diff --git a/sxt/ppkp_ops.c b/sxt/ppkp_ops.c
index d0f8cc9..26b956c 100644
--- a/sxt/ppkp_ops.c
+++ b/sxt/ppkp_ops.c
@@ -48,6 +48,10 @@
 #include <sxt/ciphers.h>
 #include <sxt/base64.h>
 
+#if 0
+#define blub(a)  printf("%s:%d -> %d\n", __FUNCTION__, __LINE__, (a))
+#endif
+
 /* locals */
 static int sxtkey_export_priv_ed25519(const sxtkey_t *key, const char *pass, sxtsafebuffer_t **bin);
 static int sxt_public_ed25519_2sb(const sxtkey_t *key, sxtsafebuffer_t **buf);
@@ -103,6 +107,7 @@ sxtkey_t *sxtkey_alloc(void)
   sxtkey_t *key = malloc(sizeof(sxtkey_t));
 
   if(!key) return NULL;
+  else memset(key, 0, sizeof(sxtkey_t));
 
   return key;
 }
@@ -183,10 +188,10 @@ int sxtkey_assign_hash(sxtkey_t *key, uint64_t hash)
 {
   if(!key) return SXT_EINVAL;
 
-  if(!sxtkey_private(key)) return SXT_EINVAL;
+  //  if(!sxtkey_private(key)) return SXT_EINVAL;
 
-  if(key->hash) return SXT_EKEY;
-  else key->hash = hash;
+  //if(key->hash) return SXT_EKEY;
+  key->hash = hash;
 
   return SXT_SUCCESS;
 }
@@ -332,7 +337,7 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
   char *rawfbuf = NULL, *tbuf, *tebuf, *tuple = NULL, *b64pk = NULL;
   struct stat stbuf;
   uint8_t keytype = 0;
-  int r = SXT_SUCCESS, tc = 0, tcc = 0, len;
+  int r = SXT_SUCCESS, tcc = 0, len;
 
   *ik = NULL;
 
@@ -345,9 +350,9 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
   if((stream = fopen(file, "r")) == NULL) return SXT_EIO;
 
   if(!(rawfbuf = malloc(stbuf.st_size + sizeof(char)))) goto __failed;
-  else rawfbuf[stbuf.st_size + sizeof(char)] = '\0';
+  else rawfbuf[stbuf.st_size] = '\0';
 
-  if(fread(rawfbuf, stbuf.st_size + sizeof(char), 1, stream) != 1) {
+  if(fread(rawfbuf, stbuf.st_size, 1, stream) != 1) {
     r = SXT_EIO;
     goto __failed;
   }
@@ -357,7 +362,7 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
   if(r != SXT_SUCCESS) goto __failed;
 
   /* now we need to get a keytype and decode b64blob */
-  for(tbuf = rawfbuf, tc = 0, tcc = 0, tebuf = NULL; *tbuf != '\0'; tbuf++) {
+  for(tbuf = rawfbuf, tcc = 0, tebuf = NULL; *tbuf != '\0'; tbuf++) {
     switch(tcc) {
     case 0: /* just entering */
       if(*tbuf == '(') tcc++;
@@ -365,7 +370,6 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
     case 1: /* first e.g. key type plain text description */
       if(!tebuf) tebuf = tbuf;
       else if(tebuf && *tbuf == ' ') {
-        if(!tebuf) goto __failed;
         len = (tbuf - tebuf) + sizeof(char);
         if(!(tuple = malloc(len))) {
           r = SXT_ENOMEM;
@@ -388,14 +392,13 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
       break;
     case 2: /* private key contents */
       if(!tebuf && *tbuf != ' ') tebuf = tbuf;
-      else if(tebuf && *tbuf == ' ') {
-        len = (tbuf - tebuf) + sizeof(char);
-        /* check format */
-        if(*tebuf != '"') tc = SXT_EKEYFMT;
-        if(!tc && tebuf[len - 2] != '"') tc = SXT_EKEYFMT;
-        len -= 2;
-        if(tc || len <= 0) {          r = tc; goto __failed;        }
+      else if(tebuf && *tbuf == '"') {
         tebuf++;
+        len = (tbuf - tebuf) + sizeof(char);
+        if(len <= 1) {
+          r = SXT_EKEYFMT;
+          goto __failed;
+        }
 
         if(!(tuple = malloc(len))) { r = SXT_ENOMEM; goto __failed; }
         else memset(tuple, 0, len);
@@ -418,7 +421,8 @@ int sxtkey_import_priv_file(const char *file, const char *passkey,
   }
 
   if(tcc < 3) {
-    r = SXT_EKEYFMT; goto __failed;
+    r = SXT_EKEYFMT;
+    goto __failed;
   }
 
   r = sxtkey_privkey_import_fbase64blob(b64pk, keytype, ask_passkey, priv, ik);
@@ -443,15 +447,15 @@ int sxtkey_privkey_import_rdbuf(sxtrdb_t *buf, uint8_t keytype,
   sxtkey_t *key = NULL;
   char *keyname = NULL, *ciphername = NULL, *kdfname = NULL, *magic = NULL;
   uint64_t hash = 0;
-  uint32_t r1 = 0, r2 = 0;
+  uint32_t r1 = 0, r2 = 0, ctrl_pklen = 0;
   int r = SXT_SUCCESS, decrypt = 0;
 
   if(!buf) return SXT_EINVAL;
   if(!sxtrdb_length(buf)) return SXT_EINVAL;
   if(keytype == 0) return SXT_EKEY;
 
-  r = sxtrdb_escan(buf, "sbsssRRR", &magic, &flags, &keyname, &ciphername, &kdfname,
-                   &kdfopt, &ctrl_pubkey, &privkey);
+  r = sxtrdb_escan(buf, "sbsssRdRR", &magic, &flags, &keyname, &ciphername, &kdfname,
+                   &kdfopt, &ctrl_pklen, &ctrl_pubkey, &privkey);
   if(r != SXT_SUCCESS) goto __failed;
 
   if(strcmp(PPKP_MAGIC, magic)) { /* magic should be right */
@@ -471,6 +475,11 @@ int sxtkey_privkey_import_rdbuf(sxtrdb_t *buf, uint8_t keytype,
 
   switch(keytype) {
   case PPKP_ED25519:
+    /* check public key length first */
+    if(ctrl_pklen != ED25519_PK_LEN + sizeof(uint32_t)) {
+      r = SXT_EKEY;
+      goto __failed;
+    }
     /* check for encryption details */
     if(decrypt) {
       if(strcmp(ciphername, "aes128-cbc") || strcmp(kdfname, "bcrypt")) {
@@ -506,9 +515,10 @@ int sxtkey_privkey_import_rdbuf(sxtrdb_t *buf, uint8_t keytype,
       goto __failed;
     }
     /* control check for random numbers */
-    if(r1 != r2) goto __invalid;
+    if(r1 != r2)       goto __invalid;
+
     /* control check of public keys */
-    if(sxtrdb_cmp(ctrl_pubkey, ed25519_privbuf)) {
+    if(sxtrdb_cmp(ctrl_pubkey, ed25519_pubbuf)) {
     __invalid:
       sxtrdb_free(ed25519_pubbuf);
       sxtrdb_free(ed25519_privbuf);
@@ -619,6 +629,7 @@ int sxtkey_pubkey_import_fbase64blob(const char *b64b, uint8_t keytype,
   sxtrdb_t *keybuf = NULL;
   char *blob = NULL, *ed25519pk = NULL;
   uint64_t hash;
+  uint32_t klen = 0;
   int len, r = SXT_SUCCESS;
 
   if(!b64b) return SXT_EINVAL;
@@ -643,7 +654,13 @@ int sxtkey_pubkey_import_fbase64blob(const char *b64b, uint8_t keytype,
     }
     /* <pubkey><hash> */
     sxtrdb_write_raw(keybuf, blob, len);
-    sxtrdb_escan(keybuf, "pq", ED25519_PK_LEN, ed25519pk, &hash);
+    sxtrdb_resetcur(keybuf);
+    sxtrdb_escan(keybuf, "dpq", &klen, ED25519_PK_LEN, ed25519pk, &hash);
+
+    if(klen != ED25519_PK_LEN) {
+      r = SXT_EKEY;
+      goto __failed;
+    }
 
     if(hash != ctrl_hash) {
       r = SXT_EKEY;
@@ -699,9 +716,9 @@ int sxtkey_import_public_file(const char *file, sxtkey_t **ik)
   if((stream = fopen(file, "r")) == NULL) return SXT_EIO;
 
   if(!(rawfbuf = malloc(stbuf.st_size + sizeof(char)))) goto __failed;
-  else rawfbuf[stbuf.st_size + sizeof(char)] = '\0';
+  else rawfbuf[stbuf.st_size] = '\0';
 
-  if(fread(rawfbuf, stbuf.st_size + sizeof(char), 1, stream) != 1) {
+  if(fread(rawfbuf, stbuf.st_size, 1, stream) != 1) {
     r = SXT_EIO;
     goto __failed;
   }
@@ -807,7 +824,7 @@ int sxtkey_import_public_file(const char *file, sxtkey_t **ik)
           free(tuple);
           r = SXT_ENOMEM; goto __failed;
         } else memset(tebuf, 0, len);
-        len = sxt_b64decode_in(tuple, len, tebuf, len);
+        len = sxt_b64decode_in(tuple, strlen(tuple), tebuf, len);
 
         free(tuple);
         if(!(chbuf = sxtrdb_new())) {
@@ -815,6 +832,7 @@ int sxtkey_import_public_file(const char *file, sxtkey_t **ik)
           r = SXT_ENOMEM; goto __failed;
         }
         sxtrdb_write_raw(chbuf, tebuf, len);
+        sxtrdb_resetcur(chbuf);
         sxtrdb_read_u64(chbuf, &ctrl_hash);
         sxtrdb_free(chbuf);
         free(tebuf);