security: Added initial port of OSXPrivateKeyStorage
diff --git a/ndn-cpp/security/identity/osx-private-key-storage.cpp b/ndn-cpp/security/identity/osx-private-key-storage.cpp
new file mode 100644
index 0000000..2840e64
--- /dev/null
+++ b/ndn-cpp/security/identity/osx-private-key-storage.cpp
@@ -0,0 +1,517 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+// Only compile if config.h defines HAVE_OSX_SECKEYCHAIN 1.
+#include "../../c/common.h"
+#if 0 // temporarily disable.
+//#if HAVE_OSX_SECKEYCHAIN
+
+
+#include <fstream>
+#include <sstream>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include "../../util/logging.hpp"
+#include "osx-private-key-storage.hpp"
+#include "../security-exception.hpp"
+
+using namespace std;
+using namespace ndn::ptr_lib;
+
+INIT_LOGGER("ndn.OSXPrivateKeyStorage");
+
+namespace ndn
+{
+ OSXPrivateKeyStorage::OSXPrivateKeyStorage(const string & keychainName)
+ : keyChainName_("" == keychainName ? "NDN.keychain" : keychainName)
+ {
+ OSStatus res = SecKeychainCreate(keyChainName_.c_str(), //Keychain path
+ 0, //Keychain password length
+ NULL, //Keychain password
+ true, //User prompt
+ NULL, //Initial access of Keychain
+ &keyChainRef_); //Keychain reference
+
+ if (res == errSecDuplicateKeychain)
+ res = SecKeychainOpen(keyChainName_.c_str(),
+ &keyChainRef_);
+
+ if (res != errSecSuccess){
+ _LOG_DEBUG("Fail to initialize keychain ref: " << res);
+ throw SecurityException("Fail to initialize keychain ref");
+ }
+
+ res = SecKeychainCopyDefault(&originalDefaultKeyChain_);
+
+ res = SecKeychainSetDefault(keyChainRef_);
+ if (res != errSecSuccess){
+ _LOG_DEBUG("Fail to set default keychain: " << res);
+ throw SecurityException("Fail to set default keychain");
+ }
+ }
+
+ OSXPrivateKeyStorage::~OSXPrivateKeyStorage(){
+ //TODO: implement
+ }
+
+ void
+ OSXPrivateKeyStorage::generateKeyPair(const Name & keyName, KeyType keyType, int keySize)
+ {
+
+ if(doesKeyExist(keyName, KEY_CLASS_PUBLIC)){
+ _LOG_DEBUG("keyName has existed");
+ throw SecurityException("keyName has existed");
+ }
+
+ string keyNameUri = toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
+
+ SecKeyRef publicKey, privateKey;
+
+ CFStringRef keyLabel = CFStringCreateWithCString(NULL,
+ keyNameUri.c_str(),
+ keyNameUri.size());
+
+ CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+ 3,
+ &kCFTypeDictionaryKeyCallBacks,
+ NULL);
+
+ CFDictionaryAddValue(attrDict, kSecAttrKeyType, getAsymKeyType(keyType));
+ CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(NULL, kCFNumberIntType, &keySize));
+ CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+
+ OSStatus res = SecKeyGeneratePair((CFDictionaryRef)attrDict, &publicKey, &privateKey);
+
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+
+ if (res != errSecSuccess){
+ _LOG_DEBUG("Fail to create a key pair: " << res);
+ throw SecurityException("Fail to create a key pair");
+ }
+ }
+
+ void
+ OSXPrivateKeyStorage::generateKey(const Name & keyName, KeyType keyType, int keySize)
+ {
+
+ if(doesKeyExist(keyName, KEY_CLASS_SYMMETRIC))
+ throw SecurityException("keyName has existed!");
+
+ string keyNameUri = toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
+
+ CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
+ 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ CFStringRef keyLabel = CFStringCreateWithCString(NULL,
+ keyNameUri.c_str(),
+ keyNameUri.size());
+
+ CFDictionaryAddValue(attrDict, kSecAttrKeyType, getSymKeyType(keyType));
+ CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keySize));
+ CFDictionaryAddValue(attrDict, kSecAttrIsPermanent, kCFBooleanTrue);
+ CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+
+ CFErrorRef error = NULL;
+
+ SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error);
+
+ if (error)
+ throw SecurityException("Fail to create a symmetric key");
+ }
+
+ shared_ptr<PublicKey> OSXPrivateKeyStorage::getPublicKey(const Name & keyName)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::getPublickey");
+
+ SecKeychainItemRef publicKey = getKey(keyName, KEY_CLASS_PUBLIC);
+
+ CFDataRef exportedKey;
+
+ OSStatus res = SecItemExport(publicKey,
+ kSecFormatOpenSSL,
+ 0,
+ NULL,
+ &exportedKey);
+
+ Blob blob(CFDataGetBytePtr(exportedKey), CFDataGetLength(exportedKey));
+
+ return PublicKey::fromDer(blob);
+ }
+
+ Blob OSXPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength, const Name & keyName, DigestAlgorithm digestAlgo)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::Sign");
+
+ CFDataRef dataRef = CFDataCreate(NULL,
+ reinterpret_cast<const unsigned char*>(data),
+ dataLength
+ );
+
+ SecKeyRef privateKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PRIVATE);
+
+ CFErrorRef error;
+ SecTransformRef signer = SecSignTransformCreate((SecKeyRef)privateKey, &error);
+ if (error) throw SecurityException("Fail to create signer");
+
+ Boolean set_res = SecTransformSetAttribute(signer,
+ kSecTransformInputAttributeName,
+ dataRef,
+ &error);
+ if (error) throw SecurityException("Fail to configure input of signer");
+
+ set_res = SecTransformSetAttribute(signer,
+ kSecDigestTypeAttribute,
+ getDigestAlgorithm(digestAlgo),
+ &error);
+ if (error) throw SecurityException("Fail to configure digest algorithm of signer");
+
+ long digestSize = getDigestSize(digestAlgo);
+
+ set_res = SecTransformSetAttribute(signer,
+ kSecDigestLengthAttribute,
+ CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
+ &error);
+ if (error) throw SecurityException("Fail to configure digest size of signer");
+
+ CFDataRef signature = (CFDataRef) SecTransformExecute(signer, &error);
+ if (error) {
+ CFShow(error);
+ throw SecurityException("Fail to sign data");
+ }
+
+ if (!signature) throw SecurityException("Signature is NULL!\n");
+
+ return Blob(CFDataGetBytePtr(signature), CFDataGetLength(signature));
+ }
+
+ Blob OSXPrivateKeyStorage::decrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::Decrypt");
+
+ KeyClass keyClass;
+ if(sym)
+ keyClass = KEY_CLASS_SYMMETRIC;
+ else
+ keyClass = KEY_CLASS_PRIVATE;
+
+ CFDataRef dataRef = CFDataCreate(NULL,
+ reinterpret_cast<const unsigned char*>(data),
+ dataLength
+ );
+
+ // _LOG_DEBUG("CreateData");
+
+ SecKeyRef decryptKey = (SecKeyRef)getKey(keyName, keyClass);
+
+ // _LOG_DEBUG("GetKey");
+
+ CFErrorRef error;
+ SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error);
+ if (error) throw SecurityException("Fail to create decrypt");
+
+ Boolean set_res = SecTransformSetAttribute(decrypt,
+ kSecTransformInputAttributeName,
+ dataRef,
+ &error);
+ if (error) throw SecurityException("Fail to configure decrypt");
+
+ CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error);
+ if (error)
+ {
+ CFShow(error);
+ throw SecurityException("Fail to decrypt data");
+ }
+ if (!output) throw SecurityException("Output is NULL!\n");
+
+ return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+ }
+
+ bool OSXPrivateKeyStorage::setACL(const Name & keyName, KeyClass keyClass, int acl, const string & appPath)
+ {
+ SecKeychainItemRef privateKey = getKey(keyName, keyClass);
+
+ SecAccessRef accRef;
+ OSStatus acc_res = SecKeychainItemCopyAccess(privateKey, &accRef);
+
+ CFArrayRef signACL = SecAccessCopyMatchingACLList(accRef,
+ kSecACLAuthorizationSign);
+
+ SecACLRef aclRef = (SecACLRef) CFArrayGetValueAtIndex(signACL, 0);
+
+ CFArrayRef appList;
+ CFStringRef description;
+ SecKeychainPromptSelector promptSelector;
+ OSStatus acl_res = SecACLCopyContents(aclRef,
+ &appList,
+ &description,
+ &promptSelector);
+
+ CFMutableArrayRef newAppList = CFArrayCreateMutableCopy(NULL,
+ 0,
+ appList);
+
+ SecTrustedApplicationRef trustedApp;
+ acl_res = SecTrustedApplicationCreateFromPath(appPath.c_str(),
+ &trustedApp);
+
+ CFArrayAppendValue(newAppList, trustedApp);
+
+
+ CFArrayRef authList = SecACLCopyAuthorizations(aclRef);
+
+ acl_res = SecACLRemove(aclRef);
+
+ SecACLRef newACL;
+ acl_res = SecACLCreateWithSimpleContents(accRef,
+ newAppList,
+ description,
+ promptSelector,
+ &newACL);
+
+ acl_res = SecACLUpdateAuthorizations(newACL, authList);
+
+ acc_res = SecKeychainItemSetAccess(privateKey, accRef);
+
+ return true;
+ }
+
+ bool OSXPrivateKeyStorage::verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::Verify");
+
+ CFDataRef dataRef = CFDataCreate(NULL,
+ reinterpret_cast<const unsigned char*>(pData.buf()),
+ pData.size());
+
+ CFDataRef sigRef = CFDataCreate(NULL,
+ reinterpret_cast<const unsigned char*>(pSig.buf()),
+ pSig.size());
+
+ SecKeyRef publicKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PUBLIC);
+
+ CFErrorRef error;
+ SecTransformRef verifier = SecVerifyTransformCreate(publicKey, sigRef, &error);
+ if (error) throw SecurityException("Fail to create verifier");
+
+ Boolean set_res = SecTransformSetAttribute(verifier,
+ kSecTransformInputAttributeName,
+ dataRef,
+ &error);
+ if (error) throw SecurityException("Fail to configure input of verifier");
+
+ set_res = SecTransformSetAttribute(verifier,
+ kSecDigestTypeAttribute,
+ getDigestAlgorithm(digestAlgo),
+ &error);
+ if (error) throw SecurityException("Fail to configure digest algorithm of verifier");
+
+ long digestSize = getDigestSize(digestAlgo);
+ set_res = SecTransformSetAttribute(verifier,
+ kSecDigestLengthAttribute,
+ CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
+ &error);
+ if (error) throw SecurityException("Fail to configure digest size of verifier");
+
+ CFBooleanRef result = (CFBooleanRef) SecTransformExecute(verifier, &error);
+ if (error) throw SecurityException("Fail to verify data");
+
+ if (result == kCFBooleanTrue)
+ return true;
+ else
+ return false;
+ }
+
+ Blob OSXPrivateKeyStorage::encrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::Encrypt");
+
+ KeyClass keyClass;
+ if(sym)
+ keyClass = KEY_CLASS_SYMMETRIC;
+ else
+ keyClass = KEY_CLASS_PUBLIC;
+
+ CFDataRef dataRef = CFDataCreate(NULL,
+ reinterpret_cast<const unsigned char*>(data),
+ dataLength
+ );
+
+ SecKeyRef encryptKey = (SecKeyRef)getKey(keyName, keyClass);
+
+ CFErrorRef error;
+ SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error);
+ if (error) throw SecurityException("Fail to create encrypt");
+
+ Boolean set_res = SecTransformSetAttribute(encrypt,
+ kSecTransformInputAttributeName,
+ dataRef,
+ &error);
+ if (error) throw SecurityException("Fail to configure encrypt");
+
+ CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error);
+ if (error) throw SecurityException("Fail to encrypt data");
+
+ if (!output) throw SecurityException("Output is NULL!\n");
+
+ return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+ }
+
+ bool OSXPrivateKeyStorage::doesKeyExist(const Name & keyName, KeyClass keyClass)
+ {
+ _LOG_TRACE("OSXPrivateKeyStorage::doesKeyExist");
+
+ string keyNameUri = toInternalKeyName(keyName, keyClass);
+
+ CFStringRef keyLabel = CFStringCreateWithCString(NULL,
+ keyNameUri.c_str(),
+ keyNameUri.size());
+
+ CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+ 3,
+ &kCFTypeDictionaryKeyCallBacks,
+ NULL);
+
+ CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
+ CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+ CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
+
+ SecKeychainItemRef itemRef;
+ OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict, (CFTypeRef*)&itemRef);
+
+ if(res == errSecItemNotFound)
+ return true;
+ else
+ return false;
+
+ }
+
+ SecKeychainItemRef OSXPrivateKeyStorage::getKey(const Name & keyName, KeyClass keyClass)
+ {
+ string keyNameUri = toInternalKeyName(keyName, keyClass);
+
+ CFStringRef keyLabel = CFStringCreateWithCString (NULL,
+ keyNameUri.c_str(),
+ keyNameUri.size());
+
+ CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+ 5,
+ &kCFTypeDictionaryKeyCallBacks,
+ NULL);
+
+ CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey);
+ CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+ CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
+ CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
+
+ SecKeychainItemRef keyItem;
+
+ OSStatus res = SecItemCopyMatching((CFDictionaryRef) attrDict, (CFTypeRef*)&keyItem);
+
+ if(res != errSecSuccess){
+ _LOG_DEBUG("Fail to find the key!");
+ return NULL;
+ }
+ else
+ return keyItem;
+ }
+
+ string OSXPrivateKeyStorage::toInternalKeyName(const Name & keyName, KeyClass keyClass)
+ {
+ string keyUri = keyName.toUri();
+
+ if(KEY_CLASS_SYMMETRIC == keyClass)
+ return keyUri + "/symmetric";
+ else
+ return keyUri;
+ }
+
+ const CFTypeRef OSXPrivateKeyStorage::getAsymKeyType(KeyType keyType)
+ {
+ switch(keyType){
+ case KEY_TYPE_RSA:
+ return kSecAttrKeyTypeRSA;
+ default:
+ _LOG_DEBUG("Unrecognized key type!")
+ return NULL;
+ }
+ }
+
+ const CFTypeRef OSXPrivateKeyStorage::getSymKeyType(KeyType keyType)
+ {
+ switch(keyType){
+ case KEY_TYPE_AES:
+ return kSecAttrKeyTypeAES;
+ default:
+ _LOG_DEBUG("Unrecognized key type!")
+ return NULL;
+ }
+ }
+
+ const CFTypeRef OSXPrivateKeyStorage::getKeyClass(KeyClass keyClass)
+ {
+ switch(keyClass){
+ case KEY_CLASS_PRIVATE:
+ return kSecAttrKeyClassPrivate;
+ case KEY_CLASS_PUBLIC:
+ return kSecAttrKeyClassPublic;
+ case KEY_CLASS_SYMMETRIC:
+ return kSecAttrKeyClassSymmetric;
+ default:
+ _LOG_DEBUG("Unrecognized key class!");
+ return NULL;
+ }
+ }
+
+ SecExternalFormat OSXPrivateKeyStorage::getFormat(KeyFormat format)
+ {
+ switch(format){
+ case KEY_FORMAT_PUBLIC_OPENSSL:
+ return kSecFormatOpenSSL;
+ default:
+ _LOG_DEBUG("Unrecognized output format!");
+ return 0;
+ }
+ }
+
+ const CFStringRef OSXPrivateKeyStorage::getDigestAlgorithm(DigestAlgorithm digestAlgo)
+ {
+ switch(digestAlgo){
+ // case DIGEST_MD2:
+ // return kSecDigestMD2;
+ // case DIGEST_MD5:
+ // return kSecDigestMD5;
+ // case DIGEST_SHA1:
+ // return kSecDigestSHA1;
+ case DIGEST_ALGORITHM_SHA256:
+ return kSecDigestSHA2;
+ default:
+ _LOG_DEBUG("Unrecognized digest algorithm!");
+ return NULL;
+ }
+ }
+
+ long OSXPrivateKeyStorage::getDigestSize(DigestAlgorithm digestAlgo)
+ {
+ switch(digestAlgo){
+ case DIGEST_ALGORITHM_SHA256:
+ return 256;
+ // case DIGEST_SHA1:
+ // case DIGEST_MD2:
+ // case DIGEST_MD5:
+ // return 0;
+ default:
+ _LOG_DEBUG("Unrecognized digest algorithm! Unknown digest size");
+ return -1;
+ }
+ }
+
+}
+
+#endif HAVE_OSX_SECKEYCHAIN
diff --git a/ndn-cpp/security/identity/osx-private-key-storage.hpp b/ndn-cpp/security/identity/osx-private-key-storage.hpp
new file mode 100644
index 0000000..a7febc2
--- /dev/null
+++ b/ndn-cpp/security/identity/osx-private-key-storage.hpp
@@ -0,0 +1,206 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_OSX_PRIVATEKEY_STORAGE_H
+#define NDN_OSX_PRIVATEKEY_STORAGE_H
+
+// Only compile if config.h defines HAVE_OSX_SECKEYCHAIN 1.
+#include "../../c/common.h"
+#if 0 // temporarily disable.
+//#if HAVE_OSX_SECKEYCHAIN
+
+#include "../../common.hpp"
+#include "private-key-storage.hpp"
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <CoreServices/CoreServices.h>
+
+namespace ndn
+{
+
+class OSXPrivateKeyStorage : public PrivateKeyStorage {
+public:
+ /**
+ * constructor of OSXPrivateKeyStorage
+ * @param keychainName the name of keychain
+ */
+ OSXPrivateKeyStorage(const std::string & keychainName = "");
+
+ /**
+ * destructor of OSXPrivateKeyStore
+ */
+ virtual
+ ~OSXPrivateKeyStorage();
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName);
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Blob
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual Blob
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual Blob
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+ /**
+ * Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256);
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName, KeyClass keyClass);
+
+ /**
+ * configure ACL of a particular key
+ * @param keyName the name of key
+ * @param keyClass the class of key, e.g. Private Key
+ * @param acl the new acl of the key
+ * @param appPath the absolute path to the application
+ * @returns true if setting succeeds
+ */
+ bool
+ setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
+
+ /**
+ * verify data (test only)
+ * @param keyName the name of key
+ * @param pData the data to be verified
+ * @param pSig the signature associated with the data
+ * @param digestAlgo digest algorithm
+ * @return true if signature can be verified, otherwise false
+ */
+ bool
+ verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+
+ private:
+ /**
+ * convert NDN name of a key to internal name of the key
+ * @param keyName the NDN name of the key
+ * @param keyClass the class of the key
+ * @return the internal key name
+ */
+ std::string
+ toInternalKeyName(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * Get key
+ * @param keyName the name of the key
+ * @param keyClass the class of the key
+ * @returns pointer to the key
+ */
+ SecKeychainItemRef
+ getKey(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * convert keyType to MAC OS symmetric key key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getSymKeyType(KeyType keyType);
+
+ /**
+ * convert keyType to MAC OS asymmetirc key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getAsymKeyType(KeyType keyType);
+
+ /**
+ * convert keyClass to MAC OS key class
+ * @param keyClass
+ * @returns MAC OS key class
+ */
+ const CFTypeRef
+ getKeyClass(KeyClass keyClass);
+
+ /**
+ * convert digestAlgo to MAC OS algorithm id
+ * @param digestAlgo
+ * @returns MAC OS algorithm id
+ */
+ const CFStringRef
+ getDigestAlgorithm(DigestAlgorithm digestAlgo);
+
+ /**
+ * convert format to MAC OS key format
+ * @param format
+ * @returns MAC OS keyformat
+ */
+ SecExternalFormat
+ getFormat(KeyFormat format);
+
+ /**
+ * get the digest size of the corresponding algorithm
+ * @param digestAlgo the digest algorithm
+ * @return digest size
+ */
+ long
+ getDigestSize(DigestAlgorithm digestAlgo);
+
+ const std::string keyChainName_;
+ SecKeychainRef keyChainRef_;
+ SecKeychainRef originalDefaultKeyChain_;
+};
+
+}
+
+#endif HAVE_OSX_SECKEYCHAIN
+
+#endif