renaming: ndn-cpp to ndn-cpp-dev

Change-Id: Iff3e4ff53a0005b7dd35c57d03da76b347170d03
diff --git a/include/ndn-cpp-dev/security/certificate-extension.hpp b/include/ndn-cpp-dev/security/certificate-extension.hpp
new file mode 100644
index 0000000..61f7dd2
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate-extension.hpp
@@ -0,0 +1,78 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_EXTENSION_HPP
+#define NDN_CERTIFICATE_EXTENSION_HPP
+
+#include "../common.hpp"
+#include "../encoding/buffer.hpp"
+#include "../encoding/oid.hpp"
+
+namespace CryptoPP { class BufferedTransformation; }
+
+namespace ndn {
+
+/**
+ * A CertificateExtension represents the Extension entry in a certificate.
+ */
+class CertificateExtension
+{
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  CertificateExtension(CryptoPP::BufferedTransformation &in)
+  {
+    decode(in);
+  }
+
+  /**
+   * Create a new CertificateExtension.
+   * @param oid The oid of subject description entry.
+   * @param isCritical If true, the extension must be handled.
+   * @param value The extension value.
+   */
+  CertificateExtension(const OID& oid, const bool isCritical, const Buffer& value)
+    : extensionId_(oid), isCritical_(isCritical), extensionValue_(value)
+  {
+  }
+
+  CertificateExtension(const OID& oid, const bool isCritical, const uint8_t* value, size_t valueSize)
+    : extensionId_(oid), isCritical_(isCritical), extensionValue_(value, valueSize)
+  {
+  }
+  
+  /**
+   * The virtual destructor.
+   */
+  virtual
+  ~CertificateExtension() {}
+
+  void
+  encode(CryptoPP::BufferedTransformation &out) const;
+
+  void
+  decode(CryptoPP::BufferedTransformation &in);
+  
+  inline const OID& 
+  getOid() const { return extensionId_; }
+
+  inline const bool 
+  getIsCritical() const { return isCritical_; }
+
+  inline const Buffer& 
+  getValue() const { return extensionValue_; }
+    
+protected:
+  OID extensionId_;
+  bool isCritical_;
+  Buffer extensionValue_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/certificate-subject-description.hpp b/include/ndn-cpp-dev/security/certificate-subject-description.hpp
new file mode 100644
index 0000000..fc26d37
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate-subject-description.hpp
@@ -0,0 +1,64 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_SUBJECT_DESCRIPTION_HPP
+#define NDN_CERTIFICATE_SUBJECT_DESCRIPTION_HPP
+
+#include "../common.hpp"
+#include "../encoding/oid.hpp"
+
+namespace CryptoPP { class BufferedTransformation; }
+
+namespace ndn {
+
+/**
+ * A CertificateSubjectDescription represents the SubjectDescription entry in a Certificate.
+ */
+class CertificateSubjectDescription {
+public:
+  CertificateSubjectDescription(CryptoPP::BufferedTransformation &in)
+  {
+    decode(in);
+  }
+  
+  /**
+   * Create a new CertificateSubjectDescription.
+   * @param oid The oid of the subject description entry.
+   * @param value The value of the subject description entry.
+   */
+  CertificateSubjectDescription(const OID &oid, const std::string &value)
+  : oid_(oid), value_(value)
+  {
+  }
+
+  void
+  encode(CryptoPP::BufferedTransformation &out) const;
+
+  void
+  decode(CryptoPP::BufferedTransformation &in);
+  
+  std::string
+  getOidString() const
+  {
+    return oid_.toString();
+  }
+
+  const std::string &
+  getValue() const
+  {
+    return value_;
+  }
+  
+private:
+  OID oid_;
+  std::string value_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/certificate.hpp b/include/ndn-cpp-dev/security/certificate.hpp
new file mode 100644
index 0000000..9871733
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate.hpp
@@ -0,0 +1,156 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_HPP
+#define NDN_CERTIFICATE_HPP
+
+#include "../data.hpp"
+#include "../common.hpp"
+
+#include "certificate-subject-description.hpp"
+#include "certificate-extension.hpp"
+#include "public-key.hpp"
+
+namespace ndn {
+
+class Certificate : public Data {
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  typedef std::vector<CertificateSubjectDescription> SubjectDescriptionList;
+  typedef std::vector<CertificateExtension> ExtensionList;
+
+  /**
+   * The default constructor.
+   */
+  Certificate();
+
+  /**
+   * Create a Certificate from the content in the data packet.
+   * @param data The data packet with the content to decode.
+   */
+  Certificate(const Data& data);
+ 
+  /**
+   * The virtual destructor.
+   */
+  virtual 
+  ~Certificate();
+
+  inline void
+  wireDecode(const Block &wire);
+  
+  /**
+   * encode certificate info into content
+   */
+  void
+  encode();
+
+  /**
+   * Add a subject description.
+   * @param description The description to be added.
+   */
+  void 
+  addSubjectDescription(const CertificateSubjectDescription& description) { subjectDescriptionList_.push_back(description); }
+
+  const SubjectDescriptionList& 
+  getSubjectDescriptionList() const { return subjectDescriptionList_; }
+  
+  SubjectDescriptionList& 
+  getSubjectDescriptionList() { return subjectDescriptionList_; }
+ 
+  /**
+   * Add a certificate extension.
+   * @param extension the extension to be added
+   */
+  void 
+  addExtension(const CertificateExtension& extension) { extensionList_.push_back(extension); }
+
+  const ExtensionList&
+  getExtensionList() const { return extensionList_; }
+  
+  ExtensionList&
+  getExtensionList() { return extensionList_; }
+
+  void 
+  setNotBefore(const MillisecondsSince1970& notBefore) { notBefore_ = notBefore; }
+
+  MillisecondsSince1970& 
+  getNotBefore() { return notBefore_; }
+  
+  const MillisecondsSince1970& 
+  getNotBefore() const { return notBefore_; }
+
+  void
+  setNotAfter(const MillisecondsSince1970& notAfter) { notAfter_ = notAfter; }
+
+  MillisecondsSince1970& 
+  getNotAfter() { return notAfter_; }
+
+  const MillisecondsSince1970& 
+  getNotAfter() const { return notAfter_; }
+
+  void
+  setPublicKeyInfo(const PublicKey& key) { key_ = key; }
+  
+  PublicKey& 
+  getPublicKeyInfo() { return key_; }
+
+  const PublicKey& 
+  getPublicKeyInfo() const { return key_; }
+
+  // virtual Name 
+  // getPublicKeyName() const = 0;
+  
+  /**
+   * Check if the certificate is valid.
+   * @return True if the current time is earlier than notBefore.
+   */
+  bool 
+  isTooEarly();
+
+  /**
+   * Check if the certificate is valid.
+   * @return True if the current time is later than notAfter.
+   */
+  bool
+  isTooLate();
+
+  void 
+  printCertificate(std::ostream &os) const;
+
+protected:
+  void
+  decode();
+
+protected:
+  SubjectDescriptionList subjectDescriptionList_;
+  MillisecondsSince1970 notBefore_;
+  MillisecondsSince1970 notAfter_;
+  PublicKey key_;
+  ExtensionList extensionList_;
+};
+
+inline void
+Certificate::wireDecode(const Block &wire)
+{
+  Data::wireDecode(wire);
+  decode();
+}
+
+
+inline std::ostream&
+operator <<(std::ostream &os, const Certificate &cert)
+{
+  cert.printCertificate(os);
+  return os;
+}
+
+} // namespace ndn
+
+#endif
diff --git a/include/ndn-cpp-dev/security/encryption-manager.hpp b/include/ndn-cpp-dev/security/encryption-manager.hpp
new file mode 100644
index 0000000..44eafb7
--- /dev/null
+++ b/include/ndn-cpp-dev/security/encryption-manager.hpp
@@ -0,0 +1,34 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_ENCRYPTION_MANAGER_HPP
+#define NDN_ENCRYPTION_MANAGER_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+
+namespace ndn {
+
+class EncryptionManager {
+public:
+  virtual ~EncryptionManager() {}
+    
+  virtual void 
+  createSymmetricKey(const Name& keyName, KeyType keyType, const Name& signkeyName = Name(), bool isSymmetric = true) = 0;
+
+  virtual ConstBufferPtr
+  encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false, 
+          EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+
+  virtual ConstBufferPtr
+  decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false, 
+          EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/identity-certificate.hpp b/include/ndn-cpp-dev/security/identity-certificate.hpp
new file mode 100644
index 0000000..65b07af
--- /dev/null
+++ b/include/ndn-cpp-dev/security/identity-certificate.hpp
@@ -0,0 +1,112 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_IDENTITY_CERTIFICATE_HPP
+#define NDN_IDENTITY_CERTIFICATE_HPP
+
+#include "certificate.hpp"
+
+namespace ndn {
+
+class IdentityCertificate : public Certificate
+{
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  /**
+   * The default constructor.
+   */
+  inline
+  IdentityCertificate();
+
+  // Note: The copy constructor works because publicKeyName_ has a copy constructor.
+
+  /**
+   * Create an IdentityCertificate from the content in the data packet.
+   * @param data The data packet with the content to decode.
+   */
+  inline
+  IdentityCertificate(const Data& data);
+  
+  /**
+   * The virtual destructor.
+   */
+  inline virtual 
+  ~IdentityCertificate();
+  
+  inline void
+  wireDecode(const Block &wire);
+
+  inline void
+  setName(const Name &name);
+  
+  inline const Name &
+  getPublicKeyName () const;
+
+  static bool
+  isIdentityCertificate(const Certificate& certificate);
+
+  /**
+   * Get the public key name from the full certificate name.
+   * @param certificateName The full certificate name.
+   * @return The related public key name.
+   */
+  static Name
+  certificateNameToPublicKeyName(const Name& certificateName);
+  
+private:
+  static bool
+  isCorrectName(const Name& name);
+  
+  void
+  setPublicKeyName();
+    
+protected:
+  Name publicKeyName_;
+};
+
+inline
+IdentityCertificate::IdentityCertificate()
+{
+}
+
+inline
+IdentityCertificate::IdentityCertificate(const Data& data)
+  : Certificate(data)
+{
+  setPublicKeyName();
+}
+  
+inline
+IdentityCertificate::~IdentityCertificate()
+{
+}
+
+inline void
+IdentityCertificate::wireDecode(const Block &wire)
+{
+  Certificate::wireDecode(wire);
+  setPublicKeyName();
+}
+
+inline void
+IdentityCertificate::setName(const Name &name)
+{
+  Certificate::setName(name);
+  setPublicKeyName();
+}
+
+inline const Name &
+IdentityCertificate::getPublicKeyName () const
+{
+  return publicKeyName_;
+}
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/key-chain.hpp b/include/ndn-cpp-dev/security/key-chain.hpp
new file mode 100644
index 0000000..fffa05d
--- /dev/null
+++ b/include/ndn-cpp-dev/security/key-chain.hpp
@@ -0,0 +1,366 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_KEY_CHAIN_HPP
+#define NDN_KEY_CHAIN_HPP
+
+#include "identity-certificate.hpp"
+#include "public-key.hpp"
+#include "signature-sha256-with-rsa.hpp"
+
+#include "sec-public-info-sqlite3.hpp"
+#include "sec-public-info-memory.hpp"
+#include "sec-tpm-osx.hpp"
+#include "sec-tpm-memory.hpp"
+
+
+namespace ndn {
+
+/**
+ * KeyChain is one of the main classes of the security library.
+ *
+ * The KeyChain class provides a set of interfaces of identity management and private key related operations.
+ */
+template<class Info, class Tpm>
+class KeyChainImpl : public Info, public Tpm
+{
+public:
+  // struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+  
+  /**
+   * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
+   * @param identityName The name of the identity.
+   * @return The key name of the auto-generated KSK of the identity.
+   */
+  Name
+  createIdentity(const Name& identityName)
+  {
+    if (!Info::doesIdentityExist(identityName)) {
+      Info::addIdentity(identityName);
+  
+      Name keyName = generateRSAKeyPairAsDefault(identityName, true);
+
+      ptr_lib::shared_ptr<IdentityCertificate> selfCert = selfSign(keyName); 
+  
+      Info::addCertificateAsDefault(*selfCert);
+
+      return keyName;
+    }
+    else
+      return Name();
+  }
+    
+  /**
+   * Generate a pair of RSA keys for the specified identity.
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   */
+  Name
+  generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
+  {
+    return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
+  }
+  
+  /**
+   * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
+   * @param identityName The name of the identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keySize The size of the key.
+   * @return The generated key name.
+   */
+  Name
+  generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
+  {
+    Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
+
+    Info::setDefaultKeyNameForIdentity(keyName);
+  
+    return keyName;
+  }
+
+  /**
+   * Create an identity certificate for a public key managed by this IdentityManager.
+   * @param certificatePrefix The name of public key to be signed.
+   * @param signerCertificateName The name of signing certificate.
+   * @param notBefore The notBefore value in the validity field of the generated certificate.
+   * @param notAfter The notAfter vallue in validity field of the generated certificate.
+   * @return The name of generated identity certificate.
+   */
+  ptr_lib::shared_ptr<IdentityCertificate>
+  createIdentityCertificate
+    (const Name& certificatePrefix,
+     const Name& signerCertificateName,
+     const MillisecondsSince1970& notBefore, 
+     const MillisecondsSince1970& notAfter)
+  {
+    Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+    
+    ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+    if (!pubKey)
+      throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+    
+    ptr_lib::shared_ptr<IdentityCertificate> certificate =
+      createIdentityCertificate(certificatePrefix,
+                                *pubKey,
+                                signerCertificateName,
+                                notBefore, notAfter);
+
+    Info::addCertificate(*certificate);
+  
+    return certificate;
+  }
+
+
+  /**
+   * Create an identity certificate for a public key supplied by the caller.
+   * @param certificatePrefix The name of public key to be signed.
+   * @param publickey The public key to be signed.
+   * @param signerCertificateName The name of signing certificate.
+   * @param notBefore The notBefore value in the validity field of the generated certificate.
+   * @param notAfter The notAfter vallue in validity field of the generated certificate.
+   * @return The generated identity certificate.
+   */
+  ptr_lib::shared_ptr<IdentityCertificate>
+  createIdentityCertificate
+    (const Name& certificatePrefix,
+     const PublicKey& publicKey,
+     const Name& signerCertificateName, 
+     const MillisecondsSince1970& notBefore,
+     const MillisecondsSince1970& notAfter)
+  {
+    ptr_lib::shared_ptr<IdentityCertificate> certificate (new IdentityCertificate());
+    Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+  
+    Name certificateName = certificatePrefix;
+    certificateName.append("ID-CERT").appendVersion();
+  
+    certificate->setName(certificateName);
+    certificate->setNotBefore(notBefore);
+    certificate->setNotAfter(notAfter);
+    certificate->setPublicKeyInfo(publicKey);
+    certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+    certificate->encode();
+
+    sign(*certificate, signerCertificateName);
+
+    return certificate;
+  }
+
+  void
+  sign(Data &data)
+  {
+    if (!Info::defaultCertificate())
+      {
+        Info::refreshDefaultCertificate();
+
+        if(!Info::defaultCertificate())
+          throw std::runtime_error("Default IdentityCertificate cannot be determined");
+      }
+
+    sign(data, *Info::defaultCertificate());
+  }
+  
+  /**
+   * Wire encode the Data object, sign it and set its signature.
+   * @param data The Data object to be signed.  This updates its signature and key locator field and wireEncoding.
+   * @param certificateName The certificate name of the key to use for signing.  If omitted, infer the signing identity from the data packet name.
+   */
+  void 
+  sign(Data& data, const Name& certificateName)
+  {
+    ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+    if (!cert)
+      throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+    SignatureSha256WithRsa signature;
+    signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+    data.setSignature(signature);
+
+    // For temporary usage, we support RSA + SHA256 only, but will support more.
+    Tpm::signInTpm(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+  }
+
+  void
+  sign(Data& data, const IdentityCertificate& certificate)
+  {
+    SignatureSha256WithRsa signature;
+    signature.setKeyLocator(certificate.getName().getPrefix(-1));
+    data.setSignature(signature);
+
+    // For temporary usage, we support RSA + SHA256 only, but will support more.
+    Tpm::signInTpm(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+  }
+  
+  /**
+   * Sign the byte array using a certificate name and return a Signature object.
+   * @param buffer The byte array to be signed.
+   * @param bufferLength the length of buffer.
+   * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
+   * @return The Signature.
+   */
+  Signature
+  sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
+  {
+    ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+    if (!cert)
+      throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+    SignatureSha256WithRsa signature;
+    signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+  
+    // For temporary usage, we support RSA + SHA256 only, but will support more.
+    signature.setValue(Tpm::signInTpm(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
+    return signature;
+  }
+
+  /**
+   * Wire encode the Data object, sign it and set its signature.
+   * @param data The Data object to be signed.  This updates its signature and key locator field and wireEncoding.
+   * @param identityName The identity name for the key to use for signing.  If omitted, infer the signing identity from the data packet name.
+   */
+  void 
+  signByIdentity(Data& data, const Name& identityName = Name())
+  {
+    Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+
+    if (signingCertificateName.getComponentCount() == 0)
+      throw std::runtime_error("No qualified certificate name found!");
+
+    sign(data, signingCertificateName);
+  }
+
+  /**
+   * Sign the byte array using an identity name and return a Signature object.
+   * @param buffer The byte array to be signed.
+   * @param bufferLength the length of buffer.
+   * @param identityName The identity name.
+   * @return The Signature.
+   */
+  Signature
+  signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name())
+  {
+    Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+    
+    if (signingCertificateName.size() == 0)
+      throw std::runtime_error("No qualified certificate name found!");
+
+    return sign(buffer, bufferLength, signingCertificateName);
+  }
+
+  /**
+   * Generate a self-signed certificate for a public key.
+   * @param keyName The name of the public key.
+   * @return The generated certificate.
+   */
+  ptr_lib::shared_ptr<IdentityCertificate>
+  selfSign(const Name& keyName)
+  {
+    if(keyName.empty())
+      throw std::runtime_error("Incorrect key name: " + keyName.toUri());
+
+    ptr_lib::shared_ptr<IdentityCertificate> certificate = ptr_lib::make_shared<IdentityCertificate>();
+    
+    Name certificateName = keyName.getPrefix(-1);
+    certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
+    
+    ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+    if (!pubKey)
+      throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+  
+    certificate->setName(certificateName);
+    certificate->setNotBefore(getNow());
+    certificate->setNotAfter(getNow() + 630720000 /* 20 years*/);
+    certificate->setPublicKeyInfo(*pubKey);
+    certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+    certificate->encode();
+
+    selfSign(*certificate);
+    return certificate;
+  }
+
+  /**
+   * @brief Self-sign the supplied identity certificate
+   */
+  void
+  selfSign (IdentityCertificate& cert)
+  {
+    SignatureSha256WithRsa signature;
+    signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care
+    cert.setSignature(signature);
+
+    // For temporary usage, we support RSA + SHA256 only, but will support more.
+    Tpm::signInTpm(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+  }
+
+
+private:
+  /**
+   * Generate a key pair for the specified identity.
+   * @param identityName The name of the specified identity.
+   * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+   * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+   * @param keySize The size of the key pair.
+   * @return The name of the generated key.
+   */
+  Name
+  generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048)
+  {
+    Name keyName = Info::getNewKeyName(identityName, isKsk);
+
+    Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize);
+
+    ptr_lib::shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
+    Info::addPublicKey(keyName, keyType, *pubKey);
+
+    return keyName;
+  }
+
+  static Name
+  getKeyNameFromCertificatePrefix(const Name& certificatePrefix)
+  {
+    Name result;
+
+    std::string keyString("KEY");
+    int i = 0;
+    for(; i < certificatePrefix.size(); i++) {
+      if (certificatePrefix.get(i).toEscapedString() == keyString)
+        break;
+    }
+    
+    if (i >= certificatePrefix.size())
+      throw std::runtime_error("Identity Certificate Prefix does not have a KEY component");
+
+    result.append(certificatePrefix.getSubName(0, i));
+    result.append(certificatePrefix.getSubName(i + 1, certificatePrefix.size()-i-1));
+    
+    return result;
+  }
+
+};
+
+}
+
+#ifdef NDN_CPP_HAVE_OSX_SECURITY
+
+namespace ndn
+{
+typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain;
+};
+
+#else
+
+namespace ndn
+{
+typedef KeyChainImpl<SecPublicInfoMemory, SecTpmMemory> KeyChain;
+};
+
+#endif //NDN_CPP_HAVE_OSX_SECURITY
+
+#endif
diff --git a/include/ndn-cpp-dev/security/public-key.hpp b/include/ndn-cpp-dev/security/public-key.hpp
new file mode 100644
index 0000000..5a70e38
--- /dev/null
+++ b/include/ndn-cpp-dev/security/public-key.hpp
@@ -0,0 +1,84 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_PUBLIC_KEY_HPP
+#define NDN_PUBLIC_KEY_HPP
+
+#include <stdexcept>
+#include "../encoding/oid.hpp"
+#include "../encoding/buffer.hpp"
+#include "security-common.hpp"
+
+namespace ndn {
+
+class PublicKey {
+public:    
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  /**
+   * The default constructor.
+   */
+  PublicKey();
+
+  /**
+   * Create a new PublicKey with the given values.
+   * @param algorithm The algorithm of the public key.
+   * @param keyDer The blob of the PublicKeyInfo in terms of DER.
+   *
+   * @throws PublicKey::Error If algorithm is not supported or keyDer cannot be decoded
+   */
+  PublicKey(const uint8_t *keyDerBuf, size_t keyDerSize);
+
+  inline const Buffer&
+  get() const
+  {
+    return key_;
+  }
+
+  inline void
+  set(const uint8_t *keyDerBuf, size_t keyDerSize)
+  {
+    Buffer buf(keyDerBuf, keyDerSize);
+    key_.swap(buf);
+  }
+
+  void
+  encode(CryptoPP::BufferedTransformation &out) const;
+
+  void
+  decode(CryptoPP::BufferedTransformation &in);
+
+  // /*
+  //  * Get the digest of the public key.
+  //  * @param digestAlgorithm The digest algorithm. If omitted, use DIGEST_ALGORITHM_SHA256 by default.
+  //  */
+  // Blob 
+  // getDigest(DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) const;
+
+  inline bool
+  operator ==(const PublicKey &key) const
+  {
+    return key_ == key.key_;
+  }
+
+  inline bool
+  operator !=(const PublicKey &key) const
+  {
+    return key_ != key.key_;
+  }
+  
+private:
+  Buffer key_;
+};
+
+std::ostream &
+operator <<(std::ostream &os, const PublicKey &key);
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp b/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp
new file mode 100644
index 0000000..1d2927e
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp
@@ -0,0 +1,72 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_NO_VERIFY_HPP
+#define NDN_SEC_POLICY_NO_VERIFY_HPP
+
+#include "sec-policy.hpp"
+
+namespace ndn {
+
+class SecPolicyNoVerify : public SecPolicy {
+public:
+  /**
+   * The virtual destructor.
+   */
+  virtual
+  ~SecPolicyNoVerify();
+
+  /**
+   * Override to always skip verification and trust as valid.
+   * @param data The received data packet.
+   * @return true.
+   */
+  virtual bool 
+  skipVerifyAndTrust(const Data& data);
+
+  /**
+   * Override to return false for no verification rule for the received data.
+   * @param data The received data packet.
+   * @return false.
+   */
+  virtual bool
+  requireVerify(const Data& data);
+
+  /**
+   * Override to call onVerified(data) and to indicate no further verification step.
+   * @param data The Data object with the signature to check.
+   * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+   * @param onVerified This does override to call onVerified(data).
+   * @param onVerifyFailed Override to ignore this.
+   * @return null for no further step.
+   */
+  virtual ptr_lib::shared_ptr<ValidationRequest>
+  checkVerificationPolicy
+    (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+    
+  /**
+   * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+   * @param dataName The name of data to be signed.
+   * @param certificateName The name of signing certificate.
+   * @return true to indicate that the signing certificate can be used to sign the data.
+   */
+  virtual bool 
+  checkSigningPolicy(const Name& dataName, const Name& certificateName);
+    
+  /**
+   * Override to indicate that the signing identity cannot be inferred.
+   * @param dataName The name of data to be signed.
+   * @return An empty name because cannot infer. 
+   */
+  virtual Name 
+  inferSigningIdentity(const Name& dataName);
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp b/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp
new file mode 100644
index 0000000..111b61a
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp
@@ -0,0 +1,91 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_SELF_VERIFY_HPP
+#define NDN_SEC_POLICY_SELF_VERIFY_HPP
+
+#include "sec-policy.hpp"
+
+namespace ndn {
+
+/**
+ * A SecPolicySelfVerify implements a PolicyManager to use the public key DER in the data packet's KeyLocator (if available)
+ * or look in the IdentityStorage for the public key with the name in the KeyLocator (if available) and use
+ * it to verify the data packet, without searching a certificate chain.  If the public key can't be found, the
+ * verification fails.
+ */
+class SecPolicySelfVerify : public SecPolicy {
+public:
+  /**
+   * Create a new SecPolicySelfVerify which will look up the public key in the given identityManager.
+   * @param identityManager (optional) The IdentityManager for looking up the public key.  This points to an object must which remain 
+   * valid during the life of this SecPolicySelfVerify.  If omitted, then don't look for a public key with the name 
+   * in the KeyLocator and rely on the KeyLocator having the full public key DER.
+   */
+  SecPolicySelfVerify()
+  {
+  }
+  
+  /**
+   * The virtual destructor.
+   */
+  virtual
+  ~SecPolicySelfVerify();
+
+  /**
+   * Never skip verification.
+   * @param data The received data packet.
+   * @return false.
+   */
+  virtual bool 
+  skipVerifyAndTrust(const Data& data);
+
+  /**
+   * Always return true to use the self-verification rule for the received data.
+   * @param data The received data packet.
+   * @return true.
+   */
+  virtual bool
+  requireVerify(const Data& data);
+
+  /**
+   * Use the public key DER in the data packet's KeyLocator (if available) or look in the IdentityStorage for the 
+   * public key with the name in the KeyLocator (if available) and use it to verify the data packet.  If the public key can't 
+   * be found, call onVerifyFailed.
+   * @param data The Data object with the signature to check.
+   * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+   * (stepCount is ignored.)
+   * @param onVerified If the signature is verified, this calls onVerified(data).
+   * @param onVerifyFailed If the signature check fails or can't find the public key, this calls onVerifyFailed(data).
+   * @return null for no further step for looking up a certificate chain.
+   */
+  virtual ptr_lib::shared_ptr<ValidationRequest>
+  checkVerificationPolicy
+    (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+    
+  /**
+   * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+   * @param dataName The name of data to be signed.
+   * @param certificateName The name of signing certificate.
+   * @return true to indicate that the signing certificate can be used to sign the data.
+   */
+  virtual bool 
+  checkSigningPolicy(const Name& dataName, const Name& certificateName);
+    
+  /**
+   * Override to indicate that the signing identity cannot be inferred.
+   * @param dataName The name of data to be signed.
+   * @return An empty name because cannot infer. 
+   */
+  virtual Name 
+  inferSigningIdentity(const Name& dataName);
+  
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy.hpp b/include/ndn-cpp-dev/security/sec-policy.hpp
new file mode 100644
index 0000000..e3879bb
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy.hpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_HPP
+#define NDN_SEC_POLICY_HPP
+
+#include "../data.hpp"
+#include "validation-request.hpp"
+
+namespace ndn {
+  
+/**
+ * A SecPolicy is an abstract base class to represent the policy for verifying data packets.
+ * You must create an object of a subclass.
+ */
+class SecPolicy {
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  /**
+   * The virtual destructor.
+   */
+  virtual
+  ~SecPolicy() {}
+
+  /**
+   * Check if the received data packet can escape from verification and be trusted as valid.
+   * @param data The received data packet.
+   * @return true if the data does not need to be verified to be trusted as valid, otherwise false.
+   */
+  virtual bool 
+  skipVerifyAndTrust(const Data& data) = 0;
+
+  /**
+   * Check if this SecPolicy has a verification rule for the received data.
+   * @param data The received data packet.
+   * @return true if the data must be verified, otherwise false.
+   */
+  virtual bool
+  requireVerify(const Data& data) = 0;
+
+  /**
+   * Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
+   * @param data The Data object with the signature to check.
+   * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+   * @param onVerified If the signature is verified, this calls onVerified(data).
+   * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+   * @return the indication of next verification step, null if there is no further step.
+   */
+  virtual ptr_lib::shared_ptr<ValidationRequest>
+  checkVerificationPolicy
+    (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed) = 0;
+    
+  /**
+   * Check if the signing certificate name and data name satisfy the signing policy.
+   * @param dataName The name of data to be signed.
+   * @param certificateName The name of signing certificate.
+   * @return true if the signing certificate can be used to sign the data, otherwise false.
+   */
+  virtual bool 
+  checkSigningPolicy(const Name& dataName, const Name& certificateName) = 0;
+    
+  /**
+   * Infer the signing identity name according to the policy. If the signing identity cannot be inferred, return an empty name.
+   * @param dataName The name of data to be signed.
+   * @return The signing identity or an empty name if cannot infer. 
+   */
+  virtual Name 
+  inferSigningIdentity(const Name& dataName) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info-memory.hpp b/include/ndn-cpp-dev/security/sec-public-info-memory.hpp
new file mode 100644
index 0000000..c991f1a
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info-memory.hpp
@@ -0,0 +1,217 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_MEMORY_HPP
+#define NDN_SEC_PUBLIC_INFO_MEMORY_HPP
+
+#include <vector>
+#include <map>
+#include "sec-public-info.hpp"
+
+namespace ndn {
+
+/**
+ * MemoryKeyMetaInfo extends IdentityStorage and implements its methods to store identity, public key and certificate objects in memory.
+ * The application must get the objects through its own means and add the objects to the MemoryKeyMetaInfo object.
+ * To use permanent file-based storage, see BasicKeyMetaInfo.
+ */
+class SecPublicInfoMemory : public SecPublicInfo {
+public:
+  struct Error : public SecPublicInfo::Error { Error(const std::string &what) : SecPublicInfo::Error(what) {} };
+
+  /**
+   * The virtual Destructor.
+   */
+  virtual 
+  ~SecPublicInfoMemory();
+
+  /**
+   * Check if the specified identity already exists.
+   * @param identityName The identity name.
+   * @return true if the identity exists, otherwise false.
+   */
+  virtual bool 
+  doesIdentityExist(const Name& identityName);
+
+  /**
+   * Add a new identity. An exception will be thrown if the identity already exists.
+   * @param identityName The identity name to be added.
+   */
+  virtual void
+  addIdentity(const Name& identityName);
+
+  /**
+   * Revoke the identity.
+   * @return true if the identity was revoked, false if not.
+   */
+  virtual bool 
+  revokeIdentity();
+
+  /**
+   * Check if the specified key already exists.
+   * @param keyName The name of the key.
+   * @return true if the key exists, otherwise false.
+   */
+  virtual bool 
+  doesPublicKeyExist(const Name& keyName);
+
+  /**
+   * Add a public key to the identity storage.
+   * @param keyName The name of the public key to be added.
+   * @param keyType Type of the public key to be added.
+   * @param publicKeyDer A blob of the public key DER to be added.
+   */
+  virtual void 
+  addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer);
+
+  /**
+   * Get the public key DER blob from the identity storage.
+   * @param keyName The name of the requested public key.
+   * @return The DER Blob.  If not found, return a Blob with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey>
+  getPublicKey(const Name& keyName);
+
+  /**
+   * Activate a key.  If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual void 
+  activatePublicKey(const Name& keyName);
+
+  /**
+   * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual void 
+  deactivatePublicKey(const Name& keyName);
+
+  /**
+   * Check if the specified certificate already exists.
+   * @param certificateName The name of the certificate.
+   * @return true if the certificate exists, otherwise false.
+   */
+  virtual bool
+  doesCertificateExist(const Name& certificateName);
+
+  /**
+   * Add a certificate to the identity storage.
+   * @param certificate The certificate to be added.  This makes a copy of the certificate.
+   */
+  virtual void 
+  addCertificate(const IdentityCertificate& certificate);
+
+  /**
+   * Get a certificate from the identity storage.
+   * @param certificateName The name of the requested certificate.
+   * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+   * @return The requested certificate.  If not found, return a shared_ptr with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<IdentityCertificate> 
+  getCertificate(const Name &certificateName);
+
+
+  /*****************************************
+   *           Get/Set Default             *
+   *****************************************/
+
+  /**
+   * Get the default identity. 
+   * @param return The name of default identity, or an empty name if there is no default.
+   */
+  virtual Name 
+  getDefaultIdentity();
+
+  /**
+   * Get the default key name for the specified identity.
+   * @param identityName The identity name.
+   * @return The default key name.
+   */
+  virtual Name 
+  getDefaultKeyNameForIdentity(const Name& identityName);
+
+  /**
+   * Get the default certificate name for the specified key.
+   * @param keyName The key name.
+   * @return The default certificate name.
+   */
+  virtual Name 
+  getDefaultCertificateNameForKey(const Name& keyName);
+
+  virtual std::vector<Name>
+  getAllIdentities(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllKeyNames(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllKeyNamesOfIdentity(const Name& identity, bool isDefault);
+    
+  virtual std::vector<Name>
+  getAllCertificateNames(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllCertificateNamesOfKey(const Name& keyName, bool isDefault);
+
+protected:
+  /**
+   * Set the default identity.  If the identityName does not exist, then clear the default identity
+   * so that getDefaultIdentity() returns an empty name.
+   * @param identityName The default identity name.
+   */
+  virtual void 
+  setDefaultIdentityInternal(const Name& identityName);
+
+  /**
+   * Set the default key name for the specified identity.
+   * @param keyName The key name.
+   * @param identityNameCheck (optional) The identity name to check the keyName.
+   */
+  virtual void 
+  setDefaultKeyNameForIdentityInternal(const Name& keyName);
+
+  /**
+   * Set the default key name for the specified identity.
+   * @param keyName The key name.
+   * @param certificateName The certificate name.
+   */
+  virtual void 
+  setDefaultCertificateNameForKeyInternal(const Name& certificateName);  
+
+  
+private:
+  class KeyRecord {
+  public:
+    KeyRecord(KeyType keyType, const PublicKey &key)
+    : keyType_(keyType), key_(key)
+    {
+    }
+    
+    const KeyType getKeyType() const { return keyType_; }
+    
+    const PublicKey& getKey() { return key_; }
+    
+  private:
+    KeyType   keyType_;
+    PublicKey key_;
+  };
+  
+  std::vector<std::string> identityStore_; /**< A list of name URI. */
+  std::string defaultIdentity_;            /**< The default identity in identityStore_, or "" if not defined. */
+  Name defaultKeyName_;
+  Name defaultCert_;
+
+  typedef std::map< std::string, ptr_lib::shared_ptr<KeyRecord> > KeyStore; /**< The map key is the keyName.toUri() */
+  typedef std::map< std::string, ptr_lib::shared_ptr<IdentityCertificate> > CertificateStore; /**< The map key is the certificateName.toUri() */
+  
+  KeyStore keyStore_; 
+  CertificateStore certificateStore_;                    
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp b/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp
new file mode 100644
index 0000000..f83c27e
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp
@@ -0,0 +1,223 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_SQLITE3_HPP
+#define NDN_SEC_PUBLIC_INFO_SQLITE3_HPP
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_SQLITE3.
+#include <ndn-cpp-dev/ndn-cpp-config.h>
+#ifdef NDN_CPP_HAVE_SQLITE3
+
+#include <sqlite3.h>
+#include "../common.hpp"
+#include "sec-public-info.hpp"
+
+namespace ndn
+{
+  
+/**
+ * BasicIdentityStorage extends IdentityStorage to implement a basic storage of identity, public keys and certificates
+ * using SQLite.
+ */
+class SecPublicInfoSqlite3 : public SecPublicInfo {
+public:
+  struct Error : public SecPublicInfo::Error { Error(const std::string &what) : SecPublicInfo::Error(what) {} };
+
+  SecPublicInfoSqlite3();
+  
+  /**
+   * The virtual Destructor.
+   */
+  virtual 
+  ~SecPublicInfoSqlite3();
+
+  // from SecPublicInfo
+  /**
+   * Check if the specified identity already exists.
+   * @param identityName The identity name.
+   * @return true if the identity exists, otherwise false.
+   */
+  virtual bool 
+  doesIdentityExist(const Name& identityName);
+
+  /**
+   * Add a new identity. An exception will be thrown if the identity already exists.
+   * @param identityName The identity name to be added.
+   */
+  virtual void
+  addIdentity(const Name& identityName);
+
+  /**
+   * Revoke the identity.
+   * @return true if the identity was revoked, false if not.
+   */
+  virtual bool 
+  revokeIdentity();
+
+  /**
+   * Check if the specified key already exists.
+   * @param keyName The name of the key.
+   * @return true if the key exists, otherwise false.
+   */
+  virtual bool 
+  doesPublicKeyExist(const Name& keyName);
+
+  /**
+   * Add a public key to the identity storage.
+   * @param keyName The name of the public key to be added.
+   * @param keyType Type of the public key to be added.
+   * @param publicKeyDer A blob of the public key DER to be added.
+   */
+  virtual void 
+  addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer);
+
+  /**
+   * Get the public key DER blob from the identity storage.
+   * @param keyName The name of the requested public key.
+   * @return The DER Blob.  If not found, return a Blob with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey>
+  getPublicKey(const Name& keyName);
+
+  /**
+   * Activate a key.  If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual inline void 
+  activatePublicKey(const Name& keyName);
+
+  /**
+   * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual inline void 
+  deactivatePublicKey(const Name& keyName);
+
+  /**
+   * Check if the specified certificate already exists.
+   * @param certificateName The name of the certificate.
+   * @return true if the certificate exists, otherwise false.
+   */
+  virtual bool
+  doesCertificateExist(const Name& certificateName);
+
+  /**
+   * Add a certificate in to the identity storage without checking if the identity and key exists.
+   * @param certificate The certificate to be added.
+   */
+  virtual void
+  addAnyCertificate (const IdentityCertificate& certificate);
+
+  /**
+   * Add a certificate to the identity storage.
+   * @param certificate The certificate to be added.  This makes a copy of the certificate.
+   */
+  virtual void 
+  addCertificate(const IdentityCertificate& certificate);
+
+  /**
+   * Get a certificate from the identity storage.
+   * @param certificateName The name of the requested certificate.
+   * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+   * @return The requested certificate.  If not found, return a shared_ptr with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<IdentityCertificate> 
+  getCertificate(const Name &certificateName);
+
+
+  /*****************************************
+   *            Default Getter             *
+   *****************************************/
+
+  /**
+   * Get the default identity. 
+   * @param return The name of default identity, or an empty name if there is no default.
+   */
+  virtual Name 
+  getDefaultIdentity();
+
+  /**
+   * Get the default key name for the specified identity.
+   * @param identityName The identity name.
+   * @return The default key name.
+   */
+  virtual Name 
+  getDefaultKeyNameForIdentity(const Name& identityName);
+
+  /**
+   * Get the default certificate name for the specified key.
+   * @param keyName The key name.
+   * @return The default certificate name.
+   */
+  virtual Name 
+  getDefaultCertificateNameForKey(const Name& keyName);
+
+  virtual std::vector<Name>
+  getAllIdentities(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllKeyNames(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllKeyNamesOfIdentity(const Name& identity, bool isDefault);
+    
+  virtual std::vector<Name>
+  getAllCertificateNames(bool isDefault);
+
+  virtual std::vector<Name>
+  getAllCertificateNamesOfKey(const Name& keyName, bool isDefault);
+  
+protected:
+  /**
+   * Set the default identity.  If the identityName does not exist, then clear the default identity
+   * so that getDefaultIdentity() returns an empty name.
+   * @param identityName The default identity name.
+   */
+  virtual void 
+  setDefaultIdentityInternal(const Name& identityName);
+
+  /**
+   * Set the default key name for the specified identity.
+   * @param keyName The key name.
+   * @param identityNameCheck (optional) The identity name to check the keyName.
+   */
+  virtual void
+  setDefaultKeyNameForIdentityInternal(const Name& keyName);
+
+  /**
+   * Set the default key name for the specified identity.
+   * @param keyName The key name.
+   * @param certificateName The certificate name.
+   */
+  virtual void 
+  setDefaultCertificateNameForKeyInternal(const Name& certificateName);  
+  
+private:
+  void
+  updateKeyStatus(const Name& keyName, bool isActive);
+
+  sqlite3 *database_;
+};
+
+void
+SecPublicInfoSqlite3::activatePublicKey(const Name& keyName)
+{
+  updateKeyStatus(keyName, true);
+}
+
+void
+SecPublicInfoSqlite3::deactivatePublicKey(const Name& keyName)
+{
+  updateKeyStatus(keyName, false);
+}
+
+}
+
+#endif // NDN_CPP_HAVE_SQLITE3
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info.hpp b/include/ndn-cpp-dev/security/sec-public-info.hpp
new file mode 100644
index 0000000..7cd7230
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info.hpp
@@ -0,0 +1,380 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_HPP
+#define NDN_SEC_PUBLIC_INFO_HPP
+
+#include "../name.hpp"
+#include "security-common.hpp"
+#include "public-key.hpp"
+#include "identity-certificate.hpp"
+
+
+namespace ndn {
+
+/**
+ * SecPublicInfo is a base class for the storage of identity, public keys and certificates. 
+ * Private keys are stored in SecTpm.
+ * This is an abstract base class.  A subclass must implement the methods.
+ */
+class SecPublicInfo {
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  /**
+   * The virtual Destructor.
+   */
+  virtual 
+  ~SecPublicInfo() {}
+
+  /**
+   * Check if the specified identity already exists.
+   * @param identityName The identity name.
+   * @return true if the identity exists, otherwise false.
+   */
+  virtual bool 
+  doesIdentityExist(const Name& identityName) = 0;
+
+  /**
+   * Add a new identity. An exception will be thrown if the identity already exists.
+   * @param identityName The identity name to be added.
+   */
+  virtual void
+  addIdentity(const Name& identityName) = 0;
+
+  /**
+   * Revoke the identity.
+   * @return true if the identity was revoked, false if not.
+   */
+  virtual bool 
+  revokeIdentity() = 0;
+
+  /**
+   * Check if the specified key already exists.
+   * @param keyName The name of the key.
+   * @return true if the key exists, otherwise false.
+   */
+  virtual bool 
+  doesPublicKeyExist(const Name& keyName) = 0;
+
+  /**
+   * Add a public key to the identity storage.
+   * @param keyName The name of the public key to be added.
+   * @param keyType Type of the public key to be added.
+   * @param publicKeyDer A blob of the public key DER to be added.
+   */
+  virtual void 
+  addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
+
+  /**
+   * Get the public key DER blob from the identity storage.
+   * @param keyName The name of the requested public key.
+   * @return The DER Blob.  If not found, return a Blob with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey>
+  getPublicKey(const Name& keyName) = 0;
+
+  /**
+   * Activate a key.  If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual void 
+  activatePublicKey(const Name& keyName) = 0;
+
+  /**
+   * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+   * @param keyName name of the key
+   */
+  virtual void 
+  deactivatePublicKey(const Name& keyName) = 0;
+
+  /**
+   * Check if the specified certificate already exists.
+   * @param certificateName The name of the certificate.
+   * @return true if the certificate exists, otherwise false.
+   */
+  virtual bool
+  doesCertificateExist(const Name& certificateName) = 0;
+
+  /**
+   * Add a certificate to the identity storage.
+   * @param certificate The certificate to be added.  This makes a copy of the certificate.
+   */
+  virtual void 
+  addCertificate(const IdentityCertificate& certificate) = 0;
+
+  /**
+   * Get a certificate from the identity storage.
+   * @param certificateName The name of the requested certificate.
+   * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+   * @return The requested certificate.  If not found, return a shared_ptr with a null pointer.
+   */
+  virtual ptr_lib::shared_ptr<IdentityCertificate> 
+  getCertificate(const Name &certificateName) = 0;
+
+
+  /*****************************************
+   *            Default Getter             *
+   *****************************************/
+
+  /**
+   * Get the default identity. 
+   * @param return The name of default identity, or an empty name if there is no default.
+   */
+  virtual Name 
+  getDefaultIdentity() = 0;
+
+  /**
+   * Get the default key name for the specified identity.
+   * @param identityName The identity name.
+   * @return The default key name.
+   */
+  virtual Name 
+  getDefaultKeyNameForIdentity(const Name& identityName) = 0;
+
+  /**
+   * Get the default certificate name for the specified key.
+   * @param keyName The key name.
+   * @return The default certificate name.
+   */
+  virtual Name 
+  getDefaultCertificateNameForKey(const Name& keyName) = 0;
+
+  virtual std::vector<Name>
+  getAllIdentities(bool isDefault) = 0;
+
+  virtual std::vector<Name>
+  getAllKeyNames(bool isDefault) = 0;
+
+  virtual std::vector<Name>
+  getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
+    
+  virtual std::vector<Name>
+  getAllCertificateNames(bool isDefault) = 0;
+    
+  virtual std::vector<Name>
+  getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
+
+protected:
+
+  /*****************************************
+   *            Default Setter             *
+   *****************************************/
+  
+  /**
+   * Set the default identity.  If the identityName does not exist, then clear the default identity
+   * so that getDefaultIdentity() returns an empty name.
+   * @param identityName The default identity name.
+   */
+  virtual void 
+  setDefaultIdentityInternal(const Name& identityName) = 0;
+  
+  /**
+   * Set the default key name for the corresponding identity.
+   * @param keyName The key name.
+   */
+  virtual void
+  setDefaultKeyNameForIdentityInternal(const Name& keyName) = 0;
+
+  /**
+   * Set the default certificate name for the corresponding key.
+   * @param certificateName The certificate name.
+   */
+  virtual void 
+  setDefaultCertificateNameForKeyInternal(const Name& certificateName) = 0; 
+
+public:
+  
+  /*****************************************
+   *            Helper Methods             *
+   *****************************************/
+
+  /**
+   * Set the default identity.  If the identityName does not exist, then clear the default identity
+   * so that getDefaultIdentity() returns an empty name.
+   * @param identityName The default identity name.
+   */
+  inline void 
+  setDefaultIdentity(const Name& identityName);
+
+  /**
+   * Set the default key name for the corresponding identity.
+   * @param keyName The key name.
+   */
+  inline void 
+  setDefaultKeyNameForIdentity(const Name& keyName);
+
+  /**
+   * Set the default certificate name for the corresponding key.
+   * @param certificateName The certificate name.
+   */
+  inline void 
+  setDefaultCertificateNameForKey(const Name& certificateName); 
+
+  /**
+   * Generate a name for a new key belonging to the identity.
+   * @param identityName The identity name.
+   * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+   * @return The generated key name.
+   */
+  inline Name 
+  getNewKeyName(const Name& identityName, bool useKsk);
+
+    /**
+   * Get the default certificate name for the specified identity.
+   * @param identityName The identity name.
+   * @return The default certificate name.
+   */
+  inline Name 
+  getDefaultCertificateNameForIdentity(const Name& identityName);
+
+  /**
+   * Get the default certificate name of the default identity, which will be used when signing is based on identity and 
+   * the identity is not specified.
+   * @return The requested certificate name.
+   */
+  inline Name
+  getDefaultCertificateName();
+
+  /**
+   * Add a certificate and set the certificate as the default of its corresponding key.
+   * @param certificate The certificate to be added.  This makes a copy of the certificate.
+   */
+  inline void
+  addCertificateAsKeyDefault(const IdentityCertificate& certificate);
+
+  /**
+   * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
+   * @param certificate The certificate to be added.  This makes a copy of the certificate.
+   */
+  inline void
+  addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
+
+  inline void
+  addCertificateAsSystemDefault(const IdentityCertificate& certificate);
+
+  inline ptr_lib::shared_ptr<IdentityCertificate>
+  defaultCertificate();
+  
+  inline void
+  refreshDefaultCertificate();
+
+protected:
+  ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
+
+};
+
+void
+SecPublicInfo::setDefaultIdentity(const Name& identityName)
+{
+  setDefaultIdentityInternal(identityName);
+  refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultKeyNameForIdentity(const Name& keyName)
+{
+  setDefaultKeyNameForIdentityInternal(keyName);
+  refreshDefaultCertificate();
+}
+
+void 
+SecPublicInfo::setDefaultCertificateNameForKey(const Name& certificateName)
+{
+  setDefaultCertificateNameForKeyInternal(certificateName);
+  refreshDefaultCertificate();
+}
+
+Name 
+SecPublicInfo::getDefaultCertificateNameForIdentity(const Name& identityName)
+{
+  return getDefaultCertificateNameForKey(getDefaultKeyNameForIdentity(identityName));
+}
+
+Name
+SecPublicInfo::getNewKeyName (const Name& identityName, bool useKsk)
+{
+  std::ostringstream oss;
+
+  if (useKsk)
+    oss << "ksk-";
+  else
+    oss << "dsk-";
+
+  oss << static_cast<int>(getNow()/1000);  
+
+  Name keyName = Name(identityName).append(oss.str());
+
+  if (doesPublicKeyExist(keyName))
+    throw Error("Key name already exists");
+
+  return keyName;
+}
+
+Name
+SecPublicInfo::getDefaultCertificateName()
+{
+  if(!static_cast<bool>(defaultCertificate_))
+    refreshDefaultCertificate();
+
+  if(!static_cast<bool>(defaultCertificate_))
+    return Name();
+
+  return defaultCertificate_->getName();
+}
+
+void
+SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate)
+{
+  addCertificate(certificate);
+  setDefaultCertificateNameForKeyInternal(certificate.getName());
+  refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
+{
+  addCertificate(certificate);
+  Name certName = certificate.getName();
+  setDefaultKeyNameForIdentityInternal(IdentityCertificate::certificateNameToPublicKeyName(certName));
+  setDefaultCertificateNameForKeyInternal(certName);
+  refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsSystemDefault(const IdentityCertificate& certificate)
+{
+  addCertificate(certificate);
+  Name certName = certificate.getName();
+  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certName);
+  setDefaultIdentityInternal(keyName.getPrefix(-1));
+  setDefaultKeyNameForIdentityInternal(keyName);
+  setDefaultCertificateNameForKeyInternal(certName);
+  refreshDefaultCertificate();
+}
+
+ptr_lib::shared_ptr<IdentityCertificate>
+SecPublicInfo::defaultCertificate()
+{
+  return defaultCertificate_;
+}
+
+void
+SecPublicInfo::refreshDefaultCertificate()
+{
+  Name certName = getDefaultCertificateNameForIdentity(getDefaultIdentity());
+  if(certName.empty())
+    defaultCertificate_.reset();
+  else
+    defaultCertificate_ = getCertificate(certName);
+}
+
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm-memory.hpp b/include/ndn-cpp-dev/security/sec-tpm-memory.hpp
new file mode 100644
index 0000000..8203272
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm-memory.hpp
@@ -0,0 +1,127 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_MEMORY_HPP
+#define NDN_SEC_TPM_MEMORY_HPP
+
+#include <map>
+#include "sec-tpm.hpp"
+
+struct rsa_st;
+
+namespace ndn {
+
+/**
+ * MemoryPrivateKeyStorage extends PrivateKeyStorage to implement a simple in-memory private key store.  You should
+ * initialize by calling setKeyPairForKeyName.
+ */
+class SecTpmMemory : public SecTpm {
+public:
+  struct Error : public SecTpm::Error { Error(const std::string &what) : SecTpm::Error(what) {} };
+
+  /**
+   * The virtual destructor
+   */    
+  virtual 
+  ~SecTpmMemory();
+
+  /**
+   * Set the public and private key for the keyName.
+   * @param keyName The key name.
+   * @param publicKeyDer The public key DER byte array.
+   * @param publicKeyDerLength The length of publicKeyDer.
+   * @param privateKeyDer The private key DER byte array.
+   * @param privateKeyDerLength The length of privateKeyDer.
+   */
+  void setKeyPairForKeyName(const Name& keyName,
+                            uint8_t *publicKeyDer, size_t publicKeyDerLength,
+                            uint8_t *privateKeyDer, size_t privateKeyDerLength);
+  
+  /**
+   * Generate a pair of asymmetric keys.
+   * @param keyName The name of the key pair.
+   * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+   * @param keySize The size of the key pair.
+   */
+  virtual void 
+  generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+  /**
+   * Get the public key
+   * @param keyName The name of public key.
+   * @return The public key.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey> 
+  getPublicKeyFromTpm(const Name& keyName);
+  
+  /**
+   * Fetch the private key for keyName and sign the data, returning a signature Blob.
+   * @param data Pointer to the input byte array.
+   * @param dataLength The length of data.
+   * @param keyName The name of the signing key.
+   * @param digestAlgorithm the digest algorithm.
+   * @return The signature, or a null pointer if signing fails.
+   */  
+  virtual Block 
+  signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+  virtual void 
+  signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm);
+  
+  /**
+   * Decrypt data.
+   * @param keyName The name of the decrypting key.
+   * @param data The byte to be decrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The decrypted data.
+   */
+  virtual ConstBufferPtr 
+  decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+  /**
+   * Encrypt data.
+   * @param keyName The name of the encrypting key.
+   * @param data The byte to be encrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The encrypted data.
+   */
+  virtual ConstBufferPtr
+  encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+  /**
+   * @brief Generate a symmetric key.
+   * @param keyName The name of the key.
+   * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+   * @param keySize The size of the key.
+   */
+  virtual void 
+  generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+  /**
+   * Check if a particular key exists.
+   * @param keyName The name of the key.
+   * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+   * @return True if the key exists, otherwise false.
+   */
+  virtual bool
+  doesKeyExistInTpm(const Name& keyName, KeyClass keyClass);  
+  
+private:
+  class RsaPrivateKey;
+
+  typedef std::map<std::string, ptr_lib::shared_ptr<PublicKey> >     PublicKeyStore;
+  typedef std::map<std::string, ptr_lib::shared_ptr<RsaPrivateKey> > PrivateKeyStore;
+  
+  PublicKeyStore  publicKeyStore_;  /**< The map key is the keyName.toUri() */
+  PrivateKeyStore privateKeyStore_; /**< The map key is the keyName.toUri() */
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm-osx.hpp b/include/ndn-cpp-dev/security/sec-tpm-osx.hpp
new file mode 100644
index 0000000..4839e3d
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm-osx.hpp
@@ -0,0 +1,127 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_OSX_HPP
+#define NDN_SEC_TPM_OSX_HPP
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_OSX_SECURITY 1.
+#include <ndn-cpp-dev/ndn-cpp-config.h>
+#if NDN_CPP_HAVE_OSX_SECURITY
+
+#include "../common.hpp"
+#include "sec-tpm.hpp"
+
+namespace ndn
+{
+  
+class SecTpmOsx : public SecTpm {
+public:
+  struct Error : public SecTpm::Error { Error(const std::string &what) : SecTpm::Error(what) {} };
+
+  /**
+   * constructor of OSXKeyChainTpm
+   * @param keychainName the name of keychain
+   */
+  SecTpmOsx(const std::string & keychainName = "");
+
+  /**
+   * destructor of OSXKeyChainTpm
+   */    
+  virtual 
+  ~SecTpmOsx();
+
+
+  // From TrustedPlatformModule
+  virtual void 
+  generateKeyPairInTpm(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+  virtual ptr_lib::shared_ptr<PublicKey> 
+  getPublicKeyFromTpm(const Name& keyName);
+  
+  virtual Block
+  signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+  virtual void
+  signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm);
+  
+  /**
+   * Decrypt data.
+   * @param keyName The name of the decrypting key.
+   * @param data The byte to be decrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The decrypted data.
+   */
+  virtual ConstBufferPtr 
+  decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+  /**
+   * Encrypt data.
+   * @param keyName The name of the encrypting key.
+   * @param data The byte to be encrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+   * @return The encrypted data.
+   */
+  virtual ConstBufferPtr
+  encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+  /**
+   * Generate a symmetric key.
+   * @param keyName The name of the key.
+   * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+   * @param keySize The size of the key.
+   */
+  virtual void 
+  generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+  /**
+   * Check if a particular key exists.
+   * @param keyName The name of the key.
+   * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+   * @return True if the key exists, otherwise false.
+   */
+  virtual bool
+  doesKeyExistInTpm(const Name& keyName, KeyClass keyClass);  
+
+
+  ////////////////////////////////////////////////////////////////////////////////////
+  // OSX-specifics
+  ////////////////////////////////////////////////////////////////////////////////////
+  
+  /**
+   * configure ACL of a particular key
+   * @param keyName the name of key
+   * @param keyClass the class of key, e.g. Private Key
+   * @param acl the new acl of the key
+   * @param appPath the absolute path to the application
+   * @returns true if setting succeeds
+   */
+  bool 
+  setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
+
+  // /**
+  //  * verify data (test only)
+  //  * @param keyName the name of key
+  //  * @param pData the data to be verified
+  //  * @param pSig the signature associated with the data
+  //  * @param digestAlgo digest algorithm
+  //  * @return true if signature can be verified, otherwise false
+  //  */
+  // bool 
+  // verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+
+ private:
+  class Impl;
+  std::auto_ptr<Impl> impl_;
+};
+  
+}
+
+#endif // NDN_CPP_HAVE_OSX_SECURITY
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm.hpp b/include/ndn-cpp-dev/security/sec-tpm.hpp
new file mode 100644
index 0000000..c6b5328
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm.hpp
@@ -0,0 +1,104 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_HPP
+#define NDN_SEC_TPM_HPP
+
+#include <string>
+#include "security-common.hpp"
+#include "../name.hpp"
+#include "../data.hpp"
+#include "public-key.hpp"
+
+namespace ndn {
+
+class SecTpm {
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  /**
+   * The virtual destructor.
+   */    
+  virtual 
+  ~SecTpm() {}
+
+  /**
+   * Generate a pair of asymmetric keys.
+   * @param keyName The name of the key pair.
+   * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+   * @param keySize The size of the key pair.
+   */
+  virtual void 
+  generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
+
+  /**
+   * Get the public key
+   * @param keyName The name of public key.
+   * @return The public key.
+   */
+  virtual ptr_lib::shared_ptr<PublicKey> 
+  getPublicKeyFromTpm(const Name& keyName) = 0;
+  
+  /**
+   * Fetch the private key for keyName and sign the data, returning a signature Blob.
+   * @param data Pointer to the input byte array.
+   * @param dataLength The length of data.
+   * @param keyName The name of the signing key.
+   * @param digestAlgorithm the digest algorithm.
+   * @return The signature, or a null pointer if signing fails.
+   */  
+  virtual Block
+  signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
+
+  virtual void
+  signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
+  
+  /**
+   * Decrypt data.
+   * @param keyName The name of the decrypting key.
+   * @param data The byte to be decrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric encryption is used.
+   * @return The decrypted data.
+   */
+  virtual ConstBufferPtr 
+  decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
+
+  /**
+   * Encrypt data.
+   * @param keyName The name of the encrypting key.
+   * @param data The byte to be encrypted.
+   * @param dataLength the length of data.
+   * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric encryption is used.
+   * @return The encrypted data.
+   */
+  virtual ConstBufferPtr
+  encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
+
+  /**
+   * @brief Generate a symmetric key.
+   * @param keyName The name of the key.
+   * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+   * @param keySize The size of the key.
+   */
+  virtual void 
+  generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
+
+  /**
+   * Check if a particular key exists.
+   * @param keyName The name of the key.
+   * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+   * @return True if the key exists, otherwise false.
+   */
+  virtual bool
+  doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) = 0;  
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/security-common.hpp b/include/ndn-cpp-dev/security/security-common.hpp
new file mode 100644
index 0000000..9ce4599
--- /dev/null
+++ b/include/ndn-cpp-dev/security/security-common.hpp
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_COMMON_HPP
+#define NDN_SECURITY_COMMON_HPP
+
+namespace ndn {
+
+enum KeyType {
+  KEY_TYPE_RSA,
+  // KEY_TYPE_DSA,
+  KEY_TYPE_AES,
+  // KEY_TYPE_DES,
+  // KEY_TYPE_RC4,
+  // KEY_TYPE_RC2
+};
+
+enum KeyClass {
+  KEY_CLASS_PUBLIC,
+  KEY_CLASS_PRIVATE,
+  KEY_CLASS_SYMMETRIC
+};
+  
+enum DigestAlgorithm {
+  // DIGEST_ALGORITHM_MD2,
+  // DIGEST_ALGORITHM_MD5,
+  // DIGEST_ALGORITHM_SHA1,
+  DIGEST_ALGORITHM_SHA256
+};
+
+enum EncryptMode {
+  ENCRYPT_MODE_DEFAULT,
+  ENCRYPT_MODE_CFB_AES,
+  // ENCRYPT_MODE_CBC_AES
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/security-exception.hpp b/include/ndn-cpp-dev/security/security-exception.hpp
new file mode 100644
index 0000000..daf1d61
--- /dev/null
+++ b/include/ndn-cpp-dev/security/security-exception.hpp
@@ -0,0 +1,49 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_EXCEPTION_HPP
+#define NDN_SECURITY_EXCEPTION_HPP
+
+#include <exception>
+#include <string>
+
+namespace ndn {
+
+class SecurityException : public std::exception {
+public:
+  SecurityException(const std::string& errorMessage) throw();
+    
+  virtual ~SecurityException() throw();
+    
+  std::string Msg() { return errorMessage_; }
+
+  virtual const char* what() const throw() { return errorMessage_.c_str(); }
+    
+private:
+  const std::string errorMessage_;
+};
+
+class UnrecognizedKeyFormatException : public SecurityException {
+public:
+  UnrecognizedKeyFormatException(const std::string& errorMessage)
+  : SecurityException(errorMessage)
+  {
+  }
+};
+
+class UnrecognizedDigestAlgorithmException : public SecurityException {
+public:
+  UnrecognizedDigestAlgorithmException(const std::string& errorMessage)
+  : SecurityException(errorMessage)
+  {
+  }
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp b/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp
new file mode 100644
index 0000000..6627f02
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp
@@ -0,0 +1,38 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SHA256_RSA_HANDLER_HPP
+#define NDN_SHA256_RSA_HANDLER_HPP
+
+#include "../../data.hpp"
+#include "../certificate/public-key.hpp"
+
+namespace ndn{
+
+class Sha256WithRsaHandler {
+public:
+  Sha256WithRsaHandler() {}
+
+  virtual
+  ~Sha256WithRsaHandler() {}
+
+ /**
+  * Verify the signature on the data packet using the given public key. If there is no data.getDefaultWireEncoding(),
+  * this calls data.wireEncode() to set it.
+  * @param data The data packet with the signed portion and the signature to verify. The data packet must have a
+  * Sha256WithRsaSignature.
+  * @param publicKey The public key used to verify the signature.
+  * @return true if the signature verifies, false if not.
+  * @throw SecurityException if data does not have a Sha256WithRsaSignature.
+  */
+  static bool
+  verifySignature(const Data& data, const PublicKey& publicKey);
+
+};
+
+}
+#endif
diff --git a/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp b/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp
new file mode 100644
index 0000000..b59c765
--- /dev/null
+++ b/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp
@@ -0,0 +1,64 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SIGNATURE_SHA256_WITH_RSA_HPP
+#define NDN_SIGNATURE_SHA256_WITH_RSA_HPP
+
+#include "../data.hpp"
+
+namespace ndn {
+
+/**
+ * Representing of SHA256-with-RSA signature in a data packet.
+ */
+class SignatureSha256WithRsa : public Signature {
+public:
+  SignatureSha256WithRsa()
+  {
+    info_ = Block(Tlv::SignatureInfo);
+    
+    type_ = Signature::Sha256WithRsa;
+    info_.push_back(nonNegativeIntegerBlock(Tlv::SignatureType, Tlv::SignatureSha256WithRsa));
+    info_.push_back(keyLocator_.wireEncode());
+  }
+  
+  SignatureSha256WithRsa(const Signature &signature)
+    : Signature(signature)
+  {
+    if (getType() != Signature::Sha256WithRsa)
+      throw Signature::Error("Incorrect signature type");
+
+    info_.parse();
+    Block::element_iterator i = info_.find(Tlv::KeyLocator);
+    if (i != info_.getAll().end())
+      {
+        keyLocator_.wireDecode(*i);
+      }
+  }
+  
+  const KeyLocator& 
+  getKeyLocator() const
+  {
+    return keyLocator_;
+  }
+
+  void 
+  setKeyLocator(const KeyLocator& keyLocator)
+  {
+    keyLocator_ = keyLocator;
+
+    info_.remove(ndn::Tlv::KeyLocator);
+    info_.push_back(keyLocator_.wireEncode());
+  }
+
+private:
+  KeyLocator keyLocator_;
+};
+
+} // namespace ndn
+
+#endif
diff --git a/include/ndn-cpp-dev/security/validation-request.hpp b/include/ndn-cpp-dev/security/validation-request.hpp
new file mode 100644
index 0000000..7471065
--- /dev/null
+++ b/include/ndn-cpp-dev/security/validation-request.hpp
@@ -0,0 +1,48 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATION_REQUEST_HPP
+#define NDN_VALIDATION_REQUEST_HPP
+
+#include "../interest.hpp"
+
+namespace ndn {
+
+/**
+ * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
+
+
+class ValidationRequest {
+public:
+  ValidationRequest
+    (const ptr_lib::shared_ptr<Interest> &interest, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed,
+     int retry, int stepCount)
+  : interest_(interest), onVerified_(onVerified), onVerifyFailed_(onVerifyFailed), retry_(retry), stepCount_(stepCount)
+  {
+  }
+    
+  virtual
+  ~ValidationRequest() {}
+
+  ptr_lib::shared_ptr<Interest> interest_; // An interest packet to fetch the requested data.
+  OnVerified onVerified_;                  // A callback function if the requested certificate has been validated.
+  OnVerifyFailed onVerifyFailed_;          // A callback function if the requested certificate cannot be validated.
+  int retry_;                              // The number of retrials when there is an interest timeout.
+  int stepCount_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/verifier.hpp b/include/ndn-cpp-dev/security/verifier.hpp
new file mode 100644
index 0000000..2dbd995
--- /dev/null
+++ b/include/ndn-cpp-dev/security/verifier.hpp
@@ -0,0 +1,102 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VERIFIER_HPP
+#define NDN_VERIFIER_HPP
+
+#include "../data.hpp"
+#include "../face.hpp"
+#include "sec-policy.hpp"
+#include "validation-request.hpp"
+#include "public-key.hpp"
+#include "signature-sha256-with-rsa.hpp"
+
+namespace ndn {
+  
+/**
+ * Verifier is one of the main classes of the security librar .
+ *
+ * The Verifier class provides the interfaces for packet verification.
+ */
+class Verifier {
+public:
+  struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+  Verifier(const ptr_lib::shared_ptr<SecPolicy> &policy = DefaultPolicy);
+
+  /**
+   * @brief Set the Face which will be used to fetch required certificates.
+   * @param face A pointer to the Face object.
+   *
+   * Setting face is necessary for verifier operation that involve fetching data.
+   */
+  void
+  setFace(const ptr_lib::shared_ptr<Face> &face) { face_ = face; }
+  
+  /**
+   * @brief Get the policy.
+   * @return The Policy.
+   */
+  inline SecPolicy&
+  policy()
+  {
+    if (!policy_)
+      throw Error("policy is not assigned to the KeyChain");
+
+    return *policy_;
+  }
+
+
+  /**
+   * Check the signature on the Data object and call either onVerify or onVerifyFailed. 
+   * We use callback functions because verify may fetch information to check the signature.
+   * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding. 
+   * To set the wireEncoding, you can call data.wireDecode.
+   * @param onVerified If the signature is verified, this calls onVerified(data).
+   * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+   */
+  void
+  verifyData
+    (const ptr_lib::shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount = 0);
+
+  /*****************************************
+   *      verifySignature method set       *
+   *****************************************/
+    static bool
+  verifySignature(const Data &data, const Signature &sig, const PublicKey &publicKey);
+
+  static bool
+  verifySignature(const Buffer &data, const Signature &sig, const PublicKey &publicKey);
+
+  static bool
+  verifySignature(const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& publicKey);
+
+  static bool
+  verifySignature(const Buffer &data, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
+
+public:
+  static const ptr_lib::shared_ptr<SecPolicy>     DefaultPolicy;
+    
+private:
+  void
+  onCertificateData
+    (const ptr_lib::shared_ptr<const Interest> &interest, const ptr_lib::shared_ptr<Data> &data, ptr_lib::shared_ptr<ValidationRequest> nextStep);
+  
+  void
+  onCertificateInterestTimeout
+    (const ptr_lib::shared_ptr<const Interest> &interest, int retry, const OnVerifyFailed& onVerifyFailed, 
+     const ptr_lib::shared_ptr<Data> &data, ptr_lib::shared_ptr<ValidationRequest> nextStep);
+
+private:
+  ptr_lib::shared_ptr<SecPolicy>     policy_;
+  ptr_lib::shared_ptr<Face>        face_;
+};
+
+}
+
+#endif