security: In key-chain.cpp, added a static utility function verifySha256WithRsaSignature.
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index e3980a9..4d82f06 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -25,6 +25,49 @@
 
 namespace ndn {
 
+/**
+ * Verify the signature on the data packet using the given public key.  If there is no data.getDefaultWireEncoding(),
+ * this calls data.wireEncode() to set it.
+ * @param data The data packet with the signed portion and the signature to verify.  The data packet must have a
+ * Sha256WithRsaSignature.
+ * @param publicKey The public key used to verify the signature.
+ * @return true if the signature verifies, false if not.
+ * @throw SecurityException if data does not have a Sha256WithRsaSignature.
+ */
+static bool
+verifySha256WithRsaSignature(const Data& data, const PublicKey& publicKey)
+{
+  const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
+  if (!signature)
+    throw SecurityException("signature is not Sha256WithRsaSignature.");
+  
+  // Set the data packet's default wire encoding if it is not already there.
+  if (signature->getDigestAlgorithm().size() != 0)
+    // TODO: Allow a non-default digest algorithm.
+    throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
+  if (!data.getDefaultWireEncoding())
+    data.wireEncode();
+  
+  // Set signedPortionDigest to the digest of the signed portion of the wire encoding.
+  uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
+  ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
+  
+  // Verify the signedPortionDigest.
+  // Use a temporary pointer since d2i updates it.
+  const uint8_t *derPointer = publicKey.getKeyDer().buf();
+  RSA *rsaPublicKey = d2i_RSA_PUBKEY(NULL, &derPointer, publicKey.getKeyDer().size());
+  if (!rsaPublicKey)
+    throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
+  int success = RSA_verify
+    (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
+     signature->getSignature().size(), rsaPublicKey);
+  // Free the public key before checking for success.
+  RSA_free(rsaPublicKey);
+  
+  // RSA_verify returns 1 for a valid signature.
+  return (success == 1);
+}
+  
 KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
 : identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)
 {