security: Add wrapper for public/private key in transformation

Change-Id: I6610cccc8bb20b4e9e227895cf24b595a6e13698
Refs: #3009, #3010
diff --git a/src/security/detail/openssl-helper.cpp b/src/security/detail/openssl-helper.cpp
index ce51d1b..3a7140d 100644
--- a/src/security/detail/openssl-helper.cpp
+++ b/src/security/detail/openssl-helper.cpp
@@ -36,6 +36,44 @@
   }
 }
 
+EvpPkey::EvpPkey()
+  : m_key(nullptr)
+{
+}
+
+EvpPkey::~EvpPkey()
+{
+  EVP_PKEY_free(m_key);
+}
+
+EvpPkeyCtx::EvpPkeyCtx(EVP_PKEY* key)
+  : m_ctx(EVP_PKEY_CTX_new(key, nullptr))
+{
+  BOOST_ASSERT(m_ctx != nullptr);
+}
+
+EvpPkeyCtx::EvpPkeyCtx(int id)
+  : m_ctx(EVP_PKEY_CTX_new_id(id, nullptr))
+{
+  BOOST_ASSERT(m_ctx != nullptr);
+}
+
+EvpPkeyCtx::~EvpPkeyCtx()
+{
+  EVP_PKEY_CTX_free(m_ctx);
+}
+
+Bio::Bio(BIO_METHOD* method)
+  : m_bio(BIO_new(method))
+{
+  BOOST_ASSERT(m_bio != nullptr);
+}
+
+Bio::~Bio()
+{
+  BIO_free_all(m_bio);
+}
+
 } // namespace detail
 } // namespace security
 } // namespace ndn
diff --git a/src/security/detail/openssl-helper.hpp b/src/security/detail/openssl-helper.hpp
index e9e5900..d74bcf6 100644
--- a/src/security/detail/openssl-helper.hpp
+++ b/src/security/detail/openssl-helper.hpp
@@ -32,6 +32,68 @@
 const EVP_MD*
 toDigestEvpMd(DigestAlgorithm algo);
 
+class EvpPkey
+{
+public:
+  EvpPkey();
+
+  ~EvpPkey();
+
+  EVP_PKEY*
+  get() const
+  {
+    return m_key;
+  }
+
+  EVP_PKEY**
+  operator&()
+  {
+    return &m_key;
+  }
+
+private:
+  EVP_PKEY* m_key;
+};
+
+class EvpPkeyCtx
+{
+public:
+  explicit
+  EvpPkeyCtx(EVP_PKEY* key);
+
+  explicit
+  EvpPkeyCtx(int id);
+
+  ~EvpPkeyCtx();
+
+  EVP_PKEY_CTX*
+  get() const
+  {
+    return m_ctx;
+  }
+
+private:
+  EVP_PKEY_CTX* m_ctx;
+};
+
+class Bio
+{
+public:
+  explicit
+  Bio(BIO_METHOD* method);
+
+  ~Bio();
+
+  BIO*
+  get() const
+  {
+    return m_bio;
+  }
+
+private:
+  BIO* m_bio;
+};
+
 } // namespace detail
 } // namespace security
 } // namespace ndn
diff --git a/src/security/transform/private-key.cpp b/src/security/transform/private-key.cpp
new file mode 100644
index 0000000..0c61817
--- /dev/null
+++ b/src/security/transform/private-key.cpp
@@ -0,0 +1,440 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "private-key.hpp"
+#include "buffer-source.hpp"
+#include "stream-source.hpp"
+#include "base64-encode.hpp"
+#include "base64-decode.hpp"
+#include "stream-sink.hpp"
+#include "../../encoding/buffer-stream.hpp"
+#include "../detail/openssl-helper.hpp"
+#include "../key-params.hpp"
+
+#include <string.h>
+
+#define ENSURE_PRIVATE_KEY_LOADED(key) \
+  do { \
+    if (key == nullptr) \
+      BOOST_THROW_EXCEPTION(Error("Private key has not been loaded yet")); \
+  } while (false)
+
+namespace ndn {
+namespace security {
+namespace transform {
+
+class PrivateKey::Impl
+{
+public:
+  Impl()
+    : key(nullptr)
+  {
+  }
+
+  ~Impl()
+  {
+    EVP_PKEY_free(key);
+  }
+
+public:
+  EVP_PKEY* key;
+};
+
+PrivateKey::PrivateKey()
+  : m_impl(new Impl)
+{
+}
+
+PrivateKey::~PrivateKey() = default;
+
+void
+PrivateKey::loadPkcs1(const uint8_t* buf, size_t size)
+{
+  detail::Bio mem(BIO_s_mem());
+  BIO_write(mem.get(), buf, size);
+
+  d2i_PrivateKey_bio(mem.get(), &m_impl->key);
+
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+}
+
+void
+PrivateKey::loadPkcs1(std::istream& is)
+{
+  OBufferStream os;
+  streamSource(is) >> streamSink(os);
+  this->loadPkcs1(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PrivateKey::loadPkcs1Base64(const uint8_t* buf, size_t size)
+{
+  OBufferStream os;
+  bufferSource(buf, size) >> base64Decode() >> streamSink(os);
+  this->loadPkcs1(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PrivateKey::loadPkcs1Base64(std::istream& is)
+{
+  OBufferStream os;
+  streamSource(is) >> base64Decode() >> streamSink(os);
+  this->loadPkcs1(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PrivateKey::loadPkcs8(const uint8_t* buf, size_t size, const char* pw, size_t pwLen)
+{
+  BOOST_ASSERT(std::strlen(pw) == pwLen);
+
+  detail::Bio mem(BIO_s_mem());
+  BIO_write(mem.get(), buf, size);
+
+  m_impl->key = d2i_PKCS8PrivateKey_bio(mem.get(), &m_impl->key, nullptr, const_cast<char*>(pw));
+
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+}
+
+static inline int
+passwordCallback(char* buf, int size, int rwflag, void* u)
+{
+  auto cb = reinterpret_cast<PrivateKey::PasswordCallback*>(u);
+  return (*cb)(buf, size, rwflag);
+}
+
+void
+PrivateKey::loadPkcs8(const uint8_t* buf, size_t size, PasswordCallback pwCallback)
+{
+  OpenSSL_add_all_algorithms();
+  detail::Bio mem(BIO_s_mem());
+  BIO_write(mem.get(), buf, size);
+
+  if (pwCallback)
+    m_impl->key = d2i_PKCS8PrivateKey_bio(mem.get(), &m_impl->key, passwordCallback, &pwCallback);
+  else
+    m_impl->key = d2i_PKCS8PrivateKey_bio(mem.get(), &m_impl->key, nullptr, nullptr);
+
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+}
+
+void
+PrivateKey::loadPkcs8(std::istream& is, const char* pw, size_t pwLen)
+{
+  OBufferStream os;
+  streamSource(is) >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pw, pwLen);
+}
+
+void
+PrivateKey::loadPkcs8(std::istream& is, PasswordCallback pwCallback)
+{
+  OBufferStream os;
+  streamSource(is) >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pwCallback);
+}
+
+void
+PrivateKey::loadPkcs8Base64(const uint8_t* buf, size_t size, const char* pw, size_t pwLen)
+{
+  OBufferStream os;
+  bufferSource(buf, size) >> base64Decode() >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pw, pwLen);
+}
+
+void
+PrivateKey::loadPkcs8Base64(const uint8_t* buf, size_t size, PasswordCallback pwCallback)
+{
+  OBufferStream os;
+  bufferSource(buf, size) >> base64Decode() >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pwCallback);
+}
+
+void
+PrivateKey::loadPkcs8Base64(std::istream& is, const char* pw, size_t pwLen)
+{
+  OBufferStream os;
+  streamSource(is) >> base64Decode() >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pw, pwLen);
+}
+
+void
+PrivateKey::loadPkcs8Base64(std::istream& is, PasswordCallback pwCallback)
+{
+  OBufferStream os;
+  streamSource(is) >> base64Decode() >> streamSink(os);
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size(), pwCallback);
+}
+
+void
+PrivateKey::savePkcs1(std::ostream& os) const
+{
+  bufferSource(*this->toPkcs1()) >> streamSink(os);
+}
+
+void
+PrivateKey::savePkcs1Base64(std::ostream& os) const
+{
+  bufferSource(*this->toPkcs1()) >> base64Encode() >> streamSink(os);
+}
+
+void
+PrivateKey::savePkcs8(std::ostream& os, const char* pw, size_t pwLen) const
+{
+  bufferSource(*this->toPkcs8(pw, pwLen)) >> streamSink(os);
+}
+
+void
+PrivateKey::savePkcs8(std::ostream& os, PasswordCallback pwCallback) const
+{
+  bufferSource(*this->toPkcs8(pwCallback)) >> streamSink(os);
+}
+
+void
+PrivateKey::savePkcs8Base64(std::ostream& os, const char* pw, size_t pwLen) const
+{
+  bufferSource(*this->toPkcs8(pw, pwLen)) >> base64Encode() >> streamSink(os);
+}
+
+void
+PrivateKey::savePkcs8Base64(std::ostream& os, PasswordCallback pwCallback) const
+{
+  bufferSource(*this->toPkcs8(pwCallback)) >> base64Encode() >> streamSink(os);
+}
+
+ConstBufferPtr
+PrivateKey::derivePublicKey() const
+{
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+
+  uint8_t* pkcs8 = nullptr;
+  int len = i2d_PUBKEY(m_impl->key, &pkcs8);
+
+  if (len <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to derive public key"));
+
+  auto result = make_shared<Buffer>(pkcs8, len);
+  OPENSSL_free(pkcs8);
+
+  return result;
+}
+
+ConstBufferPtr
+PrivateKey::decrypt(const uint8_t* cipherText, size_t cipherLen) const
+{
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+
+  switch (EVP_PKEY_type(m_impl->key->type)) {
+  case EVP_PKEY_RSA:
+    return rsaDecrypt(cipherText, cipherLen);
+  default:
+    BOOST_THROW_EXCEPTION(Error("Decryption is not supported for this key type"));
+  }
+}
+
+void*
+PrivateKey::getEvpPkey() const
+{
+  return m_impl->key;
+}
+
+ConstBufferPtr
+PrivateKey::toPkcs1() const
+{
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+
+  OpenSSL_add_all_algorithms();
+  detail::Bio mem(BIO_s_mem());
+  int ret = i2d_PrivateKey_bio(mem.get(), m_impl->key);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(Error("Cannot convert key into PKCS1 format"));
+
+  int len8 = BIO_pending(mem.get());
+  auto buffer = make_shared<Buffer>(len8);
+  BIO_read(mem.get(), buffer->buf(), len8);
+
+  return buffer;
+}
+
+ConstBufferPtr
+PrivateKey::toPkcs8(const char* pw, size_t pwLen) const
+{
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+
+  BOOST_ASSERT(std::strlen(pw) == pwLen);
+
+  OpenSSL_add_all_algorithms();
+  detail::Bio mem(BIO_s_mem());
+  int ret = i2d_PKCS8PrivateKey_bio(mem.get(), m_impl->key, EVP_des_cbc(),
+                                    const_cast<char*>(pw), pwLen, nullptr, nullptr);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(Error("Cannot convert key into PKCS8 format"));
+
+  int len8 = BIO_pending(mem.get());
+  auto buffer = make_shared<Buffer>(len8);
+  BIO_read(mem.get(), buffer->buf(), len8);
+
+  return buffer;
+}
+
+ConstBufferPtr
+PrivateKey::toPkcs8(PasswordCallback pwCallback) const
+{
+  ENSURE_PRIVATE_KEY_LOADED(m_impl->key);
+
+  OpenSSL_add_all_algorithms();
+  detail::Bio mem(BIO_s_mem());
+  int ret = i2d_PKCS8PrivateKey_bio(mem.get(), m_impl->key, EVP_des_cbc(),
+                                    nullptr, 0,
+                                    passwordCallback, &pwCallback);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(Error("Cannot convert key into PKCS8 format"));
+
+  int len8 = BIO_pending(mem.get());
+  auto buffer = make_shared<Buffer>(len8);
+  BIO_read(mem.get(), buffer->buf(), len8);
+
+  return buffer;
+}
+
+ConstBufferPtr
+PrivateKey::rsaDecrypt(const uint8_t* cipherText, size_t cipherLen) const
+{
+  detail::EvpPkeyCtx ctx(m_impl->key);
+
+  if (EVP_PKEY_decrypt_init(ctx.get()) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to initialize decryption context"));
+
+  if (EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_OAEP_PADDING) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to set padding"));
+
+  size_t outlen = 0;
+  // Determine buffer length
+  if (EVP_PKEY_decrypt(ctx.get(), nullptr, &outlen, cipherText, cipherLen) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to estimate output length"));
+
+  auto out = make_shared<Buffer>(outlen);
+
+  if (EVP_PKEY_decrypt(ctx.get(), out->buf(), &outlen, cipherText, cipherLen) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to decrypt cipher text"));
+
+  out->resize(outlen);
+  return out;
+}
+
+static unique_ptr<PrivateKey>
+generateRsaKey(uint32_t keySize)
+{
+  detail::EvpPkeyCtx kctx(EVP_PKEY_RSA);
+
+  int ret = EVP_PKEY_keygen_init(kctx.get());
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate RSA key"));
+
+  ret = EVP_PKEY_CTX_set_rsa_keygen_bits(kctx.get(), keySize);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate RSA key"));
+
+  detail::EvpPkey key;
+  ret = EVP_PKEY_keygen(kctx.get(), &key);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate RSA key"));
+
+  detail::Bio mem(BIO_s_mem());
+  i2d_PrivateKey_bio(mem.get(), key.get());
+  int len = BIO_pending(mem.get());
+  Buffer buffer(len);
+  BIO_read(mem.get(), buffer.buf(), len);
+
+  auto privateKey = make_unique<PrivateKey>();
+  privateKey->loadPkcs1(buffer.buf(), buffer.size());
+
+  return privateKey;
+}
+
+static unique_ptr<PrivateKey>
+generateEcKey(uint32_t keySize)
+{
+  detail::EvpPkeyCtx ctx(EVP_PKEY_EC);
+
+  int ret = EVP_PKEY_paramgen_init(ctx.get());
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+
+  switch (keySize) {
+    case 256:
+      ret = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx.get(), NID_X9_62_prime256v1);
+      break;
+    case 384:
+      ret = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx.get(), NID_secp384r1);
+      break;
+    default:
+      BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+  }
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+
+  detail::EvpPkey params;
+  ret = EVP_PKEY_paramgen(ctx.get(), &params);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+
+  detail::EvpPkeyCtx kctx(params.get());
+  ret = EVP_PKEY_keygen_init(kctx.get());
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+
+  detail::EvpPkey key;
+  ret = EVP_PKEY_keygen(kctx.get(), &key);
+  if (ret != 1)
+    BOOST_THROW_EXCEPTION(PrivateKey::Error("Fail to generate EC key"));
+
+  detail::Bio mem(BIO_s_mem());
+  i2d_PrivateKey_bio(mem.get(), key.get());
+  int len = BIO_pending(mem.get());
+  Buffer buffer(len);
+  BIO_read(mem.get(), buffer.buf(), len);
+
+  auto privateKey = make_unique<PrivateKey>();
+  privateKey->loadPkcs1(buffer.buf(), buffer.size());
+
+  return privateKey;
+}
+
+unique_ptr<PrivateKey>
+generatePrivateKey(const KeyParams& keyParams)
+{
+  switch (keyParams.getKeyType()) {
+    case KeyType::RSA: {
+      const RsaKeyParams& rsaParams = static_cast<const RsaKeyParams&>(keyParams);
+      return generateRsaKey(rsaParams.getKeySize());
+    }
+    case KeyType::EC: {
+      const EcdsaKeyParams& ecdsaParams = static_cast<const EcdsaKeyParams&>(keyParams);
+      return generateEcKey(ecdsaParams.getKeySize());
+    }
+    default:
+      BOOST_THROW_EXCEPTION(std::invalid_argument("Unsupported asymmetric key type"));
+  }
+}
+
+} // namespace transform
+} // namespace security
+} // namespace ndn
diff --git a/src/security/transform/private-key.hpp b/src/security/transform/private-key.hpp
new file mode 100644
index 0000000..eae0787
--- /dev/null
+++ b/src/security/transform/private-key.hpp
@@ -0,0 +1,264 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_CXX_SECURITY_TRANSFORM_PRIVATE_KEY_HPP
+#define NDN_CXX_SECURITY_TRANSFORM_PRIVATE_KEY_HPP
+
+#include "public-key.hpp"
+#include "../../encoding/buffer.hpp"
+
+namespace ndn {
+
+class KeyParams;
+
+namespace security {
+namespace transform {
+
+/**
+ * @brief Abstraction of private key in crypto transformation
+ */
+class PrivateKey : noncopyable
+{
+public:
+  class Error : public std::runtime_error
+  {
+  public:
+    explicit
+    Error(const std::string& what)
+      : std::runtime_error(what)
+    {
+    }
+  };
+
+  friend class SignerFilter;
+
+  /**
+   * @brief Callback for application to handle password input
+   *
+   * Password should be stored in @p buf and should not be longer than @p size.  It is
+   * recommended to ask the user to verify the passphrase if @p shouldConfirm is true, e.g., by
+   * prompting for the password twice.
+   */
+  typedef function<int(char* buf, size_t bufSize, bool shouldConfirm)> PasswordCallback;
+
+public:
+  /**
+   * @brief Create a private key instance
+   *
+   * One must call loadXXXX(...) to load private key.
+   */
+  PrivateKey();
+
+  ~PrivateKey();
+
+  /**
+   * @brief Load the private key in PKCS#1 format from a buffer @p buf
+   */
+  void
+  loadPkcs1(const uint8_t* buf, size_t size);
+
+  /**
+   * @brief Load the private key in PKCS#1 format from a stream @p is
+   */
+  void
+  loadPkcs1(std::istream& is);
+
+  /**
+   * @brief Load the private key in base64-encoded PKCS#1 format from a buffer @p buf
+   */
+  void
+  loadPkcs1Base64(const uint8_t* buf, size_t size);
+
+  /**
+   * @brief Load the private key in base64-encoded PKCS#1 format from a stream @p is
+   */
+  void
+  loadPkcs1Base64(std::istream& is);
+
+  /**
+   * @brief Load the private key in encrypted PKCS#8 format from a buffer @p buf with passphrase @p pw
+   *
+   * @pre strlen(pw) == pwLen
+   */
+  void
+  loadPkcs8(const uint8_t* buf, size_t size, const char* pw, size_t pwLen);
+
+  /**
+   * @brief Load the private key in encrypted PKCS#8 format from a buffer @p buf with
+   *        passphrase obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  loadPkcs8(const uint8_t* buf, size_t size, PasswordCallback pwCallback = nullptr);
+
+  /**
+   * @brief Load the private key in encrypted PKCS#8 format from a stream @p is with passphrase @p pw
+   *
+   * @pre strlen(pw) == pwLen
+   */
+  void
+  loadPkcs8(std::istream& is, const char* pw, size_t pwLen);
+
+  /**
+   * @brief Load the private key in encrypted PKCS#8 format from a stream @p is with passphrase
+   *        obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  loadPkcs8(std::istream& is, PasswordCallback pwCallback = nullptr);
+
+  /**
+   * @brief Load the private key in base64-encoded encrypted PKCS#8 format from a buffer @p buf
+   *        with passphrase @p pw
+   *
+   * @pre strlen(pw) == pwLen
+   */
+  void
+  loadPkcs8Base64(const uint8_t* buf, size_t size, const char* pw, size_t pwLen);
+
+  /**
+   * @brief Load the private key in encrypted PKCS#8 format from a buffer @p buf with
+   *        passphrase obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  loadPkcs8Base64(const uint8_t* buf, size_t size, PasswordCallback pwCallback = nullptr);
+
+  /**
+   * @brief Load the private key in base64-encoded encrypted PKCS#8 format from a stream @p is
+   *        with passphrase @p pw
+   *
+   * @pre strlen(pw) == pwLen
+   */
+  void
+  loadPkcs8Base64(std::istream& is, const char* pw, size_t pwLen);
+
+  /**
+   * @brief Load the private key in base64-encoded encrypted PKCS#8 format from a stream @p is
+   *        with passphrase obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  loadPkcs8Base64(std::istream& is, PasswordCallback pwCallback = nullptr);
+
+  /**
+   * @brief Save the private key in PKCS#1 format into a stream @p os
+   */
+  void
+  savePkcs1(std::ostream& os) const;
+
+  /**
+   * @brief Save the private key in base64-encoded PKCS#1 format into a stream @p os
+   */
+  void
+  savePkcs1Base64(std::ostream& os) const;
+
+  /**
+   * @brief Save the private key in encrypted PKCS#8 format into a stream @p os
+   */
+  void
+  savePkcs8(std::ostream& os, const char* pw, size_t pwLen) const;
+
+  /**
+   * @brief Save the private key in encrypted PKCS#8 format into a stream @p os with passphrase
+   *        obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  savePkcs8(std::ostream& os, PasswordCallback pwCallback = nullptr) const;
+
+  /**
+   * @brief Save the private key in base64-encoded encrypted PKCS#8 format into a stream @p os
+   */
+  void
+  savePkcs8Base64(std::ostream& os, const char* pw, size_t pwLen) const;
+
+  /**
+   * @brief Save the private key in base64-encoded encrypted PKCS#8 format into a stream @p os
+   *        with passphrase obtained from @p pwCallback
+   *
+   * The default password callback is provided by OpenSSL
+   */
+  void
+  savePkcs8Base64(std::ostream& os, PasswordCallback pwCallback = nullptr) const;
+
+  /**
+   * @return Public key bits in PKCS#8 format
+   */
+  ConstBufferPtr
+  derivePublicKey() const;
+
+  /**
+   * @return Plain text of @p cipherText decrypted using the private key.
+   *
+   * Only RSA encryption is supported for now.
+   */
+  ConstBufferPtr
+  decrypt(const uint8_t* cipherText, size_t cipherLen) const;
+
+private:
+  /**
+   * @return A pointer to an EVP_PKEY instance.
+   *
+   * One need to explicitly cast the return value to EVP_PKEY*.
+   */
+  void*
+  getEvpPkey() const;
+
+private:
+  ConstBufferPtr
+  toPkcs1() const;
+
+  ConstBufferPtr
+  toPkcs8(const char* pw, size_t pwLen) const;
+
+  ConstBufferPtr
+  toPkcs8(PasswordCallback pwCallback = nullptr) const;
+
+  ConstBufferPtr
+  rsaDecrypt(const uint8_t* cipherText, size_t cipherLen) const;
+
+private:
+  class Impl;
+  unique_ptr<Impl> m_impl;
+};
+
+/**
+ * @brief generate a private key according to @p keyParams.
+ *
+ * @note the public key can be derived from the private key
+ *
+ * @throw std::argument_error if the key type is not supported
+ * @throw std::runtime_error when failing to generate the key
+ */
+unique_ptr<PrivateKey>
+generatePrivateKey(const KeyParams& keyParams);
+
+} // namespace transform
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_CXX_SECURITY_TRANSFORM_PRIVATE_KEY_HPP
diff --git a/src/security/transform/public-key.cpp b/src/security/transform/public-key.cpp
new file mode 100644
index 0000000..a0116e9
--- /dev/null
+++ b/src/security/transform/public-key.cpp
@@ -0,0 +1,198 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "public-key.hpp"
+#include "buffer-source.hpp"
+#include "stream-source.hpp"
+#include "base64-encode.hpp"
+#include "base64-decode.hpp"
+#include "stream-sink.hpp"
+#include "../../encoding/buffer-stream.hpp"
+#include "../detail/openssl-helper.hpp"
+
+#define ENSURE_PUBLIC_KEY_LOADED(key) \
+  do { \
+    if (key == nullptr) \
+      BOOST_THROW_EXCEPTION(Error("Public key has not been loaded yet")); \
+  } while (false)
+
+namespace ndn {
+namespace security {
+namespace transform {
+
+class PublicKey::Impl
+{
+public:
+  Impl()
+    : key(nullptr)
+  {
+  }
+
+  ~Impl()
+  {
+    EVP_PKEY_free(key);
+  }
+
+public:
+  EVP_PKEY* key;
+};
+
+PublicKey::PublicKey()
+  : m_impl(new Impl)
+{
+}
+
+PublicKey::~PublicKey() = default;
+
+KeyType
+PublicKey::getKeyType() const
+{
+  ENSURE_PUBLIC_KEY_LOADED(m_impl->key);
+
+  switch (EVP_PKEY_type(m_impl->key->type)) {
+  case EVP_PKEY_RSA:
+    return KeyType::RSA;
+  case EVP_PKEY_EC:
+    return KeyType::EC;
+  default:
+    BOOST_THROW_EXCEPTION(Error("Public key type is not recognized"));
+  }
+}
+
+void
+PublicKey::loadPkcs8(const uint8_t* buf, size_t size)
+{
+  m_impl->key = d2i_PUBKEY(nullptr, &buf, size);
+
+  ENSURE_PUBLIC_KEY_LOADED(m_impl->key);
+}
+
+void
+PublicKey::loadPkcs8(std::istream& is)
+{
+  OBufferStream os;
+  {
+    using namespace transform;
+    streamSource(is) >> streamSink(os);
+  }
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PublicKey::loadPkcs8Base64(const uint8_t* buf, size_t size)
+{
+  OBufferStream os;
+  {
+    using namespace transform;
+    bufferSource(buf, size) >> base64Decode() >> streamSink(os);
+  }
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PublicKey::loadPkcs8Base64(std::istream& is)
+{
+  OBufferStream os;
+  {
+    using namespace transform;
+    streamSource(is) >> base64Decode() >> streamSink(os);
+  }
+  this->loadPkcs8(os.buf()->buf(), os.buf()->size());
+}
+
+void
+PublicKey::savePkcs8(std::ostream& os) const
+{
+  using namespace transform;
+  bufferSource(*this->toPkcs8()) >> streamSink(os);
+}
+
+void
+PublicKey::savePkcs8Base64(std::ostream& os) const
+{
+  using namespace transform;
+  bufferSource(*this->toPkcs8()) >> base64Encode() >> streamSink(os);
+}
+
+ConstBufferPtr
+PublicKey::encrypt(const uint8_t* plainText, size_t plainLen) const
+{
+  ENSURE_PUBLIC_KEY_LOADED(m_impl->key);
+
+  switch (EVP_PKEY_type(m_impl->key->type)) {
+  case EVP_PKEY_RSA:
+    return rsaEncrypt(plainText, plainLen);
+  default:
+    BOOST_THROW_EXCEPTION(Error("Encryption is not supported for this key type"));
+  }
+}
+
+void*
+PublicKey::getEvpPkey() const
+{
+  return m_impl->key;
+}
+
+ConstBufferPtr
+PublicKey::toPkcs8() const
+{
+  ENSURE_PUBLIC_KEY_LOADED(m_impl->key);
+
+  uint8_t* pkcs8 = nullptr;
+  int len = i2d_PUBKEY(m_impl->key, &pkcs8);
+
+  if (pkcs8 == nullptr)
+    BOOST_THROW_EXCEPTION(Error("Failed to convert to pkcs8 format"));
+
+  auto buffer = make_shared<Buffer>(pkcs8, len);
+  OPENSSL_free(pkcs8);
+
+  return buffer;
+}
+
+ConstBufferPtr
+PublicKey::rsaEncrypt(const uint8_t* plainText, size_t plainLen) const
+{
+  detail::EvpPkeyCtx ctx(m_impl->key);
+
+  if (EVP_PKEY_encrypt_init(ctx.get()) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to initialize encryption context"));
+
+  if (EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_OAEP_PADDING) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to set padding"));
+
+  size_t outlen = 0;
+  // Determine buffer length
+  if (EVP_PKEY_encrypt(ctx.get(), nullptr, &outlen, plainText, plainLen) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to estimate output length"));
+
+  auto out = make_shared<Buffer>(outlen);
+
+  if (EVP_PKEY_encrypt(ctx.get(), out->buf(), &outlen, plainText, plainLen) <= 0)
+    BOOST_THROW_EXCEPTION(Error("Failed to decrypt cipher text"));
+
+  out->resize(outlen);
+  return out;
+}
+
+} // namespace transform
+} // namespace security
+} // namespace ndn
diff --git a/src/security/transform/public-key.hpp b/src/security/transform/public-key.hpp
new file mode 100644
index 0000000..169b9e0
--- /dev/null
+++ b/src/security/transform/public-key.hpp
@@ -0,0 +1,137 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_CXX_SECURITY_TRANSFORM_PUBLIC_KEY_HPP
+#define NDN_CXX_SECURITY_TRANSFORM_PUBLIC_KEY_HPP
+
+#include "../security-common.hpp"
+#include "../../encoding/buffer.hpp"
+
+namespace ndn {
+namespace security {
+namespace transform {
+
+class VerifierFilter;
+
+/**
+ * @brief Abstraction of public key in crypto transformation
+ */
+class PublicKey : noncopyable
+{
+public:
+  class Error : public std::runtime_error
+  {
+  public:
+    explicit
+    Error(const std::string& what)
+      : std::runtime_error(what)
+    {
+    }
+  };
+
+  friend class VerifierFilter;
+
+public:
+  /**
+   * @brief Create a public key instance
+   *
+   * One must call loadXXXX(...) to load public key.
+   */
+  PublicKey();
+
+  ~PublicKey();
+
+  /**
+   * @brief Get the type of the public key
+   */
+  KeyType
+  getKeyType() const;
+
+  /**
+   * @brief Load the public key in PKCS#8 format from a buffer @p buf
+   */
+  void
+  loadPkcs8(const uint8_t* buf, size_t size);
+
+  /**
+   * @brief Load the public key in PKCS#8 format from a stream @p is
+   */
+  void
+  loadPkcs8(std::istream& is);
+
+  /**
+   * @brief Load the public key in base64-encoded PKCS#8 format from a buffer @p buf
+   */
+  void
+  loadPkcs8Base64(const uint8_t* buf, size_t size);
+
+  /**
+   * @brief Load the public key in base64-encoded PKCS#8 format from a stream @p is
+   */
+  void
+  loadPkcs8Base64(std::istream& is);
+
+  /**
+   * @brief Save the public key in PKCS#8 format into a stream @p os
+   */
+  void
+  savePkcs8(std::ostream& os) const;
+
+  /**
+   * @brief Save the public key in base64-encoded PKCS#8 format into a stream @p os
+   */
+  void
+  savePkcs8Base64(std::ostream& os) const;
+
+  /**
+   * @return Cipher text of @p plainText encrypted using the public key.
+   *
+   * Only RSA encryption is supported for now.
+   */
+  ConstBufferPtr
+  encrypt(const uint8_t* plainText, size_t plainLen) const;
+
+private:
+  /**
+   * @return A pointer to an EVP_PKEY instance.
+   *
+   * One need to explicitly cast the return value to EVP_PKEY*.
+   */
+  void*
+  getEvpPkey() const;
+
+private:
+  ConstBufferPtr
+  toPkcs8() const;
+
+  ConstBufferPtr
+  rsaEncrypt(const uint8_t* plainText, size_t plainLen) const;
+
+private:
+  class Impl;
+  unique_ptr<Impl> m_impl;
+};
+
+} // namespace transform
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_CXX_SECURITY_TRANSFORM_PUBLIC_KEY_HPP
diff --git a/tests/unit-tests/security/transform/private-key.t.cpp b/tests/unit-tests/security/transform/private-key.t.cpp
new file mode 100644
index 0000000..35bb295
--- /dev/null
+++ b/tests/unit-tests/security/transform/private-key.t.cpp
@@ -0,0 +1,413 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/transform/private-key.hpp"
+#include "security/transform.hpp"
+#include "security/key-params.hpp"
+#include "encoding/buffer-stream.hpp"
+#include <iostream>
+
+#include <boost/mpl/list.hpp>
+#include "boost-test.hpp"
+
+namespace ndn {
+namespace security {
+namespace transform {
+namespace tests {
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(Transform)
+BOOST_AUTO_TEST_SUITE(TestPrivateKey)
+
+class RsaKeyTestData
+{
+public:
+  RsaKeyTestData()
+  {
+    privateKeyPkcs1 =
+      "MIIEpAIBAAKCAQEAw0WM1/WhAxyLtEqsiAJgWDZWuzkYpeYVdeeZcqRZzzfRgBQT\n"
+      "sNozS5t4HnwTZhwwXbH7k3QN0kRTV826Xobws3iigohnM9yTK+KKiayPhIAm/+5H\n"
+      "GT6SgFJhYhqo1/upWdueojil6RP4/AgavHhopxlAVbk6G9VdVnlQcQ5Zv0OcGi73\n"
+      "c+EnYD/YgURYGSngUi/Ynsh779p2U69/te9gZwIL5PuE9BiO6I39cL9z7EK1SfZh\n"
+      "OWvDe/qH7YhD/BHwcWit8FjRww1glwRVTJsA9rH58ynaAix0tcR/nBMRLUX+e3rU\n"
+      "RHg6UbSjJbdb9qmKM1fTGHKUzL/5pMG6uBU0ywIDAQABAoIBADQkckOIl4IZMUTn\n"
+      "W8LFv6xOdkJwMKC8G6bsPRFbyY+HvC2TLt7epSvfS+f4AcYWaOPcDu2E49vt2sNr\n"
+      "cASly8hgwiRRAB3dHH9vcsboiTo8bi2RFvMqvjv9w3tK2yMxVDtmZamzrrnaV3YV\n"
+      "Q+5nyKo2F/PMDjQ4eUAKDOzjhBuKHsZBTFnA1MFNI+UKj5X4Yp64DFmKlxTX/U2b\n"
+      "wzVywo5hzx2Uhw51jmoLls4YUvMJXD0wW5ZtYRuPogXvXb/of9ef/20/wU11WFKg\n"
+      "Xb4gfR8zUXaXS1sXcnVm3+24vIs9dApUwykuoyjOqxWqcHRec2QT2FxVGkFEraze\n"
+      "CPa4rMECgYEA5Y8CywomIcTgerFGFCeMHJr8nQGqY2V/owFb3k9maczPnC9p4a9R\n"
+      "c5szLxA9FMYFxurQZMBWSEG2JS1HR2mnjigx8UKjYML/A+rvvjZOMe4M6Sy2ggh4\n"
+      "SkLZKpWTzjTe07ByM/j5v/SjNZhWAG7sw4/LmPGRQkwJv+KZhGojuOkCgYEA2cOF\n"
+      "T6cJRv6kvzTz9S0COZOVm+euJh/BXp7oAsAmbNfOpckPMzqHXy8/wpdKl6AAcB57\n"
+      "OuztlNfV1D7qvbz7JuRlYwQ0cEfBgbZPcz1p18HHDXhwn57ZPb8G33Yh9Omg0HNA\n"
+      "Imb4LsVuSqxA6NwSj7cpRekgTedrhLFPJ+Ydb5MCgYEAsM3Q7OjILcIg0t6uht9e\n"
+      "vrlwTsz1mtCV2co2I6crzdj9HeI2vqf1KAElDt6G7PUHhglcr/yjd8uEqmWRPKNX\n"
+      "ddnnfVZB10jYeP/93pac6z/Zmc3iU4yKeUe7U10ZFf0KkiiYDQd59CpLef/2XScS\n"
+      "HB0oRofnxRQjfjLc4muNT+ECgYEAlcDk06MOOTly+F8lCc1bA1dgAmgwFd2usDBd\n"
+      "Y07a3e0HGnGLN3Kfl7C5i0tZq64HvxLnMd2vgLVxQlXGPpdQrC1TH+XLXg+qnlZO\n"
+      "ivSH7i0/gx75bHvj75eH1XK65V8pDVDEoSPottllAIs21CxLw3N1ObOZWJm2EfmR\n"
+      "cuHICmsCgYAtFJ1idqMoHxES3mlRpf2JxyQudP3SCm2WpGmqVzhRYInqeatY5sUd\n"
+      "lPLHm/p77RT7EyxQHTlwn8FJPuM/4ZH1rQd/vB+Y8qAtYJCexDMsbvLW+Js+VOvk\n"
+      "jweEC0nrcL31j9mF0vz5E6tfRu4hhJ6L4yfWs0gSejskeVB/w8QY4g==\n";
+
+    privateKeyPkcs8 =
+      "MIIFCzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIOKYJXvB6p8kCAggA\n"
+      "MBEGBSsOAwIHBAiQgMK8kQXTyASCBMjeNiKYYw5/yHgs9BfSGrpqvV0LkkgMQNUW\n"
+      "R4ZY8fuNjZynd+PxDuw2pyrv1Yv3jc+tupwUehZEzYOnGd53wQAuLO+Z0TBgRFN7\n"
+      "Lhk+AxlT7hu0xaB3ZpJ/uvWpgEJHsq/aB/GYgyzXcQo2AiqzERVpMCWJVmE1L977\n"
+      "CHwJmLm5mxclVLYp1UK5lkIBFu/M4nPavmNmYNUU1LOrXRo56TlJ2kUp8gQyQI1P\n"
+      "VPxi4chmlsr/OnQ2d1eZN+euFm0CS+yP+LFgI9ZqdyH1w+J43SXdHDzauVcZp7oa\n"
+      "Kw24OrhHfolLAnQIECXEJYeT7tZmhC4O9V6B18PFVyxWnEU4eFNpFE8kYSmm8Um2\n"
+      "buvDKI71q43hm23moYT9uIM1f4M8UkoOliJGrlf4xgEcmDuokEX01PdOq1gc4nvG\n"
+      "0DCwDI9cOsyn8cxhk9UVtFgzuG/seuznxIv1F5H0hzYOyloStXxRisJES0kgByBt\n"
+      "FFTfyoFKRrmCjRIygwVKUSkSDR0DlQS5ZLvQyIswnSQFwxAHqfvoSL4dB9UAIAQ+\n"
+      "ALVF1maaHgptbL6Ifqf0GFCv0hdNCVNDNCdy8R+S6nEYE+YdYSIdT1L88KD5PjU3\n"
+      "YY/CMnxhTncMaT4acPO1UUYuSGRZ/JL6E0ihoqIU+bqUgLSHNzhPySPfN9uqN61Y\n"
+      "HFBtxeEPWKU0f/JPkRBMmZdMI1/OVmA3QHSRBydI+CQN8no2gZRFoVbHTkG8IMpE\n"
+      "1fiDJpwFkpzIv/JPiTSE7DeBH5NJk1bgu7TcuZfa4unyAqss0UuLnXzS06TppkUj\n"
+      "QGft0g8VPW56eli6B4xrSzzuvAdbrxsVfxdmtHPyYxLb3/UG1g4x/H/yULhx7x9P\n"
+      "iI6cw6JUE+8bwJV2ZIlHXXHO+wUp/gCFJ6MHo9wkR1QvnHP2ClJAzBm9OvYnUx2Y\n"
+      "SX0HxEowW8BkhxOF184LEmxeua0yyZUqCdrYmErp7x9EY/LhD1zBwH8OGRa0qzmR\n"
+      "VKxAPKihkb9OgxcUKbvKePx3k2cQ7fbCUspGPm4Kn1zwMgRAZ4fz/o8Lnwc8MSY3\n"
+      "lPWnmLTFu420SRH2g9N0o/r195hiZ5cc+KfF4pwZWKbEbKFk/UfXA9vmOi7BBtDJ\n"
+      "RWshOINhzMU6Ij3KuaEpHni1HoHjw0SQ97ow2x/aB8k2QC28tbsa49lD2KKJku6b\n"
+      "2Or89adwFKqMgS2IXfXMXs/iG5EFLYN6r8e40Dn5f1vJfRLJl03XByIfT2n92pw3\n"
+      "fP7muOIKLUsEKjOrmn94NwMlfeW13oQHEH2KjPOWFS/tyJHDdVU+of4COH5yg59a\n"
+      "TZqFkOTGeliE1O+6sfF9fRuVxFUF3D8Hpr0JIjdc6+3RgIlGsXc8BwiSjDSI2XW+\n"
+      "vo75/2zPU9t8OeXEIJk2CQGyqLwUJ6dyi/yDRrvZAgjrUvbpcxydnBAHrLbLUGXJ\n"
+      "aEHH2tjEtnTqVyTchr1yHoupcFOCkA0dAA66XqwcssQxJiMGrWTpCbgd9mrTXQaZ\n"
+      "U7afFN1jpO78tgBQUUpImXdHLLsqdN5tefqjileZGZ9x3/C6TNAfDwYJdsicNNn5\n"
+      "y+JVsbltfLWlJxb9teb3dtQiFlJ7ofprLJnJVqI/Js8lozY+KaxV2vtbZkcD4dM=\n";
+
+    publicKeyPkcs8 =
+      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0WM1/WhAxyLtEqsiAJg\n"
+      "WDZWuzkYpeYVdeeZcqRZzzfRgBQTsNozS5t4HnwTZhwwXbH7k3QN0kRTV826Xobw\n"
+      "s3iigohnM9yTK+KKiayPhIAm/+5HGT6SgFJhYhqo1/upWdueojil6RP4/AgavHho\n"
+      "pxlAVbk6G9VdVnlQcQ5Zv0OcGi73c+EnYD/YgURYGSngUi/Ynsh779p2U69/te9g\n"
+      "ZwIL5PuE9BiO6I39cL9z7EK1SfZhOWvDe/qH7YhD/BHwcWit8FjRww1glwRVTJsA\n"
+      "9rH58ynaAix0tcR/nBMRLUX+e3rURHg6UbSjJbdb9qmKM1fTGHKUzL/5pMG6uBU0\n"
+      "ywIDAQAB\n";
+  }
+
+public:
+  std::string privateKeyPkcs1;
+  std::string privateKeyPkcs8;
+  std::string publicKeyPkcs8;
+};
+
+class EcdsaKeyTestData
+{
+public:
+  EcdsaKeyTestData()
+  {
+    privateKeyPkcs1 =
+      "MIIBaAIBAQQgRxwcbzK9RV6AHYFsDcykI86o3M/a1KlJn0z8PcLMBZOggfowgfcC\n"
+      "AQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA////////////////\n"
+      "MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57Pr\n"
+      "vVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEE\n"
+      "axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54W\n"
+      "K84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8\n"
+      "YyVRAgEBoUQDQgAEaG4WJuDAt0QkEM4t29KDUdzkQlMPGrqWzkWhgt9OGnwc6O7A\n"
+      "ZLPSrDyhwyrKS7XLRXml5DisQ93RvByll32y8A==\n";
+
+    privateKeyPkcs8 =
+      "MIIBwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIVHkBzLGtDvICAggA\n"
+      "MBEGBSsOAwIHBAhk6g9eI3toNwSCAYDd+LWPDBTrKV7vUyxTvDbpUd0eXfh73DKA\n"
+      "MHkdHuVmhpmpBbsF9XvaFuL8J/1xi1Yl2XGw8j3WyrprD2YEhl/+zKjNbdTDJmNO\n"
+      "SlomuwWb5AVCJ9reT94zIXKCnexUcyBFS7ep+P4dwuef0VjzprjfmnAZHrP+u594\n"
+      "ELHpKwi0ZpQLtcJjjud13bn43vbXb+aU7jmPV5lU2XP8TxaQJiYIibNEh1Y3TZGr\n"
+      "akJormYvhaYbiZkKLHQ9AvQMEjhoIW5WCB3q+tKZUKTzcQpjNnf9FOTeKN3jk3Kd\n"
+      "2OmibPZcbMJdgCD/nRVn1cBo7Hjn3IMjgtszQHtEUphOQiAkOJUnKmy9MTYqtcNN\n"
+      "6cuFItbu4QvbVwailgdUjOYwIJCmIxExlPV0ohS24pFGsO03Yn7W8rBB9VWENYmG\n"
+      "HkZIbGsHv7O9Wy7fv+FJgZkjeti0807IsNXSJl8LUK0ZIhAR7OU8uONWMsbHdQnk\n"
+      "q1HB1ZKa52ugACl7g/DF9b7CoSAjFeE=\n";
+
+    publicKeyPkcs8 =
+      "MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA\n"
+      "AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////\n"
+      "///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd\n"
+      "NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5\n"
+      "RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA\n"
+      "//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABGhuFibgwLdEJBDOLdvSg1Hc\n"
+      "5EJTDxq6ls5FoYLfThp8HOjuwGSz0qw8ocMqyku1y0V5peQ4rEPd0bwcpZd9svA=\n";
+  }
+
+public:
+  std::string privateKeyPkcs1;
+  std::string privateKeyPkcs8;
+  std::string publicKeyPkcs8;
+};
+
+typedef boost::mpl::list<RsaKeyTestData,
+                         EcdsaKeyTestData> KeyTestDataSets;
+
+void
+checkPkcs8Encoding(ConstBufferPtr encoding, const std::string& password, ConstBufferPtr pkcs1)
+{
+  PrivateKey sKey;
+  BOOST_REQUIRE_NO_THROW(sKey.loadPkcs8(encoding->buf(), encoding->size(),
+                                        password.c_str(), password.size()));
+  OBufferStream os;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs1(os));
+  ConstBufferPtr keyPkcs1Str = os.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(pkcs1->begin(), pkcs1->end(), keyPkcs1Str->begin(), keyPkcs1Str->end());
+}
+
+void
+checkPkcs8Base64Encoding(ConstBufferPtr encoding, const std::string& password, ConstBufferPtr pkcs1)
+{
+  OBufferStream os;
+  bufferSource(*encoding) >> base64Decode() >> streamSink(os);
+
+  checkPkcs8Encoding(os.buf(), password, pkcs1);
+}
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(SaveLoad, T, KeyTestDataSets)
+{
+  T dataSet;
+
+  const uint8_t* sKeyPkcs1Base64 = reinterpret_cast<const uint8_t*>(dataSet.privateKeyPkcs1.c_str());
+  size_t sKeyPkcs1Base64Len = dataSet.privateKeyPkcs1.size();
+
+  OBufferStream os;
+  bufferSource(sKeyPkcs1Base64, sKeyPkcs1Base64Len) >> base64Decode() >> streamSink(os);
+  ConstBufferPtr sKeyPkcs1Buf = os.buf();
+  const uint8_t* sKeyPkcs1 = sKeyPkcs1Buf->buf();
+  size_t sKeyPkcs1Len = sKeyPkcs1Buf->size();
+
+  // load key in base64 encoded pkcs1 format
+  PrivateKey sKey;
+  BOOST_REQUIRE_NO_THROW(sKey.loadPkcs1Base64(sKeyPkcs1Base64, sKeyPkcs1Base64Len));
+
+  std::stringstream ss2(dataSet.privateKeyPkcs1);
+  PrivateKey sKey2;
+  BOOST_REQUIRE_NO_THROW(sKey2.loadPkcs1Base64(ss2));
+
+  // load key in pkcs1 format
+  PrivateKey sKey3;
+  BOOST_REQUIRE_NO_THROW(sKey3.loadPkcs1(sKeyPkcs1, sKeyPkcs1Len));
+
+  std::stringstream ss4;
+  ss4.write(reinterpret_cast<const char*>(sKeyPkcs1), sKeyPkcs1Len);
+  PrivateKey sKey4;
+  BOOST_REQUIRE_NO_THROW(sKey4.loadPkcs1(ss4));
+
+  // save key in base64 encoded pkcs1 format
+  OBufferStream os2;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs1Base64(os2));
+  ConstBufferPtr keyPkcs1Base64Str = os2.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sKeyPkcs1Base64, sKeyPkcs1Base64 + sKeyPkcs1Base64Len,
+                                keyPkcs1Base64Str->begin(), keyPkcs1Base64Str->end());
+
+  // save key in pkcs1 format
+  OBufferStream os3;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs1(os3));
+  ConstBufferPtr keyPkcs1Str = os3.buf();
+  BOOST_CHECK_EQUAL_COLLECTIONS(sKeyPkcs1, sKeyPkcs1 + sKeyPkcs1Len,
+                                keyPkcs1Str->begin(), keyPkcs1Str->end());
+
+
+
+  const uint8_t* sKeyPkcs8Base64 = reinterpret_cast<const uint8_t*>(dataSet.privateKeyPkcs8.c_str());
+  size_t sKeyPkcs8Base64Len = dataSet.privateKeyPkcs8.size();
+
+  OBufferStream os4;
+  bufferSource(sKeyPkcs8Base64, sKeyPkcs8Base64Len) >> base64Decode() >> streamSink(os4);
+  ConstBufferPtr sKeyPkcs8Buf = os4.buf();
+  const uint8_t* sKeyPkcs8 = sKeyPkcs8Buf->buf();
+  size_t sKeyPkcs8Len = sKeyPkcs8Buf->size();
+
+  std::string password("password");
+  std::string wrongpw("wrongpw");
+  auto pwCallback = [&] (char* buf, size_t size, int rwflag) -> int {
+    std::copy(password.begin(), password.end(), buf);
+    return password.size();
+  };
+
+
+  // load key in base64 encoded pkcs8 format
+  PrivateKey sKey5;
+  BOOST_REQUIRE_NO_THROW(sKey5.loadPkcs8Base64(sKeyPkcs8Base64, sKeyPkcs8Base64Len,
+                                               password.c_str(), password.size()));
+
+  PrivateKey sKey6;
+  BOOST_REQUIRE_NO_THROW(sKey6.loadPkcs8Base64(sKeyPkcs8Base64, sKeyPkcs8Base64Len, pwCallback));
+
+  std::stringstream ss7(dataSet.privateKeyPkcs8);
+  PrivateKey sKey7;
+  BOOST_REQUIRE_NO_THROW(sKey7.loadPkcs8Base64(ss7, password.c_str(), password.size()));
+
+  std::stringstream ss8(dataSet.privateKeyPkcs8);
+  PrivateKey sKey8;
+  BOOST_REQUIRE_NO_THROW(sKey8.loadPkcs8Base64(ss8, pwCallback));
+
+  // load key in pkcs8 format
+  PrivateKey sKey9;
+  BOOST_REQUIRE_NO_THROW(sKey9.loadPkcs8(sKeyPkcs8, sKeyPkcs8Len,
+                                         password.c_str(), password.size()));
+
+  PrivateKey sKey10;
+  BOOST_REQUIRE_NO_THROW(sKey10.loadPkcs8(sKeyPkcs8, sKeyPkcs8Len, pwCallback));
+
+  std::stringstream ss11;
+  ss11.write(reinterpret_cast<const char*>(sKeyPkcs8), sKeyPkcs8Len);
+  PrivateKey sKey11;
+  BOOST_REQUIRE_NO_THROW(sKey11.loadPkcs8(ss11, password.c_str(), password.size()));
+
+  std::stringstream ss12;
+  ss12.write(reinterpret_cast<const char*>(sKeyPkcs8), sKeyPkcs8Len);
+  PrivateKey sKey12;
+  BOOST_REQUIRE_NO_THROW(sKey12.loadPkcs8(ss12, pwCallback));
+
+  // load key using wrong password, Error is expected.
+  PrivateKey sKey13;
+  BOOST_REQUIRE_THROW(sKey13.loadPkcs8Base64(sKeyPkcs8Base64, sKeyPkcs8Base64Len, wrongpw.c_str(), wrongpw.size()),
+                      PrivateKey::Error);
+
+  // save key in base64 encoded pkcs8 format
+  OBufferStream os14;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs8Base64(os14, password.c_str(), password.size()));
+  ConstBufferPtr encoded14 = os14.buf();
+  checkPkcs8Base64Encoding(encoded14, password, sKeyPkcs1Buf);
+
+  OBufferStream os15;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs8Base64(os15, pwCallback));
+  ConstBufferPtr encoded15 = os15.buf();
+  checkPkcs8Base64Encoding(encoded15, password, sKeyPkcs1Buf);
+
+  // save key in pkcs8 format
+  OBufferStream os16;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs8(os16, password.c_str(), password.size()));
+  ConstBufferPtr encoded16 = os16.buf();
+  checkPkcs8Encoding(encoded16, password, sKeyPkcs1Buf);
+
+  OBufferStream os17;
+  BOOST_REQUIRE_NO_THROW(sKey.savePkcs8(os17, pwCallback));
+  ConstBufferPtr encoded17 = os17.buf();
+  checkPkcs8Encoding(encoded17, password, sKeyPkcs1Buf);
+}
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(DerivePublicKey, T, KeyTestDataSets)
+{
+  T dataSet;
+
+  const uint8_t* sKeyPkcs1Base64 = reinterpret_cast<const uint8_t*>(dataSet.privateKeyPkcs1.c_str());
+  size_t sKeyPkcs1Base64Len = dataSet.privateKeyPkcs1.size();
+
+  PrivateKey sKey;
+  BOOST_REQUIRE_NO_THROW(sKey.loadPkcs1Base64(sKeyPkcs1Base64, sKeyPkcs1Base64Len));
+
+  // derive public key and compare
+  ConstBufferPtr pKeyBits= sKey.derivePublicKey();
+  OBufferStream os;
+  bufferSource(dataSet.publicKeyPkcs8) >> base64Decode() >> streamSink(os);
+  BOOST_CHECK_EQUAL_COLLECTIONS(pKeyBits->begin(), pKeyBits->end(),
+                                os.buf()->begin(), os.buf()->end());
+}
+
+BOOST_AUTO_TEST_CASE(RsaDecryption)
+{
+  RsaKeyTestData dataSet;
+
+  PrivateKey sKey;
+  sKey.loadPkcs1Base64(reinterpret_cast<const uint8_t*>(dataSet.privateKeyPkcs1.c_str()),
+                       dataSet.privateKeyPkcs1.size());
+
+  const uint8_t plainText[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
+  };
+
+  const std::string cipherTextBase64 =
+    "i2XNpZ2JbLa4JmBTdDrGmsd4/0C+p+BSCpW3MuPBNe5uChQ0eRO1dvjTnEqwSECY\n"
+    "38en9JZwcyb0It/TSFNXHlq+Z1ZpffnjIJxQR9HcgwvwQJh6WRH0vu38tvGkGuNv\n"
+    "60Rdn85hqSy1CikmXCeWXL9yCqeqcP21R94G/T3FuA+c1FtFko8KOzCwvrTXMO6n\n"
+    "5PNsqlLXabSGr+jz4EwOsSCgPkiDf9U6tXoSPRA2/YvqFQdaiUXIVlomESvaqqZ8\n"
+    "FxPs2BON0lobM8gT+xdzbRKofp+rNjNK+5uWyeOnXJwzCszh17cdJl2BH1dZwaVD\n"
+    "PmTiSdeDQXZ94U5boDQ4Aw==\n";
+
+  OBufferStream os;
+  bufferSource(cipherTextBase64) >> base64Decode() >> streamSink(os);
+
+  ConstBufferPtr decryptText = sKey.decrypt(os.buf()->buf(), os.buf()->size());
+
+  BOOST_CHECK_EQUAL_COLLECTIONS(plainText, plainText + sizeof(plainText),
+                                decryptText->begin(), decryptText->end());
+}
+
+BOOST_AUTO_TEST_CASE(RsaEncryption)
+{
+  RsaKeyTestData dataSet;
+
+  PublicKey pKey;
+  pKey.loadPkcs8Base64(reinterpret_cast<const uint8_t*>(dataSet.publicKeyPkcs8.c_str()),
+                       dataSet.publicKeyPkcs8.size());
+
+  PrivateKey sKey;
+  sKey.loadPkcs1Base64(reinterpret_cast<const uint8_t*>(dataSet.privateKeyPkcs1.c_str()),
+                       dataSet.privateKeyPkcs1.size());
+
+  const uint8_t plainText[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
+  };
+
+  ConstBufferPtr cipherText = pKey.encrypt(plainText, sizeof(plainText));
+  ConstBufferPtr decryptText = sKey.decrypt(cipherText->buf(), cipherText->size());
+
+  BOOST_CHECK_EQUAL_COLLECTIONS(plainText, plainText + sizeof(plainText),
+                                decryptText->begin(), decryptText->end());
+}
+
+typedef boost::mpl::list<RsaKeyParams,
+                         EcdsaKeyParams> TestKeyParams;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(GenerateKey, T, TestKeyParams)
+{
+  BOOST_REQUIRE_NO_THROW(generatePrivateKey(T()));
+
+  unique_ptr<PrivateKey> sKey = generatePrivateKey(T());
+  PublicKey pKey;
+  ConstBufferPtr pKeyBits = sKey->derivePublicKey();
+  pKey.loadPkcs8(pKeyBits->buf(), pKeyBits->size());
+
+  // TODO: Sign/Verify using the generated key
+
+  unique_ptr<PrivateKey> sKey2 = generatePrivateKey(T());
+
+  OBufferStream os1;
+  sKey->savePkcs1(os1);
+  ConstBufferPtr key1Pkcs1 = os1.buf();
+
+  OBufferStream os2;
+  sKey2->savePkcs1(os2);
+  ConstBufferPtr key2Pkcs1 = os2.buf();
+
+  BOOST_CHECK(*key1Pkcs1 != *key2Pkcs1);
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestPrivateKey
+BOOST_AUTO_TEST_SUITE_END() // Transform
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace transform
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/transform/public-key.t.cpp b/tests/unit-tests/security/transform/public-key.t.cpp
new file mode 100644
index 0000000..1009bd9
--- /dev/null
+++ b/tests/unit-tests/security/transform/public-key.t.cpp
@@ -0,0 +1,127 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/transform/public-key.hpp"
+#include "security/transform/buffer-source.hpp"
+#include "security/transform/base64-decode.hpp"
+#include "security/transform/stream-sink.hpp"
+#include "encoding/buffer-stream.hpp"
+
+#include <boost/mpl/list.hpp>
+#include "boost-test.hpp"
+
+namespace ndn {
+namespace security {
+namespace transform {
+namespace tests {
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(Transform)
+BOOST_AUTO_TEST_SUITE(TestPublicKey)
+
+class RsaPublicKeyTestData
+{
+public:
+  RsaPublicKeyTestData()
+  {
+    publicKeyPkcs8 =
+      "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0WM1/WhAxyLtEqsiAJg\n"
+      "WDZWuzkYpeYVdeeZcqRZzzfRgBQTsNozS5t4HnwTZhwwXbH7k3QN0kRTV826Xobw\n"
+      "s3iigohnM9yTK+KKiayPhIAm/+5HGT6SgFJhYhqo1/upWdueojil6RP4/AgavHho\n"
+      "pxlAVbk6G9VdVnlQcQ5Zv0OcGi73c+EnYD/YgURYGSngUi/Ynsh779p2U69/te9g\n"
+      "ZwIL5PuE9BiO6I39cL9z7EK1SfZhOWvDe/qH7YhD/BHwcWit8FjRww1glwRVTJsA\n"
+      "9rH58ynaAix0tcR/nBMRLUX+e3rURHg6UbSjJbdb9qmKM1fTGHKUzL/5pMG6uBU0\n"
+      "ywIDAQAB\n";
+  }
+
+public:
+  std::string publicKeyPkcs8;
+};
+
+class EcdsaPublicKeyTestData
+{
+public:
+  EcdsaPublicKeyTestData()
+  {
+    publicKeyPkcs8 =
+      "MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA\n"
+      "AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////\n"
+      "///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd\n"
+      "NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5\n"
+      "RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA\n"
+      "//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABGhuFibgwLdEJBDOLdvSg1Hc\n"
+      "5EJTDxq6ls5FoYLfThp8HOjuwGSz0qw8ocMqyku1y0V5peQ4rEPd0bwcpZd9svA=\n";
+  }
+
+public:
+  std::string publicKeyPkcs8;
+};
+
+typedef boost::mpl::list<RsaPublicKeyTestData,
+                         EcdsaPublicKeyTestData> PublicKeyTestDataSets;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(SaveLoad, T, PublicKeyTestDataSets)
+{
+  T dataSet;
+
+  const uint8_t* pKeyPkcs8Base64 = reinterpret_cast<const uint8_t*>(dataSet.publicKeyPkcs8.c_str());
+  size_t pKeyPkcs8Base64Len = dataSet.publicKeyPkcs8.size();
+
+  OBufferStream os;
+  bufferSource(pKeyPkcs8Base64, pKeyPkcs8Base64Len) >> base64Decode() >> streamSink(os);
+  ConstBufferPtr pKeyPkcs8Buf = os.buf();
+  const uint8_t* pKeyPkcs8 = pKeyPkcs8Buf->buf();
+  size_t pKeyPkcs8Len = pKeyPkcs8Buf->size();
+
+  PublicKey pKey1;
+  BOOST_REQUIRE_NO_THROW(pKey1.loadPkcs8Base64(pKeyPkcs8Base64, pKeyPkcs8Base64Len));
+
+  std::stringstream ss2(dataSet.publicKeyPkcs8);
+  PublicKey pKey2;
+  BOOST_REQUIRE_NO_THROW(pKey2.loadPkcs8Base64(ss2));
+
+  PublicKey pKey3;
+  BOOST_REQUIRE_NO_THROW(pKey3.loadPkcs8(pKeyPkcs8, pKeyPkcs8Len));
+
+  std::stringstream ss4;
+  ss4.write(reinterpret_cast<const char*>(pKeyPkcs8), pKeyPkcs8Len);
+  PublicKey pKey4;
+  BOOST_REQUIRE_NO_THROW(pKey4.loadPkcs8(ss4));
+
+  OBufferStream os5;
+  BOOST_REQUIRE_NO_THROW(pKey1.savePkcs8Base64(os5));
+  BOOST_CHECK_EQUAL_COLLECTIONS(pKeyPkcs8Base64, pKeyPkcs8Base64 + pKeyPkcs8Base64Len,
+                                os5.buf()->begin(), os5.buf()->end());
+
+  OBufferStream os6;
+  BOOST_REQUIRE_NO_THROW(pKey1.savePkcs8(os6));
+  BOOST_CHECK_EQUAL_COLLECTIONS(pKeyPkcs8, pKeyPkcs8 + pKeyPkcs8Len,
+                                os6.buf()->begin(), os6.buf()->end());
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestPublicKey
+BOOST_AUTO_TEST_SUITE_END() // Transform
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace transform
+} // namespace security
+} // namespace ndn