Move validation-request.hpp to public API.  Moved static verifySha256WithRsaSignature to new Sha256WithRsaHandler::verify.
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 4d82f06..fc05969 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -1,18 +1,14 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
 /**
  * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
  * @author: Jeff Thompson <jefft0@remap.ucla.edu>
  * See COPYING for copyright and distribution information.
  */
 
-#include "../c/util/crypto.h"
-#include "../c/encoding/binary-xml-data.h"
-#include "../encoding/binary-xml-encoder.hpp"
-#include <ndn-cpp/sha256-with-rsa-signature.hpp>
 #include "../util/logging.hpp"
 #include <ndn-cpp/security/security-exception.hpp>
 #include <ndn-cpp/security/policy/policy-manager.hpp>
-#include "policy/validation-request.hpp"
 #include <ndn-cpp/security/key-chain.hpp>
 
 using namespace std;
@@ -24,49 +20,6 @@
 #endif
 
 namespace ndn {
-
-/**
- * Verify the signature on the data packet using the given public key.  If there is no data.getDefaultWireEncoding(),
- * this calls data.wireEncode() to set it.
- * @param data The data packet with the signed portion and the signature to verify.  The data packet must have a
- * Sha256WithRsaSignature.
- * @param publicKey The public key used to verify the signature.
- * @return true if the signature verifies, false if not.
- * @throw SecurityException if data does not have a Sha256WithRsaSignature.
- */
-static bool
-verifySha256WithRsaSignature(const Data& data, const PublicKey& publicKey)
-{
-  const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
-  if (!signature)
-    throw SecurityException("signature is not Sha256WithRsaSignature.");
-  
-  // Set the data packet's default wire encoding if it is not already there.
-  if (signature->getDigestAlgorithm().size() != 0)
-    // TODO: Allow a non-default digest algorithm.
-    throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
-  if (!data.getDefaultWireEncoding())
-    data.wireEncode();
-  
-  // Set signedPortionDigest to the digest of the signed portion of the wire encoding.
-  uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
-  ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
-  
-  // Verify the signedPortionDigest.
-  // Use a temporary pointer since d2i updates it.
-  const uint8_t *derPointer = publicKey.getKeyDer().buf();
-  RSA *rsaPublicKey = d2i_RSA_PUBKEY(NULL, &derPointer, publicKey.getKeyDer().size());
-  if (!rsaPublicKey)
-    throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
-  int success = RSA_verify
-    (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
-     signature->getSignature().size(), rsaPublicKey);
-  // Free the public key before checking for success.
-  RSA_free(rsaPublicKey);
-  
-  // RSA_verify returns 1 for a valid signature.
-  return (success == 1);
-}
   
 KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
 : identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)