = ((char*)&pow[1]) + ksize;
+                                       ksize);
-  return GNUNET_CRYPTO_ecdsa_sign_ (key,
+  sig = ((char*) &pow[1]) + ksize;
-                                    &rp.purpose,
+  int result = GNUNET_IDENTITY_sign_ (key,
-                                    (void*) sig);
+                                      &rp->purpose,
+                                      (void*) sig);
+  if (result == GNUNET_SYSERR)
+    return GNUNET_NO;
+  else
+    return result;
 }
@@ -620,14 +616,7 @@ sign_pow (const struct GNUNET_IDENTITY_PrivateKey *key,
  pk = (struct GNUNET_IDENTITY_PublicKey *) &pow[1];
  GNUNET_IDENTITY_key_get_public (key, pk);
-  switch (ntohl (pk->type))
+  return sign_pow_identity (key, pow);
-  {
-  case GNUNET_IDENTITY_TYPE_ECDSA:
-    return sign_pow_ecdsa (&key->ecdsa_key, pow);
-  default:
-    return GNUNET_NO;
-  }
-  return GNUNET_NO;
 }
@@ -777,20 +766,17 @@ size_t
 GNUNET_REVOCATION_proof_get_size (const struct GNUNET_REVOCATION_PowP *pow)
 {
  size_t size;
+  size_t ksize;
  const struct GNUNET_IDENTITY_PublicKey *pk;
+  const struct GNUNET_IDENTITY_Signature *sig;
  size = sizeof (struct GNUNET_REVOCATION_PowP);
  pk = (const struct GNUNET_IDENTITY_PublicKey *) &pow[1];
-  size += GNUNET_IDENTITY_key_get_length (pk);
+  ksize = GNUNET_IDENTITY_key_get_length (pk);
+  size += ksize;
-  switch (ntohl (pk->type))
+  sig = (struct GNUNET_IDENTITY_Signature *) ((char*) &pow[1] + ksize);
-  {
+  size += GNUNET_IDENTITY_signature_get_length (sig);
-  case GNUNET_IDENTITY_TYPE_ECDSA:
+  return size;
-    return size + sizeof (struct GNUNET_CRYPTO_EcdsaSignature);
-  default:
-    return 0;
-  }
-  return 0;
 }
diff --git a/src/testbed/test_testbed_api_template.conf b/src/testbed/test_testbed_api_template.conf
index 255c1b766..ae0368a8b 100644
--- a/src/testbed/test_testbed_api_template.conf
+++ b/src/testbed/test_testbed_api_template.conf
@@ -32,7 +32,7 @@ WAN_QUOTA_IN = 3932160
 USE_EPHEMERAL_KEYS = NO
 IMMEDIATE_START = YES
-[transport-udp]
+[transport-tcp]
 TIMEOUT = 300 s
 [PATHS]