authorFlorian Dold <florian.dold@gmail.com>2017-05-27 18:43:11 +0200
committerFlorian Dold <florian.dold@gmail.com>2017-05-27 18:43:34 +0200
commitd381226f21f1d0605d06ccae56c38ab6b12f88f0 (patch)
treed431cd99d34227c321daa786a33499cc41a8806b /src/crypto
parent67a50513219dd8536ce2d7888a99cbfc3c3cabcb (diff)
Simplify loading of the emscripten lib.
This removes an ugly hack and makes it easier to access the emscripten-compiled library from within Node.js test cases.
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/cryptoApi-test.ts84
-rw-r--r--src/crypto/cryptoApi.ts292
-rw-r--r--src/crypto/cryptoWorker.ts431
-rw-r--r--src/crypto/emscInterface-test.ts102
-rw-r--r--src/crypto/emscInterface.ts1392
-rw-r--r--src/crypto/emscLoader.d.ts54
-rw-r--r--src/crypto/emscLoader.js38
7 files changed, 2393 insertions, 0 deletions
diff --git a/src/crypto/cryptoApi-test.ts b/src/crypto/cryptoApi-test.ts
new file mode 100644
index 000000000..89b74d776
--- /dev/null
+++ b/src/crypto/cryptoApi-test.ts
@@ -0,0 +1,84 @@
+import {CryptoApi} from "./cryptoApi";
+import {ReserveRecord, DenominationRecord, DenominationStatus} from "../types";
+import {test, TestLib} from "talertest";
+
+let masterPub1: string = "CQQZ9DY3MZ1ARMN5K1VKDETS04Y2QCKMMCFHZSWJWWVN82BTTH00";
+
+let denomValid1: DenominationRecord = {
+ masterSig: "CJFJCQ48Q45PSGJ5KY94N6M2TPARESM2E15BSPBD95YVVPEARAEQ6V6G4Z2XBMS0QM0F3Y9EYVP276FCS90EQ1578ZC8JHFBZ3NGP3G",
+ stampStart: "/Date(1473148381)/",
+ stampExpireWithdraw: "/Date(2482300381)/",
+ stampExpireDeposit: "/Date(1851580381)/",
+ denomPub: "51R7ARKCD5HJTTV5F4G0M818E9SP280A40G2GVH04CR30GHS84R3JHHP6GSM2D9Q6514CGT568R32C9J6CWM4DSH64TM4DSM851K0CA48CVKAC1P6H144C2160T46DHK8CVM4HJ274S38C1M6S338D9N6GWM8DT684T3JCT36S13EC9G88R3EGHQ8S0KJGSQ60SKGD216N33AGJ2651K2E9S60TMCD1N75244HHQ6X33EDJ570R3GGJ2651MACA38D130DA560VK4HHJ68WK2CA26GW3ECSH6D13EC9S88VK2GT66WVK8D9G750K0D9R8RRK4DHQ71332GHK8D23GE26710M2H9K6WVK8HJ38MVKEGA66N23AC9H88VKACT58MV3CCSJ6H1K4DT38GRK0C9M8N33CE1R60V4AHA38H1KECSH6S33JH9N8GRKGH1K68S36GH354520818CMG26C1H60R30C935452081918G2J2G0",
+ stampExpireLegal: "/Date(1567756381)/",
+ value: {
+ "currency": "PUDOS",
+ "value": 0,
+ "fraction": 100000
+ },
+ feeWithdraw: {
+ "currency": "PUDOS",
+ "value": 0,
+ "fraction": 10000
+ },
+ feeDeposit: {
+ "currency": "PUDOS",
+ "value": 0,
+ "fraction": 10000
+ },
+ feeRefresh: {
+ "currency": "PUDOS",
+ "value": 0,
+ "fraction": 10000
+ },
+ feeRefund: {
+ "currency": "PUDOS",
+ "value": 0,
+ "fraction": 10000
+ },
+ denomPubHash: "dummy",
+ status: DenominationStatus.Unverified,
+ isOffered: true,
+ exchangeBaseUrl: "https://exchange.example.com/",
+};
+
+let denomInvalid1 = JSON.parse(JSON.stringify(denomValid1));
+denomInvalid1.value.value += 1;
+
+test("string hashing", async (t: TestLib) => {
+ let crypto = new CryptoApi();
+ let s = await crypto.hashString("hello taler");
+ let sh = "8RDMADB3YNF3QZBS3V467YZVJAMC2QAQX0TZGVZ6Q5PFRRAJFT70HHN0QF661QR9QWKYMMC7YEMPD679D2RADXCYK8Y669A2A5MKQFR";
+ t.assert(s == sh);
+ t.pass();
+});
+
+test("precoin creation", async (t: TestLib) => {
+ let crypto = new CryptoApi();
+ let {priv, pub} = await crypto.createEddsaKeypair();
+ let r: ReserveRecord = {
+ reserve_pub: pub,
+ reserve_priv: priv,
+ hasPayback: false,
+ exchange_base_url: "https://example.com/exchange",
+ created: 0,
+ requested_amount: {currency: "PUDOS", value: 0, fraction: 0},
+ precoin_amount: {currency: "PUDOS", value: 0, fraction: 0},
+ current_amount: null,
+ confirmed: false,
+ last_query: null,
+ };
+
+ let precoin = await crypto.createPreCoin(denomValid1, r);
+ t.pass();
+});
+
+test("denom validation", async (t: TestLib) => {
+ let crypto = new CryptoApi();
+ let v: boolean;
+ v = await crypto.isValidDenom(denomValid1, masterPub1);
+ t.assert(v);
+ v = await crypto.isValidDenom(denomInvalid1, masterPub1);
+ t.assert(!v);
+ t.pass();
+});
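Review bot: The negative case in "denom validation" changes only `value.value`, so the test does not show that the other signed fields are actually covered by the check; in the worker, `isValidDenom` also places the four fees, the four timestamps and the denomination key hash into the signed structure. I would add variants that alter one fee and one `stampExpire*` field, plus a call that passes the `pub` of a fresh `createEddsaKeypair()` as the master key, and assert `!v` for each. "precoin creation" ends in `t.pass()` without looking at `precoin`; asserting that `precoin.coinPub` and `precoin.withdrawSig` are non-empty strings would at least catch an empty result.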
diff --git a/src/crypto/cryptoApi.ts b/src/crypto/cryptoApi.ts
new file mode 100644
index 000000000..a386eab42
--- /dev/null
+++ b/src/crypto/cryptoApi.ts
@@ -0,0 +1,292 @@
+/*
+ This file is part of TALER
+ (C) 2016 GNUnet e.V.
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+ */
+
+
+/**
+ * API to access the Taler crypto worker thread.
+ * @author Florian Dold
+ */
+
+/**
+ * Imports.
+ */
+import {
+ PreCoinRecord,
+ CoinRecord,
+ ReserveRecord,
+ AmountJson,
+ DenominationRecord,
+ PaybackRequest,
+ RefreshSessionRecord,
+ WireFee,
+ PayCoinInfo,
+} from "../types";
+import {
+ OfferRecord,
+ CoinWithDenom,
+} from "../wallet";
+
+
+/**
+ * State of a crypto worker.
+ */
+interface WorkerState {
+ /**
+ * The actual worker thread.
+ */
+ w: Worker|null;
+
+ /**
+ * Work we're currently executing or null if not busy.
+ */
+ currentWorkItem: WorkItem|null;
+
+ /**
+ * Timer to terminate the worker if it's not busy enough.
+ */
+ terminationTimerHandle: number|null;
+}
+
+interface WorkItem {
+ operation: string;
+ args: any[];
+ resolve: any;
+ reject: any;
+
+ /**
+ * Serial id to identify a matching response.
+ */
+ rpcId: number;
+}
+
+
+/**
+ * Number of different priorities. Each priority p
+ * must be 0 <= p < NUM_PRIO.
+ */
+const NUM_PRIO = 5;
+
+export class CryptoApi {
+ private nextRpcId: number = 1;
+ private workers: WorkerState[];
+ private workQueues: WorkItem[][];
+ /**
+ * Number of busy workers.
+ */
+ private numBusy: number = 0;
+
+ /**
+ * Start a worker (if not started) and set as busy.
+ */
+ wake<T>(ws: WorkerState, work: WorkItem): void {
+ if (ws.currentWorkItem != null) {
+ throw Error("assertion failed");
+ }
+ ws.currentWorkItem = work;
+ this.numBusy++;
+ if (!ws.w) {
+ let w = new Worker("/dist/cryptoWorker-bundle.js");
+ w.onmessage = (m: MessageEvent) => this.handleWorkerMessage(ws, m);
+ w.onerror = (e: ErrorEvent) => this.handleWorkerError(ws, e);
+ ws.w = w;
+ }
+
+ let msg: any = {
+ operation: work.operation, args: work.args,
+ id: work.rpcId
+ };
+ this.resetWorkerTimeout(ws);
+ ws.w!.postMessage(msg);
+ }
+
+ resetWorkerTimeout(ws: WorkerState) {
+ if (ws.terminationTimerHandle != null) {
+ clearTimeout(ws.terminationTimerHandle);
+ }
+ let destroy = () => {
+ // terminate worker if it's idle
+ if (ws.w && ws.currentWorkItem == null) {
+ ws.w!.terminate();
+ ws.w = null;
+ }
+ };
+ ws.terminationTimerHandle = window.setTimeout(destroy, 20 * 1000);
+ }
+
+ handleWorkerError(ws: WorkerState, e: ErrorEvent) {
+ if (ws.currentWorkItem) {
+ console.error(`error in worker during ${ws.currentWorkItem!.operation}`,
+ e);
+ } else {
+ console.error("error in worker", e);
+ }
+ console.error(e.message);
+ try {
+ ws.w!.terminate();
+ ws.w = null;
+ } catch (e) {
+ console.error(e);
+ }
+ if (ws.currentWorkItem != null) {
+ ws.currentWorkItem.reject(e);
+ ws.currentWorkItem = null;
+ this.numBusy--;
+ }
+ this.findWork(ws);
+ }
+
+ findWork(ws: WorkerState) {
+ // try to find more work for this worker
+ for (let i = 0; i < NUM_PRIO; i++) {
+ let q = this.workQueues[NUM_PRIO - i - 1];
+ if (q.length != 0) {
+ let work: WorkItem = q.shift()!;
+ this.wake(ws, work);
+ return;
+ }
+ }
+ }
+
+ handleWorkerMessage(ws: WorkerState, msg: MessageEvent) {
+ let id = msg.data.id;
+ if (typeof id !== "number") {
+ console.error("rpc id must be number");
+ return;
+ }
+ let currentWorkItem = ws.currentWorkItem;
+ ws.currentWorkItem = null;
+ this.numBusy--;
+ this.findWork(ws);
+ if (!currentWorkItem) {
+ console.error("unsolicited response from worker");
+ return;
+ }
+ if (id != currentWorkItem.rpcId) {
+ console.error(`RPC with id ${id} has no registry entry`);
+ return;
+ }
+ currentWorkItem.resolve(msg.data.result);
+ }
+
+ constructor() {
+ this.workers = new Array<WorkerState>((navigator as any)["hardwareConcurrency"] || 2);
+
+ for (let i = 0; i < this.workers.length; i++) {
+ this.workers[i] = {
+ w: null,
+ terminationTimerHandle: null,
+ currentWorkItem: null,
+ };
+ }
+ this.workQueues = [];
+ for (let i = 0; i < NUM_PRIO; i++) {
+ this.workQueues.push([]);
+ }
+ }
+
+ private doRpc<T>(operation: string, priority: number,
+ ...args: any[]): Promise<T> {
+ let start = performance.now();
+
+ let p = new Promise((resolve, reject) => {
+ let rpcId = this.nextRpcId++;
+ let workItem: WorkItem = {operation, args, resolve, reject, rpcId};
+
+ if (this.numBusy == this.workers.length) {
+ let q = this.workQueues[priority];
+ if (!q) {
+ throw Error("assertion failed");
+ }
+ this.workQueues[priority].push(workItem);
+ return;
+ }
+
+ for (let i = 0; i < this.workers.length; i++) {
+ let ws = this.workers[i];
+ if (ws.currentWorkItem != null) {
+ continue;
+ }
+
+ this.wake<T>(ws, workItem);
+ return;
+ }
+
+ throw Error("assertion failed");
+ });
+
+ return p.then((r: T) => {
+ console.log(`rpc ${operation} took ${performance.now() - start}ms`);
+ return r;
+ });
+ }
+
+
+ createPreCoin(denom: DenominationRecord, reserve: ReserveRecord): Promise<PreCoinRecord> {
+ return this.doRpc<PreCoinRecord>("createPreCoin", 1, denom, reserve);
+ }
+
+ hashString(str: string): Promise<string> {
+ return this.doRpc<string>("hashString", 1, str);
+ }
+
+ hashDenomPub(denomPub: string): Promise<string> {
+ return this.doRpc<string>("hashDenomPub", 1, denomPub);
+ }
+
+ isValidDenom(denom: DenominationRecord,
+ masterPub: string): Promise<boolean> {
+ return this.doRpc<boolean>("isValidDenom", 2, denom, masterPub);
+ }
+
+ isValidWireFee(type: string, wf: WireFee, masterPub: string): Promise<boolean> {
+ return this.doRpc<boolean>("isValidWireFee", 2, type, wf, masterPub);
+ }
+
+ isValidPaymentSignature(sig: string, contractHash: string, merchantPub: string) {
+ return this.doRpc<PayCoinInfo>("isValidPaymentSignature", 1, sig, contractHash, merchantPub);
+ }
+
+ signDeposit(offer: OfferRecord,
+ cds: CoinWithDenom[]): Promise<PayCoinInfo> {
+ return this.doRpc<PayCoinInfo>("signDeposit", 3, offer, cds);
+ }
+
+ createEddsaKeypair(): Promise<{priv: string, pub: string}> {
+ return this.doRpc<{priv: string, pub: string}>("createEddsaKeypair", 1);
+ }
+
+ rsaUnblind(sig: string, bk: string, pk: string): Promise<string> {
+ return this.doRpc<string>("rsaUnblind", 4, sig, bk, pk);
+ }
+
+ createPaybackRequest(coin: CoinRecord): Promise<PaybackRequest> {
+ return this.doRpc<PaybackRequest>("createPaybackRequest", 1, coin);
+ }
+
+ createRefreshSession(exchangeBaseUrl: string,
+ kappa: number,
+ meltCoin: CoinRecord,
+ newCoinDenoms: DenominationRecord[],
+ meltFee: AmountJson): Promise<RefreshSessionRecord> {
+ return this.doRpc<RefreshSessionRecord>("createRefreshSession",
+ 4,
+ exchangeBaseUrl,
+ kappa,
+ meltCoin,
+ newCoinDenoms,
+ meltFee);
+ }
+}
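Review bot: `isValidPaymentSignature` goes through `doRpc<PayCoinInfo>` although the worker function of the same name returns `boolean`, so callers type-check a signature-verification result against an unrelated record type; it should be declared `isValidPaymentSignature(sig: string, contractHash: string, merchantPub: string): Promise<boolean>` and call `doRpc<boolean>`. In `handleWorkerMessage`, the `id != currentWorkItem.rpcId` branch returns after `ws.currentWorkItem` has already been cleared, so that request's promise is never settled; calling `currentWorkItem.reject(Error("unexpected RPC id"))` before the `return` would surface the failure to the caller. The early return for a non-numeric id likewise leaves `ws.currentWorkItem` set and `numBusy` unchanged, so that worker stays marked busy.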
diff --git a/src/crypto/cryptoWorker.ts b/src/crypto/cryptoWorker.ts
new file mode 100644
index 000000000..36b3b924a
--- /dev/null
+++ b/src/crypto/cryptoWorker.ts
@@ -0,0 +1,431 @@
+/*
+ This file is part of TALER
+ (C) 2016 GNUnet e.V.
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+ */
+
+/**
+ * Web worker for crypto operations.
+ */
+
+
+/**
+ * Imports.
+ */
+import {
+ AmountJson,
+ Amounts,
+ CoinPaySig,
+ CoinRecord,
+ CoinStatus,
+ DenominationRecord,
+ PayCoinInfo,
+ PaybackRequest,
+ PreCoinRecord,
+ RefreshPreCoinRecord,
+ RefreshSessionRecord,
+ ReserveRecord,
+ WireFee,
+} from "../types";
+import create = chrome.alarms.create;
+import {
+ CoinWithDenom,
+ OfferRecord,
+} from "../wallet";
+import * as native from "./emscInterface";
+import {
+ Amount,
+ EddsaPublicKey,
+ HashCode,
+ HashContext,
+ RefreshMeltCoinAffirmationPS,
+} from "./emscInterface";
+
+
+namespace RpcFunctions {
+
+ /**
+ * Create a pre-coin of the given denomination to be withdrawn from then given
+ * reserve.
+ */
+ export function createPreCoin(denom: DenominationRecord,
+ reserve: ReserveRecord): PreCoinRecord {
+ let reservePriv = new native.EddsaPrivateKey();
+ reservePriv.loadCrock(reserve.reserve_priv);
+ let reservePub = new native.EddsaPublicKey();
+ reservePub.loadCrock(reserve.reserve_pub);
+ let denomPub = native.RsaPublicKey.fromCrock(denom.denomPub);
+ let coinPriv = native.EddsaPrivateKey.create();
+ let coinPub = coinPriv.getPublicKey();
+ let blindingFactor = native.RsaBlindingKeySecret.create();
+ let pubHash: native.HashCode = coinPub.hash();
+ let ev = native.rsaBlind(pubHash,
+ blindingFactor,
+ denomPub);
+
+ if (!ev) {
+ throw Error("couldn't blind (malicious exchange key?)");
+ }
+
+ if (!denom.feeWithdraw) {
+ throw Error("Field fee_withdraw missing");
+ }
+
+ let amountWithFee = new native.Amount(denom.value);
+ amountWithFee.add(new native.Amount(denom.feeWithdraw));
+ let withdrawFee = new native.Amount(denom.feeWithdraw);
+
+ // Signature
+ let withdrawRequest = new native.WithdrawRequestPS({
+ reserve_pub: reservePub,
+ amount_with_fee: amountWithFee.toNbo(),
+ withdraw_fee: withdrawFee.toNbo(),
+ h_denomination_pub: denomPub.encode().hash(),
+ h_coin_envelope: ev.hash()
+ });
+
+ var sig = native.eddsaSign(withdrawRequest.toPurpose(), reservePriv);
+
+ let preCoin: PreCoinRecord = {
+ reservePub: reservePub.toCrock(),
+ blindingKey: blindingFactor.toCrock(),
+ coinPub: coinPub.toCrock(),
+ coinPriv: coinPriv.toCrock(),
+ denomPub: denomPub.encode().toCrock(),
+ exchangeBaseUrl: reserve.exchange_base_url,
+ withdrawSig: sig.toCrock(),
+ coinEv: ev.toCrock(),
+ coinValue: denom.value
+ };
+ return preCoin;
+ }
+
+ export function createPaybackRequest(coin: CoinRecord): PaybackRequest {
+ let p = new native.PaybackRequestPS({
+ coin_pub: native.EddsaPublicKey.fromCrock(coin.coinPub),
+ h_denom_pub: native.RsaPublicKey.fromCrock(coin.denomPub).encode().hash(),
+ coin_blind: native.RsaBlindingKeySecret.fromCrock(coin.blindingKey),
+ });
+ let coinPriv = native.EddsaPrivateKey.fromCrock(coin.coinPriv);
+ let coinSig = native.eddsaSign(p.toPurpose(), coinPriv);
+ let paybackRequest: PaybackRequest = {
+ denom_pub: coin.denomPub,
+ denom_sig: coin.denomSig,
+ coin_blind_key_secret: coin.blindingKey,
+ coin_pub: coin.coinPub,
+ coin_sig: coinSig.toCrock(),
+ };
+ return paybackRequest;
+ }
+
+
+ export function isValidPaymentSignature(sig: string, contractHash: string, merchantPub: string): boolean {
+ let p = new native.PaymentSignaturePS({
+ contract_hash: native.HashCode.fromCrock(contractHash),
+ });
+ let nativeSig = new native.EddsaSignature();
+ nativeSig.loadCrock(sig);
+ let nativePub = native.EddsaPublicKey.fromCrock(merchantPub);
+ return native.eddsaVerify(native.SignaturePurpose.MERCHANT_PAYMENT_OK,
+ p.toPurpose(),
+ nativeSig,
+ nativePub);
+ }
+
+ export function isValidWireFee(type: string, wf: WireFee, masterPub: string): boolean {
+ let p = new native.MasterWireFeePS({
+ h_wire_method: native.ByteArray.fromStringWithNull(type).hash(),
+ start_date: native.AbsoluteTimeNbo.fromStampSeconds(wf.startStamp),
+ end_date: native.AbsoluteTimeNbo.fromStampSeconds(wf.endStamp),
+ wire_fee: (new native.Amount(wf.wireFee)).toNbo(),
+ closing_fee: (new native.Amount(wf.closingFee)).toNbo(),
+ });
+
+ let nativeSig = new native.EddsaSignature();
+ nativeSig.loadCrock(wf.sig);
+ let nativePub = native.EddsaPublicKey.fromCrock(masterPub);
+
+ return native.eddsaVerify(native.SignaturePurpose.MASTER_WIRE_FEES,
+ p.toPurpose(),
+ nativeSig,
+ nativePub);
+ }
+
+
+ export function isValidDenom(denom: DenominationRecord,
+ masterPub: string): boolean {
+ let p = new native.DenominationKeyValidityPS({
+ master: native.EddsaPublicKey.fromCrock(masterPub),
+ denom_hash: native.RsaPublicKey.fromCrock(denom.denomPub)
+ .encode()
+ .hash(),
+ expire_legal: native.AbsoluteTimeNbo.fromTalerString(denom.stampExpireLegal),
+ expire_spend: native.AbsoluteTimeNbo.fromTalerString(denom.stampExpireDeposit),
+ expire_withdraw: native.AbsoluteTimeNbo.fromTalerString(denom.stampExpireWithdraw),
+ start: native.AbsoluteTimeNbo.fromTalerString(denom.stampStart),
+ value: (new native.Amount(denom.value)).toNbo(),
+ fee_deposit: (new native.Amount(denom.feeDeposit)).toNbo(),
+ fee_refresh: (new native.Amount(denom.feeRefresh)).toNbo(),
+ fee_withdraw: (new native.Amount(denom.feeWithdraw)).toNbo(),
+ fee_refund: (new native.Amount(denom.feeRefund)).toNbo(),
+ });
+
+ let nativeSig = new native.EddsaSignature();
+ nativeSig.loadCrock(denom.masterSig);
+
+ let nativePub = native.EddsaPublicKey.fromCrock(masterPub);
+
+ return native.eddsaVerify(native.SignaturePurpose.MASTER_DENOMINATION_KEY_VALIDITY,
+ p.toPurpose(),
+ nativeSig,
+ nativePub);
+
+ }
+
+
+ export function createEddsaKeypair(): {priv: string, pub: string} {
+ const priv = native.EddsaPrivateKey.create();
+ const pub = priv.getPublicKey();
+ return {priv: priv.toCrock(), pub: pub.toCrock()};
+ }
+
+
+ export function rsaUnblind(sig: string, bk: string, pk: string): string {
+ let denomSig = native.rsaUnblind(native.RsaSignature.fromCrock(sig),
+ native.RsaBlindingKeySecret.fromCrock(bk),
+ native.RsaPublicKey.fromCrock(pk));
+ return denomSig.encode().toCrock()
+ }
+
+
+ /**
+ * Generate updated coins (to store in the database)
+ * and deposit permissions for each given coin.
+ */
+ export function signDeposit(offer: OfferRecord,
+ cds: CoinWithDenom[]): PayCoinInfo {
+ let ret: PayCoinInfo = [];
+
+
+ let feeList: AmountJson[] = cds.map((x) => x.denom.feeDeposit);
+ let fees = Amounts.add(Amounts.getZero(feeList[0].currency), ...feeList).amount;
+ // okay if saturates
+ fees = Amounts.sub(fees, offer.contract.max_fee).amount;
+ let total = Amounts.add(fees, offer.contract.amount).amount;
+
+ let amountSpent = native.Amount.getZero(cds[0].coin.currentAmount.currency);
+ let amountRemaining = new native.Amount(total);
+ for (let cd of cds) {
+ let coinSpend: Amount;
+
+ if (amountRemaining.value == 0 && amountRemaining.fraction == 0) {
+ break;
+ }
+
+ if (amountRemaining.cmp(new native.Amount(cd.coin.currentAmount)) < 0) {
+ coinSpend = new native.Amount(amountRemaining.toJson());
+ } else {
+ coinSpend = new native.Amount(cd.coin.currentAmount);
+ }
+
+ amountSpent.add(coinSpend);
+ amountRemaining.sub(coinSpend);
+
+ let feeDeposit: Amount = new native.Amount(cd.denom.feeDeposit);
+
+ // Give the merchant at least the deposit fee, otherwise it'll reject
+ // the coin.
+ if (coinSpend.cmp(feeDeposit) < 0) {
+ coinSpend = feeDeposit;
+ }
+
+ let newAmount = new native.Amount(cd.coin.currentAmount);
+ newAmount.sub(coinSpend);
+ cd.coin.currentAmount = newAmount.toJson();
+ cd.coin.status = CoinStatus.TransactionPending;
+
+ let d = new native.DepositRequestPS({
+ h_contract: native.HashCode.fromCrock(offer.H_contract),
+ h_wire: native.HashCode.fromCrock(offer.contract.H_wire),
+ amount_with_fee: coinSpend.toNbo(),
+ coin_pub: native.EddsaPublicKey.fromCrock(cd.coin.coinPub),
+ deposit_fee: new native.Amount(cd.denom.feeDeposit).toNbo(),
+ merchant: native.EddsaPublicKey.fromCrock(offer.contract.merchant_pub),
+ refund_deadline: native.AbsoluteTimeNbo.fromTalerString(offer.contract.refund_deadline),
+ timestamp: native.AbsoluteTimeNbo.fromTalerString(offer.contract.timestamp),
+ });
+
+ let coinSig = native.eddsaSign(d.toPurpose(),
+ native.EddsaPrivateKey.fromCrock(cd.coin.coinPriv))
+ .toCrock();
+
+ let s: CoinPaySig = {
+ coin_sig: coinSig,
+ coin_pub: cd.coin.coinPub,
+ ub_sig: cd.coin.denomSig,
+ denom_pub: cd.coin.denomPub,
+ f: coinSpend.toJson(),
+ };
+ ret.push({sig: s, updatedCoin: cd.coin});
+ }
+ return ret;
+ }
+
+
+ export function createRefreshSession(exchangeBaseUrl: string,
+ kappa: number,
+ meltCoin: CoinRecord,
+ newCoinDenoms: DenominationRecord[],
+ meltFee: AmountJson): RefreshSessionRecord {
+
+ let valueWithFee = Amounts.getZero(newCoinDenoms[0].value.currency);
+
+ for (let ncd of newCoinDenoms) {
+ valueWithFee = Amounts.add(valueWithFee,
+ ncd.value,
+ ncd.feeWithdraw).amount;
+ }
+
+ // melt fee
+ valueWithFee = Amounts.add(valueWithFee, meltFee).amount;
+
+ let sessionHc = new HashContext();
+
+ let transferPubs: string[] = [];
+ let transferPrivs: string[] = [];
+
+ let preCoinsForGammas: RefreshPreCoinRecord[][] = [];
+
+ for (let i = 0; i < kappa; i++) {
+ let t = native.EcdhePrivateKey.create();
+ let pub = t.getPublicKey();
+ sessionHc.read(pub);
+ transferPrivs.push(t.toCrock());
+ transferPubs.push(pub.toCrock());
+ }
+
+ for (let i = 0; i < newCoinDenoms.length; i++) {
+ let r = native.RsaPublicKey.fromCrock(newCoinDenoms[i].denomPub);
+ sessionHc.read(r.encode());
+ }
+
+ sessionHc.read(native.EddsaPublicKey.fromCrock(meltCoin.coinPub));
+ sessionHc.read((new native.Amount(valueWithFee)).toNbo());
+
+ for (let i = 0; i < kappa; i++) {
+ let preCoins: RefreshPreCoinRecord[] = [];
+ for (let j = 0; j < newCoinDenoms.length; j++) {
+
+ let transferPriv = native.EcdhePrivateKey.fromCrock(transferPrivs[i]);
+ let oldCoinPub = native.EddsaPublicKey.fromCrock(meltCoin.coinPub);
+ let transferSecret = native.ecdhEddsa(transferPriv, oldCoinPub);
+
+ let fresh = native.setupFreshCoin(transferSecret, j);
+
+ let coinPriv = fresh.priv;
+ let coinPub = coinPriv.getPublicKey();
+ let blindingFactor = fresh.blindingKey;
+ let pubHash: native.HashCode = coinPub.hash();
+ let denomPub = native.RsaPublicKey.fromCrock(newCoinDenoms[j].denomPub);
+ let ev = native.rsaBlind(pubHash,
+ blindingFactor,
+ denomPub);
+ if (!ev) {
+ throw Error("couldn't blind (malicious exchange key?)");
+ }
+ let preCoin: RefreshPreCoinRecord = {
+ blindingKey: blindingFactor.toCrock(),
+ coinEv: ev.toCrock(),
+ publicKey: coinPub.toCrock(),
+ privateKey: coinPriv.toCrock(),
+ };
+ preCoins.push(preCoin);
+ sessionHc.read(ev);
+ }
+ preCoinsForGammas.push(preCoins);
+ }
+
+ let sessionHash = new HashCode();
+ sessionHash.alloc();
+ sessionHc.finish(sessionHash);
+
+ let confirmData = new RefreshMeltCoinAffirmationPS({
+ coin_pub: EddsaPublicKey.fromCrock(meltCoin.coinPub),
+ amount_with_fee: (new Amount(valueWithFee)).toNbo(),
+ session_hash: sessionHash,
+ melt_fee: (new Amount(meltFee)).toNbo()
+ });
+
+
+ let confirmSig: string = native.eddsaSign(confirmData.toPurpose(),
+ native.EddsaPrivateKey.fromCrock(
+ meltCoin.coinPriv)).toCrock();
+
+ let valueOutput = Amounts.getZero(newCoinDenoms[0].value.currency);
+ for (let denom of newCoinDenoms) {
+ valueOutput = Amounts.add(valueOutput, denom.value).amount;
+ }
+
+ let refreshSession: RefreshSessionRecord = {
+ meltCoinPub: meltCoin.coinPub,
+ newDenoms: newCoinDenoms.map((d) => d.denomPub),
+ confirmSig,
+ valueWithFee,
+ transferPubs,
+ preCoinsForGammas,
+ hash: sessionHash.toCrock(),
+ norevealIndex: undefined,
+ exchangeBaseUrl,
+ transferPrivs,
+ finished: false,
+ valueOutput,
+ };
+
+ return refreshSession;
+ }
+
+ /**
+ * Hash a string including the zero terminator.
+ */
+ export function hashString(str: string): string {
+ const b = native.ByteArray.fromStringWithNull(str);
+ return b.hash().toCrock();
+ }
+
+ export function hashDenomPub(denomPub: string): string {
+ return native.RsaPublicKey.fromCrock(denomPub).encode().hash().toCrock();
+ }
+}
+
+
+let worker: Worker = (self as any) as Worker;
+
+worker.onmessage = (msg: MessageEvent) => {
+ if (!Array.isArray(msg.data.args)) {
+ console.error("args must be array");
+ return;
+ }
+ if (typeof msg.data.id != "number") {
+ console.error("RPC id must be number");
+ }
+ if (typeof msg.data.operation != "string") {
+ console.error("RPC operation must be string");
+ }
+ let f = (RpcFunctions as any)[msg.data.operation];
+ if (!f) {
+ console.error(`unknown operation: '${msg.data.operation}'`);
+ return;
+ }
+ let res = f(...msg.data.args);
+ worker.postMessage({result: res, id: msg.data.id});
+}
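Review bot: In `worker.onmessage` the checks on `msg.data.id` and `msg.data.operation` log an error but do not `return`, and the handler is then looked up with `(RpcFunctions as any)[msg.data.operation]`, which also resolves names inherited from `Object.prototype` rather than only the exported RPC functions. I would add `return;` to both checks and guard the lookup with `if (!Object.prototype.hasOwnProperty.call(RpcFunctions, msg.data.operation) || typeof f !== "function")`. An exception thrown inside `f(...)` (for example the "couldn't blind" error) is not caught here, so no reply carrying `msg.data.id` is posted and recovery depends entirely on the caller's `onerror` handling. `import create = chrome.alarms.create;` looks like an unused editor auto-import and could be dropped.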
diff --git a/src/crypto/emscInterface-test.ts b/src/crypto/emscInterface-test.ts
new file mode 100644
index 000000000..4f57bf802
--- /dev/null
+++ b/src/crypto/emscInterface-test.ts
@@ -0,0 +1,102 @@
+import {test, TestLib} from "talertest";
+import * as native from "./emscInterface";
+
+test("string hashing", (t: TestLib) => {
+ let x = native.ByteArray.fromStringWithNull("hello taler");
+ let h = "8RDMADB3YNF3QZBS3V467YZVJAMC2QAQX0TZGVZ6Q5PFRRAJFT70HHN0QF661QR9QWKYMMC7YEMPD679D2RADXCYK8Y669A2A5MKQFR"
+ let hc = x.hash().toCrock();
+ console.log(`# hc ${hc}`);
+ t.assert(h === hc, "must equal");
+ t.pass();
+});
+
+test("signing", (t: TestLib) => {
+ let x = native.ByteArray.fromStringWithNull("hello taler");
+ let priv = native.EddsaPrivateKey.create();
+ let pub = priv.getPublicKey();
+ let purpose = new native.EccSignaturePurpose(native.SignaturePurpose.TEST, x);
+ let sig = native.eddsaSign(purpose, priv);
+ t.assert(native.eddsaVerify(native.SignaturePurpose.TEST, purpose, sig, pub));
+ t.pass();
+});
+
+test("signing-fixed-data", (t: TestLib) => {
+ let x = native.ByteArray.fromStringWithNull("hello taler");
+ let purpose = new native.EccSignaturePurpose(native.SignaturePurpose.TEST, x);
+ const privStr = "G9R8KRRCAFKPD0KW7PW48CC2T03VQ8K2AN9J6J6K2YW27J5MHN90";
+ const pubStr = "YHCZB442FQFJ0ET20MWA8YJ53M61EZGJ6QKV1KTJZMRNXDY45WT0";
+ const sigStr = "7V6XY4QGC1406GPMT305MZQ1HDCR7R0S5BP02GTGDQFPSXB6YD2YDN5ZS7NJQCNP61Y39MRHXNXQ1Z15JY4CJY4CPDA6CKQ3313WG38";
+ let priv = native.EddsaPrivateKey.fromCrock(privStr);
+ t.assert(privStr == priv.toCrock())
+ let pub = priv.getPublicKey();
+ t.assert(pubStr == pub.toCrock());
+ let sig = native.EddsaSignature.fromCrock(sigStr);
+ t.assert(sigStr == sig.toCrock())
+ let sig2 = native.eddsaSign(purpose, priv);
+ t.assert(sig.toCrock() == sig2.toCrock());
+ t.assert(native.eddsaVerify(native.SignaturePurpose.TEST, purpose, sig, pub));
+ t.pass();
+});
+
+const denomPubStr1 = "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";
+
+test("rsa-encode", (t: TestLib) => {
+ const pubHashStr = "JM63YM5X7X547164QJ3MGJZ4WDD47GEQR5DW5SH35G4JFZXEJBHE5JBNZM5K8XN5C4BRW25BE6GSVAYBF790G2BZZ13VW91D41S4DS0"
+ let denomPub = native.RsaPublicKey.fromCrock(denomPubStr1);
+ let pubHash = denomPub.encode().hash();
+ t.assert(pubHashStr == pubHash.toCrock());
+ t.pass();
+});
+
+
+test("withdraw-request", (t: TestLib) => {
+ const reservePrivStr = "G9R8KRRCAFKPD0KW7PW48CC2T03VQ8K2AN9J6J6K2YW27J5MHN90";
+ const reservePriv = native.EddsaPrivateKey.fromCrock(reservePrivStr);
+ const reservePub = reservePriv.getPublicKey();
+ const amountWithFee = new native.Amount({currency: "KUDOS", value: 1, fraction: 10000});
+ amountWithFee.add(new native.Amount({currency: "KUDOS", value: 0, fraction: 20000}));
+ const withdrawFee = new native.Amount({currency: "KUDOS", value: 0, fraction: 20000})
+ const denomPub = native.RsaPublicKey.fromCrock(denomPubStr1);
+ const ev = native.ByteArray.fromStringWithNull("hello, world");
+
+
+ // Signature
+ let withdrawRequest = new native.WithdrawRequestPS({
+ reserve_pub: reservePub,
+ amount_with_fee: amountWithFee.toNbo(),
+ withdraw_fee: withdrawFee.toNbo(),
+ h_denomination_pub: denomPub.encode().hash(),
+ h_coin_envelope: ev.hash()
+ });
+
+ var sigStr = "AD3T8W44NV193J19RAN3NAJHPP6RVB0R3NWV7ZK5G8Q946YDK0B6F8YJBNRRBXSPVTKY31S7BVZPJFFTJJRMY61DH51X4JSXK677428";
+
+ var sig = native.eddsaSign(withdrawRequest.toPurpose(), reservePriv);
+ t.assert(native.eddsaVerify(native.SignaturePurpose.RESERVE_WITHDRAW, withdrawRequest.toPurpose(), sig, reservePub));
+ t.assert(sig.toCrock() == sigStr);
+ t.pass();
+});
+
+test("withdraw-request", (t: TestLib) => {
+ const a1 = new native.Amount({currency: "KUDOS", value: 1, fraction: 50000000});
+ const a2 = new native.Amount({currency: "KUDOS", value: 1, fraction: 50000000});
+ a1.add(a2);
+ let x = a1.toJson();
+ t.assert(x.currency == "KUDOS");
+ t.assert(x.fraction == 0);
+ t.assert(x.value == 3);
+ t.pass();
+});
+
+
+test("ecdsa", (t: TestLib) => {
+ const priv = native.EcdsaPrivateKey.create();
+ const pub1 = priv.getPublicKey();
+ t.pass();
+});
+
+test("ecdhe", (t: TestLib) => {
+ const priv = native.EcdhePrivateKey.create();
+ const pub = priv.getPublicKey();
+ t.pass();
+});
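Review bot: None of the signing tests contains a verification that is expected to fail, so an `eddsaVerify` binding that always returned true would still pass "signing", "signing-fixed-data" and the first "withdraw-request". I would add an assertion such as `t.assert(!native.eddsaVerify(native.SignaturePurpose.TEST, purpose, sig, otherPub));` with `otherPub` taken from a second `EddsaPrivateKey.create()`, and a second one using a purpose built over different data. The second test named "withdraw-request" actually checks `Amount.add` and should get its own name (e.g. "amount-add") so a failure report is unambiguous. "ecdsa" and "ecdhe" assert nothing about the generated keys.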
diff --git a/src/crypto/emscInterface.ts b/src/crypto/emscInterface.ts
new file mode 100644
index 000000000..52c6c965e
--- /dev/null
+++ b/src/crypto/emscInterface.ts
@@ -0,0 +1,1392 @@
+/*
+ This file is part of TALER
+ (C) 2015 GNUnet e.V.
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+ */
+
+
+/**
+ * Medium-level interface to emscripten-compiled modules used
+ * by the wallet. Handles memory management by allocating by allocating
+ * objects in arenas that then can be disposed of all at once.
+ *
+ * The high-level interface (using WebWorkers) is exposed in src/cryptoApi.ts.
+ */
+
+/**
+ * Imports.
+ */
+import {AmountJson} from "../types";
+import {getLib, EmscFunGen} from "./emscLoader";
+
+
+const emscLib = getLib();
+
+
+/**
+ * Size of a native pointer. Must match the size
+ * use when compiling via emscripten.
+ */
+const PTR_SIZE = 4;
+
+const GNUNET_OK = 1;
+const GNUNET_YES = 1;
+const GNUNET_NO = 0;
+const GNUNET_SYSERR = -1;
+
+
+/**
+ * Get an emscripten-compiled function.
+ */
+const getEmsc: EmscFunGen = (name: string, ret: any, argTypes: any[]) => {
+ return (...args: any[]) => {
+ return emscLib.ccall(name, ret, argTypes, args);
+ }
+};
+
+
+/**
+ * Wrapped emscripten functions that do not allocate any memory.
+ */
+const emsc = {
+ free: (ptr: number) => emscLib._free(ptr),
+ get_value: getEmsc("TALER_WR_get_value",
+ "number",
+ ["number"]),
+ get_fraction: getEmsc("TALER_WR_get_fraction",
+ "number",
+ ["number"]),
+ get_currency: getEmsc("TALER_WR_get_currency",
+ "string",
+ ["number"]),
+ amount_add: getEmsc("TALER_amount_add",
+ "number",
+ ["number", "number", "number"]),
+ amount_subtract: getEmsc("TALER_amount_subtract",
+ "number",
+ ["number", "number", "number"]),
+ amount_normalize: getEmsc("TALER_amount_normalize",
+ "void",
+ ["number"]),
+ amount_get_zero: getEmsc("TALER_amount_get_zero",
+ "number",
+ ["string", "number"]),
+ amount_cmp: getEmsc("TALER_amount_cmp",
+ "number",
+ ["number", "number"]),
+ amount_hton: getEmsc("TALER_amount_hton",
+ "void",
+ ["number", "number"]),
+ amount_ntoh: getEmsc("TALER_amount_ntoh",
+ "void",
+ ["number", "number"]),
+ hash: getEmsc("GNUNET_CRYPTO_hash",
+ "void",
+ ["number", "number", "number"]),
+ memmove: getEmsc("memmove",
+ "number",
+ ["number", "number", "number"]),
+ rsa_public_key_free: getEmsc("GNUNET_CRYPTO_rsa_public_key_free",
+ "void",
+ ["number"]),
+ rsa_signature_free: getEmsc("GNUNET_CRYPTO_rsa_signature_free",
+ "void",
+ ["number"]),
+ string_to_data: getEmsc("GNUNET_STRINGS_string_to_data",
+ "number",
+ ["number", "number", "number", "number"]),
+ eddsa_sign: getEmsc("GNUNET_CRYPTO_eddsa_sign",
+ "number",
+ ["number", "number", "number"]),
+ eddsa_verify: getEmsc("GNUNET_CRYPTO_eddsa_verify",
+ "number",
+ ["number", "number", "number", "number"]),
+ hash_create_random: getEmsc("GNUNET_CRYPTO_hash_create_random",
+ "void",
+ ["number", "number"]),
+ rsa_blinding_key_destroy: getEmsc("GNUNET_CRYPTO_rsa_blinding_key_free",
+ "void",
+ ["number"]),
+ random_block: getEmsc("GNUNET_CRYPTO_random_block",
+ "void",
+ ["number", "number", "number"]),
+ hash_context_abort: getEmsc("GNUNET_CRYPTO_hash_context_abort",
+ "void",
+ ["number"]),
+ hash_context_read: getEmsc("GNUNET_CRYPTO_hash_context_read",
+ "void",
+ ["number", "number", "number"]),
+ hash_context_finish: getEmsc("GNUNET_CRYPTO_hash_context_finish",
+ "void",
+ ["number", "number"]),
+ ecdh_eddsa: getEmsc("GNUNET_CRYPTO_ecdh_eddsa",
+ "number",
+ ["number", "number", "number"]),
+
+ setup_fresh_coin: getEmsc(
+ "TALER_setup_fresh_coin",
+ "void",
+ ["number", "number", "number"]),
+};
+
+
+/**
+ * Emscripten functions that allocate memory.
+ */
+const emscAlloc = {
+ get_amount: getEmsc("TALER_WRALL_get_amount",
+ "number",
+ ["number", "number", "number", "string"]),
+ eddsa_key_create: getEmsc("GNUNET_CRYPTO_eddsa_key_create",
+ "number", []),
+ ecdsa_key_create: getEmsc("GNUNET_CRYPTO_ecdsa_key_create",
+ "number", []),
+ ecdhe_key_create: getEmsc("GNUNET_CRYPTO_ecdhe_key_create",
+ "number", []),
+ eddsa_public_key_from_private: getEmsc(
+ "TALER_WRALL_eddsa_public_key_from_private",
+ "number",
+ ["number"]),
+ ecdsa_public_key_from_private: getEmsc(
+ "TALER_WRALL_ecdsa_public_key_from_private",
+ "number",
+ ["number"]),
+ ecdhe_public_key_from_private: getEmsc(
+ "TALER_WRALL_ecdhe_public_key_from_private",
+ "number",
+ ["number"]),
+ data_to_string_alloc: getEmsc("GNUNET_STRINGS_data_to_string_alloc",
+ "number",
+ ["number", "number"]),
+ purpose_create: getEmsc("TALER_WRALL_purpose_create",
+ "number",
+ ["number", "number", "number"]),
+ rsa_blind: getEmsc("GNUNET_CRYPTO_rsa_blind",
+ "number",
+ ["number", "number", "number", "number", "number"]),
+ rsa_blinding_key_create: getEmsc("GNUNET_CRYPTO_rsa_blinding_key_create",
+ "number",
+ ["number"]),
+ rsa_blinding_key_encode: getEmsc("GNUNET_CRYPTO_rsa_blinding_key_encode",
+ "number",
+ ["number", "number"]),
+ rsa_signature_encode: getEmsc("GNUNET_CRYPTO_rsa_signature_encode",
+ "number",
+ ["number", "number"]),
+ rsa_blinding_key_decode: getEmsc("GNUNET_CRYPTO_rsa_blinding_key_decode",
+ "number",
+ ["number", "number"]),
+ rsa_public_key_decode: getEmsc("GNUNET_CRYPTO_rsa_public_key_decode",
+ "number",
+ ["number", "number"]),
+ rsa_signature_decode: getEmsc("GNUNET_CRYPTO_rsa_signature_decode",
+ "number",
+ ["number", "number"]),
+ rsa_public_key_encode: getEmsc("GNUNET_CRYPTO_rsa_public_key_encode",
+ "number",
+ ["number", "number"]),
+ rsa_unblind: getEmsc("GNUNET_CRYPTO_rsa_unblind",
+ "number",
+ ["number", "number", "number"]),
+ hash_context_start: getEmsc("GNUNET_CRYPTO_hash_context_start",
+ "number",
+ []),
+ malloc: (size: number) => emscLib._malloc(size),
+};
+
+
+/**
+ * Constants for signatures purposes, define what the signatures vouches for.
+ */
+export enum SignaturePurpose {
+ RESERVE_WITHDRAW = 1200,
+ WALLET_COIN_DEPOSIT = 1201,
+ MASTER_DENOMINATION_KEY_VALIDITY = 1025,
+ WALLET_COIN_MELT = 1202,
+ TEST = 4242,
+ MERCHANT_PAYMENT_OK = 1104,
+ MASTER_WIRE_FEES = 1028,
+ WALLET_COIN_PAYBACK = 1203,
+}
+
+
+/**
+ * Desired quality levels for random numbers.
+ */
+export enum RandomQuality {
+ WEAK = 0,
+ STRONG = 1,
+ NONCE = 2
+}
+
+
+/**
+ * Object that is allocated in some arena.
+ */
+interface ArenaObject {
+ destroy(): void;
+}
+
+
+/**
+ * Context for cummulative hashing.
+ */
+export class HashContext implements ArenaObject {
+ private hashContextPtr: number | undefined;
+
+ constructor() {
+ this.hashContextPtr = emscAlloc.hash_context_start();
+ }
+
+ /**
+ * Add data to be hashed.
+ */
+ read(obj: PackedArenaObject): void {
+ if (!this.hashContextPtr) {
+ throw Error("assertion failed");
+ }
+ emsc.hash_context_read(this.hashContextPtr, obj.nativePtr, obj.size());
+ }
+
+ /**
+ * Finish the hash computation.
+ */
+ finish(h: HashCode) {
+ if (!this.hashContextPtr) {
+ throw Error("assertion failed");
+ }
+ h.alloc();
+ emsc.hash_context_finish(this.hashContextPtr, h.nativePtr);
+ }
+
+ /**
+ * Abort hashing without computing the result.
+ */
+ destroy(): void {
+ if (this.hashContextPtr) {
+ emsc.hash_context_abort(this.hashContextPtr);
+ }
+ this.hashContextPtr = undefined;
+ }
+}
+
+
+/**
+ * Arena object that points to an allocaed block of memory.
+ */
+abstract class MallocArenaObject implements ArenaObject {
+ protected _nativePtr: number | undefined = undefined;
+
+ /**
+ * Is this a weak reference to the underlying memory?
+ */
+ isWeak = false;
+
+ destroy(): void {
+ if (this._nativePtr && !this.isWeak) {
+ emsc.free(this.nativePtr);
+ this._nativePtr = undefined;
+ }
+ }
+
+ constructor(arena?: Arena) {
+ if (!arena) {
+ if (arenaStack.length == 0) {
+ throw Error("No arena available")
+ }
+ arena = arenaStack[arenaStack.length - 1];
+ }
+ arena.put(this);
+ }
+
+ alloc(size: number) {
+ if (this._nativePtr !== undefined) {
+ throw Error("Double allocation");
+ }
+ this.nativePtr = emscAlloc.malloc(size);
+ }
+
+ set nativePtr(v: number) {
+ if (v === undefined) {
+ throw Error("Native pointer must be a number or null");
+ }
+ this._nativePtr = v;
+ }
+
+ get nativePtr() {
+ // We want to allow latent allocation
+ // of native wrappers, but we never want to
+ // pass 'undefined' to emscripten.
+ if (this._nativePtr === undefined) {
+ throw Error("Native pointer not initialized");
+ }
+ return this._nativePtr;
+ }
+}
+
+
+/**
+ * An arena stores objects that will be deallocated
+ * at the same time.
+ */
+interface Arena {
+ put(obj: ArenaObject): void;
+ destroy(): void;
+}
+
+
+/**
+ * Arena that must be manually destroyed.
+ */
+class SimpleArena implements Arena {
+ heap: Array<ArenaObject>;
+
+ constructor() {
+ this.heap = [];
+ }
+
+ put(obj: ArenaObject) {
+ this.heap.push(obj);
+ }
+
+ destroy() {
+ for (let obj of this.heap) {
+ obj.destroy();
+ }
+ this.heap = []
+ }
+}
+
+
+/**
+ * Arena that destroys all its objects once control has returned to the message
+ * loop.
+ */
+class SyncArena extends SimpleArena {
+ private isScheduled: boolean;
+
+ constructor() {
+ super();
+ }
+
+ pub(obj: MallocArenaObject) {
+ super.put(obj);
+ if (!this.isScheduled) {
+ this.schedule();
+ }
+ this.heap.push(obj);
+ }
+
+ private schedule() {
+ this.isScheduled = true;
+ Promise.resolve().then(() => {
+ this.isScheduled = false;
+ this.destroy();
+ });
+ }
+}
+
+let arenaStack: Arena[] = [];
+arenaStack.push(new SyncArena());
+
+
+/**
+ * Representation of monetary value in a given currency.
+ */
+export class Amount extends MallocArenaObject {
+ constructor(args?: AmountJson, arena?: Arena) {
+ super(arena);
+ if (args) {
+ this.nativePtr = emscAlloc.get_amount(args.value,
+ 0,
+ args.fraction,
+ args.currency);
+ } else {
+ this.nativePtr = emscAlloc.get_amount(0, 0, 0, "");
+ }
+ }
+
+ static getZero(currency: string, a?: Arena): Amount {
+ let am = new Amount(undefined, a);
+ let r = emsc.amount_get_zero(currency, am.nativePtr);
+ if (r != GNUNET_OK) {
+ throw Error("invalid currency");
+ }
+ return am;
+ }
+
+
+ toNbo(a?: Arena): AmountNbo {
+ let x = new AmountNbo(a);
+ x.alloc();
+ emsc.amount_hton(x.nativePtr, this.nativePtr);
+ return x;
+ }
+
+ fromNbo(nbo: AmountNbo): void {
+ emsc.amount_ntoh(this.nativePtr, nbo.nativePtr);
+ }
+
+ get value() {
+ return emsc.get_value(this.nativePtr);
+ }
+
+ get fraction() {
+ return emsc.get_fraction(this.nativePtr);
+ }
+
+ get currency(): String {
+ return emsc.get_currency(this.nativePtr);
+ }
+
+ toJson(): AmountJson {
+ return {
+ value: emsc.get_value(this.nativePtr),
+ fraction: emsc.get_fraction(this.nativePtr),
+ currency: emsc.get_currency(this.nativePtr)
+ };
+ }
+
+ /**
+ * Add an amount to this amount.
+ */
+ add(a: Amount) {
+ let res = emsc.amount_add(this.nativePtr, a.nativePtr, this.nativePtr);
+ if (res < 1) {
+ // Overflow
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Perform saturating subtraction on amounts.
+ */
+ sub(a: Amount) {
+ // this = this - a
+ let res = emsc.amount_subtract(this.nativePtr, this.nativePtr, a.nativePtr);
+ if (res == 0) {
+ // Underflow
+ return false;
+ }
+ if (res > 0) {
+ return true;
+ }
+ throw Error("Incompatible currencies");
+ }
+
+ cmp(a: Amount) {
+ // If we don't check this, the c code aborts.
+ if (this.currency !== a.currency) {
+ throw Error(`incomparable currencies (${this.currency} and ${a.currency})`);
+ }
+ return emsc.amount_cmp(this.nativePtr, a.nativePtr);
+ }
+
+ normalize() {
+ emsc.amount_normalize(this.nativePtr);
+ }
+}
+
+
+/**
+ * Count the UTF-8 characters in a JavaScript string.
+ */
+function countUtf8Bytes(str: string): number {
+ var s = str.length;
+ // JavaScript strings are UTF-16 arrays
+ for (let i = str.length - 1; i >= 0; i--) {
+ var code = str.charCodeAt(i);
+ if (code > 0x7f && code <= 0x7ff) {
+ // We need an extra byte in utf-8 here
+ s++;
+ } else if (code > 0x7ff && code <= 0xffff) {
+ // We need two extra bytes in utf-8 here
+ s += 2;
+ }
+ // Skip over the other surrogate
+ if (code >= 0xDC00 && code <= 0xDFFF) {
+ i--;
+ }
+ }
+ return s;
+}
+
+
+/**
+ * Managed reference to a contiguous block of memory in the Emscripten heap.
+ * Can be converted from / to a serialized representation.
+ * Should contain only data, not pointers.
+ */
+abstract class PackedArenaObject extends MallocArenaObject {
+ abstract size(): number;
+
+ constructor(a?: Arena) {
+ super(a);
+ }
+
+ randomize(qual: RandomQuality = RandomQuality.STRONG): void {
+ emsc.random_block(qual, this.nativePtr, this.size());
+ }
+
+ toCrock(): string {
+ var d = emscAlloc.data_to_string_alloc(this.nativePtr, this.size());
+ var s = emscLib.Pointer_stringify(d);
+ emsc.free(d);
+ return s;
+ }
+
+ toJson(): any {
+ // Per default, the json encoding of
+ // packed arena objects is just the crockford encoding.
+ // Subclasses typically want to override this.
+ return this.toCrock();
+ }
+
+ loadCrock(s: string) {
+ this.alloc();
+ // We need to get the javascript string
+ // to the emscripten heap first.
+ let buf = ByteArray.fromStringWithNull(s);
+ let res = emsc.string_to_data(buf.nativePtr,
+ s.length,
+ this.nativePtr,
+ this.size());
+ buf.destroy();
+ if (res < 1) {
+ throw {error: "wrong encoding"};
+ }
+ }
+
+ alloc() {
+ // FIXME: should the client be allowed to call alloc multiple times?
+ if (!this._nativePtr) {
+ this.nativePtr = emscAlloc.malloc(this.size());
+ }
+ }
+
+ hash(): HashCode {
+ var x = new HashCode();
+ x.alloc();
+ emsc.hash(this.nativePtr, this.size(), x.nativePtr);
+ return x;
+ }
+
+ hexdump() {
+ let bytes: string[] = [];
+ for (let i = 0; i < this.size(); i++) {
+ let b = emscLib.getValue(this.nativePtr + i, "i8");
+ b = (b + 256) % 256;
+ bytes.push("0".concat(b.toString(16)).slice(-2));
+ }
+ let lines: string[] = [];
+ for (let i = 0; i < bytes.length; i += 8) {
+ lines.push(bytes.slice(i, i + 8).join(","));
+ }
+ return lines.join("\n");
+ }
+}
+
+
+/**
+ * Amount, encoded for network transmission.
+ */
+export class AmountNbo extends PackedArenaObject {
+ size() {
+ return 24;
+ }
+
+ toJson(): any {
+ let a = new SimpleArena();
+ let am = new Amount(undefined, a);
+ am.fromNbo(this);
+ let json = am.toJson();
+ a.destroy();
+ return json;
+ }
+}
+
+
+/**
+ * Create a packed arena object from the base32 crockford encoding.
+ */
+function fromCrock<T extends PackedArenaObject>(s: string, ctor: Ctor<T>): T {
+ let x: T = new ctor();
+ x.alloc();
+ x.loadCrock(s);
+ return x;
+}
+
+
+/**
+ * Create a packed arena object from the base32 crockford encoding for objects
+ * that have a special decoding function.
+ */
+function fromCrockDecoded<T extends MallocArenaObject>(s: string, ctor: Ctor<T>, decodeFn: (p: number, s: number) => number): T {
+ let obj = new ctor();
+ let buf = ByteArray.fromCrock(s);
+ obj.nativePtr = decodeFn(buf.nativePtr, buf.size());
+ buf.destroy();
+ return obj;
+}
+
+
+/**
+ * Encode an object using a special encoding function.
+ */
+function encode<T extends MallocArenaObject>(obj: T, encodeFn: any, arena?: Arena): ByteArray {
+ let ptr = emscAlloc.malloc(PTR_SIZE);
+ let len = encodeFn(obj.nativePtr, ptr);
+ let res = new ByteArray(len, undefined, arena);
+ res.nativePtr = emscLib.getValue(ptr, '*');
+ emsc.free(ptr);
+ return res;
+}
+
+
+/**
+ * Private EdDSA key.
+ */
+export class EddsaPrivateKey extends PackedArenaObject {
+ static create(a?: Arena): EddsaPrivateKey {
+ let obj = new EddsaPrivateKey(a);
+ obj.nativePtr = emscAlloc.eddsa_key_create();
+ return obj;
+ }
+
+ size() {
+ return 32;
+ }
+
+ getPublicKey(a?: Arena): EddsaPublicKey {
+ let obj = new EddsaPublicKey(a);
+ obj.nativePtr = emscAlloc.eddsa_public_key_from_private(this.nativePtr);
+ return obj;
+ }
+
+ static fromCrock(s: string): EddsaPrivateKey {
+ return fromCrock(s, this);
+ }
+}
+
+
+export class EcdsaPrivateKey extends PackedArenaObject {
+ static create(a?: Arena): EcdsaPrivateKey {
+ let obj = new EcdsaPrivateKey(a);
+ obj.nativePtr = emscAlloc.ecdsa_key_create();
+ return obj;
+ }
+
+ size() {
+ return 32;
+ }
+
+ getPublicKey(a?: Arena): EcdsaPublicKey {
+ let obj = new EcdsaPublicKey(a);
+ obj.nativePtr = emscAlloc.ecdsa_public_key_from_private(this.nativePtr);
+ return obj;
+ }
+
+ static fromCrock(s: string): EcdsaPrivateKey {
+ return fromCrock(s, this);
+ }
+}
+
+
+export class EcdhePrivateKey extends PackedArenaObject {
+ static create(a?: Arena): EcdhePrivateKey {
+ let obj = new EcdhePrivateKey(a);
+ obj.nativePtr = emscAlloc.ecdhe_key_create();
+ return obj;
+ }
+
+ size() {
+ return 32;
+ }
+
+ getPublicKey(a?: Arena): EcdhePublicKey {
+ let obj = new EcdhePublicKey(a);
+ obj.nativePtr = emscAlloc.ecdhe_public_key_from_private(this.nativePtr);
+ return obj;
+ }
+
+ static fromCrock(s: string): EcdhePrivateKey {
+ return fromCrock(s, this);
+ }
+}
+
+
+/**
+ * Constructor for a given type.
+ */
+interface Ctor<T> {
+ new(): T
+}
+
+
+export class EddsaPublicKey extends PackedArenaObject {
+ size() {
+ return 32;
+ }
+
+ static fromCrock(s: string): EddsaPublicKey {
+ return fromCrock(s, this);
+ }
+}
+
+export class EcdsaPublicKey extends PackedArenaObject {
+ size() {
+ return 32;
+ }
+
+ static fromCrock(s: string): EcdsaPublicKey {
+ return fromCrock(s, this);
+ }
+}
+
+
+export class EcdhePublicKey extends PackedArenaObject {
+ size() {
+ return 32;
+ }
+
+ static fromCrock(s: string): EcdhePublicKey {
+ return fromCrock(s, this);
+ }
+}
+
+export class RsaBlindingKeySecret extends PackedArenaObject {
+ size() {
+ return 32;
+ }
+
+ /**
+ * Create a random blinding key secret.
+ */
+ static create(a?: Arena): RsaBlindingKeySecret {
+ let o = new RsaBlindingKeySecret(a);
+ o.alloc();
+ o.randomize();
+ return o;
+ }
+
+ static fromCrock(s: string): RsaBlindingKeySecret {
+ return fromCrock(s, this);
+ }
+}
+
+
+export class HashCode extends PackedArenaObject {
+ size() {
+ return 64;
+ }
+
+ static fromCrock(s: string): HashCode {
+ return fromCrock(s, this);
+ }
+
+ random(qual: RandomQuality = RandomQuality.STRONG) {
+ this.alloc();
+ emsc.hash_create_random(qual, this.nativePtr);
+ }
+}
+
+
+export class ByteArray extends PackedArenaObject {
+ private allocatedSize: number;
+
+ size() {
+ return this.allocatedSize;
+ }
+
+ constructor(desiredSize: number, init?: number, a?: Arena) {
+ super(a);
+ if (init === undefined) {
+ this.nativePtr = emscAlloc.malloc(desiredSize);
+ } else {
+ this.nativePtr = init;
+ }
+ this.allocatedSize = desiredSize;
+ }
+
+ static fromStringWithoutNull(s: string, a?: Arena): ByteArray {
+ // UTF-8 bytes, including 0-terminator
+ let terminatedByteLength = countUtf8Bytes(s) + 1;
+ let hstr = emscAlloc.malloc(terminatedByteLength);
+ emscLib.stringToUTF8(s, hstr, terminatedByteLength);
+ return new ByteArray(terminatedByteLength - 1, hstr, a);
+ }
+
+ static fromStringWithNull(s: string, a?: Arena): ByteArray {
+ // UTF-8 bytes, including 0-terminator
+ let terminatedByteLength = countUtf8Bytes(s) + 1;
+ let hstr = emscAlloc.malloc(terminatedByteLength);
+ emscLib.stringToUTF8(s, hstr, terminatedByteLength);
+ return new ByteArray(terminatedByteLength, hstr, a);
+ }
+
+ static fromCrock(s: string, a?: Arena): ByteArray {
+ // this one is a bit more complicated than the other fromCrock functions,
+ // since we don't have a fixed size
+ let byteLength = countUtf8Bytes(s);
+ let hstr = emscAlloc.malloc(byteLength + 1);
+ emscLib.stringToUTF8(s, hstr, byteLength + 1);
+ let decodedLen = Math.floor((byteLength * 5) / 8);
+ let ba = new ByteArray(decodedLen, undefined, a);
+ let res = emsc.string_to_data(hstr, byteLength, ba.nativePtr, decodedLen);
+ emsc.free(hstr);
+ if (res != GNUNET_OK) {
+ throw Error("decoding failed");
+ }
+ return ba;
+ }
+}
+
+
+/**
+ * Data to sign, together with a header that includes a purpose id
+ * and size.
+ */
+export class EccSignaturePurpose extends PackedArenaObject {
+ size() {
+ return this.payloadSize + 8;
+ }
+
+ payloadSize: number;
+
+ constructor(purpose: SignaturePurpose,
+ payload: PackedArenaObject,
+ a?: Arena) {
+ super(a);
+ this.nativePtr = emscAlloc.purpose_create(purpose,
+ payload.nativePtr,
+ payload.size());
+ this.payloadSize = payload.size();
+ }
+}
+
+
+abstract class SignatureStruct {
+ abstract fieldTypes(): Array<any>;
+
+ abstract purpose(): SignaturePurpose;
+
+ private members: any = {};
+
+ constructor(x: { [name: string]: any }) {
+ for (let k in x) {
+ this.set(k, x[k]);
+ }
+ }
+
+ toPurpose(a?: Arena): EccSignaturePurpose {
+ let totalSize = 0;
+ for (let f of this.fieldTypes()) {
+ let name = f[0];
+ let member = this.members[name];
+ if (!member) {
+ throw Error(`Member ${name} not set`);
+ }
+ totalSize += member.size();
+ }
+
+ let buf = emscAlloc.malloc(totalSize);
+ let ptr = buf;
+ for (let f of this.fieldTypes()) {
+ let name = f[0];
+ let member = this.members[name];
+ let size = member.size();
+ emsc.memmove(ptr, member.nativePtr, size);
+ ptr += size;
+ }
+ let ba = new ByteArray(totalSize, buf, a);
+ return new EccSignaturePurpose(this.purpose(), ba);
+ }
+
+
+ toJson() {
+ let res: any = {};
+ for (let f of this.fieldTypes()) {
+ let name = f[0];
+ let member = this.members[name];
+ if (!member) {
+ throw Error(`Member ${name} not set`);
+ }
+ res[name] = member.toJson();
+ }
+ res["purpose"] = this.purpose();
+ return res;
+ }
+
+ protected set(name: string, value: PackedArenaObject) {
+ let typemap: any = {};
+ for (let f of this.fieldTypes()) {
+ typemap[f[0]] = f[1];
+ }
+ if (!(name in typemap)) {
+ throw Error(`Key ${name} not found`);
+ }
+ if (!(value instanceof typemap[name])) {
+ throw Error("Wrong type for ${name}");
+ }
+ this.members[name] = value;
+ }
+}
+
+
+// It's redundant, but more type safe.
+export interface WithdrawRequestPS_Args {
+ reserve_pub: EddsaPublicKey;
+ amount_with_fee: AmountNbo;
+ withdraw_fee: AmountNbo;
+ h_denomination_pub: HashCode;
+ h_coin_envelope: HashCode;
+}
+
+
+export class WithdrawRequestPS extends SignatureStruct {
+ constructor(w: WithdrawRequestPS_Args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.RESERVE_WITHDRAW;
+ }
+
+ fieldTypes() {
+ return [
+ ["reserve_pub", EddsaPublicKey],
+ ["amount_with_fee", AmountNbo],
+ ["withdraw_fee", AmountNbo],
+ ["h_denomination_pub", HashCode],
+ ["h_coin_envelope", HashCode]
+ ];
+ }
+}
+
+
+export interface PaybackRequestPS_args {
+ coin_pub: EddsaPublicKey;
+ h_denom_pub: HashCode;
+ coin_blind: RsaBlindingKeySecret;
+}
+
+
+export class PaybackRequestPS extends SignatureStruct {
+ constructor(w: PaybackRequestPS_args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.WALLET_COIN_PAYBACK;
+ }
+
+ fieldTypes() {
+ return [
+ ["coin_pub", EddsaPublicKey],
+ ["h_denom_pub", HashCode],
+ ["coin_blind", RsaBlindingKeySecret],
+ ];
+ }
+}
+
+
+interface RefreshMeltCoinAffirmationPS_Args {
+ session_hash: HashCode;
+ amount_with_fee: AmountNbo;
+ melt_fee: AmountNbo;
+ coin_pub: EddsaPublicKey;
+}
+
+export class RefreshMeltCoinAffirmationPS extends SignatureStruct {
+
+ constructor(w: RefreshMeltCoinAffirmationPS_Args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.WALLET_COIN_MELT;
+ }
+
+ fieldTypes() {
+ return [
+ ["session_hash", HashCode],
+ ["amount_with_fee", AmountNbo],
+ ["melt_fee", AmountNbo],
+ ["coin_pub", EddsaPublicKey]
+ ];
+ }
+}
+
+
+interface MasterWireFeePS_Args {
+ h_wire_method: HashCode;
+ start_date: AbsoluteTimeNbo;
+ end_date: AbsoluteTimeNbo;
+ wire_fee: AmountNbo;
+ closing_fee: AmountNbo;
+}
+
+export class MasterWireFeePS extends SignatureStruct {
+ constructor(w: MasterWireFeePS_Args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.MASTER_WIRE_FEES;
+ }
+
+ fieldTypes() {
+ return [
+ ["h_wire_method", HashCode],
+ ["start_date", AbsoluteTimeNbo],
+ ["end_date", AbsoluteTimeNbo],
+ ["wire_fee", AmountNbo],
+ ["closing_fee", AmountNbo],
+ ];
+ }
+}
+
+
+export class AbsoluteTimeNbo extends PackedArenaObject {
+ static fromTalerString(s: string): AbsoluteTimeNbo {
+ let x = new AbsoluteTimeNbo();
+ x.alloc();
+ let r = /Date\(([0-9]+)\)/;
+ let m = r.exec(s);
+ if (!m || m.length != 2) {
+ throw Error();
+ }
+ let n = parseInt(m[1]) * 1000000;
+ // XXX: This only works up to 54 bit numbers.
+ set64(x.nativePtr, n);
+ return x;
+ }
+
+ static fromStampSeconds(stamp: number): AbsoluteTimeNbo {
+ let x = new AbsoluteTimeNbo();
+ x.alloc();
+ // XXX: This only works up to 54 bit numbers.
+ set64(x.nativePtr, stamp * 1000000);
+ return x;
+ }
+
+
+ size() {
+ return 8;
+ }
+}
+
+
+// XXX: This only works up to 54 bit numbers.
+function set64(p: number, n: number) {
+ for (let i = 0; i < 8; ++i) {
+ emscLib.setValue(p + (7 - i), n & 0xFF, "i8");
+ n = Math.floor(n / 256);
+ }
+}
+
+// XXX: This only works up to 54 bit numbers.
+function set32(p: number, n: number) {
+ for (let i = 0; i < 4; ++i) {
+ emscLib.setValue(p + (3 - i), n & 0xFF, "i8");
+ n = Math.floor(n / 256);
+ }
+}
+
+
+export class UInt64 extends PackedArenaObject {
+ static fromNumber(n: number): UInt64 {
+ let x = new UInt64();
+ x.alloc();
+ set64(x.nativePtr, n);
+ return x;
+ }
+
+ size() {
+ return 8;
+ }
+}
+
+
+export class UInt32 extends PackedArenaObject {
+ static fromNumber(n: number): UInt64 {
+ let x = new UInt32();
+ x.alloc();
+ set32(x.nativePtr, n);
+ return x;
+ }
+
+ size() {
+ return 4;
+ }
+}
+
+
+// It's redundant, but more type safe.
+export interface DepositRequestPS_Args {
+ h_contract: HashCode;
+ h_wire: HashCode;
+ timestamp: AbsoluteTimeNbo;
+ refund_deadline: AbsoluteTimeNbo;
+ amount_with_fee: AmountNbo;
+ deposit_fee: AmountNbo;
+ merchant: EddsaPublicKey;
+ coin_pub: EddsaPublicKey;
+}
+
+
+export class DepositRequestPS extends SignatureStruct {
+ constructor(w: DepositRequestPS_Args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.WALLET_COIN_DEPOSIT;
+ }
+
+ fieldTypes() {
+ return [
+ ["h_contract", HashCode],
+ ["h_wire", HashCode],
+ ["timestamp", AbsoluteTimeNbo],
+ ["refund_deadline", AbsoluteTimeNbo],
+ ["amount_with_fee", AmountNbo],
+ ["deposit_fee", AmountNbo],
+ ["merchant", EddsaPublicKey],
+ ["coin_pub", EddsaPublicKey],
+ ];
+ }
+}
+
+export interface DenominationKeyValidityPS_args {
+ master: EddsaPublicKey;
+ start: AbsoluteTimeNbo;
+ expire_withdraw: AbsoluteTimeNbo;
+ expire_spend: AbsoluteTimeNbo;
+ expire_legal: AbsoluteTimeNbo;
+ value: AmountNbo;
+ fee_withdraw: AmountNbo;
+ fee_deposit: AmountNbo;
+ fee_refresh: AmountNbo;
+ fee_refund: AmountNbo;
+ denom_hash: HashCode;
+}
+
+export class DenominationKeyValidityPS extends SignatureStruct {
+ constructor(w: DenominationKeyValidityPS_args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.MASTER_DENOMINATION_KEY_VALIDITY;
+ }
+
+ fieldTypes() {
+ return [
+ ["master", EddsaPublicKey],
+ ["start", AbsoluteTimeNbo],
+ ["expire_withdraw", AbsoluteTimeNbo],
+ ["expire_spend", AbsoluteTimeNbo],
+ ["expire_legal", AbsoluteTimeNbo],
+ ["value", AmountNbo],
+ ["fee_withdraw", AmountNbo],
+ ["fee_deposit", AmountNbo],
+ ["fee_refresh", AmountNbo],
+ ["fee_refund", AmountNbo],
+ ["denom_hash", HashCode]
+ ];
+ }
+}
+
+export interface PaymentSignaturePS_args {
+ contract_hash: HashCode;
+}
+
+export class PaymentSignaturePS extends SignatureStruct {
+ constructor(w: PaymentSignaturePS_args) {
+ super(w);
+ }
+
+ purpose() {
+ return SignaturePurpose.MERCHANT_PAYMENT_OK;
+ }
+
+ fieldTypes() {
+ return [
+ ["contract_hash", HashCode],
+ ];
+ }
+}
+
+
+export class RsaPublicKey extends MallocArenaObject {
+ static fromCrock(s: string): RsaPublicKey {
+ return fromCrockDecoded(s, this, emscAlloc.rsa_public_key_decode);
+ }
+
+ toCrock() {
+ return this.encode().toCrock();
+ }
+
+ destroy() {
+ emsc.rsa_public_key_free(this.nativePtr);
+ this.nativePtr = 0;
+ }
+
+ encode(arena?: Arena): ByteArray {
+ return encode(this, emscAlloc.rsa_public_key_encode);
+ }
+}
+
+
+export class EddsaSignature extends PackedArenaObject {
+ size() {
+ return 64;
+ }
+ static fromCrock(s: string): EddsaSignature {
+ return fromCrock(s, this);
+ }
+}
+
+
+export class RsaSignature extends MallocArenaObject {
+ static fromCrock(s: string, a?: Arena) {
+ return fromCrockDecoded(s, this, emscAlloc.rsa_signature_decode);
+ }
+
+ encode(arena?: Arena): ByteArray {
+ return encode(this, emscAlloc.rsa_signature_encode);
+ }
+
+ destroy() {
+ emsc.rsa_signature_free(this.nativePtr);
+ this.nativePtr = 0;
+ }
+}
+
+
+/**
+ * Blind a value so it can be blindly signed.
+ */
+export function rsaBlind(hashCode: HashCode,
+ blindingKey: RsaBlindingKeySecret,
+ pkey: RsaPublicKey,
+ arena?: Arena): ByteArray|null {
+ let buf_ptr_out = emscAlloc.malloc(PTR_SIZE);
+ let buf_size_out = emscAlloc.malloc(PTR_SIZE);
+ let res = emscAlloc.rsa_blind(hashCode.nativePtr,
+ blindingKey.nativePtr,
+ pkey.nativePtr,
+ buf_ptr_out,
+ buf_size_out);
+ let buf_ptr = emscLib.getValue(buf_ptr_out, '*');
+ let buf_size = emscLib.getValue(buf_size_out, '*');
+ emsc.free(buf_ptr_out);
+ emsc.free(buf_size_out);
+ if (res != GNUNET_OK) {
+ // malicious key
+ return null;
+ }
+ return new ByteArray(buf_size, buf_ptr, arena);
+}
+
+
+/**
+ * Sign data using EdDSA.
+ */
+export function eddsaSign(purpose: EccSignaturePurpose,
+ priv: EddsaPrivateKey,
+ a?: Arena): EddsaSignature {
+ let sig = new EddsaSignature(a);
+ sig.alloc();
+ let res = emsc.eddsa_sign(priv.nativePtr, purpose.nativePtr, sig.nativePtr);
+ if (res < 1) {
+ throw Error("EdDSA signing failed");
+ }
+ return sig;
+}
+
+
+/**
+ * Verify EdDSA-signed data.
+ */
+export function eddsaVerify(purposeNum: number,
+ verify: EccSignaturePurpose,
+ sig: EddsaSignature,
+ pub: EddsaPublicKey,
+ a?: Arena): boolean {
+ let r = emsc.eddsa_verify(purposeNum,
+ verify.nativePtr,
+ sig.nativePtr,
+ pub.nativePtr);
+ return r === GNUNET_OK;
+}
+
+
+/**
+ * Unblind a blindly signed value.
+ */
+export function rsaUnblind(sig: RsaSignature,
+ bk: RsaBlindingKeySecret,
+ pk: RsaPublicKey,
+ a?: Arena): RsaSignature {
+ let x = new RsaSignature(a);
+ x.nativePtr = emscAlloc.rsa_unblind(sig.nativePtr,
+ bk.nativePtr,
+ pk.nativePtr);
+ return x;
+}
+
+
+type TransferSecretP = HashCode;
+
+export interface FreshCoin {
+ priv: EddsaPrivateKey;
+ blindingKey: RsaBlindingKeySecret;
+}
+
+/**
+ * Diffie-Hellman operation between an ECDHE private key
+ * and an EdDSA public key.
+ */
+export function ecdhEddsa(priv: EcdhePrivateKey,
+ pub: EddsaPublicKey): HashCode {
+ let h = new HashCode();
+ h.alloc();
+ let res = emsc.ecdh_eddsa(priv.nativePtr, pub.nativePtr, h.nativePtr);
+ if (res != GNUNET_OK) {
+ throw Error("ecdh_eddsa failed");
+ }
+ return h;
+}
+
+
+/**
+ * Derive a fresh coin from the given seed. Used during refreshing.
+ */
+export function setupFreshCoin(secretSeed: TransferSecretP,
+ coinIndex: number): FreshCoin {
+ let priv = new EddsaPrivateKey();
+ priv.isWeak = true;
+ let blindingKey = new RsaBlindingKeySecret();
+ blindingKey.isWeak = true;
+ let buf = new ByteArray(priv.size() + blindingKey.size());
+
+ emsc.setup_fresh_coin(secretSeed.nativePtr, coinIndex, buf.nativePtr);
+
+ priv.nativePtr = buf.nativePtr;
+ blindingKey.nativePtr = buf.nativePtr + priv.size();
+
+ return {priv, blindingKey};
+}
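Review bot: `SyncArena` declares `pub(obj: MallocArenaObject)` rather than overriding `put`, so the `arena.put(this)` call in the `MallocArenaObject` constructor reaches `SimpleArena.put` and `schedule()` never runs. As written, nothing visible here destroys the default arena pushed onto `arenaStack`, so objects created without an explicit arena, including `EddsaPrivateKey` and `RsaBlindingKeySecret` buffers, are never freed by it and their key material stays in the emscripten heap. Renaming alone is not enough: the method also calls `this.heap.push(obj)` after `super.put(obj)`, which would register each object twice, and `RsaPublicKey.destroy` / `RsaSignature.destroy` call their native free function without a guard, so the second pass would call it again with the pointer already reset to 0. I would write it as `put(obj: ArenaObject) { super.put(obj); if (!this.isScheduled) { this.schedule(); } }` and initialise the field with `private isScheduled = false;`.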
diff --git a/src/crypto/emscLoader.d.ts b/src/crypto/emscLoader.d.ts
new file mode 100644
index 000000000..e46ed7f13
--- /dev/null
+++ b/src/crypto/emscLoader.d.ts
@@ -0,0 +1,54 @@
+/*
+ This file is part of TALER
+ (C) 2016 GNUnet e.V.
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+ */
+
+
+declare function getLib(): EmscLib;
+
+export interface EmscFunGen {
+ (name: string,
+ ret: string,
+ args: string[]): ((...x: (number|string)[]) => any);
+ (name: string,
+ ret: "number",
+ args: string[]): ((...x: (number|string)[]) => number);
+ (name: string,
+ ret: "void",
+ args: string[]): ((...x: (number|string)[]) => void);
+ (name: string,
+ ret: "string",
+ args: string[]): ((...x: (number|string)[]) => string);
+}
+
+
+interface EmscLib {
+ cwrap: EmscFunGen;
+
+ ccall(name: string, ret:"number"|"string", argTypes: any[], args: any[]): any
+
+ stringToUTF8(s: string, addr: number, maxLength: number): void
+
+ _free(ptr: number): void;
+
+ _malloc(n: number): number;
+
+ Pointer_stringify(p: number, len?: number): string;
+
+ getValue(ptr: number, type: string, noSafe?: boolean): number;
+
+ setValue(ptr: number, value: number, type: string, noSafe?: boolean): void;
+
+ writeStringToMemory(s: string, buffer: number, dontAddNull?: boolean): void;
+}
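Review bot: In `EmscFunGen`, the first call signature (`ret: string`, returning `(...x) => any`) matches every call, so the three literal-typed signatures below it (`"number"`, `"void"`, `"string"`) are never selected. TypeScript resolves overloads in declaration order, so the catch-all signature should be moved to the end of the interface, after the `"string"` one. As written, anything created through `cwrap` is typed as returning `any`, which presumably includes the native crypto wrappers whose return codes are compared in emscInterface.ts (`res < 1`, `r === GNUNET_OK`), so those comparisons get no type checking. Separately, `declare function getLib(): EmscLib;` is not exported while emscLoader.js has `export default function getLib()`; it looks like the declaration should be `export default function getLib(): EmscLib;`, though the importing code is not visible here.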
diff --git a/src/crypto/emscLoader.js b/src/crypto/emscLoader.js
new file mode 100644
index 000000000..723b8ae36
--- /dev/null
+++ b/src/crypto/emscLoader.js
@@ -0,0 +1,38 @@
+/*
+ This file is part of TALER
+ (C) 2017 Inria and GNUnet e.V.
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+ */
+
+
+// @ts-nocheck
+
+/**
+ * Load the taler emscripten lib.
+ *
+ * If in a WebWorker, importScripts is used. Inside a browser,
+ * the module must be globally available.
+ */
+export default function getLib() {
+ if (window.TalerEmscriptenLib) {
+ return TalerEmscriptenLib;
+ }
+ if (importScripts) {
+ importScripts('/src/emscripten/taler-emscripten-lib.js')
+ if (TalerEmscriptenLib) {
+ throw Error("can't import TalerEmscriptenLib");
+ }
+ return TalerEmscriptenLib
+ }
+ throw Error("Can't find TalerEmscriptenLib.");
+}
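Review bot: The check after `importScripts(...)` in `getLib` is inverted: `if (TalerEmscriptenLib) { throw ... }` throws exactly when the library was loaded, and otherwise falls through to `return TalerEmscriptenLib` with nothing loaded; it should be `if (typeof TalerEmscriptenLib === "undefined")`. The two environment probes also read globals that may not be declared: `window.TalerEmscriptenLib` raises a ReferenceError in a WebWorker (and in nodejs, which the commit message names as a goal) before the `importScripts` branch is reached, and a bare `importScripts` does the same in a page context. Guarding both with `typeof`, as in `if (typeof window !== "undefined" && window.TalerEmscriptenLib)` and `if (typeof importScripts === "function")`, lets the function reach the intended branch and fail with its own error messages. Because the file is under `// @ts-nocheck`, none of this is caught at compile time, so a test that loads the library through the worker path would be worth adding.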