8 files changed, 754 insertions, 72 deletions
diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/keys/key_encoding.c
new file mode 100644
index 000000000..89b25226c
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/key_encoding.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "key_encoding.h"
+
+#include <stdint.h>
+
+#include <utils/linked_list.h>
+#include <utils/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_key_encoding_t private_key_encoding_t;
+
+/**
+ * Private data of an key_encoding_t object.
+ */
+struct private_key_encoding_t {
+
+	/**
+	 * Public key_encoding_t interface.
+	 */
+	key_encoding_t public;
+
+	/**
+	 * cached encodings, a table for each encoding_type_t, containing chunk_t*
+	 */
+	hashtable_t *cache[KEY_ENCODING_MAX];
+
+	/**
+	 * Registered encoding fuctions, key_encoder_t
+	 */
+	linked_list_t *encoders;
+
+	/**
+	 * lock to access cache/encoders
+	 */
+	rwlock_t *lock;
+};
+
+/**
+ * See header.
+ */
+bool key_encoding_args(va_list args, ...)
+{
+	va_list parts, copy;
+	bool failed = FALSE;
+
+	va_start(parts, args);
+
+	while (!failed)
+	{
+		key_encoding_part_t current, target;
+		chunk_t *out, data;
+
+		/* get the part we are looking for */
+		target = va_arg(parts, key_encoding_part_t);
+		if (target == KEY_PART_END)
+		{
+			break;
+		}
+		out = va_arg(parts, chunk_t*);
+
+		va_copy(copy, args);
+		while (!failed)
+		{
+			current = va_arg(copy, key_encoding_part_t);
+			if (current == KEY_PART_END)
+			{
+				failed = TRUE;
+				break;
+			}
+			data = va_arg(copy, chunk_t);
+			if (current == target)
+			{
+				*out = data;
+				break;
+			}
+		}
+		va_end(copy);
+	}
+	va_end(parts);
+	return !failed;
+}
+
+/**
+ * hashtable hash() function
+ */
+static u_int hash(void *key)
+{
+	return (uintptr_t)key;
+}
+
+/**
+ * hashtable equals() function
+ */
+static bool equals(void *key1, void *key2)
+{
+	return key1 == key2;
+}
+
+/**
+ * Implementation of key_encoding_t.get_cache
+ */
+static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type,
+					  void *cache, chunk_t *encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	chunk = this->cache[type]->get(this->cache[type], cache);
+	if (chunk)
+	{
+		*encoding = *chunk;
+	}
+	this->lock->unlock(this->lock);
+	return !!chunk;
+}
+
+/**
+ * Implementation of key_encoding_t.encode
+ */
+static bool encode(private_key_encoding_t *this, key_encoding_type_t type,
+				   void *cache, chunk_t *encoding, ...)
+{
+	enumerator_t *enumerator;
+	va_list args, copy;
+	key_encoder_t encode;
+	bool success = FALSE;
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return FALSE;
+	}
+	this->lock->read_lock(this->lock);
+	if (cache)
+	{
+		chunk = this->cache[type]->get(this->cache[type], cache);
+		if (chunk)
+		{
+			*encoding = *chunk;
+			this->lock->unlock(this->lock);
+			return TRUE;
+		}
+	}
+	va_start(args, encoding);
+	enumerator = this->encoders->create_enumerator(this->encoders);
+	while (enumerator->enumerate(enumerator, &encode))
+	{
+		va_copy(copy, args);
+		success = encode(type, encoding, copy);
+		va_end(copy);
+		if (success)
+		{
+			if (cache)
+			{
+				chunk = malloc_thing(chunk_t);
+				*chunk = *encoding;
+				this->lock->unlock(this->lock);
+				this->lock->write_lock(this->lock);
+				this->cache[type]->put(this->cache[type], cache, chunk);
+			}
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	va_end(args);
+	this->lock->unlock(this->lock);
+	return success;
+}
+
+/**
+ * Implementation of key_encoding_t.cache
+ */
+static void cache(private_key_encoding_t *this, key_encoding_type_t type,
+				  void *cache, chunk_t encoding)
+{
+	chunk_t *chunk;
+
+	if (type >= KEY_ENCODING_MAX || type < 0)
+	{
+		return free(encoding.ptr);
+	}
+	chunk = malloc_thing(chunk_t);
+	*chunk = encoding;
+	this->lock->write_lock(this->lock);
+	chunk = this->cache[type]->put(this->cache[type], cache, chunk);
+	this->lock->unlock(this->lock);
+	/* free an encoding already associated to the cache */
+	if (chunk)
+	{
+		free(chunk->ptr);
+		free(chunk);
+	}
+}
+
+/**
+ * Implementation of key_encoding_t.clear_cache
+ */
+static void clear_cache(private_key_encoding_t *this, void *cache)
+{
+	key_encoding_type_t type;
+	chunk_t *chunk;
+
+	this->lock->write_lock(this->lock);
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		chunk = this->cache[type]->remove(this->cache[type], cache);
+		if (chunk)
+		{
+			chunk_free(chunk);
+			free(chunk);
+		}
+	}
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoding_t.add_encoder
+ */
+static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->insert_last(this->encoders, encoder);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoding_t.remove_encoder
+ */
+static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder)
+{
+	this->lock->write_lock(this->lock);
+	this->encoders->remove(this->encoders, encoder, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of key_encoder_t.destroy.
+ */
+static void destroy(private_key_encoding_t *this)
+{
+	key_encoding_type_t type;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		/* We explicitly do not free remaining encodings. All keys should
+		 * have gone now, and they are responsible for cleaning out their
+		 * cache entries. Not flushing here allows the leak detective to
+		 * complain if a key did not flush cached encodings. */
+		this->cache[type]->destroy(this->cache[type]);
+	}
+	this->encoders->destroy(this->encoders);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+key_encoding_t *key_encoding_create()
+{
+	private_key_encoding_t *this = malloc_thing(private_key_encoding_t);
+	key_encoding_type_t type;
+
+	this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
+	this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
+	this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache;
+	this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache;
+	this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder;
+	this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder;
+	this->public.destroy = (void(*)(key_encoding_t*))destroy;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		this->cache[type] = hashtable_create(hash, equals, 8);
+	}
+	this->encoders = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+	return &this->public;
+}
+
diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h
new file mode 100644
index 000000000..384117166
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/key_encoding.h
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup key_encoding key_encoding
+ * @{ @ingroup keys
+ */
+
+#ifndef KEY_ENCODING_H_
+#define KEY_ENCODING_H_
+
+typedef struct key_encoding_t key_encoding_t;
+typedef enum key_encoding_type_t key_encoding_type_t;
+typedef enum key_encoding_part_t key_encoding_part_t;
+
+#include <library.h>
+
+/**
+ * Key encoder function implementing encoding/fingerprinting.
+ *
+ * The variable argument list takes key_encoding_part_t, followed by part
+ * specific arguments, terminated by KEY_PART_END.
+ *
+ * @param type		format to encode the key to
+ * @param args		list of (key_encoding_part_t, data)
+ * @param encoding	encoding result, allocated
+ * @return			TRUE if encoding successful
+ */
+typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding,
+							  va_list args);
+
+/**
+ * Helper function for key_encoder_t implementations to parse argument list.
+ *
+ * Key encoder functions get a variable argument list to parse. To simplify
+ * the job, this function reads the arguments and returns chunks for each
+ * part.
+ * The argument list of this function takes a key_encoding_part_t, followed
+ * by a data pointer receiving the value, terminated by KEY_PART_END.
+ *
+ * @param args		argument list passed to key encoder function
+ * @param ...		list of (key_encoding_part_t, data*)
+ * @return			TRUE if all parts found, FALSE otherwise
+ */
+bool key_encoding_args(va_list args, ...);
+
+/**
+ * Encoding type of a fingerprint/private-/public-key.
+ *
+ * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and
+ * private keys the KEY_PRIV_* prefix.
+ */
+enum key_encoding_type_t {
+	/** SHA1 fingerprint over subjectPublicKeyInfo */
+	KEY_ID_PUBKEY_INFO_SHA1 = 0,
+	/** SHA1 fingerprint over subjectPublicKey */
+	KEY_ID_PUBKEY_SHA1,
+	/** PGPv3 fingerprint */
+	KEY_ID_PGPV3,
+	/** PGPv4 fingerprint */
+	KEY_ID_PGPV4,
+
+	KEY_ID_MAX,
+
+	/** PKCS#1 and similar ASN.1 key encoding */
+	KEY_PUB_ASN1_DER,
+	KEY_PRIV_ASN1_DER,
+	/** subjectPublicKeyInfo encoding */
+	KEY_PUB_SPKI_ASN1_DER,
+	/** PEM oncoded PKCS#1 key */
+	KEY_PUB_PEM,
+	KEY_PRIV_PEM,
+	/** PGP key encoding */
+	KEY_PUB_PGP,
+	KEY_PRIV_PGP,
+
+	KEY_ENCODING_MAX,
+};
+
+/**
+ * Parts of a key to encode.
+ */
+enum key_encoding_part_t {
+	/** modulus of a RSA key, n */
+	KEY_PART_RSA_MODULUS,
+	/** public exponent of a RSA key, e */
+	KEY_PART_RSA_PUB_EXP,
+	/** private exponent of a RSA key, d */
+	KEY_PART_RSA_PRIV_EXP,
+	/** prime1 a RSA key, p */
+	KEY_PART_RSA_PRIME1,
+	/** prime2 a RSA key, q */
+	KEY_PART_RSA_PRIME2,
+	/** exponent1 a RSA key, exp1 */
+	KEY_PART_RSA_EXP1,
+	/** exponent1 a RSA key, exp2 */
+	KEY_PART_RSA_EXP2,
+	/** coefficient of RSA key, coeff */
+	KEY_PART_RSA_COEFF,
+	/** a DER encoded RSA public key */
+	KEY_PART_RSA_PUB_ASN1_DER,
+	/** a DER encoded RSA private key */
+	KEY_PART_RSA_PRIV_ASN1_DER,
+	/** a DER encoded ECDSA public key */
+	KEY_PART_ECDSA_PUB_ASN1_DER,
+	/** a DER encoded ECDSA private key */
+	KEY_PART_ECDSA_PRIV_ASN1_DER,
+
+	KEY_PART_END,
+};
+
+/**
+ * Private/Public key encoding and fingerprinting facility.
+ */
+struct key_encoding_t {
+
+	/**
+	 * Encode a key into a format using several key parts, optional caching.
+	 *
+	 * The variable argument list takes key_encoding_part_t, followed by part
+	 * specific arguments, terminated by KEY_PART_END.
+	 * If a cache key is given, the returned encoding points to internal data:
+	 * do not free or modify. If no cache key is given, the encoding is
+	 * allocated and must be freed by the caller.
+	 *
+	 * @param type			format the key should be encoded to
+	 * @param cache			key to use for caching, NULL to not cache
+	 * @param encoding		encoding result, allocated if caching disabled
+	 * @param ...			list of (key_encoding_part_t, data)
+	 * @return				TRUE if encoding successful
+	 */
+	bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache,
+				   chunk_t *encoding, ...);
+
+	/**
+	 * Clear all cached encodings of a given cache key.
+	 *
+	 * @param cache			key used in encode() for caching
+	 */
+	void (*clear_cache)(key_encoding_t *this, void *cache);
+
+	/**
+	 * Check for a cached encoding.
+	 *
+	 * @param type			format of the key encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding result, internal data
+	 * @return				TRUE if cache entry found
+	 */
+	bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type,
+					  void *cache, chunk_t *encoding);
+
+	/**
+	 * Cache a key encoding created externally.
+	 *
+	 * After calling cache(), the passed encoding is owned by the key encoding
+	 * facility.
+	 *
+	 * @param type			format of the key encoding
+	 * @param cache			key to use for caching, as given to encode()
+	 * @param encoding		encoding to cache, gets owned by this
+	 */
+	void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache,
+				  chunk_t encoding);
+
+	/**
+	 * Register a key encoder function.
+	 *
+	 * @param encoder		key encoder function to add
+	 */
+	void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder);
+
+	/**
+	 * Unregister a previously registered key encoder function.
+	 *
+	 * @param encoder		key encoder function to remove
+	 */
+	void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder);
+
+	/**
+	 * Destroy a key_encoding_t.
+	 */
+	void (*destroy)(key_encoding_t *this);
+};
+
+/**
+ * Create a key_encoding instance.
+ */
+key_encoding_t *key_encoding_create();
+
+#endif /** KEY_ENCODING_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c
index 0a01d0385..c3b5ac55b 100644
--- a/src/libstrongswan/credentials/keys/private_key.c
+++ b/src/libstrongswan/credentials/keys/private_key.c
@@ -15,3 +15,65 @@
 
 #include "private_key.h"
 
+/**
+ * See header.
+ */
+bool private_key_equals(private_key_t *this, private_key_t *other)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (this->get_fingerprint(this, type, &a) &&
+			other->get_fingerprint(other, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool private_key_belongs_to(private_key_t *private, public_key_t *public)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (private->get_fingerprint(private, type, &a) &&
+			public->get_fingerprint(public, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint)
+{
+	key_encoding_type_t type;
+	chunk_t current;
+
+	for (type = 0; type < KEY_ID_MAX; type++)
+	{
+		if (private->get_fingerprint(private, type, &current) &&
+			chunk_equals(current, fingerprint))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index f38af8ff4..d4517f296 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup private_key private_key
  * @{ @ingroup keys
@@ -23,7 +23,6 @@
 
 typedef struct private_key_t private_key_t;
 
-#include <utils/identification.h>
 #include <credentials/keys/public_key.h>
 
 /**
@@ -46,7 +45,7 @@ struct private_key_t {
 	 * @param signature	where to allocate created signature
 	 * @return			TRUE if signature created
 	 */
-	bool (*sign)(private_key_t *this, signature_scheme_t scheme, 
+	bool (*sign)(private_key_t *this, signature_scheme_t scheme,
 				 chunk_t data, chunk_t *signature);
 	/**
 	 * Decrypt a chunk of data.
@@ -56,32 +55,24 @@ struct private_key_t {
 	 * @return			TRUE if data decrypted and plaintext allocated
 	 */
 	bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
-	
+
 	/**
 	 * Get the strength of the key in bytes.
-	 * 
+	 *
 	 * @return			strength of the key in bytes
 	 */
 	size_t (*get_keysize) (private_key_t *this);
 
 	/**
-	 * Get a unique key identifier, such as a hash over the public key.
-	 * 
-	 * @param type		type of the key ID to get
-	 * @return			unique ID of the key as identification_t, or NULL
-	 */
-	identification_t* (*get_id) (private_key_t *this, id_type_t type);
-	
-	/**
 	 * Get the public part from the private key.
 	 *
 	 * @return			public key
 	 */
 	public_key_t* (*get_public_key)(private_key_t *this);
-	
+
 	/**
 	 * Check if two private keys are equal.
-	 * 
+	 *
 	 * @param other		other private key
 	 * @return			TRUE, if equality
 	 */
@@ -89,32 +80,78 @@ struct private_key_t {
 
 	/**
 	 * Check if a private key belongs to a public key.
-	 * 
+	 *
 	 * @param public	public key
 	 * @return			TRUE, if keys belong together
 	 */
 	bool (*belongs_to) (private_key_t *this, public_key_t *public);
-	
+
 	/**
-	 * Get an encoded form of the private key.
+	 * Get the fingerprint of the key.
 	 *
-	 * @todo Do we need a encoding type specification?
+	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param fp		fingerprint, points to internal data
+	 * @return			TRUE if fingerprint type supported
+	 */
+	bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type,
+							chunk_t *fp);
+
+	/**
+	 * Check if a key has a given fingerprint of any kind.
 	 *
-	 * @return			allocated chunk containing encoded private key
+	 * @param fp		fingerprint to check
+	 * @return			TRUE if key has given fingerprint
 	 */
-	chunk_t (*get_encoding)(private_key_t *this);	
-	
+	bool (*has_fingerprint)(private_key_t *this, chunk_t fp);
+
+	/**
+	 * Get the key in an encoded form as a chunk.
+	 *
+	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
+	 */
+	bool (*get_encoding)(private_key_t *this, key_encoding_type_t type,
+						 chunk_t *encoding);
+
 	/**
 	 * Increase the refcount to this private key.
 	 *
 	 * @return			this, with an increased refcount
 	 */
 	private_key_t* (*get_ref)(private_key_t *this);
-		
+
 	/**
-     * Decrease refcount, destroy private_key if no more references.
-     */
-    void (*destroy)(private_key_t *this);
+	 * Decrease refcount, destroy private_key if no more references.
+	 */
+	void (*destroy)(private_key_t *this);
 };
 
+/**
+ * Generic private key equals() implementation, usable by implementors.
+ *
+ * @param this			first key to compare
+ * @param other			second key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool private_key_equals(private_key_t *this, private_key_t *other);
+
+/**
+ * Generic private key belongs_to() implementation, usable by implementors.
+ *
+ * @param private		private key to check
+ * @param public		public key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool private_key_belongs_to(private_key_t *private, public_key_t *public);
+
+/**
+ * Generic private key has_fingerprint() implementation, usable by implementors.
+ *
+ * @param this			key to check fingerprint
+ * @param fingerprint	fingerprint to check
+ * @return				TRUE if key has given fingerprint
+ */
+bool private_key_has_fingerprint(private_key_t *this, chunk_t fingerprint);
+
 #endif /** PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index a5f547038..ba3036793 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -32,13 +32,59 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"RSA_EMSA_PKCS1_SHA256",
 	"RSA_EMSA_PKCS1_SHA384",
 	"RSA_EMSA_PKCS1_SHA512",
+	"ECDSA_WITH_SHA1_DER",
+	"ECDSA_WITH_SHA256_DER",
+	"ECDSA_WITH_SHA384_DER",
+	"ECDSA_WITH_SHA512_DER",
 	"ECDSA_WITH_NULL",
-	"ECDSA_WITH_SHA1",
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
 );
 
+/**
+ * See header.
+ */
+bool public_key_equals(public_key_t *this, public_key_t *other)
+{
+	key_encoding_type_t type;
+	chunk_t a, b;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+
+	for (type = 0; type < KEY_ENCODING_MAX; type++)
+	{
+		if (this->get_fingerprint(this, type, &a) &&
+			other->get_fingerprint(other, type, &b))
+		{
+			return chunk_equals(a, b);
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint)
+{
+	key_encoding_type_t type;
+	chunk_t current;
+
+	for (type = 0; type < KEY_ID_MAX; type++)
+	{
+		if (public->get_fingerprint(public, type, &current) &&
+			chunk_equals(current, fingerprint))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 /*
  * Defined in header.
  */
@@ -66,13 +112,13 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_RSA_EMSA_PKCS1_SHA512;
 		case OID_ECDSA_WITH_SHA1:
 		case OID_EC_PUBLICKEY:
-			return SIGN_ECDSA_WITH_SHA1;
+			return SIGN_ECDSA_WITH_SHA1_DER;
 		case OID_ECDSA_WITH_SHA256:
-			return SIGN_ECDSA_256;
+			return SIGN_ECDSA_WITH_SHA256_DER;
 		case OID_ECDSA_WITH_SHA384:
-			return SIGN_ECDSA_384;
+			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
-			return SIGN_ECDSA_521;
+			return SIGN_ECDSA_WITH_SHA512_DER;
 		default:
 			return SIGN_UNKNOWN;
 	}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index be5f3bde6..a421e7b5b 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
- 
+
 /**
  * @defgroup public_key public_key
  * @{ @ingroup keys
@@ -28,6 +28,7 @@ typedef enum signature_scheme_t signature_scheme_t;
 
 #include <library.h>
 #include <utils/identification.h>
+#include <credentials/keys/key_encoding.h>
 
 /**
  * Type of a key pair, the used crypto system
@@ -53,9 +54,8 @@ extern enum_name_t *key_type_names;
  * Signature scheme for signature creation
  *
  * EMSA-PKCS1 signatures are defined in PKCS#1 standard.
- * A prepended ASN.1 encoded digestInfo field contains the 
- * OID of the used hash algorithm. The ASN.1 type of the PKCS#7
- * variants is OCTET_STRING instead of the default BIT_STRING.
+ * A prepended ASN.1 encoded digestInfo field contains the
+ * OID of the used hash algorithm.
  */
 enum signature_scheme_t {
 	/** Unknown signature scheme                                       */
@@ -74,10 +74,16 @@ enum signature_scheme_t {
 	SIGN_RSA_EMSA_PKCS1_SHA384,
 	/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-512   */
 	SIGN_RSA_EMSA_PKCS1_SHA512,
-	/** ECDSA over precomputed digest                                  */
+	/** ECDSA with SHA-1 using DER encoding as in RFC 3279             */
+	SIGN_ECDSA_WITH_SHA1_DER,
+	/** ECDSA with SHA-256 using DER encoding as in RFC 3279           */
+	SIGN_ECDSA_WITH_SHA256_DER,
+	/** ECDSA with SHA-384 using DER encoding as in RFC 3279           */
+	SIGN_ECDSA_WITH_SHA384_DER,
+	/** ECDSA with SHA-1 using DER encoding as in RFC 3279             */
+	SIGN_ECDSA_WITH_SHA512_DER,
+	/** ECDSA over precomputed digest, signature as in RFC 4754        */
 	SIGN_ECDSA_WITH_NULL,
-	/** ECDSA with SHA-1                                               */
-	SIGN_ECDSA_WITH_SHA1,
 	/** ECDSA on the P-256 curve with SHA-256 as in RFC 4754           */
 	SIGN_ECDSA_256,
 	/** ECDSA on the P-384 curve with SHA-384 as in RFC 4754           */
@@ -102,7 +108,7 @@ struct public_key_t {
 	 * @return			type of the key
 	 */
 	key_type_t (*get_type)(public_key_t *this);
-	
+
 	/**
 	 * Verifies a signature against a chunk of data.
 	 *
@@ -111,9 +117,9 @@ struct public_key_t {
 	 * @param signature	signature to check
 	 * @return			TRUE if signature matches
 	 */
-	bool (*verify)(public_key_t *this, signature_scheme_t scheme, 
+	bool (*verify)(public_key_t *this, signature_scheme_t scheme,
 				   chunk_t data, chunk_t signature);
-	
+
 	/**
 	 * Encrypt a chunk of data.
 	 *
@@ -122,10 +128,10 @@ struct public_key_t {
 	 * @return 			TRUE if data successfully encrypted
 	 */
 	bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
-	
+
 	/**
 	 * Check if two public keys are equal.
-	 * 
+	 *
 	 * @param other		other public key
 	 * @return			TRUE, if equality
 	 */
@@ -133,35 +139,46 @@ struct public_key_t {
 
 	/**
 	 * Get the strength of the key in bytes.
-	 * 
+	 *
 	 * @return			strength of the key in bytes
 	 */
 	size_t (*get_keysize) (public_key_t *this);
 
 	/**
-	 * Get a unique key identifier, such as a hash over the key.
-	 * 
-	 * @param type		type of the key ID to get
-	 * @return			unique ID of the key as identification_t, or NULL
+	 * Get the fingerprint of the key.
+	 *
+	 * @param type		type of fingerprint, one of KEY_ID_*
+	 * @param fp		fingerprint, points to internal data
+	 * @return			TRUE if fingerprint type supported
 	 */
-	identification_t* (*get_id) (public_key_t *this, id_type_t type);
-	
+	bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type,
+							chunk_t *fp);
+
 	/**
-	 * Get an encoded form of the key.
+	 * Check if a key has a given fingerprint of any kind.
 	 *
-	 * @todo Do we need a encoding type specification?
+	 * @param fp		fingerprint to check
+	 * @return			TRUE if key has given fingerprint
+	 */
+	bool (*has_fingerprint)(public_key_t *this, chunk_t fp);
+
+	/**
+	 * Get the key in an encoded form as a chunk.
 	 *
-	 * @return			allocated chunk containing encoded key
+	 * @param type		type of the encoding, one of KEY_PRIV_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
 	 */
-	chunk_t (*get_encoding)(public_key_t *this);	
-	
+	bool (*get_encoding)(public_key_t *this, key_encoding_type_t type,
+						 chunk_t *encoding);
+
 	/**
 	 * Increase the refcount of the key.
 	 *
 	 * @return			this with an increased refcount
 	 */
 	public_key_t* (*get_ref)(public_key_t *this);
-	
+
 	/**
 	 * Destroy a public_key instance.
 	 */
@@ -169,8 +186,26 @@ struct public_key_t {
 };
 
 /**
+ * Generic public key equals() implementation, usable by implementors.
+ *
+ * @param this			first key to compare
+ * @param other			second key to compare
+ * @return				TRUE if this is equal to other
+ */
+bool public_key_equals(public_key_t *this, public_key_t *other);
+
+/**
+ * Generic public key has_fingerprint() implementation, usable by implementors.
+ *
+ * @param this			key to check fingerprint
+ * @param fingerprint	fingerprint to check
+ * @return				TRUE if key has given fingerprint
+ */
+bool public_key_has_fingerprint(public_key_t *this, chunk_t fingerprint);
+
+/**
  * Conversion of ASN.1 signature or hash OID to signature scheme.
- * 
+ *
  * @param oid			ASN.1 OID
  * @return				signature_scheme, SIGN_UNKNOWN if OID is unsupported
  */
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
index c6f141446..f695c078d 100644
--- a/src/libstrongswan/credentials/keys/shared_key.c
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -34,17 +34,17 @@ struct private_shared_key_t {
 	 * public functions
 	 */
 	shared_key_t public;
-	
+
 	/**
 	 * type of this shared key
 	 */
 	shared_key_type_t type;
-	
+
 	/**
 	 * associated shared key data
 	 */
 	chunk_t key;
-	
+
 	/**
 	 * reference counter
 	 */
@@ -94,16 +94,16 @@ static void destroy(private_shared_key_t *this)
 shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key)
 {
 	private_shared_key_t *this = malloc_thing(private_shared_key_t);
-	
+
 	this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type;
 	this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key;
 	this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref;
 	this->public.destroy = (void(*)(shared_key_t*))destroy;
-	
+
 	this->type = type;
 	this->key = key;
 	this->ref = 1;
-	
+
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index ceb1309b7..fe7bc86be 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -55,32 +55,32 @@ extern enum_name_t *shared_key_type_names;
  * reading.
  */
 struct shared_key_t {
-	
+
 	/**
 	 * Get the kind of this key.
 	 *
 	 * @return			type of the key
 	 */
 	shared_key_type_t (*get_type)(shared_key_t *this);
-	
+
 	/**
 	 * Get the shared key data.
 	 *
 	 * @return			chunk pointing to the internal key
 	 */
 	chunk_t (*get_key)(shared_key_t *this);
-	
-	/** 
+
+	/**
 	 * Increase refcount of the key.
 	 *
-	 * @return			this with an increased refcount 
+	 * @return			this with an increased refcount
 	 */
 	shared_key_t* (*get_ref)(shared_key_t *this);
-		
+
 	/**
-     * Destroy a shared_key instance if all references are gone.
-     */
-    void (*destroy)(shared_key_t *this);
+	 * Destroy a shared_key instance if all references are gone.
+	 */
+	void (*destroy)(shared_key_t *this);
 };
 
 /**