Move validation-request.hpp to public API.  Moved static verifySha256WithRsaSignature to new Sha256WithRsaHandler::verify.
diff --git a/CHANGELOG b/CHANGELOG
index 5103e0b..0251934 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,4 @@
-Interim changes since NDN-CPP v0.2(2013-11-25)
+Interim changes since NDN-CPP v0.2(2013-12-16)
 
 Bug fixes
 * http://redmine.named-data.net/issues/1056 Fix DTAG NDNProtocolDataUnit to encode as "NDN\202\000".
@@ -12,6 +12,7 @@
 * Fix clang compiler warnings: Include headers, parentheses and cast explicitly.
 * Moved class ExcludeEntry to inner class Exclude::Entry.
 * In BinaryXmlDecoder, cache the result of peekDTag for a speedup when decoding optional elements.
+* Moved validation-request.hpp to public API security/policy, and moved OnVerified and OnVerifyFailed in there.
 
 Documentation
 * Move instructions for running ./autogen.sh from configure.ac to the Development section of INSTALL.
diff --git a/Makefile.am b/Makefile.am
index f1e5135..4f3bc6c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -65,6 +65,8 @@
   include/ndn-cpp/security/policy/no-verify-policy-manager.hpp \
   include/ndn-cpp/security/policy/policy-manager.hpp \
   include/ndn-cpp/security/policy/self-verify-policy-manager.hpp \
+  include/ndn-cpp/security/policy/validation-request.hpp \
+  include/ndn-cpp/security/signature/sha256-with-rsa-handler.hpp \
   include/ndn-cpp/transport/tcp-transport.hpp \
   include/ndn-cpp/transport/transport.hpp \
   include/ndn-cpp/transport/udp-transport.hpp \
@@ -145,6 +147,7 @@
   src/security/identity/osx-private-key-storage.cpp \
   src/security/policy/no-verify-policy-manager.cpp \
   src/security/policy/self-verify-policy-manager.cpp \
+  src/security/signature/sha256-with-rsa-handler.cpp \
   src/transport/tcp-transport.cpp \
   src/transport/transport.cpp \
   src/transport/udp-transport.cpp \
diff --git a/Makefile.in b/Makefile.in
index a07f09c..a5dfe8d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -206,6 +206,7 @@
 	src/security/identity/osx-private-key-storage.lo \
 	src/security/policy/no-verify-policy-manager.lo \
 	src/security/policy/self-verify-policy-manager.lo \
+	src/security/signature/sha256-with-rsa-handler.lo \
 	src/transport/tcp-transport.lo src/transport/transport.lo \
 	src/transport/udp-transport.lo src/util/blob.lo \
 	src/util/changed-event.lo src/util/dynamic-uint8-vector.lo \
@@ -622,6 +623,8 @@
   include/ndn-cpp/security/policy/no-verify-policy-manager.hpp \
   include/ndn-cpp/security/policy/policy-manager.hpp \
   include/ndn-cpp/security/policy/self-verify-policy-manager.hpp \
+  include/ndn-cpp/security/policy/validation-request.hpp \
+  include/ndn-cpp/security/signature/sha256-with-rsa-handler.hpp \
   include/ndn-cpp/transport/tcp-transport.hpp \
   include/ndn-cpp/transport/transport.hpp \
   include/ndn-cpp/transport/udp-transport.hpp \
@@ -704,6 +707,7 @@
   src/security/identity/osx-private-key-storage.cpp \
   src/security/policy/no-verify-policy-manager.cpp \
   src/security/policy/self-verify-policy-manager.cpp \
+  src/security/signature/sha256-with-rsa-handler.cpp \
   src/transport/tcp-transport.cpp \
   src/transport/transport.cpp \
   src/transport/udp-transport.cpp \
@@ -1003,6 +1007,15 @@
 src/security/policy/self-verify-policy-manager.lo:  \
 	src/security/policy/$(am__dirstamp) \
 	src/security/policy/$(DEPDIR)/$(am__dirstamp)
+src/security/signature/$(am__dirstamp):
+	@$(MKDIR_P) src/security/signature
+	@: > src/security/signature/$(am__dirstamp)
+src/security/signature/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) src/security/signature/$(DEPDIR)
+	@: > src/security/signature/$(DEPDIR)/$(am__dirstamp)
+src/security/signature/sha256-with-rsa-handler.lo:  \
+	src/security/signature/$(am__dirstamp) \
+	src/security/signature/$(DEPDIR)/$(am__dirstamp)
 src/transport/$(am__dirstamp):
 	@$(MKDIR_P) src/transport
 	@: > src/transport/$(am__dirstamp)
@@ -1113,6 +1126,8 @@
 	-rm -f src/security/identity/*.lo
 	-rm -f src/security/policy/*.$(OBJEXT)
 	-rm -f src/security/policy/*.lo
+	-rm -f src/security/signature/*.$(OBJEXT)
+	-rm -f src/security/signature/*.lo
 	-rm -f src/transport/*.$(OBJEXT)
 	-rm -f src/transport/*.lo
 	-rm -f src/util/*.$(OBJEXT)
@@ -1179,6 +1194,7 @@
 @AMDEP_TRUE@@am__include@ @am__quote@src/security/identity/$(DEPDIR)/osx-private-key-storage.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@src/security/policy/$(DEPDIR)/no-verify-policy-manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@src/security/policy/$(DEPDIR)/self-verify-policy-manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@src/security/signature/$(DEPDIR)/sha256-with-rsa-handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/tcp-transport.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/transport.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/udp-transport.Plo@am__quote@
@@ -1259,6 +1275,7 @@
 	-rm -rf src/security/certificate/.libs src/security/certificate/_libs
 	-rm -rf src/security/identity/.libs src/security/identity/_libs
 	-rm -rf src/security/policy/.libs src/security/policy/_libs
+	-rm -rf src/security/signature/.libs src/security/signature/_libs
 	-rm -rf src/transport/.libs src/transport/_libs
 	-rm -rf src/util/.libs src/util/_libs
 
@@ -1617,6 +1634,8 @@
 	-rm -f src/security/identity/$(am__dirstamp)
 	-rm -f src/security/policy/$(DEPDIR)/$(am__dirstamp)
 	-rm -f src/security/policy/$(am__dirstamp)
+	-rm -f src/security/signature/$(DEPDIR)/$(am__dirstamp)
+	-rm -f src/security/signature/$(am__dirstamp)
 	-rm -f src/transport/$(DEPDIR)/$(am__dirstamp)
 	-rm -f src/transport/$(am__dirstamp)
 	-rm -f src/util/$(DEPDIR)/$(am__dirstamp)
@@ -1634,7 +1653,7 @@
 
 distclean: distclean-recursive
 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-	-rm -rf src/$(DEPDIR) src/c/$(DEPDIR) src/c/encoding/$(DEPDIR) src/c/transport/$(DEPDIR) src/c/util/$(DEPDIR) src/encoding/$(DEPDIR) src/encoding/der/$(DEPDIR) src/encoding/der/visitor/$(DEPDIR) src/security/$(DEPDIR) src/security/certificate/$(DEPDIR) src/security/identity/$(DEPDIR) src/security/policy/$(DEPDIR) src/transport/$(DEPDIR) src/util/$(DEPDIR) tests/$(DEPDIR)
+	-rm -rf src/$(DEPDIR) src/c/$(DEPDIR) src/c/encoding/$(DEPDIR) src/c/transport/$(DEPDIR) src/c/util/$(DEPDIR) src/encoding/$(DEPDIR) src/encoding/der/$(DEPDIR) src/encoding/der/visitor/$(DEPDIR) src/security/$(DEPDIR) src/security/certificate/$(DEPDIR) src/security/identity/$(DEPDIR) src/security/policy/$(DEPDIR) src/security/signature/$(DEPDIR) src/transport/$(DEPDIR) src/util/$(DEPDIR) tests/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-libtool distclean-tags
@@ -1682,7 +1701,7 @@
 maintainer-clean: maintainer-clean-recursive
 	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
 	-rm -rf $(top_srcdir)/autom4te.cache
-	-rm -rf src/$(DEPDIR) src/c/$(DEPDIR) src/c/encoding/$(DEPDIR) src/c/transport/$(DEPDIR) src/c/util/$(DEPDIR) src/encoding/$(DEPDIR) src/encoding/der/$(DEPDIR) src/encoding/der/visitor/$(DEPDIR) src/security/$(DEPDIR) src/security/certificate/$(DEPDIR) src/security/identity/$(DEPDIR) src/security/policy/$(DEPDIR) src/transport/$(DEPDIR) src/util/$(DEPDIR) tests/$(DEPDIR)
+	-rm -rf src/$(DEPDIR) src/c/$(DEPDIR) src/c/encoding/$(DEPDIR) src/c/transport/$(DEPDIR) src/c/util/$(DEPDIR) src/encoding/$(DEPDIR) src/encoding/der/$(DEPDIR) src/encoding/der/visitor/$(DEPDIR) src/security/$(DEPDIR) src/security/certificate/$(DEPDIR) src/security/identity/$(DEPDIR) src/security/policy/$(DEPDIR) src/security/signature/$(DEPDIR) src/transport/$(DEPDIR) src/util/$(DEPDIR) tests/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
diff --git a/include/Makefile.am b/include/Makefile.am
index abe0340..b38a6d4 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -20,6 +20,7 @@
   $(wildcard ndn-cpp/security/encryption/*.*) \
   $(wildcard ndn-cpp/security/identity/*.*) \
   $(wildcard ndn-cpp/security/policy/*.*) \
+  $(wildcard ndn-cpp/security/signature/*.*) \
   $(wildcard ndn-cpp/transport/*.*) \
   $(wildcard ndn-cpp/util/*.*)
 
diff --git a/include/Makefile.in b/include/Makefile.in
index f131cba..d4f6cad 100644
--- a/include/Makefile.in
+++ b/include/Makefile.in
@@ -340,6 +340,7 @@
   $(wildcard ndn-cpp/security/encryption/*.*) \
   $(wildcard ndn-cpp/security/identity/*.*) \
   $(wildcard ndn-cpp/security/policy/*.*) \
+  $(wildcard ndn-cpp/security/signature/*.*) \
   $(wildcard ndn-cpp/transport/*.*) \
   $(wildcard ndn-cpp/util/*.*)
 
diff --git a/include/ndn-cpp/security/key-chain.hpp b/include/ndn-cpp/security/key-chain.hpp
index 6cc4695..4248850 100644
--- a/include/ndn-cpp/security/key-chain.hpp
+++ b/include/ndn-cpp/security/key-chain.hpp
@@ -1,6 +1,7 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
 /**
  * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
  * @author: Jeff Thompson <jefft0@remap.ucla.edu>
  * See COPYING for copyright and distribution information.
  */
@@ -12,26 +13,16 @@
 #include "../face.hpp"
 #include "identity/identity-manager.hpp"
 #include "encryption/encryption-manager.hpp"
+#include "policy/validation-request.hpp"
 
 namespace ndn {
 
 class PolicyManager;
-class ValidationRequest;
   
 /**
- * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
- */
-typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
-
-/**
- * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
- */
-typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
-
-/**
- * Keychain is the main class of the security library.
+ * KeyChain is the main class of the security library.
  *
- * The Keychain class provides a set of interfaces to the security library such as identity management, policy configuration 
+ * The KeyChain class provides a set of interfaces to the security library such as identity management, policy configuration 
  * and packet signing and verification.
  */
 class KeyChain {
diff --git a/src/security/policy/validation-request.hpp b/include/ndn-cpp/security/policy/validation-request.hpp
similarity index 73%
rename from src/security/policy/validation-request.hpp
rename to include/ndn-cpp/security/policy/validation-request.hpp
index 386b45d..78f2d6c 100644
--- a/src/security/policy/validation-request.hpp
+++ b/include/ndn-cpp/security/policy/validation-request.hpp
@@ -9,10 +9,21 @@
 #ifndef NDN_VALIDATION_REQUEST_HPP
 #define NDN_VALIDATION_REQUEST_HPP
 
-#include <ndn-cpp/security/key-chain.hpp>
+#include "../key-chain.hpp"
 
 namespace ndn {
 
+/**
+ * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
+
+
 class ValidationRequest {
 public:
   ValidationRequest
diff --git a/include/ndn-cpp/security/signature/sha256-with-rsa-handler.hpp b/include/ndn-cpp/security/signature/sha256-with-rsa-handler.hpp
new file mode 100644
index 0000000..4cc9f98
--- /dev/null
+++ b/include/ndn-cpp/security/signature/sha256-with-rsa-handler.hpp
@@ -0,0 +1,38 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SHA256_RSA_HANDLER_HPP
+#define NDN_SHA256_RSA_HANDLER_HPP
+
+#include "../../data.hpp"
+#include "../certificate/public-key.hpp"
+
+namespace ndn{
+
+class Sha256WithRsaHandler {
+public:
+  Sha256WithRsaHandler() {}
+
+  virtual
+  ~Sha256WithRsaHandler() {}
+
+ /**
+  * Verify the signature on the data packet using the given public key. If there is no data.getDefaultWireEncoding(),
+  * this calls data.wireEncode() to set it.
+  * @param data The data packet with the signed portion and the signature to verify. The data packet must have a
+  * Sha256WithRsaSignature.
+  * @param publicKey The public key used to verify the signature.
+  * @return true if the signature verifies, false if not.
+  * @throw SecurityException if data does not have a Sha256WithRsaSignature.
+  */
+  static bool
+  verify(const Data& data, const PublicKey& publicKey);
+
+};
+
+}
+#endif
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 4d82f06..fc05969 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -1,18 +1,14 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
 /**
  * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
  * @author: Jeff Thompson <jefft0@remap.ucla.edu>
  * See COPYING for copyright and distribution information.
  */
 
-#include "../c/util/crypto.h"
-#include "../c/encoding/binary-xml-data.h"
-#include "../encoding/binary-xml-encoder.hpp"
-#include <ndn-cpp/sha256-with-rsa-signature.hpp>
 #include "../util/logging.hpp"
 #include <ndn-cpp/security/security-exception.hpp>
 #include <ndn-cpp/security/policy/policy-manager.hpp>
-#include "policy/validation-request.hpp"
 #include <ndn-cpp/security/key-chain.hpp>
 
 using namespace std;
@@ -24,49 +20,6 @@
 #endif
 
 namespace ndn {
-
-/**
- * Verify the signature on the data packet using the given public key.  If there is no data.getDefaultWireEncoding(),
- * this calls data.wireEncode() to set it.
- * @param data The data packet with the signed portion and the signature to verify.  The data packet must have a
- * Sha256WithRsaSignature.
- * @param publicKey The public key used to verify the signature.
- * @return true if the signature verifies, false if not.
- * @throw SecurityException if data does not have a Sha256WithRsaSignature.
- */
-static bool
-verifySha256WithRsaSignature(const Data& data, const PublicKey& publicKey)
-{
-  const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
-  if (!signature)
-    throw SecurityException("signature is not Sha256WithRsaSignature.");
-  
-  // Set the data packet's default wire encoding if it is not already there.
-  if (signature->getDigestAlgorithm().size() != 0)
-    // TODO: Allow a non-default digest algorithm.
-    throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
-  if (!data.getDefaultWireEncoding())
-    data.wireEncode();
-  
-  // Set signedPortionDigest to the digest of the signed portion of the wire encoding.
-  uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
-  ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
-  
-  // Verify the signedPortionDigest.
-  // Use a temporary pointer since d2i updates it.
-  const uint8_t *derPointer = publicKey.getKeyDer().buf();
-  RSA *rsaPublicKey = d2i_RSA_PUBKEY(NULL, &derPointer, publicKey.getKeyDer().size());
-  if (!rsaPublicKey)
-    throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
-  int success = RSA_verify
-    (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
-     signature->getSignature().size(), rsaPublicKey);
-  // Free the public key before checking for success.
-  RSA_free(rsaPublicKey);
-  
-  // RSA_verify returns 1 for a valid signature.
-  return (success == 1);
-}
   
 KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
 : identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)
diff --git a/src/security/signature/sha256-with-rsa-handler.cpp b/src/security/signature/sha256-with-rsa-handler.cpp
new file mode 100644
index 0000000..905fc3e
--- /dev/null
+++ b/src/security/signature/sha256-with-rsa-handler.cpp
@@ -0,0 +1,52 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#include "../../c/util/crypto.h"
+#include <ndn-cpp/sha256-with-rsa-signature.hpp>
+#include <ndn-cpp/security/security-exception.hpp>
+#include <ndn-cpp/security/signature/sha256-with-rsa-handler.hpp>
+
+using namespace std;
+using namespace ndn::ptr_lib;
+
+namespace ndn {
+
+bool
+Sha256WithRsaHandler::verify(const Data& data, const PublicKey& publicKey)
+{
+  const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
+  if (!signature)
+    throw SecurityException("signature is not Sha256WithRsaSignature.");
+  
+  // Set the data packet's default wire encoding if it is not already there.
+  if (signature->getDigestAlgorithm().size() != 0)
+    // TODO: Allow a non-default digest algorithm.
+    throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
+  if (!data.getDefaultWireEncoding())
+    data.wireEncode();
+  
+  // Set signedPortionDigest to the digest of the signed portion of the wire encoding.
+  uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
+  ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
+  
+  // Verify the signedPortionDigest.
+  // Use a temporary pointer since d2i updates it.
+  const uint8_t *derPointer = publicKey.getKeyDer().buf();
+  RSA *rsaPublicKey = d2i_RSA_PUBKEY(NULL, &derPointer, publicKey.getKeyDer().size());
+  if (!rsaPublicKey)
+    throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
+  int success = RSA_verify
+    (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
+     signature->getSignature().size(), rsaPublicKey);
+  // Free the public key before checking for success.
+  RSA_free(rsaPublicKey);
+  
+  // RSA_verify returns 1 for a valid signature.
+  return (success == 1);
+}
+
+}