security: Add v2::Validator implementation

Based on the code originally written by Qiuhan Ding

Change-Id: Ib66e24f49d0b6fb2ae21ea1fca7b9ec62ecb753a
Refs: #3289, #1872
diff --git a/docs/index.rst b/docs/index.rst
index f73ad84..fae38ab 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -46,6 +46,7 @@
    + :doc:`specs/signed-interest`
    + :doc:`specs/certificate-format`
    + :doc:`specs/safe-bag`
+   + :doc:`specs/validation-error-code`
 
 - :doc:`manpages`
 
diff --git a/docs/specs.rst b/docs/specs.rst
index ca5810b..65803db 100644
--- a/docs/specs.rst
+++ b/docs/specs.rst
@@ -7,3 +7,4 @@
    specs/signed-interest
    specs/certificate-format
    specs/safe-bag
+   specs/validation-error-code
diff --git a/docs/specs/validation-error-code.rst b/docs/specs/validation-error-code.rst
new file mode 100644
index 0000000..4610cd4
--- /dev/null
+++ b/docs/specs/validation-error-code.rst
@@ -0,0 +1,33 @@
+Validation Error Code
+=====================
+
+The following table defines a list of known codes and their description, which can be returned from the :ndn-cxx:`v2::Validator` interface.
+Other error codes can be returned by validator implementations outside ndn-cxx codebase.
+
++------------+--------------------------+-----------------------------------------------------+
+| Error code | Short ID                 | Description                                         |
++============+==========================+=====================================================+
+| 0          | NO_ERROR                 | No error                                            |
++------------+--------------------------+-----------------------------------------------------+
+| 1          | INVALID_SIGNATURE        | Invalid signature                                   |
++------------+--------------------------+-----------------------------------------------------+
+| 2          | NO_SIGNATURE             | Missing signature                                   |
++------------+--------------------------+-----------------------------------------------------+
+| 3          | CANNOT_RETRIEVE_CERT     | Cannot retrieve certificate                         |
++------------+--------------------------+-----------------------------------------------------+
+| 4          | EXPIRED_CERT             | Certificate expired                                 |
++------------+--------------------------+-----------------------------------------------------+
+| 5          | LOOP_DETECTED            | Loop detected in certification chain                |
++------------+--------------------------+-----------------------------------------------------+
+| 6          | MALFORMED_CERT           | Malformed certificate                               |
++------------+--------------------------+-----------------------------------------------------+
+| 7          | EXCEEDED_DEPTH_LIMIT     | Exceeded validation depth limit                     |
++------------+--------------------------+-----------------------------------------------------+
+| 8          | INVALID_KEY_LOCATOR      | Key locator violates validation policy              |
++------------+--------------------------+-----------------------------------------------------+
+| ..         | ...                      | ...                                                 |
++------------+--------------------------+-----------------------------------------------------+
+| 255        | IMPLEMENTATION_ERROR     | Internal implementation error                       |
++------------+--------------------------+-----------------------------------------------------+
+
+Specialized validator implementations can use error codes >= 256 to indicate a specialized error.
diff --git a/docs/tutorials/security-library.rst b/docs/tutorials/security-library.rst
index 8ee8d40..1da1e61 100644
--- a/docs/tutorials/security-library.rst
+++ b/docs/tutorials/security-library.rst
@@ -132,7 +132,7 @@
 ~~~~~~~~~~~~~~~~~~~~
 
 One can call :ndn-cxx:`KeyChain::generateRsaKeyPair` to generate an RSA key pair or
-:ndn-cxx:`KeyChain::generateEcdsaKeyPair` to generate an ECDSA key.  Note that generated
+:ndn-cxx:`KeyChain::generateEcKeyPair` to generate an EC key.  Note that generated
 key pair is not set as the default key of the identity, so you need to set it manually by
 calling :ndn-cxx:`KeyChain::setDefaultKeyNameForIdentity`. There is also a helper method
 :ndn-cxx:`KeyChain::generateRsaKeyPairAsDefault`, which combines the two steps into one.
diff --git a/src/security/v2/certificate-cache.cpp b/src/security/v2/certificate-cache.cpp
index b3b745d..b9d15aa 100644
--- a/src/security/v2/certificate-cache.cpp
+++ b/src/security/v2/certificate-cache.cpp
@@ -59,28 +59,28 @@
 }
 
 const Certificate*
-CertificateCache::find(const Name& keyName)
+CertificateCache::find(const Name& certPrefix) const
 {
-  refresh();
-  if (keyName.size() > 0 && keyName[-1].isImplicitSha256Digest()) {
+  const_cast<CertificateCache*>(this)->refresh();
+  if (certPrefix.size() > 0 && certPrefix[-1].isImplicitSha256Digest()) {
     NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
   }
-  auto itr = m_certsByName.lower_bound(keyName);
-  if (itr == m_certsByName.end() || !keyName.isPrefixOf(itr->getCertName()))
+  auto itr = m_certsByName.lower_bound(certPrefix);
+  if (itr == m_certsByName.end() || !certPrefix.isPrefixOf(itr->getCertName()))
     return nullptr;
   return &itr->cert;
 }
 
 const Certificate*
-CertificateCache::find(const Interest& interest)
+CertificateCache::find(const Interest& interest) const
 {
   if (interest.getChildSelector() >= 0) {
-    NDN_LOG_DEBUG("Certificate search using ChildSelector is not supported, search as if selector not specified");
+    NDN_LOG_DEBUG("Certificate search using ChildSelector is not supported, searching as if selector not specified");
   }
   if (interest.getName().size() > 0 && interest.getName()[-1].isImplicitSha256Digest()) {
-    NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
+    NDN_LOG_INFO("Certificate search using name with implicit digest is not yet supported");
   }
-  refresh();
+  const_cast<CertificateCache*>(this)->refresh();
 
   for (auto i = m_certsByName.lower_bound(interest.getName());
        i != m_certsByName.end() && interest.getName().isPrefixOf(i->getCertName());
diff --git a/src/security/v2/certificate-cache.hpp b/src/security/v2/certificate-cache.hpp
index 4bf9f3c..f649776 100644
--- a/src/security/v2/certificate-cache.hpp
+++ b/src/security/v2/certificate-cache.hpp
@@ -64,13 +64,13 @@
 
   /**
    * @brief Get certificate given key name
-   * @param keyName  Key name for searching the certificate.
+   * @param certPrefix  Certificate prefix for searching the certificate.
    * @return The found certificate, nullptr if not found.
    *
    * @note The returned value may be invalidated after next call to one of find methods.
    */
   const Certificate*
-  find(const Name& keyName);
+  find(const Name& certPrefix) const;
 
   /**
    * @brief Find certificate given interest
@@ -82,7 +82,7 @@
    * @note The returned value may be invalidated after next call to one of find methods.
    */
   const Certificate*
-  find(const Interest& interest);
+  find(const Interest& interest) const;
 
 private:
   class Entry
diff --git a/src/security/v2/certificate-request.hpp b/src/security/v2/certificate-request.hpp
new file mode 100644
index 0000000..863d7c3
--- /dev/null
+++ b/src/security/v2/certificate-request.hpp
@@ -0,0 +1,60 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
+#define NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
+
+#include "../../interest.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Request for a certificate, associated with the number of attempts
+ */
+class CertificateRequest : noncopyable
+{
+public:
+  CertificateRequest()
+    : m_nRetriesLeft(0)
+  {
+  }
+
+  explicit
+  CertificateRequest(const Interest& interest, uint64_t requesterFaceId = 0)
+    : m_interest(interest)
+    , m_nRetriesLeft(3)
+  {
+  }
+
+public:
+  /// @brief the name for the requested data/certificate.
+  Interest m_interest;
+  /// @brief the number of remaining retries after time out or NACK
+  int m_nRetriesLeft;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
diff --git a/src/security/v2/key-chain.cpp b/src/security/v2/key-chain.cpp
index 850ad58..47cb75d 100644
--- a/src/security/v2/key-chain.cpp
+++ b/src/security/v2/key-chain.cpp
@@ -681,6 +681,8 @@
 
   sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm()));
   sigInfo.setKeyLocator(KeyLocator(key.getName()));
+
+  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
   return std::make_tuple(key.getName(), sigInfo);
 }
 
diff --git a/src/security/v2/key-chain.hpp b/src/security/v2/key-chain.hpp
index 0e8402e..7cb71f2 100644
--- a/src/security/v2/key-chain.hpp
+++ b/src/security/v2/key-chain.hpp
@@ -22,6 +22,7 @@
 #ifndef NDN_SECURITY_V2_KEY_CHAIN_HPP
 #define NDN_SECURITY_V2_KEY_CHAIN_HPP
 
+#include "../security-common.hpp"
 #include "certificate.hpp"
 #include "../key-params.hpp"
 #include "../pib/pib.hpp"
diff --git a/src/security/v2/validation-callback.hpp b/src/security/v2/validation-callback.hpp
new file mode 100644
index 0000000..7ef4564
--- /dev/null
+++ b/src/security/v2/validation-callback.hpp
@@ -0,0 +1,58 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
+#define NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
+
+#include "../../interest.hpp"
+#include "../../data.hpp"
+#include "../security-common.hpp"
+#include "validation-error.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Callback to report a successful Data validation.
+ */
+typedef function<void(const Data& data)> DataValidationSuccessCallback;
+
+/**
+ * @brief Callback to report a failed Data validation.
+ */
+typedef function<void(const Data& data, const ValidationError& error)> DataValidationFailureCallback;
+
+/**
+ * @brief Callback to report a successful Interest validation.
+ */
+typedef function<void(const Interest& interest)> InterestValidationSuccessCallback;
+
+/**
+ * @brief Callback to report a failed Interest validation.
+ */
+typedef function<void(const Interest& interest, const ValidationError& error)> InterestValidationFailureCallback;
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
diff --git a/src/security/v2/validation-error.cpp b/src/security/v2/validation-error.cpp
new file mode 100644
index 0000000..5868a6d
--- /dev/null
+++ b/src/security/v2/validation-error.cpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-error.hpp"
+
+#include <ostream>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+std::ostream&
+operator<<(std::ostream& os, ValidationError::Code code)
+{
+  switch (code) {
+    case ValidationError::Code::NO_ERROR:
+      return os << "No error";
+    case ValidationError::Code::INVALID_SIGNATURE:
+      return os << "Invalid signature";
+    case ValidationError::Code::NO_SIGNATURE:
+      return os << "Missing signature";
+    case ValidationError::Code::CANNOT_RETRIEVE_CERT:
+      return os << "Cannot retrieve certificate";
+    case ValidationError::Code::EXPIRED_CERT:
+      return os << "Certificate expired";
+    case ValidationError::Code::LOOP_DETECTED:
+      return os << "Loop detected in certification chain";
+    case ValidationError::Code::MALFORMED_CERT:
+      return os << "Malformed certificate";
+    case ValidationError::Code::EXCEEDED_DEPTH_LIMIT:
+      return os << "Exceeded validation depth limit";
+    case ValidationError::Code::INVALID_KEY_LOCATOR:
+      return os << "Key locator violates validation policy";
+    case ValidationError::Code::POLICY_ERROR:
+      return os << "Validation policy error";
+    case ValidationError::Code::IMPLEMENTATION_ERROR:
+      return os << "Internal implementation error";
+    case ValidationError::Code::USER_MIN:
+      break;
+  }
+  if (code >= ValidationError::Code::USER_MIN) {
+    return os << "Custom error code " << static_cast<uint32_t>(code);
+  }
+  else {
+    return os << "Unrecognized error code " << static_cast<uint32_t>(code);
+  }
+}
+
+std::ostream&
+operator<<(std::ostream& os, const ValidationError& error)
+{
+  os << static_cast<ValidationError::Code>(error.getCode());
+  if (!error.getInfo().empty()) {
+    os << " (" << error.getInfo() << ")";
+  }
+  return os;
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-error.hpp b/src/security/v2/validation-error.hpp
new file mode 100644
index 0000000..e737e87
--- /dev/null
+++ b/src/security/v2/validation-error.hpp
@@ -0,0 +1,93 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_ERROR_HPP
+#define NDN_SECURITY_V2_VALIDATION_ERROR_HPP
+
+#include "../../common.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Validation error code and optional detailed error message
+ */
+class ValidationError
+{
+public:
+  /**
+   * @brief Known validation error code
+   * @sa specs/validation-error-code.rst
+   */
+  enum Code : uint32_t {
+    NO_ERROR             = 0,
+    INVALID_SIGNATURE    = 1,
+    NO_SIGNATURE         = 2,
+    CANNOT_RETRIEVE_CERT = 3,
+    EXPIRED_CERT         = 4,
+    LOOP_DETECTED        = 5,
+    MALFORMED_CERT       = 6,
+    EXCEEDED_DEPTH_LIMIT = 7,
+    INVALID_KEY_LOCATOR  = 8,
+    POLICY_ERROR         = 9,
+    IMPLEMENTATION_ERROR = 255,
+    USER_MIN             = 256 // custom error codes should use >=256
+  };
+
+public:
+  /**
+   * @brief Validation error, implicitly convertible from an error code and info
+   */
+  ValidationError(uint32_t code,  const std::string& info = "")
+    : m_code(code)
+    , m_info(info)
+  {
+  }
+
+  uint32_t
+  getCode() const
+  {
+    return m_code;
+  }
+
+  const std::string&
+  getInfo() const
+  {
+    return m_info;
+  }
+
+private:
+  uint32_t m_code;
+  std::string m_info;
+};
+
+std::ostream&
+operator<<(std::ostream& os, ValidationError::Code code);
+
+std::ostream&
+operator<<(std::ostream& os, const ValidationError& error);
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_ERROR_HPP
diff --git a/src/security/v2/validation-policy-accept-all.hpp b/src/security/v2/validation-policy-accept-all.hpp
new file mode 100644
index 0000000..0d955db
--- /dev/null
+++ b/src/security/v2/validation-policy-accept-all.hpp
@@ -0,0 +1,56 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
+
+#include "validation-policy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief A validator policy that accepts any signature of data and interest packets
+ */
+class ValidationPolicyAcceptAll : public ValidationPolicy
+{
+public:
+  void
+  checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) final
+  {
+    continueValidation(nullptr, state);
+  }
+
+  void
+  checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) final
+  {
+    continueValidation(nullptr, state);
+  }
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
diff --git a/src/security/v2/validation-policy-simple-hierarchy.cpp b/src/security/v2/validation-policy-simple-hierarchy.cpp
new file mode 100644
index 0000000..ee1ad94
--- /dev/null
+++ b/src/security/v2/validation-policy-simple-hierarchy.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-policy-simple-hierarchy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+void
+ValidationPolicySimpleHierarchy::checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+                                             const ValidationContinuation& continueValidation)
+{
+  if (!data.getSignature().hasKeyLocator()) {
+    return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Required key locator is missing"});
+  }
+  const KeyLocator& locator = data.getSignature().getKeyLocator();
+  if (locator.getType() != KeyLocator::KeyLocator_Name) {
+    return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Key locator not Name"});
+  }
+  if (locator.getName().getPrefix(-2).isPrefixOf(data.getName())) {
+    continueValidation(make_shared<CertificateRequest>(Interest(locator.getName())), state);
+  }
+  else {
+    state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Data signing policy violation for " +
+                 data.getName().toUri() + " by " + locator.getName().toUri()});
+  }
+}
+
+void
+ValidationPolicySimpleHierarchy::checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+                                             const ValidationContinuation& continueValidation)
+{
+  SignatureInfo info;
+  try {
+    info.wireDecode(interest.getName().at(signed_interest::POS_SIG_INFO).blockFromValue());
+  }
+  catch (const tlv::Error& e) {
+    return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Invalid signed interest (" +
+                        std::string(e.what()) + ")"});
+  }
+  if (!info.hasKeyLocator()) {
+    return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Required key locator is missing"});
+  }
+  const KeyLocator& locator = info.getKeyLocator();
+  if (locator.getType() != KeyLocator::KeyLocator_Name) {
+    return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Key locator not Name"});
+  }
+  if (locator.getName().getPrefix(-2).isPrefixOf(interest.getName())) {
+    continueValidation(make_shared<CertificateRequest>(Interest(locator.getName())), state);
+  }
+  else {
+    state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Interest signing policy violation for " +
+                 interest.getName().toUri() + " by " + locator.getName().toUri()});
+  }
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-policy-simple-hierarchy.hpp b/src/security/v2/validation-policy-simple-hierarchy.hpp
new file mode 100644
index 0000000..ac08c8a
--- /dev/null
+++ b/src/security/v2/validation-policy-simple-hierarchy.hpp
@@ -0,0 +1,50 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
+
+#include "validation-policy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Validation policy for a simple hierarchical trust model
+ */
+class ValidationPolicySimpleHierarchy : public ValidationPolicy
+{
+public:
+  void
+  checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) override;
+
+  void
+  checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) override;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
diff --git a/src/security/v2/validation-policy.hpp b/src/security/v2/validation-policy.hpp
new file mode 100644
index 0000000..7d85803
--- /dev/null
+++ b/src/security/v2/validation-policy.hpp
@@ -0,0 +1,110 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_HPP
+
+#include "validation-state.hpp"
+#include "certificate-request.hpp"
+#include "../../data.hpp"
+#include "../../interest.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Abstraction that implements validation policy for Data and Interest packets
+ */
+class ValidationPolicy : noncopyable
+{
+public:
+  using ValidationContinuation = std::function<void(const shared_ptr<CertificateRequest>& certRequest,
+                                                    const shared_ptr<ValidationState>& state)>;
+
+  virtual
+  ~ValidationPolicy() = default;
+
+  /**
+   * @brief Check @p data against the policy
+   *
+   * Depending on implementation of the policy, this check can be done synchronously or
+   * asynchronously.
+   *
+   * Semantics of checkPolicy has changed from v1::Validator
+   * - If packet violates policy, the policy should call `state->fail` with appropriate error
+   *   code and error description.
+   * - If packet conforms to the policy and no further key retrievals are necessary,
+   *   the policy should call continueValidation(state, nullptr)
+   * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+   *   continueValidation(state, <appropriate-key-request-instance>)
+   */
+  virtual void
+  checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) = 0;
+
+  /**
+   * @brief Check @p interest against the policy
+   *
+   * Depending on implementation of the policy, this check can be done synchronously or
+   * asynchronously.
+   *
+   * Semantics of checkPolicy has changed from v1::Validator
+   * - If packet violates policy, the policy should call `state->fail` with appropriate error
+   *   code and error description.
+   * - If packet conforms to the policy and no further key retrievals are necessary,
+   *   the policy should call continueValidation(state, nullptr)
+   * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+   *   continueValidation(state, <appropriate-key-request-instance>)
+   */
+  virtual void
+  checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) = 0;
+
+  /**
+   * @brief Check @p certificate against the policy
+   *
+   * Unless overridden by the policy, this check defaults to `checkPolicy(const Data&, ...)`.
+   *
+   * Depending on implementation of the policy, this check can be done synchronously or
+   * asynchronously.
+   *
+   * Semantics of checkPolicy has changed from v1::Validator
+   * - If packet violates policy, the policy should call `state->fail` with appropriate error
+   *   code and error description.
+   * - If packet conforms to the policy and no further key retrievals are necessary,
+   *   the policy should call continueValidation(state, nullptr)
+   * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+   *   continueValidation(state, <appropriate-key-request-instance>)
+   */
+  virtual void
+  checkPolicy(const Certificate& certificate, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation)
+  {
+    checkPolicy(static_cast<const Data&>(certificate), state, continueValidation);
+  }
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_HPP
diff --git a/src/security/v2/validation-state.cpp b/src/security/v2/validation-state.cpp
new file mode 100644
index 0000000..269ef2d
--- /dev/null
+++ b/src/security/v2/validation-state.cpp
@@ -0,0 +1,208 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-state.hpp"
+#include "validator.hpp"
+#include "../verification-helpers.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.ValidationState);
+
+#define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(this->getDepth() + 1, '>') << " " << x)
+#define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(this->getDepth() + 1, '>') << " " << x)
+
+ValidationState::ValidationState()
+  : m_hasOutcome(false)
+{
+}
+
+ValidationState::~ValidationState()
+{
+  NDN_LOG_TRACE(__func__);
+  BOOST_ASSERT(m_hasOutcome);
+}
+
+size_t
+ValidationState::getDepth() const
+{
+  return m_certificateChain.size();
+}
+
+bool
+ValidationState::hasSeenCertificateName(const Name& certName)
+{
+  return !m_seenCertificateNames.insert(certName).second;
+}
+
+void
+ValidationState::addCertificate(const Certificate& cert)
+{
+  m_certificateChain.push_front(cert);
+}
+
+const Certificate*
+ValidationState::verifyCertificateChain(const Certificate& trustedCert)
+{
+  const Certificate* validatedCert = &trustedCert;
+  for (auto it = m_certificateChain.begin(); it != m_certificateChain.end(); ++it) {
+    const auto& certToValidate = *it;
+
+    if (!verifySignature(certToValidate, *validatedCert)) {
+      this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of certificate `" +
+                  certToValidate.getName().toUri() + "`"});
+      m_certificateChain.erase(it, m_certificateChain.end());
+      return nullptr;
+    }
+    else {
+      NDN_LOG_TRACE_DEPTH("OK signature for certificate `" << certToValidate.getName() << "`");
+      validatedCert = &certToValidate;
+    }
+  }
+  return validatedCert;
+}
+
+/////// DataValidationState
+
+DataValidationState::DataValidationState(const Data& data,
+                                         const DataValidationSuccessCallback& successCb,
+                                         const DataValidationFailureCallback& failureCb)
+  : m_data(data)
+  , m_successCb(successCb)
+  , m_failureCb(failureCb)
+{
+  BOOST_ASSERT(m_successCb != nullptr);
+  BOOST_ASSERT(m_failureCb != nullptr);
+}
+
+DataValidationState::~DataValidationState()
+{
+  if (!m_hasOutcome) {
+    this->fail({ValidationError::Code::IMPLEMENTATION_ERROR,
+                "Validator/policy did not invoke success or failure callback"});
+  }
+}
+
+void
+DataValidationState::verifyOriginalPacket(const Certificate& trustedCert)
+{
+  if (verifySignature(m_data, trustedCert)) {
+    NDN_LOG_TRACE_DEPTH("OK signature for data `" << m_data.getName() << "`");
+    m_successCb(m_data);
+    BOOST_ASSERT(!m_hasOutcome);
+    m_hasOutcome = true;
+  }
+  else {
+    this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of data `" +
+                m_data.getName().toUri() + "`"});
+  }
+}
+
+void
+DataValidationState::bypassValidation()
+{
+  NDN_LOG_TRACE_DEPTH("Signature verification bypassed for data `" << m_data.getName() << "`");
+  m_successCb(m_data);
+  BOOST_ASSERT(!m_hasOutcome);
+  m_hasOutcome = true;
+}
+
+void
+DataValidationState::fail(const ValidationError& error)
+{
+  NDN_LOG_DEBUG_DEPTH(error);
+  m_failureCb(m_data, error);
+  BOOST_ASSERT(!m_hasOutcome);
+  m_hasOutcome = true;
+}
+
+const Data&
+DataValidationState::getOriginalData() const
+{
+  return m_data;
+}
+
+/////// InterestValidationState
+
+InterestValidationState::InterestValidationState(const Interest& interest,
+                                                 const InterestValidationSuccessCallback& successCb,
+                                                 const InterestValidationFailureCallback& failureCb)
+  : m_interest(interest)
+  , m_successCb(successCb)
+  , m_failureCb(failureCb)
+{
+  BOOST_ASSERT(m_successCb != nullptr);
+  BOOST_ASSERT(m_failureCb != nullptr);
+}
+
+InterestValidationState::~InterestValidationState()
+{
+  if (!m_hasOutcome) {
+    this->fail({ValidationError::Code::IMPLEMENTATION_ERROR,
+                "Validator/policy did not invoke success or failure callback"});
+  }
+}
+
+void
+InterestValidationState::verifyOriginalPacket(const Certificate& trustedCert)
+{
+  if (verifySignature(m_interest, trustedCert)) {
+    NDN_LOG_TRACE_DEPTH("OK signature for interest `" << m_interest.getName() << "`");
+    m_successCb(m_interest);
+    BOOST_ASSERT(!m_hasOutcome);
+    m_hasOutcome = true;
+  }
+  else {
+    this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of interest `" +
+                m_interest.getName().toUri() + "`"});
+  }
+}
+
+void
+InterestValidationState::bypassValidation()
+{
+  NDN_LOG_TRACE_DEPTH("Signature verification bypassed for interest `" << m_interest.getName() << "`");
+  m_successCb(m_interest);
+  BOOST_ASSERT(!m_hasOutcome);
+  m_hasOutcome = true;
+}
+
+void
+InterestValidationState::fail(const ValidationError& error)
+{
+  NDN_LOG_DEBUG_DEPTH(error);
+  m_failureCb(m_interest, error);
+  BOOST_ASSERT(!m_hasOutcome);
+  m_hasOutcome = true;
+}
+
+const Interest&
+InterestValidationState::getOriginalInterest() const
+{
+  return m_interest;
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-state.hpp b/src/security/v2/validation-state.hpp
new file mode 100644
index 0000000..2181fae
--- /dev/null
+++ b/src/security/v2/validation-state.hpp
@@ -0,0 +1,243 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_STATE_HPP
+#define NDN_SECURITY_V2_VALIDATION_STATE_HPP
+
+#include "../../tag-host.hpp"
+#include "validation-callback.hpp"
+#include "certificate.hpp"
+
+#include <unordered_set>
+#include <list>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+class Validator;
+
+/**
+ * @brief Validation state
+ *
+ * One instance of the validation state is kept for the validation of the whole certificate
+ * chain.
+ *
+ * The state collects the certificate chain that adheres to the selected validation policy to
+ * validate data or interest packets.  Certificate, data, and interest packet signatures are
+ * verified only after the validator determines that the chain terminates with a trusted
+ * certificate (a trusted anchor or a previously validated certificate).  This model allows
+ * filtering out invalid certificate chains without incurring (costly) cryptographic signature
+ * verification overhead and mitigates some forms of denial-of-service attacks.
+ *
+ * Validation policy and/or key fetcher may add custom information associated with the
+ * validation state using tags (@sa TagHost)
+ *
+ * @sa DataValidationState, InterestValidationState
+ */
+class ValidationState : public TagHost, noncopyable
+{
+public:
+  /**
+   * @brief Create validation state
+   */
+  ValidationState();
+
+  virtual
+  ~ValidationState();
+
+  /**
+   * @brief Call the failure callback
+   */
+  virtual void
+  fail(const ValidationError& error) = 0;
+
+  /**
+   * @return Depth of certificate chain
+   */
+  size_t
+  getDepth() const;
+
+  /**
+   * @brief Check if @p certName has been previously seen and record the supplied name
+   */
+  bool
+  hasSeenCertificateName(const Name& certName);
+
+  /**
+   * @brief Add @p cert to the top of the certificate chain
+   *
+   * If m_certificateChain is empty, @p cert should be the signer of the original
+   * packet.  If m_certificateChain is not empty, @p cert should be the signer of
+   * m_certificateChain.front().
+   *
+   * @post m_certificateChain.front() == cert
+   * @note This function does not verify the signature bits.
+   */
+  void
+  addCertificate(const Certificate& cert);
+
+private: // Interface intended to be used only by Validator class
+  /**
+   * @brief Verify signature of the original packet
+   *
+   * @param trustCert The certificate that signs the original packet
+   */
+  virtual void
+  verifyOriginalPacket(const Certificate& trustedCert) = 0;
+
+  /**
+   * @brief Call success callback of the original packet without signature validation
+   */
+  virtual void
+  bypassValidation() = 0;
+
+  /**
+   * @brief Verify signatures of certificates in the certificate chain
+   *
+   * When certificate chain cannot be verified, this method will call this->fail() with
+   * INVALID_SIGNATURE error code and the appropriate diagnostic message.
+   *
+   * @retval nullptr Signatures of at least one certificate in the chain is invalid.  All unverified
+   *                 certificates have been removed from m_certificateChain.
+   * @retval Certificate to validate original data packet, either m_certificateChain.back() or
+   *         trustedCert if the certificate chain is empty.
+   *
+   * @post m_certificateChain includes a list of certificates successfully verified by
+   *       @p trustedCert.
+   */
+  const Certificate*
+  verifyCertificateChain(const Certificate& trustedCert);
+
+protected:
+  bool m_hasOutcome;
+
+private:
+  std::unordered_set<Name> m_seenCertificateNames;
+
+  /**
+   * @brief the certificate chain
+   *
+   * Each certificate in the chain signs the next certificate.  The last certificate signs the
+   * original packet.
+   */
+  std::list<v2::Certificate> m_certificateChain;
+
+  friend class Validator;
+};
+
+/**
+ * @brief Validation state for a data packet
+ */
+class DataValidationState final : public ValidationState
+{
+public:
+  /**
+   * @brief Create validation state for @p data
+   *
+   * The caller must ensure that state instance is valid until validation finishes (i.e., until
+   * after validateCertificateChain() and validateOriginalPacket() are called)
+   */
+  DataValidationState(const Data& data,
+                      const DataValidationSuccessCallback& successCb,
+                      const DataValidationFailureCallback& failureCb);
+
+  /**
+   * @brief Destructor
+   *
+   * If neither success callback nor failure callback was called, the destructor will call
+   * failure callback with IMPLEMENTATION_ERROR error code.
+   */
+  ~DataValidationState() final;
+
+  void
+  fail(const ValidationError& error) final;
+
+  /**
+   * @return Original data being validated
+   */
+  const Data&
+  getOriginalData() const;
+
+private:
+  void
+  verifyOriginalPacket(const Certificate& trustedCert) final;
+
+  void
+  bypassValidation() final;
+
+private:
+  Data m_data;
+  DataValidationSuccessCallback m_successCb;
+  DataValidationFailureCallback m_failureCb;
+};
+
+/**
+ * @brief Validation state for an interest packet
+ */
+class InterestValidationState final : public ValidationState
+{
+public:
+  /**
+   * @brief Create validation state for @p interest
+   *
+   * The caller must ensure that state instance is valid until validation finishes (i.e., until
+   * after validateCertificateChain() and validateOriginalPacket() are called)
+   */
+  InterestValidationState(const Interest& interest,
+                          const InterestValidationSuccessCallback& successCb,
+                          const InterestValidationFailureCallback& failureCb);
+
+  /**
+   * @brief Destructor
+   *
+   * If neither success callback nor failure callback was called, the destructor will call
+   * failure callback with IMPLEMENTATION_ERROR error code.
+   */
+  ~InterestValidationState() final;
+
+  void
+  fail(const ValidationError& error) final;
+
+  /**
+   * @return Original interest being validated
+   */
+  const Interest&
+  getOriginalInterest() const;
+
+private:
+  void
+  verifyOriginalPacket(const Certificate& trustedCert) final;
+
+  void
+  bypassValidation() final;
+
+private:
+  Interest m_interest;
+  InterestValidationSuccessCallback m_successCb;
+  InterestValidationFailureCallback m_failureCb;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_STATE_HPP
diff --git a/src/security/v2/validator.cpp b/src/security/v2/validator.cpp
new file mode 100644
index 0000000..b18fc75
--- /dev/null
+++ b/src/security/v2/validator.cpp
@@ -0,0 +1,320 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validator.hpp"
+
+#include "face.hpp"
+#include "security/transform/public-key.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.Validator);
+
+#define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(state->getDepth() + 1, '>') << " " << x)
+#define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(state->getDepth() + 1, '>') << " " << x)
+
+Validator::Validator(unique_ptr<ValidationPolicy> policy, Face* face)
+  : m_policy(std::move(policy))
+  , m_face(face)
+  , m_verifiedCertificateCache(time::hours(1))
+  , m_unverifiedCertificateCache(time::minutes(5))
+  , m_maxDepth(25)
+{
+}
+
+Validator::~Validator() = default;
+
+void
+Validator::setMaxDepth(size_t depth)
+{
+  m_maxDepth = depth;
+}
+
+size_t
+Validator::getMaxDepth() const
+{
+  return m_maxDepth;
+}
+
+void
+Validator::validate(const Data& data,
+                    const DataValidationSuccessCallback& successCb,
+                    const DataValidationFailureCallback& failureCb)
+{
+  auto state = make_shared<DataValidationState>(data, successCb, failureCb);
+  NDN_LOG_DEBUG_DEPTH("Start validating data " << data.getName());
+
+  m_policy->checkPolicy(data, state,
+      [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+      if (certRequest == nullptr) {
+        state->bypassValidation();
+      }
+      else {
+        // need to fetch key and validate it
+        requestCertificate(certRequest, state);
+      }
+    });
+}
+
+void
+Validator::validate(const Interest& interest,
+                    const InterestValidationSuccessCallback& successCb,
+                    const InterestValidationFailureCallback& failureCb)
+{
+  auto state = make_shared<InterestValidationState>(interest, successCb, failureCb);
+  NDN_LOG_DEBUG_DEPTH("Start validating interest " << interest.getName());
+
+  m_policy->checkPolicy(interest, state,
+      [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+      if (certRequest == nullptr) {
+        state->bypassValidation();
+      }
+      else {
+        // need to fetch key and validate it
+        requestCertificate(certRequest, state);
+      }
+    });
+}
+
+void
+Validator::validate(const Certificate& cert, const shared_ptr<ValidationState>& state)
+{
+  NDN_LOG_DEBUG_DEPTH("Start validating certificate " << cert.getName());
+  m_policy->checkPolicy(cert, state,
+      [this, cert] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+      if (certRequest == nullptr) {
+        state->fail({ValidationError::POLICY_ERROR, "Validation policy is not allowed to designate `" +
+                     cert.getName().toUri() + "` as a trust anchor"});
+      }
+      else {
+        // need to fetch key and validate it
+        state->addCertificate(cert);
+        requestCertificate(certRequest, state);
+      }
+    });
+}
+
+const Certificate*
+Validator::findTrustedCert(const Interest& interestForCertificate, const shared_ptr<ValidationState>& state)
+{
+  auto anchor = m_trustAnchors.find(interestForCertificate);
+  if (anchor != nullptr) {
+    NDN_LOG_TRACE_DEPTH("Found certificate in anchor cache " << anchor->getName());
+    return anchor;
+  }
+
+  auto key = m_verifiedCertificateCache.find(interestForCertificate);
+  if (key != nullptr) {
+    NDN_LOG_TRACE_DEPTH("Found certificate in verified key cache " << key->getName());
+    return key;
+  }
+  return nullptr;
+}
+
+void
+Validator::requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
+                              const shared_ptr<ValidationState>& state)
+{
+  // TODO configurable check for the maximum number of steps
+  if (state->getDepth() >= m_maxDepth) {
+    state->fail({ValidationError::Code::EXCEEDED_DEPTH_LIMIT,
+                 "Exceeded validation depth limit (" + to_string(m_maxDepth) + ")"});
+    return;
+  }
+
+  NDN_LOG_DEBUG_DEPTH("Retrieving " << certRequest->m_interest.getName());
+
+  // Check the trusted cache
+  auto cert = findTrustedCert(certRequest->m_interest, state);
+  if (cert != nullptr) {
+    cert = state->verifyCertificateChain(*cert);
+    if (cert != nullptr) {
+      state->verifyOriginalPacket(*cert);
+    }
+    for (auto trustedCert = std::make_move_iterator(state->m_certificateChain.begin());
+         trustedCert != std::make_move_iterator(state->m_certificateChain.end());
+         ++trustedCert) {
+      cacheVerifiedCertificate(*trustedCert);
+    }
+    return;
+  }
+
+  if (state->hasSeenCertificateName(certRequest->m_interest.getName())) {
+    state->fail({ValidationError::Code::LOOP_DETECTED,
+                 "Loop detected at " + certRequest->m_interest.getName().toUri()});
+    return;
+  }
+
+  // Check untrusted cache
+  cert = m_unverifiedCertificateCache.find(certRequest->m_interest);
+  if (cert != nullptr) {
+    NDN_LOG_DEBUG_DEPTH("Found certificate in **un**verified key cache " << cert->getName());
+    return dataCallback(*cert, certRequest, state, false); // to avoid caching the cached key
+  }
+
+  // Attempt to retrieve certificate from the network
+  fetchCertificateFromNetwork(certRequest, state);
+}
+
+void
+Validator::fetchCertificateFromNetwork(const shared_ptr<CertificateRequest>& certRequest,
+                                       const shared_ptr<ValidationState>& state)
+{
+  if (m_face == nullptr) {
+    state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate in offline mode "
+                 "`" + certRequest->m_interest.getName().toUri() + "`"});
+    return;
+  }
+
+  m_face->expressInterest(certRequest->m_interest,
+                          [=] (const Interest& interest, const Data& data) {
+                            dataCallback(data, certRequest, state);
+                          },
+                          [=] (const Interest& interest, const lp::Nack& nack) {
+                            nackCallback(nack, certRequest, state);
+                          },
+                          [=] (const Interest& interest) {
+                            timeoutCallback(certRequest, state);
+                          });
+}
+
+void
+Validator::dataCallback(const Data& data,
+                        const shared_ptr<CertificateRequest>& certRequest,
+                        const shared_ptr<ValidationState>& state,
+                        bool isFromNetwork)
+{
+  NDN_LOG_DEBUG_DEPTH("Retrieved certificate " << (isFromNetwork ? "from network " : "from cache ") << data.getName());
+
+  Certificate cert;
+  try {
+    cert = Certificate(data);
+  }
+  catch (const tlv::Error& e) {
+    return state->fail({ValidationError::Code::MALFORMED_CERT, "Retrieved a malformed certificate "
+                        "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+  }
+
+  if (!cert.isValid()) {
+    return state->fail({ValidationError::Code::EXPIRED_CERT, "Retrieved certificate is not yet "
+                        "valid or has expired `" + cert.getName().toUri() + "`"});
+  }
+  if (isFromNetwork) {
+    cacheUnverifiedCertificate(Certificate(cert));
+  }
+  return validate(cert, state); // recursion step
+}
+
+void
+Validator::nackCallback(const lp::Nack& nack, const shared_ptr<CertificateRequest>& certRequest,
+                        const shared_ptr<ValidationState>& state)
+{
+  NDN_LOG_DEBUG_DEPTH("NACK (" << nack.getReason() <<  ") while retrieving certificate "
+                      << certRequest->m_interest.getName());
+
+  --certRequest->m_nRetriesLeft;
+  if (certRequest->m_nRetriesLeft > 0) {
+    // TODO implement delay for the the next fetch
+    fetchCertificateFromNetwork(certRequest, state);
+  }
+  else {
+    state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+                 "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+  }
+}
+
+void
+Validator::timeoutCallback(const shared_ptr<CertificateRequest>& certRequest,
+                           const shared_ptr<ValidationState>& state)
+{
+  NDN_LOG_DEBUG_DEPTH("Timeout while retrieving certificate "
+                      << certRequest->m_interest.getName() << ", retrying");
+
+  --certRequest->m_nRetriesLeft;
+  if (certRequest->m_nRetriesLeft > 0) {
+    fetchCertificateFromNetwork(certRequest, state);
+  }
+  else {
+    state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+                 "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+  }
+}
+
+////////////////////////////////////////////////////////////////////////
+// Trust anchor management
+////////////////////////////////////////////////////////////////////////
+
+void
+Validator::loadAnchor(const std::string& groupId, Certificate&& cert)
+{
+  m_trustAnchors.insert(groupId, std::move(cert));
+}
+
+void
+Validator::loadAnchor(const std::string& groupId, const std::string& certfilePath,
+                      time::nanoseconds refreshPeriod, bool isDir)
+{
+  m_trustAnchors.insert(groupId, certfilePath, refreshPeriod, isDir);
+}
+
+void
+Validator::cacheVerifiedCertificate(Certificate&& cert)
+{
+  m_verifiedCertificateCache.insert(std::move(cert));
+}
+
+void
+Validator::cacheUnverifiedCertificate(Certificate&& cert)
+{
+  m_unverifiedCertificateCache.insert(std::move(cert));
+}
+
+const TrustAnchorContainer&
+Validator::getTrustAnchors() const
+{
+  return m_trustAnchors;
+}
+
+const CertificateCache&
+Validator::getVerifiedCertificateCache() const
+{
+  return m_verifiedCertificateCache;
+}
+
+const CertificateCache&
+Validator::getUnverifiedCertificateCache() const
+{
+  return m_unverifiedCertificateCache;
+}
+
+bool
+Validator::isCertificateCached(const Name& certName) const
+{
+  return (getVerifiedCertificateCache().find(certName) != nullptr ||
+          getVerifiedCertificateCache().find(certName) != nullptr);
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validator.hpp b/src/security/v2/validator.hpp
new file mode 100644
index 0000000..c17ce82
--- /dev/null
+++ b/src/security/v2/validator.hpp
@@ -0,0 +1,276 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATOR_HPP
+#define NDN_SECURITY_V2_VALIDATOR_HPP
+
+#include "certificate.hpp"
+#include "certificate-cache.hpp"
+#include "certificate-request.hpp"
+#include "trust-anchor-container.hpp"
+#include "validation-callback.hpp"
+#include "validation-policy.hpp"
+#include "validation-state.hpp"
+
+namespace ndn {
+
+class Face;
+
+namespace lp {
+class Nack;
+} // namespace lp
+
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Interface for validating data and interest packets.
+ *
+ * Every time a validation process initiated, it creates a ValidationState that exist until
+ * validation finishes with either success or failure.  This state serves several purposes:
+ * - record Interest or Data packet being validated
+ * - record failure callback
+ * - record certificates in the certification chain for the Interest or Data packet being validated
+ * - record names of the requested certificates to detect loops in the certificate chain
+ * - keep track of the validation chain size (aka validation "depth")
+ *
+ * During validation, policy can augment validation state with policy- and fetcher-specific
+ * information using ndn::Tag's.
+ *
+ * A validator has a trust anchor cache to save static and dynamic trust anchors, a verified
+ * certificate cache for saving certificates that are already verified and an unverified
+ * certificate cache for saving prefetched but not yet verified certificates.
+ *
+ * @todo Limit the maximum time the validation process is allowed to run before declaring failure
+ * @todo Ability to customize maximum lifetime for trusted and untrusted certificate caches.
+ *       Current implementation hard-codes them to be 1 hour and 5 minutes.
+ */
+class Validator : noncopyable
+{
+public:
+  /**
+   * @brief Validator constructor.
+   *
+   * @param policy Validation policy to be associated with the validator
+   * @param face   Face for fetching certificates from network.  If provided, the Validator
+   *               operates in online mode; otherwise, the Validator operates in offline mode.
+   */
+  explicit
+  Validator(unique_ptr<ValidationPolicy> policy, Face* face = nullptr);
+
+  ~Validator();
+
+  /**
+   * @brief Set the maximum depth of the certificate chain
+   */
+  void
+  setMaxDepth(size_t depth);
+
+  /**
+   * @return The maximum depth of the certificate chain
+   */
+  size_t
+  getMaxDepth() const;
+
+  /**
+   * @brief Asynchronously validate @p data
+   *
+   * @note @p successCb and @p failureCb must not be nullptr
+   */
+  void
+  validate(const Data& data,
+           const DataValidationSuccessCallback& successCb,
+           const DataValidationFailureCallback& failureCb);
+
+  /**
+   * @brief Asynchronously validate @p interest
+   *
+   * @note @p successCb and @p failureCb must not be nullptr
+   */
+  void
+  validate(const Interest& interest,
+           const InterestValidationSuccessCallback& successCb,
+           const InterestValidationFailureCallback& failureCb);
+
+public: // anchor management
+  /**
+   * @brief load static trust anchor.
+   *
+   * Static trust anchors are permanently associated with the validator and never expire.
+   *
+   * @param groupId  Certificate group id.
+   * @param cert     Certificate to load as a trust anchor.
+   */
+  void
+  loadAnchor(const std::string& groupId, Certificate&& cert);
+
+  /**
+   * @brief load dynamic trust anchors.
+   *
+   * Dynamic trust anchors are associated with the validator for as long as the underlying
+   * trust anchor file (set of files) exist(s).
+   *
+   * @param groupId          Certificate group id, must not be empty.
+   * @param certfilePath     Specifies the path to load the trust anchors.
+   * @param refreshPeriod    Refresh period for the trust anchors, must be positive.
+   * @param isDir            Tells whether the path is a directory or a single file.
+   */
+  void
+  loadAnchor(const std::string& groupId, const std::string& certfilePath,
+             time::nanoseconds refreshPeriod, bool isDir = false);
+
+  /**
+   * @brief Cache verified @p cert a period of time (1 hour)
+   *
+   * @todo Add ability to customize time period
+   */
+  void
+  cacheVerifiedCertificate(Certificate&& cert);
+
+  /**
+   * @brief Cache unverified @p cert for a period of time (5 minutes)
+   *
+   * @todo Add ability to customize time period
+   */
+  void
+  cacheUnverifiedCertificate(Certificate&& cert);
+
+  /**
+   * @return Trust anchor container
+   */
+  const TrustAnchorContainer&
+  getTrustAnchors() const;
+
+  /**
+   * @return Verified certificate cache
+   */
+  const CertificateCache&
+  getVerifiedCertificateCache() const;
+
+  /**
+   * @return Unverified certificate cache
+   */
+  const CertificateCache&
+  getUnverifiedCertificateCache() const;
+
+  /**
+   * @brief Check if certificate with @p certName exists in verified or unverified cache
+   */
+  bool
+  isCertificateCached(const Name& certName) const;
+
+private: // Common validator operations
+  /**
+   * @brief Recursive validation of the certificate in the certification chain
+   *
+   * @param cert   The certificate to check.
+   * @param state  The current validation state.
+   */
+  void
+  validate(const Certificate& cert, const shared_ptr<ValidationState>& state);
+
+  /**
+   * @brief Request certificate for further validation.
+   *
+   * @param certRequest  Certificate request.
+   * @param state        The current validation state.
+   */
+  void
+  requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
+                     const shared_ptr<ValidationState>& state);
+
+  /**
+   * @brief Find trusted certificate among trust anchors and verified certificates.
+   *
+   * @param interestForCertificate Interest for certificate
+   * @param state                  The current validation state.
+   *
+   * @return found certificate, nullptr if not found.
+   *
+   * @note The returned pointer may get invalidated after next findTrustedCert call.
+   */
+  const Certificate*
+  findTrustedCert(const Interest& interestForCertificate,
+                  const shared_ptr<ValidationState>& state);
+
+  /**
+   * @brief fetch certificate from network based on certificate request.
+   *
+   * @param certRequest Certificate request.
+   * @param state       The current validation state.
+   */
+  void
+  fetchCertificateFromNetwork(const shared_ptr<CertificateRequest>& certRequest,
+                              const shared_ptr<ValidationState>& state);
+
+  /**
+   * @brief Callback invoked when certificated is retrieved.
+   *
+   * @param data        Retrieved certificate.
+   * @param certRequest Certificate request.
+   * @param state       The current validation state.
+   * @param isFromNetwork Flag to indicate that the data packet is retrieved (to avoid re-caching).
+   */
+  void
+  dataCallback(const Data& data,
+               const shared_ptr<CertificateRequest>& certRequest,
+               const shared_ptr<ValidationState>& state,
+               bool isFromNetwork = true);
+
+  /**
+   * @brief Callback invoked when interest for fetching certificate gets NACKed.
+   *
+   * It will retry for pre-configured amount of retries.
+   *
+   * @param nack        Received NACK
+   * @param certRequest Certificate request.
+   * @param state       The current validation state.
+   */
+  void
+  nackCallback(const lp::Nack& nack, const shared_ptr<CertificateRequest>& certRequest,
+               const shared_ptr<ValidationState>& state);
+
+  /**
+   * @brief Callback invoked when interest for fetching certificate times out.
+   *
+   * It will retry for pre-configured amount of retries.
+   *
+   * @param certRequest Certificate request.
+   * @param state       The current validation state.
+   */
+  void
+  timeoutCallback(const shared_ptr<CertificateRequest>& certRequest,
+                  const shared_ptr<ValidationState>& state);
+
+private:
+  unique_ptr<ValidationPolicy> m_policy;
+  Face* m_face;
+  TrustAnchorContainer m_trustAnchors;
+  CertificateCache m_verifiedCertificateCache;
+  CertificateCache m_unverifiedCertificateCache;
+  size_t m_maxDepth;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATOR_HPP
diff --git a/tests/unit-tests/security/v2/validation-error.t.cpp b/tests/unit-tests/security/v2/validation-error.t.cpp
new file mode 100644
index 0000000..aac7ca1
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-error.t.cpp
@@ -0,0 +1,61 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-error.hpp"
+
+#include "boost-test.hpp"
+#include <boost/lexical_cast.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_AUTO_TEST_SUITE(TestValidationError)
+
+BOOST_AUTO_TEST_CASE(Basic)
+{
+  ValidationError e1{ValidationError::Code::INVALID_SIGNATURE};
+  BOOST_CHECK_EQUAL(e1.getCode(), 1);
+  BOOST_CHECK_EQUAL(e1.getInfo(), "");
+  BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e1), "Invalid signature");
+
+  ValidationError e2{ValidationError::Code::NO_SIGNATURE, "message"};
+  BOOST_CHECK_EQUAL(e2.getCode(), 2);
+  BOOST_CHECK_EQUAL(e2.getInfo(), "message");
+  BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e2), "Missing signature (message)");
+
+  ValidationError e3{65535, "other message"};
+  BOOST_CHECK_EQUAL(e3.getCode(), 65535);
+  BOOST_CHECK_EQUAL(e3.getInfo(), "other message");
+  BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e3), "Custom error code 65535 (other message)");
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidationError
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp b/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp
new file mode 100644
index 0000000..5cefa9b
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-policy-accept-all.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+#include <boost/mpl/vector.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+
+class ValidationPolicyAcceptAllFixture : public ValidatorFixture<ValidationPolicyAcceptAll>
+{
+public:
+  ValidationPolicyAcceptAllFixture()
+  {
+    identity = addIdentity("/Security/V2/TestValidationPolicyAcceptAll");
+    // don't add trust anchors
+  }
+
+public:
+  Identity identity;
+};
+
+BOOST_FIXTURE_TEST_SUITE(TestValidationPolicyAcceptAll, ValidationPolicyAcceptAllFixture)
+
+typedef boost::mpl::vector<Interest, Data> Packets;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(Validate, Packet, Packets)
+{
+  Packet unsignedPacket("/Security/V2/TestValidationPolicyAcceptAll/Sub/Packet");
+
+  Packet packet = unsignedPacket;
+  VALIDATE_SUCCESS(packet, "Should accept unsigned");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingWithSha256());
+  VALIDATE_SUCCESS(packet, "Should accept Sha256Digest signature");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingByIdentity(identity));
+  VALIDATE_SUCCESS(packet, "Should accept signature while no trust anchors configured");
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicyAcceptAll
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp b/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp
new file mode 100644
index 0000000..cd8c466
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp
@@ -0,0 +1,80 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-policy-simple-hierarchy.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+#include <boost/mpl/vector.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_FIXTURE_TEST_SUITE(TestValidationPolicySimpleHierarchy,
+                         HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy>)
+
+typedef boost::mpl::vector<Interest, Data> Packets;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(Validate, Packet, Packets)
+{
+  Packet unsignedPacket("/Security/V2/ValidatorFixture/Sub1/Sub2/Packet");
+
+  Packet packet = unsignedPacket;
+  VALIDATE_FAILURE(packet, "Unsigned");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingWithSha256());
+  VALIDATE_FAILURE(packet, "Policy doesn't accept Sha256Digest signature");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingByIdentity(identity));
+  VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingByIdentity(subIdentity));
+  VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingByIdentity(otherIdentity));
+  VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
+
+  packet = unsignedPacket;
+  m_keyChain.sign(packet, signingByIdentity(subSelfSignedIdentity));
+  VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
+
+  // TODO add checks with malformed packets
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidator
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validator-fixture.hpp b/tests/unit-tests/security/v2/validator-fixture.hpp
new file mode 100644
index 0000000..8fac880
--- /dev/null
+++ b/tests/unit-tests/security/v2/validator-fixture.hpp
@@ -0,0 +1,133 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
+#define NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
+
+#include "security/v2/validator.hpp"
+#include "util/dummy-client-face.hpp"
+
+#include "../../identity-management-time-fixture.hpp"
+
+#include <boost/lexical_cast.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+template<class ValidationPolicy>
+class ValidatorFixture : public ndn::tests::IdentityManagementTimeFixture
+{
+public:
+  ValidatorFixture()
+    : face(io, {true, true})
+    , validator(make_unique<ValidationPolicy>(), &face)
+    , cache(time::days(100))
+  {
+    processInterest = [this] (const Interest& interest) {
+      auto cert = cache.find(interest);
+      if (cert != nullptr) {
+        face.receive(*cert);
+      }
+    };
+  }
+
+  virtual
+  ~ValidatorFixture() = default;
+
+  template<class Packet>
+  void
+  validate(const Packet& packet, const std::string& msg, bool expectSuccess, int line)
+  {
+    std::string detailedInfo = msg + " on line " + to_string(line);
+    size_t nCallbacks = 0;
+    this->validator.validate(packet,
+                       [&] (const Packet&) {
+                         ++nCallbacks;
+                         BOOST_CHECK_MESSAGE(expectSuccess,
+                                             (expectSuccess ? "OK: " : "FAILED: ") + detailedInfo);
+                       },
+                       [&] (const Packet&, const ValidationError& error) {
+                         ++nCallbacks;
+                         BOOST_CHECK_MESSAGE(!expectSuccess,
+                                             (!expectSuccess ? "OK: " : "FAILED: ") + detailedInfo +
+                                             (expectSuccess ? " (" + boost::lexical_cast<std::string>(error) + ")" : ""));
+                       });
+
+    mockNetworkOperations();
+    BOOST_CHECK_EQUAL(nCallbacks, 1);
+  }
+
+  void
+  mockNetworkOperations()
+  {
+    util::signal::ScopedConnection connection = face.onSendInterest.connect([this] (const Interest& interest) {
+        if (processInterest != nullptr) {
+          io.post(bind(processInterest, interest));
+        }
+      });
+    advanceClocks(time::milliseconds(250), 200);
+  }
+
+public:
+  util::DummyClientFace face;
+  std::function<void(const Interest& interest)> processInterest;
+  Validator validator;
+
+  CertificateCache cache;
+};
+
+template<class ValidationPolicy>
+class HierarchicalValidatorFixture : public ValidatorFixture<ValidationPolicy>
+{
+public:
+  HierarchicalValidatorFixture()
+  {
+    identity = this->addIdentity("/Security/V2/ValidatorFixture");
+    subIdentity = this->addSubCertificate("/Security/V2/ValidatorFixture/Sub1", identity);
+    subSelfSignedIdentity = this->addIdentity("/Security/V2/ValidatorFixture/Sub1/Sub2");
+    otherIdentity = this->addIdentity("/Security/V2/OtherIdentity");
+
+    this->validator.loadAnchor("", Certificate(identity.getDefaultKey().getDefaultCertificate()));
+
+    this->cache.insert(identity.getDefaultKey().getDefaultCertificate());
+    this->cache.insert(subIdentity.getDefaultKey().getDefaultCertificate());
+    this->cache.insert(subSelfSignedIdentity.getDefaultKey().getDefaultCertificate());
+    this->cache.insert(otherIdentity.getDefaultKey().getDefaultCertificate());
+  }
+
+public:
+  Identity identity;
+  Identity subIdentity;
+  Identity subSelfSignedIdentity;
+  Identity otherIdentity;
+};
+
+#define VALIDATE_SUCCESS(packet, message) this->template validate(packet, message, true, __LINE__)
+#define VALIDATE_FAILURE(packet, message) this->template validate(packet, message, false, __LINE__)
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
diff --git a/tests/unit-tests/security/v2/validator.t.cpp b/tests/unit-tests/security/v2/validator.t.cpp
new file mode 100644
index 0000000..51ff7fa
--- /dev/null
+++ b/tests/unit-tests/security/v2/validator.t.cpp
@@ -0,0 +1,277 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validator.hpp"
+#include "security/v2/validation-policy-simple-hierarchy.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_FIXTURE_TEST_SUITE(TestValidator, HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy>)
+
+BOOST_AUTO_TEST_CASE(Timeouts)
+{
+  processInterest = nullptr; // no response for all interests
+
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  VALIDATE_FAILURE(data, "Should fail to retrieve certificate");
+  BOOST_CHECK_GT(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(NackedInterests)
+{
+  processInterest = [this] (const Interest& interest) {
+    lp::Nack nack(interest);
+    nack.setReason(lp::NackReason::NO_ROUTE);
+    face.receive(nack);
+  };
+
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  VALIDATE_FAILURE(data, "All interests should get NACKed");
+  BOOST_CHECK_GT(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(MalformedCert)
+{
+  Data malformedCert = subIdentity.getDefaultKey().getDefaultCertificate();
+  malformedCert.setContentType(tlv::ContentType_Blob);
+  m_keyChain.sign(malformedCert, signingByIdentity(identity));
+  // wrong content type & missing ValidityPeriod
+  BOOST_REQUIRE_THROW(Certificate(malformedCert.wireEncode()), tlv::Error);
+
+  auto originalProcessInterest = processInterest;
+  processInterest = [this, &originalProcessInterest, &malformedCert] (const Interest& interest) {
+    if (interest.getName().isPrefixOf(malformedCert.getName())) {
+      face.receive(malformedCert);
+    }
+    else {
+      originalProcessInterest(interest);
+    }
+  };
+
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  VALIDATE_FAILURE(data, "Signed by a malformed certificate");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+}
+
+
+BOOST_AUTO_TEST_CASE(ExpiredCert)
+{
+  Data expiredCert = subIdentity.getDefaultKey().getDefaultCertificate();
+  SignatureInfo info;
+  info.setValidityPeriod(ValidityPeriod(time::system_clock::now() - time::hours(2),
+                                        time::system_clock::now() - time::hours(1)));
+  m_keyChain.sign(expiredCert, signingByIdentity(identity).setSignatureInfo(info));
+  BOOST_REQUIRE_NO_THROW(Certificate(expiredCert.wireEncode()));
+
+  auto originalProcessInterest = processInterest;
+  processInterest = [this, &originalProcessInterest, &expiredCert] (const Interest& interest) {
+    if (interest.getName().isPrefixOf(expiredCert.getName())) {
+      face.receive(expiredCert);
+    }
+    else {
+      processInterest(interest);
+    }
+  };
+
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  VALIDATE_FAILURE(data, "Signed by an expired certificate");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(TrustedCertCaching)
+{
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  VALIDATE_SUCCESS(data, "Should get accepted, as signed by the policy-compliant cert");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+
+  processInterest = nullptr; // disable data responses from mocked network
+
+  VALIDATE_SUCCESS(data, "Should get accepted, based on the cached trusted cert");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  advanceClocks(time::hours(1), 2); // expire trusted cache
+
+  VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
+  BOOST_CHECK_GT(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+}
+
+BOOST_AUTO_TEST_CASE(UntrustedCertCaching)
+{
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
+
+  VALIDATE_FAILURE(data, "Should fail, as signed by the policy-violating cert");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+
+  processInterest = nullptr; // disable data responses from mocked network
+
+  VALIDATE_FAILURE(data, "Should fail again, but no network operations expected");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  advanceClocks(time::minutes(10), 2); // expire untrusted cache
+
+  VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
+  BOOST_CHECK_GT(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+}
+
+class ValidationPolicySimpleHierarchyForInterestOnly : public ValidationPolicySimpleHierarchy
+{
+public:
+  void
+  checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+              const ValidationContinuation& continueValidation) override
+  {
+    continueValidation(nullptr, state);
+  }
+};
+
+BOOST_FIXTURE_TEST_CASE(ValidateInterestsButBypassForData,
+                        HierarchicalValidatorFixture<ValidationPolicySimpleHierarchyForInterestOnly>)
+{
+  Interest interest("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+
+  VALIDATE_FAILURE(interest, "Unsigned");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  interest = Interest("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+  m_keyChain.sign(interest, signingWithSha256());
+  m_keyChain.sign(data, signingWithSha256());
+  VALIDATE_FAILURE(interest, "Required KeyLocator/Name missing (not passed to policy)");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  m_keyChain.sign(interest, signingByIdentity(identity));
+  m_keyChain.sign(data, signingByIdentity(identity));
+  VALIDATE_SUCCESS(interest, "Should get accepted, as signed by the anchor");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  m_keyChain.sign(interest, signingByIdentity(subIdentity));
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+  VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+
+  m_keyChain.sign(interest, signingByIdentity(otherIdentity));
+  m_keyChain.sign(data, signingByIdentity(otherIdentity));
+  VALIDATE_FAILURE(interest, "Should fail, as signed by the policy-violating cert");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  // no network operations expected, as certificate is not validated by the policy
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+  face.sentInterests.clear();
+
+  advanceClocks(time::hours(1), 2); // expire trusted cache
+
+  m_keyChain.sign(interest, signingByIdentity(subSelfSignedIdentity));
+  m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
+  VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
+  VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+  face.sentInterests.clear();
+}
+
+BOOST_AUTO_TEST_CASE(LoopingCert)
+{
+  processInterest = [this] (const Interest& interest) {
+    // create another key for the same identity and sign it properly
+    Key parentKey = m_keyChain.createKey(subIdentity);
+    Key requestedKey = subIdentity.getKey(interest.getName());
+
+    Name certificateName = requestedKey.getName();
+    certificateName
+    .append("looper")
+    .appendVersion();
+    v2::Certificate certificate;
+    certificate.setName(certificateName);
+
+    // set metainfo
+    certificate.setContentType(tlv::ContentType_Key);
+    certificate.setFreshnessPeriod(time::hours(1));
+
+    // set content
+    certificate.setContent(requestedKey.getPublicKey().buf(), requestedKey.getPublicKey().size());
+
+    // set signature-info
+    SignatureInfo info;
+    info.setValidityPeriod(security::ValidityPeriod(time::system_clock::now() - time::days(10),
+                                                    time::system_clock::now() + time::days(10)));
+
+    m_keyChain.sign(certificate, signingByKey(parentKey).setSignatureInfo(info));
+    face.receive(certificate);
+  };
+
+  Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+  m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+  validator.setMaxDepth(40);
+  BOOST_CHECK_EQUAL(validator.getMaxDepth(), 40);
+  VALIDATE_FAILURE(data, "Should fail, as certificate should be looped");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 40);
+  face.sentInterests.clear();
+
+  advanceClocks(time::hours(1), 5); // expire caches
+
+  validator.setMaxDepth(30);
+  BOOST_CHECK_EQUAL(validator.getMaxDepth(), 30);
+  VALIDATE_FAILURE(data, "Should fail, as certificate should be looped");
+  BOOST_CHECK_EQUAL(face.sentInterests.size(), 30);
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidator
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn