security: Added initial port of OSXPrivateKeyStorage
diff --git a/ndn-cpp/security/identity/osx-private-key-storage.cpp b/ndn-cpp/security/identity/osx-private-key-storage.cpp
new file mode 100644
index 0000000..2840e64
--- /dev/null
+++ b/ndn-cpp/security/identity/osx-private-key-storage.cpp
@@ -0,0 +1,517 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+// Only compile if config.h defines HAVE_OSX_SECKEYCHAIN 1.
+#include "../../c/common.h"
+#if 0 // temporarily disable.
+//#if HAVE_OSX_SECKEYCHAIN
+
+
+#include <fstream>
+#include <sstream>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include "../../util/logging.hpp"
+#include "osx-private-key-storage.hpp"
+#include "../security-exception.hpp"
+
+using namespace std;
+using namespace ndn::ptr_lib;
+
+INIT_LOGGER("ndn.OSXPrivateKeyStorage");
+
+namespace ndn
+{
+  OSXPrivateKeyStorage::OSXPrivateKeyStorage(const string & keychainName)
+    : keyChainName_("" == keychainName ?  "NDN.keychain" : keychainName)
+  {
+    OSStatus res = SecKeychainCreate(keyChainName_.c_str(), //Keychain path
+                                      0,                       //Keychain password length
+                                      NULL,                    //Keychain password
+                                      true,                    //User prompt
+                                      NULL,                    //Initial access of Keychain
+                                      &keyChainRef_);         //Keychain reference
+
+    if (res == errSecDuplicateKeychain)
+      res = SecKeychainOpen(keyChainName_.c_str(),
+                             &keyChainRef_);
+
+    if (res != errSecSuccess){
+      _LOG_DEBUG("Fail to initialize keychain ref: " << res);
+      throw SecurityException("Fail to initialize keychain ref");
+    }
+
+    res = SecKeychainCopyDefault(&originalDefaultKeyChain_);
+
+    res = SecKeychainSetDefault(keyChainRef_);
+    if (res != errSecSuccess){
+      _LOG_DEBUG("Fail to set default keychain: " << res);
+      throw SecurityException("Fail to set default keychain");
+    }
+  }
+
+  OSXPrivateKeyStorage::~OSXPrivateKeyStorage(){
+    //TODO: implement
+  }
+
+  void 
+  OSXPrivateKeyStorage::generateKeyPair(const Name & keyName, KeyType keyType, int keySize)
+  { 
+    
+    if(doesKeyExist(keyName, KEY_CLASS_PUBLIC)){
+      _LOG_DEBUG("keyName has existed");
+      throw SecurityException("keyName has existed");
+    }
+
+    string keyNameUri = toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
+
+    SecKeyRef publicKey, privateKey;
+
+    CFStringRef keyLabel = CFStringCreateWithCString(NULL, 
+                                                      keyNameUri.c_str(), 
+                                                      keyNameUri.size());
+    
+    CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+                                                             3,
+                                                             &kCFTypeDictionaryKeyCallBacks,
+                                                             NULL);
+
+    CFDictionaryAddValue(attrDict, kSecAttrKeyType, getAsymKeyType(keyType));
+    CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(NULL, kCFNumberIntType, &keySize));
+    CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+
+    OSStatus res = SecKeyGeneratePair((CFDictionaryRef)attrDict, &publicKey, &privateKey);
+
+    CFRelease(publicKey);
+    CFRelease(privateKey);
+
+    if (res != errSecSuccess){
+      _LOG_DEBUG("Fail to create a key pair: " << res);
+      throw SecurityException("Fail to create a key pair");
+    }
+  }
+
+  void 
+  OSXPrivateKeyStorage::generateKey(const Name & keyName, KeyType keyType, int keySize)
+  {
+
+    if(doesKeyExist(keyName, KEY_CLASS_SYMMETRIC))
+        throw SecurityException("keyName has existed!");
+
+    string keyNameUri =  toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
+
+    CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
+                                                                0,
+                                                                &kCFTypeDictionaryKeyCallBacks,
+                                                                &kCFTypeDictionaryValueCallBacks);
+
+    CFStringRef keyLabel = CFStringCreateWithCString(NULL, 
+                                                      keyNameUri.c_str(), 
+                                                      keyNameUri.size());
+
+    CFDictionaryAddValue(attrDict, kSecAttrKeyType, getSymKeyType(keyType));
+    CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keySize));
+    CFDictionaryAddValue(attrDict, kSecAttrIsPermanent, kCFBooleanTrue);
+    CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+
+    CFErrorRef error = NULL;
+
+    SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error);
+
+    if (error) 
+        throw SecurityException("Fail to create a symmetric key");
+  }
+
+  shared_ptr<PublicKey> OSXPrivateKeyStorage::getPublicKey(const Name & keyName)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::getPublickey");
+
+    SecKeychainItemRef publicKey = getKey(keyName, KEY_CLASS_PUBLIC);
+
+    CFDataRef exportedKey;
+
+    OSStatus res = SecItemExport(publicKey,
+                                  kSecFormatOpenSSL,
+                                  0,
+                                  NULL,
+                                  &exportedKey);
+    
+    Blob blob(CFDataGetBytePtr(exportedKey), CFDataGetLength(exportedKey));
+
+    return PublicKey::fromDer(blob);
+  }
+
+  Blob OSXPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength, const Name & keyName, DigestAlgorithm digestAlgo)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::Sign");
+    
+    CFDataRef dataRef = CFDataCreate(NULL,
+                                      reinterpret_cast<const unsigned char*>(data),
+                                      dataLength
+                                      );
+
+    SecKeyRef privateKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PRIVATE);
+    
+    CFErrorRef error;
+    SecTransformRef signer = SecSignTransformCreate((SecKeyRef)privateKey, &error);
+    if (error) throw SecurityException("Fail to create signer");
+    
+    Boolean set_res = SecTransformSetAttribute(signer,
+                                               kSecTransformInputAttributeName,
+                                               dataRef,
+                                               &error);
+    if (error) throw SecurityException("Fail to configure input of signer");
+
+    set_res = SecTransformSetAttribute(signer,
+                                       kSecDigestTypeAttribute,
+                                       getDigestAlgorithm(digestAlgo),
+                                       &error);
+    if (error) throw SecurityException("Fail to configure digest algorithm of signer");
+
+    long digestSize = getDigestSize(digestAlgo);
+
+    set_res = SecTransformSetAttribute(signer,
+                                       kSecDigestLengthAttribute,
+                                       CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
+                                       &error);
+    if (error) throw SecurityException("Fail to configure digest size of signer");
+
+    CFDataRef signature = (CFDataRef) SecTransformExecute(signer, &error);
+    if (error) {
+      CFShow(error);
+      throw SecurityException("Fail to sign data");
+    }
+
+    if (!signature) throw SecurityException("Signature is NULL!\n");
+
+    return Blob(CFDataGetBytePtr(signature), CFDataGetLength(signature));
+  }
+
+  Blob OSXPrivateKeyStorage::decrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::Decrypt");
+
+    KeyClass keyClass;
+    if(sym)
+        keyClass = KEY_CLASS_SYMMETRIC;
+    else
+        keyClass = KEY_CLASS_PRIVATE;
+
+    CFDataRef dataRef = CFDataCreate(NULL,
+                                      reinterpret_cast<const unsigned char*>(data),
+                                      dataLength
+                                      );
+
+    // _LOG_DEBUG("CreateData");
+    
+    SecKeyRef decryptKey = (SecKeyRef)getKey(keyName, keyClass);
+
+    // _LOG_DEBUG("GetKey");
+
+    CFErrorRef error;
+    SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error);
+    if (error) throw SecurityException("Fail to create decrypt");
+
+    Boolean set_res = SecTransformSetAttribute(decrypt,
+                                               kSecTransformInputAttributeName,
+                                               dataRef,
+                                               &error);
+    if (error) throw SecurityException("Fail to configure decrypt");
+
+    CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error);
+    if (error)
+      {
+        CFShow(error);
+        throw SecurityException("Fail to decrypt data");
+      }
+    if (!output) throw SecurityException("Output is NULL!\n");
+
+    return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+  }
+  
+  bool OSXPrivateKeyStorage::setACL(const Name & keyName, KeyClass keyClass, int acl, const string & appPath)
+  {
+    SecKeychainItemRef privateKey = getKey(keyName, keyClass);
+    
+    SecAccessRef accRef;
+    OSStatus acc_res = SecKeychainItemCopyAccess(privateKey, &accRef);
+
+    CFArrayRef signACL = SecAccessCopyMatchingACLList(accRef,
+                                                       kSecACLAuthorizationSign);
+
+    SecACLRef aclRef = (SecACLRef) CFArrayGetValueAtIndex(signACL, 0);
+
+    CFArrayRef appList;
+    CFStringRef description;
+    SecKeychainPromptSelector promptSelector;
+    OSStatus acl_res = SecACLCopyContents(aclRef,
+                                           &appList,
+                                           &description,
+                                           &promptSelector);
+
+    CFMutableArrayRef newAppList = CFArrayCreateMutableCopy(NULL,
+                                                            0,
+                                                            appList);
+
+    SecTrustedApplicationRef trustedApp;
+    acl_res = SecTrustedApplicationCreateFromPath(appPath.c_str(),
+                                                   &trustedApp);
+    
+    CFArrayAppendValue(newAppList, trustedApp);
+
+
+    CFArrayRef authList = SecACLCopyAuthorizations(aclRef);
+    
+    acl_res = SecACLRemove(aclRef);
+
+    SecACLRef newACL;
+    acl_res = SecACLCreateWithSimpleContents(accRef,
+                                              newAppList,
+                                              description,
+                                              promptSelector,
+                                              &newACL);
+
+    acl_res = SecACLUpdateAuthorizations(newACL, authList);
+
+    acc_res = SecKeychainItemSetAccess(privateKey, accRef);
+
+    return true;
+  }
+
+  bool OSXPrivateKeyStorage::verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::Verify");
+    
+    CFDataRef dataRef = CFDataCreate(NULL,
+                                      reinterpret_cast<const unsigned char*>(pData.buf()),
+                                      pData.size());
+
+    CFDataRef sigRef = CFDataCreate(NULL,
+                                     reinterpret_cast<const unsigned char*>(pSig.buf()),
+                                     pSig.size());
+
+    SecKeyRef publicKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PUBLIC);
+    
+    CFErrorRef error;
+    SecTransformRef verifier = SecVerifyTransformCreate(publicKey, sigRef, &error);
+    if (error) throw SecurityException("Fail to create verifier");
+    
+    Boolean set_res = SecTransformSetAttribute(verifier,
+                                               kSecTransformInputAttributeName,
+                                               dataRef,
+                                               &error);
+    if (error) throw SecurityException("Fail to configure input of verifier");
+
+    set_res = SecTransformSetAttribute(verifier,
+                                       kSecDigestTypeAttribute,
+                                       getDigestAlgorithm(digestAlgo),
+                                       &error);
+    if (error) throw SecurityException("Fail to configure digest algorithm of verifier");
+
+    long digestSize = getDigestSize(digestAlgo);
+    set_res = SecTransformSetAttribute(verifier,
+                                       kSecDigestLengthAttribute,
+                                       CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
+                                       &error);
+    if (error) throw SecurityException("Fail to configure digest size of verifier");
+
+    CFBooleanRef result = (CFBooleanRef) SecTransformExecute(verifier, &error);
+    if (error) throw SecurityException("Fail to verify data");
+
+    if (result == kCFBooleanTrue)
+      return true;
+    else
+      return false;
+  }
+
+  Blob OSXPrivateKeyStorage::encrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::Encrypt");
+
+    KeyClass keyClass;
+    if(sym)
+        keyClass = KEY_CLASS_SYMMETRIC;
+    else
+        keyClass = KEY_CLASS_PUBLIC;
+    
+    CFDataRef dataRef = CFDataCreate(NULL,
+                                      reinterpret_cast<const unsigned char*>(data),
+                                      dataLength
+                                      );
+    
+    SecKeyRef encryptKey = (SecKeyRef)getKey(keyName, keyClass);
+
+    CFErrorRef error;
+    SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error);
+    if (error) throw SecurityException("Fail to create encrypt");
+
+    Boolean set_res = SecTransformSetAttribute(encrypt,
+                                               kSecTransformInputAttributeName,
+                                               dataRef,
+                                               &error);
+    if (error) throw SecurityException("Fail to configure encrypt");
+
+    CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error);
+    if (error) throw SecurityException("Fail to encrypt data");
+
+    if (!output) throw SecurityException("Output is NULL!\n");
+
+    return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+  }
+
+  bool OSXPrivateKeyStorage::doesKeyExist(const Name & keyName, KeyClass keyClass)
+  {
+    _LOG_TRACE("OSXPrivateKeyStorage::doesKeyExist");
+
+    string keyNameUri = toInternalKeyName(keyName, keyClass);
+
+    CFStringRef keyLabel = CFStringCreateWithCString(NULL, 
+                                                      keyNameUri.c_str(), 
+                                                      keyNameUri.size());
+    
+    CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+                                                                3,
+                                                                &kCFTypeDictionaryKeyCallBacks,
+                                                                NULL);
+
+    CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
+    CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+    CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
+    
+    SecKeychainItemRef itemRef;
+    OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict, (CFTypeRef*)&itemRef);
+    
+    if(res == errSecItemNotFound)
+      return true;
+    else
+      return false;
+
+  }
+
+  SecKeychainItemRef OSXPrivateKeyStorage::getKey(const Name & keyName, KeyClass keyClass)
+  {
+    string keyNameUri = toInternalKeyName(keyName, keyClass);
+
+    CFStringRef keyLabel = CFStringCreateWithCString (NULL, 
+                                                      keyNameUri.c_str(), 
+                                                      keyNameUri.size());
+    
+    CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL,
+                                                             5,
+                                                             &kCFTypeDictionaryKeyCallBacks,
+                                                             NULL);
+
+    CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey);
+    CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
+    CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
+    CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
+    
+    SecKeychainItemRef keyItem;
+
+    OSStatus res = SecItemCopyMatching((CFDictionaryRef) attrDict, (CFTypeRef*)&keyItem);
+    
+    if(res != errSecSuccess){
+      _LOG_DEBUG("Fail to find the key!");
+      return NULL;
+    }
+    else
+      return keyItem;
+  }
+  
+  string OSXPrivateKeyStorage::toInternalKeyName(const Name & keyName, KeyClass keyClass)
+  {
+    string keyUri = keyName.toUri();
+
+    if(KEY_CLASS_SYMMETRIC == keyClass)
+      return keyUri + "/symmetric";
+    else
+      return keyUri;
+  }
+
+  const CFTypeRef OSXPrivateKeyStorage::getAsymKeyType(KeyType keyType)
+  {
+    switch(keyType){
+    case KEY_TYPE_RSA:
+      return kSecAttrKeyTypeRSA;
+    default:
+      _LOG_DEBUG("Unrecognized key type!")
+      return NULL;
+    }
+  }
+
+  const CFTypeRef OSXPrivateKeyStorage::getSymKeyType(KeyType keyType)
+  {
+    switch(keyType){
+    case KEY_TYPE_AES:
+      return kSecAttrKeyTypeAES;
+    default:
+      _LOG_DEBUG("Unrecognized key type!")
+      return NULL;
+    }
+  }
+
+  const CFTypeRef OSXPrivateKeyStorage::getKeyClass(KeyClass keyClass)
+  {
+    switch(keyClass){
+    case KEY_CLASS_PRIVATE:
+      return kSecAttrKeyClassPrivate;
+    case KEY_CLASS_PUBLIC:
+      return kSecAttrKeyClassPublic;
+    case KEY_CLASS_SYMMETRIC:
+      return kSecAttrKeyClassSymmetric;
+    default:
+      _LOG_DEBUG("Unrecognized key class!");
+      return NULL;
+    }
+  }
+
+  SecExternalFormat OSXPrivateKeyStorage::getFormat(KeyFormat format)
+  {
+    switch(format){
+    case KEY_FORMAT_PUBLIC_OPENSSL:
+      return kSecFormatOpenSSL;
+    default:
+      _LOG_DEBUG("Unrecognized output format!");
+      return 0;
+    }
+  }
+
+  const CFStringRef OSXPrivateKeyStorage::getDigestAlgorithm(DigestAlgorithm digestAlgo)
+  {
+    switch(digestAlgo){
+    // case DIGEST_MD2:
+    //   return kSecDigestMD2;
+    // case DIGEST_MD5:
+    //   return kSecDigestMD5;
+    // case DIGEST_SHA1:
+    //   return kSecDigestSHA1;
+    case DIGEST_ALGORITHM_SHA256:
+      return kSecDigestSHA2;
+    default:
+      _LOG_DEBUG("Unrecognized digest algorithm!");
+      return NULL;
+    }
+  }
+
+  long OSXPrivateKeyStorage::getDigestSize(DigestAlgorithm digestAlgo)
+  {
+    switch(digestAlgo){
+    case DIGEST_ALGORITHM_SHA256:
+      return 256;
+    // case DIGEST_SHA1:
+    // case DIGEST_MD2:
+    // case DIGEST_MD5:
+    //   return 0;
+    default:
+      _LOG_DEBUG("Unrecognized digest algorithm! Unknown digest size");
+      return -1;
+    }
+  }
+  
+}
+
+#endif HAVE_OSX_SECKEYCHAIN
diff --git a/ndn-cpp/security/identity/osx-private-key-storage.hpp b/ndn-cpp/security/identity/osx-private-key-storage.hpp
new file mode 100644
index 0000000..a7febc2
--- /dev/null
+++ b/ndn-cpp/security/identity/osx-private-key-storage.hpp
@@ -0,0 +1,206 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_OSX_PRIVATEKEY_STORAGE_H
+#define NDN_OSX_PRIVATEKEY_STORAGE_H
+
+// Only compile if config.h defines HAVE_OSX_SECKEYCHAIN 1.
+#include "../../c/common.h"
+#if 0 // temporarily disable.
+//#if HAVE_OSX_SECKEYCHAIN
+
+#include "../../common.hpp"
+#include "private-key-storage.hpp"
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <CoreServices/CoreServices.h>
+
+namespace ndn
+{
+  
+class OSXPrivateKeyStorage : public PrivateKeyStorage {
+public:
+  /**
+   * constructor of OSXPrivateKeyStorage
+   * @param keychainName the name of keychain
+   */
+  OSXPrivateKeyStorage(const std::string & keychainName = "");
+
+  /**
+   * destructor of OSXPrivateKeyStore
+   */    
+  virtual 
+  ~OSXPrivateKeyStorage();
+
+  /**
+   * Generate a pair of asymmetric keys.
+   * @param keyName The name of the key pair.
+   * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+   * @param keySize The size of the key pair.
+   */
+  virtual void 
+  generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+  /**
+   * Get the public key
+   * @param keyName The name of public key.
+   * @return The public key.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey> 
+  getPublicKey(const Name& keyName);
+  
+  /**
+   * Fetch the private key for keyName and sign the data, returning a signature Blob.
+   * @param data Pointer to the input byte array.
+   * @param dataLength The length of data.
+   * @param keyName The name of the signing key.
+   * @param digestAlgorithm the digest algorithm.
+   * @return The signature, or a null pointer if signing fails.
+   */  
+  virtual Blob 
+  sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+      
+  /**
+   * Decrypt data.
+   * @param keyName The name of the decrypting key.
+   * @param data The byte to be decrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The decrypted data.
+   */
+  virtual Blob 
+  decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+  /**
+   * Encrypt data.
+   * @param keyName The name of the encrypting key.
+   * @param data The byte to be encrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The encrypted data.
+   */
+  virtual Blob
+  encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+  /**
+   * Generate a symmetric key.
+   * @param keyName The name of the key.
+   * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+   * @param keySize The size of the key.
+   */
+  virtual void 
+  generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256);
+
+  /**
+   * Check if a particular key exists.
+   * @param keyName The name of the key.
+   * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+   * @return True if the key exists, otherwise false.
+   */
+  virtual bool
+  doesKeyExist(const Name& keyName, KeyClass keyClass);  
+
+  /**
+   * configure ACL of a particular key
+   * @param keyName the name of key
+   * @param keyClass the class of key, e.g. Private Key
+   * @param acl the new acl of the key
+   * @param appPath the absolute path to the application
+   * @returns true if setting succeeds
+   */
+  bool 
+  setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
+
+  /**
+   * verify data (test only)
+   * @param keyName the name of key
+   * @param pData the data to be verified
+   * @param pSig the signature associated with the data
+   * @param digestAlgo digest algorithm
+   * @return true if signature can be verified, otherwise false
+   */
+  bool 
+  verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+
+ private:
+  /**
+   * convert NDN name of a key to internal name of the key
+   * @param keyName the NDN name of the key
+   * @param keyClass the class of the key
+   * @return the internal key name
+   */
+  std::string 
+  toInternalKeyName(const Name & keyName, KeyClass keyClass);
+
+  /**
+   * Get key
+   * @param keyName the name of the key
+   * @param keyClass the class of the key
+   * @returns pointer to the key
+   */
+  SecKeychainItemRef 
+  getKey(const Name & keyName, KeyClass keyClass);
+      
+  /**
+   * convert keyType to MAC OS symmetric key key type
+   * @param keyType
+   * @returns MAC OS key type
+   */
+  const CFTypeRef 
+  getSymKeyType(KeyType keyType);
+
+  /**
+   * convert keyType to MAC OS asymmetirc key type
+   * @param keyType
+   * @returns MAC OS key type
+   */
+  const CFTypeRef 
+  getAsymKeyType(KeyType keyType);
+
+  /**
+   * convert keyClass to MAC OS key class
+   * @param keyClass
+   * @returns MAC OS key class
+   */
+  const CFTypeRef 
+  getKeyClass(KeyClass keyClass);
+
+  /**
+   * convert digestAlgo to MAC OS algorithm id
+   * @param digestAlgo
+   * @returns MAC OS algorithm id
+   */
+  const CFStringRef 
+  getDigestAlgorithm(DigestAlgorithm digestAlgo);
+
+  /**
+   * convert format to MAC OS key format
+   * @param format
+   * @returns MAC OS keyformat
+   */
+  SecExternalFormat 
+  getFormat(KeyFormat format);
+
+  /**
+   * get the digest size of the corresponding algorithm
+   * @param digestAlgo the digest algorithm
+   * @return digest size
+   */
+  long 
+  getDigestSize(DigestAlgorithm digestAlgo);
+
+  const std::string keyChainName_;
+  SecKeychainRef keyChainRef_;
+  SecKeychainRef originalDefaultKeyChain_;
+};
+  
+}
+
+#endif HAVE_OSX_SECKEYCHAIN
+
+#endif