security: Move KeyChain to security::v1 namespace and deprecated it

Change-Id: Ic4b6915ca15998a83b410f3f8fac027f797ee7ca
Refs: #3098
diff --git a/src/face.cpp b/src/face.cpp
index 430f65e..9f78680 100644
--- a/src/face.cpp
+++ b/src/face.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -23,7 +23,6 @@
 #include "detail/face-impl.hpp"
 
 #include "encoding/tlv.hpp"
-#include "security/key-chain.hpp"
 #include "security/signing-helpers.hpp"
 #include "util/time.hpp"
 #include "util/random.hpp"
diff --git a/src/face.hpp b/src/face.hpp
index 6c6c957..1940928 100644
--- a/src/face.hpp
+++ b/src/face.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -31,6 +31,7 @@
 #include "encoding/nfd-constants.hpp"
 #include "lp/nack.hpp"
 #include "security/signing-info.hpp"
+#include "security/key-chain.hpp"
 
 #define NDN_FACE_KEEP_DEPRECATED_REGISTRATION_SIGNING
 
@@ -52,11 +53,6 @@
 class RegisteredPrefixId;
 class InterestFilterId;
 
-namespace security {
-class KeyChain;
-} // namespace security
-using security::KeyChain;
-
 namespace nfd {
 class Controller;
 } // namespace nfd
diff --git a/src/mgmt/dispatcher.cpp b/src/mgmt/dispatcher.cpp
index a7f4a06..a7fac52 100644
--- a/src/mgmt/dispatcher.cpp
+++ b/src/mgmt/dispatcher.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -44,7 +44,7 @@
   };
 }
 
-Dispatcher::Dispatcher(Face& face, security::KeyChain& keyChain,
+Dispatcher::Dispatcher(Face& face, security::v1::KeyChain& keyChain,
                        const security::SigningInfo& signingInfo,
                        size_t imsCapacity)
   : m_face(face)
diff --git a/src/mgmt/dispatcher.hpp b/src/mgmt/dispatcher.hpp
index b19aba6..7df61f7 100644
--- a/src/mgmt/dispatcher.hpp
+++ b/src/mgmt/dispatcher.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -145,7 +145,7 @@
    *  \param signingInfo signing parameters to sign Data with \p keyChain
    *  \param imsCapacity capacity of the internal InMemoryStorage used by dispatcher
    */
-  Dispatcher(Face& face, security::KeyChain& keyChain,
+  Dispatcher(Face& face, security::v1::KeyChain& keyChain,
              const security::SigningInfo& signingInfo = security::SigningInfo(),
              size_t imsCapacity = 256);
 
@@ -462,7 +462,7 @@
   std::unordered_map<Name, TopPrefixEntry> m_topLevelPrefixes;
 
   Face& m_face;
-  security::KeyChain& m_keyChain;
+  security::v1::KeyChain& m_keyChain;
   security::SigningInfo m_signingInfo;
 
   typedef std::unordered_map<PartialName, InterestHandler> HandlerMap;
diff --git a/src/mgmt/nfd/controller.cpp b/src/mgmt/nfd/controller.cpp
index cfb7956..4ccb895 100644
--- a/src/mgmt/nfd/controller.cpp
+++ b/src/mgmt/nfd/controller.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -36,7 +36,7 @@
 const uint32_t Controller::ERROR_LBOUND = 400;
 ValidatorNull Controller::s_validatorNull;
 
-Controller::Controller(Face& face, KeyChain& keyChain, Validator& validator)
+Controller::Controller(Face& face, security::v1::KeyChain& keyChain, Validator& validator)
   : m_face(face)
   , m_keyChain(keyChain)
   , m_validator(validator)
diff --git a/src/mgmt/nfd/controller.hpp b/src/mgmt/nfd/controller.hpp
index 3d3808c..aa4b285 100644
--- a/src/mgmt/nfd/controller.hpp
+++ b/src/mgmt/nfd/controller.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -27,11 +27,11 @@
 #include "status-dataset.hpp"
 #include "command-options.hpp"
 #include "../../security/validator-null.hpp"
+#include "../../security/key-chain.hpp"
 
 namespace ndn {
 
 namespace security {
-class KeyChain;
 class Validator;
 } // namespace security
 class Face;
@@ -66,7 +66,7 @@
   /** \brief construct a Controller that uses face for transport,
    *         and uses the passed KeyChain to sign commands
    */
-  Controller(Face& face, security::KeyChain& keyChain, security::Validator& validator = s_validatorNull);
+  Controller(Face& face, security::v1::KeyChain& keyChain, security::Validator& validator = s_validatorNull);
 
   /** \brief start command execution
    */
@@ -170,7 +170,7 @@
 
 protected:
   Face& m_face;
-  security::KeyChain& m_keyChain;
+  security::v1::KeyChain& m_keyChain;
   security::Validator& m_validator;
 
 private:
diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index 4f43139..31b26ea 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -17,951 +17,23 @@
  * <http://www.gnu.org/licenses/>.
  *
  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
  */
 
-#ifndef NDN_SECURITY_KEY_CHAIN_HPP
-#define NDN_SECURITY_KEY_CHAIN_HPP
+/**
+ * @file security/key-chain.hpp
+ */
 
-#include "sec-public-info.hpp"
-#include "sec-tpm.hpp"
-#include "key-params.hpp"
-#include "secured-bag.hpp"
-#include "signature-sha256-with-rsa.hpp"
-#include "signature-sha256-with-ecdsa.hpp"
-#include "digest-sha256.hpp"
-#include "signing-info.hpp"
-
-#include "../interest.hpp"
-#include "../util/crypto.hpp"
-#include "../util/random.hpp"
-#include <initializer_list>
+#include "security-common.hpp"
+#include "v1/key-chain.hpp"
+#include "v2/key-chain.hpp"
 
 namespace ndn {
 namespace security {
 
-/**
- * @brief The packet signing interface.
- */
-class KeyChain : noncopyable
-{
-public:
-  class Error : public std::runtime_error
-  {
-  public:
-    explicit
-    Error(const std::string& what)
-      : std::runtime_error(what)
-    {
-    }
-  };
-
-  /**
-   * @brief Error thrown when the supplied TPM locator to KeyChain constructor does not match
-   *        the locator stored in PIB
-   */
-  class MismatchError : public Error
-  {
-  public:
-    explicit
-    MismatchError(const std::string& what)
-      : Error(what)
-    {
-    }
-  };
-
-  typedef function<unique_ptr<SecPublicInfo> (const std::string&)> PibCreateFunc;
-  typedef function<unique_ptr<SecTpm>(const std::string&)> TpmCreateFunc;
-
-  /**
-   * @brief Register a new PIB
-   * @param aliases List of schemes with which this PIB will be associated.
-   *        The first alias in the list is considered a canonical name of the PIB instance.
-   */
-  template<class PibType>
-  static void
-  registerPib(std::initializer_list<std::string> aliases);
-
-  /**
-   * @brief Register a new TPM
-   * @param aliases List of schemes with which this TPM will be associated
-   *        The first alias in the list is considered a canonical name of the TPM instance.
-   */
-  template<class TpmType>
-  static void
-  registerTpm(std::initializer_list<std::string> aliases);
-
-  /**
-   * @brief Get default PIB locator
-   */
-  static std::string
-  getDefaultPibLocator();
-
-  /**
-    * @brief Create a PIB according to @p pibLocator
-    */
-  static unique_ptr<SecPublicInfo>
-  createPib(const std::string& pibLocator);
-
-  /**
-   * @brief Get default TPM locator
-   */
-  static std::string
-  getDefaultTpmLocator();
-
-  /**
-    * @brief Create a TPM according to @p tpmLocator
-    */
-  static unique_ptr<SecTpm>
-  createTpm(const std::string& tpmLocator);
-
-  /**
-   * @brief Constructor to create KeyChain with default PIB and TPM
-   *
-   * Default PIB and TPM are platform-dependent and can be overriden system-wide or on
-   * per-use basis.
-   *
-   * @todo Add detailed description about config file behavior here
-   */
-  KeyChain();
-
-  /**
-   * @brief KeyChain constructor
-   *
-   * @sa  http://redmine.named-data.net/issues/2260
-   *
-   * @param pibLocator PIB locator
-   * @param tpmLocator TPM locator
-   * @param allowReset if true, the PIB will be reset when the supplied tpmLocator
-   *        mismatches the one in PIB
-   */
-  KeyChain(const std::string& pibLocator,
-           const std::string& tpmLocator,
-           bool allowReset = false);
-
-  virtual
-  ~KeyChain();
-
-  /**
-   * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
-   *        self-signed certificate of the KSK.
-   *
-   * @param identityName The name of the identity.
-   * @param params The key parameter if a key needs to be generated for the identity.
-   * @return The name of the default certificate of the identity.
-   */
-  Name
-  createIdentity(const Name& identityName, const KeyParams& params = DEFAULT_KEY_PARAMS);
-
-  /**
-   * @brief Generate a pair of RSA keys for the specified identity.
-   *
-   * @param identityName The name of the identity.
-   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
-   * @param keySize The size of the key.
-   * @return The generated key name.
-   * @see generateEcdsaKeyPair
-   */
-  Name
-  generateRsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
-
-  /**
-   * @brief Generate a pair of ECDSA keys for the specified identity.
-   *
-   * @param identityName The name of the identity.
-   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
-   * @param keySize The size of the key.
-   * @return The generated key name.
-   * @see generateRsaKeyPair
-   */
-  Name
-  generateEcdsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
-
-  /**
-   * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
-   *        the identity.
-   *
-   * @param identityName The name of the identity.
-   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
-   * @param keySize The size of the key.
-   * @return The generated key name.
-   * @see generateRsaKeyPair, generateEcdsaKeyPair, generateEcdsaKeyPairAsDefault
-   */
-  Name
-  generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
-
-  /**
-   * @brief Generate a pair of ECDSA keys for the specified identity and set it as default key for
-   *        the identity.
-   *
-   * @param identityName The name of the identity.
-   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
-   * @param keySize The size of the key.
-   * @return The generated key name.
-   * @see generateRsaKeyPair, generateEcdsaKeyPair, generateRsaKeyPairAsDefault
-   */
-  Name
-  generateEcdsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
-
-  /**
-   * @brief prepare an unsigned identity certificate
-   *
-   * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
-   * @param signingIdentity The signing identity.
-   * @param notBefore Refer to v1::IdentityCertificate.
-   * @param notAfter Refer to v1::IdentityCertificate.
-   * @param subjectDescription Refer to v1::IdentityCertificate.
-   * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
-   *                   certificate name according to the relation between the signingIdentity and
-   *                   the subject identity. If signingIdentity is a prefix of the subject identity,
-   *                   `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
-   *                   after subject identity (i.e., before `ksk-....`).
-   * @return v1::IdentityCertificate.
-   */
-  shared_ptr<v1::IdentityCertificate>
-  prepareUnsignedIdentityCertificate(const Name& keyName,
-    const Name& signingIdentity,
-    const time::system_clock::TimePoint& notBefore,
-    const time::system_clock::TimePoint& notAfter,
-    const std::vector<security::v1::CertificateSubjectDescription>& subjectDescription,
-    const Name& certPrefix = DEFAULT_PREFIX);
-
-  /**
-   * @brief prepare an unsigned identity certificate
-   *
-   * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
-   * @param publicKey Public key to sign.
-   * @param signingIdentity The signing identity.
-   * @param notBefore Refer to v1::IdentityCertificate.
-   * @param notAfter Refer to v1::IdentityCertificate.
-   * @param subjectDescription Refer to v1::IdentityCertificate.
-   * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
-   *                   certificate name according to the relation between the signingIdentity and
-   *                   the subject identity. If signingIdentity is a prefix of the subject identity,
-   *                   `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
-   *                   after subject identity (i.e., before `ksk-....`).
-   * @return v1::IdentityCertificate.
-   */
-  shared_ptr<v1::IdentityCertificate>
-  prepareUnsignedIdentityCertificate(const Name& keyName,
-    const v1::PublicKey& publicKey,
-    const Name& signingIdentity,
-    const time::system_clock::TimePoint& notBefore,
-    const time::system_clock::TimePoint& notAfter,
-    const std::vector<security::v1::CertificateSubjectDescription>& subjectDescription,
-    const Name& certPrefix = DEFAULT_PREFIX);
-
-  /**
-   * @brief Sign data according to the supplied signing information
-   *
-   * This method uses the supplied signing information @p params to create the SignatureInfo block:
-   * - it selects a private key and its certificate to sign the packet
-   * - sets the KeyLocator field with the certificate name, and
-   * - adds other requested information to the SignatureInfo block).
-   *
-   * After that, the method assigns the created SignatureInfo to the data packets, generate a
-   * signature and sets as part of the SignatureValue block.
-   *
-   * @param data The data to sign
-   * @param params The signing parameters.
-   * @throws Error if signing fails.
-   * @see SigningInfo
-   */
-  void
-  sign(Data& data, const SigningInfo& params = DEFAULT_SIGNING_INFO);
-
-  /**
-   * @brief Sign interest according to the supplied signing information
-   *
-   * This method uses the supplied signing information @p params to create the SignatureInfo block:
-   * - it selects a private key and its certificate to sign the packet
-   * - sets the KeyLocator field with the certificate name, and
-   * - adds other requested information to the SignatureInfo block).
-   *
-   * After that, the method appends the created SignatureInfo to the interest name, generate a
-   * signature and appends it as part of the SignatureValue block to the interest name.
-   *
-   * @param interest The interest to sign
-   * @param params The signing parameters.
-   * @throws Error if signing fails.
-   * @see SigningInfo
-   */
-  void
-  sign(Interest& interest, const SigningInfo& params = DEFAULT_SIGNING_INFO);
-
-  /**
-   * @brief Sign buffer according to the supplied signing information
-   *
-   * @param buffer The buffer to sign
-   * @param bufferLength The buffer size
-   * @param params The signing parameters.
-   * @return a SignatureValue TLV block
-   * @throws Error if signing fails.
-   * @see SigningInfo
-   */
-  Block
-  sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params);
-
-  /**
-   * @deprecated use sign sign(T&, const SigningInfo&)
-   * @brief Sign packet with a particular certificate.
-   *
-   * @param packet The packet to be signed.
-   * @param certificateName The certificate name of the key to use for signing.
-   * @throws SecPublicInfo::Error if certificate does not exist.
-   */
-  template<typename T>
-  void
-  sign(T& packet, const Name& certificateName);
-
-  /**
-   * @deprecated Use sign(const uint8_t*, size_t, const SigningInfo&) instead
-   * @brief Sign the byte array using a particular certificate.
-   *
-   * @param buffer The byte array to be signed.
-   * @param bufferLength the length of buffer.
-   * @param certificateName The certificate name of the signing key.
-   * @return The Signature.
-   * @throws SecPublicInfo::Error if certificate does not exist.
-   */
-  Signature
-  sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
-
-  /**
-   * @deprecated use sign sign(T&, const SigningInfo&)
-   * @brief Sign packet using the default certificate of a particular identity.
-   *
-   * If there is no default certificate of that identity, this method will create a self-signed
-   * certificate.
-   *
-   * @param packet The packet to be signed.
-   * @param identityName The signing identity name.
-   */
-  template<typename T>
-  void
-  signByIdentity(T& packet, const Name& identityName);
-
-  /**
-   * @deprecated use sign(const uint8_t*, size_t, const SigningInfo&) instead
-   * @brief Sign the byte array using the default certificate of a particular identity.
-   *
-   * @param buffer The byte array to be signed.
-   * @param bufferLength the length of buffer.
-   * @param identityName The identity name.
-   * @return The Signature.
-   */
-  Signature
-  signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
-
-  /**
-   * @deprecated use sign(Data&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
-   * @brief Set Sha256 weak signature for @p data
-   */
-  void
-  signWithSha256(Data& data);
-
-  /**
-   * @deprecated use sign(Interest&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
-   * @brief Set Sha256 weak signature for @p interest
-   */
-  void
-  signWithSha256(Interest& interest);
-
-  /**
-   * @brief Generate a self-signed certificate for a public key.
-   *
-   * @param keyName The name of the public key
-   * @return The generated certificate, shared_ptr<v1::IdentityCertificate>() if selfSign fails
-   */
-  shared_ptr<v1::IdentityCertificate>
-  selfSign(const Name& keyName);
-
-  /**
-   * @brief Self-sign the supplied identity certificate.
-   *
-   * @param cert The supplied cert.
-   * @throws SecTpm::Error if the private key does not exist.
-   */
-  void
-  selfSign(v1::IdentityCertificate& cert);
-
-  /**
-   * @brief delete a certificate.
-   *
-   * @param certificateName The certificate to be deleted.
-   * @throws KeyChain::Error if certificate cannot be deleted.
-   */
-  void
-  deleteCertificate(const Name& certificateName);
-
-  /**
-   * @brief delete a key.
-   *
-   * @param keyName The key to be deleted.
-   * @throws KeyChain::Error if key cannot be deleted.
-   */
-  void
-  deleteKey(const Name& keyName);
-
-  /**
-   * @brief delete an identity.
-   *
-   * @param identity The identity to be deleted.
-   * @throws KeyChain::Error if identity cannot be deleted.
-   */
-  void
-  deleteIdentity(const Name& identity);
-
-  /**
-   * @brief export an identity.
-   *
-   * @param identity The identity to export.
-   * @param passwordStr The password to secure the private key.
-   * @return The encoded export data.
-   * @throws SecPublicInfo::Error if anything goes wrong in exporting.
-   */
-  shared_ptr<SecuredBag>
-  exportIdentity(const Name& identity, const std::string& passwordStr);
-
-  /**
-   * @brief import an identity.
-   *
-   * @param securedBag The encoded import data.
-   * @param passwordStr The password to secure the private key.
-   */
-  void
-  importIdentity(const SecuredBag& securedBag, const std::string& passwordStr);
-
-  SecPublicInfo&
-  getPib()
-  {
-    return *m_pib;
-  }
-
-  const SecPublicInfo&
-  getPib() const
-  {
-    return *m_pib;
-  }
-
-  SecTpm&
-  getTpm()
-  {
-    return *m_tpm;
-  }
-
-  const SecTpm&
-  getTpm() const
-  {
-    return *m_tpm;
-  }
-
-  /*******************************
-   *  Wrapper of SecPublicInfo   *
-   *******************************/
-  bool
-  doesIdentityExist(const Name& identityName) const
-  {
-    return m_pib->doesIdentityExist(identityName);
-  }
-
-  void
-  addIdentity(const Name& identityName)
-  {
-    return m_pib->addIdentity(identityName);
-  }
-
-  bool
-  doesPublicKeyExist(const Name& keyName) const
-  {
-    return m_pib->doesPublicKeyExist(keyName);
-  }
-
-  void
-  addPublicKey(const Name& keyName, KeyType keyType, const v1::PublicKey& publicKeyDer)
-  {
-    return m_pib->addKey(keyName, publicKeyDer);
-  }
-
-  void
-  addKey(const Name& keyName, const v1::PublicKey& publicKeyDer)
-  {
-    return m_pib->addKey(keyName, publicKeyDer);
-  }
-
-  shared_ptr<v1::PublicKey>
-  getPublicKey(const Name& keyName) const
-  {
-    return m_pib->getPublicKey(keyName);
-  }
-
-  bool
-  doesCertificateExist(const Name& certificateName) const
-  {
-    return m_pib->doesCertificateExist(certificateName);
-  }
-
-  void
-  addCertificate(const v1::IdentityCertificate& certificate)
-  {
-    return m_pib->addCertificate(certificate);
-  }
-
-  shared_ptr<v1::IdentityCertificate>
-  getCertificate(const Name& certificateName) const
-  {
-    return m_pib->getCertificate(certificateName);
-  }
-
-  Name
-  getDefaultIdentity() const
-  {
-    return m_pib->getDefaultIdentity();
-  }
-
-  Name
-  getDefaultKeyNameForIdentity(const Name& identityName) const
-  {
-    return m_pib->getDefaultKeyNameForIdentity(identityName);
-  }
-
-  /**
-   * @brief Get default key parameters for the specified identity
-   *
-   * If identity has a previously generated key, the returned parameters
-   * will include the same type of the key.  If there are no existing
-   * keys, DEFAULT_KEY_PARAMS is used.
-   */
-  const KeyParams&
-  getDefaultKeyParamsForIdentity(const Name& identityName) const;
-
-  Name
-  getDefaultCertificateNameForKey(const Name& keyName) const
-  {
-    return m_pib->getDefaultCertificateNameForKey(keyName);
-  }
-
-  void
-  getAllIdentities(std::vector<Name>& nameList, bool isDefault) const
-  {
-    return m_pib->getAllIdentities(nameList, isDefault);
-  }
-
-  void
-  getAllKeyNames(std::vector<Name>& nameList, bool isDefault) const
-  {
-    return m_pib->getAllKeyNames(nameList, isDefault);
-  }
-
-  void
-  getAllKeyNamesOfIdentity(const Name& identity, std::vector<Name>& nameList, bool isDefault) const
-  {
-    return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
-  }
-
-  void
-  getAllCertificateNames(std::vector<Name>& nameList, bool isDefault) const
-  {
-    return m_pib->getAllCertificateNames(nameList, isDefault);
-  }
-
-  void
-  getAllCertificateNamesOfKey(const Name& keyName,
-                              std::vector<Name>& nameList,
-                              bool isDefault) const
-  {
-    return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
-  }
-
-  void
-  deleteCertificateInfo(const Name& certificateName)
-  {
-    return m_pib->deleteCertificateInfo(certificateName);
-  }
-
-  void
-  deletePublicKeyInfo(const Name& keyName)
-  {
-    return m_pib->deletePublicKeyInfo(keyName);
-  }
-
-  void
-  deleteIdentityInfo(const Name& identity)
-  {
-    return m_pib->deleteIdentityInfo(identity);
-  }
-
-  void
-  setDefaultIdentity(const Name& identityName)
-  {
-    return m_pib->setDefaultIdentity(identityName);
-  }
-
-  void
-  setDefaultKeyNameForIdentity(const Name& keyName)
-  {
-    return m_pib->setDefaultKeyNameForIdentity(keyName);
-  }
-
-  void
-  setDefaultCertificateNameForKey(const Name& certificateName)
-  {
-    return m_pib->setDefaultCertificateNameForKey(certificateName);
-  }
-
-  Name
-  getNewKeyName(const Name& identityName, bool useKsk)
-  {
-    return m_pib->getNewKeyName(identityName, useKsk);
-  }
-
-  Name
-  getDefaultCertificateNameForIdentity(const Name& identityName) const
-  {
-    return m_pib->getDefaultCertificateNameForIdentity(identityName);
-  }
-
-  Name
-  getDefaultCertificateName() const
-  {
-    return m_pib->getDefaultCertificateName();
-  }
-
-  void
-  addCertificateAsKeyDefault(const v1::IdentityCertificate& certificate)
-  {
-    return m_pib->addCertificateAsKeyDefault(certificate);
-  }
-
-  void
-  addCertificateAsIdentityDefault(const v1::IdentityCertificate& certificate)
-  {
-    return m_pib->addCertificateAsIdentityDefault(certificate);
-  }
-
-  void
-  addCertificateAsSystemDefault(const v1::IdentityCertificate& certificate)
-  {
-    return m_pib->addCertificateAsSystemDefault(certificate);
-  }
-
-  shared_ptr<v1::IdentityCertificate>
-  getDefaultCertificate() const
-  {
-    if (!static_cast<bool>(m_pib->getDefaultCertificate()))
-      const_cast<KeyChain*>(this)->setDefaultCertificateInternal();
-
-    return m_pib->getDefaultCertificate();
-  }
-
-  void
-  refreshDefaultCertificate()
-  {
-    return m_pib->refreshDefaultCertificate();
-  }
-
-  /*******************************
-   *  Wrapper of SecTpm          *
-   *******************************/
-
-  void
-  setTpmPassword(const uint8_t* password, size_t passwordLength)
-  {
-    return m_tpm->setTpmPassword(password, passwordLength);
-  }
-
-  void
-  resetTpmPassword()
-  {
-    return m_tpm->resetTpmPassword();
-  }
-
-  void
-  setInTerminal(bool inTerminal)
-  {
-    return m_tpm->setInTerminal(inTerminal);
-  }
-
-  bool
-  getInTerminal() const
-  {
-    return m_tpm->getInTerminal();
-  }
-
-  bool
-  isLocked() const
-  {
-    return m_tpm->isLocked();
-  }
-
-  bool
-  unlockTpm(const char* password, size_t passwordLength, bool usePassword)
-  {
-    return m_tpm->unlockTpm(password, passwordLength, usePassword);
-  }
-
-  void
-  generateKeyPairInTpm(const Name& keyName, const KeyParams& params)
-  {
-    return m_tpm->generateKeyPairInTpm(keyName, params);
-  }
-
-  void
-  deleteKeyPairInTpm(const Name& keyName)
-  {
-    return m_tpm->deleteKeyPairInTpm(keyName);
-  }
-
-  shared_ptr<v1::PublicKey>
-  getPublicKeyFromTpm(const Name& keyName) const
-  {
-    return m_tpm->getPublicKeyFromTpm(keyName);
-  }
-
-  Block
-  signInTpm(const uint8_t* data, size_t dataLength,
-            const Name& keyName,
-            DigestAlgorithm digestAlgorithm)
-  {
-    return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
-  }
-
-  ConstBufferPtr
-  decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
-  {
-    return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
-  }
-
-  ConstBufferPtr
-  encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
-  {
-    return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
-  }
-
-  void
-  generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
-  {
-    return m_tpm->generateSymmetricKeyInTpm(keyName, params);
-  }
-
-  bool
-  doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) const
-  {
-    return m_tpm->doesKeyExistInTpm(keyName, keyClass);
-  }
-
-  bool
-  generateRandomBlock(uint8_t* res, size_t size) const
-  {
-    return m_tpm->generateRandomBlock(res, size);
-  }
-
-  void
-  addAppToAcl(const Name& keyName, KeyClass keyClass, const std::string& appPath, AclType acl)
-  {
-    return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
-  }
-
-  ConstBufferPtr
-  exportPrivateKeyPkcs5FromTpm(const Name& keyName, const std::string& password)
-  {
-    return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
-  }
-
-  bool
-  importPrivateKeyPkcs5IntoTpm(const Name& keyName,
-                               const uint8_t* buf, size_t size,
-                               const std::string& password)
-  {
-    return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
-  }
-
-private:
-  void
-  initialize(const std::string& pibLocatorUri,
-             const std::string& tpmLocatorUri,
-             bool needReset);
-
-  /**
-   * @brief Prepare a SignatureInfo TLV according to signing information and return the signing key name
-   *
-   * @param params The signing parameters.
-   * @return The signing key name and prepared SignatureInfo.
-   * @throw Error when the requested signing method cannot be satisfied.
-   */
-  std::tuple<Name, SignatureInfo>
-  prepareSignatureInfo(const SigningInfo& params);
-
-  /**
-   * @brief Internal abstraction of packet signing.
-   *
-   * @param packet The packet to sign
-   * @param params The signing parameters.
-   * @throw Error when the signing fails.
-   */
-  template<typename T>
-  void
-  signImpl(T& packet, const SigningInfo& params);
-
-  /**
-   * @brief Set default certificate if it is not initialized
-   */
-  void
-  setDefaultCertificateInternal();
-
-  /**
-   * @brief Generate a key pair for the specified identity.
-   *
-   * @param identityName The name of the specified identity.
-   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
-   * @param params The parameter of the key.
-   * @return The name of the generated key.
-   */
-  Name
-  generateKeyPair(const Name& identityName, bool isKsk = false,
-                  const KeyParams& params = DEFAULT_KEY_PARAMS);
-
-  /**
-   * @brief Sign the data using a particular key.
-   *
-   * @param data Reference to the data packet.
-   * @param signature Signature to be added.
-   * @param keyName The name of the signing key.
-   * @param digestAlgorithm the digest algorithm.
-   * @throws Tpm::Error
-   */
-  void
-  signPacketWrapper(Data& data, const Signature& signature,
-                    const Name& keyName, DigestAlgorithm digestAlgorithm);
-
-  /**
-   * @brief Sign the interest using a particular key.
-   *
-   * @param interest Reference to the interest packet.
-   * @param signature Signature to be added.
-   * @param keyName The name of the signing key.
-   * @param digestAlgorithm the digest algorithm.
-   * @throws Tpm::Error
-   */
-  void
-  signPacketWrapper(Interest& interest, const Signature& signature,
-                    const Name& keyName, DigestAlgorithm digestAlgorithm);
-
-  /**
-   * @brief Generate a SignatureValue block for a buffer @p buf with size @p size using
-   *        a key with name @p keyName and digest algorithm @p digestAlgorithm.
-   */
-  Block
-  pureSign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const;
-
-  static void
-  registerPibImpl(const std::string& canonicalName,
-                  std::initializer_list<std::string> aliases, PibCreateFunc createFunc);
-
-  static void
-  registerTpmImpl(const std::string& canonicalName,
-                  std::initializer_list<std::string> aliases, TpmCreateFunc createFunc);
-
-public:
-  static tlv::SignatureTypeValue
-  getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm);
-
-public:
-  static const Name DEFAULT_PREFIX;
-  static const SigningInfo DEFAULT_SIGNING_INFO;
-
-  // RsaKeyParams is set to be default for backward compatibility.
-  static const RsaKeyParams DEFAULT_KEY_PARAMS;
-
-  typedef std::map<std::string, Block> SignParams;
-
-private:
-  std::unique_ptr<SecPublicInfo> m_pib;
-  std::unique_ptr<SecTpm> m_tpm;
-  time::milliseconds m_lastTimestamp;
-};
-
-template<typename T>
-void
-KeyChain::signImpl(T& packet, const SigningInfo& params)
-{
-  Name keyName;
-  SignatureInfo sigInfo;
-  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
-
-  signPacketWrapper(packet, Signature(sigInfo),
-                    keyName, params.getDigestAlgorithm());
-}
-
-template<typename T>
-void
-KeyChain::sign(T& packet, const Name& certificateName)
-{
-  signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_CERT, certificateName));
-}
-
-template<typename T>
-void
-KeyChain::signByIdentity(T& packet, const Name& identityName)
-{
-  signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_ID, identityName));
-}
-
-template<class PibType>
-inline void
-KeyChain::registerPib(std::initializer_list<std::string> aliases)
-{
-  registerPibImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
-      return make_unique<PibType>(locator);
-    });
-}
-
-template<class TpmType>
-inline void
-KeyChain::registerTpm(std::initializer_list<std::string> aliases)
-{
-  registerTpmImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
-      return make_unique<TpmType>(locator);
-    });
-}
-
-/**
- * \brief Register SecPib class in ndn-cxx KeyChain
- *
- * This macro should be placed once in the implementation file of the
- * SecPib type within the namespace where the type is declared.
- */
-#define NDN_CXX_KEYCHAIN_REGISTER_PIB(PibType, ...)     \
-static class NdnCxxAuto ## PibType ## PibRegistrationClass    \
-{                                                             \
-public:                                                       \
-  NdnCxxAuto ## PibType ## PibRegistrationClass()             \
-  {                                                           \
-    ::ndn::KeyChain::registerPib<PibType>({__VA_ARGS__});     \
-  }                                                           \
-} ndnCxxAuto ## PibType ## PibRegistrationVariable
-
-/**
- * \brief Register SecTpm class in ndn-cxx KeyChain
- *
- * This macro should be placed once in the implementation file of the
- * SecTpm type within the namespace where the type is declared.
- */
-#define NDN_CXX_KEYCHAIN_REGISTER_TPM(TpmType, ...)     \
-static class NdnCxxAuto ## TpmType ## TpmRegistrationClass    \
-{                                                             \
-public:                                                       \
-  NdnCxxAuto ## TpmType ## TpmRegistrationClass()             \
-  {                                                           \
-    ::ndn::KeyChain::registerTpm<TpmType>({__VA_ARGS__});     \
-  }                                                           \
-} ndnCxxAuto ## TpmType ## TpmRegistrationVariable
+using security::v1::KeyChain;
 
 } // namespace security
 
-using security::KeyChain;
+using ndn::security::KeyChain;
 
 } // namespace ndn
-
-#endif // NDN_SECURITY_KEY_CHAIN_HPP
diff --git a/src/security/signing-info.hpp b/src/security/signing-info.hpp
index 6284644..fc91410 100644
--- a/src/security/signing-info.hpp
+++ b/src/security/signing-info.hpp
@@ -28,7 +28,6 @@
 #include "pib/key.hpp"
 #include "security-common.hpp"
 
-
 namespace ndn {
 namespace security {
 
diff --git a/src/security/key-chain.cpp b/src/security/v1/key-chain.cpp
similarity index 92%
rename from src/security/key-chain.cpp
rename to src/security/v1/key-chain.cpp
index 1896c7a..f70bf05 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/v1/key-chain.cpp
@@ -22,10 +22,10 @@
  */
 
 #include "key-chain.hpp"
-#include "signing-helpers.hpp"
+#include "../signing-helpers.hpp"
 
-#include "../util/random.hpp"
-#include "../util/config-file.hpp"
+#include "../../util/random.hpp"
+#include "../../util/config-file.hpp"
 
 #include "sec-public-info-sqlite3.hpp"
 
@@ -37,6 +37,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 // Use a GUID as a magic number of KeyChain::DEFAULT_PREFIX identifier
 const Name KeyChain::DEFAULT_PREFIX("/723821fd-f534-44b3-80d9-44bf5f58bbbb");
@@ -60,13 +61,13 @@
 // http://stackoverflow.com/q/9459980/2150331
 //
 // Also, cannot use Type::SCHEME, as its value may be uninitialized
-NDN_CXX_KEYCHAIN_REGISTER_PIB(SecPublicInfoSqlite3, "pib-sqlite3", "sqlite3");
+NDN_CXX_V1_KEYCHAIN_REGISTER_PIB(SecPublicInfoSqlite3, "pib-sqlite3", "sqlite3");
 
 #ifdef NDN_CXX_HAVE_OSX_SECURITY
-NDN_CXX_KEYCHAIN_REGISTER_TPM(SecTpmOsx, "tpm-osxkeychain", "osx-keychain");
+NDN_CXX_V1_KEYCHAIN_REGISTER_TPM(SecTpmOsx, "tpm-osxkeychain", "osx-keychain");
 #endif // NDN_CXX_HAVE_OSX_SECURITY
 
-NDN_CXX_KEYCHAIN_REGISTER_TPM(SecTpmFile, "tpm-file", "file");
+NDN_CXX_V1_KEYCHAIN_REGISTER_TPM(SecTpmFile, "tpm-file", "file");
 
 template<class T>
 struct Factory
@@ -297,7 +298,7 @@
   try {
     keyName = m_pib->getDefaultKeyNameForIdentity(identityName);
 
-    shared_ptr<v1::PublicKey> key = m_pib->getPublicKey(keyName);
+    shared_ptr<PublicKey> key = m_pib->getPublicKey(keyName);
 
     if (key->getKeyType() != params.getKeyType()) {
       keyName = generateKeyPair(identityName, true, params);
@@ -314,7 +315,7 @@
     certName = m_pib->getDefaultCertificateNameForKey(keyName);
   }
   catch (const SecPublicInfo::Error& e) {
-    shared_ptr<v1::IdentityCertificate> selfCert = selfSign(keyName);
+    shared_ptr<IdentityCertificate> selfCert = selfSign(keyName);
     m_pib->addCertificateAsIdentityDefault(*selfCert);
     certName = selfCert->getName();
   }
@@ -361,15 +362,15 @@
 }
 
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 KeyChain::prepareUnsignedIdentityCertificate(const Name& keyName,
   const Name& signingIdentity,
   const time::system_clock::TimePoint& notBefore,
   const time::system_clock::TimePoint& notAfter,
-  const std::vector<v1::CertificateSubjectDescription>& subjectDescription,
+  const std::vector<CertificateSubjectDescription>& subjectDescription,
   const Name& certPrefix)
 {
-  shared_ptr<v1::PublicKey> publicKey;
+  shared_ptr<PublicKey> publicKey;
   try {
     publicKey = m_pib->getPublicKey(keyName);
   }
@@ -382,13 +383,13 @@
                                             subjectDescription, certPrefix);
 }
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 KeyChain::prepareUnsignedIdentityCertificate(const Name& keyName,
-  const v1::PublicKey& publicKey,
+  const PublicKey& publicKey,
   const Name& signingIdentity,
   const time::system_clock::TimePoint& notBefore,
   const time::system_clock::TimePoint& notAfter,
-  const std::vector<v1::CertificateSubjectDescription>& subjectDescription,
+  const std::vector<CertificateSubjectDescription>& subjectDescription,
   const Name& certPrefix)
 {
   if (keyName.size() < 1)
@@ -427,19 +428,19 @@
       return nullptr;
   }
 
-  auto certificate = make_shared<v1::IdentityCertificate>();
+  auto certificate = make_shared<IdentityCertificate>();
   certificate->setName(certName);
   certificate->setNotBefore(notBefore);
   certificate->setNotAfter(notAfter);
   certificate->setPublicKeyInfo(publicKey);
 
   if (subjectDescription.empty()) {
-    v1::CertificateSubjectDescription subjectName(oid::ATTRIBUTE_NAME, keyName.getPrefix(-1).toUri());
+    CertificateSubjectDescription subjectName(oid::ATTRIBUTE_NAME, keyName.getPrefix(-1).toUri());
     certificate->addSubjectDescription(subjectName);
   }
   else {
-    std::vector<v1::CertificateSubjectDescription>::const_iterator sdIt = subjectDescription.begin();
-    std::vector<v1::CertificateSubjectDescription>::const_iterator sdEnd = subjectDescription.end();
+    std::vector<CertificateSubjectDescription>::const_iterator sdIt = subjectDescription.begin();
+    std::vector<CertificateSubjectDescription>::const_iterator sdEnd = subjectDescription.end();
     for(; sdIt != sdEnd; sdIt++)
       certificate->addSubjectDescription(*sdIt);
   }
@@ -454,7 +455,7 @@
 {
   SignatureInfo sigInfo = params.getSignatureInfo();
 
-  shared_ptr<v1::IdentityCertificate> signingCert;
+  shared_ptr<IdentityCertificate> signingCert;
 
   switch (params.getSignerType()) {
     case SigningInfo::SIGNER_TYPE_NULL: {
@@ -536,7 +537,7 @@
 Signature
 KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
 {
-  shared_ptr<v1::IdentityCertificate> certificate = m_pib->getCertificate(certificateName);
+  shared_ptr<IdentityCertificate> certificate = m_pib->getCertificate(certificateName);
 
   if (certificate == nullptr) {
     BOOST_THROW_EXCEPTION(SecPublicInfo::Error("certificate does not exist"));
@@ -552,10 +553,10 @@
   return sig;
 }
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 KeyChain::selfSign(const Name& keyName)
 {
-  shared_ptr<v1::PublicKey> pubKey;
+  shared_ptr<PublicKey> pubKey;
   try {
     pubKey = m_pib->getPublicKey(keyName); // may throw an exception.
   }
@@ -563,7 +564,7 @@
     return nullptr;
   }
 
-  auto certificate = make_shared<v1::IdentityCertificate>();
+  auto certificate = make_shared<IdentityCertificate>();
 
   Name certificateName = keyName.getPrefix(-1);
   certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
@@ -572,7 +573,7 @@
   certificate->setNotBefore(time::system_clock::now());
   certificate->setNotAfter(time::system_clock::now() + time::days(7300)); // ~20 years
   certificate->setPublicKeyInfo(*pubKey);
-  certificate->addSubjectDescription(v1::CertificateSubjectDescription(oid::ATTRIBUTE_NAME,
+  certificate->addSubjectDescription(CertificateSubjectDescription(oid::ATTRIBUTE_NAME,
                                                                        keyName.toUri()));
   certificate->encode();
 
@@ -583,7 +584,7 @@
 }
 
 void
-KeyChain::selfSign(v1::IdentityCertificate& cert)
+KeyChain::selfSign(IdentityCertificate& cert)
 {
   Name keyName = cert.getPublicKeyName();
 
@@ -614,7 +615,7 @@
     BOOST_THROW_EXCEPTION(SecPublicInfo::Error("Fail to export PKCS5 of private key"));
   }
 
-  shared_ptr<v1::IdentityCertificate> cert;
+  shared_ptr<IdentityCertificate> cert;
   try {
     cert = m_pib->getCertificate(m_pib->getDefaultCertificateNameForKey(keyName));
   }
@@ -631,7 +632,7 @@
 KeyChain::importIdentity(const SecuredBag& securedBag, const std::string& passwordStr)
 {
   Name certificateName = securedBag.getCertificate().getName();
-  Name keyName = v1::IdentityCertificate::certificateNameToPublicKeyName(certificateName);
+  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificateName);
   Name identity = keyName.getPrefix(-1);
 
   // Add identity
@@ -643,7 +644,7 @@
                                       securedBag.getKey()->size(),
                                       passwordStr);
 
-  shared_ptr<v1::PublicKey> pubKey = m_tpm->getPublicKeyFromTpm(keyName.toUri());
+  shared_ptr<PublicKey> pubKey = m_tpm->getPublicKeyFromTpm(keyName.toUri());
   // HACK! We should set key type according to the pkcs8 info.
   m_pib->addKey(keyName, *pubKey);
   m_pib->setDefaultKeyNameForIdentity(keyName);
@@ -708,7 +709,7 @@
 
   m_tpm->generateKeyPairInTpm(keyName.toUri(), params);
 
-  shared_ptr<v1::PublicKey> pubKey = m_tpm->getPublicKeyFromTpm(keyName.toUri());
+  shared_ptr<PublicKey> pubKey = m_tpm->getPublicKeyFromTpm(keyName.toUri());
   m_pib->addKey(keyName, *pubKey);
 
   return keyName;
@@ -838,8 +839,8 @@
     default:
       BOOST_THROW_EXCEPTION(Error("Unsupported key types"));
   }
-
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/v1/key-chain.hpp b/src/security/v1/key-chain.hpp
new file mode 100644
index 0000000..73aab90
--- /dev/null
+++ b/src/security/v1/key-chain.hpp
@@ -0,0 +1,968 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ *
+ * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
+ */
+
+#ifndef NDN_SECURITY_V1_KEY_CHAIN_HPP
+#define NDN_SECURITY_V1_KEY_CHAIN_HPP
+
+#include "sec-public-info.hpp"
+#include "sec-tpm.hpp"
+#include "secured-bag.hpp"
+#include "../key-params.hpp"
+#include "../signature-sha256-with-rsa.hpp"
+#include "../signature-sha256-with-ecdsa.hpp"
+#include "../digest-sha256.hpp"
+#include "../signing-info.hpp"
+
+#include "../../interest.hpp"
+#include "../../util/crypto.hpp"
+#include "../../util/random.hpp"
+#include <initializer_list>
+
+namespace ndn {
+namespace security {
+namespace v1 {
+
+/**
+ * @brief The packet signing interface.
+ *
+ * @deprecated Use v2::KeyChain
+ */
+class KeyChain : noncopyable
+{
+public:
+  class Error : public std::runtime_error
+  {
+  public:
+    explicit
+    Error(const std::string& what)
+      : std::runtime_error(what)
+    {
+    }
+  };
+
+  /**
+   * @brief Error thrown when the supplied TPM locator to KeyChain constructor does not match
+   *        the locator stored in PIB
+   */
+  class MismatchError : public Error
+  {
+  public:
+    explicit
+    MismatchError(const std::string& what)
+      : Error(what)
+    {
+    }
+  };
+
+  typedef function<unique_ptr<SecPublicInfo> (const std::string&)> PibCreateFunc;
+  typedef function<unique_ptr<SecTpm>(const std::string&)> TpmCreateFunc;
+
+  /**
+   * @brief Register a new PIB
+   * @param aliases List of schemes with which this PIB will be associated.
+   *        The first alias in the list is considered a canonical name of the PIB instance.
+   */
+  template<class PibType>
+  static void
+  registerPib(std::initializer_list<std::string> aliases);
+
+  /**
+   * @brief Register a new TPM
+   * @param aliases List of schemes with which this TPM will be associated
+   *        The first alias in the list is considered a canonical name of the TPM instance.
+   */
+  template<class TpmType>
+  static void
+  registerTpm(std::initializer_list<std::string> aliases);
+
+  /**
+   * @brief Get default PIB locator
+   */
+  static std::string
+  getDefaultPibLocator();
+
+  /**
+    * @brief Create a PIB according to @p pibLocator
+    */
+  static unique_ptr<SecPublicInfo>
+  createPib(const std::string& pibLocator);
+
+  /**
+   * @brief Get default TPM locator
+   */
+  static std::string
+  getDefaultTpmLocator();
+
+  /**
+    * @brief Create a TPM according to @p tpmLocator
+    */
+  static unique_ptr<SecTpm>
+  createTpm(const std::string& tpmLocator);
+
+  /**
+   * @brief Constructor to create KeyChain with default PIB and TPM
+   *
+   * Default PIB and TPM are platform-dependent and can be overriden system-wide or on
+   * per-use basis.
+   *
+   * @todo Add detailed description about config file behavior here
+   */
+  KeyChain();
+
+  /**
+   * @brief KeyChain constructor
+   *
+   * @sa  http://redmine.named-data.net/issues/2260
+   *
+   * @param pibLocator PIB locator
+   * @param tpmLocator TPM locator
+   * @param allowReset if true, the PIB will be reset when the supplied tpmLocator
+   *        mismatches the one in PIB
+   */
+  KeyChain(const std::string& pibLocator,
+           const std::string& tpmLocator,
+           bool allowReset = false);
+
+  virtual
+  ~KeyChain();
+
+  /**
+   * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
+   *        self-signed certificate of the KSK.
+   *
+   * @param identityName The name of the identity.
+   * @param params The key parameter if a key needs to be generated for the identity.
+   * @return The name of the default certificate of the identity.
+   */
+  Name
+  createIdentity(const Name& identityName, const KeyParams& params = DEFAULT_KEY_PARAMS);
+
+  /**
+   * @brief Generate a pair of RSA keys for the specified identity.
+   *
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   * @see generateEcdsaKeyPair
+   */
+  Name
+  generateRsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
+
+  /**
+   * @brief Generate a pair of ECDSA keys for the specified identity.
+   *
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   * @see generateRsaKeyPair
+   */
+  Name
+  generateEcdsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
+
+  /**
+   * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
+   *        the identity.
+   *
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   * @see generateRsaKeyPair, generateEcdsaKeyPair, generateEcdsaKeyPairAsDefault
+   */
+  Name
+  generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
+
+  /**
+   * @brief Generate a pair of ECDSA keys for the specified identity and set it as default key for
+   *        the identity.
+   *
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   * @see generateRsaKeyPair, generateEcdsaKeyPair, generateRsaKeyPairAsDefault
+   */
+  Name
+  generateEcdsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
+
+  /**
+   * @brief prepare an unsigned identity certificate
+   *
+   * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
+   * @param signingIdentity The signing identity.
+   * @param notBefore Refer to IdentityCertificate.
+   * @param notAfter Refer to IdentityCertificate.
+   * @param subjectDescription Refer to IdentityCertificate.
+   * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
+   *                   certificate name according to the relation between the signingIdentity and
+   *                   the subject identity. If signingIdentity is a prefix of the subject identity,
+   *                   `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
+   *                   after subject identity (i.e., before `ksk-....`).
+   * @return IdentityCertificate.
+   */
+  shared_ptr<IdentityCertificate>
+  prepareUnsignedIdentityCertificate(const Name& keyName,
+    const Name& signingIdentity,
+    const time::system_clock::TimePoint& notBefore,
+    const time::system_clock::TimePoint& notAfter,
+    const std::vector<CertificateSubjectDescription>& subjectDescription,
+    const Name& certPrefix = DEFAULT_PREFIX);
+
+  /**
+   * @brief prepare an unsigned identity certificate
+   *
+   * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
+   * @param publicKey Public key to sign.
+   * @param signingIdentity The signing identity.
+   * @param notBefore Refer to IdentityCertificate.
+   * @param notAfter Refer to IdentityCertificate.
+   * @param subjectDescription Refer to IdentityCertificate.
+   * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
+   *                   certificate name according to the relation between the signingIdentity and
+   *                   the subject identity. If signingIdentity is a prefix of the subject identity,
+   *                   `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
+   *                   after subject identity (i.e., before `ksk-....`).
+   * @return IdentityCertificate.
+   */
+  shared_ptr<IdentityCertificate>
+  prepareUnsignedIdentityCertificate(const Name& keyName,
+    const PublicKey& publicKey,
+    const Name& signingIdentity,
+    const time::system_clock::TimePoint& notBefore,
+    const time::system_clock::TimePoint& notAfter,
+    const std::vector<CertificateSubjectDescription>& subjectDescription,
+    const Name& certPrefix = DEFAULT_PREFIX);
+
+  /**
+   * @brief Sign data according to the supplied signing information
+   *
+   * This method uses the supplied signing information @p params to create the SignatureInfo block:
+   * - it selects a private key and its certificate to sign the packet
+   * - sets the KeyLocator field with the certificate name, and
+   * - adds other requested information to the SignatureInfo block).
+   *
+   * After that, the method assigns the created SignatureInfo to the data packets, generate a
+   * signature and sets as part of the SignatureValue block.
+   *
+   * @param data The data to sign
+   * @param params The signing parameters.
+   * @throws Error if signing fails.
+   * @see SigningInfo
+   */
+  void
+  sign(Data& data, const SigningInfo& params = DEFAULT_SIGNING_INFO);
+
+  /**
+   * @brief Sign interest according to the supplied signing information
+   *
+   * This method uses the supplied signing information @p params to create the SignatureInfo block:
+   * - it selects a private key and its certificate to sign the packet
+   * - sets the KeyLocator field with the certificate name, and
+   * - adds other requested information to the SignatureInfo block).
+   *
+   * After that, the method appends the created SignatureInfo to the interest name, generate a
+   * signature and appends it as part of the SignatureValue block to the interest name.
+   *
+   * @param interest The interest to sign
+   * @param params The signing parameters.
+   * @throws Error if signing fails.
+   * @see SigningInfo
+   */
+  void
+  sign(Interest& interest, const SigningInfo& params = DEFAULT_SIGNING_INFO);
+
+  /**
+   * @brief Sign buffer according to the supplied signing information
+   *
+   * @param buffer The buffer to sign
+   * @param bufferLength The buffer size
+   * @param params The signing parameters.
+   * @return a SignatureValue TLV block
+   * @throws Error if signing fails.
+   * @see SigningInfo
+   */
+  Block
+  sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params);
+
+  /**
+   * @deprecated use sign sign(T&, const SigningInfo&)
+   * @brief Sign packet with a particular certificate.
+   *
+   * @param packet The packet to be signed.
+   * @param certificateName The certificate name of the key to use for signing.
+   * @throws SecPublicInfo::Error if certificate does not exist.
+   */
+  template<typename T>
+  void
+  sign(T& packet, const Name& certificateName);
+
+  /**
+   * @deprecated Use sign(const uint8_t*, size_t, const SigningInfo&) instead
+   * @brief Sign the byte array using a particular certificate.
+   *
+   * @param buffer The byte array to be signed.
+   * @param bufferLength the length of buffer.
+   * @param certificateName The certificate name of the signing key.
+   * @return The Signature.
+   * @throws SecPublicInfo::Error if certificate does not exist.
+   */
+  Signature
+  sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
+
+  /**
+   * @deprecated use sign sign(T&, const SigningInfo&)
+   * @brief Sign packet using the default certificate of a particular identity.
+   *
+   * If there is no default certificate of that identity, this method will create a self-signed
+   * certificate.
+   *
+   * @param packet The packet to be signed.
+   * @param identityName The signing identity name.
+   */
+  template<typename T>
+  void
+  signByIdentity(T& packet, const Name& identityName);
+
+  /**
+   * @deprecated use sign(const uint8_t*, size_t, const SigningInfo&) instead
+   * @brief Sign the byte array using the default certificate of a particular identity.
+   *
+   * @param buffer The byte array to be signed.
+   * @param bufferLength the length of buffer.
+   * @param identityName The identity name.
+   * @return The Signature.
+   */
+  Signature
+  signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
+
+  /**
+   * @deprecated use sign(Data&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
+   * @brief Set Sha256 weak signature for @p data
+   */
+  void
+  signWithSha256(Data& data);
+
+  /**
+   * @deprecated use sign(Interest&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
+   * @brief Set Sha256 weak signature for @p interest
+   */
+  void
+  signWithSha256(Interest& interest);
+
+  /**
+   * @brief Generate a self-signed certificate for a public key.
+   *
+   * @param keyName The name of the public key
+   * @return The generated certificate, shared_ptr<IdentityCertificate>() if selfSign fails
+   */
+  shared_ptr<IdentityCertificate>
+  selfSign(const Name& keyName);
+
+  /**
+   * @brief Self-sign the supplied identity certificate.
+   *
+   * @param cert The supplied cert.
+   * @throws SecTpm::Error if the private key does not exist.
+   */
+  void
+  selfSign(IdentityCertificate& cert);
+
+  /**
+   * @brief delete a certificate.
+   *
+   * @param certificateName The certificate to be deleted.
+   * @throws KeyChain::Error if certificate cannot be deleted.
+   */
+  void
+  deleteCertificate(const Name& certificateName);
+
+  /**
+   * @brief delete a key.
+   *
+   * @param keyName The key to be deleted.
+   * @throws KeyChain::Error if key cannot be deleted.
+   */
+  void
+  deleteKey(const Name& keyName);
+
+  /**
+   * @brief delete an identity.
+   *
+   * @param identity The identity to be deleted.
+   * @throws KeyChain::Error if identity cannot be deleted.
+   */
+  void
+  deleteIdentity(const Name& identity);
+
+  /**
+   * @brief export an identity.
+   *
+   * @param identity The identity to export.
+   * @param passwordStr The password to secure the private key.
+   * @return The encoded export data.
+   * @throws SecPublicInfo::Error if anything goes wrong in exporting.
+   */
+  shared_ptr<SecuredBag>
+  exportIdentity(const Name& identity, const std::string& passwordStr);
+
+  /**
+   * @brief import an identity.
+   *
+   * @param securedBag The encoded import data.
+   * @param passwordStr The password to secure the private key.
+   */
+  void
+  importIdentity(const SecuredBag& securedBag, const std::string& passwordStr);
+
+  SecPublicInfo&
+  getPib()
+  {
+    return *m_pib;
+  }
+
+  const SecPublicInfo&
+  getPib() const
+  {
+    return *m_pib;
+  }
+
+  SecTpm&
+  getTpm()
+  {
+    return *m_tpm;
+  }
+
+  const SecTpm&
+  getTpm() const
+  {
+    return *m_tpm;
+  }
+
+  /*******************************
+   *  Wrapper of SecPublicInfo   *
+   *******************************/
+  bool
+  doesIdentityExist(const Name& identityName) const
+  {
+    return m_pib->doesIdentityExist(identityName);
+  }
+
+  void
+  addIdentity(const Name& identityName)
+  {
+    return m_pib->addIdentity(identityName);
+  }
+
+  bool
+  doesPublicKeyExist(const Name& keyName) const
+  {
+    return m_pib->doesPublicKeyExist(keyName);
+  }
+
+  void
+  addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer)
+  {
+    return m_pib->addKey(keyName, publicKeyDer);
+  }
+
+  void
+  addKey(const Name& keyName, const PublicKey& publicKeyDer)
+  {
+    return m_pib->addKey(keyName, publicKeyDer);
+  }
+
+  shared_ptr<PublicKey>
+  getPublicKey(const Name& keyName) const
+  {
+    return m_pib->getPublicKey(keyName);
+  }
+
+  bool
+  doesCertificateExist(const Name& certificateName) const
+  {
+    return m_pib->doesCertificateExist(certificateName);
+  }
+
+  void
+  addCertificate(const IdentityCertificate& certificate)
+  {
+    return m_pib->addCertificate(certificate);
+  }
+
+  shared_ptr<IdentityCertificate>
+  getCertificate(const Name& certificateName) const
+  {
+    return m_pib->getCertificate(certificateName);
+  }
+
+  Name
+  getDefaultIdentity() const
+  {
+    return m_pib->getDefaultIdentity();
+  }
+
+  Name
+  getDefaultKeyNameForIdentity(const Name& identityName) const
+  {
+    return m_pib->getDefaultKeyNameForIdentity(identityName);
+  }
+
+  /**
+   * @brief Get default key parameters for the specified identity
+   *
+   * If identity has a previously generated key, the returned parameters
+   * will include the same type of the key.  If there are no existing
+   * keys, DEFAULT_KEY_PARAMS is used.
+   */
+  const KeyParams&
+  getDefaultKeyParamsForIdentity(const Name& identityName) const;
+
+  Name
+  getDefaultCertificateNameForKey(const Name& keyName) const
+  {
+    return m_pib->getDefaultCertificateNameForKey(keyName);
+  }
+
+  void
+  getAllIdentities(std::vector<Name>& nameList, bool isDefault) const
+  {
+    return m_pib->getAllIdentities(nameList, isDefault);
+  }
+
+  void
+  getAllKeyNames(std::vector<Name>& nameList, bool isDefault) const
+  {
+    return m_pib->getAllKeyNames(nameList, isDefault);
+  }
+
+  void
+  getAllKeyNamesOfIdentity(const Name& identity, std::vector<Name>& nameList, bool isDefault) const
+  {
+    return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
+  }
+
+  void
+  getAllCertificateNames(std::vector<Name>& nameList, bool isDefault) const
+  {
+    return m_pib->getAllCertificateNames(nameList, isDefault);
+  }
+
+  void
+  getAllCertificateNamesOfKey(const Name& keyName,
+                              std::vector<Name>& nameList,
+                              bool isDefault) const
+  {
+    return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
+  }
+
+  void
+  deleteCertificateInfo(const Name& certificateName)
+  {
+    return m_pib->deleteCertificateInfo(certificateName);
+  }
+
+  void
+  deletePublicKeyInfo(const Name& keyName)
+  {
+    return m_pib->deletePublicKeyInfo(keyName);
+  }
+
+  void
+  deleteIdentityInfo(const Name& identity)
+  {
+    return m_pib->deleteIdentityInfo(identity);
+  }
+
+  void
+  setDefaultIdentity(const Name& identityName)
+  {
+    return m_pib->setDefaultIdentity(identityName);
+  }
+
+  void
+  setDefaultKeyNameForIdentity(const Name& keyName)
+  {
+    return m_pib->setDefaultKeyNameForIdentity(keyName);
+  }
+
+  void
+  setDefaultCertificateNameForKey(const Name& certificateName)
+  {
+    return m_pib->setDefaultCertificateNameForKey(certificateName);
+  }
+
+  Name
+  getNewKeyName(const Name& identityName, bool useKsk)
+  {
+    return m_pib->getNewKeyName(identityName, useKsk);
+  }
+
+  Name
+  getDefaultCertificateNameForIdentity(const Name& identityName) const
+  {
+    return m_pib->getDefaultCertificateNameForIdentity(identityName);
+  }
+
+  Name
+  getDefaultCertificateName() const
+  {
+    return m_pib->getDefaultCertificateName();
+  }
+
+  void
+  addCertificateAsKeyDefault(const IdentityCertificate& certificate)
+  {
+    return m_pib->addCertificateAsKeyDefault(certificate);
+  }
+
+  void
+  addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
+  {
+    return m_pib->addCertificateAsIdentityDefault(certificate);
+  }
+
+  void
+  addCertificateAsSystemDefault(const IdentityCertificate& certificate)
+  {
+    return m_pib->addCertificateAsSystemDefault(certificate);
+  }
+
+  shared_ptr<IdentityCertificate>
+  getDefaultCertificate() const
+  {
+    if (!static_cast<bool>(m_pib->getDefaultCertificate()))
+      const_cast<KeyChain*>(this)->setDefaultCertificateInternal();
+
+    return m_pib->getDefaultCertificate();
+  }
+
+  void
+  refreshDefaultCertificate()
+  {
+    return m_pib->refreshDefaultCertificate();
+  }
+
+  /*******************************
+   *  Wrapper of SecTpm          *
+   *******************************/
+
+  void
+  setTpmPassword(const uint8_t* password, size_t passwordLength)
+  {
+    return m_tpm->setTpmPassword(password, passwordLength);
+  }
+
+  void
+  resetTpmPassword()
+  {
+    return m_tpm->resetTpmPassword();
+  }
+
+  void
+  setInTerminal(bool inTerminal)
+  {
+    return m_tpm->setInTerminal(inTerminal);
+  }
+
+  bool
+  getInTerminal() const
+  {
+    return m_tpm->getInTerminal();
+  }
+
+  bool
+  isLocked() const
+  {
+    return m_tpm->isLocked();
+  }
+
+  bool
+  unlockTpm(const char* password, size_t passwordLength, bool usePassword)
+  {
+    return m_tpm->unlockTpm(password, passwordLength, usePassword);
+  }
+
+  void
+  generateKeyPairInTpm(const Name& keyName, const KeyParams& params)
+  {
+    return m_tpm->generateKeyPairInTpm(keyName, params);
+  }
+
+  void
+  deleteKeyPairInTpm(const Name& keyName)
+  {
+    return m_tpm->deleteKeyPairInTpm(keyName);
+  }
+
+  shared_ptr<PublicKey>
+  getPublicKeyFromTpm(const Name& keyName) const
+  {
+    return m_tpm->getPublicKeyFromTpm(keyName);
+  }
+
+  Block
+  signInTpm(const uint8_t* data, size_t dataLength,
+            const Name& keyName,
+            DigestAlgorithm digestAlgorithm)
+  {
+    return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
+  }
+
+  ConstBufferPtr
+  decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
+  {
+    return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
+  }
+
+  ConstBufferPtr
+  encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
+  {
+    return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
+  }
+
+  void
+  generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
+  {
+    return m_tpm->generateSymmetricKeyInTpm(keyName, params);
+  }
+
+  bool
+  doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) const
+  {
+    return m_tpm->doesKeyExistInTpm(keyName, keyClass);
+  }
+
+  bool
+  generateRandomBlock(uint8_t* res, size_t size) const
+  {
+    return m_tpm->generateRandomBlock(res, size);
+  }
+
+  void
+  addAppToAcl(const Name& keyName, KeyClass keyClass, const std::string& appPath, AclType acl)
+  {
+    return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
+  }
+
+  ConstBufferPtr
+  exportPrivateKeyPkcs5FromTpm(const Name& keyName, const std::string& password)
+  {
+    return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
+  }
+
+  bool
+  importPrivateKeyPkcs5IntoTpm(const Name& keyName,
+                               const uint8_t* buf, size_t size,
+                               const std::string& password)
+  {
+    return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
+  }
+
+private:
+  void
+  initialize(const std::string& pibLocatorUri,
+             const std::string& tpmLocatorUri,
+             bool needReset);
+
+  /**
+   * @brief Prepare a SignatureInfo TLV according to signing information and return the signing key name
+   *
+   * @param params The signing parameters.
+   * @return The signing key name and prepared SignatureInfo.
+   * @throw Error when the requested signing method cannot be satisfied.
+   */
+  std::tuple<Name, SignatureInfo>
+  prepareSignatureInfo(const SigningInfo& params);
+
+  /**
+   * @brief Internal abstraction of packet signing.
+   *
+   * @param packet The packet to sign
+   * @param params The signing parameters.
+   * @throw Error when the signing fails.
+   */
+  template<typename T>
+  void
+  signImpl(T& packet, const SigningInfo& params);
+
+  /**
+   * @brief Set default certificate if it is not initialized
+   */
+  void
+  setDefaultCertificateInternal();
+
+  /**
+   * @brief Generate a key pair for the specified identity.
+   *
+   * @param identityName The name of the specified identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param params The parameter of the key.
+   * @return The name of the generated key.
+   */
+  Name
+  generateKeyPair(const Name& identityName, bool isKsk = false,
+                  const KeyParams& params = DEFAULT_KEY_PARAMS);
+
+  /**
+   * @brief Sign the data using a particular key.
+   *
+   * @param data Reference to the data packet.
+   * @param signature Signature to be added.
+   * @param keyName The name of the signing key.
+   * @param digestAlgorithm the digest algorithm.
+   * @throws Tpm::Error
+   */
+  void
+  signPacketWrapper(Data& data, const Signature& signature,
+                    const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+  /**
+   * @brief Sign the interest using a particular key.
+   *
+   * @param interest Reference to the interest packet.
+   * @param signature Signature to be added.
+   * @param keyName The name of the signing key.
+   * @param digestAlgorithm the digest algorithm.
+   * @throws Tpm::Error
+   */
+  void
+  signPacketWrapper(Interest& interest, const Signature& signature,
+                    const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+  /**
+   * @brief Generate a SignatureValue block for a buffer @p buf with size @p size using
+   *        a key with name @p keyName and digest algorithm @p digestAlgorithm.
+   */
+  Block
+  pureSign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const;
+
+  static void
+  registerPibImpl(const std::string& canonicalName,
+                  std::initializer_list<std::string> aliases, PibCreateFunc createFunc);
+
+  static void
+  registerTpmImpl(const std::string& canonicalName,
+                  std::initializer_list<std::string> aliases, TpmCreateFunc createFunc);
+
+public:
+  static tlv::SignatureTypeValue
+  getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm);
+
+public:
+  static const Name DEFAULT_PREFIX;
+  static const SigningInfo DEFAULT_SIGNING_INFO;
+
+  // RsaKeyParams is set to be default for backward compatibility.
+  static const RsaKeyParams DEFAULT_KEY_PARAMS;
+
+  typedef std::map<std::string, Block> SignParams;
+
+private:
+  std::unique_ptr<SecPublicInfo> m_pib;
+  std::unique_ptr<SecTpm> m_tpm;
+  time::milliseconds m_lastTimestamp;
+};
+
+template<typename T>
+void
+KeyChain::signImpl(T& packet, const SigningInfo& params)
+{
+  Name keyName;
+  SignatureInfo sigInfo;
+  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
+
+  signPacketWrapper(packet, Signature(sigInfo),
+                    keyName, params.getDigestAlgorithm());
+}
+
+template<typename T>
+void
+KeyChain::sign(T& packet, const Name& certificateName)
+{
+  signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_CERT, certificateName));
+}
+
+template<typename T>
+void
+KeyChain::signByIdentity(T& packet, const Name& identityName)
+{
+  signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_ID, identityName));
+}
+
+template<class PibType>
+inline void
+KeyChain::registerPib(std::initializer_list<std::string> aliases)
+{
+  registerPibImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
+      return make_unique<PibType>(locator);
+    });
+}
+
+template<class TpmType>
+inline void
+KeyChain::registerTpm(std::initializer_list<std::string> aliases)
+{
+  registerTpmImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
+      return make_unique<TpmType>(locator);
+    });
+}
+
+/**
+ * \brief Register SecPib class in ndn-cxx KeyChain
+ *
+ * This macro should be placed once in the implementation file of the
+ * SecPib type within the namespace where the type is declared.
+ */
+#define NDN_CXX_V1_KEYCHAIN_REGISTER_PIB(PibType, ...)     \
+static class NdnCxxAuto ## PibType ## PibRegistrationClass    \
+{                                                             \
+public:                                                       \
+  NdnCxxAuto ## PibType ## PibRegistrationClass()             \
+  {                                                           \
+    ::ndn::security::v1::KeyChain::registerPib<PibType>({__VA_ARGS__});     \
+  }                                                           \
+} ndnCxxAuto ## PibType ## PibRegistrationVariable
+
+/**
+ * \brief Register SecTpm class in ndn-cxx KeyChain
+ *
+ * This macro should be placed once in the implementation file of the
+ * SecTpm type within the namespace where the type is declared.
+ */
+#define NDN_CXX_V1_KEYCHAIN_REGISTER_TPM(TpmType, ...)     \
+static class NdnCxxAuto ## TpmType ## TpmRegistrationClass    \
+{                                                             \
+public:                                                       \
+  NdnCxxAuto ## TpmType ## TpmRegistrationClass()             \
+  {                                                           \
+    ::ndn::security::v1::KeyChain::registerTpm<TpmType>({__VA_ARGS__});     \
+  }                                                           \
+} ndnCxxAuto ## TpmType ## TpmRegistrationVariable
+
+} // namespace v1
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V1_KEY_CHAIN_HPP
diff --git a/src/security/sec-public-info-sqlite3.cpp b/src/security/v1/sec-public-info-sqlite3.cpp
similarity index 96%
rename from src/security/sec-public-info-sqlite3.cpp
rename to src/security/v1/sec-public-info-sqlite3.cpp
index b392ba1..efb4e0f 100644
--- a/src/security/sec-public-info-sqlite3.cpp
+++ b/src/security/v1/sec-public-info-sqlite3.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -23,10 +23,10 @@
  */
 
 #include "sec-public-info-sqlite3.hpp"
-#include "v1/identity-certificate.hpp"
-#include "signature-sha256-with-rsa.hpp"
-#include "signature-sha256-with-ecdsa.hpp"
-#include "../data.hpp"
+#include "identity-certificate.hpp"
+#include "../signature-sha256-with-rsa.hpp"
+#include "../signature-sha256-with-ecdsa.hpp"
+#include "../../data.hpp"
 
 #include <sqlite3.h>
 #include <stdio.h>
@@ -37,6 +37,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 using std::string;
 using std::vector;
@@ -364,7 +365,7 @@
 
 void
 SecPublicInfoSqlite3::addKey(const Name& keyName,
-                             const v1::PublicKey& publicKeyDer)
+                             const PublicKey& publicKeyDer)
 {
   if (keyName.empty())
     return;
@@ -397,7 +398,7 @@
   sqlite3_finalize(statement);
 }
 
-shared_ptr<v1::PublicKey>
+shared_ptr<PublicKey>
 SecPublicInfoSqlite3::getPublicKey(const Name& keyName)
 {
   if (keyName.empty())
@@ -416,9 +417,9 @@
 
   int res = sqlite3_step(statement);
 
-  shared_ptr<v1::PublicKey> result;
+  shared_ptr<PublicKey> result;
   if (res == SQLITE_ROW) {
-    result = make_shared<v1::PublicKey>(static_cast<const uint8_t*>(sqlite3_column_blob(statement, 0)),
+    result = make_shared<PublicKey>(static_cast<const uint8_t*>(sqlite3_column_blob(statement, 0)),
                                         sqlite3_column_bytes(statement, 0));
     sqlite3_finalize(statement);
     return result;
@@ -484,12 +485,12 @@
 }
 
 void
-SecPublicInfoSqlite3::addCertificate(const v1::IdentityCertificate& certificate)
+SecPublicInfoSqlite3::addCertificate(const IdentityCertificate& certificate)
 {
   const Name& certificateName = certificate.getName();
-  // KeyName is from v1::IdentityCertificate name, so should be qualified.
+  // KeyName is from IdentityCertificate name, so should be qualified.
   Name keyName =
-    v1::IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
+    IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
 
   addKey(keyName, certificate.getPublicKeyInfo());
 
@@ -538,7 +539,7 @@
   sqlite3_finalize(statement);
 }
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 SecPublicInfoSqlite3::getCertificate(const Name& certificateName)
 {
   sqlite3_stmt* statement = nullptr;
@@ -552,7 +553,7 @@
   int res = sqlite3_step(statement);
 
   if (res == SQLITE_ROW) {
-    shared_ptr<v1::IdentityCertificate> certificate = make_shared<v1::IdentityCertificate>();
+    shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>();
     try {
       certificate->wireDecode(Block(static_cast<const uint8_t*>(sqlite3_column_blob(statement, 0)),
                                     sqlite3_column_bytes(statement, 0)));
@@ -724,7 +725,7 @@
   if (!doesCertificateExist(certificateName))
     BOOST_THROW_EXCEPTION(Error("certificate does not exist:" + certificateName.toUri()));
 
-  Name keyName = v1::IdentityCertificate::certificateNameToPublicKeyName(certificateName);
+  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificateName);
   string keyId = keyName.get(-1).toUri();
   Name identityName = keyName.getPrefix(-1);
 
@@ -952,5 +953,6 @@
   return SCHEME;
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/sec-public-info-sqlite3.hpp b/src/security/v1/sec-public-info-sqlite3.hpp
similarity index 88%
rename from src/security/sec-public-info-sqlite3.hpp
rename to src/security/v1/sec-public-info-sqlite3.hpp
index fbe7d7e..6e9dfd7 100644
--- a/src/security/sec-public-info-sqlite3.hpp
+++ b/src/security/v1/sec-public-info-sqlite3.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -22,16 +22,17 @@
  * @author Jeff Thompson <jefft0@remap.ucla.edu>
  */
 
-#ifndef NDN_SECURITY_SEC_PUBLIC_INFO_SQLITE3_HPP
-#define NDN_SECURITY_SEC_PUBLIC_INFO_SQLITE3_HPP
+#ifndef NDN_SECURITY_V1_SEC_PUBLIC_INFO_SQLITE3_HPP
+#define NDN_SECURITY_V1_SEC_PUBLIC_INFO_SQLITE3_HPP
 
-#include "../common.hpp"
+#include "../../common.hpp"
 #include "sec-public-info.hpp"
 
 struct sqlite3;
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 class SecPublicInfoSqlite3 : public SecPublicInfo
 {
@@ -78,9 +79,9 @@
   doesPublicKeyExist(const Name& keyName);
 
   virtual void
-  addKey(const Name& keyName, const v1::PublicKey& publicKeyDer);
+  addKey(const Name& keyName, const PublicKey& publicKeyDer);
 
-  virtual shared_ptr<v1::PublicKey>
+  virtual shared_ptr<PublicKey>
   getPublicKey(const Name& keyName);
 
   virtual KeyType
@@ -90,9 +91,9 @@
   doesCertificateExist(const Name& certificateName);
 
   virtual void
-  addCertificate(const v1::IdentityCertificate& certificate);
+  addCertificate(const IdentityCertificate& certificate);
 
-  virtual shared_ptr<v1::IdentityCertificate>
+  virtual shared_ptr<IdentityCertificate>
   getCertificate(const Name& certificateName);
 
 
@@ -163,10 +164,8 @@
   sqlite3* m_database;
 };
 
+} // namespace v1
 } // namespace security
-
-using security::SecPublicInfoSqlite3;
-
 } // namespace ndn
 
-#endif // NDN_SECURITY_SEC_PUBLIC_INFO_SQLITE3_HPP
+#endif // NDN_SECURITY_V1_SEC_PUBLIC_INFO_SQLITE3_HPP
diff --git a/src/security/sec-public-info.cpp b/src/security/v1/sec-public-info.cpp
similarity index 86%
rename from src/security/sec-public-info.cpp
rename to src/security/v1/sec-public-info.cpp
index 7002d36..96c4441 100644
--- a/src/security/sec-public-info.cpp
+++ b/src/security/v1/sec-public-info.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -23,6 +23,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 SecPublicInfo::SecPublicInfo(const std::string& location)
   : m_location(location)
@@ -40,7 +41,7 @@
 }
 
 void
-SecPublicInfo::addPublicKey(const Name& keyName, KeyType keyType, const v1::PublicKey& publicKey)
+SecPublicInfo::addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKey)
 {
   addKey(keyName, publicKey);
 }
@@ -105,7 +106,7 @@
 }
 
 void
-SecPublicInfo::addCertificateAsKeyDefault(const v1::IdentityCertificate& certificate)
+SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate)
 {
   addCertificate(certificate);
   setDefaultCertificateNameForKeyInternal(certificate.getName());
@@ -113,35 +114,35 @@
 }
 
 void
-SecPublicInfo::addCertificateAsIdentityDefault(const v1::IdentityCertificate& certificate)
+SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
 {
   addCertificate(certificate);
   Name certName = certificate.getName();
-  Name keyName = v1::IdentityCertificate::certificateNameToPublicKeyName(certName);
+  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certName);
   setDefaultKeyNameForIdentityInternal(keyName);
   setDefaultCertificateNameForKeyInternal(certName);
   refreshDefaultCertificate();
 }
 
 void
-SecPublicInfo::addCertificateAsSystemDefault(const v1::IdentityCertificate& certificate)
+SecPublicInfo::addCertificateAsSystemDefault(const IdentityCertificate& certificate)
 {
   addCertificate(certificate);
   Name certName = certificate.getName();
-  Name keyName = v1::IdentityCertificate::certificateNameToPublicKeyName(certName);
+  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certName);
   setDefaultIdentityInternal(keyName.getPrefix(-1));
   setDefaultKeyNameForIdentityInternal(keyName);
   setDefaultCertificateNameForKeyInternal(certName);
   refreshDefaultCertificate();
 }
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 SecPublicInfo::defaultCertificate()
 {
   return getDefaultCertificate();
 }
 
-shared_ptr<v1::IdentityCertificate>
+shared_ptr<IdentityCertificate>
 SecPublicInfo::getDefaultCertificate()
 {
   return m_defaultCertificate;
@@ -159,5 +160,6 @@
   }
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/sec-public-info.hpp b/src/security/v1/sec-public-info.hpp
similarity index 89%
rename from src/security/sec-public-info.hpp
rename to src/security/v1/sec-public-info.hpp
index 9f24538..7ed6ef4 100644
--- a/src/security/sec-public-info.hpp
+++ b/src/security/v1/sec-public-info.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -19,16 +19,17 @@
  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
  */
 
-#ifndef NDN_SECURITY_SEC_PUBLIC_INFO_HPP
-#define NDN_SECURITY_SEC_PUBLIC_INFO_HPP
+#ifndef NDN_SECURITY_V1_SEC_PUBLIC_INFO_HPP
+#define NDN_SECURITY_V1_SEC_PUBLIC_INFO_HPP
 
-#include "../name.hpp"
-#include "security-common.hpp"
-#include "v1/public-key.hpp"
-#include "v1/identity-certificate.hpp"
+#include "../../name.hpp"
+#include "../security-common.hpp"
+#include "public-key.hpp"
+#include "identity-certificate.hpp"
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 /**
  * @brief SecPublicInfo is a base class for the storage of public information.
@@ -132,7 +133,7 @@
    */
   DEPRECATED(
   void
-  addPublicKey(const Name& keyName, KeyType keyType, const v1::PublicKey& publicKey));
+  addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKey));
 
   /**
    * @brief Add a public key to the identity storage.
@@ -141,7 +142,7 @@
    * @param publicKey Reference to the PublicKey object
    */
   virtual void
-  addKey(const Name& keyName, const v1::PublicKey& publicKey) = 0;
+  addKey(const Name& keyName, const PublicKey& publicKey) = 0;
 
   /**
    * @brief Get shared pointer to PublicKey object from the identity storage
@@ -149,7 +150,7 @@
    * @param keyName The name of the requested public key
    * @throws SecPublicInfo::Error if public key does not exist
    */
-  virtual shared_ptr<v1::PublicKey>
+  virtual shared_ptr<PublicKey>
   getPublicKey(const Name& keyName) = 0;
 
   /**
@@ -180,7 +181,7 @@
    * @param certificate The certificate to be added
    */
   virtual void
-  addCertificate(const v1::IdentityCertificate& certificate) = 0;
+  addCertificate(const IdentityCertificate& certificate) = 0;
 
   /**
    * @brief Get a shared pointer to identity certificate object from the identity storage
@@ -188,7 +189,7 @@
    * @param certificateName The name of the requested certificate
    * @throws SecPublicInfo::Error if the certificate does not exist
    */
-  virtual shared_ptr<v1::IdentityCertificate>
+  virtual shared_ptr<IdentityCertificate>
   getCertificate(const Name& certificateName) = 0;
 
 
@@ -404,7 +405,7 @@
    * @throws SecPublicInfo::Error if the certificate cannot be added (though it is really rare)
    */
   void
-  addCertificateAsKeyDefault(const v1::IdentityCertificate& certificate);
+  addCertificateAsKeyDefault(const IdentityCertificate& certificate);
 
   /**
    * @brief Add a certificate into the public key identity storage and set the certificate as the
@@ -414,7 +415,7 @@
    * @throws SecPublicInfo::Error if the certificate cannot be added (though it is really rare)
    */
   void
-  addCertificateAsIdentityDefault(const v1::IdentityCertificate& certificate);
+  addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
 
   /**
    * @brief Add a certificate into the public key identity storage and set the certificate as the
@@ -424,24 +425,24 @@
    * @throws SecPublicInfo::Error if the certificate cannot be added (though it is really rare)
    */
   void
-  addCertificateAsSystemDefault(const v1::IdentityCertificate& certificate);
+  addCertificateAsSystemDefault(const IdentityCertificate& certificate);
 
   /**
    * @brief Get cached default certificate of the default identity
    *
-   * @return The certificate which might be empty shared_ptr<v1::IdentityCertificate>()
+   * @return The certificate which might be empty shared_ptr<IdentityCertificate>()
    * @deprecated Use getDefaultCertificate instead
    */
   DEPRECATED(
-  shared_ptr<v1::IdentityCertificate>
+  shared_ptr<IdentityCertificate>
   defaultCertificate());
 
   /**
    * @brief Get cached default certificate of the default identity
    *
-   * @return The certificate which might be empty shared_ptr<v1::IdentityCertificate>()
+   * @return The certificate which might be empty shared_ptr<IdentityCertificate>()
    */
-  shared_ptr<v1::IdentityCertificate>
+  shared_ptr<IdentityCertificate>
   getDefaultCertificate();
 
   /**
@@ -451,14 +452,22 @@
   refreshDefaultCertificate();
 
 protected:
-  shared_ptr<v1::IdentityCertificate> m_defaultCertificate;
+  shared_ptr<IdentityCertificate> m_defaultCertificate;
   std::string m_location;
 };
 
+} // namespace v1
+
+#ifdef NDN_CXX_KEEP_SECURITY_V1_ALIASES
+using v1::SecPublicInfo;
+#endif // NDN_CXX_KEEP_SECURITY_V1_ALIASES
+
 } // namespace security
 
-using security::SecPublicInfo;
+#ifdef NDN_CXX_KEEP_SECURITY_V1_ALIASES
+using security::v1::SecPublicInfo;
+#endif // NDN_CXX_KEEP_SECURITY_V1_ALIASES
 
 } // namespace ndn
 
-#endif // NDN_SECURITY_SEC_PUBLIC_INFO_HPP
+#endif // NDN_SECURITY_V1_SEC_PUBLIC_INFO_HPP
diff --git a/src/security/sec-tpm-file.cpp b/src/security/v1/sec-tpm-file.cpp
similarity index 98%
rename from src/security/sec-tpm-file.cpp
rename to src/security/v1/sec-tpm-file.cpp
index 931d8fd..adda17f 100644
--- a/src/security/sec-tpm-file.cpp
+++ b/src/security/v1/sec-tpm-file.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -25,12 +25,12 @@
 
 #include "sec-tpm-file.hpp"
 
-#include "../encoding/buffer-stream.hpp"
+#include "../../encoding/buffer-stream.hpp"
 
 #include <boost/filesystem.hpp>
 #include <boost/algorithm/string.hpp>
 
-#include "v1/cryptopp.hpp"
+#include "cryptopp.hpp"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -39,6 +39,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 using std::string;
 using std::ostringstream;
@@ -232,7 +233,7 @@
     boost::filesystem::remove(privateKeyPath);
 }
 
-shared_ptr<v1::PublicKey>
+shared_ptr<PublicKey>
 SecTpmFile::getPublicKeyFromTpm(const Name&  keyName)
 {
   string keyURI = keyName.toUri();
@@ -251,7 +252,7 @@
     BOOST_THROW_EXCEPTION(Error(e.what()));
   }
 
-  return make_shared<v1::PublicKey>(reinterpret_cast<const uint8_t*>(os.str().c_str()),
+  return make_shared<PublicKey>(reinterpret_cast<const uint8_t*>(os.str().c_str()),
                                 os.str().size());
 }
 
@@ -321,7 +322,7 @@
     AutoSeededRandomPool rng;
 
     // Read public key
-    shared_ptr<v1::PublicKey> pubkeyPtr;
+    shared_ptr<PublicKey> pubkeyPtr;
     pubkeyPtr = getPublicKeyFromTpm(keyName);
 
     switch (pubkeyPtr->getKeyType()) {
@@ -587,5 +588,6 @@
   }
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/sec-tpm-file.hpp b/src/security/v1/sec-tpm-file.hpp
similarity index 92%
rename from src/security/sec-tpm-file.hpp
rename to src/security/v1/sec-tpm-file.hpp
index ed25d2d..aaaa4ce 100644
--- a/src/security/sec-tpm-file.hpp
+++ b/src/security/v1/sec-tpm-file.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -23,15 +23,16 @@
  * @author Alexander Afanasyev <http://lasr.cs.ucla.edu/afanasyev/index.html>
  */
 
-#ifndef NDN_SECURITY_SEC_TPM_FILE_HPP
-#define NDN_SECURITY_SEC_TPM_FILE_HPP
+#ifndef NDN_SECURITY_V1_SEC_TPM_FILE_HPP
+#define NDN_SECURITY_V1_SEC_TPM_FILE_HPP
 
-#include "../common.hpp"
+#include "../../common.hpp"
 
 #include "sec-tpm.hpp"
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 class SecTpmFile : public SecTpm
 {
@@ -92,7 +93,7 @@
   virtual void
   deleteKeyPairInTpm(const Name& keyName);
 
-  virtual shared_ptr<v1::PublicKey>
+  virtual shared_ptr<PublicKey>
   getPublicKeyFromTpm(const Name&  keyName);
 
   virtual Block
@@ -144,10 +145,8 @@
   bool m_inTerminal;
 };
 
+} // namespace v1
 } // namespace security
-
-using security::SecTpmFile;
-
 } // namespace ndn
 
-#endif  // NDN_SECURITY_SEC_TPM_FILE_HPP
+#endif // NDN_SECURITY_V1_SEC_TPM_FILE_HPP
diff --git a/src/security/sec-tpm-osx.cpp b/src/security/v1/sec-tpm-osx.cpp
similarity index 98%
rename from src/security/sec-tpm-osx.cpp
rename to src/security/v1/sec-tpm-osx.cpp
index 671a6f1..f3c3029 100644
--- a/src/security/sec-tpm-osx.cpp
+++ b/src/security/v1/sec-tpm-osx.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -22,11 +22,11 @@
  */
 
 #include "sec-tpm-osx.hpp"
-#include "v1/public-key.hpp"
+#include "public-key.hpp"
 
-#include "../encoding/oid.hpp"
-#include "../encoding/buffer-stream.hpp"
-#include "v1/cryptopp.hpp"
+#include "../../encoding/oid.hpp"
+#include "../../encoding/buffer-stream.hpp"
+#include "cryptopp.hpp"
 
 #include <pwd.h>
 #include <unistd.h>
@@ -44,6 +44,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 using std::string;
 
@@ -499,7 +500,7 @@
   //   throw Error("Fail to create a symmetric key");
 }
 
-shared_ptr<v1::PublicKey>
+shared_ptr<PublicKey>
 SecTpmOsx::getPublicKeyFromTpm(const Name& keyName)
 {
   CFReleaser<SecKeychainItemRef> publicKey = m_impl->getKey(keyName, KeyClass::PUBLIC);
@@ -518,7 +519,7 @@
     BOOST_THROW_EXCEPTION(Error("Cannot export requested public key from OSX Keychain"));
   }
 
-  shared_ptr<v1::PublicKey> key = make_shared<v1::PublicKey>(CFDataGetBytePtr(exportedKey.get()),
+  shared_ptr<PublicKey> key = make_shared<PublicKey>(CFDataGetBytePtr(exportedKey.get()),
                                                              CFDataGetLength(exportedKey.get()));
   return key;
 }
@@ -541,7 +542,7 @@
                                 "in OSX Keychain"));
   }
 
-  shared_ptr<v1::PublicKey> publicKey = getPublicKeyFromTpm(keyName);
+  shared_ptr<PublicKey> publicKey = getPublicKeyFromTpm(keyName);
 
   CFReleaser<CFDataRef> exportedKey;
   OSStatus res = SecItemExport(privateKey.get(),
@@ -1139,5 +1140,6 @@
   }
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/sec-tpm-osx.hpp b/src/security/v1/sec-tpm-osx.hpp
similarity index 94%
rename from src/security/sec-tpm-osx.hpp
rename to src/security/v1/sec-tpm-osx.hpp
index 1713f06..7641514 100644
--- a/src/security/sec-tpm-osx.hpp
+++ b/src/security/v1/sec-tpm-osx.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -21,10 +21,10 @@
  * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
  */
 
-#ifndef NDN_SECURITY_SEC_TPM_OSX_HPP
-#define NDN_SECURITY_SEC_TPM_OSX_HPP
+#ifndef NDN_SECURITY_V1_SEC_TPM_OSX_HPP
+#define NDN_SECURITY_V1_SEC_TPM_OSX_HPP
 
-#include "../common.hpp"
+#include "../../common.hpp"
 
 #ifndef NDN_CXX_HAVE_OSX_SECURITY
 #error "This files should not be compiled ..."
@@ -34,6 +34,7 @@
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 class SecTpmOsx : public SecTpm
 {
@@ -161,10 +162,8 @@
   shared_ptr<Impl> m_impl;
 };
 
+} // namespace v1
 } // namespace security
-
-using security::SecTpmOsx;
-
 } // namespace ndn
 
-#endif // NDN_SECURITY_SEC_TPM_OSX_HPP
+#endif // NDN_SECURITY_V1_SEC_TPM_OSX_HPP
diff --git a/src/security/sec-tpm.cpp b/src/security/v1/sec-tpm.cpp
similarity index 98%
rename from src/security/sec-tpm.cpp
rename to src/security/v1/sec-tpm.cpp
index 2ce3d66..fae3b7e 100644
--- a/src/security/sec-tpm.cpp
+++ b/src/security/v1/sec-tpm.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -23,13 +23,14 @@
 
 #include "sec-tpm.hpp"
 
-#include "../encoding/oid.hpp"
-#include "../encoding/buffer-stream.hpp"
-#include "v1/cryptopp.hpp"
+#include "../../encoding/oid.hpp"
+#include "../../encoding/buffer-stream.hpp"
+#include "cryptopp.hpp"
 #include <unistd.h>
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 SecTpm::SecTpm(const std::string& location)
   : m_location(location)
@@ -381,5 +382,6 @@
   return isInitialized;
 }
 
+} // namespace v1
 } // namespace security
 } // namespace ndn
diff --git a/src/security/sec-tpm.hpp b/src/security/v1/sec-tpm.hpp
similarity index 93%
rename from src/security/sec-tpm.hpp
rename to src/security/v1/sec-tpm.hpp
index 3da278e..5acb0c3 100644
--- a/src/security/sec-tpm.hpp
+++ b/src/security/v1/sec-tpm.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -21,18 +21,19 @@
  * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
  */
 
-#ifndef NDN_SECURITY_SEC_TPM_HPP
-#define NDN_SECURITY_SEC_TPM_HPP
+#ifndef NDN_SECURITY_V1_SEC_TPM_HPP
+#define NDN_SECURITY_V1_SEC_TPM_HPP
 
-#include "../common.hpp"
-#include "security-common.hpp"
-#include "../name.hpp"
-#include "../data.hpp"
-#include "key-params.hpp"
-#include "v1/public-key.hpp"
+#include "../../common.hpp"
+#include "../security-common.hpp"
+#include "../../name.hpp"
+#include "../../data.hpp"
+#include "../key-params.hpp"
+#include "public-key.hpp"
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 /**
  * @brief SecTpm is the base class of the TPM classes.
@@ -301,10 +302,18 @@
   std::string m_location;
 };
 
+} // namespace v1
+
+#ifdef NDN_CXX_KEEP_SECURITY_V1_ALIASES
+using v1::SecTpm;
+#endif // NDN_CXX_KEEP_SECURITY_V1_ALIASES
+
 } // namespace security
 
-using security::SecTpm;
+#ifdef NDN_CXX_KEEP_SECURITY_V1_ALIASES
+using security::v1::SecTpm;
+#endif // NDN_CXX_KEEP_SECURITY_V1_ALIASES
 
 } // namespace ndn
 
-#endif // NDN_SECURITY_SEC_TPM_HPP
+#endif // NDN_SECURITY_V1_SEC_TPM_HPP
diff --git a/src/security/secured-bag.cpp b/src/security/v1/secured-bag.cpp
similarity index 87%
rename from src/security/secured-bag.cpp
rename to src/security/v1/secured-bag.cpp
index 66fad02..8fccbc6 100644
--- a/src/security/secured-bag.cpp
+++ b/src/security/v1/secured-bag.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -20,10 +20,12 @@
  */
 
 #include "secured-bag.hpp"
-#include "encoding/tlv-security.hpp"
-#include "util/concepts.hpp"
+#include "../../encoding/tlv-security.hpp"
+#include "../../util/concepts.hpp"
 
 namespace ndn {
+namespace security {
+namespace v1 {
 
 //BOOST_CONCEPT_ASSERT((boost::EqualityComparable<SecuredBag>));
 BOOST_CONCEPT_ASSERT((WireEncodable<SecuredBag>));
@@ -41,7 +43,7 @@
   this->wireDecode(wire);
 }
 
-SecuredBag::SecuredBag(const v1::IdentityCertificate& cert, ConstBufferPtr key)
+SecuredBag::SecuredBag(const IdentityCertificate& cert, ConstBufferPtr key)
   : m_cert(cert)
   , m_key(key)
   , m_wire(tlv::security::IdentityPackage)
@@ -76,4 +78,6 @@
   return m_wire;
 }
 
+} // namespace v1
+} // namespace security
 } // namespace ndn
diff --git a/src/security/secured-bag.hpp b/src/security/v1/secured-bag.hpp
similarity index 80%
rename from src/security/secured-bag.hpp
rename to src/security/v1/secured-bag.hpp
index 5dd27fc..fbfb151 100644
--- a/src/security/secured-bag.hpp
+++ b/src/security/v1/secured-bag.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -19,14 +19,15 @@
  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
  */
 
-#ifndef NDN_SECURITY_SECURED_BAG_HPP
-#define NDN_SECURITY_SECURED_BAG_HPP
+#ifndef NDN_SECURITY_V1_SECURED_BAG_HPP
+#define NDN_SECURITY_V1_SECURED_BAG_HPP
 
-#include "../common.hpp"
-#include "v1/identity-certificate.hpp"
+#include "../../common.hpp"
+#include "identity-certificate.hpp"
 
 namespace ndn {
 namespace security {
+namespace v1 {
 
 class SecuredBag
 {
@@ -46,7 +47,7 @@
   explicit
   SecuredBag(const Block& wire);
 
-  SecuredBag(const v1::IdentityCertificate& cert,
+  SecuredBag(const IdentityCertificate& cert,
              ConstBufferPtr key);
 
   virtual
@@ -58,7 +59,7 @@
   const Block&
   wireEncode() const;
 
-  const v1::IdentityCertificate&
+  const IdentityCertificate&
   getCertificate() const
   {
     return m_cert;
@@ -71,16 +72,14 @@
   }
 
 private:
-  v1::IdentityCertificate m_cert;
+  IdentityCertificate m_cert;
   ConstBufferPtr m_key;
 
   mutable Block m_wire;
 };
 
+} // namespace v1
 } // namespace security
-
-using security::SecuredBag;
-
 } // namespace ndn
 
-#endif // NDN_SECURITY_SECURED_BAG_HPP
+#endif // NDN_SECURITY_V1_SECURED_BAG_HPP
diff --git a/src/util/dummy-client-face.cpp b/src/util/dummy-client-face.cpp
index 14a7631..f84d997 100644
--- a/src/util/dummy-client-face.cpp
+++ b/src/util/dummy-client-face.cpp
@@ -86,13 +86,13 @@
 
 DummyClientFace::DummyClientFace(const Options& options/* = DummyClientFace::DEFAULT_OPTIONS*/)
   : Face(make_shared<DummyClientFace::Transport>())
-  , m_internalKeyChain(new KeyChain)
+  , m_internalKeyChain(new security::v1::KeyChain)
   , m_keyChain(*m_internalKeyChain)
 {
   this->construct(options);
 }
 
-DummyClientFace::DummyClientFace(KeyChain& keyChain,
+DummyClientFace::DummyClientFace(security::v1::KeyChain& keyChain,
                                  const Options& options/* = DummyClientFace::DEFAULT_OPTIONS*/)
   : Face(make_shared<DummyClientFace::Transport>(), keyChain)
   , m_keyChain(keyChain)
@@ -103,13 +103,13 @@
 DummyClientFace::DummyClientFace(boost::asio::io_service& ioService,
                                  const Options& options/* = DummyClientFace::DEFAULT_OPTIONS*/)
   : Face(make_shared<DummyClientFace::Transport>(), ioService)
-  , m_internalKeyChain(new KeyChain)
+  , m_internalKeyChain(new security::v1::KeyChain)
   , m_keyChain(*m_internalKeyChain)
 {
   this->construct(options);
 }
 
-DummyClientFace::DummyClientFace(boost::asio::io_service& ioService, KeyChain& keyChain,
+DummyClientFace::DummyClientFace(boost::asio::io_service& ioService, security::v1::KeyChain& keyChain,
                                  const Options& options/* = DummyClientFace::DEFAULT_OPTIONS*/)
   : Face(make_shared<DummyClientFace::Transport>(), ioService, keyChain)
   , m_keyChain(keyChain)
diff --git a/src/util/dummy-client-face.hpp b/src/util/dummy-client-face.hpp
index 630913c..cbf22f1 100644
--- a/src/util/dummy-client-face.hpp
+++ b/src/util/dummy-client-face.hpp
@@ -80,7 +80,7 @@
   /** \brief Create a dummy face with internal IO service and the specified KeyChain
    */
   explicit
-  DummyClientFace(KeyChain& keyChain, const Options& options = Options());
+  DummyClientFace(security::v1::KeyChain& keyChain, const Options& options = Options());
 
   /** \brief Create a dummy face with the provided IO service
    */
@@ -89,7 +89,7 @@
 
   /** \brief Create a dummy face with the provided IO service and the specified KeyChain
    */
-  DummyClientFace(boost::asio::io_service& ioService, KeyChain& keyChain,
+  DummyClientFace(boost::asio::io_service& ioService, security::v1::KeyChain& keyChain,
                   const Options& options = Options());
 
   /** \brief cause the Face to receive an interest
@@ -166,8 +166,8 @@
   Signal<DummyClientFace, lp::Nack> onSendNack;
 
 private:
-  std::unique_ptr<KeyChain> m_internalKeyChain;
-  KeyChain& m_keyChain;
+  std::unique_ptr<security::v1::KeyChain> m_internalKeyChain;
+  security::v1::KeyChain& m_keyChain;
   std::function<void(time::milliseconds)> m_processEventsOverride;
 };
 
diff --git a/src/util/notification-stream.hpp b/src/util/notification-stream.hpp
index 42d0e36..e9921c0 100644
--- a/src/util/notification-stream.hpp
+++ b/src/util/notification-stream.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /**
- * Copyright (c) 2013-2015 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -50,7 +50,7 @@
 
 #include "../name.hpp"
 #include "../face.hpp"
-#include "../security/key-chain.hpp"
+#include "../security/v1/key-chain.hpp"
 
 #include "concepts.hpp"